Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 5 subscribers
  • Views 3576 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Filtering with URL Only

Christian Briere

Hi!

 

I am testing Sophos UTM in a VM, before buying the hardware to run it. I already used before Sophos UTM for a customer having SG230s. So, Everything is working fine, I got my IPS, firewall, NAT, etc.. Arrived to the web filter. I did a default rule then set HTTPS to url only. No SSL Inspection/scanning.

 

THe problem, everytimes I test a blocked website, my AV always telling me that there is an untrusted certificate, which is the UTM Proxy CA.

 

Is there a way, (without having to import the certificate) to have only URL filtering? I remember that I I can do this on some other brand firewall, and I remember that when I used it for a customer, there was no problem with the certificate. The thing is that my computers are not in a domain, or when mobile device or guest device are connected, I don't want them to see any certificate error, just get the website blocked by URL filtering.

 

Thanks



This thread was automatically locked due to age.
  • +1

    No, I do not think there is any way to configure UTM to do what you want.   I do not think most sites would be happy with the result.

    IPS blocks effectively simulate what you want, because they block the reply without the browser's knowledge.   When comparing my IPS logs to my webfilter logs, I noticed that the difference in timestamps could be up to two minutes, which seems to be the amount of time required for the browser to time out.   The problem with silent blocks is that the user will see a lot of delay.

    If you are blocking Web Ads, as I do, those timeouts will occur even on sites that can display acceptably with blocked ads.

    After the timeout occurs, the user sees a "page cannot be displayed" error, which does nothing to tell them why.   I do not see an advantage for "page cannot be displayed" as an alternative to "certificate cannot be trusted".   The latter option will be displayed more quickly, and if the user clicks through the warning (as I suspect most house guests will do), the block page explains the reason.

    Given that the product is built for business, and free to home users, I do not expect that a feature request will do much good.

  • 0

    No option currently.

    If UTM/SG block a HTTPS page these Block-page use the same Name and must use HTTPS too.

    So the Proxy-CA has to sign the blockpage.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • 0

    Thanks for the reply. I thought maybe the UTM was able to do SNI (server name indication) before the certificate is queried between browser and web server.

    Or any blacklist using categories before, as a workaround.

    Thanks again. I could maybe use open dns for that kind of block. The utm is doing very fine for all the other options, i am happy of it

  • 0 in reply to Christian Briere

    Please be aware that UTM filters on whatever portion of the URL it is able to see.   For http websites, and for https websites with inspection enabled, different portions of a website may be assigned to different categories.

    If DNS block is implemented as a NXDOMAIN result (no IP address), the block will be detected immediately. 

    However, if the DNS block is implemented as a redirect to a block message, you will have the certificate problem all over again, when the requested URL uses https protocol.

     

  • 0

    When the UTM blocks, it wants to display a block page to tell the user what it is doing and why.  Therefore it must do man-in-the-middle and sign the block page with its own certificate.

    The XG product has another option, that if HTTPS scanning is off and the request should be blocked that it just drops the connection.  That way the browser will not get an error about certificates, however it may display errors about "cannot connect".

     

Unfiltered HTML