Why does one website get blocked but a similar one does not?

I am trying to block a couple of bad websites.  I went into base policy and created a list of sites, including "*.badsite1.com" and "*.badsite2.com".  The first site is blocked with a message of "an error occurred while handling your request" and "connection refused".  The second site gets the message of "Content blocked" with a button that allows for unblocking.  Why the difference?

Here's the log entries for each site:

2018:04:18-16:43:28 tsefw-1 httpproxy[5784]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.24.32.252" dstip="209.239.175.95" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="2543" request="0x1db71000" url="http://www.badsite1.com/" referer="" error="Connection refused" authtime="0" dnstime="88" cattime="110" avscantime="0" fullreqtime="57988" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites"

2018:04:18-16:42:50 tsefw-1 httpproxy[5784]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.24.32.252" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3213" request="0x17f8c600" url="http://www.badsite2.com/" referer="" error="" authtime="0" dnstime="0" cattime="75" avscantime="0" fullreqtime="269" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" reason="category" category="149" reputation="neutral" categoryname="Pornography"

  • Hello SteveGross,

    I'm not familiar with the UTM but ...
    "a similar one" - on a higher level perhaps, though badsite1 has reputation="malicious" categoryname="Malicious Sites" whereas badsite2 has reputation="neutral" categoryname="Pornography"; note also that for the former no reason tag is logged, for the latter it's reason="category". This might explain the different behaviour.

    Christian

  • Thanks Christian.  I think this would mean that the emails get processed first by something other than the Default Block Policy.  Would anyone know what that is?

  • Hello SteveGross,

    "emails" - emails? Isn't this about web and HTTP?
    I hoped that some UTM expert (like Bob - ) would give a more helpful answer - just threw in my two cents when I saw that your query was unanswered for "many hours" [:)].

    First of all, I noticed statuscode="502" together with error="Connection refused" in the first entry so maybe the destination did actually refuse the connection.
    But anyway, I'd have thought that a blacklist/whitelist would have precedence - how did you add it to your policy?

    Christian

  • Your customizations did not work.

    "Connection refused" means that the connection was attempted, but the other end did not want to talk to you! If it had been blocked by the web proxy, the connect would not have been attempted.

    *.badsites.com is not a valid regular expression for use in the Exceptions object. Those must use regular expression syntax.

    The easiest way to get your desired result is to create a TAG for badsites.com with the box checked for "include subdomains", then create an exception object for "going to sites tagged as" that tag.

    If an exception is applied, you will see an exceptions="feature,feature" or override="1" in the logs.

  • As Doug said, Steve, the first access was not blocked "by" Web Filtering.  When you see statuscode="50?", you can assume that the web server doesn't like something about the proxy.  If this were an access you had wanted to allow, the first thing to try would have been an Exception for antivirus scanning.  When that doesn't work, the only solution is to skip the Proxy for the site.

    His advice too about tagging domains and subdomains is spot on.  I think you want to use that technique to Block on the 'Websites' tab of Filter Actions instead of allowing them in an Exception.  Use REGEX, not Windows notation in every place except email addresses.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
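The two points Doug and Bob make (a 5xx with error="Connection refused" is the upstream server failing, not a Web Filter block; a real category block carries statuscode="403" and reason="category"; an applied Exception shows up as exceptions="..." or override="1"; and "*.badsite.com" is wildcard notation, not a regular expression) can be turned into a quick triage check. The script below is an added example, not code from the thread or from Sophos: it parses the two httpproxy lines quoted in the question, classifies each one, and shows why the wildcard pattern fails to compile as a regex. The field meanings are taken from the log lines above; the replacement regex is a hypothetical illustration of Bob's "use REGEX" advice and is not the UTM's documented pattern syntax.

```python
import re

# Constructed sample input: the two httpproxy lines quoted in the question, copied here
# so the script runs offline.
LOG_LINES = [
    '2018:04:18-16:43:28 tsefw-1 httpproxy[5784]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.24.32.252" dstip="209.239.175.95" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="2543" request="0x1db71000" url="http://www.badsite1.com/" referer="" error="Connection refused" authtime="0" dnstime="88" cattime="110" avscantime="0" fullreqtime="57988" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" category="130" reputation="malicious" categoryname="Malicious Sites"',
    '2018:04:18-16:42:50 tsefw-1 httpproxy[5784]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.24.32.252" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3213" request="0x17f8c600" url="http://www.badsite2.com/" referer="" error="" authtime="0" dnstime="0" cattime="75" avscantime="0" fullreqtime="269" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 5.2; rv:47.0) Gecko/20100101 Firefox/47.0" exceptions="" reason="category" category="149" reputation="neutral" categoryname="Pornography"',
]

# Every field after the syslog header is key="value"; values contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

WEB_FILTER_BLOCK = "blocked by web filter (category)"
UPSTREAM_FAILURE = "upstream connection failed (not a web filter block)"
OTHER = "other"


def parse_httpproxy_line(line):
    """Split one httpproxy syslog line into its header and a dict of key="value" fields."""
    header, _, body = line.partition(": ")
    fields = dict(KV_RE.findall(body))
    fields["_header"] = header
    return fields


def classify(fields):
    """Apply the thread's rule: 403 + reason=category is the proxy blocking,
    a 5xx with an error string is the destination refusing/failing."""
    status = fields.get("statuscode", "")
    if status == "403" and fields.get("reason") == "category":
        return WEB_FILTER_BLOCK
    if status.startswith("5") and fields.get("error"):
        return UPSTREAM_FAILURE
    return OTHER


def exception_applied(fields):
    """True when an Exception bypassed a feature: exceptions="..." non-empty or override="1"."""
    return bool(fields.get("exceptions")) or fields.get("override") == "1"


def is_valid_regex(pattern):
    """Wildcard notation such as *.badsite1.com is not a regex: a leading '*' has nothing to repeat."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


# Hypothetical regex matching badsite1.com and all its subdomains over http or https
# (illustration of the "use REGEX" advice, not the UTM's documented syntax).
DOMAIN_AND_SUBDOMAINS = r"^https?://([a-z0-9-]+\.)*badsite1\.com/"


def url_matches(pattern, url):
    """Check a logged url="..." value against a regex pattern."""
    return re.search(pattern, url, re.IGNORECASE) is not None


if __name__ == "__main__":
    for line in LOG_LINES:
        f = parse_httpproxy_line(line)
        print(f["url"], "->", classify(f), "| exception applied:", exception_applied(f))
    print("'*.badsite1.com' is a valid regex:", is_valid_regex("*.badsite1.com"))
    for url in ("http://www.badsite1.com/", "http://badsite1.com/", "http://notbadsite1.com/"):
        print(url, "matches:", url_matches(DOMAIN_AND_SUBDOMAINS, url))
```

Run against a larger export of the httpproxy log, the classifier separates the entries that need a Web Filter change from those that need an antivirus Exception or a proxy skip, and the `exception_applied` check confirms whether any Exception actually fired for a request.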