
XG v18 - Firewall FQDN fails to match if domain matches web exception - Yet Another Bug


Duplicate

Create an FQDN firewall rule. Surf to the FQDN and watch traffic hit the rule.

Add a web exception with a matching URL regex and skip all checks.

Surf to the FQDN again and watch the firewall rule; confirm with the firewall logs.



  • Hello Brian,

    Thank you for contacting the Sophos Community!

    Just to be clear on your duplication steps:

    1.- Create a Firewall rule with destination set as a FQDN, for example abc.com

    2.- Create a web exception ^([A-Za-z0-9.-]*\.)?abc\.com\.?/ skip all the checks

    3.- Try accessing the FQDN, and the Firewall rule with the FQDN will not be matched? 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
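To check what the exception pattern posted above actually skips, here is an added example (not code from Sophos or from the thread). It assumes the exception is evaluated against the request URL with the scheme removed, i.e. in "host/path" form; the sample URLs are constructed for this check.

```python
import re

# Web exception pattern exactly as posted in the thread (for abc.com).
EXCEPTION_PATTERN = r"^([A-Za-z0-9.-]*\.)?abc\.com\.?/"

# Assumption: the exception is evaluated against the URL without its scheme,
# i.e. "host/path". Expected results are what the regex should do if it is
# correctly anchored to abc.com and its subdomains only.
SAMPLE_URLS = [
    ("abc.com/", True),
    ("www.abc.com/login", True),
    ("cdn-1.eu.abc.com./", True),        # trailing dot (absolute FQDN form) allowed
    ("notabc.com/", False),              # no dot before abc.com, so not a subdomain
    ("abc.com.evil.example/", False),    # abc.com is only a label prefix here
    ("abc.comm/", False),                # different TLD
    ("xyz.com/abc.com/", False),         # abc.com appears only in the path
]


def exception_matches(url_without_scheme):
    """True if the web exception would skip checks for this host/path URL."""
    return re.match(EXCEPTION_PATTERN, url_without_scheme) is not None


def check_samples():
    """Return (url, expected, actual) rows where the regex disagrees with the expectation."""
    rows = []
    for url, expected in SAMPLE_URLS:
        actual = exception_matches(url)
        if actual != expected:
            rows.append((url, expected, actual))
    return rows


if __name__ == "__main__":
    for url, expected in SAMPLE_URLS:
        print(f"{url:28} skip={exception_matches(url)} (expected {expected})")
    print("mismatches:", check_samples())
```

An empty mismatch list confirms the exception is scoped to abc.com and its subdomains, so any firewall-rule mismatch seen in the log viewer is not caused by an over-broad pattern.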
  • Yes, I am finding that there are a few sites that do not like the DPI engine no matter what settings I use. So I created a separate rule with destination set as FQDN locations to send those to the proxy instead. If there are any matching rules in web exclusion, the traffic would take the old firewall rule path. If I disable the matching web exception with the toggle button, I can see the traffic switch to the new FQDN rule. I see this in the firewall log viewer by firewall rule ID.

    Sites so far are smartthings/samsung, ring, and netflix.

    Thanks.

    Rule #51 with web exception enabled (DPI).

    Rule #2 with web exception disabled. (can see it is heading to proxy at dst_trans_ip = 192.168.8.1)

  • Actually, if I can follow your request, this is not a bug at all.

    Firewall Rules have nothing to do with a Web Exception. 

    See: https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

    Basically the Web Module exception will only be called if the web proxy is enabled for this firewall rule. The firewall rule will hit no matter what (first match).

    So maybe I do not understand your issue; it would be better to explain it with more screenshots.


  • Firewall rules are just not getting hit based on URL; see (ring.com).

    Firewall log shows Rule #51. It should be hitting Rule #2, which comes first. I am finding lots of sites that just don't work with xStream, even when fast-pathed (all rules disabled). I may have to switch back to v17 for the second time now until v19 comes out.

