
Sophos Blocking Allowed Category

Good morning Sophos Community,

We have weapons as an allowed category in our Sophos Firewall but today - a user tried to go to a site, and it was blocked as weapons. I dug through the Firewall and can't figure out what is configured incorrectly. 



  • So in this case it is hitting firewall rule "Outbound Geo Blocking". The firewall tells the proxy "Here is the connection, but please apply a Deny All policy because they should be blocked." The proxy sees that category Weapons is blocked in a Deny All policy. The proxy returns a Block Page with the category blocked.

    The underlying block is Geo Blocking. I'm not sure if the corresponding firewall log will give more information.

    Some GeoIP databases think that the IP is in Bulgaria.
    www.maxmind.com/.../geoip-demo

  • So, the destination is also port 80, which is really odd since the site uses HTTPS. Can you verify that your web filtering rules are not set to deny HTTP traffic? I could see the destination being 443, but why is it trying to connect to port 80 when the site uses HTTPS, which should be port 443?

  • Ah I see. So even though weapons is an allowed category, the Sophos Firewall still blocked it as Geoblocking and stated the reason was a category. If I have that correct, that's a bit odd that in the blocking message it doesn't imply that it's a geo issue. 

  • At this point in time the request was HTTP, not HTTPS. There are several factors and browser behavior.
    In the address bar, type "example.com".
    The browser might first assume it is HTTP, so it does a request for http://example.com but also (without being told to) does a request for http://example.com/favicon.ico (which it uses as the icon in the tab). Most HTTPS sites also run an HTTP redirector, so the request is returned with a 302 redirecting to load the HTTPS site instead. It happens so quickly that you don't notice.
    Some browsers are moving to "HTTPS first" and attempting HTTPS before HTTP when not specified. I would assume they also switch the automatic GET for favicon to HTTPS, but I don't know.

    The request in the log he gave was favicon on HTTP on port 80.

    The block comes from the firewall, but because it is web and a block page is friendlier than just dropping the connection, the firewall asks the proxy to block. There is no easy way for the firewall to tell the proxy why it is blocked: GeoIP, no user, or just hit a block rule.

  • Hey Michael, thanks for this. I see what you mean, and per your original answer I think that was it: it was geoblocked, and since the reason given was category, that was where the confusion set in. Moving forward I'm going to sit with my network guy and IT director, and let them know when this comes up again to first test to see where the blocked site is hosted.

  • I think the more important thing is, when a site is blocked, the block page presented to the user has limited information. You need to look at the Log Viewer and may need to look at both Web Filter and Firewall detailed logs.
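Correlating the two logs the replies above point to (Web Filter and Firewall) for the same connection, as an added example that is not part of this thread or of Sophos's own tooling. The log lines are constructed in the key=value style of Sophos Firewall syslog; the field names, addresses and ports are assumptions and should be checked against your own Log Viewer export.

```python
import shlex

# Constructed sample log lines in the key=value style of Sophos Firewall syslog.
# Field names, IPs and ports are assumptions; confirm against your own Log Viewer export.
WEB_FILTER_LOG = [
    'log_type="Content Filtering" log_subtype="Denied" fw_rule_id=3 src_ip=10.1.2.50 '
    'src_port=51234 dst_ip=203.0.113.10 dst_port=80 '
    'url="http://example.com/favicon.ico" category="Weapons"',
    'log_type="Content Filtering" log_subtype="Denied" fw_rule_id=2 src_ip=10.1.2.51 '
    'src_port=51300 dst_ip=198.51.100.7 dst_port=443 '
    'url="https://shop.example.net/" category="Weapons"',
]
FIREWALL_LOG = [
    'log_type="Firewall" log_subtype="Denied" fw_rule_id=3 '
    'fw_rule_name="Outbound Geo Blocking" src_ip=10.1.2.50 src_port=51234 '
    'dst_ip=203.0.113.10 dst_port=80 dst_country_code=BGR',
    'log_type="Firewall" log_subtype="Allowed" fw_rule_id=2 fw_rule_name="LAN to WAN" '
    'src_ip=10.1.2.51 src_port=51300 dst_ip=198.51.100.7 dst_port=443 dst_country_code=USA',
]

def parse_kv(line):
    """Parse one key=value syslog line (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def conn_key(ev):
    """Identify a connection by its source/destination address and port."""
    return (ev["src_ip"], ev["src_port"], ev["dst_ip"], ev["dst_port"])

def explain_block(web_line, firewall_lines):
    """Match a web filter Denied event to the firewall event for the same connection."""
    web = parse_kv(web_line)
    fw_events = {conn_key(ev): ev for ev in map(parse_kv, firewall_lines)}
    fw = fw_events.get(conn_key(web))
    result = {
        "url": web.get("url"),
        "shown_category": web.get("category"),
        # Plain-HTTP requests (e.g. the browser's favicon fetch) hit port 80
        # even for sites that are normally reached over HTTPS.
        "plain_http": web.get("dst_port") == "80",
        "reason": "category policy",
    }
    if fw is not None:
        result["fw_rule_id"] = fw.get("fw_rule_id")
        result["fw_rule_name"] = fw.get("fw_rule_name")
        result["dst_country"] = fw.get("dst_country_code")
        # A firewall Denied on the same connection means the proxy was only
        # asked to render the block page; the category it shows is incidental.
        if fw.get("log_subtype") == "Denied":
            result["reason"] = "firewall rule (e.g. geo blocking)"
    return result
```

Run `explain_block` over each Denied line from the Web Filter log; a result whose reason is "firewall rule" with a `dst_country` set is the geo-block case discussed in this thread, regardless of the category printed on the block page.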

  • So the problem isn't just that the block page is straight up delivering misinformation, but the firewall is blocking a country that isn't even on your geo blocklisted countries?

    May we see a screenshot of the firewall rule if you will? I'm curious to see what firewall rule ID #3 looks like.

  • Weapons by default is an allowed category; it is not part of any policies. When added to my policies, weapons is blocked. Removed, and access is allowed. Then I blocked Bulgaria and the block message is "Weapons has been blocked", a strange result.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • So that settles it then: the website is based in Bulgaria, so it would be blocked if Bulgaria was blocked. I'm still curious about Hey Help Guy's firewall rule ID #3.