Blocked Web Filter category not showing in web filter log

Question

Hi all, new Sophos XG user after some time away. 
 Setting up my new v21 Firewall in the last week I had an issue where I was not able to cast from Spotify on my IOS device to any of my Google Home Mini's. While testing all devices are on the same subnet. 
 I checked the web filter logs but could not find anything being blocked. After some trial and error, I found the issue was caused by the "Bandwidth-heavy Browsing" web filter being enabled on the rule both these devices were using, in particular the "Radio & Audio Hosting" category included in that filter. Once I removed that everything started working. 
 I'm looking to understand if I'm missing anything and why I didn't see that being blocked in the Web filter log, which would have made troubleshooting much easier if it did. Could this be a bug or am I missing something obvious? 
 Thanks!

rfcat_vk · Accepted Answer

If you are using SSL/TLS then you are scanning according to your web policies etc. 
 If you are satisfied then the you leave the thread as it is or if the thread has been answered you tick verify answer in th more menu. 
 Ian

Michael Dunn · Answer

If you are using DPI mode when a connection blocks it wants to show a block page. In order to do that, it starts HTTPS decryption. After the HTTPS is decrypted it will re-run policy (perhaps you won't be blocked after it knows more information). Therefore the state is a bit of soft-block. When it starts HTTPS decryption, the device that does not have the CA rejects the connection. Therefore the connection "fails" rather than is "blocked". Because the connection was technically not blocked by web policy it does not appear in the Web Filter logs. Annoying, I know. Now whether it appears in the SSL/TLS Inspection Log is based on whether it hits an SSL/TLS Rule that has Log on. The default hidden rule at the bottom (fall through to Do Not Decrypt) does not log. So what you want to do is add your own SSL/TLS rule that is Do Not Decrypt that applies to all traffic, but that has the checkbox for logging on. Now when you have an HTTPS connection that is blocked, you won't see anything in the Web Filter log, but you will in the SSL/TLS Log saying there was a failed decryption. An alternative is to go to Web > General Settings > " For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled" Change from Display Notification to Drop. That way it won't try to decrypt. Instead it just drops all connections that are blocked and will log it to Web Filter log.

rfcat_vk · Answer

Hi, 
 more than likely it is a secure connection that does not like being scanned. The connection has been established and corrupted by the scanning process. 
 ian

Blocked Web Filter category not showing in web filter log

Top Replies