
So... why are NVIDIA drivers suddenly taboo to download?

Not changed a thing on XG, even downloaded these drivers, using the same application, several times in the past. For the first time in weeks, I haven't had to mess with anything.  This worked just fine before.

I even have a 'Safe Downloading' exception for NVIDIA, yet the firewall is denying the download.  Today, the moon or the sun, or someone screwing with something must be the issue.  Had this happen before on UTM with Windows Updates, and then it magically fixed itself days later. 

What prompts this behavior to change and decide, "Oh well today I think it's okay, so I'm going to allow a download.  Yesterday didn't work for me."

I really don't understand this logic with the firewall.

messageid="16002" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" fw_rule_section="Local rule" user="" user_group="" web_policy_id="12" web_policy="Default Policy" category="Download Freeware & Shareware" category_type="Objectionable" url="international-gfe.download.nvidia.com" content_type="" override_token="" src_ip="172.18.0.98" dst_ip="192.229.211.70" protocol="TCP" src_port="63610" dst_port="443" bytes_sent="0" bytes_received="0" domain="international-gfe.download.nvidia.com" exception="" activity_name="" reason="" user_agent="" status_code="403" transaction_id="" referer="" download_file_name="" download_file_type="" upload_file_name="" upload_file_type="" con_id="3501233152" app_name="" app_is_cloud="0" override_name="" override_authorizer="" used_quota="0"


  • So then it looks like webfilter exceptions override firewall rules? I remember this happening with the UTM too. It just must have to do with the flow of how data is inspected.

    I'm not going to lie to you, the firewall is very tricky to configure and I spend a lot of time trying to figure things out with multiple ways of accomplishing the same thing. 

    Have you tried my method, of changing the category of downloads.nvidia.com from Unacceptable to Acceptable? This essentially overrides the shareware & freeware categorization block for that downloads.nvidia.com driver. But if the exception worked, then it worked. It would be good to see some more screenshots to be sure.

    Either change the category from Unacceptable to Acceptable, or this exception should be all you have to do: something similar to this...

  • Classified as Executable files.....

    For that error to occur, you must have HTTPS inspection enabled with .EXE or .MSI as a blocked filetype.

  • This is getting stupid.

    I tried to download a driver.

    As you said the test for download.nvidia.com returns shareware.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • As does mine, however my original post for downloading shows otherwise, because it's from download.nvidia.com, which does get categorized as Shareware... which it's not at all.

    I'm still just reeling on the fact that I can add a URL category to completely bypass a top list firewall rule, and something as trash as Shareware at that...

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Hi Amodin,

    my XG shows Nvidia.com as

    When I connect to the site it shows America. I have a country block for China, but not Taiwan. I did not try to download any drivers, but I do get a selection list.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Just... wow.  I can't believe this.

    So trying to figure this out again, I get a notification of another download for drivers.  I created a web exception in my Safe Downloading exceptions list which I add a regex entry for ^([A-Za-z0-9.-]*\.)download\.nvidia\.com/ and try again.

    Nope, not allowed.

    Then I look at the log viewer, and I see that my Country Blocking Rule to China is denying me any access to the download.  No problem, I get that, the CDNs probably are redirected all over the place.

    But - I then do something that I tell myself, "No way, this shouldn't be allowed."

    I add back the Download Shareware and Freeware category back into my same Safe Downloading exceptions.

    It starts downloading.

    Why on this earth, would you tell someone's top rule of "No, not at all" to be bypassed by a shareware category of all things?  Am I just not getting this methodology? That's okay, but adding my explicit regex exception isn't allowed?  Does this not make sense to anyone else?  For me, this just screams "Foul".

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)
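
Added example (not from any poster in this thread): a small triage helper that parses the denied-request log line quoted in the first post and checks which hostnames the regex posted above actually covers. It assumes the exception pattern is compared against host plus path without the scheme; the function names are illustrative. Because the subdomain group in the posted pattern is not optional, it matches `international-gfe.download.nvidia.com/` but not the bare `download.nvidia.com/`.

```python
import re

# Abbreviated copy of the denied-request log line quoted in the thread.
SAMPLE_LOG = (
    'messageid="16002" log_type="Content Filtering" log_component="HTTP" '
    'log_subtype="Denied" fw_rule_id="5" fw_rule_name="#Default_Network_Policy" '
    'web_policy="Default Policy" category="Download Freeware & Shareware" '
    'category_type="Objectionable" src_ip="172.18.0.98" dst_ip="192.229.211.70" '
    'dst_port="443" domain="international-gfe.download.nvidia.com" '
    'exception="" status_code="403"'
)

# Exception pattern exactly as posted in the thread.
POSTED_PATTERN = r'^([A-Za-z0-9.-]*\.)download\.nvidia\.com/'


def parse_log(line):
    """Split key="value" pairs into a dict (values may contain spaces)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def explain_denial(fields):
    """Summarise which policy and category produced the deny."""
    return {
        "host": fields.get("domain", ""),
        "decision": fields.get("log_subtype", ""),
        "category": fields.get("category", ""),
        "category_type": fields.get("category_type", ""),
        "web_policy": fields.get("web_policy", ""),
        "fw_rule": fields.get("fw_rule_name", ""),
        # An empty exception field means no web exception was applied.
        "exception_applied": fields.get("exception", "") != "",
    }


def pattern_covers(pattern, host, path="/"):
    """True if the pattern matches host+path (assumed target: URL without scheme)."""
    return re.search(pattern, host + path) is not None


if __name__ == "__main__":
    info = explain_denial(parse_log(SAMPLE_LOG))
    print(info)
    for host in (info["host"], "download.nvidia.com", "www.nvidia.com"):
        print(host, pattern_covers(POSTED_PATTERN, host))
```
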

  • I'd rather keep the Shareware out of acceptable, and rather have the domain acceptable.  I have a regex exception for nvidia.com, I will try it with download.nvidia.com and see if I can mess with that.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Likely you have to separate between the CDN and the Nvidia Website. 

    So the CDN Part of your URL is categorized by Intelix as Shareware/Freeware Download CDN: intelix.sophos.com/login


  • Could you change the category of Download Freeware and Shareware from Objectionable to Acceptable?

    Or perhaps create a URL entry for all download.nvidia.com subdomains, and classify them as Acceptable?

    I don't think it's possible to use regex for URL entries though.

  • I checked my log viewer this morning, and I don't have anything identical to downloading drivers, which is about right - it's been over a month since the last driver update for me (Log goes back 30 days).  However, there are a lot of other entries with that domain, but different sub-domains that were allowed and categorized as 'Information Technology'.  

    I don't see how the drivers would be any different of a category.  They aren't shareware.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)