XG port 8090 (IPS error messages) not accessible

Hi Sophos Team,

I did an upgrade of a software appliance and found out that the generated error messages which will be displayed in the browser are not accessible by the clients.

The messages are published through port 8090. You can replicate the issue, e.g. by trying to download EICAR test virus, which triggers the IPS (web malware scanning enabled).


Is this a bug or is this a new behavior in v18, which means I have to create a FW rule for this?

Until v17.5 these things were managed automatically by "Administration --> Device Access".


My second question on this topic is if there are any details on what the "Do not apply this migrated rule to system-destined traffic." option in the FW rules exactly means and how we should deal with this.


Thanks and Best Regards

Dom

  • There is a mix of both.

    The new stream based engine has to deal differently with malware scanning. Because XG does not act as a proxy anymore, it cannot give a direct block page. It will redirect you. That's the wanted behavior. But the redirect to 8090 needs to work.

    It will redirect you to the captive portal. Can you check if the captive portal in Device Access is enabled for this zone? (Port 8090 is the captive portal.)


    The second question: Please open a new thread for this to keep one question per thread.

  • Hi LuCar Toni,

    thanks for your reply. This is the solution!

    Captive Portal needs to be active when using the new DPI engine.

    -------

    Important, as there are other threads that might point to this topic:

    This also seems to solve sporadic rendering problems of websites, very long loading times of websites packed with loads of ads, and the impression that browsing with the new DPI engine felt slower than with the old proxy.

    The reason is that sources of a blocked web category (e.g. advertisements) are redirected to port 8090, which cannot be accessed. The browser then waits "forever" to get all these sources in the background and sometimes doesn't even start to display the page at all...
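A small client-side diagnostic for the symptom described in this thread, added here as an example and not taken from the thread or from Sophos: it fetches a blocked resource without following redirects, checks that the Location header points at the firewall's port 8090, and then probes whether that port actually accepts connections from the client's zone. The firewall IP, the URL, and the redirect format are assumptions; the sample Location header in the test is constructed.

```python
import http.client
import socket
import sys
from urllib.parse import urlparse

# Port the XG redirects blocked/IPS-triggered requests to (captive portal), per the thread.
CAPTIVE_PORTAL_PORT = 8090


def fetch_location(url, timeout=5.0):
    """GET the URL once, WITHOUT following redirects, and return (status, Location header)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def redirect_target_is_captive_portal(location, firewall_ip):
    """True if the Location header points at the firewall's captive portal port."""
    if not location:
        return False
    u = urlparse(location)
    return u.hostname == firewall_ip and u.port == CAPTIVE_PORTAL_PORT


def port_reachable(host, port, timeout=3.0):
    """TCP connect probe; a timeout here is the 'browser waits forever' case from the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(location, firewall_ip, probe=port_reachable):
    """Classify the failure: no redirect at all, redirect to an unreachable 8090, or OK."""
    if not redirect_target_is_captive_portal(location, firewall_ip):
        return "no-redirect-to-8090"
    if not probe(firewall_ip, CAPTIVE_PORTAL_PORT):
        return "captive-portal-unreachable"  # enable Captive Portal in Device Access for this zone
    return "ok"


if __name__ == "__main__":  # usage: python3 check_8090.py <firewall-ip> <blocked-url>
    fw_ip, url = sys.argv[1], sys.argv[2]
    status, loc = fetch_location(url)
    print(f"HTTP {status}, Location={loc!r} -> {diagnose(loc, fw_ip)}")
```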
