
XGS4300 Web filter cloudflare-ech Problem.

Hello;


There is a situation I just noticed on the XGS4300 fully licensed firewall.
In URL category lookup, the URL appears in the adult category. However, users can access this adult site even though all adult categories are blocked in the web filter in the rule where users access the internet.
When I looked at the logs, I could not see any logs related to this adult site.
Then I realized that there is cloudflare-ech.com address in the logs and when I blocked access to cloudflare-ech.com, access to these adult sites was also blocked.

There is some kind of masking: the adult site address is not in the log, the adult sites are blocked in the web filter, and users can access the site anyway thanks to cloudflare-ech.com.
This is a very serious problem. How can I overcome it?



Edited TAGs
[edited by: Erick Jan at 12:37 AM (GMT -8) on 30 Dec 2024]
  • Why does another solution block it?  Cloudflare (a server company) wants to have clients connect without anyone (for example a firewall) knowing where they are connecting to - in the name of privacy.  So this is a battle of privacy (no firewall should know where the browser is going) versus control (firewalls should block browsers from going to some sites).

    The Sophos KB provides a way of forcing them off without decryption (just block).

    Cloudflare provides a different method.  Configure your DNS server to do NXDOMAIN to use-application-dns.net.  This cannot be done within the XG's DNS server but if you are using your AD server as a DNS server it would work.

    developers.cloudflare.com/.../
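To show what the firewall actually sees on the wire, here is an added example (not from the thread, Sophos or Cloudflare) that builds a minimal TLS ClientHello in Python and parses it back: with ECH the only hostname in the clear is the outer SNI cloudflare-ech.com, and the real destination is inside the encrypted_client_hello extension (code point 0xfe0d), which is why the adult site never shows up in the web filter log. The ClientHello bytes are constructed test fixtures and the `public_names` list is an assumption.

```python
import struct

ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni code point)
SNI_EXT = 0x0000   # server_name

def build_client_hello(sni, ech_payload=None):
    """Construct a minimal TLS 1.3 ClientHello record (test fixture, not captured traffic)."""
    host = sni.encode()
    name_list = b"\x00" + struct.pack("!H", len(host)) + host     # host_name entry
    sni_data = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    if ech_payload is not None:                                     # opaque ECH blob
        exts += struct.pack("!HH", ECH_EXT, len(ech_payload)) + ech_payload
    body = (b"\x03\x03" + bytes(32)          # legacy_version, random
            + b"\x00"                        # empty legacy_session_id
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def inspect_client_hello(record):
    """Return the cleartext (outer) SNI and whether an ECH extension is present."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                    # handshake header, version, random
    p += 1 + hs[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    info = {"sni": None, "ech": False}
    while p < end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SNI_EXT:                          # list_len(2) type(1) name_len(2) name
            nlen = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + nlen].decode()
        elif etype == ECH_EXT:
            info["ech"] = True
    return info

def classify(record, public_names=("cloudflare-ech.com",)):
    """Flag a ClientHello whose outer SNI is an ECH public name: real host is hidden."""
    info = inspect_client_hello(record)
    info["hidden_destination"] = info["ech"] and info["sni"] in public_names
    return info
```

A filter that only matches on the outer SNI therefore sees cloudflare-ech.com for every ECH-fronted site, and blocking that name (as the thread describes) is what strips the bypass, at the cost of breaking ECH for all sites behind it.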
