

So... why are NVIDIA drivers suddenly taboo to download?

Not changed a thing on XG, even downloaded these drivers, using the same application, several times in the past. For the first time in weeks, I haven't had to mess with anything.  This worked just fine before.

I even have a 'Safe Downloading' exception for NVIDIA, yet the firewall is denying the download.  Today, the moon or the sun, or someone screwing with something must be the issue.  Had this happen before on UTM with Windows Updates, and then it magically fixed itself days later. 

What prompts this behavior to change and decide, "Oh well today I think it's okay, so I'm going to allow a download.  Yesterday didn't work for me."

I really don't understand this logic with the firewall.

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="international-gfe.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.98" dst_ip="192.229.211.70" protocol="TCP" src_port="63610" dst_port="443" bytes_sent="0" bytes_received="0" domain="international-gfe.download.nvidia.com" exception="" activity_name="" reason="" user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3501233152" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


  • As does mine, however my original post for downloading shows otherwise, because it's from download.nvidia.com, which does get categorized as Shareware... which it's not at all.

    I'm still just reeling on the fact that I can add a URL category to completely bypass a top list firewall rule, and something as trash as Shareware at that...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • This is getting stupid.

    I tried to download a driver.

    As you said the test for download.nvidia.com returns shareware.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Classified as Executable files.....

    For that error to occur, you must have HTTPS inspection enabled with .EXE or .MSI as a blocked filetype.

  • So then it looks like webfilter exceptions override firewall rules? I remember this happening with the UTM too. It just must have to do with the flow of how data is inspected.

    I'm not going to lie to you, the firewall is very tricky to configure and I spend a lot of time trying to figure things out with multiple ways of accomplishing the same thing. 

    Have you tried my method, of changing the category of downloads.nvidia.com from Unacceptable to Acceptable? This essentially overrides the shareware & freeware categorization block for that downloads.nvidia.com driver. But if the exception worked, then it worked. It would be good to see some more screenshots to be sure.

    Either change the category from Unacceptable to Acceptable, or this exception should be all you have to do: something similar to this...

  • Yes, I do, but the point is the site is classified and blocked as shareware etc.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I do, but the point is the site is classified and blocked as shareware etc.

    Underneath where it says > about this request

    What does it say when you click on it?

    So trying to figure this out again, I get a notification of another download for drivers.  I created a web exception in my Safe Downloading exceptions list which I add a regex entry for ^([A-Za-z0-9.-]*\.)download\.nvidia\.com/ and try again.

    I think your regex might be formatted incorrectly. According to the online guide, it looks like it should be this

    ^[A-Za-z0-9.-]*\.download\.nvidia\.com/

    and not...

    ^([A-Za-z0-9.-]*\.)download\.nvidia\.com/

  • Let me explain what is happening.

    If you have a Firewall Drop rule, SFOS will do a trick to show you the block page in the browser and not the "connection timeout" by the Proxy. This is a feature to show the user what is going on. On other products, you will get a browser error like the dino in Chrome. In SFOS, we allow the traffic by the firewall and forward it to the proxy. The proxy will throw the block page. That is only possible if the browser reaches the packet and the firewall does not deny it.

    See: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/Logsbehavior/index.html#firewall-action-and-logs

    You could change that by using Reject internally (so the firewall rejects the packet, everything is as usual).

    BTW: SFOS does it only for internal to external. 

    If the proxy does this block page, it also evaluates the exception list. That means you can allow certain traffic based on your exception, even if you have a block page criteria.

  • If the proxy does this block page, it also evaluates the exception list. That means you can allow certain traffic based on your exception, even if you have a block page criteria.

    So does that explain why Amodin was able to finally download the nvidia driver from China (which is GeoIP blocked in his firewall rules) from a China-based CDN server?

  • Only if the CDN block is part of your access rule, if it is a rule at the top of your list then the proxy would never know about it.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Just a follow-up, it didn't work on the regex change.  Also, I copied my regex from Sophos XG from a built-in existing regex entry on their own list, I just changed it for NVidia.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
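As an added example (not code from Sophos or from any poster in this thread), the following Python parses the denied-download log line posted at the top of the thread and tests both exception regexes discussed above against the logged domain, which is the check to run before editing the exception list again. It assumes the proxy matches the regex against host plus path with no scheme, that firewall-rule drops log with log_type="Firewall" (the field name for that case is an assumption), and that the garbled url= value in the posted line was the bare host.

```python
import re

# Constructed sample input: the denied-download line posted earlier in this thread,
# trimmed to the fields used here, with the extraction garble around url= repaired
# (the value is assumed to be the bare host).
SAMPLE_LOG = (
    'messageid="16002" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" '
    'web_policy="Default Policy" category="Download Freeware & Shareware" '
    'category_type="Objectionable" url="international-gfe.download.nvidia.com" '
    'src_ip="172.18.0.98" dst_ip="192.229.211.70" protocol="TCP" dst_port="443" '
    'domain="international-gfe.download.nvidia.com" exception="" status_code="403"'
)

# key="value" pairs; SFOS emits empty values as "", so allow them.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sfos_log(line: str) -> dict:
    """Parse one SFOS key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def blocking_component(fields: dict) -> str:
    """Name the component that denied the request, from the log fields alone.

    A Content Filtering / HTTP "Denied" line with status_code 403 is the web
    proxy serving its block page, so a web exception (not a firewall rule) is
    what changes the outcome.  The log_type="Firewall" branch is an assumed
    field value for rule drops/rejects, not taken from the thread.
    """
    if fields.get("log_type") == "Content Filtering" and fields.get("log_subtype") == "Denied":
        return "web proxy: category %r under policy %r, exception %r" % (
            fields.get("category"), fields.get("web_policy"), fields.get("exception"))
    if fields.get("log_type") == "Firewall":
        return "firewall rule %r" % fields.get("fw_rule_name")
    return "unknown"


# The two exception regexes compared in the thread: the one originally entered
# and the form suggested from the online guide.
POSTED_REGEX = r"^([A-Za-z0-9.-]*\.)download\.nvidia\.com/"
GUIDE_REGEX = r"^[A-Za-z0-9.-]*\.download\.nvidia\.com/"


def exception_matches(pattern: str, host: str, path: str = "/") -> bool:
    """Assumption: the proxy tests the pattern against host+path with no scheme."""
    return re.match(pattern, host + path) is not None


def compare_patterns(host: str, path: str = "/") -> tuple:
    """(posted-regex result, guide-regex result) for one request."""
    return (exception_matches(POSTED_REGEX, host, path),
            exception_matches(GUIDE_REGEX, host, path))


def check_logged_request(line: str) -> dict:
    """Parse a denied line and report whether either exception would cover it."""
    fields = parse_sfos_log(line)
    posted, guide = compare_patterns(fields["domain"])
    return {"domain": fields["domain"],
            "blocked_by": blocking_component(fields),
            "posted_regex_matches": posted,
            "guide_regex_matches": guide}


if __name__ == "__main__":
    print(check_logged_request(SAMPLE_LOG))
    # Hosts the exception must NOT cover: the bare apex (no leading label and dot),
    # a look-alike with the real name as a prefix, and the name hidden in a path.
    for host, path in [("download.nvidia.com", "/"),
                       ("download.nvidia.com.evil.example", "/"),
                       ("evil.example", "/download.nvidia.com/")]:
        print(host + path, compare_patterns(host, path))
```

The two patterns behave identically (the parentheses only group, they do not change what is matched), which is consistent with the follow-up reporting that the regex change made no difference. Both match `international-gfe.download.nvidia.com/...`, neither matches the bare `download.nvidia.com` host because `\.download` requires a leading label and dot, and the trailing `/` keeps `download.nvidia.com.evil.example` from slipping through.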