[7.080] HTTP Proxy - Time events do not work correctly [CONFIRMED]

Hi.

A new Thread for an old problem.
Time events in HTTP Proxy Profiles (transparent proxy) are without any function in my case.

Here my configuration:

Time Event definitions:

Time-EveryDay-0-00-7-00 [Recurring event]
From 00:00 until 07:00 on Mon, Tue, Wed, Thu, Fri, Sat, Sun
Täglich 0:00 - 7:00

Time-Fr-Sa-Evening [Recurring event]
From 23:00 until 23:59 on Fri, Sat
Freitag, Samstag Spaetabend

Time-So-Do-Evening [Recurring event]
From 22:00 until 23:59 on Mon, Tue, Wed, Thu, Sun
Sonntag-Donnerstag Spaetabend


HTTP Profile filter action:

Filter-Protect
Mode: Whitelist
Anti-Virus scanning Dual Scan, Single Scan

(No HTTP access allowed - so it is simple to check, no effect by adding one URL to "allow this URLs/sites" - a must be in 7.011 )


Filter assignments:

HTTP-Protect-Time1
User/Groups NONE !!
Time-EveryDay-0-00-7-00
Filter Action: Filter-Protect

HTTP-Protect-Time2
User/Groups NONE !!
Time-So-Do-Evening
Filter Action: Filter-Protect

HTTP-Protect-Time3
User/Groups NONE !!
Time-Fr-Sa-Evening
Filter Action: Filter-Protect


Proxy Profile:

HTTP-Surf-Protect []
Transparent mode enabled
Source networks: HL_Surf_Protect (a Group of IP-Numbers)
Filter Assignments:
HTTP-Protect-Time1
HTTP-Protect-Time2
HTTP-Protect-Time3
Fallback action: Default content filter action


The filter action "filter-protect" is never used!
In all cases only the default filter action is used.


If I change the time event in one of the filter assignments to "Always", the filter "filter-protect" is used correctly.

No time filter is used correctly.

To Tom Kistner:
I canceled the users/groups in the filter assignments, you said it must work now - but it doesn't work.

I think the configuration is correct, isn't it?

Regards Juergen
  • Hi Juergen, 

    can you please attach the file or the content of the following config file
    /var/chroot-http/etc/httpproxy.ini

    thanks
    Gert
  • Hi Gert.

    I have problems with upload, so I copied the content here.
    (I know the blacklist0 - blacklist2 in action_REF_DefaultHTTPCFFAction will not work. I tested to reproduce my high level packet filters)

    If you want, I can send you a mail with the file.

    regards Juergen


    [global]
    listenport = 8080
    debug = none
    deferlength = 1048576
    deferagents = ozilla
    undefercontent = text/*;image/*;script/*;audio/*;video/*;application/x-flash;application/flash;application/x-shockwave;application/shockwave;application/pn-real;application/x-pn-real;application/real;application/x-real;application/vnd.ms.wms-hdr.asfv1;application/mpeg;application/audio;application/video;application/sound;application/x-audio;application/x-video;application/x-mpeg;application/x-sound;application/quicktime;application/x-quicktime;application/mms;application/x-mms;application/x-msdownload
    noscancontent = audio/*;video/*;application/x-flash;application/flash;application/x-shockwave;application/shockwave;application/pn-real;application/x-pn-real;application/real;application/x-real;application/vnd.ms.wms-hdr.asfv1;application/mpeg;application/audio;application/video;application/sound;application/x-audio;application/x-video;application/x-mpeg;application/x-sound;application/quicktime;application/x-quicktime;application/mms;application/x-mms;application/x-mms-framed;application/x-rtsp-tunnelled
    modulepath = /usr/lib
    usefwnotify = 1
    fqdn = firewall.hl.mdv
    configprefix=/etc

    [diskcache]
    maxcachesize = 50097
    maxobjectsize = 3795
    usecache = 1

    [threads]
    maxthreads = 50
    maxunused = 5

    [scanners]
    pcrescanner.so=1
    regexscanner.so=1
    fileextensionscanner.so=1
    #ncorescanner.so=1
    clamscanner.so=1
    cssscanner.so=1
    scr_scanner.so=1

    [headers]
    remove_response = vary
    remove_request = accept-encoding;te

    [aua]
    port=15723
    addr=127.0.0.1
    ttl=360
    size=2048

    [ntlm]
    msdomain=
    mshost=FIREWALL
    port=1337
    addr=db_host.local

    [parent]
    status=0
    addr=
    port=
    useauth=0



    [ssl]
    keyfile=/etc/ssl/key.pem
    certfile=/etc/ssl/cert.pem
    certstore=/etc/ssl/certs
    ciphers=ALL:!ADH:!MD5:!LOW:!EXP:@STRENGTH
    strictssl=0

    [profile_0]
    networks=192.168.18.180/32;192.168.18.80/32;192.168.18.2/32;192.168.18.78/32;192.168.18.3/32;192.168.18.79/32;192.168.18.4/32;192.168.18.1/32;192.168.18.77/32;
    auth=none
    filterassign=assign_REF_wJQFodfVnB;assign_REF_XVLiWrhNyU;assign_REF_qQRoyYmnSo;
    defaultaction=action_REF_DefaultHTTPCFFAction
    ssl=1
    plain=1
    accesslog=1

    [profile_1]
    networks=192.168.18.55/32;192.168.18.241/32;192.168.18.60/32;192.168.18.51/32;192.168.18.61/32;192.168.18.50/32;192.168.18.56/32;
    auth=none
    filterassign=assign_REF_UoVJUyqNNY;
    defaultaction=action_REF_EqKBoJONAC
    ssl=1
    plain=1
    accesslog=1

    [profile_2]
    networks=192.168.18.0/24;
    auth=none
    filterassign=assign_REF_DefaultHTTPCFFProfile;
    defaultaction=action_REF_DefaultHTTPCFFAction
    ssl=1
    plain=1
    accesslog=1

    [assign_REF_DefaultHTTPCFFProfile]
    filteraction=action_REF_DefaultHTTPCFFAction
    aaa=

    [assign_REF_UoVJUyqNNY]
    filteraction=action_REF_EqKBoJONAC
    aaa=

    [assign_REF_qQRoyYmnSo]
    filteraction=action_REF_xNGBYmppCI
    time=time_REF_IybdboODMe
    aaa=

    [assign_REF_XVLiWrhNyU]
    filteraction=action_REF_xNGBYmppCI
    time=time_REF_rYsJWkMuuo
    aaa=

    [assign_REF_wJQFodfVnB]
    filteraction=action_REF_xNGBYmppCI
    time=time_REF_bFxgVykXcD
    aaa=

    [time_REF_IybdboODMe]
    event=recurring
    start=23:00:00
    end=23:59:00
    weekdays=5;6;

    [time_REF_bFxgVykXcD]
    event=recurring
    start=00:00:00
    end=07:00:00
    weekdays=1;2;3;4;5;6;7;

    [time_REF_rYsJWkMuuo]
    event=recurring
    start=22:00:00
    end=23:59:00
    weekdays=1;2;3;4;7;

    [action_REF_EqKBoJONAC]
    defaultallow=1
    blockedurlcats=1920;
    fileext=
    avengines=css;clam;
    maxscansize=52428800
    targetservices=80;443;389;8080;21;3840-4840;4444;

    [action_REF_xNGBYmppCI]
    defaultallow=0
    allowedurlcats=
    fileext=
    avengines=css;clam;
    maxscansize=52428800
    targetservices=80;443;389;8080;21;3840-4840;4444;

    [action_REF_DefaultHTTPCFFAction]
    defaultallow=1
    blacklist0=10.128.128.0/24
    blacklist1=192.168.16.0/24
    blacklist2=192.168.1.0/24
    blockedurlcats=0210;0220;0230;0240;0310;0320;0330;0340;0510;0710;0720;0730;1410;1420;1430;1810;1920;
    fileext=msi;com;bat;vbx;hta;inf;jse;wsh;vbs;vbe;lnk;chm;pif;reg;scr;cmd;
    avengines=css;clam;
    maxscansize=52428800
    targetservices=80;443;389;8080;21;3840-4840;4444;

    [exception_0]
    domain0=windowsupdate.com
    domain1=microsoft.com
    skipav=1
    skipext=1

    [exception_1]
    domain0=apple.com
    skipav=1
    skipext=1

    [exception_2]
    domain0=adobe.com
    domain1=netbeans.org
    domain2=symantecliveupdate.com
    domain3=ps3.update.playstation.net
    domain4=download.astaro.de
    domain5=img.darktown.to
    domain6=freedb.freedb.org
    skipav=1
    skipext=1
    skipurl=1
    skipcontent=1

    [exception_3]
    domain0=hanisauland.de
    domain1=travian.de
    skipurl=1
    skipcontent=1
  • Hi Gert.

    It is now 1:45 AM - I tested more and more (with a glass of red wine).

    I found the following:

    I disabled both filter assignments
    HTTP-Protect-Time2 [time_REF_rYsJWkMuuo]  and
    HTTP-Protect-Time3 [time_REF_rYsJWkMuuo]

    and played with HTTP-Protect-Time1 [time_REF_bFxgVykXcD]

    I found:

    real-Time= 1:40 AM, Time-Dashboard=0:40  corresponding time event Start time = 2:45  -> The time event Filter is active!!
    (I reside in Time Zone Europe/Berlin (exact Münster): GMT+1, I think this is the difference between the real time and the dashboard-time)

    real-Time= 1:41 AM, Time-Dashboard=0:41  corresponding time event Start time = 2:40  -> The time event Filter is NOT active!!

    So the ASG has a time problem (in the wrong direction).
    I have to add 2 hours (twice the difference to GMT ??) to the time-filter start and end time??

    Please check.

    Good night
    best regards Juergen
  • Hi Gert.

    Please let me add the following information:

    The packet filter works with the correct time in the time event packet filters!

    So I now have to define (until the system works correctly) two different time event definitions
    one for the packet filters (with the real time)  and
    one for the HTTP-Proxy Profile (real-time + 2 h).

    I hope this information can help you.

    Regards Juergen
  • Confirmed. We're now looking for the source of the problem.
  • Any progress on this bug? I cannot get any timed event to work in web proxy even if I make it all 24 hours.
    Thanks
    Art
  • The main problem is solved. The solution is part of V7.100.

    There are still two problems (I know):
    - time events don't work on Sunday - this is currently in progress
    - no chance to define a time filter that includes 23:59:00 - 23:59:59

    regards Juergen
  • Today is Sunday, so Sunday is not functional??
    Tomorrow it will work??
    Art
  • In version 7.101 this issue is still not solved.
    Any ideas when it will be done?

    thanks.
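
Added example (not part of the thread and not Astaro's code): a small evaluator for the `profile_0` excerpt of the `httpproxy.ini` posted above, showing how a proxy clock that is off by the reported two hours, or a request in the last minute before midnight, silently falls through to the permissive default action. The matching semantics (1=Mon..7=Sun, inclusive end, first match wins) and the sign of the skew are assumptions.

```python
import configparser
from datetime import datetime, timedelta

# Excerpt of the httpproxy.ini posted in this thread (profile_0 and its time events).
INI = """
[profile_0]
filterassign=assign_REF_wJQFodfVnB;assign_REF_XVLiWrhNyU;assign_REF_qQRoyYmnSo;
defaultaction=action_REF_DefaultHTTPCFFAction
[assign_REF_qQRoyYmnSo]
filteraction=action_REF_xNGBYmppCI
time=time_REF_IybdboODMe
[assign_REF_XVLiWrhNyU]
filteraction=action_REF_xNGBYmppCI
time=time_REF_rYsJWkMuuo
[assign_REF_wJQFodfVnB]
filteraction=action_REF_xNGBYmppCI
time=time_REF_bFxgVykXcD
[time_REF_IybdboODMe]
start=23:00:00
end=23:59:00
weekdays=5;6;
[time_REF_bFxgVykXcD]
start=00:00:00
end=07:00:00
weekdays=1;2;3;4;5;6;7;
[time_REF_rYsJWkMuuo]
start=22:00:00
end=23:59:00
weekdays=1;2;3;4;7;
"""

def effective_action(when, profile="profile_0", clock_skew_hours=0):
    """Filter action applied at local time `when` if the proxy clock is off by the given hours."""
    cfg = configparser.ConfigParser()
    cfg.read_string(INI)
    seen = when + timedelta(hours=clock_skew_hours)  # time as the proxy evaluates it
    for name in filter(None, cfg[profile]["filterassign"].split(";")):
        ev = cfg[cfg[name]["time"]] if "time" in cfg[name] else None
        days = ev["weekdays"].split(";") if ev else []
        # Assumed semantics: 1=Mon..7=Sun, start <= t <= end, first matching assignment wins.
        if ev is None or (str(seen.isoweekday()) in days
                          and ev["start"] <= seen.strftime("%H:%M:%S") <= ev["end"]):
            return cfg[name]["filteraction"]
    return cfg[profile]["defaultaction"]  # fallback: the permissive default action

if __name__ == "__main__":
    wed = datetime(2024, 1, 3, 6, 30)  # constructed sample: a Wednesday, 06:30 local time
    print(effective_action(wed), effective_action(wed, clock_skew_hours=2))
```

Running the same evaluation against the live configuration at the boundaries of each time event is a quick way to confirm that a restrictive window does not fail open.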