FW4025 20.0v2 Troubleshooting Web Categorization On Sophos Firewall
Version: 20.0v2
FW4025: Troubleshooting Web Categorization on Sophos Firewall
May 2024
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 5 minutes
In this chapter you will learn how to investigate and resolve cases where URLs are being miscategorized.
Categorization Process
[Flowchart: nSXLd receives request → Is it in local cache? → if no: Does it match a local custom category? → if no: Cloud lookup (4.sophosxl.net:443). A yes at either check, or the cloud response, gives the category information used to allow or deny.]
Sophos Firewall uses the Sophos eXtensible Lookup (SXL) service to categorize URLs for both DPI scanning
and the web proxy. Sophos Firewall also uses this service for IP reputation in email protection and web
server protection.
To use SXL, Sophos Firewall needs to be able to access 4.sophosxl.net on port 443.
When Sophos Firewall uses SXL for a lookup, the SXL service (nSXLd) first checks the local cache. If
there is no answer in the local cache or it has expired, it will check against local custom categories. If
there is no match, it performs a cloud lookup and caches the response.
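The lookup order described above, as an added Python model (not nSXLd's own code and not part of the Sophos material). It reports which stage answered each request, which is the same question the debug log answers; the exact-host matching, the 300-second lifetime and the `cloud_lookup` callable are assumptions for illustration.

```python
import time


class LookupModel:
    """Model of the described order: local cache, custom categories, cloud."""

    def __init__(self, custom_categories, cloud_lookup, ttl=300,
                 clock=time.monotonic):
        self.custom = custom_categories   # host -> category (local custom categories)
        self.cloud_lookup = cloud_lookup  # hypothetical callable: host -> category
        self.ttl = ttl                    # assumed cache lifetime in seconds
        self.clock = clock                # injectable so expiry can be tested
        self.cache = {}                   # host -> (category, expires_at)

    def categorize(self, host):
        """Return (category, stage); stage names the step that answered."""
        now = self.clock()
        entry = self.cache.get(host)
        if entry and entry[1] > now:
            return entry[0], "cache"
        self.cache.pop(host, None)        # entry is missing or has expired
        if host in self.custom:
            return self.custom[host], "custom"
        category = self.cloud_lookup(host)
        # Only the cloud response is cached, as the text states.
        self.cache[host] = (category, now + self.ttl)
        return category, "cloud"


def demo():
    """Trace the answering stage for a constructed sequence of requests."""
    t = [0.0]                             # fake clock, advanced by hand
    cloud = {"news.example.com": "News"}  # constructed cloud answers
    model = LookupModel({"intranet.example.test": "Internal Apps"},
                        lambda h: cloud.get(h, "None"),
                        ttl=300, clock=lambda: t[0])
    trace = [model.categorize("news.example.com")[1]]      # first sight
    trace.append(model.categorize("news.example.com")[1])  # served locally
    t[0] = 301.0                                           # entry expires
    trace.append(model.categorize("news.example.com")[1])
    trace.append(model.categorize("intranet.example.test")[1])
    return trace


if __name__ == "__main__":
    print(demo())
```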
Categorization Logging
You can find the category for each web request in the web filter log in the log viewer.
If you are seeing an issue with categorization, you may need to enable debug logging for the nSXLd
service to see what is happening:
SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service nSXLd:debug -ds nosync
In this example log you can see SXL check the local cache, and then the category database, before
sending the cloud query.
SXL responds with the category information that will be used to allow or deny the traffic based on the
policy.
Testing Categorization
When investigating categorization, another useful tool is the Policy Test. This is available in a separate
tab in the log viewer.
The Policy Test allows you to quickly and easily test URLs to show how they are classified. It will also
indicate whether the DPI engine or web proxy is being used for the matching firewall rule.
Category Reassessment
If you encounter a URL that you think is being miscategorized, you can submit it for reassessment from
the Sophos website: https://support.sophos.com
When doing this, include:
▪ The URL being accessed
▪ The category being reported on the Sophos Firewall
▪ The expected category for the URL
Let’s look at an example where you see an incorrect action being applied to a website.
Here you can see a blog page that can be accessed, even though you are blocking blogs in your web
policy.
Checking the log viewer, you can see that the category ‘None’ has been applied to this URL.
To manage these instances, you can use URL groups to assign actions for the specific domains or URLs.
In the example, the URL of the blog site has been added to ‘Blocked URLs for Default Policy’.
Alternatively, you can set an action for the ‘None’ and ‘Uncategorized’ categories in your policy.
Once the changes have been applied to the web policy, this blog site is no longer accessible.
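An added example (not from the Sophos material): a short Python audit that lists hosts which were allowed while categorized as ‘None’ or ‘Uncategorized’, the gap shown in the blog example above, so they can be reviewed for a URL group or submitted for reassessment. The log lines are constructed, and the key="value" layout and the field names (log_subtype, category, url) are assumptions; adjust them to your exported web filter log.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines; layout and field names are assumptions.
SAMPLE_LOG = '''\
log_type="Content Filtering" log_subtype="Allowed" category="None" url="https://blog.example.test/post/1"
log_type="Content Filtering" log_subtype="Denied" category="Blogs" url="https://blogs.example.org/a"
log_type="Content Filtering" log_subtype="Allowed" category="Uncategorized" url="http://new-site.example.net/"
log_type="Content Filtering" log_subtype="Allowed" category="None" url="https://blog.example.test/post/2"
log_type="Content Filtering" log_subtype="Allowed" category="Search Engines" url="https://search.example.com/?q=x"
'''

# Matches key="quoted value" or key=bare_value.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNKNOWN = {"none", "uncategorized"}


def parse_line(line):
    """Return the key/value pairs of one log line as a dict."""
    return {key: (quoted if quoted else bare)
            for key, quoted, bare in FIELD.findall(line)}


def unclassified_allowed(log_text):
    """Return [(host, hits)] for allowed requests with no usable category."""
    hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_subtype", "").lower() != "allowed":
            continue                      # blocked traffic is not the gap
        if rec.get("category", "").lower() in UNKNOWN:
            host = urlsplit(rec.get("url", "")).hostname or "(no host)"
            hosts[host] += 1
    return hosts.most_common()            # busiest hosts first


if __name__ == "__main__":
    for host, hits in unclassified_allowed(SAMPLE_LOG):
        print(f"{hits:4d}  {host}")
```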
Chapter Review
When performing a URL category lookup, the SXL service (nSXLd) first checks the local cache. If there is no
answer in the local cache or it has expired, it will check against local custom categories. If there is no
match, it performs a cloud lookup and caches the response.
Policy Test allows testing of URLs to show how they are classified. Enabling debug logging for the nSXLd
service shows the process by which the category is determined.
Specific domains can be added to URL groups such as ‘Blocked URLs for Default Policy’, or an action for
the ‘None’ and ‘Uncategorized’ categories can be configured in the policy. You can also submit the URL for
reassessment.