Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Blocking Allowed Category

Good morning Sophos Community,

We have weapons as an allowed category in our Sophos Firewall but today - a user tried to go to a site, and it was blocked as weapons. I dug through the Firewall and can't figure out what is configured incorrectly. 



This thread was automatically locked due to age.
Parents
  • The block page that you have the screenshot for is normally a category block, however it is also a default block page for some rarer conditions that may not be related to category.  Can you please check the Log Viewer in detailed view, as well as let us know what website they are going to.

Reply
  • The block page that you have the screenshot for is normally a category block, however it is also a default block page for some rarer conditions that may not be related to category.  Can you please check the Log Viewer in detailed view, as well as let us know what website they are going to.

Children
  • Hi Michael,

    So the site is PMCAmmo.com. I performed a TraceRT thru Command Line and PMCAmmo Resolves to 82.118.225.48

    I checked Log Viewer and it was being blocked as invalid traffic but got it work because I made an exception in Host & Services > FQDN Host > A geoblocking exception list but again it's odd that it's still coming up as invalid traffic as Germany isn't one of our Geoblocked countries, and weapons category isn't blocked. 

  • If you are trying to track down the cause of web blocking, load the Log Viewer.  Change the dropdown from Firewall to Web Filter.  On the blocked traffic, however over the icon to get full details.

    Alternately, click the icon that says "detailed view".  This will switch to all log modules.  Use the dropdown to only select Web Filter.

  • Good call Michael. So I did that and saw the traffic:  

    2023-05-25 07:51:13Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="3" fw_rule_name="Outbound Geo Blocking" fw_rule_section="Local rule" user="" user_group="" web_policy_id="2" web_policy="Deny All" category="Weapons" category_type="Objectionable" url="">pmcammo.com/favicon.ico" content_type="" override_token="" src_ip="192.168.130.234" dst_ip="82.118.225.48" protocol="TCP" src_port="32791" dst_port="80" bytes_sent="0" bytes_received="0" domain="pmcammo.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50" status_code="403" transaction_id="" referer="">http://pmcammo.com/" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1972062890" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

  • So in this case it is hitting firewall rule "Outbound Geo Blocking".  The firewall tells the proxy "Here is the connection, but please apply a Deny All policy because they should be blocked.  The proxy sees that category Weapons is blocked in a Deny All policy.  The proxy returns a Block Page with the category blocked.

    The underlying block is Geo Blocking.  I'm not sure if the corresponding firewall log will give more information.

    Some GeoIP databases thinks that the IP is in Bulgaria.
    www.maxmind.com/.../geoip-demo

  • So, the destination is also port 80 which is really odd since the site uses HTTPS. Can you verify that your web filtering rules are not set to deny HTTP traffic? I could see the destination being 443, but why it's trying to connect to port 80 when the site uses HTTPS which should be port 443.

  • Ah I see. So even though weapons is an allowed category, the Sophos Firewall still blocked it as Geoblocking and stated the reason was a category. If I have that correct, that's a bit odd that in the blocking message it doesn't imply that it's a geo issue. 

  • At this point in time the request was http not https.  There are several factors and browser behavior.
    In he address bar type "example.com".
    The browser might first assume it is HTTP so it does a request for http://example.com but also (without being told to) does a request for http://example.com/favicon.ico (which it uses as the icon in the tab).  Most HTTPS sites also run an HTTP redirector so the request is returned with a 302 and redirecting to load the HTTPS site instead.  It happens so quickly that you don't notice.
    Some browsers are moving to "HTTPS first" and attempting HTTPS before HTTP when not specified.  I would assume they also switch he automatic get for favicon to HTTPS but I don't know.

    The request in the log he gave was favicon on HTTP on port 80.

    The block comes from the firewall, but because it is web and a block page is friendlier than just dropping the connection, the firewall asks the proxy to block.  There is no easy way for the firewall to tell the proxy why it is blocked - geoip, no user, or just hit a block rule.

  • Can you do a policy test for PMCAmmo.com

    Sophos firewall dashboard-->diagnostics-->URL category lookup--->PMCAmmo.com

  • Hey Alan,

    I can confirm it is indeed classified as Weapons which is correct. 

  • Hey Michael, thanks for this. I see what you mean, and per your original answer I think that was it, it was geoblocked and since the reason given was category that was were the confusion set in. Moving forward I'm going to sit with my network guy and IT director, and let them know when this comes up again to first test to see where the blocked site is hosted.