
Sophos Blocking Allowed Category

Good morning Sophos Community,

We have Weapons as an allowed category in our Sophos Firewall, but today a user tried to go to a site and it was blocked as Weapons. I dug through the Firewall and can't figure out what is configured incorrectly.

  • The block page that you have the screenshot for is normally a category block, however it is also a default block page for some rarer conditions that may not be related to category.  Can you please check the Log Viewer in detailed view, as well as let us know what website they are going to.

  • Hi Michael,

    So the site is PMCAmmo.com. I performed a tracert through the command line and PMCAmmo resolves to 82.118.225.48.

    I checked Log Viewer and it was being blocked as invalid traffic, but I got it to work because I made an exception in Host & Services > FQDN Host > a geoblocking exception list. But again it's odd that it's still coming up as invalid traffic, as Germany isn't one of our geoblocked countries and the Weapons category isn't blocked.

  • So in this case it is hitting firewall rule "Outbound Geo Blocking". The firewall tells the proxy "Here is the connection, but please apply a Deny All policy because they should be blocked." The proxy sees that category Weapons is blocked in a Deny All policy. The proxy returns a Block Page with the category blocked.

    The underlying block is Geo Blocking.  I'm not sure if the corresponding firewall log will give more information.

    Some GeoIP databases think that the IP is in Bulgaria.
    www.maxmind.com/.../geoip-demo

  • So, the destination is also port 80 which is really odd since the site uses HTTPS. Can you verify that your web filtering rules are not set to deny HTTP traffic? I could see the destination being 443, but why it's trying to connect to port 80 when the site uses HTTPS which should be port 443.

  • Ah I see. So even though weapons is an allowed category, the Sophos Firewall still blocked it as Geoblocking and stated the reason was a category. If I have that correct, that's a bit odd that in the blocking message it doesn't imply that it's a geo issue. 

  • At this point in time the request was HTTP, not HTTPS. There are several factors and browser behaviors.
    In the address bar type "example.com".
    The browser might first assume it is HTTP, so it does a request for http://example.com but also (without being told to) does a request for http://example.com/favicon.ico (which it uses as the icon in the tab). Most HTTPS sites also run an HTTP redirector, so the request is returned with a 302 redirecting to load the HTTPS site instead. It happens so quickly that you don't notice.
    Some browsers are moving to "HTTPS first" and attempting HTTPS before HTTP when not specified. I would assume they also switch the automatic GET for favicon to HTTPS, but I don't know.

    The request in the log he gave was favicon on HTTP on port 80.

    The block comes from the firewall, but because it is web and a block page is friendlier than just dropping the connection, the firewall asks the proxy to block.  There is no easy way for the firewall to tell the proxy why it is blocked - geoip, no user, or just hit a block rule.
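As an added illustration of the chain Michael describes above (firewall geo rule matches, proxy is handed a Deny All policy, block page names the category), here is a small model written for this thread; it is not Sophos code and does not read real logs. The GeoIP table, rule names and country list are constructed, with 82.118.225.48 placed in BG per the MaxMind remark earlier in the thread.

```python
"""Constructed model of the block chain described in this thread (not Sophos
code): a firewall rule matches on destination country, hands the connection to
the web proxy with a Deny All policy, and the block page then reports the
category rather than the geo rule.  GeoIP data and rule names are made up."""
from dataclasses import dataclass, field
import ipaddress

# Constructed GeoIP table.  82.118.225.48 -> BG follows the MaxMind note above;
# 192.0.2.0/24 is RFC 5737 documentation space, tagged "US" here as a stand-in.
GEOIP = {
    ipaddress.ip_network("82.118.225.0/24"): "BG",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

def country_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), "??")

@dataclass
class FirewallRule:
    name: str
    match_countries: set            # empty set = any destination country
    web_policy: str                 # "Deny All" or "Default" (category policy)
    fqdn_exceptions: set = field(default_factory=set)

def evaluate(host, ip, category, rules, blocked_categories):
    """Walk the rules top-down.  Returns (verdict, rule name as it would
    appear in the firewall log, text as it would appear on the block page)."""
    for rule in rules:
        if host in rule.fqdn_exceptions:
            continue                # FQDN host exception: this rule is skipped
        if rule.match_countries and country_of(ip) not in rule.match_countries:
            continue                # destination country not in this rule
        if rule.web_policy == "Deny All":
            # Geo rule hit.  The proxy is only told to deny, so the page names
            # the category even though that category is allowed in web policy.
            return "blocked", rule.name, f"Category '{category}' blocked"
        if category in blocked_categories:
            return "blocked", rule.name, f"Category '{category}' blocked"
        return "allowed", rule.name, None
    return "blocked", "default drop", None

# Constructed rule set: a rule #3-style geo rule above a normal outbound rule.
GEO_RULE = FirewallRule("Outbound Geo Blocking", {"BG", "RU", "CN"}, "Deny All")
LAN_RULE = FirewallRule("LAN to WAN", set(), "Default")
RULES = [GEO_RULE, LAN_RULE]
# Same rule set after adding the FQDN host exception the poster created.
RULES_FIXED = [FirewallRule(GEO_RULE.name, GEO_RULE.match_countries, "Deny All",
                            {"pmcammo.com"}), LAN_RULE]
```

Calling evaluate("pmcammo.com", "82.118.225.48", "Weapons", RULES, {"Adult"}) returns the geo rule name in the log position but "Category 'Weapons' blocked" in the block-page position, which is exactly the mismatch that caused the confusion here.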

  • Can you do a policy test for PMCAmmo.com?

    Sophos firewall dashboard-->diagnostics-->URL category lookup--->PMCAmmo.com

  • Hey Alan,

    I can confirm it is indeed classified as Weapons which is correct. 

  • Hey Michael, thanks for this. I see what you mean, and per your original answer I think that was it: it was geoblocked, and since the reason given was category, that was where the confusion set in. Moving forward I'm going to sit with my network guy and IT director and let them know, when this comes up again, to first test to see where the blocked site is hosted.

  • I think the more important thing is, when a site is blocked, the block page presented to the user has limited information. You need to look at the Log Viewer and may need to look at both Web Filter and Firewall detailed logs.

  • So the problem isn't just that the block page is straight up delivering misinformation, but the firewall is blocking a country that isn't even on your geo blocklisted countries?

    May we see a screenshot of the firewall rule if you will? I'm curious to see what firewall rule ID #3 looks like.

  • Weapons by default is an allowed category; it is not part of any policies. When added to my policies, Weapons is blocked. Removed, and access is allowed. Then I blocked Bulgaria, and the block message is "Weapons has been blocked". Strange result.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

  • So that settles it then: the website is based in Bulgaria, so it would be blocked if Bulgaria was blocked. I'm still curious about Hey Help Guy's firewall rule ID #3.

  • Hey Alan, so yes, after getting everyone's assistance the collective agreement is that the site is blocked because it's in a geoblocked country, but since the Firewall can't report that to end users, it simply says it's a blocked category.

    As for my rules, here is a look at all of my current rules: 

    So if we drill down into rule #3 more it's a geoblocking rule. Pretty much all countries are on our blocked list. 

    Thanks again for your assistance on tackling this issue. I do have a few more other issues but that'll be for other posts. Have a good weekend.