Web Filtering "Allow All" versus "None"

Question

We're using a particular messaging app that works if the applicable firewall rule has Web Filtering "None", but not if the firewall rule is "Allow All" (or equivalently a Policy that only has the default Allow and everything else turned off). What's the difference? What additional thing is Allow All doing/enabling that "None" is not?

This thread was automatically locked due to age.

Vivek Jagad · Accepted Answer

Hey Wayne Folta , For instance if you set it to none, you'll not see website browsing logs under the webfilter as well as /log/awarrenhttp for the site you browsed, but if I keep allow all and browse to facebook.com I'll be able to capture the logs [as it goes through the proxy] as seen under the /log/awarrenhttp.log for e.g - 1668686403.140310167 [ 7515/0x7f323aae7400] fwid=5 fwflag="VN" iap=1 aap=0 conn_id=1797583488 id="0001" name="http access" action="pass" method="CONNECT" srcip="192.168.97.104" dstip="31.13.79.35" user="administrator@sophos.creed" statuscode=200 cached=0 trxlen=581 rxlen=2411 url=" ">https://www.facebook.com/" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=2 cattime=141509 avscantime=0 fullreqtime=6216273 ua="" activity="" av_transaction_id="" categoryname="Social Networking" category="67" app_id=0 app_name="None" app_cat="None" exceptions="" If there is a site works fine, with the option none, meaning there is no restrictions what-so-ever, working as a normal direct ISP connection to a laptop. With the allow all, a web proxy/DPI comes into the picture depending upon the option you enable it or not "Use web proxy instead of DPI engine" and with that "allow all" option if a site is not working meaning FW proxy/DPI is intervening the traffic and needs to be diagnosed further to understand the root cause !! If web policy is None and Malware scanning is unselected, you cannot turn on proxy mode (WebAdmin will not allow you). Basically, if you don't want the XG to do anything then it forces it into DPI mode. If for some reason you want it to go through proxy mode then you'll need to set Allow All. In DPI mode, there are several reasons that the XG may want to interpret the HTTP. Any web policy except None will cause DPI to look at HTTP. Malware scanning will cause DPI to look at HTTP. ATP will cause DPI to look at HTTP. When DPI looks at HTTP it will enforce the HTTP specification (traffic must conform to what it cab process) and it will log (in Web Filter logs, which will also power reports). But if there is no reason to look at the HTTP at all then it won't. So if web policy is None (and no malware or ATP) then web-in-snort DPI will not try to interpret the HTTP at all, will not enforce HTTP spec, and will not log web traffic. 
 Filtering: Select the settings to filter web traffic over common web ports. If you want to select web proxy filtering, you must first select a web policy or malware and content scanning for HTTP and decrypted HTTPS. 
 Sophos Firewall identifies micro apps, such as Dropbox and Gmail attachment upload and download, based on their URLs. When you specify an application filter policy for these micro apps in the firewall rule and set the matching SSL/TLS inspection rule to decrypt, the DPI engine identifies micro apps based on the decrypted URL. This applies even if you set Web policy to None and turn off malware scanning and advanced threat protection. Sophos Firewall takes the action specified in the application filter policy. 
 Sophos Firewall skips decryption, malware and content scanning, Zero-day protection analysis, and policy checks for the corresponding exceptions you specify in Web > Exceptions . Exceptions apply both to DPI and proxy modes. However, in DPI mode, web policies (including exceptions) only apply if one of the following is true: 
 
 A web policy is set. 
 Malware and content scanning is turned on. 
 ATP is turned on.

Vivek Jagad · Answer

Hey Mathias Kessler , Query is different. In regards to the telegram iOS app, this are the primary domains , which you can add them into exceptions : ^([A-Za-z0-9.-]*\.)?telegram\.me/ ^([A-Za-z0-9.-]*\.)?telegram\.org/ ^([A-Za-z0-9.-]*\.)?telesco\.pe/ ^([A-Za-z0-9.-]*\.)?tg\.dev/ ^([A-Za-z0-9.-]*\.)?t\.me/

Web Filtering "Allow All" versus "None"

Top Replies