
Websites load slowly or not at all without Web-Proxy

Hello,

We have the problem that in general all websites load slowly and many do not load at all. We use version 19 (SFV4C6 / 19.0.0-B317) as a VM in Hyper-V.

Here are some examples of websites that cannot be accessed at all:

The basic problems (e.g. DNS or WAN connection) can definitely be ruled out. We spent several hours with Sophos Support, and they desperately adjusted all the options. We were then told that we must enable the "Use web proxy instead of DPI engine" option in a rule for HTTP and HTTPS connections.

But that doesn't make any sense to us at all. Why do we have to enable the old web proxy to be able to access websites quickly and reliably? There must be a way to access websites (HTTP/HTTPS) without web filtering. The other question is why the problems also exist with the DPI engine and only the old web proxy works reliably.

As mentioned above, after activating the following options, all websites can be loaded without problems and also at a good speed:

  • Use web proxy instead of DPI engine > Active
  • Web-Policy > Any (e.g. Allow All)

Maybe someone can help us or explain the background.

Thanks!



  • Hi,

    The web proxy is used if you want full policy scanning, and the DPI engine, as of the current version, does not scan UDP traffic. In the web settings, do you have any boxes ticked? If so, you will be using the web proxy.

    iCloud will need exceptions enabled, along with all the other Apple sites.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • This. Are there any TLS decryption rules in effect? If so, is there an earlier rule that forces no decryption for the Sophos-maintained list (and also your hand-curated list)? The very first thing I look at when a website fails is whether it showed up as decrypted in the TLS logs.

  • Irrespective of the DPI engine or the web proxy:

    Can you add them under Web > Exceptions:
    ^([A-Za-z0-9.-]*\.)?icloud\.com/
    ^([A-Za-z0-9.-]*\.)?www\.securepoint\.de/
    ^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/

    You can skip all the following checks:
    HTTPS decryption
    HTTPS certificate validation
    Malware and content scanning
    Zero-day protection
    Policy checks

    By default the DPI engine is enabled; the DPI engine detects and filters HTTP and SSL/TLS traffic on any port.
    If you use "Use web proxy instead of DPI engine", the web proxy transparently handles traffic only on TCP ports 80 and 443.

    Under Rules & Policies > SSL/TLS inspection rules, if you are using the DPI engine and want to completely turn off SSL/TLS inspection, click

    SSL/TLS inspection settings > Advanced settings > Disable.


    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

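As an added illustration (not code from the thread or from Sophos), the following Python checks which request URLs the three exception patterns quoted above would actually cover, assuming the firewall applies each pattern to the URL with the scheme stripped (host followed by path). It also tries a domain-wide variant for yahoo.com, which is a constructed pattern, not one posted in the thread, to show why a `www.`-only exception can leave a site's other hosts still subject to inspection.

```python
import re

# The three web-exception URL patterns quoted in the thread above.
EXCEPTION_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?icloud\.com/",
    r"^([A-Za-z0-9.-]*\.)?www\.securepoint\.de/",
    r"^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/",
]

# Constructed, broader variant: covers yahoo.com itself and every subdomain.
DOMAIN_WIDE_YAHOO = r"^([A-Za-z0-9.-]*\.)?yahoo\.com/"


def normalize(url: str) -> str:
    """Assumption: the pattern is matched against the URL with the scheme
    removed and a path always present, i.e. 'host/path'."""
    url = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    host, _sep, path = url.partition("/")
    return host.lower() + "/" + path


def matching_pattern(url: str, patterns=EXCEPTION_PATTERNS):
    """Return the first exception pattern that covers url, or None."""
    target = normalize(url)
    for pat in patterns:
        if re.search(pat, target):  # patterns carry their own ^ anchor
            return pat
    return None


def audit(urls, patterns=EXCEPTION_PATTERNS) -> dict:
    """Map each URL to True (exempt from the skipped checks) or False
    (still inspected by the DPI engine or web proxy)."""
    return {u: matching_pattern(u, patterns) is not None for u in urls}


# Constructed sample requests a browser might issue while loading the
# sites named in the thread; they are not taken from the poster's logs.
SAMPLE_URLS = [
    "https://www.yahoo.com/",
    "https://login.yahoo.com/",            # not covered: pattern requires www.
    "https://yahoo.com/",                  # not covered: bare domain
    "https://www.icloud.com/",
    "https://icloud.com/",
    "https://www.yahoo.com.example.test/", # not covered: trailing '/' anchor
]

if __name__ == "__main__":
    for url, exempt in audit(SAMPLE_URLS).items():
        print(f"{'EXEMPT ' if exempt else 'INSPECT'} {url}")
```

Running the audit against the actual hostnames seen in the Log Viewer for a failing page shows whether the exception is being hit at all, or whether the page loads resources from hosts the pattern does not name.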

  • I made the following settings:

    SSL/TLS Inspection > Off
    Web Policy > None
    Use web proxy instead of DPI engine > Inactive
    Web-Exception (Skip all checks) > ^([A-Za-z0-9.-]*\.)?www\.yahoo\.com/


    Log Viewer
    SSL/TLS Inspection: Nothing
    Web filter: Nothing


    The website (https://www.yahoo.com) still cannot be accessed. We also only have a single firewall rule, so there is no overlap with other rules. Why can't the DPI engine be completely disabled?
