SSL/TLS : ERR_CONNECTION_RESET Issue

Hi,

which firewall rule is blocking the traffic? There is also  possibility that the tecmint site is using other URLs which you have blocked.

Please post the bottom half of the firewall rule.

A suggestion, you could simply your rules by using LAN as the source zone.

Ian

Hi rfcat_vk ,

Thank you for your reply. The issue is related to my SSL/TLS policy ID 6 (MyExclusions). Please note that the firewall rules where these sites are whitelisted do not have web and app filtering enabled.

The URLs belong to Information Technology and online shopping categories, which are not blocked by my web filtering. I’m using a single web filtering policy for all my LAN to WAN traffic, as detailed below:

Web Policy (HomeWeb-Filter)

List of web categories: Advertisements, Anonymizers, Auctions & Classified Ads, Command & Control, Criminal Activity, Gambling, Hacking,

Marijuana, Nudity, Peer-to-peer & torrents, Personals & Dating, Phishing & Fraud, Pro-Suicide & Self-Harm, Sex Education, Sexually Explicit,

Spam URLs, Spyware & Malware

SSL/TLS Policy:

Firewall Rules (MyExclusionList)

I’ll keep your suggestion in mind. The reason I set up the LAN zoning was to easily identify each network within my home.

Hi,

a zone and a network are different. You have identified each network in the network field.

I have access the tecmint site without any issues and I have a way more complex firewall rule set.

Further I would suggest you select the WEB proxy rather than the DPI. The SSL/TLS does not look at UDP packets where as the proxy does.

Ian

Hi  rfcat_vk  

Yes, I mean using zones to separate my network into categories like HOME, PROXMOX, KIDS, etc., which utilize multiple networks to segregate them. However, I don’t think this setup is related to the current issue.

By the way, can the WEB Proxy detect malware? I’m particularly concerned about files that might be downloaded by home users and the implementation of zero-day protection.

As I’m new to Sophos, based on your experience, which is better in terms of security: DPI or Web Proxy? From my previous experience, I’ve used DPI with other firewall vendors.

Hi,

I was suggesting using LAN zone because you have already identified your networks in the network field. I was suggesting the change to make rule modification and management easier. All your categories are LAN zone.

The web proxy can detect malware though you will need to reduce the port range to http/s 

Also to detect malware you will need to change applications to allow all and add LAN to WAN in IPS regardless of DPI or web proxy.

Web proxy allows you to use google safe browsing etc which is not currently supported in DPI.

Ian

Hi,

I was suggesting using LAN zone because you have already identified your networks in the network field. I was suggesting the change to make rule modification and management easier. All your categories are LAN zone.

The web proxy can detect malware though you will need to reduce the port range to http/s 

Also to detect malware you will need to change applications to allow all and add LAN to WAN in IPS regardless of DPI or web proxy.

Web proxy allows you to use google safe browsing etc which is not currently supported in DPI.

Ian

Hello rfcat_vk 

Thank you for the suggestion; I’ll take note of that. Regarding malware scanning, is it correct that I need to allow all applications in the application filter rules with IPS enabled? Is this how Sophos Firewall handles malware scanning with either DPI or web proxy enabled?

What if I need to block specific applications like torrents and proxies? Additionally, if I use the web proxy, does Sophos support a transparent proxy? I’d like to avoid configuring each device manually to use the proxy, especially considering the applications used in my local network.

By the way, is it possible to use both DPI and Web Proxy simultaneously? For example, can some rules use DPI while others use the Web Proxy?

HI,

you can use DPI in one rule and web proxy in another but you need applications and IPS enabled. DPI does not support keyword filtering.

You enable the web proxy in your rule and limit the ports to http/s. With the web proxy you can block a lot of sites but not with DPI. 

Ian

Extra info: - there is a very good article by Michael Dunn in the KBAs if you do a search it might provide you with some guidance

Thanks for the suggestion. I really appreciate your response to my inquiry, and that will be the next topic as I continue my Sophos journey. One step at a time, as they say. I am eager to understand why some websites are getting a "connection reset" when DPI is enabled. I think there's something there that needs to be figured out. Also, in my opinion, the Web Proxy (Legacy) is not yet an option, as I’m not using it.

I hope someone from the Sophos support community can take a look or replicate my issue.

Hi,

I have tested the tecmint site and can connect to it without any issues, I use the web proxy.

Ian

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/sophos-firewall-life-of-a-packet

How about with DPI? 

I don't use DPI because the limitations of blocking sites.

Ian

I see, that’s why you didn’t encounter the issue I faced with DPI, where some sites throw a "connection reset" error. Did you try replicating this behavior in your own environment?

Also, I believe Sophos uses web filtering to block sites, maintaining a dedicated and regularly updated set of categories. My understanding of DPI (Deep Packet Inspection) is that it scans and decrypts traffic, blocking malicious payloads or malware when detected, but it is less focused on site blocking. Blocking becomes more comprehensive when the two approaches are combined. Both DPI and Web Proxy have their own advantages and disadvantages, depending on the user’s implementation and requirements. In my case, I prefer to use DPI.

Now I have the network to myself, I will setup a rule and try.

Ian

I tested without any issues.

I think I see your problem. You need to enable web using allow all.

Ian

It looks like you’re right. When I allowed all web filter rules, it worked. I’ll try to figure out what’s stopping it when the web filter is enabled. You may also be correct that they’re using a different link upon loading, or perhaps a 301 redirect is causing the connection reset (Server did not respond to client hello) in the Sophos SSL/TLS filter logs.