MATCH KNOWN USERS ISSUE WITH PROXY

Hello,

I'm using Sophos XG2300 SFOS 19.0.1 MR-1-Build365 and I would like to ask why I get blocked when I'm trying to browse the internet with a configured proxy, Match known users turned on and web filtering set to None. Through testing and searching I managed to make a workaround where I had to make a new firewall rule for the proxy only.

  • first firewall rule (LAN to WAN) has these settings: Services HTTP/S, ICMP; Match known users and Web proxy instead of DPI engine
  • second firewall rule (LAN to WAN PROXY) has these settings: Services PROXY(TCP 3128); Web proxy instead of DPI engine

If I enable Match known users on the second firewall rule, I get blocked from all websites even if I don't have web filtering on. I don't quite understand why that is happening, so I would like to ask if anyone could tell me the reason.

Another problem with Match known users is that the web proxy transparently handles traffic only on TCP ports 80 and 443. If I have Match known users on and the proxy turned off for the browser, I can't seem to get on any website; I get stuck on loading and then the connection times out. If I have Match known users off and the proxy turned off for the browser, I manage to get on websites.

[edited by: emmosophos at 7:28 PM (GMT -7) on 22 Sep 2022]
  • Seeing you have decrypt HTTPS on, do you have a CA installed on your devices? You should also have Allow All enabled in the web policy.

    Ian

    XG115W - v19.0.1 mr-1 - Home

    1225v5 6gb ram, SSID, 4 NICs 20w - v19 EAP - on holiday.

    If a post solves your question please use the 'Verify Answer' button.

  • Hello,

    Yes, I have the CA installed on my device, and the Allow All web policy doesn't help with the blocking caused by Match known users either.
    Also, here's my web proxy configuration if you need to take a look.

  • Hi VGDtech,

    Please post the error message for the website(s) getting blocked in the web browser from Sophos.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Hi,

    Here's a detailed log of what happens when I have Match known users enabled and web filtering set to Allow All.

  • Also, post the blocked message getting on the browser from Sophos.

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • It's a different website, but the result is the same, even in the log viewer.

  • May I know if it was working earlier? Did you make any changes that could cause the issue, like the Minimum TLS version? As I can see, the default setting is TLS 1.1 in my lab.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • I changed the minimum TLS version to TLS 1.2, and I don't think it worked with TLS 1.1 either.

  • May I know if it was working earlier? Is DNS not allowed on the firewall rule under Services?

    I have tested the firewall rules below and it worked, allowing DNS without authentication:

    Here rule ID 10 is the DNS service-based rule without Match known users, and rule ID 9 has the Match known users tick mark on the firewall rule.

    If you apply the "Deny All" web filter policy, it will drop all web traffic and you will get the Sophos Blocked message when accessing any website. Instead, you can try the web filter policy below, where I have allowed access to the Government website as an example and blocked the rest:

    Please check with the drop-packet-capture as per the link below and share the drop logs:

    https://support.sophos.com/support/s/article/KB-000036858?language=en_US

    Check the packet flow under MONITOR & ANALYZE --> Diagnostics --> Packet Capture. Click Configure, enter the BPF string host <Source IP or destination IP> and turn on the Packet Capture.

    The packet capture will help to find the traffic passing through the rule configured.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • So I changed it to TLS 1.1, turned on Match known users for my LAN to WAN PROXY rule and I still keep getting blocked. DNS is allowed; I tested it with the "same" setup you've shown me, but I get the same problem.


    Drop packet capture with the proxy off on my device:

    2022-09-23 09:27:58 0101021 IP xxx.xxx.xxx.xxx.57496 > 77.75.79.222.443 : proto TCP: S 1011811188:1011811188(0) win 64240 checksum : 18010
    0x0000: 4500 0034 a7eb 4000 7f06 482a 0a21 6464 E..4..@...H*.!dd
    0x0010: 4d4b 4fde e098 01bb 3c4f 0374 0000 0000 MKO.....<O.t....
    0x0020: 8002 faf0 465a 0000 0204 05b4 0103 0308 ....FZ..........
    0x0030: 0101 0402 ....
    Date=2022-09-23 Time=09:27:58 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1.500 out_dev=Port2.92 inzone_id=1 outzone_id=2 source_mac=00:50:56:b5:2e:53 dest_mac=c8:4f:86:fc:00:01 bridge_name= l3_protocol=IPv4 source_ip=xxx.xxx.xxx.xxx dest_ip=77.75.79.222 l4_protocol=TCP source_port=57496 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=4168966711 masterid=0 status=256 state=1, flag0=551905394688 flags1=0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    packet capture

    Ethernet header
    Source MAC address:00:50:56:b5:2e:53
    Destination MAC address: c8:4f:86:fc:00:01
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:xxx.xxx.xxx.xxx
    Destination IP address:204.79.197.203
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:57812
    Fragment offset:16384
    Time to live: 127
    Checksum: 6479

    TCP Header:
    Source port: 59675
    Destination port: 443
    Flags: SYN
    Sequence number: 3991552999
    Acknowledgement number: 0
    Window: 64240
    Checksum: 22230

    0x0000: 4500 0034 e1d4 4000 7f06 194f 0a21 6464 E..4..@....O.!dd
    0x0010: cc4f c5cb e91b 01bb edea 43e7 0000 0000 .O........C.....
    0x0020: 8002 faf0 56d6 0000 0204 05b4 0103 0308 ....V...........
    0x0030: 0101 0402 ....

    Drop packet capture with the proxy turned on on my device:

    2022-09-23 09:39:48 0101021 IP xxx.xxx.xxx.xxx.59342 > 20.190.159.68.443 : proto TCP: S 3905985973:3905985973(0) win 64240 checksum : 57735
    0x0000: 4500 0034 786c 4000 7f06 60d0 0a21 6464 E..4xl@...`..!dd
    0x0010: 14be 9f44 e7ce 01bb e8d0 9db5 0000 0000 ...D............
    0x0020: 8002 faf0 e187 0000 0204 05b4 0103 0308 ................
    0x0030: 0101 0402 ....
    Date=2022-09-23 Time=11:04:40 log_id=0101021 log_type=Firewall log_component=Firewall_Rule log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port1.500 out_dev=Port2.92 inzone_id=1 outzone_id=2 source_mac=00:50:56:b5:2e:53 dest_mac=c8:4f:86:fc:00:01 bridge_name= l3_protocol=IPv4 source_ip=xxx.xxx.xxx.xxx dest_ip=20.190.159.68 l4_protocol=TCP source_port=59342 dest_port=443 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 hotspotuser_id=0 hb_src=0 hb_dst=0 dnat_done=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=0 dn_classid=0 nat_id=0 cluster_node=0 inmark=0x0 nfqueue=0 gateway_offset=0 connid=1967544130 masterid=0 status=256 state=1, flag0=551905394688 flags1=0 pbrid[0]=0 pbrid[1]=0 profileid[0]=0 profileid[1]=0

    packet capture


    Ethernet header
    Source MAC address:00:50:56:b5:2e:53
    Destination MAC address: c8:4f:86:fc:00:01
    Ethernet type IPv4 (0x800)

    IPv4 Header
    Source IP address:xxx.xxx.xxx.xxx
    Destination IP address:40.127.240.158
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 52 Bytes
    Identification:1570
    Fragment offset:16384
    Time to live: 127
    Checksum: 28159

    TCP Header:
    Source port: 60835
    Destination port: 443
    Flags: SYN
    Sequence number: 3314963583
    Acknowledgement number: 0
    Window: 64240
    Checksum: 58119

    0x0000: 4500 0034 0622 4000 7f06 6dff 0a21 6464 E..4."@...m..!dd
    0x0010: 287f f09e eda3 01bb c596 547f 0000 0000 (.........T.....
    0x0020: 8002 faf0 e307 0000 0204 05b4 0103 0308 ................
    0x0030: 0101 0402 ....
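As an added example (not code from the thread or from Sophos), the script below decodes the tcpdump-style hex dump posted above into the same IPv4/TCP fields as the readable capture next to it, and parses a Sophos key=value log line so that a default drop (Denied with fw_rule_id=0, i.e. no configured rule matched) can be told apart from a block by a specific rule or by the web filter. The hex dump is the proxy-off SYN from above; the log line is a constructed, abridged copy of the posted one with only the relevant keys.

```python
import re
import struct

# Constructed sample input: the proxy-off SYN hex dump posted above; the
# readable header block next to it gives the expected decoded values.
HEXDUMP = """\
0x0000: 4500 0034 e1d4 4000 7f06 194f 0a21 6464 E..4..@....O.!dd
0x0010: cc4f c5cb e91b 01bb edea 43e7 0000 0000 .O........C.....
0x0020: 8002 faf0 56d6 0000 0204 05b4 0103 0308 ....V...........
0x0030: 0101 0402 ...."""

# Constructed, abridged Sophos firewall log line in the same key=value format.
FW_LOG = ("Date=2022-09-23 Time=09:27:58 log_id=0101021 log_component=Firewall_Rule "
          "log_subtype=Denied dest_ip=77.75.79.222 l4_protocol=TCP source_port=57496 "
          "dest_port=443 fw_rule_id=0 web_filter_id=0 status=256 state=1, flags1=0")

def dump_to_bytes(dump: str) -> bytes:
    # Read at most 8 hex words after each 0xNNNN: offset so the ASCII gutter is skipped.
    words = []
    for line in dump.splitlines():
        words += [w for w in line.split()[1:9]
                  if re.fullmatch(r"[0-9a-f]{2}|[0-9a-f]{4}", w, re.I)]
    return bytes.fromhex("".join(words))

def decode_ipv4_tcp(pkt: bytes) -> dict:
    # IPv4 fixed header, then the TCP header at the IHL offset (network byte order).
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto, ip_csum,
     _src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    (sport, dport, seq, _ack, off_flags, window,
     tcp_csum, _urg) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {"dst_ip": ".".join(map(str, dst)), "protocol": proto,
            "total_length": total_len, "identification": ident,
            "frag_field": frag,  # Sophos prints this raw field: DF bit set -> 16384
            "ttl": ttl, "ip_checksum": ip_csum, "src_port": sport, "dst_port": dport,
            "syn": bool(off_flags & 0x02), "seq": seq, "window": window,
            "tcp_checksum": tcp_csum}

def parse_fw_log(line: str) -> dict:
    # Sophos log lines are whitespace-separated key=value pairs; values may be empty.
    return {k: v.rstrip(",") for k, v in
            (kv.split("=", 1) for kv in re.findall(r"\S+=\S*", line))}

def drop_verdict(fields: dict) -> str:
    # fw_rule_id=0 on a Denied entry: no configured rule matched, so the packet hit
    # the default drop. A web-filter block would instead carry a web_filter_id.
    if fields.get("log_subtype") != "Denied":
        return "not-denied"
    if fields.get("fw_rule_id") == "0":
        return "default-drop-no-rule-matched"
    return "denied-by-rule-" + fields["fw_rule_id"]
```

Run `decode_ipv4_tcp(dump_to_bytes(HEXDUMP))` to compare against the readable capture, and `drop_verdict(parse_fw_log(line))` over each drop-packet-capture log line to see which drops never matched a rule.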

  • Port 443 is getting dropped; allow it on the LAN to WAN proxy rule.

    Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

  • So I allowed HTTP and HTTPS on the LAN to WAN PROXY rule and I'm still getting blocked. For some reason it's not using any of the firewall rules which I created.

    Packet Capture:

    Ethernet header
    Source MAC address:00:50:56:b5:2e:53
    Destination MAC address: xx:xx:xx:xx:xx:xx
    Ethernet type IPv4 (0x800)
     
    IPv4 Header
    Source IP address:xxx.xxx.xxx.xxx
    Destination IP address: proxy
    protocol: TCP
    Header:20 Bytes
    Type of service: 0
    Total length: 40 Bytes
    Identification:61598
    Fragment offset:16384
    Time to live: 128
    Checksum: 34954
     
    TCP Header:
    Source port: 56554
    Destination port: 3128
    Flags: FIN
    Sequence number: 693917171
    Acknowledgement number: 3255315882
    Window: 8207
    Checksum: 46584
  • Please post your firewall rules and NAT rules along with the block message you get from the Sophos XG firewall.

    "Sophos Partner: Infrassist Technologies Pvt Ltd".


  • Here are the rules and message. I did try to create a linked NAT rule but that didn't work either.