This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Websites load slowly or not at all without Web-Proxy

Hello,

we have the problem that in general all websites load slowly and many others do not load at all. We use version 19 (SFV4C6 / 19.0.0-B317) as VM in Hyper-V.

Here are some examples of websites that cannot be accessed at all:

The basic problems (e.g. DNS or WAN-Connection) can definitely be ruled out. We spent several hours with the Support of Sophos and they desperately adjusted all the options. We were then told that we must enable in a rule the "Use web proxy instead of DPI engine" option for HTTP & HTTPS-Connections.

But that doesn't make any sense to us at all. Why do we have to enable the old web proxy to be able to access websites quickly and generally? There must be a way to access websites (HTTP/HTTPS) without web filtering. The other question is why the problems also exist with the DPI-Engine and only the old web proxy works reliably.

As mentioned above, after activating the following options, all websites can be loaded without problems and also at a good speed:

Use web proxy instead of DPI engine > Active
Web-Policy > Any (e.g. Allow All)

Maybe someone can help us or explain the background.

Thanks!

This thread was automatically locked due to age.

Top Replies

rfcat_vk over 1 year ago +2 suggested

Hi, the web proxy is used if you want full policy scanning.and the DPI engine does not as of the current version scan UDP traffic. In the web settings do you have any boxes ticked, if so you will be…

Parents

0 rfcat_vk over 1 year ago

Hi,

the web proxy is used if you want full policy scanning.and the DPI engine does not as of the current version scan UDP traffic. In the web settings do you have any boxes ticked, if so you will be using the web proxy.

Icloud will need exceptions enabled along with all the other apple sites.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Cancel
0 Wayne Folta over 1 year ago in reply to rfcat_vk

This. Are there any TLS decryption rules in effect? If so, do is there an earlier rule that forces no decryption for the Sophos-maintained list? (And also your hand-curated list.The very first thing I look at when a website fails is if it showed up as decrypted in the TLS logs.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Wayne Folta over 1 year ago in reply to rfcat_vk

This. Are there any TLS decryption rules in effect? If so, do is there an earlier rule that forces no decryption for the Sophos-maintained list? (And also your hand-curated list.The very first thing I look at when a website fails is if it showed up as decrypted in the TLS logs.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Vivek Jagad over 1 year ago in reply to Wayne Folta

Irrespective of the DPI engine or the web proxy:

Can you add them under the exception web > exception:
^([A-Za-z0-9.-]*\.)?icloud\.com/
^([A-Za-z0-9.-]*\.)?www\.securepoint\.de/
^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/

You can skip all the following checks:
HTTPS decryption
HTTPS certificate validation
Malware and content scanning
Zero-day protection
Policy checks

By default the DPI engine is enabled, DPI engine detects and filters HTTP and SSL/TLS traffic on any port.
if you use: Use web proxy instead of DPI engine || Web proxy transparently handles traffic only on TCP ports 80 and 443.

Under the Rules & Polices > SSL/TLS inspection rules if you are using DPI engine and want to complete turn off the SSL/TLS then click on

SSL/TLS inspection settings > Advance settings > disable.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 SM-ITM over 1 year ago in reply to Vivek Jagad

I made the following settings:

SSL/TLS Inspection > Off
Web Policy > None
Use web proxy instead of DPI engine > Inactive
Web-Exception (Skip all checks) > ^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/

Log-Viewer
SSL/TLS Inspection: Nothin
Web filter: Nothing

The website (https://www.yahoo.com) still cannot be accessed. We also only have a single firewall rule, so there is no overlap with other rules. Why can't the DPI engine be completely disabled?
Cancel
Vote Up 0 Vote Down

Cancel
0 SM-ITM over 1 year ago in reply to Wayne Folta

We have completely disabled SSL/TLS-Inspection:
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to SM-ITM

Hey SM-ITM,

can you check the packet capture to see the MTU/MSS values while accessing the websites...
Monitor packet flow using the command line interface : https://support.sophos.com/support/s/article/KB-000035939?language=en_US
Monitor dropped packets using CLI : https://support.sophos.com/support/s/article/KB-000036858?language=en_US
Create and download a packet capture : https://support.sophos.com/support/s/article/KB-000037007?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 1 year ago in reply to SM-ITM

Yahoo is not a single site, Australian yahoo has an au prefix which your exception will not pickup.

ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel