Troubleshooting Sophos Firewall Web Policies and HTTPS Decryption Issues

A common complaint is that the default web policy "NO GAMES ADS OR EXPLICITI CONTENTS" does not deny access to porn sites: every such site loads and Sophos never blocks it. Before touching the policy itself, check the web filter logs to see which firewall rule the traffic is actually matching and whether that rule carries the intended web policy; in most of these cases the requests are traversing a different, broader rule.
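The log check described above, as an added example that is not part of the original page or of any Sophos tooling. It parses Sophos XG style key="value" syslog lines, counts which firewall rule (fw_rule_id) each web-filter event matched and what verdict it got, and flags objectionable categories that were allowed instead of denied. The field names (log_type, log_subtype, fw_rule_id, category, category_type, url) follow the XG syslog layout, but the sample lines are constructed for the example, not captured from a real device.

```python
"""Find which firewall rule web-filter traffic is traversing on a Sophos XG.

Added example, not Sophos code.  SAMPLE_LOG is constructed in the XG
key="value" syslog style; field names are assumed from that format.
"""
import re
from collections import Counter

# Constructed sample: three web-filter events and one plain firewall event.
SAMPLE_LOG = """\
device="SFW" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id=1 user_name="jdoe" category="Search Engines" category_type="Acceptable" url="https://www.google.com/" src_ip=10.0.1.20 dst_port=443
device="SFW" log_type="Content Filtering" log_component="HTTP" log_subtype="Allowed" fw_rule_id=1 user_name="jdoe" category="Adult Sexually Explicit" category_type="Objectionable" url="https://example-adult.test/" src_ip=10.0.1.20 dst_port=443
device="SFW" log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" fw_rule_id=3 user_name="asmith" category="Games" category_type="Objectionable" url="http://games.example.test/" src_ip=10.0.1.31 dst_port=80
device="SFW" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" fw_rule_id=0 src_ip=10.0.1.20 dst_port=443
"""

# key=value pairs; values are either "quoted, may contain spaces" or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict, stripping the quotes."""
    out = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        out[key] = quoted if quoted is not None else bare
    return out


def web_filter_events(log_text: str) -> list:
    """Keep only web-filter events; plain firewall rule events are not relevant here."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [e for e in events if e.get("log_type") == "Content Filtering"]


def hits_per_rule(events: list) -> Counter:
    """Count (fw_rule_id, verdict) pairs: which rule the traffic traversed and what it did."""
    return Counter((e.get("fw_rule_id", "?"), e.get("log_subtype", "?")) for e in events)


def unexpected_allows(events: list, bad_types=("Objectionable",)) -> list:
    """Events a restrictive policy should have denied but that were allowed.

    Each hit names the rule that let the request through; either that rule is
    not carrying the intended web policy, or the policy does not block the category.
    """
    return [
        e for e in events
        if e.get("log_subtype") == "Allowed" and e.get("category_type") in bad_types
    ]


def report(log_text: str) -> dict:
    """Summary used by the checks below: rule hit counts plus the allowed-but-objectionable list."""
    events = web_filter_events(log_text)
    return {
        "hits": dict(hits_per_rule(events)),
        "unexpected": [
            (e["fw_rule_id"], e["category"], e["url"]) for e in unexpected_allows(events)
        ],
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    for (rule, verdict), n in sorted(summary["hits"].items()):
        print(f"rule {rule:>3} {verdict:<8} {n}")
    for rule, cat, url in summary["unexpected"]:
        print(f"ALLOWED objectionable '{cat}' via rule {rule}: {url}")
```

On a real device, feed it the web filter log exported from Log Viewer or the syslog target instead of SAMPLE_LOG. In the constructed data the porn site is allowed by rule 1, which is the signal to look at rule 1's web policy selection rather than at the policy definition.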

Web Filter and DNS Verification

To confirm that the firewall can reach the Sophos category lookup service (sophosxl.net), check whether it can resolve and connect to the following hostnames:

  • primary.wing.sophosxl.net
  • peak.wing.sophosxl.net

Under Monitor & Analyze > Diagnostics > Tools, use the name lookup and connectivity tools to check that the firewall, with its configured DNS servers, resolves both names. If it does not, temporarily set 8.8.8.8 as the first DNS server on the XG and repeat the test; if resolution then succeeds, the original DNS server, not the web filter, is the problem.

Rule Configuration and IPS Settings

A common oversight is that none of the firewall rules actually has the web policy selected. Enabling a feature on its own configuration page (for example, defining a web policy under Web > Policies) does not apply it to any traffic; each firewall rule that should enforce it must have that web policy, along with the intended IPS policy, selected in the rule itself. Rules are evaluated top-down and the first match wins, so the rule carrying the policy must sit above any broader general-access rule that would otherwise allow the same traffic.

HTTPS Decryption and Certificate Errors

Users often report that as soon as Decrypt and Scan HTTPS is enabled, they can no longer reach any website, including Google or Yahoo. With Decrypt and Scan for HTTPS there are two TLS tunnels instead of one:

  • The first is between the XG and the client, using the CA configured in Webadmin, with which the XG re-signs each server certificate. The client only trusts this tunnel if that CA is installed in its trusted root store; otherwise every HTTPS site produces a certificate warning or fails outright.
  • The second is between the XG WAN interface and the Internet, where the XG validates the real server certificate.

If you see the message "HTTPS access is denied due to invalid server certificate," the second tunnel failed validation. Disabling "Block invalid certificates" under Web > Protection > HTTPS Decryption and Scanning lets those sites load, but it also stops the XG from rejecting expired, self-signed or mismatched certificates for every site, so treat it as a diagnostic step and re-enable it once the affected site has been identified.

Antivirus Scanning and Pattern Update Failures

If web browsing stops working entirely, the AV scanner may be the cause: without valid AV signatures, which are downloaded through up2date (u2d), scanning fails for every page. In Backup & Firmware > Pattern Updates, check that both "Avira AV" and "Sophos AV" show Success with a current date. If those entries are blank, the system is not even checking for updates.

Setting / Service                 Status / Requirement          Action
Avira AV / Sophos AV              Success with current dates    Verify Pattern Updates
Anti Virus Service                Running                       Check System Services
Action on Malware scan failure    Block (best protection)       Change to "Allow" only for troubleshooting
HTTPS Decryption                  Enabled                       Install the XG CA certificate in the client's trusted root store

Under Web > General Settings > Malware and Content Scanning, changing Action on Malware scan failure from "Block" to "Allow" will usually make pages load again, but only because unscanned traffic is now passed through; use it to confirm the diagnosis, not as a fix. To find out why the updates fail, open the Advanced Shell (Option 5 > Option 3 in the console admin menu) and look for errors in /log/u2d.log.