Sophos XG Firewall - License activation unavailable (error XG-00151). See KB-000043485 for the latest updates.

Sophos firewall application classification errors

Hi folks,

sometime in the last 6 weeks I started a thread on classification errors. I have been doing some further investigation and found thane was wrong and needed to be corrected. I have searched all my activities and not been able to find the initial post to correct the error.

Where has the post gone?

Classification errors

Streaming video is classified as infrastructure

NTP is classified as thunderVPN

A http access to an Apple site is classified as manual proxy surfing on IPv6

Some iMAPs traffic is unclassified.

Ian



Edited TAGs
[edited by: emmosophos at 11:20 PM (GMT -7) on 12 Aug 2021]
Parents
  • Hi folks,

    I spent this afternoon investigating why the ipad and iPhones don't connect to a site but the mac mini does, In the process I have fixed the issue with manual proxy surfing.

    The issue resolves around the missing functions in the HTTP proxy for IPv6 traffic eg does not know how to handle FQDNs which results in the web exceptions not working. So the issue is resolved partially by using DPI instead, but the downside is not all the web policies are obeyed. I can leave the web proxy working for the IP4 traffic just not for the IPv6 traffic. Very frustrating.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
Reply
  • Hi folks,

    I spent this afternoon investigating why the ipad and iPhones don't connect to a site but the mac mini does, In the process I have fixed the issue with manual proxy surfing.

    The issue resolves around the missing functions in the HTTP proxy for IPv6 traffic eg does not know how to handle FQDNs which results in the web exceptions not working. So the issue is resolved partially by using DPI instead, but the downside is not all the web policies are obeyed. I can leave the web proxy working for the IP4 traffic just not for the IPv6 traffic. Very frustrating.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
Children
  • This gets even more frustrating because the log denied entry refers to content policy which I can  no longer find to amend. There is reference to policy numbers that are greater than my configuration

    You cannot amend the default policies and you cannot clone to to make your own. Somewhere on my XG there is a content policy for Australia, but where?

    Something has gone missing in one of the many recent updates. How do you find and modify the now hidden functions?

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Would love someone who knows where the content policies hide to provide some guidance either that or fix/add the missing features to the IPv6 part of the firewall.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello rfcat,

    Can you show me the log where the XG is referencing a Content Policy for Australia?

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    I have been able to isolate the issue to IPv6 traffic only and the XG is unable to identify where the IPv6 address sites are located.

    content filter.rtf

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hello rfcat,

    So based on the Log, it doesn't look like it’s blocked due to a Content Filter, usually, if that is the case the log would show 

     reason="acl primary match Content Check on 

    So this is being blocked by the Application Filter Policy but not the content Filters.

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    I have a web exception in place that only works on IP4 traffic, not IPv6 traffic so hence the error. I don't have an application filter blocking content.

    If I use the proxy the application is blocked, doesn't show in the logs and the parent application ABC iview does not work. If I disable the proxy and use the DPI then the ABC iview works with errors in the logs about manual proxy surfing.. Further XG is unable to provide any detail when using the diagnostic tools, but knows about the url when the url category lookup is run.

    The url is iview-vod-his.akamaized.net

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • The issue is getting worse, I now have imaps between client mail and the RSP mail server classified as P2P torrent.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Hi,

    I thought I had identified the the cause, but that was masked by using the web proxy rather then DPI.  DPI causes the stuff to be blocked where as the web proxy allows it.

    Mail I have stopped scanning SMTPS because XG keeps breaking the trust.

    I am in the process of building a new XG with new hardware, but getting some parts is proving difficult eg dual port NICs.

    Ian

     edited:- remove incorrect conclusions.

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.