This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Policy helpdesk shows allowed, but still blocked

Hi, 

I'm trying to allow staff to upload images to prezi.com, which they were previously able to do, i have had a look at the web log and the only block i can see is from https://s3.amazonaws.com/0103.static.prezi.com Which i have allowed. I have also tested on Policy Helpdesk and it reports them being able to resolve and access the URL. But when i check the logs, they are still being blocked. 

 

Any ideas at all? They are under the right tag, otherwise policy helpdesk would report blocked right? Any help would be greatly appreciated! 



This thread was automatically locked due to age.
Parents
  • Hi, Chris, and welcome to the UTM Community!

    Please show the line from the Web Filtering log file where this URL was blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, 

    Thank you! It seems the rule i put in for s3.amazon has taken, but since last test another URL has come up as blocked.

     

    2017:04:28-08:34:41
    ********
    172.20.3.99
    pass
    ---
    2017:04:28-08:34:41
    ********
    172.20.3.99
    block
    ---

    It seems to be allowing the above address, which is the same as the blocked URL for all but the last part. I have allowed prezi.com with all subdomains, strange that it's blocking /xhr_streaming?

  • If you are using https inspection, there are a bunch of certificate issues that can cause a site to be blocked:   root certificate in chain, intermediate certificate missing, certificates out of order, wrong server certificate (often a cloud service which enables port 443 for everything whether the client needs it or not),  DNS synonym that was not included in the certificate, expired certificate, and inappropriate wildcard use (trying to cover two levels with one *).   This show up in the logs with an empty string in the error="" clause.

    Similarly, with https inspection, you can be blocked if the server does not support TLS 1.2

    Both of these can be tested using the server test option at ssllabs.com, or an equivalent one provided by most certificate issuing services.

    Of course, since Chrome 58 was released, you should probably be running with HTTPS inspection disabled.

    For any other error, we need the statuscode="" and error="" clauses from the log entry, and I don't see that information in what you provided.   If the site was blocked for something other than a certificate problem, you should have useful information in the error="" clause.

  • As Doug's comment implies, it's always necessary to show the whole line(s) from the logs unless you already know the answer.  A special case is the Firewall Live Log.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Guys, apologies, i posted the report format. 

     

    Here is a blocked line, it mentions blocked file type, but all we are doing here is uploading a png, which is not blocked, going out. 

     

    <2017:05:02-08:23:58 sophos httpproxy[6462]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="POST" srcip="172.20.3.99" dstip="52.216.227.59" user="dummystu" group="Students over 16" ad_domain="SDC" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffStude16Plus (Student 16 plus)" size="2561" request="0xddd44c00" url="s3.amazonaws.com/0103.static.prezi.com" referer="prezi.com/.../" error="" authtime="95" dnstime="11405" cattime="14540" avscantime="65765" fullreqtime="1141652" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36" exceptions="" overridecategory="1" category="177" reputation="trusted" categoryname="Content Server" sandbox="-" application="amazonws" app-id="800" reason="extension" extension="com" filename="0103.static.prezi.com">
Reply
  • Hi Guys, apologies, i posted the report format. 

     

    Here is a blocked line, it mentions blocked file type, but all we are doing here is uploading a png, which is not blocked, going out. 

     

    <2017:05:02-08:23:58 sophos httpproxy[6462]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="POST" srcip="172.20.3.99" dstip="52.216.227.59" user="dummystu" group="Students over 16" ad_domain="SDC" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffStude16Plus (Student 16 plus)" size="2561" request="0xddd44c00" url="s3.amazonaws.com/0103.static.prezi.com" referer="prezi.com/.../" error="" authtime="95" dnstime="11405" cattime="14540" avscantime="65765" fullreqtime="1141652" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36" exceptions="" overridecategory="1" category="177" reputation="trusted" categoryname="Content Server" sandbox="-" application="amazonws" app-id="800" reason="extension" extension="com" filename="0103.static.prezi.com">
Children