This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Content Warning misleading message

I was accessing a website and a warning page from the XGS (running current XG 18.5 MR1) popped up warning that the website was blocked because it was Information Technology. This was very puzzling since I had specifically eliminated Information Technology as a filter.

I poked around in the XGS and found nothing. Then poked around in Intercept X (via Sophos Central) to see if I'd perhaps blocked Information Technology there. I tested the URL in Policy Test and it was allowed, I think. (Though I lost track of tests and modifications over time, so I could be wrong on this one.) After quite some time, I finally figured out what was going on, and basically the warning was justified, but it was not because the site was Information Technology.

So a warning to admins: the reason listed on the warning page may be misleading.

Originally, Information Technology was grouped into a User Activity (was it Suspicious or Risky Downloads?) and I felt that other entries in the group were justified, but not Information Technology. So I deleted it from the UA group. Perhaps XG still thinks it's in there for message-generating purposes. Or perhaps a reverse lookup lists that URL as being in Information Technology and that's the best that can be done at message-generation time.

In fact, the site was blocked by being in the Blocked URLs for Default Policy URL group, which is referenced from a Web Policy.

So this might be considered a bug report, though it might be very hard to fix it. Mostly a warning to admins: a URL might be Web filtered due to local or unique policies/groups and misattributed to an activity that you have modified.



This thread was automatically locked due to age.
  • Hi,

    I see that error in my daily reports even though I don't have Information Technology blocked. The logviewer shows many successful connections to Information Technology sites, WEB, SSl/TLS and application logs, but no failed/denied connections. So I am unable to locate which web site is producing the error.

    Ian

    Deep, deep investigation found the  issue being categorised as Information Technology, classified as "Risky downloads"

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Initially, it was another page that wasn’t working. I looked at the console of Safaris web inspector and saw a link to the blocked page, which includes IPS in the URL, but it’s not IPS, it’s Web Filtering, and I did see the URL there in the Web filtering log.

    I had removed Information Technology from perhaps Risky Downloads because I do IT, etc, so duh of course I’m going to access IT pages and sites. But perhaps there is a non-GUI-visible link that isn’t broken by doing it that way… Perhaps that is invisibly tweaked by a Pattern Update.

  • Mine was automatic ms updates so no error messages to follow up on. I will need to track further because that device is not online all the time.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.