Can't Access Specific Website

Question

Masters! 
 There's a specific website that I can't access. But I can access it when bypassing Sophos FW. 
 2020:11:23-07:27:40 utm httpproxy[1587]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.26.46.9" dstip="203.177.229.122" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_HttProContaInterNetwo (Allow All)" filteraction="REF_HttCffAllow (allow)" size="517" request="0xd3c34700" url=" ">www.eastwestbanker.com/" referer="" error="Connection timed out" authtime="0" dnstime="102914" aptptime="483" cattime="44162" avscantime="0" fullreqtime="127336388" device="0" auth="0" ua="" exceptions="sandbox,ssl,certcheck,certdate" category="114" reputation="neutral" categoryname="Finance/Banking" 
 
 2020:11:23-07:27:40 utm httpproxy[1587]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="172.26.46.9" dstip="203.177.229.122" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_HttProContaInterNetwo (Allow All)" filteraction="REF_HttCffAllow (allow)" size="517" request="0xda86aa00" url=" ">www.eastwestbanker.com/" referer="" error="Connection timed out" authtime="0" dnstime="103014" aptptime="429" cattime="44316" avscantime="0" fullreqtime="127336458" device="0" auth="0" ua="" exceptions="sandbox,ssl,certcheck,certdate" category="114" reputation="neutral" categoryname="Finance/Banking" 
 
 2020:11:23-07:38:52 utm httpproxy[1587]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="172.26.46.9" dstip="203.177.229.122" user="" group="" ad_domain="" statuscode="504" cached="0" profile="REF_HttProContaInterNetwo (Allow All)" filteraction="REF_HttCffAllow (allow)" size="0" request="0xd6b27100" url=" ">www.eastwestbanker.com/" referer="" error="Connection to server timed out" authtime="0" dnstime="261398" aptptime="109" cattime="144" avscantime="0" fullreqtime="61113784" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) QtWebEngine/5.15.1 Chrome/80.0.3987.163 Safari/537.36" exceptions="sandbox,ssl,certcheck,certdate" category="114" reputation="neutral" categoryname="Finance/Banking" 
 
 Can you help me find the cause of this? 
 
 Thank you!

BAlfson · Answer

Musta Randolf and welcome to the UTM Community! 
 Guys, the hint in the log lines is statuscode="50?" - the server doesn't "like" our Proxy. If adding an Exception for Antivirus doesn't resolve this problem, the only solution is to skip the Proxy. 
 Also, the folks at eastwestbanker.com might need to fix their authoritative name server entries. www.eastwestbanker.com resolves to 210.1.80.122 (a single A record), but both that IP and 203.177.229.122 have rDNS records pointing at www.eastwestbanker.com. I don't claim to be a student of DNS functionality, but if there's a reason to configure that way, it's unknown to me. Maybe some workaround for some sloppy coding of their website??? 
 Cheers - Bob

BAlfson · Answer

OK, it's gotta be a DNS issue. www.eastwestbanker.com now resolves to 58.71.116.122, not to the IP listed in your log line. For some reason, your UTM and your desktop are getting different name resolution for that FQDN. Does clearing the DNS cache on your desktop resolve this? If not, please compare your configuration to DNS best practice . 
 Cheers - Bob NOTE a few minutes later: Yuck, I see the problem now, the A record for that FQDN has a TTL of 30 seconds. That's not something I would expect a legitimate company to do. All you can do is ping that FQDN, note the IP, clear your DNS cache, wait for thirty seconds and start over. Once you have a list of all possible IPs, make a Host for each IP, put the Hosts in a Network Group and put that group in the Destination list - no point in having it in the Source list. Let us know!

Can't Access Specific Website

Top Replies