At Web Filter Profiles | Block these websites , I use following string in Regular Expression and Domain:
1) ^https?://([A-Za-z0-9.-]*\.)?.poki.com/
2) poki.com
But the user still can entry this website, how to solve this problem?
I would try with the following: ^https?://[A-Za-z0-9.-]*poki.com/
If that doesn't block the user, show us a line or two from the Web Filtering log where the user was able to reach the game.
Cheers - Bob
Hi Bob,
After changing the parameter, it still will not be blocked.
Following is the Log:
2018:11:02-08:33:20 XXXXXX httpproxy[25197]: id="0062" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden url detected" action="block" method="CONNECT" srcip="10.77.192.90" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2974" request="0xcf153000" url="https://a.poki.com/" referer="" error="" authtime="0" dnstime="0" cattime="39644" avscantime="0" fullreqtime="248391" device="0" auth="0" ua="" exceptions=""
2018:11:02-08:33:20 XXXXXX httpproxy[25197]: id="0062" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden url detected" action="block" method="CONNECT" srcip="10.77.192.90" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2974" request="0xddb30800" url="https://g.poki.com/" referer="" error="" authtime="0" dnstime="0" cattime="40540" avscantime="0" fullreqtime="244922" device="0" auth="0" ua="" exceptions=""
2018:11:02-08:33:20 XXXXXX httpproxy[25197]: id="0062" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden url detected" action="block" method="CONNECT" srcip="10.77.192.90" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2978" request="0xc3f75000" url="https://img.poki.com/" referer="" error="" authtime="0" dnstime="0" cattime="41357" avscantime="0" fullreqtime="245628" device="0" auth="0" ua="" exceptions=""
2018:11:02-08:33:20 XXXXXX httpproxy[25197]: id="0062" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden url detected" action="block" method="CONNECT" srcip="10.77.192.90" dstip="" user="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2974" request="0xe0d11800" url="https://i.poki.com/" referer="" error="" authtime="0" dnstime="0" cattime="43962" avscantime="0" fullreqtime="249580" device="0" auth="0" ua="" exceptions=""
Thanks for help!
I am guessing that the parenthesis are producing unexpected results. RegEx is more fun than crossword puzzles, but rarely necessary in UTM. There is a much easier solution.
Create a Websites object for poki.com and check the option to include subdomains. Then either give it a blocked category, blocked reputation, or make up a tag. If you use the tag, then add a tag rule for block to the Filter Actions. I prefer the tag approach because I can choose a tag name that documents my purpose.
Thanks for lot!
It is work!
Hi
Last night, I tried ^https?://([A-Za-z0-9.-]*\.)?poki\.com/ and although the policy helpdesk test indicated that both block https://www.poki.com and https://poki.com would be blocked (Reason: URL blocked by blacklist) and trying www.poki.com in a browser did indeed return the Sophos content blocked page, poki.com still worked. I left it a wee while (30 mins or so) and then tried it again, but curiously, I could still access poki.com.
I've just tried accessing the site this morning and I see that it's now all working as expected (both www.poki.com and poki.com now bring up the Sophos content blocked page) so I'm wildly guessing that it was maybe a caching issue (though I've not seen that happen when blocking other sites, so it is a minor mystery).
Bri
PS I loved the 'RegEx is more fun than crossword puzzles' comment! :-) I'm a techy, but I'm not a programmer (Z80 CPUs were considered as being esoteric when I was at school) so I'd not had reason to explore regular expressions until trying UTM (been running it at home for over 2.5 years). Last week, I finally got around to procuring the 1997 O'Reilly book 'Mastering Regular Expressions' (by E.F. Friedl) from a well known on-line auction site and I am looking forward to some great fun learning times ahead (by parsing text, playing with Linux scripts, etc, etc).
The logs show that, after changing the REGEX, all attempts to access via Web Filtering were unsuccessful: "web request blocked, forbidden url detected".
Cheers - Bob
Hi
It's interesting in that a few moments ago, I tried both www.poki,com and poki.com and both resulted in the expected Sophos UTM blocked page stating 'The URL you have requested is blocked by a blacklist.', then when I accessed 'Web filter profiles' -> 'Filter actions' -> 'Default content filter action [This is the default content filter action profile]' -> 'Websites' and edited my 'Block these websites' entry to change it from ^https?://([A-Za-z0-9.-]*\.)?poki\.com/ to ^https?://([A-Za-z0-9.-]*\.)?ooki\.com/, I could then immediately access both www.poki.com and poki.com.
When I then changed the RegEx back to ^https?://([A-Za-z0-9.-]*\.)?poki\.com/, I tried www.poki.com (in a browser) and it was immediately blocked, but when trying just poki.com, the poki page was shown. I left it for a few minutes and the situation was the same, but then after about 10 minutes, I tried again and both www.poki.com and poki.com resulted in the UTM blocked page appearing.
Both of the above implied - to me - that the RegEx was doing its job (though the delay puzzles me) but the below tests highlight that I'm not understanding the interaction between the RBL and my RegEx entry.
For the above test, in the 'Web filter profiles' -> 'Filter actions' -> 'Default content filter action [This is the default content filter action profile]' -> 'Websites' and edited my 'Categories' section, I had all categories set to 'Allow', so I had assumed that the RBL was not coming into play, but I did have the 'Default content filter block action [This is the default content filter block action profile]' entries set to the defaults (Block all content, except as specified below). When I then changed that one to from 'Block' to 'Allow' (via the tick-box to globally change all entries), it then permitted browser access to both poki.com and www.poki.com (thus appearing - to my mind - to be overriding the RegEx in the default content filter section).
I then toggled the 'Default content filter block action [This is the default content filter block action profile]' back to all being set to 'Block' and it resulted in an identical behaviour to that described in my first paragraph (www.poki.com being immediately blocked, poki.com being accessible, then after a few minutes, both being blocked).
So. would I be correct in assuming that the basic RBL is enabled via setting the 'Default content filter block action' into 'block' mode and it is then appended with entries set in the 'Default content filter action' section and that this all takes a few minutes to happen (downloading the on-line RBL and then building up a local one appended with my own entries) or am I not correctly understanding the relationship between RBL and local entries (the latter being the most likely)? [:$]
Sorry to be a such a major pain and please do feel free to just ignore the above question (or if possible, perhaps just point me to a tutorial or other resource which might help better my understanding; I have looked, but I've not yet found anything to explain how it all interacts).
Kind regards
Briain
