Issue with Url block

Hello SuperCM,

Thank you for contacting the Sophos Community.

Did you get the chance to check on the logs what happens when youtube is supposed to be blocked? If you are using the Web Filter the awarrenhttp_access.log in debug mode should show something.

# service awarrenhttp:debug -ds nosync (Ran from the advanced shell 5 > 3)

# /log/awarrenhttp_access.log

Also, I double-check your post, and in the screenshot that you share where it says youtube is blocked, under constraints I don't see any time selected. 

Please double check you’re adding a time to the Web Policy for youtube.

Regards,

When I look at the debug log, the traffic is not shown. 

Hello SuperCM,

Thank you for the follow-up.

Make sure the Computer is pointing to the XG as DNS resolver.

If you aren’t seeing the traffic, double-check that your Firewall Rule is set to use Web Proxy instead of DPI engine.

Try a Packet Capture from the GUI to confirm which Firewall Rule is being applied.

Regards,

I confirmed that the rule is set to use web proxy and is using the xg for dns.

Looking at the packet capture, it looks like it is using the right rule.

The rule in the gui is rule 28

also i have the time off right now while I am testing it.

I confirmed that the rule is set to use web proxy and is using the xg for dns.

Looking at the packet capture, it looks like it is using the right rule.

The rule in the gui is rule 28

also i have the time off right now while I am testing it.

Hi,

please check if you have other rules that allow access other internet outside of your block times. You need to be enforcing access using allow and block rules in both web and application places.

Ian

I don't see anything that stands out. Also shouldn't the logs show how access is granted? 

You wil need to check both application and web logs. I found the application log not very useful because it only shows blocked applications.

Once a connection is established from memory the XG does not block it, it will only block new connections, but I will be corrected on that if in error. I think I got the idea wrong last time and had to run a test for one of the sophos support people to prove the block does work at the correct time. I will run a test tomorrow and report back.

Ian

added extra info.

Hi super_cm,

I setup a the restriction profile and schedule and applied them to my application profile. I also changed the application policy to deny when applying the restricted time schedule.

Results of testing

1/. one VoIP service was locked after 40 seconds

2/. the second VoIP service was dropped after 8 minutes.

3/. the application logviewer showed only one attempt by one phone and multiple attempts by the other phone to restore a connection.

4/. When the schedule and profile were deleted one phone took about 2 minutes to re-register, the other has not but that will e a configuration issue in VoIP ATA.

5/. the deal between activation time and actual blocking time is very frustrating while trying to debug new rules.

6/. I do not use web filtering on my VoIP services only application policy control.

I Hope these results help with your issue?

Ian

corrected typing errors.

I think this is my answer. It seems that the connection is still open and that's why it's allowing access.