Webpages are not showing correctly - UTM in transparent mode

Question

Hi, 
 We currently have a Sophos UTM SG330 cluster. 
 We are in the process of setting up web content filtering and have run into some issues by where certain webpages don't display correctly. - The sites appear to have lots of their graphic content striped from the site, even though the site is on the allow list. I'm not sure if it specific to flash based content or content being pulled from external sources from other sites. 
 We are on the most up-date available firmware version, which we recently updated to. 
 The UTM is in transparent mode and most sites appear correctly. 
 Any help would be much appreciated. 
 Regards, 
 Daniel.

harrisonpensa · Accepted Answer

If using transparent proxy, I have found that if you use "WARN" in any of the categories within your policy filter action it can create this issue. This is particularly true if you use WARN for Uncategorized Websites. 
 When a category group is set to WARN, when a user first goes to a warned page, they get the option to proceed. That works fine but if the resulting page has content that comes from other "warned" sites, then the web page breaks and of course, there is no option to proceed with content on the page. I think this is more problematic on iFrame pages as well. 
 Essentially, this makes the WARN option pretty much useless. Some sites will work and many others will not work. 
 Also, this can break applications (non-browser applications) that use http/https to connect to outside servers. The applications will stop working with WARN selected. I would say if you have any categories set to WARN or if you have set Uncategorized to WARN, that is what is causing the problem. 
 I am not sure how to get around this or how Astaro can get around this issue. The WARN option was added not all that long ago and I think it is a work in progress.

mod2402 · Answer

Hi there, This is the same behavior as I've descriped in the german forum. These warnings are comming up in the backround. You can't see it in the browser and you can't klick on proceed. community.sophos.com/.../google-maps---satellitenbilder---unscharf-flackern-laden-schlagt-fehl For every Link that is blocked or warned in the backround you must create URL Filter Exceptions. Example from german forum: The client has some Problems with google maps. In the webfilter log you can see some warnings for following urls: url=" khms0.google.com/.../v=717 url=" khms1.google.com/.../v=717 These two servers are not categorized yet and in the filter action is configured, warning for all sites that are not categorized. Solution: Create a new Exception with "Skip URL Filter" and "matching these URLs" -> ^ https://khms.\.google.com This Regex matches all servers with name kms0-9, khmsa-z, khms- .... With this Exception, google maps is working without any issue. You should create such Exceptions for all URLs that are blocked / warned in the backround. You find all these URLs in the webfilter log. regards mod

BLS · Answer

There is another thread which explains the root cause of the issue. 
 I've spent some time trying to work out what is going on, and from what I can tell it's down to a DNS issue. 
 Part of the problem is when images are held on img.abc123.com, and the main web-site is on www.abc123.com . 
 The HTTP server doesn't always for unknown reasons resolve the DNS for the img.abc123.com site, if you search through your HTTP.log file, have a look for "retransmitting" 
 2016:04:21-12:03:37 phobos httpproxy[16820]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query cdad (safebrowsing-cache.google.com) timed out, retransmitting (retry 1)" 
 2016:04:21-12:03:47 phobos httpproxy[16820]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 2383 (safebrowsing-cache.google.com) timed out, retransmitting (retry 1)" 
 2016:04:21-13:25:27 phobos httpproxy[16820]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="dns_expire" file="dns.c" line="195" message="dns query 92ed (www.ebay.co.uk) timed out, retransmitting (retry 1)" 
 This is not only affecting the transparent proxy, but also general DNS lookups if you are using the UTM as your DNS Server. 
 The problem is a lot worse on a Mac than on a Windows PC, just down to how the Mac handles DNS timeouts and the safari DNS caching - it will remember that it didn't get a reply to a DNS request for a site for a period of time, therefore you get page cannot be displayed. 
 Basically, the machine is requesting the web-page, then told where the images are, the DNS resolution doesn't work for the images and the page displays how you are seeing it. 
 Windows will recover at the press of the reload button, but you will have to wait for Mac OS X before the page will load again.