
Could not open some of the websites without web proxy

Hi.

I recently failed to open some websites when behind the XG Firewall, but when I set the web proxy on the computer to the firewall, it worked. The links are valid and normal I believe, like,

rupress.org/.../Epigenetic-and-transcriptional-control-of

I couldn't even install Sophos Intercept X with SophosSetup.exe last night. I checked the log and it couldn't access the Sophos website for downloading the installation files.

I also couldn't connect to WebEx a few hours ago with the web proxy.

What I tried,

1. setting an empty firewall rule without adding any policies and allowing all connections

2. adding the domains to exception list

3. stopping the SSL scan

But nothing worked. It affects only the LAN but not the connections through VPN.

P.S. I didn't realize XG and UTM are two different types of firewalls; I made a mistake and posted on UTM, community.sophos.com/.../474280



  • I've just upgraded to 18.5 but I still found that my testing firewall rules with anything checked inside the "Web Filtering" section didn't work. But if I set the Web Policy to "Allow All" and check "Use web proxy instead of DPI engine", I can access the websites just like before. I wonder what the difference is between "None" and "Allow All"?

  • None will use the default SSL/TLS inspection, whereas Allow All allows you to select the proxy. The DPI engine appears to be fixed from my testing, but still needs exceptions to work. My example is with the latest Apple upgrades over the last couple of days: they used to fail part of the way through even with exceptions; now they download without issues. There was a bug in the TCP handling by the DPI engine which appears to have been fixed.

    I use allow all with the proxy but no scanning functions even if the port is not a proxied port.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I tried "Allow All" with "Use web proxy instead of DPI engine" unchecked, added the domain name as an exception in SSL/TLS, but I still couldn't get the page...

    Do I still need to set the web proxy on the computers with DPI?

  • No, enabling it on the XG should be enough unless you have set up the PCs with one. Please do an nslookup for the web site from the XG and the PC.

    ian


  • This is the nslookup from the pc,

    $ nslookup rupress.org
    Server:        127.0.0.53
    Address:    127.0.0.53#53

    Non-authoritative answer:
    Name:    rupress.org
    Address: 52.179.114.94

    This is from the XG SSH console,

    console> dnslookup host rupress.org
    Domain Name Server#  127.0.0.1
    Domain Name       #  rupress.org
    Resolved Address 1#  52.179.114.94
    Total query time  #  0.73 msec

  • so, now what does the logviewer show when you try to access the url?

    ian


  • The page just didn't show. If I used wget to get the page, it waited for 1 minute and timed out.

    $ wget rupress.org/.../Epigenetic-and-transcriptional-control-of
    --2021-07-28 12:59:49--  rupress.org/.../Epigenetic-and-transcriptional-control-of
    Resolving rupress.org (rupress.org)... 52.179.114.94
    Connecting to rupress.org (rupress.org)|52.179.114.94|:443... connected.
    Unable to establish SSL connection.

    The only log I could find in Log Viewer is this entry in the SSL/TLS inspection category:

    2021-07-28 12:46:38 SSL/TLS inspection messageid="19006" log_type="SSL" log_component="SSL" log_subtype="Error" severity="Information" user="" src_ip="192.168.1.239" dst_ip="52.179.114.94" user_group="" src_country="R1" dst_country="USA" src_port="41876" dst_port="443" app_name="" app_id="0" category="Health & Medicines" category_id="25" con_id="3407921152" rule_id="1" profile_id="1" rule_name="Exclusions by website or category" profile_name="Maximum compatibility" bitmask="" key_type="KEY_TYPE__UNKNOWN" key_param="Unknown" fingerprint="" resumed="0" cert_chain_served="TRUE" cipher_suite="" sni="rupress.org" tls_version="Unknown" reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="" message=""
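The SSL/TLS inspection entry above is the one piece of evidence in this thread that names the failing component: the DPI TLS engine dropped the flow with FLOW_TIMEOUT, and the exception field is empty. When chasing several such sites at once it is easier to pull those fields out programmatically than to read the raw line. The script below is an added example, not code from the original post or from Sophos: it parses Sophos XG key="value" log lines, keeps only SSL/TLS inspection errors, and reports the SNI, destination, decryption profile, engine error and whether an exception was recorded. The first sample line is the entry quoted above (with the Log Viewer timestamp/category prefix); the second is a constructed non-error line for contrast, whose field values are made up and are not a real Sophos log.

```python
import re
from typing import Dict, List

# Constructed sample input. Line 1 is the SSL/TLS inspection entry quoted in the
# thread. Line 2 is constructed for contrast (values are invented, not a real log).
SAMPLE_LOGS = [
    '2021-07-28 12:46:38SSL/TLS inspectionmessageid="19006" log_type="SSL" '
    'log_component="SSL" log_subtype="Error" severity="Information" user="" '
    'src_ip="192.168.1.239" dst_ip="52.179.114.94" src_port="41876" dst_port="443" '
    'category="Health & Medicines" rule_id="1" profile_id="1" '
    'rule_name="Exclusions by website or category" profile_name="Maximum compatibility" '
    'sni="rupress.org" tls_version="Unknown" '
    'reason="Dropped due to TLS engine error: FLOW_TIMEOUT[5]" exception="" message=""',
    'messageid="19006" log_type="SSL" log_component="SSL" log_subtype="Allowed" '
    'src_ip="192.168.1.239" dst_ip="192.0.2.10" dst_port="443" sni="example.com" '
    'tls_version="TLSv1.3" reason="" exception="" message=""',
]

# One key="value" pair; Sophos values are double-quoted and contain no escaped quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Engine error strings look like "Dropped due to TLS engine error: FLOW_TIMEOUT[5]".
ENGINE_ERR_RE = re.compile(r'TLS engine error:\s*([A-Z_]+)\[(\d+)\]')


def parse_sophos_log(line: str) -> Dict[str, str]:
    """Parse one Sophos XG key="value" log line into a dict.

    Text copied from Log Viewer may carry a timestamp and category in front of the
    first key (sometimes fused to it), so parsing starts at 'messageid='.
    """
    start = line.find('messageid=')
    if start >= 0:
        line = line[start:]
    return dict(KV_RE.findall(line))


def triage_tls_errors(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per SSL/TLS inspection error among `lines`.

    Each finding records the SNI, destination, handling rule/profile, the engine
    error name and code, and whether the log recorded an exception for the flow
    (an empty exception= field means it did not).
    """
    findings = []
    for line in lines:
        rec = parse_sophos_log(line)
        if rec.get('log_component') != 'SSL' or rec.get('log_subtype') != 'Error':
            continue
        reason = rec.get('reason', '')
        m = ENGINE_ERR_RE.search(reason)
        findings.append({
            'sni': rec.get('sni', ''),
            'src_ip': rec.get('src_ip', ''),
            'dst': f"{rec.get('dst_ip', '')}:{rec.get('dst_port', '')}",
            'rule': rec.get('rule_name', ''),
            'profile': rec.get('profile_name', ''),
            'error': m.group(1) if m else reason,
            'error_code': m.group(2) if m else '',
            'tls_version': rec.get('tls_version', ''),
            'exception_applied': bool(rec.get('exception')),
        })
    return findings


def summarize(findings: List[Dict[str, object]]) -> List[str]:
    """Render findings as one-line hints for the person working the ticket."""
    out = []
    for f in findings:
        if f['exception_applied']:
            hint = 'an exception was recorded for this flow; the drop is not an exclusion miss'
        else:
            hint = ('no exception recorded: the flow was handled by the DPI TLS engine; '
                    'check that the exclusion matches this SNI, or move the rule to the web proxy')
        out.append(f"{f['sni'] or f['dst']}: {f['error']}[{f['error_code']}] "
                   f"(rule={f['rule']!r}, profile={f['profile']!r}) - {hint}")
    return out


if __name__ == '__main__':
    for line in summarize(triage_tls_errors(SAMPLE_LOGS)):
        print(line)
```

Feed it the SSL/TLS inspection lines exported from Log Viewer (or the raw syslog lines, which start at messageid=) for every site that times out; sites whose findings show the same engine error and an empty exception field are the ones to test with "Use web proxy instead of DPI engine" ticked, which is the change that worked earlier in this thread.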

  • Hi,

    That result indicates you are not using the web proxy.

    Ian


  • So with the DPI engine, I must set the web proxy on the PC?

    And if I check "Use web proxy instead of DPI engine", I don't need to set the web proxy on the PC?

  • The logs and nslookup above are from when I didn't tick the box for "Use web proxy instead of DPI engine" and had an exception record in the SSL/TLS exception list.