Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 41 subscribers
  • Views 2038 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG Firewall - GEO Blocking is equal to Webfiltering?!

Valvaris Sigma

Hello Sophos-Community, 

I own a Sophos XGS 126 [SFOS 18.5.2 MR-2-Build380] and am happy with it. After tinkering with a few settings, I found something odd and wanted to ask if this is intended?

(SSL Inspection = ON - DPI Engine Active - Added Rule in SSL Inspection to Scan all SSL Certs. - Default Compatibility Rule exists and is ON - Exclusions Defined in Web -> Exceptions -> RegEx entry's for different domains that are incompatible with SSL-Inspection)

For starters I created a Firewall Rule for GEO Blocking

TOP Rule

Rule

Drop any service going to any zone, when in any zone, and coming from any network, then apply log connections

Source & schedule
Any

Source networks and devices : Any
During scheduled time : All the time

Destination and services
Any

Destination networks : Country's To BLOCK and TEST!!!!
Services : Any

Exclusions

Source zones :
Source networks and devices :
Destination networks :
Destination networks :
Services :

What is odd is if a site on the Country list gets blocked, a Block Site from Sophos comes in.
EXAMPLE:

GEO_Blocking_Rule blocks a Country, and you visit a site that is blocked by that list and has a category in the Sophos XG. The Page will say it was blocked by a WebCategory example: Entertainment!!!

But in truth the GEO_Blocking_Rule did the Blocking!!! Not the WebPolicy >.<

Is this reconstructable? = YES

Best regards

Sig.



This thread was automatically locked due to age.
  • 0

    That is the intended behavior. For 80/443 Traffic, the firewall will allow the traffic and the Web Proxy gives you a block page. It is a better User Experience to give the user a block page instead of a browser "Time out error". 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    hello  

    Thank you - I understand in terms of user experience to show at least something but for the Admin....

    This is very confusing in where to look and troubleshoot.

    Feedback to Sophos Team - Please show that a Firewall Rule is blocking the site / or another Message with a general Warning and not a category -

    This helps differentiate where it comes from and where to look.  Instead of checking every WebFilter Rule...  and then conclude it could be a Firewall Rule. ^^


    A IT-Support / Helpdesk also only gets information based on the User and in the current state this does not help. 

    Example: Multiple Zones - Multiple Rules for WAN / Internet and using DPI and WebProxy mixed mode because of SafeSearch restrictions or Direct-Mode use. 

    Sincerely Sig.

  • 0 in reply to Valvaris Sigma

    Based on the process, how the firewall work, the firewall need to allow the traffic, to give the proxy a chance to log the packet. Therefore it is technical correct. If you expand the "allow" packet, you will see a Web proxy "Deny all". This indicates the block. 

    To enhance the experience for a admin, there needs to be more mechanism to detect this, which is currently in the backlog but not planned for a future release. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hello 

    this has as much as I understand Sophos XGS Firewall tech. nothing to do with the WebProxy if the DPI Engine is in use. You enforce Webproxy if you want to add another Firewall Rule for having SafeSearch and other things that DPI does not support...

    DPI is Port agnostic, right?

    That is why it is so confusing. 

    DPI Engine = On 

    SSL-Inspection = On

    SSL-Inspection Rule is Second after the Compatibility Rule with Scan all SSL Cert.

    Top Firewall Rule = GeoBlocking 

    Second Firewall Rule = LAN Zone to WAN Zone with DPI Engine Active

    On my WebPolicy there is no filtering for "Entertainment" (Example) and I got that screen that tells me that. ^^

    I just posted all this to make sure there is no misunderstanding and that there is no WebProxy involved and to give feedback that this error is misleading.

    The true culprit was the Firewall Rule and not the Webpolicy as claimed by the Warning Screen. Smiley

    In theory it should be possible to have another WebScreen mentioning that the Country is blocked, or a Firewall Rule is blocking the site. Since that happens before the DPI Engine kicks in. ^^

    Best regards

    Sig.

  • +1 in reply to Valvaris Sigma

    Web Policy in both technologies mean basically the blocking of the Traffic. 

    Check the Logviewer. 

    __________________________________________________________________________________________________________________

  • 0 in reply to Valvaris Sigma

    The DPI engine does not process UDP traffic or apply web or application policies fully..

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to LuCar Toni

    Oml... Got it Cocktail

    Found the Log Entry and what to look for - Thank you allot  and to you too

    Did not know that the DPI Engine does not process UDP traffic?!

    Wish I could share a Screenshot with others to find the entry: (Way out of scope / size quite long) 

    On my part the Firewall Rule has the ID 8 and the WebFilter Log shows that the Policy with the ID 8 is responsable. 

    Sincerely 

    Sig.

Unfiltered HTML