Unexpected Web Filter Profile Use

I have endpoints in a network group in a web profile that are hitting the default web profile. Specifically, I have endpoints in a host group called Recruiter TLS Inspection that is in Standard mode that have hosts hitting the Default Web Filtering Profile that is in Transparent mode. Not all requests are hitting the default profile. I have our LAN network in the allowed networks for the Default Web Filter Profile. Have I misconfigured something or is this expected behavior that I'm ignorant of?



my post was missing an article
[edited by: Ryan Miller2 at 2:17 PM (GMT -7) on 10 Jun 2021]
  • For one of the endpoints, Ryan, copy here a line from the Web Filtering log showing the IP going through the Standard profile and one going through the default.  Also pictures of those Profiles.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I figured someone would ask for that, and I still didn't attach them.

    Here is the policy they're in.

    Confirmation of host group membership:

    Web filter log entry showing the same IP address hitting different web filter profiles:

    2021:06:11-09:59:24 httpproxy[5989]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcc9b5800" url="https://xxx/" referer="" error="" authtime="0" dnstime="89" aptptime="161" cattime="156" avscantime="0" fullreqtime="1063" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"
    2021:06:11-09:59:27 httpproxy[5989]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaProduNetwo (Recruiter TLS Inspection)" filteraction="REF_HttCffRecruiters (Recruiters)" size="2478" request="0xc8456700" url="https://xxx/" referer="" error="Host not found" authtime="0" dnstime="35154" aptptime="172" cattime="205" avscantime="0" fullreqtime="280272" device="0" auth="0" ua="standBy/10041.5.2021.508" exceptions="ssl,certcheck,certdate" category="197" reputation="trusted" categoryname="Web Meetings"
    Default profile configuration:
  • How about a pic of the Recruiters Profile?

    Are the dstip and the url identical in both log lines?  Do all of the accesses handled by the Default have size="0" in the log line?

    Strange that the FQDN seems to be resolved differently by the user's PC and the UTM.  How does your config compare to DNS best practice?

    Cheers - Bob

  • The firewall DHCP server sets our primary and secondary domain controllers with the DNS role as DNS server 1 and 2 respectively. Root hint servers are turned off and the forwarder is set as the firewall for both DNS servers. Allowed networks is populated with the host definition of both domain controllers. No forwarders are configured in the firewall DNS server so it reaches out to the root servers. Workstation -> DC 1 or 2 -> firewall -> root servers is the path. The log shows access to two different services. The first long entry is a web page and the second log entry is video conferencing.

  • OK, so it's not a DNS issue.  Please replace the two log lines in your 4pm post yesterday with ones that give us a better idea of what was happening.   Obfuscate IPs like 192.168.x.21 and 98.x.y.131 and, similarly, other elements you don't want to completely expose.

    Cheers - Bob

  • 1) Transparent Mode profiles will also act as Standard Mode profiles, so it is important that the Standard-Mode-only profiles have higher priority. Since you see intermittent results, this is probably not the cause. But since it is not well documented, it is worth mentioning.

    2) In my network, there is a lot of web traffic that is not generated by a web browser, and consequently does not use the system proxy. Windows Update, Adobe Updater, Java Updater, Antivirus updater, Fat-Client applications based on web technology, and probably some others that escape my recollection. The non-browser web traffic worked out to about 50% of my total web traffic. Ever since that study, I have been using Standard Mode with A/D SSO, and Transparent Mode with No Authentication. I would expect that you have similar applications, and they are causing your mixed-mode results.

  • I had noticed that traffic hitting the default web filter was non-browser based. Your explanation makes sense.
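A quick way to confirm the explanation above on your own logs is to group the httpproxy Web Filtering entries by source IP and profile, and check how many of the requests that landed on the Transparent-mode default profile carry an empty `ua` (a sign of non-browser traffic that ignores the system proxy). The script below is an added example, not part of this thread or of Sophos UTM; the log lines in it are constructed to match the format shown above, with placeholder IPs and hosts.

```python
import re
from collections import defaultdict

# Constructed sample lines in the UTM httpproxy key="value" format shown in the thread.
# Addresses and hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
2021:06:11-09:59:24 httpproxy[5989]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.106" dstip="203.0.113.10" user="" group="" statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" url="https://example.invalid/" ua="" category="9998"
2021:06:11-09:59:27 httpproxy[5989]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.106" dstip="203.0.113.11" user="" group="" statuscode="502" profile="REF_HttProContaProduNetwo (Recruiter TLS Inspection)" filteraction="REF_HttCffRecruiters (Recruiters)" size="2478" url="https://meet.example.invalid/" ua="standBy/10041.5.2021.508" category="197"
2021:06:11-10:02:01 httpproxy[5989]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.50" dstip="203.0.113.12" user="jdoe" group="staff" statuscode="200" profile="REF_HttProContaProduNetwo (Recruiter TLS Inspection)" filteraction="REF_HttCffRecruiters (Recruiters)" size="5120" url="http://www.example.invalid/" ua="Mozilla/5.0" category="100"
"""

# Matches each key="value" pair; values never contain a double quote in this format.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key/value fields of one httpproxy log line as a dict."""
    return dict(FIELD_RE.findall(line))


def profile_usage(log_text):
    """Count, per source IP and web filter profile, all requests and those with an empty ua."""
    usage = defaultdict(lambda: defaultdict(lambda: {"total": 0, "no_ua": 0}))
    for line in log_text.splitlines():
        if "httpproxy[" not in line:
            continue  # skip anything that is not a Web Filtering entry
        fields = parse_line(line)
        if "srcip" not in fields or "profile" not in fields:
            continue  # malformed or truncated line
        counts = usage[fields["srcip"]][fields["profile"]]
        counts["total"] += 1
        if not fields.get("ua"):
            counts["no_ua"] += 1
    return usage


def mixed_profile_hosts(usage):
    """Return hosts seen under more than one profile, with the share of ua-less requests per profile."""
    result = {}
    for srcip, profiles in usage.items():
        if len(profiles) > 1:
            result[srcip] = {p: c["no_ua"] / c["total"] for p, c in profiles.items()}
    return result


if __name__ == "__main__":
    for srcip, shares in mixed_profile_hosts(profile_usage(SAMPLE_LOG)).items():
        for profile, share in shares.items():
            print(f"{srcip}  {profile}: {share:.0%} of requests had no User-Agent")
```

Run it over an export of the Web Filtering log; a host whose default-profile requests are almost all ua-less while its Standard-profile requests carry a browser User-Agent matches the non-browser-traffic explanation.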