Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 12 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 15500 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem with Webfilter not applying rules correctly

Maxmilian Boss

Hello Community.

 

I have a Problem with the webfilter in Sophos UTM 9.4. Since about a month we see a bug where our policy is not applied correctly. Like a AD User was put in a AD security group which has access to the internet by a policy for a test. We removed this user from the security group and even after manually synchronizing with the AD he is still able to connect to the internet. This is independent from which PC we try it.

A User added to the AD group for internet is blocked by the UTM. The integrated policy test states correct values for "blocked/not blocked" and which policy is being used.

 

Browsing through Groups and User in the AD through the UTM is presenting a correct image of our AD.

 

In the log the user who should not have access is listed in sais internet group, but the user who should have access is listed in no group.

 

Can someone explain this behaviour or guide me to workaround? I thank you in advance!



This thread was automatically locked due to age.
  • 0

    Hi Maxmimilian,

    Check which profile filters the user traffic through Policy helpdesk and verify if it is the same profile configured to do that.

    If the user group association is incorrect, verify the group association of the User in the AD. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    Thank you sachingurung.

    I already did that. The association is correct. The Policy Helpdesk states also the correct situation. But the webfilter still applies them wrongly ind the log. How can that be?

    What I forgot to mention was, that blocking of filetypes is also not working. The users can download all files like .exe...

    BTW: I see that I spelled my name wrong. Where can I change it?

     

    Here an example of a user who should have internet access:

    2016:10:25-14:56:42 xxxutm httpproxy[6972]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="172.16.1.213" dstip="" user="vkiebe" group="" ad_domain="xxx" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3520" request="0xe0723600" url="http://api.bing.com/qsml.aspx?query=w&src=IE-Address&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SSC&market=de-DE" referer="" error="" authtime="55" dnstime="0" cattime="97" avscantime="0" fullreqtime="2760" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" reason="category"

     

     

    Example of the user who should not have access:

     

    2016:10:27-13:58:16 xxxutm httpproxy[11876]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="POST" srcip="172.16.1.194" dstip="216.58.213.238" user="deru_scan" group="Sophos-Proxy-O4" ad_domain="LINKORTHO" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="463" request="0xe1331600" url="http://clients1.google.com/ocsp" referer="" error="" authtime="0" dnstime="0" cattime="90" avscantime="720" fullreqtime="31974" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" sandbox="-" content-type="application/x-x509-ca-cert"

     

  • 0 in reply to Maxmilian Boss

    I found something interesting in the changelog of UTM Version 9.407-3.

    : NUTM-2447 [Web] 36231: HTTP proxy policy matching with backend groups is sometimes not working.

    Seems like we still have this bug.

    Our SG 330 is up to date.

  • 0 in reply to Maxmilian Boss

    In the Backend Group definition, instead of using the full Distinguished Name, try just the content of the CN= without CN=.  If the name of the AD Group has any spaces or characters other than alphanumeric or a dash, you may need to rename the AD Group.

    This was an old bug that might have come back.  Any luck with that approach?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hello BAlfson.

     

    Do mean like this? I am in this AD group.

    Here the Log and a Screenshot from the Policy Test. Nothing changes. I still have internet access. I think that deleting the "CN=" should compromise the backend group or not?

     

    2016:10:31-08:54:52 xxxUTM httpproxy[11876]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="xxx" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2621" request="0xe0e3ac00" url="https://plus.google.com/" referer="" error="" authtime="12" dnstime="0" cattime="0" avscantime="0" fullreqtime="125" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions=""

     

  • 0 in reply to Maxmilian Boss

    Hi,

    PM me your exact name I will do the necessary changes as required.

    RUN adsiedit.msc on AD and verify if the exact Bind DN and Base DN is configured in the UTM for Active Directory server.

    Post a screenshot of the AD server configuration on UTM.

    Clear the authentication caches from Definitions & Users > Authentication Services > Authentication cache; and restart httpproxy, "/var/mdw/scripts/httpproxy restart"

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to Maxmilian Boss

    Maximillian, I would have only Sophos-Proxy-all-access in there and NOTHING else, getting rid of the full Distinguished Name and leaving only the content of the CN=.  That's the way I've done Backend Groups for at least 8 or 9 years.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to sachingurung

    Hello,

     

    after going through both of your solutions nothing has changed. I tested with a new AD-User Account and the sophos sync's every change correctly. But not for some users.

    Here is te picture of the AD-Config in the UTM.

  • 0 in reply to Maxmilian Boss

    Does your testing methodology take into account the fact that SSO caches authorization for five minutes?

    What do you see that makes you conclude that "the sophos sync's every change correctly" for some but not for others?

    Please show a picture of the Edit of the Backend Group that's not working correctly.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML