Hello Community,
we have UTM 9 SG230 (Firmware 9.407-3) configured Webfilter at standard mode.
We have 2 profiles. One of these profiles allow download of files (exe etc.) with Warning.
Our problem is, that the proceed button not working sometimes. Only the Warning page is reloading.
Best greatings
David
Hi David,
Can you show us few lines from the http.log when you get this issue.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Hi,
sure here we go:
2016:10:19-13:56:07 sophosutm httpproxy[6153]: id="0074" severity="info" sys="SecureWeb" sub="http" name="File extension warned and proceeded" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe srcip="172.20.220.106" extension="exe" filename="iview442g_x64_setup.exe" user="administrator"
2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="3" dnstime="0" cattime="0" avscantime="0" fullreqtime="120" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="172.20.220.106" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2507" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="20" dnstime="0" cattime="0" avscantime="0" fullreqtime="95" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions=""
2016:10:19-13:56:08 sophosutm httpproxy[6153]: id="0073" severity="info" sys="SecureWeb" sub="http" name="web request warned, forbidden file extension detected" action="warn" method="GET" srcip="172.20.220.106" dstip="2.21.78.129" user="david.migdol" group="Admin Internet" ad_domain="INTERN" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAdminUser (Admin User)" size="3277" request="0xd4183600" url="dl.cdn.chip.de/.../iview442g_x64_setup.exe referer="dl.cdn.chip.de/.../iview442g_x64_setup.exe error="" authtime="95" dnstime="148" cattime="131" avscantime="0" fullreqtime="132912" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" reason="extension" extension="exe" filename="iview442g_x64_setup.exe"
Greatings
David
Hi Jurgen,
For the proceed button to work the UTM uses what is known as the "Passthrough" functionality.
Common problems with Warned, Bypass Block pages not working or elements in blocked/warned pages not showing properly is generally because the client is not properly resolving the passthrough or the route to the "passthrough" does not reach the UTM. The passthroughs functionality is a publicly resolveable IP address that is owned by Sophos that the UTM uses to intercept traffic that is destined for it, if the internal DNS does not resolve it or it does not hit the UTM properly then the pages will not function properly.
Emile
Hi Emile,
1) in standard mode
2) we use internal DNS Server
3) we use standard mode
4) IP: 213.144.15.19
Greatings
Hi Jurgen,
Question 3 is about the Certificates for End User Pages, have you made any configurations under Web Protection > Filtering Options > Misc and set a custom certificate there? If so, what is the hostname you have entered there.
Emile
Hi Emile,
sorry i missunderstood this!
We have no custom certificate set there!
Greatings
Hi Jurgen,
What have you set your "Do not proxy" on your endpoint device? I've just re-tested and if I trust the certificate being presented by the UTM (i.e. the appliance certificate) which initially they are just generated on the fly and are "broken" certs.
What you should do to test this is generate a certificate for passthrough.<hostname of UTM> which you can do from Webserver Protection > Certificate Management and set the VPN ID to Hostname and enter the FQDN I mentioned above there. Then go to Web Protection > Filtering Options > Misc Tab and scroll down to Certificate for End-User pages and just enter the <hostname of UTM> portion (without the passthrough in front of it as this is auto tacked on) and select the cert you've just created.
Then, on your internal DNS you will want to make an A record for that same FQDN you just generated a cert for with the following IP address: 213.144.15.19.
That is assuming you're using an internal DNS server and request routing for your local domain, if not then you can ignore the last step as the UTM will auto resolve it itself.
Now you can download the certificate you've created then trust it by installing it as a trusted root authority and try again. This is a bit over the top for a test, but the passthrough can be broken easily and the best way to properly test it is from the above :)
Also make sure once you've done all this that you do proxy all requests to passthrough.<hostname of UTM> which can be a little difficult because commonly people set do not proxy "*.domain" which can break the passthrough. Because if a user is talking Standard or Transparent then the passthrough HTTP GET request has to hit the UTM on the same way it was presented to the user.
Hope that makes sense and looking forward to hearing how it goes!
Emile
Hi Jurgen,
What have you set your "Do not proxy" on your endpoint device? I've just re-tested and if I trust the certificate being presented by the UTM (i.e. the appliance certificate) which initially they are just generated on the fly and are "broken" certs.
What you should do to test this is generate a certificate for passthrough.<hostname of UTM> which you can do from Webserver Protection > Certificate Management and set the VPN ID to Hostname and enter the FQDN I mentioned above there. Then go to Web Protection > Filtering Options > Misc Tab and scroll down to Certificate for End-User pages and just enter the <hostname of UTM> portion (without the passthrough in front of it as this is auto tacked on) and select the cert you've just created.
Then, on your internal DNS you will want to make an A record for that same FQDN you just generated a cert for with the following IP address: 213.144.15.19.
That is assuming you're using an internal DNS server and request routing for your local domain, if not then you can ignore the last step as the UTM will auto resolve it itself.
Now you can download the certificate you've created then trust it by installing it as a trusted root authority and try again. This is a bit over the top for a test, but the passthrough can be broken easily and the best way to properly test it is from the above :)
Also make sure once you've done all this that you do proxy all requests to passthrough.<hostname of UTM> which can be a little difficult because commonly people set do not proxy "*.domain" which can break the passthrough. Because if a user is talking Standard or Transparent then the passthrough HTTP GET request has to hit the UTM on the same way it was presented to the user.
Hope that makes sense and looking forward to hearing how it goes!
Emile
