Test Policy Web Pages

Does this website not work anymore with XG? 

https://sophostest.com/index.html

Running a policy test against just the web policy seems to show the correct result...

But this test fails, and even classifies the address incorrectly...

Going to these pages in a web browser doesn't seem to trigger the web filtering on the FW rule either. But going to some websites that I know will trigger the web filtering does seem to work as expected.

Thanks,
Gary



This thread was automatically locked due to age.
  • Ah, never mind. I had removed the SSL decryption for some other testing. Hitting the site with http worked and the individual category pages tripped the filter. I'm guessing without SSL decryption, filtering doesn't bother to look past the root domain?

  • Not that it "doesn't bother" but that it cannot. A secure SSL/TLS connection is made to the domain, with the SNI in the connection identifying the name of the server. Once the encrypted tunnel is established, a GET request containing the path is made. But if the XG is not decrypting, it does not see the request with the path.

    When you test "Web Policy Only", it does not know if you are decrypting or not; it assumes you are. When you test with firewall rules and TLS rules, then it can apply the correct decryption decision.
