Cert errors accessing s3.amazonaws.com from backup software

We have nightly backups which point to a bucket in S3. The traffic leaves the VPC via the UTM. Ever since I enabled Web Filtering with the defaults except for blocking a few categories, my backups periodically fail with certificate errors. See below for sample errors. So I have tried adding domains like s3.amazonaws.com to the whitelist, which I thought helped, but then another error would show a different IP. When I did an nslookup on that IP I got another flavor of amazonaws.com like 1-s3.amazonaws.com. I did check include subdomains in the whitelist.

I then tried adding IPs and Domains to Filtering Options and marked them as Trusted. I am still getting the occasional failure though. Can you tell me if I am working in the right direction?

Thanks in advance.

Peter


“Content blocked While trying to retrieve the URL:https://52.216.65.179/ The content is blocked due to the following condition: The URL you have requested is blocked by Surf Protection. If you think this is wrong, please contact your administrator. Report: Blocked Category (Uncategorized)

2017:05:31-16:59:31 ec2-sophos httpproxy[30558]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="10.0.1.36" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe1718a00" url="https://54.175.125.209/" referer="" error="" authtime="0" dnstime="0" cattime="185" avscantime="0" fullreqtime="269167" device="0" auth="0" ua="" exceptions="" reason="category" category="9998" reputation="unverified" categoryname="Uncategorized"


  • I think you would have to create an Exception for URL filtering for all of the AWS subnets - a daunting task.  Instead, why not make that Exception for traffic coming from 10.0.1.36?  Or, even better, create a Web Filtering Profile for 10.0.1.36 where Uncategorized is not blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
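
A triage sketch for the situation in this thread, added here as an example and not posted by either participant: it parses httpproxy lines in the key="value" layout quoted above and counts, per source IP, blocked CONNECT requests whose URL is a bare IP address and whose block reason is the category filter. Only the first sample line comes from the thread (trimmed); the others are constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Line 1 is the entry quoted in the thread with fields trimmed; lines 2-4 are
# constructed for illustration (documentation addresses and example hosts).
SAMPLE_LOG = '''\
2017:05:31-16:59:31 ec2-sophos httpproxy[30558]: id="0060" action="block" method="CONNECT" srcip="10.0.1.36" statuscode="403" url="https://54.175.125.209/" reason="category" category="9998" categoryname="Uncategorized"
2017:05:31-17:04:02 ec2-sophos httpproxy[30558]: action="block" method="CONNECT" srcip="10.0.1.36" statuscode="403" url="https://192.0.2.10/" reason="category" category="9998" categoryname="Uncategorized"
2017:05:31-17:05:11 ec2-sophos httpproxy[30558]: action="pass" method="CONNECT" srcip="10.0.1.36" statuscode="200" url="https://s3.amazonaws.com/" reason="" categoryname=""
2017:05:31-17:06:40 ec2-sophos httpproxy[30558]: action="block" method="GET" srcip="10.0.1.50" statuscode="403" url="http://blocked.example/" reason="category" categoryname="Example Category"
'''


def parse_line(line):
    """Return the key="value" fields of one httpproxy log line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_ip_literal(url):
    """True when the URL's host is an IP address rather than a DNS name."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def blocked_ip_connects(log_text):
    """Count category-blocked CONNECTs to IP-literal URLs per (srcip, categoryname)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if (f.get("action") == "block" and f.get("method") == "CONNECT"
                and f.get("reason") == "category"
                and is_ip_literal(f.get("url", ""))):
            hits[(f.get("srcip"), f.get("categoryname"))] += 1
    return hits


if __name__ == "__main__":
    for (src, cat), n in blocked_ip_connects(SAMPLE_LOG).most_common():
        print(f"{src}: {n} blocked CONNECT(s) to bare IPs, category {cat}")
```

If every hit comes from the backup host and carries the Uncategorized category, a source-scoped exception or profile for that host covers the failures without enumerating destination addresses.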