
Google Ad Services still blocked

Hi everyone,

That one bugs me:

In Web Protection I blocked the category "Web Ads" but made an exception for "^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/" and skipped: "URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check"

The URL https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEb3U2hlSWZq7M4vZYrW1kfgMn5zB-0nT3afH0QW809H82ggICRABIN7Nzx4oFGCVsp-CsAegAajT5MMDyAEHqQIlrw1sP8iyPqoELU_QvG5X9l6EVcmggtaBVp03lZD8dhWTjwzZu4hyqPEjckjbAwbH8tSOTPuA-MAFBaAGJoAHjPKRKJAHA6gHpr4b2AcB4BLW1pesz_DKqd8B&ctype=5&ved=0ahUKEwjVj4qY0N3UAhUBzxQKHVPvAu0QrkMIEg&dblrd=1&val=GgiPEqqs-cZEEiABKAAwnbC04-fz_tIDOPOwyMoFQMyzyMoF&sig=AOD64_1JJfde0vdqfelTrICIy-nxWu3uuA&adurl=http://clickserve.dartsearch.net/link/click%3Flid%3D92700021927041567%26ds_s_kwgid%3D58700002543180166%26ds_s_inventory_feed_id%3D97700000002396362%26%26ds_e_adid%3D202212242552%26ds_e_matchtype%3Dsearch%26ds_e_device%3Dc%26ds_e_network%3Dg%26ds_e_product_group_id%3D299298482620%26ds_e_product_id%3D1486163%26ds_e_product_merchant_id%3D15143421%26ds_e_product_country%3DDE%26ds_e_product_language%3Dde%26ds_e_product_channel%3Donline%26ds_e_product_store_id%3D%7Bproduct_store_id%7D%26ds_url_v%3D2%26ds_dest_url%3Dhttp://r.refinedads.com/r.rfa%3Fv%3Dg3%26oid%3D2286%26aid%3D4014%26critValues%3D%26cid%3D864997103%26agid%3D49355159411%26tid%3Dpla-299298482620%26fid%3D%26adid%3D202212242552%26networkType%3DSearch%26n%3Dg%26p%3D%26q%3D%26mt%3D%26ap%3D1o1%26adt%3Dpla%26merchantid%3D15143421%26productid%3D1486163%26d%3Dc%26dm%3D%26p1%3D%26p2%3D%26r%3D16640977220556452153%26url%3Dhttp://www.mediamarkt.de/catentry/1486163

passes right through the Policy Helpdesk Tool as "passed" based on the exception I made. But the URL is not accessible via web browser.

When removing the S from https, the URL works.

In the Web Protection log I have two entries. One as allowed and one as blocked because of category "Web Ads".

Proxy is set to transparent, although the clients currently do not use the UTM as a gateway. The Web Protection is used by Sophos Enterprise Console and the Endpoint Protection.

I hope you guys can help me ... or girls ... no offense ;-)

BR,

Volker

  • Hi, Volker, and welcome to the UTM Community!

    Please show the two lines from the Web Filtering log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    As requested, the log entries from my post date regarding my user and "googleadservices.com".

    As you can see, http is allowed while https is blocked. Under "Web Protection => Web Filtering => HTTPS" I just selected "URL filtering only" and the "Policy Helpdesk" tells me https is allowed.

    2017:06:27-07:37:49 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="216.58.210.2" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-08:03:32 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.16.162" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-10:18:38 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="216.58.207.34" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-10:39:59 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-10:40:02 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"
    2017:06:27-13:04:15 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.18.2" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"
    2017:06:27-14:23:27 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.23.130" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"

  • Please show a picture of the Exception.  Also, I don't see a block of https in the log lines you show above.

    Cheers - Bob
  • Hi Bob,

    Unfortunately you have to hover the www.googleadservices.com in order to see that those are https ... the forum converted the web addresses to real links on saving the post.

    As you wished, here is the screenshot of my exception:

    The regex expression is correct. The UTM validates it but just doesn't care ...

  • Volker, you're right that your configuration is correct and that it makes no sense that the blocks occur.  Is this V9.5?  In any case, I would get a ticket open with Sophos Support.

    Cheers - Bob
  • I think it's not the webfilter. It is blocked from the PUA (antivirus).
    I try to make an authorisation on the PUAs.

    I hope it would work...

  • One complication is that I can see from your logs "eplog".  This is a log coming from the Endpoint.

    The UTM creates a configuration, sends it to the endpoint.
    The endpoint applies the policy logic.
    The endpoint sends the logs to the UTM.
    The UTM displays the logs.

    From the logs it suggests that the exceptions are not being applied to the traffic by the endpoint.

    Two things:

    1) Make sure that the endpoint is receiving configuration updates from the UTM.  Can you make a policy change (like block search engines) on the UTM and prove that change occurred on the endpoint?

    2) It might be that the RegEx isn't applied quite right on the endpoint.  Can you add another RegEx, just a bare "googleadservices\.com" ?
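An added example, not code from the thread or from Sophos: it parses two of the eplog lines posted above (placeholder IPs kept as on the page) and checks, per request, whether the anchored exception regex from the first post and the bare one suggested here would match. The `with_scheme` form is a hypothesis only; the page does not document what string the endpoint actually compares against, so the script tests both the scheme-less `url` field as logged and a scheme-prefixed reconstruction.

```python
import re

# Two eplog lines copied from this thread (blocked CONNECT, passed GET).
LOG_LINES = [
    r'2017:06:27-07:37:49 HOSTNAME eplog[9560]: id="0060" severity="info" sys="SecureWeb" sub="eplog" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="xx.xx.xx.xx" dstip="216.58.210.2" user="DOMAIN\user" statuscode="403" cached="0" profile="" filteraction="" size="0" request="" url="www.googleadservices.com/" exceptions="" error="" reason="category" category="154" reputation="trusted" categoryname="Web Ads"',
    r'2017:06:27-08:03:32 HOSTNAME eplog[9560]: id="0001" severity="info" sys="SecureWeb" sub="eplog" name="http access" action="pass" method="GET" srcip="xx.xx.xx.xx" dstip="172.217.16.162" user="DOMAIN\user" statuscode="200" cached="0" profile="" filteraction="" size="5236" request="" url="www.googleadservices.com/.../conversion_async.js" exceptions="" error="" reason="" category="154" reputation="" categoryname="Web Ads"',
]

# eplog fields are key="value" pairs; values contain no embedded quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_eplog(line):
    """Return the key="value" fields of one eplog line as a dict."""
    return dict(KV_RE.findall(line))

# The exception regex exactly as configured in the first post, and the bare one
# suggested in the last reply.
ANCHORED = re.compile(r"^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/")
BARE = re.compile(r"googleadservices\.com")

def candidate_forms(entry):
    """URL strings a filter might compare an exception against for this entry.
    Assumption (hypothesis, not documented on the page): the logged url has no
    scheme, so we also try a scheme-prefixed reconstruction (CONNECT => https)."""
    url = entry["url"]
    scheme = "https" if entry["method"] == "CONNECT" else "http"
    return {"as_logged": url, "with_scheme": f"{scheme}://{url}"}

def exception_matches(entry):
    """For each candidate form, report whether each regex would except it."""
    return {
        form: {"anchored": bool(ANCHORED.search(url)), "bare": bool(BARE.search(url))}
        for form, url in candidate_forms(entry).items()
    }

def analyse(lines):
    """One summary row per log line: method, action taken, and regex results."""
    return [
        {"method": e["method"], "action": e["action"], "matches": exception_matches(e)}
        for e in map(parse_eplog, lines)
    ]

if __name__ == "__main__":
    for row in analyse(LOG_LINES):
        print(row)
```

The anchored regex cannot match the scheme-less `url` field as logged for the CONNECT request, while the bare one matches every form; this is the difference the suggested second exception would expose.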