Web filtering suddenly blocks everything!

Question

Hi, 
 
 Firmware : 9.705-3 
 My UTM suddenly blocks all internet traffic. It took me some time to pinpoint the problem to the web filtering module. Disabling web filtering fixes the problem. 
 I have no experience with live log reading but I cant really see what causes the issue. 
 Anyone has any ideas ? 
 Live log below was captured when a url was tested on policy helpdesk.. 
 
 2021:01:09-11:17:43 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="early_scr_scanner.c" line="783" message="server 'cffs14.astaro.com' access time: 488ms"
2021:01:09-11:17:43 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="early_scr_scanner.c" line="783" message="server 'cffs15.astaro.com' access time: 888ms"
2021:01:09-11:17:44 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_check_servers" file="early_scr_scanner.c" line="783" message="server 'cffs16.astaro.com' access time: 790ms"
2021:01:09-11:17:45 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scanner_init" file="saviscanner.c" line="521" message="Successfully loaded SAVI threat data, engine 3.80.1, threat data 5.80 from 1/12/2020 (57338572 detected threats)"
2021:01:09-11:17:45 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="libnavl_log" file="navl_externals_posix.c" line="43" message="E: InitInstance: Error initializing instance of plugin HPACK_UTIL"
2021:01:09-11:17:45 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="356" message="notifiying argos daemon"
2021:01:09-11:17:45 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="362" message="finished startup"
2021:01:09-11:17:45 sophos httpproxy[13265]: Integrated HTTP-Proxy (c) 2007-2016 Sophos Ltd, Release 266.gd33137cb.rb3
2021:01:09-11:17:46 sophos httpproxy[13265]: [tid 4021934960]: [aptp_connect]: aptp socket connect succeeded
2021:01:09-11:17:55 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="sc_log" file="early_scr_scanner.c" line="1050" message="Signed databases are required and no signature founnd on incremental file: /var/pattern/tscontrol/tscontrol.96135"
2021:01:09-11:21:11 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5711100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:13 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5711800" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:15 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5740700" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:17 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5741500" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:19 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5742300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:21 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5743100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:23 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5743800" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:25 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc584ee00" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:28 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc578e700" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:30 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5790300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:32 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5791100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:34 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5897500" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:36 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc57ce300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:38 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc57cf100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:40 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5609500" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:42 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc560a300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:44 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc560b100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:47 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc560b800" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:49 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc56dc300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:51 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc56dd100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:53 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc570e000" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:55 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc570ee00" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:57 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc570fc00" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:21:59 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5711100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:02 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5711800" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:04 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5741500" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:06 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5742300" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:08 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5743100" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:10 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc5743800" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"
2021:01:09-11:22:10 sophos httpproxy[13265]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="127.0.0.1" dstip="" user="" group="" ad_domain="" statuscode="404" cached="0" profile=" ()" filteraction=" ()" size="2635" request="0xc5743800" url="http://passthrough.fw-notify.net/policytest/191090" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="483" device="0" auth="0" ua="libwww-perl/6.05" exceptions=""
2021:01:09-11:22:39 sophos httpproxy[13265]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xc578ee00" function="p0f_add_request" file="p0f-client.c" line="286" message="requset auth: profile is null, using AUTH_NONE"

GeneC1 · Accepted Answer

We started seeing this on ~15 UTMs Friday. I'm not sure if support ever got back to us with an answer. From what I can tell, it's bad incremental categorization database updates. This will happen if your DB mode is not "none" (query server every time). 
 The only way I've seen that allows us to check mode is this: 
 cc get http sc_local_db; cc get http use_sxl_urid 
 And for the affected systems, the database was generally "mem" or "disk". To fix it, I did the following: 
 cc set http sc_local_db none; cc set http use_sxl_urid 1 
 The second command enables the sxl uri system which I've heard called hybrid since it is more responsive than none by caching results but doesn't use up as much disk/RAM space. 
 Calling "cc" (aka confd-client.plx) requires root shell access which carries the obligatory warranty/support warning.

Web filtering suddenly blocks everything!

Top Replies