I was accessing a website and a warning page from the XGS (running current XG 18.5 MR1) popped up warning that the website was blocked because it was Information Technology. This was very puzzling since I had specifically eliminated Information Technology as a filter.
I poked around in the XGS and found nothing. Then I poked around in Intercept X (via Sophos Central) to see if I'd perhaps blocked Information Technology there. I tested the URL in Policy Test and it was allowed, I think. (Though I lost track of tests and modifications over time, so I could be wrong on this one.) After quite some time, I finally figured out what was going on, and basically the warning was justified, but it was not because the site was Information Technology.
So a warning to admins: the reason listed on the warning page may be misleading.
Originally, Information Technology was grouped into a User Activity (was it Suspicious or Risky Downloads?) and I felt that other entries in the group were justified, but not Information Technology. So I deleted it from the UA group. Perhaps XG still thinks it's in there for message-generating purposes. Or perhaps a reverse lookup lists that URL as being in Information Technology and that's the best that can be done at message-generation time.
In fact, the site was blocked by being in the Blocked URLs for Default Policy URL group, which is referenced from a Web Policy.
So this might be considered a bug report, though it might be very hard to fix it. Mostly a warning to admins: a URL might be Web filtered due to local or unique policies/groups and misattributed to an activity that you have modified.
I see that error in my daily reports even though I don't have Information Technology blocked. The logviewer shows many successful connections to Information Technology sites, WEB, SSL/TLS and application logs, but no failed/denied connections. So I am unable to locate which web site is producing the error.
Deep, deep investigation found the issue being categorised as Information Technology, classified as "Risky downloads".
Initially, it was another page that wasn't working. I looked at the console of Safari's web inspector and saw a link to the blocked page, which includes IPS in the URL, but it's not IPS, it's Web Filtering, and I did see the URL there in the Web filtering log.
I had removed Information Technology from perhaps Risky Downloads because I do IT, etc., so duh, of course I'm going to access IT pages and sites. But perhaps there is a non-GUI-visible link that isn't broken by doing it that way... Perhaps that is invisibly tweaked by a Pattern Update.
Mine was automatic MS updates, so no error messages to follow up on. I will need to track further because that device is not online all the time.