Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 8 replies
  • Answers 2 answers
  • Subscribers 6 subscribers
  • Views 1697 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question about getting HTTPS Scanning to work in Standard Mode

Chad Lechan

I have an SG330 UTM9 v 9.5.

In Web Protection > Web Filtering HTTPS I have Decypt and Scan Checked.

In Filtering Options > HTTPS CAs, I've Downloaded the Signing CA and created a GPO to deploy it to Trusted root folder for all users. The GPO is working as the Cert is in the trusted root folder.

When I'm monitoring traffic in the logs, I don't see it working as I'm only seeing the domain and not the sub pages they visit. I'm viewing the sites on a browser that is set to go through the proxy.

Also, it lets me download https://secure.eicar.org/eicar_com.zip without issue (if I disable my Anti Virus)

 

Any ideas on what else I missed? Can't seem to find any other info on what to do in the KBs. Thanks.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to Chad Lechan

    All I can say for certain, is that I have exercised the web filter pretty extensively, and it works.   You have a configuration problem somewhere, so your best bet is to call Sophos support.

    Since you are unfamiliar with the pre-existing proxy script, I now suspect that the proxy script is directing traffic to some other web filter, and that UTM is not involved at all.

    But someone has to lay eyes on your configuration to find your problem.

  • 0 in reply to DouglasFoster

    Thanks. I did contact their support. Reading our WPAD script it does appear to direct the proxy to use the IP of our UTM.

    Without revealing too much,

    the wpad starts off like this, and lists some other IPs outside of our network that I have not included.

    function FindProxyForURL(url, host)
    {
    //Variables
    var proxy_yes = "PROXY (our UTM's IP):8080";
    var proxy_no = "DIRECT";
    if (shExpMatch(url, "https://(first 2 octets of our subnet).*")) { return proxy_no; }
    if (shExpMatch(url, "http://(first 2 octets of our subnet).*")) { return proxy_no; }

    (more not listed)

    Because it's saying not to use our subnet as the proxy in the sceipt could this be the reason?

  • 0 in reply to Chad Lechan

    Your summary information looks typical -- all of the special destination are sent "DIRECT" (bypass the proxy).   If no exceptions are identified, the last line is to use the proxy.   For internal addresses, it is critical for the browser to connect directly to your internal server.   If the browser put the proxy in the middle of all of your internal traffic, you would have a terrible performance bottleneck.

    You have not mentioned what the logs show.   Every webfilter log entry includes the Filter Profile and the Policy that was selected.   Crank up the live log (on a different PC from the one under test), filter the live log on the IP address of your test PC, then perform the test.   If the traffic hits the proxy, see what Profile and Policy are selected.  If it never hits the proxy, that is important information as well.

    Undocumented feature:   Transparent Proxy Filter Profiles also act as Standard Mode profiles.   So the Standard Mode profiles should have higher priority (closer to the top) than any Transparent Mode profile for the same IP range.

  • +1 in reply to DouglasFoster

    Just wanted to update the resolution here in case someone was having same issue I was and stumbled upon this thread.

    The reason it wasn't working was because Decypt and Scan wasn't being enabled at the Profile level.

    Under Web Protection > Web Filter Profiles > Filter Profiles > HTTPS tab, had to enable Decypt and Scan for the individual profiles.

    Appreciate the help!

Unfiltered HTML