

Web Filtering "Allow All" versus "None"

We're using a particular messaging app that works if the applicable firewall rule has Web Filtering "None", but not if the firewall rule is "Allow All" (or equivalently a Policy that only has the default Allow and everything else turned off). What's the difference? What additional thing is Allow All doing/enabling that "None" is not?



  • Hi Wayne Folta

    When the web filter is set to None, the firewall bypasses scanning of the traffic and acts as a switch; with Allow All it intercepts the traffic. Can you confirm the issue is not related to WebSocket?

    Can you share the error message or the name of the messaging application?

    What is the status for:

    sys application_classification microapp-discovery show
    sys application_classification show

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • console> sys application_classification microapp-discovery show
    off
    console> sys application_classification show
    On

    I don't get any errors on the iPhone app, it just sits there with "Connecting"  indefinitely.

    The messaging application is Telegram.

    This is on a VLAN/SSID I'm using for employer equipment, which is segregated from my home equipment and in general has less security (doesn't do SSL/TLS inspection, etc) because I don't have admin rights on the devices.

    Thanks!

  • Hey  ,

    For instance, if you set it to None you will not see website browsing logs under the web filter or in /log/awarrenhttp.log for the site you browsed, but if I keep Allow All and browse to facebook.com I am able to capture the logs [as it goes through the proxy], as seen in /log/awarrenhttp.log,
    for e.g. -
    1668686403.140310167 [ 7515/0x7f323aae7400] fwid=5 fwflag="VN" iap=1 aap=0 conn_id=1797583488 id="0001" name="http access" action="pass" method="CONNECT" srcip="192.168.97.104" dstip="31.13.79.35" user="administrator@sophos.creed" statuscode=200 cached=0 trxlen=581 rxlen=2411 url="https://www.facebook.com/" referer="" type="" upload_file_name="" upload_file_type="" download_file_name="" download_file_type="" authtime=0 dnstime=2 cattime=141509 avscantime=0 fullreqtime=6216273 ua="" activity="" av_transaction_id="" categoryname="Social Networking" category="67" app_id=0 app_name="None" app_cat="None" exceptions=""

    If a site works fine with the option None, that means there are no restrictions whatsoever; it works like a normal direct ISP connection to a laptop. With Allow All, a web proxy/DPI comes into the picture, depending on whether you enable the option "Use web proxy instead of DPI engine", and if with the Allow All option a site is not working, that means the firewall proxy/DPI is intervening in the traffic and needs to be diagnosed further to understand the root cause!


    If web policy is None and Malware scanning is unselected, you cannot turn on proxy mode (WebAdmin will not allow you).  Basically, if you don't want the XG to do anything then it forces it into DPI mode.  If for some reason you want it to go through proxy mode then you'll need to set Allow All.

    In DPI mode, there are several reasons that the XG may want to interpret the HTTP.
    Any web policy except None will cause DPI to look at HTTP.
    Malware scanning will cause DPI to look at HTTP.
    ATP will cause DPI to look at HTTP.

    When DPI looks at HTTP it will enforce the HTTP specification (traffic must conform to what it can process) and it will log (in Web Filter logs, which will also power reports).  But if there is no reason to look at the HTTP at all then it won't.  So if web policy is None (and no malware or ATP) then web-in-snort DPI will not try to interpret the HTTP at all, will not enforce HTTP spec, and will not log web traffic.

    Filtering: Select the settings to filter web traffic over common web ports. If you want to select web proxy filtering, you must first select a web policy or malware and content scanning for HTTP and decrypted HTTPS.

    Sophos Firewall identifies micro apps, such as Dropbox and Gmail attachment upload and download, based on their URLs. When you specify an application filter policy for these micro apps in the firewall rule and set the matching SSL/TLS inspection rule to decrypt, the DPI engine identifies micro apps based on the decrypted URL. This applies even if you set Web policy to None and turn off malware scanning and advanced threat protection. Sophos Firewall takes the action specified in the application filter policy.

    Sophos Firewall skips decryption, malware and content scanning, Zero-day protection analysis, and policy checks for the corresponding exceptions you specify in Web > Exceptions. Exceptions apply both to DPI and proxy modes. However, in DPI mode, web policies (including exceptions) only apply if one of the following is true:

    • A web policy is set.
    • Malware and content scanning is turned on.
    • ATP is turned on.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
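As an added illustration (not code from the post above or from Sophos), the following Python parser reads lines in the /log/awarrenhttp.log format shown above and reports which firewall rules (fwid) actually produced web filter entries. That is the practical check the post describes: a rule whose web policy is None, with malware scanning and ATP off, never appears in this log, while a rule set to Allow All does. The two log lines are constructed from the sample in the post; rule ID 9 is an assumed rule set to None.

```python
import re
from collections import Counter

# Leading "timestamp [ pid/thread]" prefix of an awarrenhttp.log line
_PREFIX = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+\[\s*(?P<pid>\d+)/(?P<tid>0x[0-9a-fA-F]+)\]\s*'
)
# key="quoted value" or key=bare_value pairs that follow the prefix
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_awarrenhttp(line):
    """Parse one awarrenhttp.log line into a dict; None if the prefix is missing."""
    m = _PREFIX.match(line)
    if not m:
        return None
    fields = {"timestamp": float(m.group("ts")), "pid": int(m.group("pid"))}
    for key, raw in _KV.findall(line[m.end():]):
        # strip the surrounding quotes from quoted values, keep bare ones as-is
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def web_logged_rules(lines):
    """Count web filter entries per firewall rule ID (fwid)."""
    counts = Counter()
    for line in lines:
        fields = parse_awarrenhttp(line)
        if fields and "fwid" in fields:
            counts[int(fields["fwid"])] += 1
    return counts


def silent_rules(lines, rule_ids):
    """Rule IDs from rule_ids that produced no web filter entries at all.
    With web policy None (and no malware scanning or ATP) a rule never shows
    up here, which is the observable difference from Allow All."""
    seen = web_logged_rules(lines)
    return sorted(r for r in rule_ids if r not in seen)


# Constructed sample: the line from the post (fwid=5, Allow All) plus a second
# constructed entry on the same rule. Rule 9 is an assumed rule with web
# policy None and therefore has no entries in this log.
SAMPLE_LOG = [
    '1668686403.140310167 [ 7515/0x7f323aae7400] fwid=5 fwflag="VN" iap=1 aap=0 '
    'conn_id=1797583488 id="0001" name="http access" action="pass" method="CONNECT" '
    'srcip="192.168.97.104" dstip="31.13.79.35" user="administrator@sophos.creed" '
    'statuscode=200 cached=0 trxlen=581 rxlen=2411 url="https://www.facebook.com/" '
    'referer="" type="" ua="" categoryname="Social Networking" category="67" '
    'app_id=0 app_name="None" app_cat="None" exceptions=""',
    '1668686410.000000000 [ 7515/0x7f323aae7400] fwid=5 fwflag="VN" iap=1 aap=0 '
    'conn_id=1797583489 id="0001" name="http access" action="pass" method="GET" '
    'srcip="192.168.97.104" dstip="93.184.216.34" user="administrator@sophos.creed" '
    'statuscode=200 cached=0 trxlen=300 rxlen=1500 url="http://example.com/" '
    'categoryname="Information Technology" category="1" app_id=0 app_name="None" '
    'app_cat="None" exceptions=""',
]

if __name__ == "__main__":
    first = parse_awarrenhttp(SAMPLE_LOG[0])
    print(first["method"], first["url"], first["categoryname"])
    print("entries per rule:", dict(web_logged_rules(SAMPLE_LOG)))
    print("rules with no web log at all:", silent_rules(SAMPLE_LOG, [5, 9]))
```

Run it against a real /log/awarrenhttp.log (read the file into a list of lines) with the rule IDs from the firewall rule table; a rule you expect to be proxied or inspected that comes back in the silent list is either set to None with scanning off, or its traffic is not reaching the web filter at all.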

  • I have the same problem with the Telegram iOS App and the XG-Firewall.
    We have a basic WebFilter in the Firewall and then the App simply is stuck at Connecting.

    I could not read a solution from this post?
    What did you do for it to work other than disabling the web filter altogether on the firewall?

  • Hey , the query is different.
    In regards to the Telegram iOS app, these are the primary domains, which you can add to Exceptions:
    ^([A-Za-z0-9.-]*\.)?telegram\.me/
    ^([A-Za-z0-9.-]*\.)?telegram\.org/
    ^([A-Za-z0-9.-]*\.)?telesco\.pe/
    ^([A-Za-z0-9.-]*\.)?tg\.dev/
    ^([A-Za-z0-9.-]*\.)?t\.me/

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
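An added example, not code from the post or from Sophos, that runs the five exception patterns listed above against a set of destinations. It assumes, for the purpose of the example, that an exception regex is applied to the URL with the scheme and port removed (host followed by path), which is why the patterns start at the host and end at the slash after it; the destinations below are constructed. It shows what the patterns do and do not cover, including two look-alike hosts and a bare server IP; it does not establish why the app stalled.

```python
import re
from urllib.parse import urlsplit

# The five patterns from the reply above, in the order given.
TELEGRAM_EXCEPTIONS = [
    r"^([A-Za-z0-9.-]*\.)?telegram\.me/",
    r"^([A-Za-z0-9.-]*\.)?telegram\.org/",
    r"^([A-Za-z0-9.-]*\.)?telesco\.pe/",
    r"^([A-Za-z0-9.-]*\.)?tg\.dev/",
    r"^([A-Za-z0-9.-]*\.)?t\.me/",
]
_COMPILED = [re.compile(p) for p in TELEGRAM_EXCEPTIONS]


def match_target(url):
    """Reduce a URL or host:port to 'host/path'. Assumption for this example:
    the exception regex is matched against the URL without scheme and port."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""          # lower-cased, port stripped
    return host + (parts.path or "/")


def matching_exception(url):
    """Return the first pattern that covers url, or None."""
    target = match_target(url)
    for pattern, rx in zip(TELEGRAM_EXCEPTIONS, _COMPILED):
        if rx.search(target):
            return pattern
    return None


def uncovered(urls):
    """Destinations that none of the patterns cover."""
    return [u for u in urls if matching_exception(u) is None]


# Constructed test set: Telegram web/API hosts, two look-alike hosts, and a
# bare server IP of the kind a later post allowed with a filter-free rule.
SAMPLE_DESTINATIONS = [
    "https://api.telegram.org/bot123/getMe",
    "https://web.telegram.org/",
    "t.me/joinchat/abc",
    "https://telegram.org.example.net/",   # suffix look-alike, must not match
    "https://nott.me/",                    # prefix look-alike, must not match
    "149.154.167.50:443",
]

if __name__ == "__main__":
    for dest in SAMPLE_DESTINATIONS:
        print(f"{dest:40s} -> {matching_exception(dest)}")
    print("not covered:", uncovered(SAMPLE_DESTINATIONS))
```

The optional `([A-Za-z0-9.-]*\.)?` prefix, the escaped dots and the trailing `/` are what keep `telegram.org.example.net` and `nott.me` from matching, so the patterns are safe against suffix and prefix look-alikes; a destination that is only an IP address matches none of them.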

  • Hi  ,
    I tried to add the Exception but it does not work.
    It still spins on Connecting.

    What bugs me most is that there is no log indicating that something is being blocked...

  • Is the "Log firewall traffic" option enabled under the firewall rule?
    And have you applied a custom "web" or "Identify and control applications (App control)" policy under the firewall rule?
    You can refer to Allow/block websites using custom categories and/or URL groups.
    Additionally you can also refer to the following:
    > How to create an exception in application filter
    > Block applications using the application filter.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

  • It does not matter what exceptions I add to the firewall rule.
    Only when I select none in the web policy it will work.
    Even when I select Allow All it does not work anymore.

    Yes I have enabled logging on the rule and it shows that everything is being allowed but that cannot be true when the App is not working except when I disable the webpolicy altogether.

    But I got it working now after creating a new Firewall rule that has no filtering on it with the destination 149.154.167.50.
    It is not the most elegant solution but it works for me as of now

  • Thank you for the update, glad it worked for you now !

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience