Masters!
There's a specific website that I can't access. But I can access it when bypassing Sophos FW.
This thread was automatically locked due to age.
Masters!
There's a specific website that I can't access. But I can access it when bypassing Sophos FW.
Musta Randolf and welcome to the UTM Community!
Guys, the hint in the log lines is statuscode="50?" - the server doesn't "like" our Proxy. If adding an Exception for Antivirus doesn't resolve this problem, the only solution is to skip the Proxy.
Also, the folks at eastwestbanker.com might need to fix their authoritative name server entries. www.eastwestbanker.com resolves to 210.1.80.122 (a single A record), but both that IP and 203.177.229.122 have rDNS records pointing at www.eastwestbanker.com. I don't claim to be a student of DNS functionality, but if there's a reason to configure that way, it's unknown to me. Maybe some workaround for some sloppy coding of their website???
Cheers - Bob
Yes, so we need to look at the Edits of the "Eastwest" and "eastwest2" definitions with the 'Advanced' section open.
Cheers - Bob
Hmmm - that should work. Are you certain that you don't have your browser set for explicit proxy? If Web Filtering in Transparent mode sees an access to it from a browser configured to use it explicitly, Web Filtering will respond as if it were in Standard mode. How about a picture of your LAN Settings as below or the equivalent for the browser you're using?
Cheers - Bob
And you're still seeing www.eastwestbanker.com in theWeb Filtering log? What are we not seeing?
Cheers - Bob
You're still seeing www.eastwestbanker.com in the Web Filtering log?
Cheers - Bob
Yes Sir.
OK, it's gotta be a DNS issue. www.eastwestbanker.com now resolves to 58.71.116.122, not to the IP listed in your log line. For some reason, your UTM and your desktop are getting different name resolution for that FQDN. Does clearing the DNS cache on your desktop resolve this? If not, please compare your configuration to DNS best practice.
Cheers - Bob
NOTE a few minutes later: Yuck, I see the problem now, the A record for that FQDN has a TTL of 30 seconds. That's not something I would expect a legitimate company to do. All you can do is ping that FQDN, note the IP, clear your DNS cache, wait for thirty seconds and start over. Once you have a list of all possible IPs, make a Host for each IP, put the Hosts in a Network Group and put that group in the Destination list - no point in having it in the Source list. Let us know!
I haven't tried the following, Randolf, but I think it should work to get a list of IPs:
zgrep 'www\.eastwestbanker\.com' /var/log/http/2020/12/* |grep -oP 'dstip=".*?"' |sort -n |uniq -c
Any luck with that?
Cheers - Bob