
Problem with Sophos UTM Notification PopUps

Not sure where to post this problem.

A month ago on 10/20/2021, first reports from users unable to open PDF documents. Had users send screenshots of Sophos 'Content Warning' for a PDF document. We have a policy that users downloading certain file extensions such as PDF and ZIP files are prompted with a warning message and must click the [Proceed] button to continue the download process.

The problem is on a Sophos UTM HA software appliance v9.707-5 running on two Dell servers. On 10/15/2021 installed three updates, Sophos UTM 9.705-7, 9.706-9 then 9.707-5, on Node 2. Then on 10/19/2021 upgraded Node 1. Also had a cert expiration on 11/3/2021.

The issue is that all the Sophos Notification 'Warning/Error' pop-ups are not rendering the HTML GUI and only display the text content of the message.

Was able to replicate the problem on my WS. Viewed 'Page Source' and can see the problem. Link refers to an unresolvable source.

Had thought it was supposed to refer to 'passthrough.fw-notify.net'. That evening I checked my home UTM, which was running 9.707-5 code.

Confirmed I was correct.

Back at work next day searched for the template which generates the popup and found it here...

The template uses the '<?host?>' variable, but I have searched from root for a way to find the variable and its value.

Cannot see any way to reset it in the WebAdmin GUI. At this point I am stumped.

Strongly suspect it is related to updating Node 2.

Bob G.



  • Hi Bob,

    It looks like the file is being blocked, not warned.  Please copy here the relevant line(s) from the Web Filtering log.  Also, show us a picture of the 'Downloads' tab  in the Filtering Action shown in the log line.

    Sometimes, an Up2Date will create a wrinkle in the configuration.  What happens if you force a failover to the other node?  Also, you might try restoring from the automatic backup made just prior to your last Up2Dates.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob 

    Thanks for the reply but "The issue is that all the Sophos Notification 'Warning/Error' pop-ups are not rendering the HTML GUI and only display the text content of the message."

    Yes, the user is temporarily being blocked from downloading a PDF document until they click on the [Proceed] button to resume the PDF download. This step is used to prevent drive-by downloads.

    If you notice, the pop-up is not rendering the HTML code. Specifically, because the "https://passthrough." link is incorrect, the user's browser cannot resolve links to the style sheet, JavaScript code and image files. This problem is affecting all popup messages since the ?host? variable value is incorrect.

    Bob G.

  • Bob, please let us know what solution Sophos Support provided. I hope restoring a backup will fix this and that you aren't put in a position where you must back up the configuration and /var/log, then re-image and restore.

    Cheers - Bob

     
  • BobA, my issue now is getting the HA Node1 back online. Used ha_utils. It seems that the root partition ran out of disk space while it was running in slave mode. Purged older backup copies, a few core dumps. The freed space would fill back up to 100%. Node2's (Master) root is at 85%. Just disable HA to do a reinstall. Thanks again...

  • Solved: Found the cause of the issue. It was related to the new certificate installed in October.

    As a workaround, thought to just create a 'passthrough.cmh-utm-3' host record. When creating it, got a message that the host record already exists. So searched 'Network Definitions' for an entry and found a record. Weird thing is it was [view] only. Thought this might be something pushed out of SUM. Searched SUM and found no entries.

    Back on the UTM WebAdmin, looked to see where that host record was used. It showed the path 'WebProtection -> Filtering Options -> Misc' where this object was used.

    Browsed to the [Misc] page, scrolled down and found in the 'Certificate for End-User Pages' section 'Use a custom certificate for HTTPS pages' checked. The hostname is 'cmh-utm-3'. I had recently selected the new cert. Unchecked the 'Custom Certificate' checkbox and [Apply]. The view-only host record disappeared.

    Tested by accessing a web page to download a PDF document. This time the page rendered the GUI elements, and viewing the page code shows the 'passthrough' URL changed back to default: <link href="https://passthrough.fw-notify.net/static/default.css" rel="stylesheet" type="text/css" />

    Going to leave it as is.

    Bob G.
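
A check for the failure mode this thread ends on, as an added example that is not part of any post: it lists the hosts a saved notification page loads its stylesheet, scripts and images from and reports those the client cannot resolve. The sample HTML is constructed (only the default.css path appears in the thread), and the class and function names are hypothetical.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a notification page in the broken state from the
# thread; the .js and .png paths are made up for illustration.
SAMPLE_BROKEN = '''<html><head>
<link href="https://passthrough.cmh-utm-3/static/default.css" rel="stylesheet" type="text/css" />
<script src="https://passthrough.cmh-utm-3/static/default.js"></script>
</head><body><img src="https://passthrough.cmh-utm-3/static/logo.png" /></body></html>'''


class ResourceHosts(HTMLParser):
    """Collect the hostnames of stylesheets, scripts and images a page loads."""
    ATTRS = {"link": "href", "script": "src", "img": "src"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value).hostname
                if host:
                    self.hosts.add(host)


def system_resolves(host):
    """True if this machine's resolver returns an address for host."""
    try:
        socket.getaddrinfo(host, 443)
        return True
    except socket.gaierror:
        return False


def unresolvable_hosts(page_html, resolves=system_resolves):
    """Return the sorted resource hosts in page_html that do not resolve."""
    parser = ResourceHosts()
    parser.feed(page_html)
    return sorted(h for h in parser.hosts if not resolves(h))


if __name__ == "__main__":
    for host in unresolvable_hosts(SAMPLE_BROKEN):
        print("client cannot resolve:", host)
```

Run it from a client workstation against the saved 'Page Source' of a pop-up, since resolution has to be tested with the same DNS view the users' browsers have.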