Hi all,
I hope someone can shine a light on this.
Yesterday, we suddenly got complaints that some users weren't able to access youtube anymore. It was blocked by category Streaming Media.
Indeed, in the Base policy this category is blocked. But a lot of users are member of an AD group that is attached to a different policy with a filtering action that allows streaming media.
in the logging we see 2 different things;
A lot of correct entries where a username, group and ad_domain is listed correctly. Depending on the membership that user is granted or denied access to e.g. youtube. In this example the user is denied access because he is not member of that particular AD group. So SSO works fine here.
But also a lot of incorrect entries that have statuscode of 407 or 403 and no username, group and ad_domain listed. example:
2021:06:21-13:52:56 dtc-utm1 httpproxy[6027]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.xxx.xxx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3171" request="0x10b7c700" url="">https://youtube.com/" referer="" error="" authtime="1" dnstime="0" aptptime="62" cattime="24341" avscantime="0" fullreqtime="328158" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"
Btw, I see also a lot of entries where users access youtube and it is tagged as an application (So Application Control is handling those requests)
This issue is happening on both our Default webfilter profile (used with our Citrix environment) and our transparent mode proxy (used to get internet access outside our citrix environment in the office). As the username etc. isn't found, I assume this is a SSO issue right? I tested SSO in the UTM and used the policy helpdesk, these were all fine, no problems overthere.
We had this issue some time ago and it was also solved by itself. I don't know what happened, but it looks like some kind of bug?!
Or has this something to do with conflicting policies / application control / misconfiguration?
Our version is Sophos UTM 9.705-7.
Thanks in advance!
regards,
Wouter
This thread was automatically locked due to age.
