Youtube and Google bypass Web Filtering Profile Block once content is loaded in Chrome tabs

Question

I've got a weird one here thats making my head spin. 
 Ill try to keep this simple using images. 
 So I have Web Filter Profiles, the below one is for the kids, it has the kids devices defined in "Allowed networks" to filter them in here, as you can see I have a bunch of Policies defined for certain times which allowed them to surf. 
 
 When they fall out of scope of these times, they fall to the Base policy with BLOCK ALL which has everything blocked:

So my aim here is simply to allow them to surf between certain times (time definitions exist as per the Policy names) and when they fall out of these times, they land up in the Block All policy which shuts them down. 
 
 This works and has been working all along until now for some reason. 
 What I'm finding is if Chrome downloads youtube and google into its cache (eg the chrome browser has a tab with https://www.youtube.com loaded and a tab with https://www.google.com loaded) once the times are not allowed and BLOCK ALL takes effect, the tab that has the youtube player active can be used to watch video after video. 
 I also see that if I load up https://www.google.com I can search for anything I want, but clicking any results get blocked. 
 Flushing the browser cache and then attempting to establish a connection to https://www.google.com or https://www.youtube.com gets blocked. 
 Its almost like since the youtube player and google search page has been already downloaded into the webbrowser cache, that the searches and media streams bypass the webproxy until they get flushed and need to be re-downloaded. 
 
 I may be going about setting time limits here the hard and silly way, but I have not had any issues where youtube didnt get blocked (stream would stop) once the time limits ran out and it fell to the BLOCK ALL Policy. 
 
 Im hoping this makes sense, has anyone had any such experiences or does anyone have any advice? 
 
 Thanks much 
 
 Sheldon

Sheldon Botha · Accepted Answer

As some extra information, watching the web filter live log, I don't see much traffic other than the occasional ad which gets blocked, while media is being watched outside of the allowed times (and new videos selected). 
 Putting in a firewall rule based on the same time limits stops the videos and searching 100%, so I'm wondering if the traffic (maybe an established connection) is sliding under the proxy under these circumstances. 
 I would simply build up a similar filter based on time via the firewall, but that's a bunch of rules vs having them all defined as policies in a single profile for the kids. 
 Thanks much 
 Sheldon

BAlfson · Answer

Hi, Sheldon, and welcome to the UTM Community! 
 Several years ago, Sophos "fixed" firewall rules so that they would break existing connections if a different time-based rule was in effect. They didn't do the same for the hidden firewall rules created automatically by WebAdmin when you configure Web Filtering. Thanks for trying that and posting about it here. 
 In fact, you only would need the firewall rules for one minute after you change from a Filter Action allowing traffic to one blocking it. 
 Cheers - Bob

BAlfson · Answer

This is less a bug than a suggested improvement. You can offer your suggestion at Ideas . 
 Cheers - Bob

Sheldon Botha · Answer

Thanks Stephen 
 
 Yes so I found something else out that I did not know about Sophos UTM.... (correct me if im wrong) 
 Apparently unlike most other firewall/UTM solutions I've used in the past, the Web Proxy comes first, before firewall rules.... 
 So if something goes to the proxy, it escapes the firewall rules, thus the firewall really is only to catch things escaping from the Proxy. 
 
 So i got to thinking..... 
 I created 1 rule for the "Children Devices" group for my son and allowed the services of "http proxy, NTP and DNS" to ALLOW (I dont even know if this is needed...) 
 Next in line I created a firewall rule for "Children Devices" for ALL services as REJECTED

I then tested this knowing that any protocols escaping the web proxy (such as UDP 443 here) will fall down to the REJECT rule since Rule 1 wont match, and get blocked. 
 I repeated my test with an active youtube video in play, the time limit then occured to shut down traffic and GUESS WHAT....no longer could I reproduce the issue as I originally stated, about being able to click to new video's. 
 I'll watch this over the long haul here, one more change I did (not sure if this will be of any benefit), I changed my Web Proxy Filter Action for the kids from " Allow all content, except as specified below" to " Block all content, except as specified below" and then defined what I wanted to Allow. 
 Let me know any comments/thoughts here, I'm not 100% sure if Rule #1 is needed, or if it does not exist, that the firewall will get traffic to itself (LAN interface) for DNS or NTP and say "no" since these services are not specified as being allowed for the devices in question. 
 
 Thanks guys!, really happy so far on this one, lets hope my facts are straight here, if so then we dont need to worry about making firewall rules with time limits to break connections for this scenario where I can use the firewall to open up ports to services as needed outside of web browsing which is controlled by the web proxy. 
 -Sheldon