Sophos Web Filtering Appliance

Hi all,

I have recently implemented a Sophos Virtual Web Filter appliance and I have a few questions:

In the reporting, 'Top Users By Browse Time' is showing 18+ hours browsing per day for some users, is there any way to make this more accurate as this is obviously not correct?

Report Exemptions allow me to exempt a category or an individual URL from being included in a report, is there any way to exempt ALL URLs ending with the same domain, e.g. all of our servers are xxxxxxx.DOMAIN.LOCAL?

Also in report Exemptions I need to exclude the whole of our internal IP range, does anyone know how you would do this as it only seems to let me add 1 x IP address at a time.

I did ask these questions to Sophos Support but wanted to see if anyone here had any suggestions on any of these.

Thanks in advance.

  • Hi. Welcome to Sophostalk!

    It could be that the user has left their system on overnight and there is some automated software which repeatedly accesses the web.  Unfortunately there is no way for the appliance to distinguish this from 'normal' traffic.  

    If it is caused by some specific traffic you can exclude that from reports to improve accuracy.

    By the way, if you're interested in how the report is calculated...

    /search?q= 13773

    --------------------

    For the exemptions, domain.local will exclude sub-domains / hosts.  

    However, you can't exempt an IP range.  You could disable the logging of internal traffic completely by following these steps:

    • Go to 'Configuration | Group Policy | Local Site List'.   Add your IP range as CIDR:  Eg. 192.168.0.0/16
    • Create a tag for the entry and Save.
    • Go to 'Configuration | Group Policy | Additional Policies'.  Add a new policy
    • All users must be a member of the policy.  Add a group containing all users
    • Go to the 'Tags' section and add the tag you created earlier.  Set it to 'Allow'
    • *EDIT* On the 'Name and schedule' tab select 'Do not log traffic for this policy'
    • Name and save the policy

    Alternatively, if you don't need internal traffic to go through the appliance at all, you can usually stop that happening.  For example, by using proxy exceptions in the web browser.

    Hope this is of some help.

    - Tom.

  • Thanks Tom,

    That's really useful information, exactly what I was looking for.

    Quick question, on the link, you mentioned the following:

    "The appliance counts the time difference between every HTTP request.  So if I did the following web browsing, it would show as 1 minute browsing on google.com:

    01:00:00 google.com

    01:01:00 yahoo.com (1 minute later)"

    However, what happens if I view a page with multiple elements?

    e.g. youtube.com would be referenced as 'streaming media' but also has adverts on the page which would be classed as 'advertising'.

    Would this show browse time against both categories, which would then affect the 'total browse time' results?

    e.g. if I go to youtube.com for 1 minute, would it show 'streaming media' for 1 minute + 'advertising' for 1 minute = 2 minutes of total browse time?

    I can provide a screenshot if that makes it easier to explain.

  • Hi chipsnham,

    No problem!

    Ah by the way, I just re-read the above post and I had missed a step.  See the EDIT above.  

    Good question regarding multiple elements.  We actually exclude certain elements from this report which are commonly loaded in the background, including advertising URLs.  So it shouldn't be a problem.

    In the worst case scenario that a background element wasn't excluded from the report, it still wouldn't 'double' the browse time.  This is because every new HTTP request stops the clock on the last one.  So for your example of a bunch of sites all being loaded at once, we would only be counting the last HTTP request.

    Thanks,

    Tom.

  • Thanks Tom,

    I guess I was just surprised at some of the Browse Times!

    I actually excluded the 'Computing & Internet' category as well as lots of advertising was being classed in this category.

    The report seems to be fairly accurate now.

    Thanks again

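A simplified model of the browse-time calculation discussed in this thread, added as an example; it is not Sophos code and not part of any post. The log format, sample entries and function names are constructed, and it assumes that a request covered by a report exemption still stops the clock on the previous request but has its own time left out of the total.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (timestamp, user, host, category). Not appliance output.
LOG = [
    # alice: a page, an ad loaded one second later, then the next site
    ("2024-01-08 01:00:00", "alice", "youtube.com", "Streaming Media"),
    ("2024-01-08 01:00:01", "alice", "ads.example.net", "Advertising"),
    ("2024-01-08 01:01:00", "alice", "yahoo.com", "Search Engines"),
    # bob: leaves at 17:00, background software keeps polling an internal host
    ("2024-01-08 16:59:00", "bob", "news.example.org", "News"),
    ("2024-01-08 17:00:00", "bob", "wsus.domain.local", "Computing & Internet"),
    ("2024-01-08 23:00:00", "bob", "wsus.domain.local", "Computing & Internet"),
    ("2024-01-09 05:00:00", "bob", "wsus.domain.local", "Computing & Internet"),
    ("2024-01-09 11:00:00", "bob", "news.example.org", "News"),
]

def is_exempt(host, category, exempt_categories, exempt_domains):
    """True if an exemption covers the request; a domain also covers its sub-domains."""
    host = host.lower()
    by_domain = any(host == d or host.endswith("." + d) for d in exempt_domains)
    return category in exempt_categories or by_domain

def browse_seconds(log, exempt_categories=(), exempt_domains=()):
    """Return {user: seconds}; each request is timed until that user's next request."""
    per_user = defaultdict(list)
    for ts, user, host, category in log:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        per_user[user].append((when, host, category))
    totals = {}
    for user, reqs in per_user.items():
        reqs.sort()
        total = 0
        # The next request stops the clock on the previous one, so overlapping
        # page elements share the interval instead of each counting it in full.
        # The final request has no end time and contributes nothing.
        for (start, host, category), (end, _, _) in zip(reqs, reqs[1:]):
            if not is_exempt(host, category, exempt_categories, exempt_domains):
                total += int((end - start).total_seconds())
        totals[user] = total
    return totals

if __name__ == "__main__":
    print("no exemptions:  ", browse_seconds(LOG))
    print("with exemptions:", browse_seconds(LOG, {"Advertising"}, {"domain.local"}))
```

In this model alice's minute on the page is split between the two categories rather than doubled, and bob's 18 hours come entirely from the idle polling, which disappears once `domain.local` is exempted.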