
Copyright © 2024 Sophos Ltd

Troubleshooting Web Categorization on Sophos Firewall

Sophos Firewall
Version: 20.0v2

FW4025: Troubleshooting Web Categorization on Sophos Firewall

May 2024

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.


In this chapter you will learn how to investigate and resolve cases where URLs are being miscategorized.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to configure web protection on Sophos Firewall

DURATION 5 minutes


Categorization Process
[Flowchart: nSXLd receives request → Is it in local cache? → (No) → Does it match a local custom category? → (No) → Cloud lookup (4.sophosxl.net:443). A Yes at either check leads to Category Information → Allow/Deny.]

Sophos Firewall uses the Sophos eXtensible Lookup (SXL) service to categorize URLs for both DPI scanning
and the web proxy. Sophos Firewall also uses this service for IP reputation in email protection and web
server protection.

To use SXL, Sophos Firewall needs to be able to access 4.sophosxl.net on port 443.

When Sophos Firewall uses SXL for a lookup, the SXL service (nSXLd) first checks the local cache. If
there is no answer in the local cache or it has expired, it will check against local custom categories. If
there is no match, it performs a cloud lookup and caches the response.


Categorization Logging

You can find the category for each web request in the web filter log in the log viewer.

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# service nSXLd:debug -ds nosync

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# tail -f /log/nSXLd.log

[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: [0x2685120/922] Categorization request, url: w3schools.org/
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Cache::lookup NOT_FOUND
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: CategoryDB::lookup NOT_FOUND
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Not found in cache. SXL query: w3schools.org/
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: CREATED 41975616, fd: 16
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: DNS query was sent, host: 4.sophosxl.net, index: 65
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Read data count: -1 on descriptor 12
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: DNS query result: 0, index: 65
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: DNS query result: 1, index: 65
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Status code: 1
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Url Size: 1
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: [0x2685120/922] SXL Response: AppCategories[] WebCategories[Educational Institutions]
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: SimpleConnection::out response length: 10
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Read data count: 40 on descriptor 11

If you are seeing an issue with categorization you may need to enable debug logging for the nSXLd
service to see what is happening.

In this example log you can see SXL check the local cache, and then the category database, before
sending the cloud query.

SXL responds with the category information that will be used to allow or deny the traffic based on the
policy.
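The following added example (not part of the Sophos course material) parses nSXLd debug lines in the format shown above, reconstructs the lookup stages for each request, and lists URLs that reached the cloud query but never received an SXL response. The sample log is constructed with one entry per line: the first request mirrors the log above, and the second request (hypothetical host blog.example.test, request ID 923, index 66) is invented for illustration.

```python
import re

# Constructed sample in the line format of the nSXLd debug log shown above.
# Request 922 mirrors that log; request 923 (hypothetical host) is invented and
# deliberately has no "SXL Response" line.
SAMPLE_LOG = """\
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: [0x2685120/922] Categorization request, url: w3schools.org/
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Cache::lookup NOT_FOUND
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: CategoryDB::lookup NOT_FOUND
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: Not found in cache. SXL query: w3schools.org/
[2020-09-23 09:10:20] <140287661696320> [debug] nSXLd: [0x2685120/922] SXL Response: AppCategories[] WebCategories[Educational Institutions]
[2020-09-23 09:10:25] <140287661696320> [debug] nSXLd: [0x2685120/923] Categorization request, url: blog.example.test/
[2020-09-23 09:10:25] <140287661696320> [debug] nSXLd: Cache::lookup NOT_FOUND
[2020-09-23 09:10:25] <140287661696320> [debug] nSXLd: CategoryDB::lookup NOT_FOUND
[2020-09-23 09:10:25] <140287661696320> [debug] nSXLd: Not found in cache. SXL query: blog.example.test/
[2020-09-23 09:10:25] <140287661696320> [debug] nSXLd: DNS query was sent, host: 4.sophosxl.net, index: 66
"""

LINE = re.compile(r"^\[[^\]]+\] <\d+> \[\w+\] nSXLd: (?:\[(?P<req>0x[0-9a-fA-F]+/\d+)\] )?(?P<msg>.*)$")
STAGES = (("Cache::lookup", "cache"), ("CategoryDB::lookup", "category_db"),
          ("Not found in cache. SXL query:", "cloud"))

def trace_lookups(log_text):
    """Return one dict per categorization request: url, lookup stages seen, categories."""
    requests, current = {}, None
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        req, msg = m.group("req"), m.group("msg")
        if msg.startswith("Categorization request, url:"):
            current = requests[req] = {"url": msg.split("url:", 1)[1].strip(),
                                       "stages": [], "categories": None}
        elif req in requests and msg.startswith("SXL Response:"):
            found = re.search(r"WebCategories\[([^\]]*)\]", msg)
            requests[req]["categories"] = found.group(1) if found else None
        elif current is not None:
            # Assumption: untagged lines belong to the most recent request.
            for prefix, stage in STAGES:
                if msg.startswith(prefix):
                    result = "QUERIED" if stage == "cloud" else msg.split()[-1]
                    current["stages"].append((stage, result))
    return list(requests.values())

def unanswered(traces):
    """URLs that reached the cloud lookup but have no SXL response in the log."""
    return [t["url"] for t in traces
            if ("cloud", "QUERIED") in t["stages"] and t["categories"] is None]
```

An unanswered URL is a prompt to confirm that the firewall can reach 4.sophosxl.net on port 443.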


Testing Categorization

When investigating categorization, another useful tool is the Policy Test. This is available in a separate
tab in the log viewer.

The Policy Test allows you to quickly and easily test URLs to show how they are classified. It will also
indicate whether the DPI engine or web proxy is being used for the matching firewall rule.


Category Reassessment
Submit the URL: https://support.sophos.com

Include:
▪ The URL being accessed
▪ The category reported on Sophos Firewall
▪ The expected category for the URL

If you encounter a URL that you think is being miscategorized, you can submit it for reassessment from
the Sophos website.

When doing this, include the URL being accessed, the category being reported on the Sophos Firewall
and the expected category for the URL.


Incorrect Action for Website 1

Let’s look at an example where you see an incorrect action being applied to a website.

Here you can see a blog page that can be accessed, even though you are blocking blogs in your web
policy.


Incorrect Action for Website 2

Checking the log viewer, you can see that the category ‘None’ has been applied to this URL.

Some URLs may be categorized as either ‘None’ or ‘Uncategorized’ by Sophos.


To manage these instances, you can use URL groups to assign actions for the specific domains or URLs.
In the example, the URL of the blog site has been added to ‘Blocked URLs for Default Policy’.


Alternatively, you can set an action for the ‘None’ and ‘Uncategorized’ categories in your policy.

You might also choose to submit the URL for reassessment.


Incorrect Action for Website 3

Once the changes have been applied to the web policy, this blog site is no longer accessible.


Chapter Review

Here are the main things you learned in this chapter.

When performing a URL category lookup, the SXL service (nSXLd) first checks the local cache. If there is
no answer in the local cache or it has expired, it will check against local custom categories. If there is
no match, it performs a cloud lookup and caches the response.

Policy Test allows testing of URLs to show how they are classified. Enabling debug logging for the
nSXLd service shows the process by which the category is determined.

Specific domains can be added to URL groups such as ‘Blocked URLs for Default Policy’, or an action for
the ‘None’ and ‘Uncategorized’ categories can be configured in the policy. You can also submit the URL
for reassessment.
