Google Ad Services still blocked

Hi everyone,

that one bugs me:

In Web Protection I blocked the category "Web Ads" but made an exception for "^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/" and skipped: "URL Filter / Content Removal / SSL scanning / Certificate trust check / Certificate date check"

The URL https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEb3U2hlSWZq7M4vZYrW1kfgMn5zB-0nT3afH0QW809H82ggICRABIN7Nzx4oFGCVsp-CsAegAajT5MMDyAEHqQIlrw1sP8iyPqoELU_QvG5X9l6EVcmggtaBVp03lZD8dhWTjwzZu4hyqPEjckjbAwbH8tSOTPuA-MAFBaAGJoAHjPKRKJAHA6gHpr4b2AcB4BLW1pesz_DKqd8B&ctype=5&ved=0ahUKEwjVj4qY0N3UAhUBzxQKHVPvAu0QrkMIEg&dblrd=1&val=GgiPEqqs-cZEEiABKAAwnbC04-fz_tIDOPOwyMoFQMyzyMoF&sig=AOD64_1JJfde0vdqfelTrICIy-nxWu3uuA&adurl=http://clickserve.dartsearch.net/link/click%3Flid%3D92700021927041567%26ds_s_kwgid%3D58700002543180166%26ds_s_inventory_feed_id%3D97700000002396362%26%26ds_e_adid%3D202212242552%26ds_e_matchtype%3Dsearch%26ds_e_device%3Dc%26ds_e_network%3Dg%26ds_e_product_group_id%3D299298482620%26ds_e_product_id%3D1486163%26ds_e_product_merchant_id%3D15143421%26ds_e_product_country%3DDE%26ds_e_product_language%3Dde%26ds_e_product_channel%3Donline%26ds_e_product_store_id%3D%7Bproduct_store_id%7D%26ds_url_v%3D2%26ds_dest_url%3Dhttp://r.refinedads.com/r.rfa%3Fv%3Dg3%26oid%3D2286%26aid%3D4014%26critValues%3D%26cid%3D864997103%26agid%3D49355159411%26tid%3Dpla-299298482620%26fid%3D%26adid%3D202212242552%26networkType%3DSearch%26n%3Dg%26p%3D%26q%3D%26mt%3D%26ap%3D1o1%26adt%3Dpla%26merchantid%3D15143421%26productid%3D1486163%26d%3Dc%26dm%3D%26p1%3D%26p2%3D%26r%3D16640977220556452153%26url%3Dhttp://www.mediamarkt.de/catentry/1486163

passes right through the Policy Helpdesk Tool as "passed" based on the exception I made. But the URL is not accessible via web browser.

When removing the S from https, the URL works.

In the Web Protection log I have two entries. One as allowed and one as blocked because of category "Web Ads".

Proxy is set to transparent, although the clients currently do not use the UTM as a gateway. The Web Protection is used by Sophos Enterprise Console and the Endpoint Protection.

 

I hope you guys can help me ... or girls ... no offense ;-)

BR,

Volker



  • Update: it is neither an issue of Anti-Virus nor the Endpoint itself

    It is simply the UTM which is incapable of exceptions for SSL URLs while in "Transparent Mode".

    There is a little note at the end of the online help. (◔_◔)

    Nevertheless it's a bug regarding the UTM itself and is escalated to global support.

    It shouldn't be possible to have URLs listed in an exception while in "Transparent Mode" or the URLs must also be checked for Endpoints and not just the UTM exclusively.

    If the UTM tries to access its own Broker (HTTPS) and is in "Transparent Mode" it shouldn't be able to communicate at all with Sophos, but the predefined exceptions seem to work, but only for the UTM itself.

    So someone at Sophos product development just didn't know what he was doing. Also the Support told me to apply only IP addresses to the exceptions, as the online help states.

    But in the case of "googleadservices.com" it's a dynamically changing IP address and not a DNS group and also no DNS Groups can be applied to exceptions.

    And just for your amusement: try to think of an IP of a cloud provider: 1 IP with thousands of URLs and all kind of different services and categories.

    So in conclusion: it is a BUG and Sophos must fix the exceptions to work on URL base in transparent mode or totally redesign the entire web interface of the UTM in order to provide only the functions currently working with the current code.

    BR,

    Volker

  • Hello Volker,

    The UTM handles exceptions for SSL URLs in Transparent Mode just fine. If it didn't we would have thousands of customers complaining. Since right now we have one customer with a problem the likelihood is that you have a local issue due to your network or configuration. I hope that Support will be able to guide you through the problem. However much we train them, however, there will be some support people that are better than others. This can also be complicated by the fact that UTM support and Endpoint support are two different groups, and where UTM controls endpoint is an area that neither side is well versed in.  :)

    Based on what you have posted to the forums, I believe this to be an endpoint problem, not a UTM problem. Now you have told Support more, and therefore they may know differently, but from what you posted of eplog showing a block, it is endpoint.

    Whereas I think it is highly unlikely that there is a UTM problem (or else we would hear more complaints), there are fewer people using Endpoint with UTM, and problems with that setup are more possible.

    Did you try changing the exception as I suggested?

    Can you try one other thing.  Disable endpoint altogether (as a Windows Administrator, go into Services and stop all the Sophos8 services) and then try.

    If endpoint is disabled (therefore you are in UTM only) and you are still blocked, I would like to see a copy of those logs.

    Finally, can you please tell me if you have HTTPS scanning on or off?

  • Hi Michael,

    as I mentioned on 29 Jun 2017 5:41 AM it's only "URL Filtering" not decrypt and scan.

    Nevertheless I did some further research and both the Support employee and the UTM Online Help are incorrect.

    As I stopped all local Sophos services on my computer and entered the UTM's IP and port into my proxy settings, everything works as expected.

    So no error at all at the UTM, my bad. But the Endpoint is not able to make an HTTPS exception. The rules are applied, because an HTTP request is working.

    Also: I'm not using the UTM to control the Endpoints. The UTM transfers its Web Protection config to the broker (if it is available; current downtime 43,66% over 14 days) and the broker is referenced in the Sophos Enterprise Console. No further configuration is done there.

    So when an exception is made, using the given RegEx, the URL is available as http on the client but not as https.

    So my conclusion would be, that there is an endpoint-exclusive problem.


    BR,

    Volker
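
Added example (not part of the thread and not Sophos code): a quick check that separates "the exception pattern is wrong" from "the enforcing component does not apply it to HTTPS", by running the regex quoted in the first post against both schemes and against look-alike hosts it must not cover. The candidate strings are constructed; the long click URL from the thread is shortened to host and path, and `classify` and `scheme_mismatch` are hypothetical helper names.

```python
import re

# Exception pattern exactly as quoted in the first post of the thread.
EXCEPTION = re.compile(r"^https?://([A-Za-z0-9.-]*\.)?googleadservices\.com/")

# Constructed inputs (not taken from any log): the thread's URL shortened to
# host and path, host-only forms, and look-alike hosts that must stay blocked.
CANDIDATES = {
    "http_full": "http://www.googleadservices.com/pagead/aclk?sa=L",
    "https_full": "https://www.googleadservices.com/pagead/aclk?sa=L",
    "https_host_slash": "https://www.googleadservices.com/",
    "https_host_no_slash": "https://www.googleadservices.com",
    "bare_hostname": "www.googleadservices.com",
    "apex": "https://googleadservices.com/x",
    "lookalike_suffix": "https://www.googleadservices.com.example.net/",
    "lookalike_prefix": "https://notgoogleadservices.com/",
    "embedded": "https://example.net/?u=https://www.googleadservices.com/",
}


def classify(candidates=CANDIDATES, pattern=EXCEPTION):
    """Map each candidate name to True if the exception pattern covers it."""
    return {name: pattern.match(value) is not None
            for name, value in candidates.items()}


def scheme_mismatch(host_and_path, pattern=EXCEPTION):
    """True if the http:// and https:// forms of one URL get different verdicts."""
    http = pattern.match("http://" + host_and_path) is not None
    https = pattern.match("https://" + host_and_path) is not None
    return http != https


if __name__ == "__main__":
    for name, covered in classify().items():
        print(f"{name:22} {'covered' if covered else 'NOT covered'}")
    print("scheme mismatch:",
          scheme_mismatch("www.googleadservices.com/pagead/aclk?sa=L"))
```

The pattern gives the same verdict for the http and https forms and rejects the look-alike hosts, so a difference between the two schemes has to come from the component applying the policy rather than from the regex. The forms without a trailing slash or without a scheme are not covered, which matters for any filter that is handed only a hostname.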