Hello,
we have the problem that in general all websites load slowly and many others do not load at all. We use version 19 (SFV4C6 / 19.0.0-B317) as a VM in Hyper-V.
Here are some examples of websites that cannot be accessed at all:
The basic problems (e.g. DNS or WAN connection) can definitely be ruled out. We spent several hours with Sophos Support and they desperately adjusted all the options. We were then told that we must enable the "Use web proxy instead of DPI engine" option in a rule for HTTP & HTTPS connections.
But that doesn't make any sense to us at all. Why do we have to enable the old web proxy to be able to access websites quickly and generally? There must be a way to access websites (HTTP/HTTPS) without web filtering. The other question is why the problems also exist with the DPI engine and only the old web proxy works reliably.
As mentioned above, after activating the following options, all websites can be loaded without problems and also at a good speed:
Maybe someone can help us or explain the background.
Thanks!
Hi,
the web proxy is used if you want full policy scanning, and the DPI engine does not, as of the current version, scan UDP traffic. In the web settings do you have any boxes ticked? If so, you will be using the web proxy.
iCloud will need exceptions enabled along with all the other Apple sites.
Ian
XG115W - v19 GA - Home
1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.
If a post solves your question please use the 'Verify Answer' button.
This. Are there any TLS decryption rules in effect? If so, is there an earlier rule that forces no decryption for the Sophos-maintained list? (And also your hand-curated list.) The very first thing I look at when a website fails is if it showed up as decrypted in the TLS logs.
Irrespective of the DPI engine or the web proxy: Can you add them under Web > Exceptions:
^([A-Za-z0-9.-]*\.)?icloud\.com/
^([A-Za-z0-9.-]*\.)?www\.securepoint\.de/
^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/
You can skip all the following checks:
HTTPS decryption
HTTPS certificate validation
Malware and content scanning
Zero-day protection
Policy checks
By default the DPI engine is enabled; the DPI engine detects and filters HTTP and SSL/TLS traffic on any port. If you use "Use web proxy instead of DPI engine", the web proxy transparently handles traffic only on TCP ports 80 and 443.
Under Rules & Policies > SSL/TLS inspection rules, if you are using the DPI engine and want to completely turn off SSL/TLS inspection, then click on
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
I made the following settings:
SSL/TLS Inspection > Off
Web Policy > None
Use web proxy instead of DPI engine > Inactive
Web Exception (Skip all checks) > ^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/
Log Viewer:
SSL/TLS Inspection: Nothing
Web filter: Nothing
The website (https://www.yahoo.com) still cannot be accessed. We also only have a single firewall rule, so there is no overlap with other rules. Why can't the DPI engine be completely disabled?
We have completely disabled SSL/TLS-Inspection:
Hey SM-ITM, can you check the packet capture to see the MTU/MSS values while accessing the websites...
Monitor packet flow using the command line interface: https://support.sophos.com/support/s/article/KB-000035939?language=en_US
Monitor dropped packets using CLI: https://support.sophos.com/support/s/article/KB-000036858?language=en_US
Create and download a packet capture: https://support.sophos.com/support/s/article/KB-000037007?language=en_US
Yahoo is not a single site; Australian Yahoo has an au prefix which your exception will not pick up.
ian
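A quick way to see why the exception posted in this thread misses regional Yahoo hosts, as an added example that is not from the thread or from Sophos: it applies the posted exception regexes, plus a broadened yahoo\.com variant that is my own assumption, to a few constructed URL variants. It assumes the Web > Exceptions regex is matched against the URL with the scheme removed (which is why the posted patterns end in a trailing slash).

```python
import re
from urllib.parse import urlsplit

# Exception patterns as posted in the thread. Sophos web exceptions are assumed here
# to be matched against the URL without its scheme ("www.yahoo.com/", not "https://...").
# "yahoo_any_sub" is a broadened variant added for comparison (an assumption, not from the thread).
EXCEPTION_PATTERNS = {
    "icloud": r"^([A-Za-z0-9.-]*\.)?icloud\.com/",
    "yahoo_www_only": r"^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/",
    "yahoo_any_sub": r"^([A-Za-z0-9.-]*\.)?yahoo\.com/",
}


def scheme_less(url: str) -> str:
    """Return host + path as the exception regex is assumed to see it (no scheme, path at least '/')."""
    parts = urlsplit(url)
    path = parts.path or "/"
    return f"{parts.netloc}{path}"


def matches_exception(pattern: str, url: str) -> bool:
    """True if the exception regex matches the URL; the patterns are anchored with '^', so re.match."""
    return re.match(pattern, scheme_less(url)) is not None


def covered_by(url: str) -> list[str]:
    """Names of the exception patterns that would apply to this URL."""
    return [name for name, pat in EXCEPTION_PATTERNS.items() if matches_exception(pat, url)]


# Constructed sample URLs: the thread's own host plus the regional variant Ian mentions,
# a non-www subdomain, an iCloud URL and a look-alike host that must NOT match.
SAMPLE_URLS = [
    "https://www.yahoo.com/",
    "https://au.yahoo.com/",
    "https://mail.yahoo.com/d/folders/1",
    "https://www.icloud.com/mail",
    "https://notyahoo.com/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:40} -> {covered_by(url)}")
```

The posted www\.yahoo\.com pattern only matches hosts ending in www.yahoo.com, so au.yahoo.com and mail.yahoo.com fall through to the normal policy; the leading `([A-Za-z0-9.-]*\.)?` group still keeps notyahoo.com out of the broadened pattern because the optional prefix must end in a dot.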