FW4020 20.0v1 Troubleshooting Web Scanning On Sophos Firewall
Troubleshooting Web Scanning on Sophos Firewall
Sophos Firewall
Version: 20.0v1
Sophos Firewall
FW4020: Troubleshooting Web Scanning on Sophos Firewall
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 6 minutes
In this chapter you will learn the logs and commands that can be used to troubleshoot web scanning
when using the DPI engine or using a web proxy.
If web protection is configured to use DPI scanning, the log viewer will provide useful information for
troubleshooting, and this should always be the place to start.
If you are not able to determine what is happening to resolve the issue from the log viewer, you may
need to enable web debug logging for the DPI engine.
Toggle web filtering debug logging on/off: service ips:debugp -ds nosync
The DPI engine relies on Snort and the IPS service, and so it is in the IPS service that debug logging is
enabled for web scanning. When you enable debug logging, it can log such a vast volume of data that
it makes it hard to see what is going on. Before enabling the debug logging, you can optionally create a
mask that will enable debugging for only specific components, allowing you to focus your
troubleshooting.
To create a mask, you echo the combined value for the components you want into a configuration file using the Advanced
Shell; the slide shows an example for web categorization and antivirus. You then toggle debug logging on with
service ips:debugp -ds nosync. Please note that this uses 'debugp' instead of plain 'debug'. Output is written to the
file /log/ips.log.
[Additional Information]
Full set of debugp masks (hex value // decimal value)
DEBUGP_NONE        0x00  // 0
DEBUGP_CONFIG      0x01  // 1
DEBUGP_ACL         0x02  // 2
DEBUGP_EPOLL       0x04  // 4
DEBUGP_WEBCAT_INIT 0x08  // 8
DEBUGP_WEBCAT      0x10  // 16
DEBUGP_AV          0x20  // 32
DEBUGP_AV_CACHE    0x40  // 64
DEBUGP_LOG         0x80  // 128
DEBUGP_POLICY      0x100 // 256
DEBUGP_REQ_FSM     0x200 // 512
DEBUGP_DECOMPRESS  0x400 // 1024
The mask is a bitmask: to debug several components at once, OR their values together (for example web categorization
plus antivirus is 0x10 | 0x20 = 0x30).
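The following shell helpers are an added example, not part of the Sophos course material or of the firewall's own tooling. They build a debugp mask from component names taken from the table above and decode an existing mask back into component names, which is useful when you inherit a mask value from someone else's troubleshooting session. The function names debugp_mask and debugp_decode are hypothetical, and because the page does not reproduce the path of the mask configuration file, the helpers print the value rather than writing it anywhere; echo it into the file shown on the slide yourself.

```shell
#!/bin/sh
# Added example (hypothetical helpers). Component table copied from the page.
DEBUGP_TABLE='CONFIG 0x01
ACL 0x02
EPOLL 0x04
WEBCAT_INIT 0x08
WEBCAT 0x10
AV 0x20
AV_CACHE 0x40
LOG 0x80
POLICY 0x100
REQ_FSM 0x200
DECOMPRESS 0x400'

# debugp_mask NAME... -> prints the bitwise OR of the named components in hex.
# Returns 1 (and prints nothing on stdout) if a name is not in the table.
debugp_mask() {
    mask=0
    for name in "$@"; do
        val=$(printf '%s\n' "$DEBUGP_TABLE" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$val" ]; then
            echo "unknown debugp component: $name" >&2
            return 1
        fi
        mask=$(( mask | val ))
    done
    printf '0x%x\n' "$mask"
}

# debugp_decode 0x30 -> prints one component name per line for each bit set,
# in table order. Bits that match no known component are silently ignored.
debugp_decode() {
    printf '%s\n' "$DEBUGP_TABLE" | while read -r name val; do
        [ $(( $1 & val )) -ne 0 ] && echo "$name"
    done
    return 0
}

# Stand-alone demo: the web categorization + antivirus mask from the text.
echo "mask for WEBCAT AV: $(debugp_mask WEBCAT AV)"
echo "components in 0x30:"
debugp_decode 0x30
```

Run it on the Advanced Shell or any POSIX sh; it needs only awk. The decode direction is the one you will reach for most often, since a mask value in a log or ticket tells you nothing until it is mapped back to names.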
Here you can see an example of the ips.log with debugging enabled for just web categorization.
Further down you can then see the request for categorization and the result.
We’ll now look at a scenario where Sophos Firewall is configured to use the web proxy instead of DPI
web scanning, and users are reporting slow browsing.
When using the web proxy, it is expected that there is a reduction in throughput of up to 25%.
When troubleshooting reports of slow browsing, start by comparing the throughput with and without
the web proxy. The Advanced Shell can be used for testing. The first command configures proxy
settings and then uses curl to download a .zip file through the proxy. The second command downloads the same
file without a proxy, so the two figures are directly comparable.
In this example, you can see that, with the proxy, the throughput is approximately 30% of the
throughput without the proxy, a reduction of 70%. This may indicate an issue that needs to be
resolved.
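The script below is an added example of the comparison just described; it is not the course's own command line and not Sophos tooling. measure_speed downloads a URL with curl, once through a proxy (passed with curl's -x option, an assumption about how the page's "configure proxy settings" step is done) and once directly, and reads back curl's speed_download figure in bytes per second. proxy_reduction_pct and within_budget then apply the 25% expectation from the text. The URL and proxy address are placeholders, and the numbers in the demo are constructed to reproduce the 70% reduction from the page.

```shell
#!/bin/sh
# Added example. URL and proxy are placeholders; the 25% budget is from the page.

# measure_speed URL [PROXY] -> bytes/second reported by curl for the download.
# Body is discarded; -s silences the progress meter so only the figure is printed.
measure_speed() {
    url=$1
    proxy=$2
    if [ -n "$proxy" ]; then
        curl -s -o /dev/null -x "$proxy" -w '%{speed_download}' "$url"
    else
        curl -s -o /dev/null -w '%{speed_download}' "$url"
    fi
}

# proxy_reduction_pct NOPROXY_SPEED PROXY_SPEED -> integer percentage lost
# when going through the proxy. Returns 2 if the baseline is zero/unusable.
proxy_reduction_pct() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        if (a <= 0) { print "n/a"; exit 2 }
        printf "%d\n", (a - b) * 100 / a
    }'
}

# within_budget NOPROXY_SPEED PROXY_SPEED -> exit 0 if the proxy costs at
# most 25% throughput, 1 if it costs more, 2 if the baseline is unusable.
within_budget() {
    pct=$(proxy_reduction_pct "$1" "$2") || return 2
    [ "$pct" -le 25 ]
}

# compare URL PROXY -> runs both downloads and prints a verdict.
compare() {
    direct=$(measure_speed "$1")
    proxied=$(measure_speed "$1" "$2")
    pct=$(proxy_reduction_pct "$direct" "$proxied")
    echo "direct=${direct}B/s proxied=${proxied}B/s reduction=${pct}%"
    if within_budget "$direct" "$proxied"; then
        echo "within the expected 25% reduction"
    else
        echo "reduction exceeds 25%: investigate the proxy"
    fi
}

# Stand-alone demo on constructed figures (no network needed): the page's case,
# proxied throughput at roughly 30% of direct, which is a 70% reduction.
echo "constructed example: $(proxy_reduction_pct 10000000 3000000)% reduction"
# Live use would be, with a real URL and proxy host:port:
#   compare http://example.invalid/test.zip 192.0.2.1:3128
```

Use a file large enough that the transfer runs for several seconds, otherwise connection setup and authentication dominate and the percentage says little about scanning throughput.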
To get more detailed information, enable debug logging for awarrenhttp, which is the web proxy process.
For each transaction the log shows how long the different parts of the transaction took, including
authentication (authtime) and DNS resolution (dnstime). These times are measured in microseconds.
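As an added example of triaging those timings, the script below scans proxy log lines for transactions whose authtime or dnstime exceeds a threshold and says which of the two checks that follow (authentication servers or DNS) applies. It is not part of the course and the log layout is an assumption: only the field names authtime and dnstime and their unit (microseconds) come from the page, and the sample lines are constructed, so adapt the field parsing to what your awarrenhttp debug log actually prints.

```shell
#!/bin/sh
# Added example. Sample lines are constructed; only authtime/dnstime (in
# microseconds) are field names taken from the page. Layout is assumed.
SAMPLE_LOG='2024-01-15 10:00:01 awarrenhttp: url=http://example.com/a.zip authtime=1200 dnstime=800
2024-01-15 10:00:02 awarrenhttp: url=http://example.org/b.zip authtime=2500000 dnstime=900
2024-01-15 10:00:03 awarrenhttp: url=http://example.net/c.zip authtime=1500 dnstime=1800000'

# slow_transactions THRESHOLD_US  (log on stdin)
# Prints one line per authtime/dnstime value above the threshold, with the
# line number, the offending field and the check the text recommends.
slow_transactions() {
    awk -v thr="$1" '
    {
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue
            if ((kv[1] == "authtime" || kv[1] == "dnstime") && kv[2] + 0 > thr) {
                hint = (kv[1] == "authtime") ? "check authentication servers" \
                                              : "check DNS resolution"
                printf "line %d: %s=%sus -> %s\n", NR, kv[1], kv[2], hint
            }
        }
    }'
}

# count_slow THRESHOLD_US -> number of flagged values in the sample log.
count_slow() {
    printf '%s\n' "$SAMPLE_LOG" | slow_transactions "$1" | awk 'END { print NR + 0 }'
}

# Stand-alone demo: anything over one second (1000000 us) is worth a look.
printf '%s\n' "$SAMPLE_LOG" | slow_transactions 1000000
echo "flagged: $(count_slow 1000000)"
# On the firewall you would instead feed the real log, for example:
#   slow_transactions 1000000 < /path/to/awarrenhttp-debug.log
```

Pick the threshold from a healthy baseline rather than a fixed number; an authtime of a few milliseconds is normal when the first authentication server answers promptly, while values in the seconds suggest a timeout on an unreachable server before fallback.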
High authtime?
If you are seeing a high authentication time, check the configuration for authentication servers.
For each authentication server, check the connectivity and responsiveness and ensure that the most
responsive is at the top of the list.
Check the resource utilization on the authentication servers. If they are overloaded this could cause
delays.
High dnstime?
If you are seeing a high DNS time, check the time to resolve various domains using the Sophos
Firewall. Try to include domains that are unlikely to be in the cache to get the most real-world figures.
You can do this from the Advanced Shell with the command: host -a <domain> <Sophos Firewall IP address>
Example output (truncated):
;; QUESTION SECTION:
;sophostest.com. IN ANY
;; ANSWER SECTION:
sophostest.com. 21599 IN NS ns-93.awsdns-11.com.
Once you have resolved the cause of any high time values, re-test with and without a proxy.
The time with the proxy should be within 25% of the time without the proxy.
Chapter Review
Debug logging for DPI can be enabled using the command ips:debugp -ds nosync which will then log to
the file /log/ips.log. Optionally a mask can be created to enable debugging only for specific components.
The Advanced Shell can be used to test throughput for web requests. The curl command can be used to
download a file, with and without a proxy configured. The reduction in throughput with a proxy is
expected to be up to 25%.
Debug logging can be enabled for awarrenhttp, which is the web proxy. This will show times recorded for
transactions, including authenticating the request (authtime) and the time for DNS resolution (dnstime).