
Sophos Blocking Allowed Category

Good morning Sophos Community,

We have weapons as an allowed category in our Sophos Firewall but today - a user tried to go to a site, and it was blocked as weapons. I dug through the Firewall and can't figure out what is configured incorrectly. 

  • At this point in time the request was HTTP, not HTTPS. There are several factors and browser behaviours involved.
    In the address bar type "example.com".
    The browser might first assume it is HTTP, so it does a request for http://example.com but also (without being told to) does a request for http://example.com/favicon.ico (which it uses as the icon in the tab). Most HTTPS sites also run an HTTP redirector, so the request is returned with a 302 redirecting to load the HTTPS site instead. It happens so quickly that you don't notice.
    Some browsers are moving to "HTTPS first" and attempting HTTPS before HTTP when not specified. I would assume they also switch the automatic GET for the favicon to HTTPS, but I don't know.

    The request in the log he gave was favicon on HTTP on port 80.

    The block comes from the firewall, but because it is web traffic and a block page is friendlier than just dropping the connection, the firewall asks the proxy to block. There is no easy way for the firewall to tell the proxy why it is blocked: geoip, no user, or just hitting a block rule.

  • Hey Michael, thanks for this. I see what you mean, and per your original answer I think that was it: it was geoblocked, and since the reason given was category, that was where the confusion set in. Moving forward I'm going to sit with my network guy and IT director and let them know, when this comes up again, to first test to see where the blocked site is hosted.

  • I think the more important thing is, when a site is blocked, the block page presented to the user has limited information. You need to look at the Log Viewer and may need to look at both Web Filter and Firewall detailed logs.

  • So the problem isn't just that the block page is straight up delivering misinformation, but the firewall is blocking a country that isn't even on your geo blocklisted countries?

    May we see a screenshot of the firewall rule, if you will? I'm curious to see what firewall rule ID #3 looks like.

  • Weapons is an allowed category by default; it is not part of any policies. When added to my policies, Weapons is blocked. Removed, and access is allowed. Then I blocked Bulgaria, and the block message is "Weapons has been blocked". Strange result.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • So that settles it then: the website is based in Bulgaria, so it would be blocked if Bulgaria was blocked. I'm still curious about Hey Help Guy's firewall rule ID #3.

  • Hey Alan, so yes after getting everyone's assistance the collective agreement is that the site is blocked because it's in a geoblocked country but since the Firewall can't report that to end users, it simply says it's a blocked category. 

    As for my rules, here is a look at all of my current rules: 

    So if we drill down into rule #3 more it's a geoblocking rule. Pretty much all countries are on our blocked list. 

    Thanks again for your assistance on tackling this issue. I do have a few more other issues but that'll be for other posts. Have a good weekend.
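The troubleshooting advice in this thread (check both the Web Filter and Firewall logs, and look for a geo rule on the same flow, since the block page can only name a category) can be scripted for triage. This is an added example, not code from the thread or from Sophos; the key=value log layout, field names, rule IDs and the sample lines are all constructed assumptions, as the real Sophos Firewall log format is not shown here.

```python
from typing import Optional

# Constructed sample lines in an assumed key=value layout (not the real
# Sophos Firewall log format). Flow 1 mirrors the thread: a plain-HTTP
# favicon fetch denied by geo rule 3, reported to the user as "Weapons".
WEB_FILTER_LOG = """\
ts=2024-05-03T09:12:01 src_ip=10.0.0.25 dst_ip=203.0.113.10 url=http://example.com/favicon.ico category=Weapons action=Denied
ts=2024-05-03T09:12:05 src_ip=10.0.0.26 dst_ip=198.51.100.7 url=https://shop.example/ category=Weapons action=Denied
"""

FIREWALL_LOG = """\
ts=2024-05-03T09:12:01 src_ip=10.0.0.25 dst_ip=203.0.113.10 dst_country=Bulgaria fw_rule_id=3 rule_type=geo action=Deny
ts=2024-05-03T09:12:05 src_ip=10.0.0.26 dst_ip=198.51.100.7 dst_country=Germany fw_rule_id=7 rule_type=allow action=Allow
"""


def parse(log: str) -> list:
    """Split key=value log lines into dicts, skipping blank lines."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in log.splitlines() if line.strip()]


def explain_block(web_event: dict, firewall_events: list) -> str:
    """Return the real reason a denied web request was blocked.

    The block page only names the category, so look for a firewall Deny on
    the same src/dst pair; a geo rule there is the actual cause.
    """
    for fw in firewall_events:
        same_flow = (fw["src_ip"] == web_event["src_ip"]
                     and fw["dst_ip"] == web_event["dst_ip"])
        if same_flow and fw["action"] == "Deny":
            if fw["rule_type"] == "geo":
                return (f"geo block: firewall rule {fw['fw_rule_id']} denies "
                        f"{fw['dst_country']} (block page still says "
                        f"'{web_event['category']}')")
            return f"firewall rule {fw['fw_rule_id']} denied the connection"
    return f"web policy block: category '{web_event['category']}' is blocked"


def favicon_note(web_event: dict) -> Optional[str]:
    """Flag the browser's own plain-HTTP favicon fetch described in the thread."""
    url = web_event["url"]
    if url.startswith("http://") and url.endswith("/favicon.ico"):
        return "automatic favicon fetch over HTTP (port 80), not a user click"
    return None


def triage(web_log: str, firewall_log: str) -> list:
    """One explanatory line per denied web request."""
    fw_events = parse(firewall_log)
    out = []
    for ev in parse(web_log):
        note = favicon_note(ev)
        line = f"{ev['ts']} {ev['src_ip']} -> {ev['url']}: {explain_block(ev, fw_events)}"
        out.append(line + (f" [{note}]" if note else ""))
    return out


if __name__ == "__main__":
    for line in triage(WEB_FILTER_LOG, FIREWALL_LOG):
        print(line)
```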