Web filter log inconsistency

Hi.

I have a default firewall policy configured like this and web filtering is not configured to any other firewall rule. I do not use HTTPS decryption.

Web filter works and I get a block message for denied HTTP sites and a certificate error for HTTPS sites. This is as expected.

However, when I look at the web filter logs and filter on "Log subtype Denied", I only get a list of blocked HTTP sites and not HTTPS sites, even when they were actually blocked from access. I do get logs of all allowed HTTPS sites.

What makes this even more confusing is the exception of "Advertisements" category which is denied and blocking gets logged even with HTTPS sites when they are categorized as advertisements.



Edited TAGs
[edited by: Erick Jan at 12:17 AM (GMT -8) on 2 Dec 2024]
  • Hi Ilkka Ruuskanen

    Use web proxy instead of DPI engine by enabling Filtering common web ports on the firewall rule, as in the configuration below, and check the denial logs.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".


  • That did it! Thank you. I assume it's a bug that logging requires web proxy to work properly.

  • If you are using the DPI mode and you are blocked it will force HTTPS decryption in order to display the block page (actually it redirects you to a block page).

    If the CA is installed then the redirection should work, the block page displayed, and there will be a Web Filter log for Block of the https site.

    If the CA is not installed the browser will not allow the secure connection and you get a browser warning. There is an SSL/TLS Inspection Log saying there was a decryption problem. There is no Web Filter block log. This is because the TLS error occurs before the block.

    It is known behaviour that currently we have no plans to change.

    Workaround 1:
    Install the CA so that you can decrypt block pages.

    Workaround 2:
    In Web Settings > General, for Block on HTTPS, change to Drop rather than Decrypt. I am 95% sure this will log.

    Workaround 3:
    Use web proxy instead of DPI mode.

    Workaround 4:
    Use the SSL/TLS Inspection Log to see the list of blocked HTTPS sites.
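
Workaround 4 amounts to merging two logs. As an added example (not from the thread or from Sophos), this script combines Web Filter "Denied" entries with SSL/TLS inspection errors and flags hosts that show up only as TLS errors, which are candidates for HTTPS blocks that never reached the Web Filter log. The key="value" line layout, the field names and values, and the sample lines are assumptions constructed for illustration; map them to the fields in your own export.

```python
import re
from collections import defaultdict

# Constructed sample lines. The key="value" layout and the field names
# (log_type, log_subtype, domain, server_name) are assumptions for this
# example, not a documented export format.
SAMPLE_LOGS = '''\
log_type="Content Filtering" log_subtype="Denied" domain="blocked.example" category="Gambling"
log_type="Content Filtering" log_subtype="Allowed" domain="news.example" category="News"
log_type="SSL" log_subtype="Error" server_name="casino.example" reason="unknown CA"
log_type="Content Filtering" log_subtype="Denied" domain="ads.example" category="Advertisements"
log_type="SSL" log_subtype="Decrypt" server_name="ok.example" reason=""
log_type="SSL" log_subtype="Error" server_name="casino.example" reason="unknown CA"
'''

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return dict(PAIR.findall(line))


def blocked_sites(log_text):
    """Map each host to the set of logs that recorded a block or TLS error."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind, sub = rec.get("log_type"), rec.get("log_subtype")
        if kind == "Content Filtering" and sub == "Denied":
            hits[rec.get("domain", "?")].add("web-filter")
        elif kind == "SSL" and sub == "Error":
            hits[rec.get("server_name", "?")].add("tls-inspection")
    return dict(hits)


def tls_only(hits):
    """Hosts seen only as TLS errors: no matching Web Filter denial exists."""
    return sorted(h for h, src in hits.items() if src == {"tls-inspection"})


if __name__ == "__main__":
    merged = blocked_sites(SAMPLE_LOGS)
    for host in sorted(merged):
        print(host, sorted(merged[host]))
    print("TLS-only candidates:", tls_only(merged))
```

Not every TLS inspection error is a block, so treat the TLS-only list as candidates to check against the web policy rather than as confirmed denials.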