
XG 18.04 Proxy and Internet sessions sloooooow with Web policy and Intercept X

I did not get the issue that random categories are blocked solved. I have unchecked matched users now, and that solves the login SSO, STAS, recheck timeout login screen and also the random blocking of random categories.

I tested with Web Policy Allow all and Default Workplace Policy and this works as expected. No more random blocking of categories. HTTP(S) scanning is still disabled. 

Problem is that this is not workable either with Web Policy Default Workplace Policy. Sometimes it works as expected and it will retrieve pages quickly or present a correct category block page. But then it starts taking ages to establish a secure connection, and eventually the attempt to retrieve the page times out. Reloading can give the same result. Closing Chrome and retrying works at first, but eventually it starts to slow again and time out.

We are also using Intercept X with category blocking as users are not always working in the office. Intercept X and XG are not aware of each other. Intercept X should also be an XG Firewall client for SSO, STAS, authentication, logging, etcetera when connected via the LAN behind the XG. But this is currently not the case.

To make it workable I need to disable the web policy and Allow All. 

  • The XG 210 HA has been upgraded to 18.0.5.

    The situation has not changed: the XG 210 with 18.0.5 MR-5 will still randomly block random categories.

    Log viewer states that firewall rule 18 Proxy Internet Access is used and is allowed.

    The Firewall rule 18 settings are:

    So no category blocking should be applied.

    There is no problem when unchecking unmatched users, so it seems to be an issue triggered by AD authorisation, STAS and identity probe. I have set STAS to not restrict client traffic during identity probe.

    I have now disabled all categories on the default policy to see if this makes a difference. Financial services is not a category in the default policy and it is not applied on any firewall rule.

    When testing our Default Workplace policy I noticed that the XG would randomly block random categories that were not in the Default Workplace Policy, like search engines, Financial Services, Business, etc. I am trying to find the cause by eliminating the web policy and have set the firewall rule to Allow all.

    That didn't change the random blocking. One minute the URL will work, the next it won't.

    So currently moving to the XG as our Secure Web Gateway is no option.

    Kind regards,

    Fred

  • Hello Fred,

    Thank you for the feedback.

    I left some additional feedback on the ticket. Thanks for updating to 18 MR5, but that shouldn't have been necessary; this issue seems more of an authentication issue between DC, STAS, and XG.

    I have seen this issue in cases where there are nested imported groups from the DC where a user belongs to two groups. 

    This is just a guess. 

    In any case, you could put access_server.log in debug mode and it should give you more clues on the Web Policy it is moving from and to:

    # service access_server:debug -ds nosync

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    I also believe this is an authentication / identity probe issue of STAS. We are indeed using AD Groups.

    Originally I had enabled "show login portal to unknown users". That would trigger a separate login page during loss of AD / STAS authentication. The block and login time-out did not seem to be related in time.

    When I disable the show login page, it will show the category block page with an option on it to log in to the network. If you log in to the network, the category block is lifted immediately.

    I do not believe STAS is a good product. I also see other users associated in error with my test IP address. STAS is EOL and there is no replacement yet. It was promised for Q1 2021. Endpoint X should also be the Firewall Client if using Sophos Firewalls responsible for authorization and logging.

  • Hello Fred,

    Thank you for the Feedback.

    STAS 3.0 is in the works but there’s no ETA at the moment.

    Regards

    Emmanuel (EmmoSophos)
  • I believe I may have found the cause.

    There was a WMI performance issue on the AD DC due to a large security event log size. I backed up the event log, reduced the event log size and cleared the event log to start fresh this morning. So far there has not been any random blocking of categories.

    So it seems the XG does not handle a STAS / WMI time-out very well. In such cases, with Proxy server, matched users enabled and:
    - "Use web authentication for unknown user" enabled, it should present the user portal immediately and not a blocked category message;
    - "Use web authentication for unknown user" disabled, it should present a general (error) message that internet access is blocked and not a blocked category message.

    I have now enabled HTTP(S) scanning and decrypting and I am testing that now.

    Regards,

    Fred
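The remediation Fred describes (back up the Security log on the DC, reduce its maximum size, clear it, and confirm the WMI slowness is gone) can be scripted and measured rather than done by hand. The following is an added example, not code from the thread or from Sophos. It assumes it runs elevated on the domain controller; the backup folder and the 512 MB cap are placeholder values. The thread does not say which WMI class the STAS collector queries, so the Win32_NTLogEvent read here is only a stand-in for the kind of WMI query that scans the whole log and becomes slow when the log is oversized.

```powershell
# Added example (not from the thread). Run elevated on the AD domain controller.
# Assumed values: $BackupDir and the 512 MB cap; keep the exported .evtx for as
# long as your audit retention policy requires, since clearing discards the records.

$LogName   = 'Security'
$BackupDir = 'D:\EventLogBackup'          # assumed path, adjust
$MaxBytes  = 512MB                         # assumed new maximum size (bytes)

# 1. Inspect the current state: record count, size on disk, configured cap, retention mode.
$log = Get-WinEvent -ListLog $LogName
'{0}: {1:N0} records, {2:N0} bytes on disk, cap {3:N0} bytes, mode {4}' -f `
    $log.LogName, $log.RecordCount, $log.FileSize, $log.MaximumSizeInBytes, $log.LogMode

# 2. Time a WMI read of recent logon events (4624). Win32_NTLogEvent filters by
#    scanning the log, which is what makes an oversized Security log slow over WMI.
$query = "Logfile='$LogName' AND EventCode=4624"
$before = Measure-Command {
    Get-CimInstance -ClassName Win32_NTLogEvent -Filter $query |
        Select-Object -First 50 | Out-Null
}
'WMI logon-event query before cleanup: {0:N1} s' -f $before.TotalSeconds

# 3. Back up the log before touching it, then lower the cap and clear it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir "$LogName-$stamp.evtx"
wevtutil epl $LogName "$backup"            # export to .evtx, records stay intact
wevtutil sl  $LogName /ms:$MaxBytes        # set the maximum log size in bytes
wevtutil cl  $LogName                      # clear; Windows writes event 1102 to record this

# 4. Re-run the same WMI query against the fresh log to confirm the improvement.
$after = Measure-Command {
    Get-CimInstance -ClassName Win32_NTLogEvent -Filter $query |
        Select-Object -First 50 | Out-Null
}
'WMI logon-event query after cleanup: {0:N1} s' -f $after.TotalSeconds
'Backup written to {0}' -f $backup
```

Two caveats a practitioner would want: the 1102 "audit log was cleared" event is itself security-relevant, so expect it to appear in any SIEM fed from the DC; and lowering the cap only helps if the log mode (Circular vs. Retain) lets Windows overwrite old records, otherwise the log will fill up again and the same WMI slowdown returns.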