This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Unexpected Web Filter Profile Use

I have endpoints in a network group in a web profile that are hitting the default web profile. Specifially, I have endpoints in a host group called Recruiter TLS Inspection that is in Standard mode that have hosts hitting the Default Web Filtering Profile that is in Transparent mode. Not all requests are hitting the default profile. I have our LAN network in the allowed networks for the Default Web Filter Profile. Have I misconfigured something or is this expected behavior that I'm ignorant of?



This thread was automatically locked due to age.
Parents
  • For one of the endpoints, Ryan, copy here a line from the Web Filtering log showing the IP going through the Standard profile and one going through the default.  Also pictures of those Profiles.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I figured someone would ask for that, and I still didn't attach them.

    Here is the policy they're in.

    Confirmation of host group membership:

    Web filter log entry showing the same IP address hitting different web filter profiles:

    2021:06:11-09:59:24 httpproxy[5989]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcc9b5800" url="">https://xxx/" referer="" error="" authtime="0" dnstime="89" aptptime="161" cattime="156" avscantime="0" fullreqtime="1063" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"
    2021:06:11-09:59:27 httpproxy[5989]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaProduNetwo (Recruiter TLS Inspection)" filteraction="REF_HttCffRecruiters (Recruiters)" size="2478" request="0xc8456700" url="">https://xxx/" referer="" error="Host not found" authtime="0" dnstime="35154" aptptime="172" cattime="205" avscantime="0" fullreqtime="280272" device="0" auth="0" ua="standBy/10041.5.2021.508" exceptions="ssl,certcheck,certdate" category="197" reputation="trusted" categoryname="Web Meetings"
    2021
    Default profile configuration:
Reply
  • I figured someone would ask for that, and I still didn't attach them.

    Here is the policy they're in.

    Confirmation of host group membership:

    Web filter log entry showing the same IP address hitting different web filter profiles:

    2021:06:11-09:59:24 httpproxy[5989]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcc9b5800" url="">https://xxx/" referer="" error="" authtime="0" dnstime="89" aptptime="161" cattime="156" avscantime="0" fullreqtime="1063" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"
    2021:06:11-09:59:27 httpproxy[5989]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.106" dstip="x.x.x.x" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaProduNetwo (Recruiter TLS Inspection)" filteraction="REF_HttCffRecruiters (Recruiters)" size="2478" request="0xc8456700" url="">https://xxx/" referer="" error="Host not found" authtime="0" dnstime="35154" aptptime="172" cattime="205" avscantime="0" fullreqtime="280272" device="0" auth="0" ua="standBy/10041.5.2021.508" exceptions="ssl,certcheck,certdate" category="197" reputation="trusted" categoryname="Web Meetings"
    2021
    Default profile configuration:
Children
  • How about a pic of the Recruiters Profile?

    Are the dstip and the url identical in both log lines?  Do all of the accesses handled by the Default have size="0" in the log line?

    Strange that the FQDN seems to be resolved differently by the user's PC and the UTM.  How does your config compare to DNS best practice?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The firewall DHCP server sets our primary and secondary domain controllers with the DNS role as DNS server 1 and 2 respectively. Root hint servers are turned off and the forwarder is set as the firewall for both DNS servers. Allowed networks is populated with the host definition of both domain controllers. No forwarders are configured in the firewall DNS server so it reaches out to the root servers. Workstation -> DC 1 or 2 -> firewall -> root servers is the path. The log shows access to two different services. The first long entry is a web page and the second log entry is video conferencing.

  • OK, so it's not a DNS issue.  Please replace the two log lines in your 4pm post yesterday with ones that give us a better idea of what was happening.   Obfuscate IPs like 192.168.x.21 and 98.x.y.131 and, similarly, other elements you don't want to completely expose.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA