I blocked the adult and nudity category in my Sophos XGS 2100 firewall.
But still many porn sites are accessible.
Is there any way to block it completely?
Good question, rfcat_vk. Even without that, though, to ensure the same was captured with SSL/TLS Inspection disabled, I turned my inspection off, and still get a block page for this site:
The inspection certainly adds a higher chance of capturing more obscure websites, but without it, the firewall is just as capable. In your above configuration, do you require the web proxy to be selected?
Also, just for reference, if you didn't deploy your certificate with TLS inspection enabled, a good method for blocking these items, albeit sloppy, would be to add an inspection and only target malicious web categories for inspection; it will break the chain and fail inspection, but the site itself will also fail to load at all.
Hi Matthew,
Yes, I do, because SSL/TLS does not always pick up the traffic. Also, you need to enable Application scanning and LAN to WAN type IPS filtering to bring all filtering tools into play. I have experimented with blocking sites and not all work because I haven't enabled sufficient web filters. Micheal Dunn explained what was missing in my setup in a thread a couple of months ago about not being able to block embedded ads etc. I applied those additional restrictions, which worked but needed too many exceptions for general use.
Some sites have the porn and ads as side sites.
Ian
XG115W - v20.0.2 MR-2 - Home
XG on VM 8 - v21 GA
Another technique worth implementing, depending on your view of it, is using the firewall's application control policies to restrict "DNS over HTTPS" and, of course, enabling HTTPS Decryption on your Intercept X Advanced agent as well; setting the category in Web Control for Advertisements to "Block" never hurts.
Or joining the DNS Protection EAP as well.