
Web Filtering with URL Only

Hi!


I am testing Sophos UTM in a VM before buying the hardware to run it. I have already used Sophos UTM before for a customer with SG230s. So everything is working fine; I have my IPS, firewall, NAT, etc. Then I arrived at the web filter. I created a default rule, then set HTTPS to URL only. No SSL inspection/scanning.


The problem: every time I test a blocked website, my AV always tells me that there is an untrusted certificate, which is the UTM Proxy CA.


Is there a way (without having to import the certificate) to have only URL filtering? I remember that I can do this on some other brand of firewall, and I remember that when I used it for a customer, there was no problem with the certificate. The thing is that my computers are not in a domain, and when mobile devices or guest devices are connected, I don't want them to see any certificate error, just get the website blocked by URL filtering.


Thanks



  • No, I do not think there is any way to configure UTM to do what you want. I do not think most sites would be happy with the result.

    IPS blocks effectively simulate what you want, because they block the reply without the browser's knowledge. When comparing my IPS logs to my webfilter logs, I noticed that the difference in timestamps could be up to two minutes, which seems to be the amount of time required for the browser to time out. The problem with silent blocks is that the user will see a lot of delay.

    If you are blocking Web Ads, as I do, those timeouts will occur even on sites that can display acceptably with blocked ads.

    After the timeout occurs, the user sees a "page cannot be displayed" error, which does nothing to tell them why. I do not see an advantage for "page cannot be displayed" as an alternative to "certificate cannot be trusted". The latter option will be displayed more quickly, and if the user clicks through the warning (as I suspect most house guests will do), the block page explains the reason.

    Given that the product is built for business, and free to home users, I do not expect that a feature request will do much good.

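The two behaviours the reply contrasts can be told apart from the client side. The following Python probe is an added example, not part of the original thread and not code from Sophos: it attempts a verified TLS handshake to a host and classifies what it observes. A web filter in HTTPS "URL only" mode answers with a block page under its own Proxy CA, so a client that has not imported that CA gets a certificate verification failure almost at once; an IPS drop produces no reply at all, so the client only learns something when its own timeout fires. The host names, the timeout and the constructed exceptions in `sample_outcomes()` are assumptions made for the example.

```python
"""Client-side probe (added example, not the thread's or Sophos' code):
classify what a client sees when an HTTPS site is handled by a UTM.

  * Web filter, HTTPS "URL only": the proxy completes the TLS handshake with
    its own Proxy CA certificate and serves a block page, so a client without
    that CA fails verification within a fraction of a second.
  * IPS block: the reply is silently dropped, so the client waits for its
    own timeout and then reports "page cannot be displayed".

Host names and the timeout are assumptions made for this example.
"""
import socket
import ssl
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    outcome: str    # "ok", "untrusted_cert", "silent_timeout", "refused" or "other"
    elapsed: float  # seconds until the outcome was known
    detail: str     # short explanation for whoever reads the log


def classify(exc: Optional[BaseException], elapsed: float) -> ProbeResult:
    """Map the result of a TLS connection attempt (``exc`` is None on success)
    onto the behaviours discussed in the thread."""
    if exc is None:
        return ProbeResult("ok", elapsed, "handshake completed against a trusted chain")
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL's reason string (e.g. "self-signed certificate in certificate
        # chain") is exposed on the exception by the ssl module since 3.7;
        # a manually constructed exception may lack it, so fall back to str().
        reason = getattr(exc, "verify_message", None) or str(exc)
        return ProbeResult("untrusted_cert", elapsed,
                           f"certificate rejected ({reason}): a proxy such as the "
                           f"UTM web filter presented its own certificate, i.e. a block page")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ProbeResult("silent_timeout", elapsed,
                           "no reply before the timeout: consistent with an IPS drop; "
                           "the user waits and then gets a generic browser error")
    if isinstance(exc, ConnectionRefusedError):
        return ProbeResult("refused", elapsed, "TCP connection refused by the peer")
    return ProbeResult("other", elapsed, f"{type(exc).__name__}: {exc}")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Attempt a fully verified TLS handshake to ``host`` with the system trust
    store. The SNI (``server_hostname``) travels in the clear, which is what a
    URL-only filter relies on to decide about a site without decrypting it."""
    ctx = ssl.create_default_context()
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # chain already verified by the context
        return classify(None, time.monotonic() - start)
    except (OSError, ssl.SSLError) as exc:
        # Covers SSLCertVerificationError, socket.timeout, ConnectionRefusedError
        # and name-resolution failures alike; classify() sorts them out.
        return classify(exc, time.monotonic() - start)


def sample_outcomes() -> dict:
    """Constructed exceptions standing in for the situations above, so the
    classifier can be exercised without any network access."""
    scenarios = {
        "url_only_block_page": ssl.SSLCertVerificationError("certificate verify failed"),
        "ips_silent_drop": socket.timeout("timed out"),
        "port_closed": ConnectionRefusedError(111, "Connection refused"),
        "allowed_site": None,
    }
    return {name: classify(exc, 0.0).outcome for name, exc in scenarios.items()}


if __name__ == "__main__":
    # Placeholder hosts: substitute one site the filter should block and one it
    # should allow, then compare the outcome and elapsed columns.
    for host in ("blocked.example", "allowed.example"):
        r = probe(host)
        print(f"{host:20} {r.outcome:16} {r.elapsed:6.2f}s  {r.detail}")
```

Run it from a client that has not imported the UTM Proxy CA and compare the `elapsed` column: an `untrusted_cert` result arrives in well under a second, while a `silent_timeout` result takes the full timeout you configured, which is the delay the reply describes users hitting on IPS-blocked sites.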