Issue with URL block

I am trying to block YouTube.com during a specific time, but it doesn't seem to be working. This was discussed previously here: community.sophos.com/.../issue-with-rules



[edited by: emmosophos at 12:24 AM (GMT -8) on 26 Feb 2021]
  • Hello SuperCM,

    Thank you for contacting the Sophos Community.

    Did you get the chance to check in the logs what happens when YouTube is supposed to be blocked? If you are using the Web Filter, the awarrenhttp_access.log in debug mode should show something.

    # service awarrenhttp:debug -ds nosync (Ran from the advanced shell 5 > 3)

    # /log/awarrenhttp_access.log

    Also, I double-checked your post, and in the screenshot that you shared where it says YouTube is blocked, under constraints I don't see any time selected.

    Please double check you’re adding a time to the Web Policy for youtube.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • When I look at the debug log, the traffic is not shown. 

  • Hello SuperCM,

    Thank you for the follow-up.

    Make sure the Computer is pointing to the XG as DNS resolver.

    If you aren’t seeing the traffic, double-check that your Firewall Rule is set to use Web Proxy instead of DPI engine.

    Try a Packet Capture from the GUI to confirm which Firewall Rule is being applied.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
  • I confirmed that the rule is set to use web proxy and is using the XG for DNS.

    Looking at the packet capture, it looks like it is using the right rule.

    The rule in the GUI is rule 28.

    Also, I have the time off right now while I am testing it.

  • Hi,

    Please check if you have other rules that allow other internet access outside of your block times. You need to be enforcing access using allow and block rules in both web and application places.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
  • I don't see anything that stands out. Also, shouldn't the logs show how access is granted?

  • You will need to check both application and web logs. I found the application log not very useful because it only shows blocked applications.

    Once a connection is established, from memory, the XG does not block it; it will only block new connections, but I will be corrected on that if in error. I think I got the idea wrong last time and had to run a test for one of the Sophos support people to prove the block does work at the correct time. I will run a test tomorrow and report back.

    Ian

    added extra info.

     
  • Hi super_cm,

    I set up the restriction profile and schedule and applied them to my application profile. I also changed the application policy to deny when applying the restricted time schedule.

    Results of testing

    1/. one VoIP service was locked after 40 seconds

    2/. the second VoIP service was dropped after 8 minutes.

    3/. the application logviewer showed only one attempt by one phone and multiple attempts by the other phone to restore a connection.

    4/. When the schedule and profile were deleted one phone took about 2 minutes to re-register, the other has not but that will be a configuration issue in VoIP ATA.

    5/. the delay between activation time and actual blocking time is very frustrating while trying to debug new rules.

    6/. I do not use web filtering on my VoIP services only application policy control.

    I hope these results help with your issue?

    Ian

    corrected typing errors.

     
  • I think this is my answer. It seems that the connection is still open and that's why it's allowing access.