

Difficulty setting up a block page through web policy

Hello All,

I'm trying to set up a block page using web policy but I can't quite get it to work. I think I know where the problem is and how to fix it but I would like to see a different solution than the one I have now applied to a test environment.

The firewall hostname is abc.xyz.com, the first internal address is 10.11.0.1 and an SSL certificate is installed on the firewall for abc.xyz.com. In addition, several networks are supplied with Internet and these networks must have the web filtering policy applied.

LAG (Port1 and Port5): 10.11.0.1

  • VLAN10: 10.11.10.1
  • VLAN11: 10.11.11.1
  • VLAN12: 10.11.12.1
  • and so on

The captive portal and other interactive pages are displayed through the firewall hostname (abc.xyz.com) and I have downloaded and installed the HTTPS scanning certificate authority (CA) on the test machine. In addition, I have created a separate web filtering policy in which I have created a warning for bandwidth-heavy browsing.

My test machine has IP address 10.11.12.99 and when I surf to a website that falls under this category, I am redirected to abc.xyz.com:8090/.../warn and the message Hmmm... can't reach this page is also displayed in the browser (Microsoft Edge). When I ping abc.xyz.com I get a response from the external IP address of the firewall so I added the following to my hosts file: 10.11.0.1 abc.xyz.com and after that I get a warning displayed.

Is there a possible solution where I don't have to make any changes to the hosts file on the machines on the different networks? I tried to solve it by means of a DNS host entry, but because some domain controllers have set the firewall as DNS resolver, connection problems arise for customers with an IPsec VPN and a domain connection.

Thank you in advance and if additional information is required please let me know.



  • Hello Daan,

    Good day and thanks for reaching out to Sophos Community and hope you are well. 

    May we confirm whether what you want to achieve is for the Sophos Firewall block page to be presented to the users whenever they hit a specific block policy? Or are you having trouble browsing the web when there is a Web Filter policy set on the Sophos firewall?

    Kindly let us know. Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    Thanks for your reply.

    I have issues with the Sophos Firewall block page being presented to the users whenever they hit a specific block policy.

    Thanks in advance.

  • Hello Daan,

    Thanks for your response. Could you show your encountered error on the end machine side and your configured Firewall rule for this? 

    Many thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi,

    The error message is described in the description of the problem. I also think it has nothing to do with a firewall rule because you only need to select web filtering here.

    If you read my description carefully you will see the following: My test machine has IP address 10.11.12.99 and when I surf to a website that falls under this category, I am redirected to abc.xyz.com:8090/.../warn and the message "Hmmm... can't reach this page" is also displayed in the browser (Microsoft Edge). When I ping abc.xyz.com I get a response from the external IP address of the firewall, so I added the following to my hosts file: 10.11.0.1 abc.xyz.com, and after that I get a warning displayed.

    This means that the block page in the certificate uses an FQDN that must resolve to the first internal IP address of the firewall. This is also the reason that the block page works after I edited the hosts file.

    The problem is that I don't want to edit hosts files on all machines and networks behind this firewall.

  • Hello Daan,

    Thanks for the information above. I have tried the scenario in my lab, and browsing on MS Edge with DPI on Sophos Firewall, presenting the block page and surfing the web, is working fine.

    My settings during the testing are:

    - Installed the Firewall CA on MS Edge (browser): https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesAddCAManually/index.html#install-the-ca-in-operating-systems

    - Configured a Web Filter Block and Warn rule and enabled "Scan HTTP and decrypted HTTPS"

    - Tried setting both public DNS and SF as DNS on the end machine (both worked fine) the traffic

    May I confirm the following on your side:

    - What SFOS version are you currently running?

    - Do you use DPI or Web Proxy?

    - Are there any upstream/proxy devices above the FW?

    - Does this happen on all browsers you are testing, and in what location did you install the firewall cert (local computer or browser)? https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesAddCAManually/index.html#install-the-ca-on-mobile-devices

    - Does the error only appear on your "Warn" action on the Web policy, or also on "Block", or on all traffic even if it is allowed?

    - Was this previously working fine for the test machine and other users? If yes, were there any recent changes on the firewall, such as a firmware upgrade, config change, etc., or any network change?

    Thanks for your time and patience and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi,

    Thanks for your reply and the tests.

    • What SFOS version are you currently running?: 19.5.1 MR1
    • Do you use DPI or Web Proxy?: DPI
    • Are there any upstream/proxy devices above the FW?: None
    • Does this happen on all browsers you are testing, and in what location did you install the firewall cert?: Yes, this works fine as described in my description
    • Does the error only appear on your "Warn" action on the Web policy, or also on "Block", or on all traffic even if it is allowed?: Only with warn and block, because of the SSL cert.
    • Was this previously working fine for the test machine and other users?: First-time config, so no.

    Did you test on a firewall with a resolvable external hostname? The problem with my setup is that we display the warn/block page with "Use the firewall's configured hostname" from SYSTEM -> Administration -> Admin and user settings -> Admin console and end-user interaction. Because this hostname is resolvable, the request talks to the WAN port of the XG and not the LAN port.

    When I add an entry in my HOSTS file on Windows the request doesn't go to the WAN port on the XG but hits the LAN port as it should.

    I don't want to make adjustments to HOSTS files on all the clients and would like to know how to solve this another way. 

    In addition I would like to add that each network behind this firewall has its own domain with customer systems.

    Thanks in advance.

  • Hello Daan,

    Thanks for the additional details. I've tested configuring an externally resolvable hostname in my lab and it successfully proceeded to the warn and block page. You need to add a DNS host entry on the firewall under Network > DNS > DNS host entry: enter the externally resolvable hostname, then bind the internal Sophos Firewall interface (the client-facing interface), then try browsing again. The warn and block page will then be served without the "Hmmm... can't reach this page" error on Edge and Chrome, and this would let you avoid adding hosts-file entries on end machines.

    Kindly let us know whether this resolves your issue. Thanks.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi,

    Thanks for the reply.

    I had already tried this solution myself, but unfortunately it doesn't work for all our customers.

    The problem here is that the domain controllers have their first DNS forwarder set to the firewall, and for customers where a VPN between the office and the cloud has been set up, the external address of the firewall will resolve to the DNS host entry and the customers will no longer be able to log in.

    I think the only solution here is to put a wildcard certificate on the firewall and then use a different FQDN instead of the hostname for the block/warn page.

  • One thing to check is that in Administration > Device Access the "Captive Portal" is enabled for all the zones that you use. While it is called "Captive Portal", it actually means all traffic that goes to port 8090, as the note on the page says.

    One solution would be to use the Web Proxy rather than DPI mode. The Web Proxy can display block pages directly without having to redirect (because it is a full man-in-the-middle proxy), while DPI mode has to redirect to a block page.

    As suggested, the normal solution is generally called "split DNS", which means that the same hostname resolves differently depending on whether you are asking an external DNS server or an internal one. This works for most customers. You may want to make sure you are using a short TTL if you have clients that are switching around.

    Another solution would be as you describe - creating another hostname that always resolves to an internal ip.  However 


    For reference, there are two main things that are needed:
    1) The packet arrives on an interface that is part of a Zone and goes to a TCP port (e.g. arrives on a LAN port and goes to port 8090). This is checked against the Device Access / Local Service ACL. If it is blocked here, it is blocked at the firewall level and typically you'll get a TCP problem (e.g. it cannot connect, the packet is dropped or rejected).

    2) If it gets past that, the firewall gives it to awarrenhttp to process the request. awarrenhttp looks at the destination IP address in the TCP connection. If the destination IP is a LAN port, then it is allowed and processed. If the destination IP is the WAN port, it is TCP dropped (I think) before it even looks at the HTTP request. This is done to prevent certain types of attacks against the XG itself.
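The following is an added example, not code from this thread or from Sophos, that models the two checks described in the post above together with the split-DNS idea from the same answer. It lets you reason about why the redirect to hostname:8090 fails when the name resolves to the WAN address and succeeds when a hosts-file entry, DNS host entry or split-DNS view returns the LAN address. All addresses, zone names and the TEST-NET WAN address are constructed placeholders; the firewall's real ACL and awarrenhttp logic are not reproduced, only the decision order the post describes.

```python
"""
Added example (not from the thread or from Sophos): a small model of the
two-stage check for traffic to <firewall-hostname>:8090 and of a split-DNS
resolver that answers internal clients with the firewall's LAN address.
All addresses and zone names below are constructed placeholders.
"""
import ipaddress

FIREWALL_HOSTNAME = "abc.xyz.com"          # hostname used for the block/warn page
WAN_IP = "203.0.113.10"                    # placeholder public address (TEST-NET-3)
LAN_IP = "10.11.0.1"                       # first internal address from the thread
INTERNAL_NETWORKS = [                      # LAN plus the VLAN subnets behind it
    ipaddress.ip_network("10.11.0.0/16"),
]
CAPTIVE_PORTAL_ZONES = {"LAN", "VPN"}      # zones with Device Access > Captive Portal ticked
BLOCK_PAGE_PORT = 8090
INTERNAL_TTL = 60                          # short TTL for clients that move between networks
EXTERNAL_TTL = 3600


def split_dns_answer(qname, client_ip):
    """Split DNS: the same name resolves to the LAN address for clients inside
    the internal networks and to the WAN address for everyone else.
    Returns (address, ttl) or None if the name is not ours."""
    if qname.rstrip(".").lower() != FIREWALL_HOSTNAME:
        return None
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return LAN_IP, INTERNAL_TTL
    return WAN_IP, EXTERNAL_TTL


def check_block_page_path(ingress_zone, dst_ip, dst_port=BLOCK_PAGE_PORT):
    """Stage 1: Device Access (local service ACL) decides on zone + port.
    Stage 2: the HTTP service only answers when the destination is a LAN-side
    address; a WAN-side destination is dropped before the HTTP request is read.
    Returns a short verdict string."""
    if dst_port != BLOCK_PAGE_PORT:
        return "not-a-block-page-request"
    if ingress_zone not in CAPTIVE_PORTAL_ZONES:
        return "dropped-by-device-access-acl"      # TCP connect fails / is rejected
    if dst_ip == WAN_IP:
        return "dropped-destination-is-wan"        # the "can't reach this page" case
    if dst_ip == LAN_IP:
        return "served"                            # block/warn page is rendered
    return "dropped-unknown-destination"


def diagnose(client_ip, resolved_ip, ingress_zone="LAN"):
    """Combine the client's resolver answer with the two-stage check."""
    return {
        "client": client_ip,
        "resolved": resolved_ip,
        "verdict": check_block_page_path(ingress_zone, resolved_ip),
    }


if __name__ == "__main__":
    client = "10.11.12.99"                 # the test machine from the thread
    # Public resolver answer -> WAN address -> redirect is dropped.
    print(diagnose(client, WAN_IP))
    # hosts-file / DNS host entry / split-DNS answer -> LAN address -> served.
    internal_ip, _ttl = split_dns_answer(FIREWALL_HOSTNAME, client)
    print(diagnose(client, internal_ip))
    # Same name queried from outside still gets the public address.
    print(split_dns_answer(FIREWALL_HOSTNAME, "198.51.100.7"))
```

The model makes the trade-off from the thread visible: any answer that returns the LAN address to the client (hosts file, DNS host entry on the firewall, or a resolver view keyed on the client's source network) produces "served", while the public answer produces the dropped verdict regardless of the ACL. The split-DNS function keys on the querying client's address, which is exactly the behaviour that breaks when a domain controller forwards every query through the firewall on behalf of VPN users, so the source network seen by the resolver should be checked before relying on it.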


  • Hi,

    Thanks for your reply.

    I think that I have enough information to get this to work!