This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Youtube and Google bypass Web Filtering Profile Block once content is loaded in Chrome tabs

I've got a weird one here thats making my head spin.

Ill try to keep this simple using images.

So I have Web Filter Profiles, the below one is for the kids, it has the kids devices defined in "Allowed networks" to filter them in here, as you can see I have a bunch of Policies defined for certain times which allowed them to surf.

When they fall out of scope of these times, they fall to the Base policy with BLOCK ALL which has everything blocked:

 

So my aim here is simply to allow them to surf between certain times (time definitions exist as per the Policy names) and when they fall out of these times, they land up in the Block All policy which shuts them down.

 

This works and has been working all along until now for some reason. 

What I'm finding is if Chrome downloads youtube and google into its cache (eg the chrome browser has a tab with https://www.youtube.com loaded and a tab with https://www.google.com loaded) once the times are not allowed and BLOCK ALL takes effect, the tab that has the youtube player active can be used to watch video after video.

I also see that if I load up https://www.google.com I can search for anything I want, but clicking any results get blocked.

Flushing the browser cache and then attempting to establish a connection to https://www.google.com or https://www.youtube.com gets blocked.

Its almost like since the youtube player and google search page has been already downloaded into the webbrowser cache, that the searches and media streams bypass the webproxy until they get flushed and need to be re-downloaded.

 

I may be going about setting time limits here the hard and silly way, but I have not had any issues where youtube didnt get blocked (stream would stop) once the time limits ran out and it fell to the BLOCK ALL Policy.

 

Im hoping this makes sense, has anyone had any such experiences or does anyone have any advice?

 

Thanks much

 

Sheldon



This thread was automatically locked due to age.
  • Sorry, but I didn't get the trick. My network setup is a bit different. The UTM is behind the internet router because of 'phone over viop' issues: dsl router <-> utm <-> wlan acces point <-> clients. The webfilter is set up in transparent mode with user authentication via browser. The "Allowed Network" is internal LAN, the webfilter profile is connected with the user, who has a time limit for games within his profile. Last but not least I have configured firewall rules with the parameters shown by Sheldon's trick but with one exception: There is no DNS service configured. When I am looking into the live protocol only the 'internal LAN' packet filter rule is active, but not the 'Sheldon's" packet filter rules. What I did wrong?

  • We would have to look at the Edits of the firewall rule and the Web Filtering Profile, Manfred.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My configutation details are:

    In the base policy all categroies with illegal content and all categories with addictive potential ;-), like games, are blocked, all others are allowed.
    In the user's policy 'children-filter' the categories with addictive potential have a time contingent of 60 minutes.
    The time contingent is configured in 'Edit Filter Action' under 'Additional Options > Quotas'.
    Different to Sheldon's configuration the 'Time event' option is set to 'Always'/'Anytime' in both policies.

    Do I have to add the 'Children Devices' and the 'Internal LAN' network group to the 'Allowed Networks' on 'Network Services > DNS' or is it enough to add only the 'Internal LAN' network?

    Do I have to do the same on 'Web Filtering > Global' or not?

    Within the 'Web Filter Profile' I added the 'Children Devices' to the 'Allowed Networks':

    Default authentication goes via Browser.

    The Web Filter Profile 'Children' is assigned to the filter action 'children-filter':

    And last but not least the firewall rules:

    When I am looking on the Live Log of the firewall I only get entries for Packet filter rule #4. 'Log traffic' for #2 and #3 is enabled.

  • After further testing I can say that my configuration according to Sheldon's template was right. And this trick works well for youtube videos. I started an eleven minutes video and after ten minutes (time quota preset) the video stream got automatically blocked. But when playing the online game 'slither.io', after 10 minutes of gaming nothing happens. For analysing this different behaviour of the UTM 9, I compared the 'Web Filtering' live log records when streaming a youtube video with that ones when gaming of 'slither.io'. The sent streaming packages of a youtube video create a lot of requests, that are logged by the 'Web Filtering'. But 'slither.io' creates only a few requests when starting the game. Afterwards no further request is monitored by the 'Web Filtering'. So you have unlimited playtime, as long as you don't klick on the reload button of your browser. I am wondering where else the communication between 'slither.io' and the browser takes place. What is sure is that many requests are sent during the game, but I can't find them anywhere.

  • On the image with the 'Default Web Filter Profile' one detail is wrong. Therefore I upload again the right image. The 'Default authentication' must be activated for forwarding to the 'Children' Web Filter Profile.