
Blocked Web Filter category not showing in web filter log

Hi all, new Sophos XG user after some time away.

Setting up my new v21 Firewall in the last week, I had an issue where I was not able to cast from Spotify on my iOS device to any of my Google Home Minis. While testing, all devices were on the same subnet.

I checked the web filter logs but could not find anything being blocked. After some trial and error, I found the issue was caused by the "Bandwidth-heavy Browsing" web filter being enabled on the rule both these devices were using, in particular the "Radio & Audio Hosting" category included in that filter. Once I removed that, everything started working.

I'm looking to understand whether I'm missing anything, and why I didn't see that being blocked in the web filter log, which would have made troubleshooting much easier. Could this be a bug, or am I missing something obvious?

Thanks!

[edited by: Erick Jan at 2:09 AM (GMT -8) on 30 Dec 2024]
  • If you are using DPI mode, when a connection is blocked it wants to show a block page. In order to do that, it starts HTTPS decryption. After the HTTPS is decrypted it will re-run policy (perhaps you won't be blocked after it knows more information). Therefore the state is a bit of a soft block.

    When it starts HTTPS decryption, the device that does not have the CA rejects the connection.  Therefore the connection "fails" rather than is "blocked".

    Because the connection was technically not blocked by web policy it does not appear in the Web Filter logs.  Annoying, I know.

    Now whether it appears in the SSL/TLS Inspection Log is based on whether it hits an SSL/TLS Rule that has Log on.  The default hidden rule at the bottom (fall through to Do Not Decrypt) does not log.  So what you want to do is add your own SSL/TLS rule that is Do Not Decrypt that applies to all traffic, but that has the checkbox for logging on.

    Now when you have an HTTPS connection that is blocked, you won't see anything in the Web Filter log, but you will in the SSL/TLS Log saying there was a failed decryption.

    An alternative is to go to Web > General Settings > "For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled"
    Change from Display Notification to Drop.  That way it won't try to decrypt.  Instead it just drops all connections that are blocked and will log it to Web Filter log.

  • That is a great explanation, thanks Michael!

    In my case though, I'm not using DPI - at least not to my knowledge.

    On the firewall rule, I do have "Scan HTTP and decrypted HTTPS" which I believe shouldn't be altering any HTTPS packets.

    On the SSL/TLS inspection rules page, I have not added any new rules and the default rule set to Don't Decrypt is still there.

    This one I just chalked up to something I couldn't explain; I've not seen anything else yet that didn't show as blocked in the firewall, but will keep testing. I'm a long-time user of FortiGate, WatchGuard, Juniper, Untangle, pfSense etc. but relatively new to Sophos XG after a brief play with earlier versions many years ago, so maybe it's something I'm missing.

    Thanks!

  • In the firewall if "Use web proxy instead of DPI mode" is unchecked then you are using DPI mode.
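The replies above describe a block that surfaces on the client as a failed TLS handshake (the firewall starts decrypting to serve a block page, and a device without the firewall CA rejects the certificate) rather than as a web filter log entry. The following client-side probe, an added example and not code from the thread or from Sophos, lets you tell the two apart from a test machine: run it once with the system trust store and once with the exported firewall CA as `cafile`; an `untrusted_ca` result that turns into a normal HTTP response when the CA is supplied means decryption is happening. The 403 status used to label a block page is an assumption, not a documented Sophos behaviour.

```python
import http.client
import socket
import ssl

# Outcome labels for a single HTTPS probe.
OK, BLOCK_PAGE, UNTRUSTED_CA, TLS_FAILED, CONN_FAILED = (
    "ok", "block_page", "untrusted_ca", "tls_failed", "conn_failed")


def classify_error(exc):
    """Map an exception raised during the probe to an outcome label.

    SSLCertVerificationError is what a client raises when the firewall has
    begun decryption and presents a certificate chained to a CA the client
    does not trust: the connection fails, it was not policy-blocked.
    Order matters: SSLCertVerificationError < SSLError < OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return UNTRUSTED_CA
    if isinstance(exc, ssl.SSLError):
        return TLS_FAILED
    if isinstance(exc, OSError):           # refused, reset, timeout, DNS
        return CONN_FAILED
    raise exc


def probe(host, port=443, path="/", timeout=5, cafile=None):
    """Verified TLS handshake plus one GET.

    Returns (label, http_status). cafile=None uses the system trust store;
    pass the exported firewall CA to see what a device that trusts it sees.
    A 403 is treated as a block page (assumed status, adjust as needed)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ctx)
        conn.request("GET", path, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
    except Exception as exc:
        return classify_error(exc), None
    return (BLOCK_PAGE if status == 403 else OK), status


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, probe(target, cafile=ca))
```

If the first run reports `untrusted_ca` and the second (with the firewall CA) reports `block_page` or `ok`, the failure is the decryption step the reply describes, and the SSL/TLS Inspection log with logging enabled, not the Web Filter log, is where to look.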
