Sophos Blocking Allowed Category

The block page that you have the screenshot for is normally a category block, however it is also a default block page for some rarer conditions that may not be related to category.  Can you please check the Log Viewer in detailed view, as well as let us know what website they are going to.

Hi Michael,

So the site is PMCAmmo.com. I performed a TraceRT thru Command Line and PMCAmmo Resolves to 82.118.225.48

I checked Log Viewer and it was being blocked as invalid traffic but got it work because I made an exception in Host & Services > FQDN Host > A geoblocking exception list but again it's odd that it's still coming up as invalid traffic as Germany isn't one of our Geoblocked countries, and weapons category isn't blocked. 

If you are trying to track down the cause of web blocking, load the Log Viewer.  Change the dropdown from Firewall to Web Filter.  On the blocked traffic, however over the icon to get full details.

Alternately, click the icon that says "detailed view".  This will switch to all log modules.  Use the dropdown to only select Web Filter.

Good call Michael. So I did that and saw the traffic:  

2023-05-25 07:51:13Web filtermessageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="3" fw_rule_name="Outbound Geo Blocking" fw_rule_section="Local rule" user="" user_group="" web_policy_id="2" web_policy="Deny All" category="Weapons" category_type="Objectionable" url="">pmcammo.com/favicon.ico" content_type="" override_token="" src_ip="192.168.130.234" dst_ip="82.118.225.48" protocol="TCP" src_port="32791" dst_port="80" bytes_sent="0" bytes_received="0" domain="pmcammo.com" exception="" activity_name="" reason="" user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50" status_code="403" transaction_id="" referer="">http://pmcammo.com/" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="1972062890" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"

So in this case it is hitting firewall rule "Outbound Geo Blocking".  The firewall tells the proxy "Here is the connection, but please apply a Deny All policy because they should be blocked.  The proxy sees that category Weapons is blocked in a Deny All policy.  The proxy returns a Block Page with the category blocked.

The underlying block is Geo Blocking.  I'm not sure if the corresponding firewall log will give more information.

Some GeoIP databases thinks that the IP is in Bulgaria.
www.maxmind.com/.../geoip-demo

So in this case it is hitting firewall rule "Outbound Geo Blocking".  The firewall tells the proxy "Here is the connection, but please apply a Deny All policy because they should be blocked.  The proxy sees that category Weapons is blocked in a Deny All policy.  The proxy returns a Block Page with the category blocked.

The underlying block is Geo Blocking.  I'm not sure if the corresponding firewall log will give more information.

Some GeoIP databases thinks that the IP is in Bulgaria.
www.maxmind.com/.../geoip-demo

So, the destination is also port 80 which is really odd since the site uses HTTPS. Can you verify that your web filtering rules are not set to deny HTTP traffic? I could see the destination being 443, but why it's trying to connect to port 80 when the site uses HTTPS which should be port 443.

Ah I see. So even though weapons is an allowed category, the Sophos Firewall still blocked it as Geoblocking and stated the reason was a category. If I have that correct, that's a bit odd that in the blocking message it doesn't imply that it's a geo issue. 

At this point in time the request was http not https.  There are several factors and browser behavior.
In he address bar type "example.com".
The browser might first assume it is HTTP so it does a request for http://example.com but also (without being told to) does a request for http://example.com/favicon.ico (which it uses as the icon in the tab).  Most HTTPS sites also run an HTTP redirector so the request is returned with a 302 and redirecting to load the HTTPS site instead.  It happens so quickly that you don't notice.
Some browsers are moving to "HTTPS first" and attempting HTTPS before HTTP when not specified.  I would assume they also switch he automatic get for favicon to HTTPS but I don't know.

The request in the log he gave was favicon on HTTP on port 80.

The block comes from the firewall, but because it is web and a block page is friendlier than just dropping the connection, the firewall asks the proxy to block.  There is no easy way for the firewall to tell the proxy why it is blocked - geoip, no user, or just hit a block rule.

Hey Michael, thanks for this. I see what you mean, and per your original answer I think that was it, it was geoblocked and since the reason given was category that was were the confusion set in. Moving forward I'm going to sit with my network guy and IT director, and let them know when this comes up again to first test to see where the blocked site is hosted. 

I think the more important thing is, when a site it blocked tehe block page presented to the user has limited information.  You need to look at the Log Viewer and may need to look at both Web Filter and Firewall detailed logs.

Right

So the problem isn't just that the block page is straight up delivering misinformation, but the firewall is blocking a country that isn't even on your geo blocklisted countries?

May we see a screenshot of the firewall  rule if you will? I'm curious to see what firewall rule ID #3 looks like.

Weapons by default is an allowed category, it is not part of any policies. When added to my policies, weapons is blocked. Removed and access is allowed. Then I blocked Bulgaria and the block message is Weapons has been blocked, strange result.

Ian

So that settles it then: the website is based in Bulgaria, so it would be blocked if Bulgaria was blocked. I'm still curious about Hey Help Guy's firewall rule ID #3.

Hi Ian, yes strange indeed.