
Sophos Firewall: Blocking Download by File Size

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read describes how to block downloads by file size and how to troubleshoot the policy.

Configuration

Note: Before applying the web filtering option, you need to import the "SecurityAppliance_SSL_CA" certificate to the end machine.

See the Sophos Certificate section for instructions.

Web Policies

Log in to Sophos Firewall with an account that has administrator rights.

Go to Protect > Web > Policies > Add Policy.

The Add Web Policy panel appears. Name the policy "Block by file size".

Next, expand the policy you created and click Edit additional settings.

In Advanced settings, enable Prevent download of files larger than "File Size" MB.

  • As indicated, values between 1 and 1536 are permitted.

Upon saving, you are prompted to go to the firewall rules, because the web policy must be attached to a firewall rule.

In Protect > Rules & Policy, apply the policy to the firewall rule used for Internet access. This will differ between environments. This example uses the #Default_Network_policy rule.

Under Security Features > Web Filtering > Web Policy, select the created web policy "Block by file size".

Sophos Certificate

Downloading Certificate

Download the Sophos certificate and import it into your computer. Go to Certificates > Certificate Authorities and download SecurityAppliance_SSL_CA. To download, click the download icon on the right side of the CA.

Importing Certificate 

On the end user's Windows machine, press Ctrl+R or click the Windows button to open search.

Open mmc with Run as administrator.

Click File> Add / Remove Snap-in.

Select Certificates> Add> Computer Account> Next > Finish> OK

Go to Console Root path>Certificates>Trusted Root Certification Authorities> Certificates.

Right-click Certificates > All Tasks > Import.

Import the downloaded Certificate from Sophos 

Note: Upon importing, Restart the browser completely. 
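
The import steps above can also be scripted for several machines. The following is an added example, not Sophos code; the parameter names CaPath and ExpectedSha256 are hypothetical, and it assumes the administrator has a SHA-256 fingerprint of the CA taken from a trusted copy. Because a trusted root lets the firewall re-sign HTTPS traffic, the script refuses to import a file that does not match that fingerprint.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the downloaded SecurityAppliance_SSL_CA file, then add it
# to the computer's Trusted Root store. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $CaPath,          # path to the downloaded CA file
    [Parameter(Mandatory)] [string] $ExpectedSha256   # fingerprint obtained out-of-band
)
$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CaPath).Path

# 1. The file must be the certificate we expect (SHA-256 over the DER bytes).
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()
if ($actual -ne $expected) { throw "Fingerprint mismatch, file has $actual" }

# 2. It must be a CA certificate and currently valid.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Not a CA certificate' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 3. Add to LocalMachine\Root (same store as the MMC steps), skipping duplicates.
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
    if ($store.Certificates.Find($findType, $cert.Thumbprint, $false).Count -eq 0) {
        $store.Add($cert)
        Write-Output "Imported $($cert.Subject) (SHA-1 thumbprint $($cert.Thumbprint))"
    } else {
        Write-Output "Already trusted: $($cert.Subject)"
    }
} finally {
    $store.Close()
}
```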

Once complete, go to a download page and test by downloading a file larger than the size configured in the web policy.

As a result, the Sophos Firewall policy blocks the download of the large file.

Troubleshooting

Verify the End-user IP address 

Packet Capture

Go to Monitor & Analyze > Diagnostic > Packet Capture.

To validate traffic, we use packet capture to determine where the packet is passing.

To figure out which rule the traffic is passing through, we ran a ping test to 1.1.1.1 as a probe and took a packet capture.

Debugging Log File

awarrenhttp handles the HTTPS proxy service. For more details.

To debug awarrenhttp, run the following command in the Advanced Shell. To open the Advanced Shell, go to 5. Device Management > 3. Advanced Shell.

#service awarrenhttp:debug -ds nosync

Note: Turn off the Debug by entering the same command after troubleshooting.

Checking Status

To check the status of the service (Running, Debug or Stopped), run the following command in the Advanced Shell.

#service -S | grep awarren

Checking Logs

Run the following command

#tail -f awarrenhttp_access.log | grep " download exceeds maximum allowable size"

Logs awarrenhttp_access.log

Log Viewer

For more details, see reference Log viewer.




Added TAG
[edited by: Erick Jan at 5:50 AM (GMT -7) on 28 Oct 2024]