This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Policy helpdesk shows allowed, but still blocked

Hi, 

I'm trying to allow staff to upload images to prezi.com, which they were previously able to do, i have had a look at the web log and the only block i can see is from https://s3.amazonaws.com/0103.static.prezi.com Which i have allowed. I have also tested on Policy Helpdesk and it reports them being able to resolve and access the URL. But when i check the logs, they are still being blocked. 

 

Any ideas at all? They are under the right tag, otherwise policy helpdesk would report blocked right? Any help would be greatly appreciated! 



This thread was automatically locked due to age.
Parents
  • Hi, Chris, and welcome to the UTM Community!

    Please show the line from the Web Filtering log file where this URL was blocked.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob, 

    Thank you! It seems the rule i put in for s3.amazon has taken, but since last test another URL has come up as blocked.

     

    2017:04:28-08:34:41
    ********
    172.20.3.99
    pass
    ---
    2017:04:28-08:34:41
    ********
    172.20.3.99
    block
    ---

    It seems to be allowing the above address, which is the same as the blocked URL for all but the last part. I have allowed prezi.com with all subdomains, strange that it's blocking /xhr_streaming?

  • If you are using https inspection, there are a bunch of certificate issues that can cause a site to be blocked:   root certificate in chain, intermediate certificate missing, certificates out of order, wrong server certificate (often a cloud service which enables port 443 for everything whether the client needs it or not),  DNS synonym that was not included in the certificate, expired certificate, and inappropriate wildcard use (trying to cover two levels with one *).   This show up in the logs with an empty string in the error="" clause.

    Similarly, with https inspection, you can be blocked if the server does not support TLS 1.2

    Both of these can be tested using the server test option at ssllabs.com, or an equivalent one provided by most certificate issuing services.

    Of course, since Chrome 58 was released, you should probably be running with HTTPS inspection disabled.

    For any other error, we need the statuscode="" and error="" clauses from the log entry, and I don't see that information in what you provided.   If the site was blocked for something other than a certificate problem, you should have useful information in the error="" clause.

  • As Doug's comment implies, it's always necessary to show the whole line(s) from the logs unless you already know the answer.  A special case is the Firewall Live Log.  Alone among the logs, the Firewall Live Log presents abbreviated information in a format easier to read quickly.  Usually, you can't troubleshoot without looking at the corresponding line from the full Firewall log file.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Guys, apologies, i posted the report format. 

     

    Here is a blocked line, it mentions blocked file type, but all we are doing here is uploading a png, which is not blocked, going out. 

     

    <2017:05:02-08:23:58 sophos httpproxy[6462]: id="0064" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden file extension detected" action="block" method="POST" srcip="172.20.3.99" dstip="52.216.227.59" user="dummystu" group="Students over 16" ad_domain="SDC" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffStude16Plus (Student 16 plus)" size="2561" request="0xddd44c00" url="s3.amazonaws.com/0103.static.prezi.com" referer="prezi.com/.../" error="" authtime="95" dnstime="11405" cattime="14540" avscantime="65765" fullreqtime="1141652" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.87 Safari/537.36" exceptions="" overridecategory="1" category="177" reputation="trusted" categoryname="Content Server" sandbox="-" application="amazonws" app-id="800" reason="extension" extension="com" filename="0103.static.prezi.com">
  • Hi Chris,

    Looking at the log line, the URL might be allowed as seen in the Policy HelpDesk but, the file extension is blocked through the Default Web Filter Profile > Filter Action = Stude16Plus. Allow the file extension, clear the browser cache and check if that works.

    Cheers-

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi sachingurung, 

     

    I did see this blocked file extension, it's blocking "com" so is it somehow picking the TLD up as a file extension?

  • There should be a file associated with the page which is why the UTM is detecting a file type. What happens when the file type is allowed, any change?

    Cheers

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachingurung, 

     

    I created a tag to allow com file extensions and applied that to the filtering rule and it worked, but isn't it strange that it picked up a URL as a file extension? Must be an odd one, because it definitely isn't a file! But alas, the extension allowance worked, so it solves the issue, if it happens again i will have to investigate further, i appreciate everyones help, you have made my first time here a rewarding one! 

     

    Chris

Reply
  • Hi Sachingurung, 

     

    I created a tag to allow com file extensions and applied that to the filtering rule and it worked, but isn't it strange that it picked up a URL as a file extension? Must be an odd one, because it definitely isn't a file! But alas, the extension allowance worked, so it solves the issue, if it happens again i will have to investigate further, i appreciate everyones help, you have made my first time here a rewarding one! 

     

    Chris

Children
No Data