
Web filtering issues since 9.4 update, home license and box, HTTPS traffic

Hey all,

I wonder if anyone else is experiencing similar issues since last upgrade to 9.402-7.

Simply put, on many sites with HTTPS I have a long delay when opening the site; sometimes it just times out, often it says that DNS could not resolve it, and sometimes the site loads in a broken state (parts missing, distorted etc). It seems to be like that for 2-3 refreshes, then it eventually loads. It happens for many different sites on 3 different computers in my household, and the common thing is that we use Chrome. But when I disable Web Filtering on the UTM it all magically starts working quickly and with no problems?...

Is there a known problem with Web Filtering, or is there a configuration change somewhere I am not aware of?

Any help would be appreciated.



  • I need some details on your configuration, such as:

    1 - DNS Settings.

    2 - Web Filtering settings, items such as pharming protection, HTTPS scanning.

    Is the DNS error a browser error, or a UTM error?

    Tim Grantham

    Enterprise Architect & Business owner

  • Hi,

    LAN uses UTM as DNS. UTM passes queries to DNS group which contains 2 servers.

    Web Filtering uses Transparent Mode, HTTPS is not scanned in Transparent Mode (option not ticked). "Pharming protection"? First time heard here. What is it, where is it? Is it something new in 9.4?

    Also, the whole point is that it is all gone when web filtering is turned off. Secondly, the setup has been working correctly for around 1.5 years. It started after I upgraded to 9.4 a few days ago. It is NOT just DNS, it is about slow loading sites, where parts of them are missing for longer, or need refreshing, sometimes many times. Distinctive is a message which seems to sit in the Chrome status bar for a long time, "Establishing secure connection", while loading the page. It might be misleading though, as it could be for example Sophos page classification in the background stalling or anything else.

    Thanks.

  • Hello All,

    I found a problem :)

    So it is mentioned above: "Pharming protection". I found it now. It is something new in 9.4, isn't it? It was turned on and I don't remember it at all. Anyway, turning it off fixed my issue.

    This begs a question. Is this thing working correctly? Does anyone else report similar problems with it? Were there any problems with it at the development stage? Why is it on by default at the firmware upgrade stage...?

  • How is your DNS configuration - are you using DNSSEC validation? I've noticed that if a DNS server doesn't support DNSSEC then the Pharming protection can cause these kinds of issues.

    Tim Grantham

    Enterprise Architect & Business owner

  • Well, nope. I don't use DNSSEC validation.

    Again, to confirm that disabling "Pharming" sorted out the problem. It is a new thing, and there is not even an entry for it in the online help.
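A simplified model of the kind of check discussed in this thread, added here as an illustration and not Sophos code. It assumes (the thread does not say how the feature is implemented) that a pharming check re-resolves the requested host on the proxy and compares the answer with the address the client actually connected to. The addresses below are constructed and show why a rotating CDN answer set trips a naive comparison, while a TTL-scoped cache of every answer the proxy has seen still blocks a destination the zone never returned:

```python
import ipaddress
from typing import Dict, Iterable


class AnswerCache:
    """Remembers every address the proxy resolved for a name until its TTL expires."""

    def __init__(self) -> None:
        self._seen: Dict[str, Dict[ipaddress.IPv4Address, float]] = {}

    def record(self, name: str, answers: Iterable[str], ttl: int, now: float) -> None:
        entry = self._seen.setdefault(name, {})
        for a in answers:
            ip = ipaddress.ip_address(a)
            entry[ip] = max(entry.get(ip, 0.0), now + ttl)  # keep the latest expiry

    def is_known(self, name: str, dst: str, now: float) -> bool:
        expires = self._seen.get(name, {}).get(ipaddress.ip_address(dst), 0.0)
        return expires > now


def naive_verdict(client_dst: str, proxy_answers_now: Iterable[str]) -> str:
    """Block unless the client's destination is in the proxy's *current* answer set."""
    current = {ipaddress.ip_address(a) for a in proxy_answers_now}
    return "allow" if ipaddress.ip_address(client_dst) in current else "block"


def cached_verdict(cache: AnswerCache, name: str, client_dst: str,
                   proxy_answers_now: Iterable[str], ttl: int, now: float) -> str:
    """Record the fresh answer, then allow if the destination was a valid answer within TTL."""
    cache.record(name, proxy_answers_now, ttl, now)
    return "allow" if cache.is_known(name, client_dst, now) else "block"


# Constructed scenario (not from the thread): a CDN-fronted host with a
# rotating address pool and a 30 s TTL, using documentation ranges only.
NAME = "www.example.com"
CDN_ANSWERS_T0 = ["203.0.113.10", "203.0.113.11"]   # what the proxy resolved at t=0
CDN_ANSWERS_T20 = ["203.0.113.11", "203.0.113.12"]  # pool has rotated by t=20
CLIENT_DST = "203.0.113.10"   # client resolved near t=0 and is still connecting here
ROGUE_DST = "198.51.100.7"    # never returned for the name: real pharming-style mismatch


def run_scenario() -> Dict[str, str]:
    cache = AnswerCache()
    cache.record(NAME, CDN_ANSWERS_T0, ttl=30, now=0)
    return {
        "naive_cdn": naive_verdict(CLIENT_DST, CDN_ANSWERS_T20),  # false positive on a legit site
        "cached_cdn": cached_verdict(cache, NAME, CLIENT_DST, CDN_ANSWERS_T20, 30, 20),
        "naive_rogue": naive_verdict(ROGUE_DST, CDN_ANSWERS_T20),
        "cached_rogue": cached_verdict(cache, NAME, ROGUE_DST, CDN_ANSWERS_T20, 30, 20),
        "cached_stale": cached_verdict(cache, NAME, CLIENT_DST, CDN_ANSWERS_T20, 30, 100),
    }
```

The naive variant blocks (or, in a proxy, stalls) the legitimate connection exactly when the client's and the proxy's resolvers return different members of the same pool, which is the symptom pattern reported above; the cached variant tolerates that while still blocking an address the name never resolved to.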

  • Are the users here still having this issue? I've been having issues since around this upgrade with SSL connections if 'Web Filtering' is turned off. Which is very odd. I've done several Wireshark captures and Sophos is sending TCP Resets to many SSL connections if I ONLY have the FW on. Once I turn on Web Filtering things work. This is causing issues with several streaming services since I like to put the hosts in the Web Filtering By Pass.

    I don't use DNSSEC and have one rule to allow everything outbound.

  • Hi, Brett, and welcome to the UTM Community!

    I don't know enough about TCP to know which timeout might need to be increased.  You can see the current values with

    cc get packetfilter timeouts

    If the problem were ip_conntrack_tcp_timeout_last_ack at 30, you could increase this to 60 with

    cc set packetfilter timeouts ip_conntrack_tcp_timeout_last_ack 60

    If you find the correct parameter change, please post your result back here.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA