CSS Formatting Issue through Sophos

Hello, 

Do the users access this from external -> LAN/DMZ? if yes, are you using WAF or DNAT?  Or do you access this from LAN->LAN/WAN(internet)? 

What are the security features enabled on the FW rule for this traffic?

Have you tried checking if there are any deny message/s in the logs when trying to access this resource? 

Regards,

Hello,

This is all internal. Users are on laptops and/or desktops, they'll typically access the Internet from a wireless point nearby (ethernet for anyone on a desktop). 

I did look on logs, but there's nothing to suggest anything is being blocked. I also created an exception rule, but this didn't change the outcome either. Any domains that I have found connected to the website I have put into our unblock filtering policy, and even in the SSL/TLS exception.

It's just bringing that blue background forward for some reason, and it's causing us grief as so many people are using the website now.

Thanks,

Sam

Hello Sam,

Thanks for your response. Have you tried putting the domain/s in local TLS exclusion list: https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/SSL/TLSInspectionRules/index.html#exclusions-to-ssltls-inspection-rules then set action to don't decrypt.

Since this is a finance/banking site, cert pinning could be the potential cause why the site only loads partially. 

Kindly let us know how it goes. Thank you

Regards,

Hello,

Yes - it's one of the first things I did. The domains that I believe are connected to the website and all in the local TLS exclusion list in Web > URL Groups. I would have assumed it's set to don't decrypt, but I don't know where I would see that?

Thanks,

Sam

Hello Sam, 

You may configure it under Rules & Policies > SSL/TLS Inspection Rules

Select Action > Don't Decrypt 

Then, fill out the source and destination section then, under websites include the local TLS inclusion list

Also, there is a 'exclusion by website or category' rule which is by default under SSL/TLS inspection rule, which includesthe  Local TLS exclusion list as well

Please ensure that the rule is toggled on:

Hope this helps.

Regards,

Hello,

Thanks for the detailed response.

I have checked this, and it's all already set under the rule that you mentioned, the 'Exclusions by website or category' rule. This is set with the local TLS list, is set to 'dont decrypt', all sources and destinations, and is turned on.

Am I recommended to create an entirely new rule just focused on the website I am having an issue with? I would have assumed that the current default rule would have worked otherwise.

Thanks,

Sam

Hello Sam,

Thanks for your response.

Could you try creating an FW rule without security features (web filter, IPs, app) from LAN to WAN and setting the destination network to the site's FQDN?

Regards,

Often what happens is that a website loads an external resource which is either blocked or fails to load.

For example the page
domain.com/foo.html

tries to load
otherdomain.com/foo.css
domain.com:8080/foo.css
Maybe it is loading from another domain that is blocked by category, or it has hardcoded loading on other ports which you don't have a firewall rule for.

I would go to the client browser, open a private window/incognito.  His F12 and bring up the network.  Load the page.  Wait several seconds.  Look at the browser networks tab to see if something was blocked (return 403) or did not load.

Personally, I suspect ports.  If you don't want to do the F12 browser test, try making the firewall rule apply to Services All rather than HTTP/HTTPS.

Often what happens is that a website loads an external resource which is either blocked or fails to load.

For example the page
domain.com/foo.html

tries to load
otherdomain.com/foo.css
domain.com:8080/foo.css
Maybe it is loading from another domain that is blocked by category, or it has hardcoded loading on other ports which you don't have a firewall rule for.

I would go to the client browser, open a private window/incognito.  His F12 and bring up the network.  Load the page.  Wait several seconds.  Look at the browser networks tab to see if something was blocked (return 403) or did not load.

Personally, I suspect ports.  If you don't want to do the F12 browser test, try making the firewall rule apply to Services All rather than HTTP/HTTPS.

Hi Michael,

I did do this, it came back with an error on the bootstrap.min.css saying '(failed) net:ERROR_CONNECTION_CLOSED' and goes to ajax.aspnetcdn.com, which is in my whitelist of domains already.

Connection closed means it is more likely you have a firewall rule problem than a web proxy problem.  I don't think that F12 tells you the port.

Three things to try

1)
Go to the page and View Source.  Look for ajax.aspnetcdn.com.  Does it include a port?

2)
Use wireshark on the client to watch the packets.  You should see exactly where it is trying to go and what port.

3)
On SFOS look at Log Viewer.  I would try Detailed View so that you can see all the logs types together and then filter by source IP.  See if there is a log of the block.


Firewall blocks can be for a variety of reason, I don't know your config. Port not allowed is a possibility, but then so is GeoIP blocking.  App control and IPS.

Note: The default drop rule (the read only rule at the bottom of firewall rules) does not log - would be way to noisy.  If you are not getting anything in the log you can try adding your own Drop rule as the last firewall rule, with logging on.

Hi Michael,

I had ran wireshark, as I couldn't see anything in the source, or the detailed version of the log viewer. Wireshark did bring up red fields, but I am quite limited with my knowledge of it, so I can't say for certain if they are coming from the website, but I can at least test them.

So where should I go to try unblocking this port that I have?

Save the wireshark pcap and send it to me in a private message, I will take a look.