Sophos Firewall Web Protection Unable To Process Cyrillic Domain Names

Hello Everyone,

We've had requests to block websites that contain Cyrillic characters, however whenever I attempt to do so in the Sophos interface it states it's an invalid URL.

To avoid posting the full domain of the malicious site, an excerpt would be:

https://[domain].ком.рус

We're seeing more and more of this now, and I'm concerned if the XG cannot process these characters for something as simple as a website/URL, what else could the product be effectively unable to interpret?

Many Thanks



  • Hi,

    Are they characters with special marks or just the plain English alphabet?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the reply. They're Cyrillic, so, Russian language. See pics:

  • Hi,

    The error is not from the firewall. Also it is an email so that would require a search to reject in the email tab.

    I am trying to copy the website but fail and I don't have a RU keyboard to try. Please post a copy of the website that I can copy in this thread.

    Ian

  • Hi Ian,

    Apologies for the confusion. It's not a Firewall Rule I'm attempting to manage, but the Web Policies which are managed via Central > Firewall > Web > Policies, which make use of URL Groups, for which there is not a specific Forum/subsection.

    At your own risk:

    https://нориманес[.]ком[.]рус

  • The web policies that you are managing via CM become part of a firewall policy. The error message is from email or end user protection.

    Thank you for the URL.

    The answer might be to build a firewall using Russian and see if you can use English to configure it; not really a practical business solution.

    My testing comes to the same conclusion as yours. I suggest you raise a support case.

    Do you need to access the RU-based networks? If not, just set up a country block rule, though this has limitations as well.

    Ian

    Of course this issue applies to other non-English based sites.

  • Thanks Ian. Was aware that the warning message was from the Time of Click, just wanted to add it for context/clarity, i.e. that it was registering as a valid URL in browser.

    I considered a FW rule for geographical blocking of IPs, but this seemed overkill. And whilst an interesting concept, I've not the time to build a new firewall haha!

    It's a weird one that I'll take up with Sophos. Thanks for the insight.

  • There is a bigger issue with this URL testing. The XG should not be testing and making judgements on the values within a valid URL format regardless of character set used.

    Ian

  • Spoke with Sophos' support team and after a lot of testing they decided the best approach was to either block the IP address (doesn't really solve the issue), or to ping the Cyrillic domain name, and determine the translated domain name, which in the case above comes to: xn--80akhqdddqo.xn--j1aef.xn--p1acf

    I'll be honest, I don't really understand it. Probably something to do with Unicode, ASCII, etc. I still wouldn't consider this a true fix, but maybe that's not Sophos' fault.

  • It looks like my reply on Friday did not get posted.


    In the DNS and HTTP standards, only ASCII characters are allowed. In order to support non-ASCII domain names, the standard for IDN (internationalized domain names) is to use punycode, which uses a prefix xn--

    You will note if you cut and paste the above punycode, the browser will convert it to the Cyrillic version. The browser does this in the display, but the actual request is the punycode.

    URL Group (and I suspect all of the XG) only supports the punycode version of IDN, however it will correctly match.

    https://en.wikipedia.org/wiki/Internationalized_domain_name
    https://en.wikipedia.org/wiki/Punycode
    You can google for punycode converters if you want to translate back and forth.
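
The conversion described in the post above, as an added example that is not part of the original thread and is not Sophos code: it turns a pasted URL or hostname into the xn-- form that the post says URL Groups accept. The function names are hypothetical, and Python's built-in `idna` codec (IDNA 2003) is assumed to be adequate for plain Cyrillic labels such as this one.

```python
from urllib.parse import urlsplit

# Domain taken from this thread (defanged form as posted) and the A-label
# that Sophos support derived for it.
THREAD_URL = "https://нориманес[.]ком[.]рус"
THREAD_ALABEL = "xn--80akhqdddqo.xn--j1aef.xn--p1acf"


def to_alabel_host(value: str) -> str:
    """Return the ASCII (punycode) hostname for a pasted URL or bare hostname."""
    text = value.strip().replace("[.]", ".")  # undo the defanging used in the thread
    if "://" not in text:
        text = "//" + text  # make urlsplit treat a bare hostname as the netloc
    host = urlsplit(text).hostname  # drops scheme, userinfo, port, path; lowercases
    if not host:
        raise ValueError(f"no hostname in {value!r}")
    # The built-in "idna" codec (IDNA 2003) normalises and punycode-encodes each
    # non-ASCII label; ASCII labels, including existing xn-- ones, pass through.
    # It raises UnicodeError for labels that are empty or longer than 63 bytes.
    return host.rstrip(".").encode("idna").decode("ascii")


def to_display_host(alabel_host: str) -> str:
    """Decode xn-- labels back to the Unicode form a browser displays."""
    return alabel_host.encode("ascii").decode("idna")


def same_host(a: str, b: str) -> bool:
    """True when two pasted values name the same host once both are A-labels."""
    return to_alabel_host(a) == to_alabel_host(b)


if __name__ == "__main__":
    print(to_alabel_host(THREAD_URL))
    print(to_display_host(THREAD_ALABEL))
    print(same_host("НОРИМАНЕС.КОМ.РУС/login", THREAD_ALABEL))
```

Comparing hosts only after both sides are converted to A-labels means the Cyrillic, upper-case and xn-- spellings of the same name all resolve to one block entry.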

  • Thank you for the detailed reply. Though it does leave an issue with a user entering a non-ASCII URL and how does the XG provide a security check or policy match on the URL?

    Ian
