This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Proceed on content warning not working

Hello Community,

 

we have UTM 9 SG230 (Firmware 9.407-3) configured Webfilter at standard mode.

We have 2 profiles. One of these profiles allow download of files (exe etc.) with Warning.

Our problem is, that the proceed button not working sometimes. Only the Warning page is reloading.

 

Best greatings

David



This thread was automatically locked due to age.
Parents Reply Children
  • Hi,

    sure! Here we go:

    2016:10:19-13:56:07 sophosutm httpproxy[6153]: id="0074" severity="info" sys="SecureWeb" sub="http" name="File extension warned and proceeded" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe srcip="172.20.220.106" extension="exe" filename="iview442g_x64_setup.exe" user="administrator"
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="3" dnstime="0" cattime="0" avscantime="0" fullreqtime="120" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="20" dnstime="0" cattime="0" avscantime="0" fullreqtime="95" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0073" severity="info" sys="SecureWeb" sub="http" name="web request warned, forbidden file extension detected" action="warn" method="GET" srcip="172.20.220.106" dstip="2.21.78.129" user="david.migdol" group="Admin Internet" ad_domain="INTERN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAdminUser (Admin User)" size="3277" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="95" dnstime="148" cattime="131" avscantime="0" fullreqtime="132912" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" reason="extension" extension="exe" filename="iview442g_x64_setup.exe"

    Greatings
    David
  • Hi,

    sure here we go:

    2016:10:19-13:56:07 sophosutm httpproxy[6153]: id="0074" severity="info" sys="SecureWeb" sub="http" name="File extension warned and proceeded" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe srcip="172.20.220.106" extension="exe" filename="iview442g_x64_setup.exe" user="administrator"
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="3" dnstime="0" cattime="0" avscantime="0" fullreqtime="120" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="20" dnstime="0" cattime="0" avscantime="0" fullreqtime="95" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
    2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0073" severity="info" sys="SecureWeb" sub="http" name="web request warned, forbidden file extension detected" action="warn" method="GET" srcip="172.20.220.106" dstip="2.21.78.129" user="david.migdol" group="Admin Internet" ad_domain="INTERN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAdminUser (Admin User)" size="3277" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="95" dnstime="148" cattime="131" avscantime="0" fullreqtime="132912" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" reason="extension" extension="exe" filename="iview442g_x64_setup.exe"

    Greatings

    David

  • Hi Jurgen,

    For the proceed button to work the UTM uses what is known as the "Passthrough" functionality.

    • Are you using the filtering in standard or transparent mode?
    • Have you got an internal DNS that is used instead of the UTM or do your devices use a WAN DNS?
    • Have you configured any of the hostname for end user pages under Web Protection > Filtering Options > Misc Tab?
    • What IP does passthrough.fw-notify.net resolve to when you run an nslookup in command prompt?

    Common problems with Warned, Bypass Block pages not working or elements in blocked/warned pages not showing properly is generally because the client is not properly resolving the passthrough or the route to the "passthrough" does not reach the UTM. The passthroughs functionality is a publicly resolveable IP address that is owned by Sophos that the UTM uses to intercept traffic that is destined for it, if the internal DNS does not resolve it or it does not hit the UTM properly then the pages will not function properly.

    Emile

  • Hi Emile,

    1) in standard mode

    2) we use internal DNS Server

    3) we use standard mode

    4) IP: 213.144.15.19

     

    Greatings

  • Hi Jurgen,

    Question 3 is about the Certificates for End User Pages, have you made any configurations under Web Protection > Filtering Options > Misc and set a custom certificate there? If so, what is the hostname you have entered there.

    Emile

  • Hi Emile,

     

    sorry i missunderstood this!

    We have no custom certificate set there!

     

    Greatings

  • Hi Jurgen,

    What have you set your "Do not proxy" on your endpoint device? I've just re-tested and if I trust the certificate being presented by the UTM (i.e. the appliance certificate) which initially they are just generated on the fly and are "broken" certs.

    What you should do to test this is generate a certificate for passthrough.<hostname of UTM> which you can do from Webserver Protection > Certificate Management and set the VPN ID to Hostname and enter the FQDN I mentioned above there. Then go to Web Protection > Filtering Options > Misc Tab and scroll down to Certificate for End-User pages and just enter the <hostname of UTM> portion (without the passthrough in front of it as this is auto tacked on) and select the cert you've just created.

    Then, on your internal DNS you will want to make an A record for that same FQDN you just generated a cert for with the following IP address: 213.144.15.19.

    That is assuming you're using an internal DNS server and request routing for your local domain, if not then you can ignore the last step as the UTM will auto resolve it itself.

    Now you can download the certificate you've created then trust it by installing it as a trusted root authority and try again. This is a bit over the top for a test, but the passthrough can be broken easily and the best way to properly test it is from the above :)

    Also make sure once you've done all this that you do proxy all requests to passthrough.<hostname of UTM> which can be a little difficult because commonly people set do not proxy "*.domain" which can break the passthrough. Because if a user is talking Standard or Transparent then the passthrough HTTP GET request has to hit the UTM on the same way it was presented to the user.

    Hope that makes sense and looking forward to hearing how it goes!

    Emile