Blocking Porn Category

I blocked the adult and nudity category in my Sophos XGS 2100 firewall.

But still many porn sites are accessible. 

Is there any way to block it completely?



This thread was automatically locked due to age.
  • Hi,

    Do you have the CA installed on all devices on your LAN? Do you have "scan and decrypt" enabled in your firewall rule?

    Ian 

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Good question.  Even without that, though, to ensure the same was captured with SSL/TLS Inspection disabled

    I turned my inspection off, and still get a block page for this site:

    The inspection certainly adds a higher chance of capturing more obscure websites, but without it, the firewall is just as capable.  In your above configuration, do you require the web proxy to be selected?

    Also, just for reference, if you didn't deploy your certificate with TLS inspection enabled, a good method for blocking these items, albeit sloppy, would be to add an inspection and only target malicious web categories for inspection; it will break the chain and fail inspection, but the site itself will also fail to load at all.

  • Hi Matthew,

    Yes, I do, because SSL/TLS does not always pick up the traffic. Also, you need to enable Application scanning and LAN to WAN type IPS filtering to bring all filtering tools into play. I have experimented with blocking sites and not all work because I haven't enabled sufficient web filters. Micheal Dunn explained what was missing in my setup in a thread a couple of months ago about not being able to block embedded ads etc. I applied those additional restrictions, which worked but needed too many exceptions for general use.

    Some sites have the porn and ads as side sites.

    Ian

  • Another technique worth implementing, depending on your view of it, is using the firewall's application control policies to restrict "DNS over HTTPS", and of course enabling HTTPS Decryption on your Intercept X Advanced agent as well; setting the category in Web Control for Advertisements to "Block" never hurts.

    Or joining the DNS Protection EAP as well :)

  • I have implemented most of those except the DNS EAP.

    Ian
