
Why the link can't be blocked?

I am very tired because UTM 9 can't block the link successfully.

The following is the link:

https://scratch.mit.edu/explore/projects/all

I tested the following regular expressions:

https://scratch.mit.edu/explore/projects/[all]

https://scratch.mit.edu/explore/projects/[a-zA-Z0-9]

When I use the policy test, it shows blocked. However, when I try the user computers (10 different computers in total), it can still pass.

Including the previous "Lego" game link, this is the second link that can't be blocked.

 

Please help!



  • Do you have access to support, or are you a home user?   You may have found a bug that Support needs to investigate.

    I have reproduced your symptoms.

  • I think I repeated your problem because I repeated your mistake.

    Escape all of the "/" characters -- replace them with "\/" -- and see if it fixes the problem.   I do not have time to repeat my tests right now.

  • DouglasFoster said:

    I think I repeated your problem because I repeated your mistake.

    Escape all of the "/" characters -- replace them with "\/" -- and see if it fixes the problem.   I do not have time to repeat my tests right now.

     

    Hi DouglasFoster,

    Thanks for reply!

    I tested these regular expressions:

    ^https?://scratch.mit.edu\/explore\/projects\/[A-Za-z0-9]

    and

    ^https?:\/\/scratch.mit.edu\/explore\/projects\/[A-Za-z0-9]

    Same as before, the policy test shows blocked, but the user's computer can still pass.

    Also, I found a new problem. I opened the live log and went to scratch.mit.edu in Chrome. Strangely, the live log does not show anything about it, but it does show the status of other websites.

    Thanks a lot.

  • Hi Perry,

    Does the following work?

    ^https?://scratch.mit.edu/explore/projects/

    If not, show us the line from the Web Filtering log file where a URL was not blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Sorry, it still does not work.

    Admin Console:

    User Computer:

    Log:

    2018:12:08-11:15:35 httpproxy[5763]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="151.101.2.133" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="24217" request="0xdc862000" url="https://api.scratch.mit.edu/" referer="" error="" authtime="0" dnstime="2" cattime="140" avscantime="0" fullreqtime="61958215" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"
    2018:12:08-11:15:35 httpproxy[5763]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" dstip="151.101.194.133" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3233490" request="0xe1069800" url="https://scratch.mit.edu/" referer="" error="" authtime="0" dnstime="2" cattime="96" avscantime="0" fullreqtime="62455812" device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" categoryname="Education/Reference"

     

    But the log only matches the word "scratch" in these two lines. Also, the live log window showed the above information only after around 30 seconds. Is this reasonable?

    Thanks Bob

  • The lines you show from the log are not accesses you said you wanted to block.  The pictures are too small to see, but I suspect that the accesses are not being seen by Web Filtering or that you need to block other URLs than the one you've identified.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    The lines you show from the log are not accesses you said you wanted to block.  The pictures are too small to see, but I suspect that the accesses are not being seen by Web Filtering or that you need to block other URLs than the one you've identified.

    Cheers - Bob

     

     

    Hi Bob,

    I have re-inserted the images.

    Proxy Test Tools:

    User's Computer :

     

    About the log, I don't know why it is like the LEGO URL. Even when I open the live log window and go to the URL, it does not show the URL in the live log. I refreshed the URL 3 times, and after around 30 seconds the live log showed only the above two log entries. Does anything need to be set?

    I have already rebooted the firewall, but the live log has the same status.

    Please Help!

  • Without HTTPS inspection, UTM only logs one entry for the session, with method="CONNECT", and only at the end of the session.   The size="value" field of the log entry is the total of all traffic seen during the session.   Live Log is probably not helping because you are opening the page, which starts a session, and then expecting a log entry to appear.   You may be able to make the live log entry appear by navigating away from the page, to something unrelated.

  • Sharp eye, Doug!  I admit to scanning too often without looking closely.

    Perry, if you're not using decrypt and scan for HTTPS traffic, you won't be able to block traffic inside the encrypted tunnel, just as Doug commented twice above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
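To make Doug's and Bob's point concrete, here is an added example that is not from the thread or from Sophos: it parses the two httpproxy log lines Perry posted, applies the regexes from the thread to the URL the filter can actually see, and models the difference between a CONNECT-only session and one with decrypt and scan. The model of what the proxy sees (host only for HTTPS without inspection, full URL with it) is a simplification of what Doug described, and it assumes UTM's regex engine treats these patterns the same way Python's `re` module does.

```python
import re
from urllib.parse import urlsplit

# The two Web Filtering log lines Perry quoted earlier in this thread.
LOG_LINES = [
    '2018:12:08-11:15:35 httpproxy[5763]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" '
    'dstip="151.101.2.133" user="" ad_domain="" statuscode="200" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="24217" '
    'request="0xdc862000" url="https://api.scratch.mit.edu/" referer="" error="" '
    'authtime="0" dnstime="2" cattime="140" avscantime="0" fullreqtime="61958215" '
    'device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" '
    'categoryname="Education/Reference"',
    '2018:12:08-11:15:35 httpproxy[5763]: id="0001" severity="info" sys="SecureWeb" '
    'sub="http" name="http access" action="pass" method="CONNECT" srcip="10.77.192.90" '
    'dstip="151.101.194.133" user="" ad_domain="" statuscode="200" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3233490" '
    'request="0xe1069800" url="https://scratch.mit.edu/" referer="" error="" '
    'authtime="0" dnstime="2" cattime="96" avscantime="0" fullreqtime="62455812" '
    'device="0" auth="0" ua="" exceptions="" category="111" reputation="neutral" '
    'categoryname="Education/Reference"',
]

# httpproxy lines are a timestamp followed by key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line: str) -> dict:
    """Split one UTM httpproxy log line into a dict of its fields plus the timestamp."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def connect_entries(lines):
    """(url, bytes) for every CONNECT entry: one per tunnel, written at session end,
    with size being the total traffic of the whole session (as Doug explained)."""
    parsed = (parse_httpproxy_line(line) for line in lines)
    return [(f["url"], int(f["size"])) for f in parsed if f["method"] == "CONNECT"]


# Regexes copied verbatim from the thread (Perry's two variants and Bob's suggestion).
PATTERNS = {
    "perry_class": r"https://scratch.mit.edu/explore/projects/[all]",
    "perry_escaped": r"^https?:\/\/scratch.mit.edu\/explore\/projects\/[A-Za-z0-9]",
    "bob": r"^https?://scratch.mit.edu/explore/projects/",
}


def url_matches(pattern: str, url: str) -> bool:
    return re.search(pattern, url) is not None


def url_as_seen_by_filter(requested_url: str, https_inspection: bool) -> str:
    """Simplified model (assumption): without decrypt and scan the proxy only sees the
    CONNECT target, which the log records as https://host/; with it, the full URL."""
    parts = urlsplit(requested_url)
    if parts.scheme == "https" and not https_inspection:
        return f"https://{parts.netloc}/"
    return requested_url


def filter_decision(pattern: str, requested_url: str, https_inspection: bool) -> str:
    """'block' if the pattern matches what the filter can see, else 'pass'."""
    seen = url_as_seen_by_filter(requested_url, https_inspection)
    return "block" if url_matches(pattern, seen) else "pass"


if __name__ == "__main__":
    target = "https://scratch.mit.edu/explore/projects/all"
    for name, pattern in PATTERNS.items():
        print(f"{name:14} inspection on  -> {filter_decision(pattern, target, True)}")
        print(f"{name:14} inspection off -> {filter_decision(pattern, target, False)}")
    for url, size in connect_entries(LOG_LINES):
        print(f"logged CONNECT url={url} session_bytes={size}")
```

Every pattern in the thread, including the first one with the `[all]` character class, matches the full URL once the filter can see it; none of them can match `https://scratch.mit.edu/`, which is all the proxy logs for the tunnel without inspection, so the policy test (which is given the full URL) says blocked while the client passes.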
  • BAlfson said:

    Sharp eye, Doug!  I admit to scanning too often without looking closely.

    Perry, if you're not using decrypt and scan for HTTPS traffic, you won't be able to block traffic inside the encrypted tunnel, just as Doug commented twice above.

    Cheers - Bob

     

     
    Hi Bob and DouglasFoster
     
    Thank you for your big help!
     
    About the decrypt and scan function, should the CA be downloaded from Web Protection | Filtering Options | HTTPS CAs and installed on all client computers before enabling the decrypt and scan function?
     
    Again, thank you for your help!
  • Yes, Perry, if you don't install the Proxy CA in all computers, they will get a certificate warning.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Yes, Perry, if you don't install the Proxy CA in all computers, they will get a certificate warning.

    Cheers - Bob

     

     
    Hi all, 
     
    When I enable the "decrypt and scan" function, there is a new problem, as follows. I have already installed the certificate downloaded from "Web Protection|Filtering Options|HTTPS CAs".
     
    Web Protection Setting:
     
    ERROR:
    For Example: hk.yahoo.com
     
     
    If I do not switch back to "URL filtering only", the error stays.
     
    Please help!!
     
  • Hi,

    Perry, the error you get looks like it is from Firefox.

    By default, Firefox does not use the certificate store from Windows.

    You have to import the CA into Firefox itself.

    Best Regards
    DKKDG

  • DKKDG said:

    Hi,

    Perry, the error you get looks like it is from Firefox.

    By default, Firefox does not use the certificate store from Windows.

    You have to import the CA into Firefox itself.

    Best Regards
    DKKDG

     

    Hi DKKDG,

    I am using Google Chrome, and the certificate was imported by double-clicking it in the Windows file manager.

    You need to use GPO to push the certificate to all clients.   It is needed whether you use HTTPS inspection or not, but it is more critical with HTTPS inspection enabled.

    You are running into common startup problems, so you need to do some research.  I have tried to use this forum to document everything that I figured out as I worked with web filtering, because the manuals do not provide any tutorials.   

    My earliest material is in the Wiki section, and generally foundational.  There is a post about the UTM Architecture, which contains undocumented information that I learned by unhappy surprise, a tutorial about how the different pieces of the web filtering configuration work together, and a discussion about the different security mechanisms and how they fit together. 

    The newer material is pinned at the top of the Web Filtering sub-forum.    The most recent entry is "Troubleshooting Web Filtering", which you may find useful for rapid response to the next problem.   "Web Filtering Lessons Learned" is the longest document.   It includes a sample proxy script, an explanation of why I use both Standard Mode and Transparent Mode together, and related matters.

     

  • DouglasFoster said:

    You need to use GPO to push the certificate to all clients.   It is needed whether you use HTTPS inspection or not, but it is more critical with HTTPS inspection enabled.

    You are running into common startup problems, so you need to do some research.  I have tried to use this forum to document everything that I figured out as I worked with web filtering, because the manuals do not provide any tutorials.   

    My earliest material is in the Wiki section, and generally foundational.  There is a post about the UTM Architecture, which contains undocumented information that I learned by unhappy surprise, a tutorial about how the different pieces of the web filtering configuration work together, and a discussion about the different security mechanisms and how they fit together. 

    The newer material is pinned at the top of the Web Filtering sub-forum.    The most recent entry is "Troubleshooting Web Filtering", which you may find useful for rapid response to the next problem.   "Web Filtering Lessons Learned" is the longest document.   It includes a sample proxy script, an explanation of why I use both Standard Mode and Transparent Mode together, and related matters.

     

    Hi DouglasFoster,

    First of all, thanks for your help and teaching.

    I already installed the CA by GPO and checked it with CertMgr, but the problem is still there.  Otherwise, I would not be asking for help again. (T_T)

    Is it not working because of the Cloudflare setting?

    Every day I am doing trial and error; I feel very tired!

    YEAH! The warning hasn't prompted again!

    All, see this for general background information on HTTPS scanning.

    https://community.sophos.com/kb/en-us/132997

    So you are wanting to bypass your router/firewall/UTM and see how your desktop software firewall responds to ICMP? Hopefully I am understanding what you want here.

    If that's the case, get the gateway of your ISP modem/router via whatismyip in Google. Then connect to a hotspot or external network, or even a VPN, then try to ping back to your WAN: does it respond? If it doesn't respond then you need to either bridge your ISP gear, set disable firewall for true static, or go into settings and enable ICMP passthrough. After that you need to pass ICMP through your UTM 9 or set your local (LAN) IP for bypass/DMZ, then rerun the test.

    That's pretty much all you need to do either way, but if your ISP is force blocking ICMP and you can't get into it to make changes then you are pretty much out of luck.

  • To elaborate, the basic PING-related settings are in:

    Network Protection... Firewall... ICMP (tab)

    You can enable some of these options, then restrict them using firewall rules.

    Also remember that UTM is largely directionless, so if you want to permit ping out but not ping in, you need to teach UTM to do that with firewall rules, because it does not think in terms of inside and outside in most contexts.

    Overall, reachability for ping is different than reachability for web traffic.

  • You can enable some of these options, then restrict them using firewall rules.

    It's the other way around, Doug - the settings on the 'ICMP' tab take precedence over manual firewall rules.  If you want to restrict these options, you have to de-select things on the 'ICMP' tab and then create firewall rules for what you want to allow.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob.  I have learned much from you