
Question about getting HTTPS Scanning to work in Standard Mode

I have an SG330 UTM9 v 9.5.

In Web Protection > Web Filtering HTTPS I have Decrypt and Scan checked.

In Filtering Options > HTTPS CAs, I've Downloaded the Signing CA and created a GPO to deploy it to Trusted root folder for all users. The GPO is working as the Cert is in the trusted root folder.

When I'm monitoring traffic in the logs, I don't see it working as I'm only seeing the domain and not the sub pages they visit. I'm viewing the sites on a browser that is set to go through the proxy.

Also, it lets me download https://secure.eicar.org/eicar_com.zip without issue (if I disable my Anti Virus)


Any ideas on what else I missed? Can't seem to find any other info on what to do in the KBs. Thanks.



  • Most likely, you failed to put your internal subnet into the allowed networks list.

    Study this for background concepts

  • Thanks for the response. Under the Web Filtering > Global Tab, our Internal subnet is on the Allowed Networks group.

  • Then the proxy configuration is probably not working.

    If your browser is set to use "automatic configuration script", the browser attempts to download proxy.pac from an http web server.   Most likely, the download is not working or the script does not parse correctly.   If UTM is providing your proxy script, the browser configuration syntax should be http://proxyipaddress:8080/wpad.dat

    I thought I had posted a sample proxy script in one of my tutorials, but I cannot find it now.

  • We use WPAD for the proxy script. I did not set this up so I'm unfamiliar with it, but I could post the content of that if it helps. I know the proxy works because content filtering works when the auto detect proxy settings is enabled in the web browser.

  • All I can say for certain, is that I have exercised the web filter pretty extensively, and it works.   You have a configuration problem somewhere, so your best bet is to call Sophos support.

    Since you are unfamiliar with the pre-existing proxy script, I now suspect that the proxy script is directing traffic to some other web filter, and that UTM is not involved at all.

    But someone has to lay eyes on your configuration to find your problem.

  • Thanks. I did contact their support. Reading our WPAD script it does appear to direct the proxy to use the IP of our UTM.

    Without revealing too much,

    the wpad starts off like this, and lists some other IPs outside of our network that I have not included.

    function FindProxyForURL(url, host)
    {
    //Variables
    var proxy_yes = "PROXY (our UTM's IP):8080";
    var proxy_no = "DIRECT";
    if (shExpMatch(url, "https://(first 2 octets of our subnet).*")) { return proxy_no; }
    if (shExpMatch(url, "http://(first 2 octets of our subnet).*")) { return proxy_no; }

    (more not listed)

    Because it's saying not to use our subnet as the proxy in the script, could this be the reason?

  • Your summary information looks typical -- all of the special destinations are sent "DIRECT" (bypass the proxy).   If no exceptions are identified, the last line is to use the proxy.   For internal addresses, it is critical for the browser to connect directly to your internal server.   If the browser put the proxy in the middle of all of your internal traffic, you would have a terrible performance bottleneck.

    You have not mentioned what the logs show.   Every webfilter log entry includes the Filter Profile and the Policy that was selected.   Crank up the live log (on a different PC from the one under test), filter the live log on the IP address of your test PC, then perform the test.   If the traffic hits the proxy, see what Profile and Policy are selected.  If it never hits the proxy, that is important information as well.

    Undocumented feature:   Transparent Proxy Filter Profiles also act as Standard Mode profiles.   So the Standard Mode profiles should have higher priority (closer to the top) than any Transparent Mode profile for the same IP range.
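The routing logic the two posts above describe, as an added example that is not the poster's WPAD script: a minimal PAC file in the same shape (internal destinations go DIRECT, everything else falls through to the UTM on port 8080), plus a small shExpMatch() shim so the decision can be checked offline with Node instead of only in a browser. The proxy address 10.0.0.1 and the internal prefix 10.0. are constructed placeholders.

```javascript
// Assumed values (placeholders, not from the thread): the UTM's IP and the
// "first two octets" of the internal subnet that should bypass the proxy.
const UTM_PROXY = "PROXY 10.0.0.1:8080";
const INTERNAL_PREFIX = "10.0.";

// Browsers provide shExpMatch() natively inside a PAC file; this shim replicates
// shell-glob matching ('*' = any run, '?' = one char) so the logic runs in Node.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Same decision order as the quoted script: explicit DIRECT exceptions first,
// then the final line that sends all remaining traffic (HTTPS included) to the UTM.
function FindProxyForURL(url, host) {
  const proxy_yes = UTM_PROXY;
  const proxy_no = "DIRECT";
  if (shExpMatch(url, "https://" + INTERNAL_PREFIX + "*")) { return proxy_no; }
  if (shExpMatch(url, "http://" + INTERNAL_PREFIX + "*")) { return proxy_no; }
  if (shExpMatch(host, "localhost") || shExpMatch(host, "*.local")) { return proxy_no; }
  return proxy_yes; // if this line is missing, nothing ever reaches the web filter
}
```

Because the '.' in the prefix is a literal character to shExpMatch, "10.0." only matches hosts in 10.0.x.x; a URL for 100.0.1.1 still goes to the proxy, which is the behaviour you want when you check the live log for your test PC.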

  • Just wanted to update the resolution here in case someone was having same issue I was and stumbled upon this thread.

    The reason it wasn't working was because Decrypt and Scan wasn't being enabled at the Profile level.

    Under Web Protection > Web Filter Profiles > Filter Profiles > HTTPS tab, had to enable Decrypt and Scan for the individual profiles.

    Appreciate the help!
