
Sophos UTM 9 blocking whatsapp completely

I found in the webfilter log this event:

2017:08:17-17:46:47 sophos httpproxy[5727]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="POST" srcip="100.0.0.97" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo6 (Mobiles)" filteraction="REF_HttCffAllowForEit (mobiles )" size="0" request="0xd9145600" url="http://c.whatsapp.net/chat" referer="" error="Received invalid request from client" authtime="0" dnstime="0" cattime="130" avscantime="0" fullreqtime="30038442" device="0" auth="0" ua="Mozilla/5.0 (compatible; WAChat/1.2; +www.whatsapp.com/contact)" exceptions="" category="122" reputation="neutral" categoryname="Instant Messaging"

 

any help

 

Thanks



  • I have the same issue! Except how's this!

    I am using PPPoE to create the internet connection, I can get the Sophos to initiate the connection and everything works. After about 8 minutes whatsapp stops working, yet everything else still works, full internet access.

     

    Been through all the logs, the traffic is even allowed. I think this has occurred only after the latest firmware upgrade to version 9.502-4.

     

    Can't find a solution!

     

    Regards

  • Hi, Karim and Paul, and welcome to the UTM Community!

    With error="Received invalid request from client" in the log line, you will need to skip the Proxy for WhatsApp.  Also, you might try a Google on:

    site:community.sophos.com/products/unified-threat-management/f whatsapp

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
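
To see which clients and destinations are hitting the error quoted above, the web filter log can be summarised as follows. This is an added example, not part of the original thread: the function names are hypothetical, and the sample lines are constructed (the first two are trimmed from the event in the question, the last two are invented for contrast).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

PAIR = re.compile(r'(\w+)="([^"]*)"')  # key="value" fields of a log line
INVALID = "Received invalid request from client"

def parse_line(line):
    """Return the key="value" fields of one httpproxy log line as a dict."""
    return dict(PAIR.findall(line))

def invalid_request_hosts(lines):
    """Count (srcip, host) pairs blocked with the 'invalid request' error."""
    hits = Counter()
    for line in lines:
        if "httpproxy[" not in line:
            continue  # not a web filter entry
        f = parse_line(line)
        if f.get("action") == "block" and f.get("error") == INVALID:
            host = urlsplit(f.get("url", "")).hostname or "(no host)"
            hits[(f.get("srcip", ""), host)] += 1
    return hits

# Constructed sample input (see the note above the block).
SAMPLE = [
    '2017:08:17-17:46:47 sophos httpproxy[5727]: id="0002" name="web request blocked" '
    'action="block" method="POST" srcip="100.0.0.97" statuscode="502" '
    'url="http://c.whatsapp.net/chat" error="Received invalid request from client" '
    'categoryname="Instant Messaging"',
    '2017:08:17-17:47:20 sophos httpproxy[5727]: id="0002" name="web request blocked" '
    'action="block" method="POST" srcip="100.0.0.97" statuscode="502" '
    'url="http://c.whatsapp.net/chat" error="Received invalid request from client" '
    'categoryname="Instant Messaging"',
    '2017:08:17-17:47:02 sophos httpproxy[5727]: id="0001" name="http access" '
    'action="pass" method="GET" srcip="100.0.0.97" statuscode="200" '
    'url="http://example.com/" error=""',
    '2017:08:17-17:47:05 sophos httpproxy[5727]: id="0002" name="web request blocked" '
    'action="block" method="GET" srcip="100.0.0.98" statuscode="403" '
    'url="http://example.org/" error=""',
]

if __name__ == "__main__":
    for (src, host), n in invalid_request_hosts(SAMPLE).most_common():
        print(f"{n:4d}  {src:15s}  {host}")
```

Blocks with an empty `error` field, such as a category block, are left out on purpose: those are policy decisions rather than traffic the proxy could not parse.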
  • Correct. Whatsapp MUST be excluded from the proxy (or at least from HTTPS scanning).


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Whatsapp is already excluded from HTTPS scanning 

     

    How to exclude Whatsapp from proxy ?! 

  • When using transparent proxy I don't believe you need to exclude it, since it has worked for me for a long time without anything special.

    When using standard proxy it depends on how you configure it, if you just point your clients to the utm at port 8080 then you should also configure your client not to use the proxy for *.whatsapp.com. If you use PAC you can configure it from the PAC file.



  • Configure the 'Transparent Mode Skiplist' on the 'Misc' tab of 'Filtering Options'.

    Cheers - Bob

     
  • This prior post probably has the answer.  

    There are multiple regex needed.

    Bob, how about turning that answer into a wiki post if it works here as well.

  • Hi,

    This is great if you actually are doing the HTTPS inspection and require that to be excluded. But I have added the device to be excluded for all web inspection both HTTP and HTTPS and it still doesn't work. Whatsapp doesn't actually use Web traffic anyway. If you read my original comment, Whatsapp actually works directly after a reboot of the firewall for about 8 minutes and then stops working after that.

    I have the following ports on a different firewall defined and working for whatsapp:

    Messaging: TCP dports 4244,5222,5223,5228,5242

    Voice call: UDP dport 3478

    Regards

  • In transparent mode, non-standard ports bypass the proxy and are handled by firewall rules.  Check whether your firewall settings will allow those ports through, and check firewall logs for additional clues.