Sophos

Status
Not open for further replies.

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
How did you update?
Downloaded the package from their ftp and went to "Manual Up2Date Package Upload" ?
Mine at overview says:
Current firmware version:9.315-2
Your firmware is up to date.
So I am guessing that manual is the only way, right?
And I suppose I must first install 9.317-3 first...
Could you please tell me what version you had before?
I am left a bit behind...
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
Mine was an automatic update but I manually select when I allow it. Also, you and I are on different software paths, not exactly sure why Sophos developers did this but they did. I actually think your version is the better one and I'm hoping that my upgrade today catches me up.

From the Sophos forums from a few weeks ago...
"The upgrade path from 9.317 to 9.35 will be provided soon to make sure all fixes which went into 9.317 are also available in 9.35."

Sorry, I'm still not the expert on Sophos but eventually these two different software paths will merge.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I'm running the latest 9.35... at work, without issues.
The old version was 9.350-12 for me, new version did do quite a bit of updates. 9.350-12 worked flawlessly for me so I'm hoping the same can be said of the update. I just cringe at times when I update something that is working so well but I understand there were things that needed to be fixed so I upgraded.
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
This forum madness is killing me. Web filtering is inhibiting my ability to download anything onto my Xbox One, like new apps/games. It's also inhibiting my ability to download certain software on my workstation. My solution thus far has been to turn it off while it downloads and turn it back on after. I had asked for help on the forum and now it's impossible for anyone to reply!
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
This forum madness is killing me. Web filtering is inhibiting my ability to download anything onto my Xbox One, like new apps/games. It's also inhibiting my ability to download certain software on my workstation. My solution thus far has been to turn it off while it downloads and turn it back on after. I had asked for help on the forum and now it's impossible for anyone to reply!
You can bypass filtering for specific devices.

Look under advanced under web filtering options
 

gpsguy

Active Member
Joined
Jan 22, 2012
Messages
4,472
Yeh, I have 9.350. 9.351 was downloaded early this AM. I will probably wait a bit before deploying it.

The old version was 9.350-12 for me ....



Sent from my phone
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Mine was an automatic update but I manually select when I allow it. Also, you and I are on different software paths, not exactly sure why Sophos developers did this but they did. I actually think your version is the better one and I'm hoping that my upgrade today catches me up.

From the Sophos forums from a few weeks ago...
"The upgrade path from 9.317 to 9.35 will be provided soon to make sure all fixes which went into 9.317 are also available in 9.35."

Sorry, I'm still not the expert on Sophos but eventually these two different software paths will merge.

Well my version is 9.315 not 9.35 so perhaps I am the one with the older one..
I suppose there is an upgrade to 9.316, then 9.317, then 9.35, since they will provide upgrade from 9.317 to 9.35 (????)
I am really confused...
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Ok, I think that sophos people are watching this thread...
15 minutes ago my utm sent me 2 emails:
Versions 9.316004 and 9.317005 are available for automatic installation...loll
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
This forum madness is killing me. Web filtering is inhibiting my ability to download anything onto my Xbox One, like new apps/games. It's also inhibiting my ability to download certain software on my workstation. My solution thus far has been to turn it off while it downloads and turn it back on after. I had asked for help on the forum and now it's impossible for anyone to reply!
Once their forum is fixed (to the point all past posts are showing), I would recommend looking at the master list sticky under Web Protection, as it's of great help.

To get it up and running, do the following:
  1. Ensure your internal network group is added under Web Protection - Web Filtering - Allowed Networks
  2. Create a profile under Web Protection - Web Filtering - Exceptions:
    • Skip (tick) the following: Authentication, Block by Download Size, Extension blocking, MIME type blocking, URL Filter, Content Removal, SSL Scanning, Certificate Trust Check, Certificate Date Check, Do not display Download/Scan progress page
    • For all requests coming from these networks:
      • Create and Add a network group for your Xbox One
        • Create individual hosts for each LAN and WiFi IP (2 total, type: Host)
        • Create individual DNS hosts for each LAN and WiFi card (2 total, type: DNS Host)
  3. Under Web Protection - Web Filtering - Application Control - Advanced - Skip Hosts/Nets
    • Add the Network Group for your Xbox
  4. Under Web Protection - Web Filtering - Policies
    • Click Default Content Filter Action
      • Go to Downloads and delete the extensions you don't want to be blocked. This is generally used to secure corporate workstations.
      • If you utilize Netflix, you'll also want to add the following under Websites:
        • Add a new entry under Allow These Websites:
          • Match URLs based on: Domain
          • Under Domains, tick Include Subdomains, click the drop down, and select import (paste the below):
          • Code:
            ^https?://[A-Za-z0-9.-]*netflix-*.vo.llnwd.net/
            ^https?://[A-Za-z0-9.-]*nflximg.com/
            ^https?://[A-Za-z0-9.-]*nflxvideo.net/
            ^https?://[A-Za-z0-9.-]*netflix.com/
            ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
            ^https?://[\d+(\.\d+){3}/]*/[0-9]{8}\.ism
            ^https?://([A-Za-z0-9.-]*\.)?netflix-*\.vo\.llnwd\.net
            ^https?://[\d+(\.\d+){3}/]*/[0-9]{9}\.ism
            ^https?://[\d+(\.\d+){3}/]*/[0-9]{10}\.ism
            ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
            ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
            ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
            ^https?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
            ^https?://secure\.netflix\.com/*
            ^https?://uiboot\.netflix\.com/*
            ^https?://nintendo.nccp.netflix.com/
            ^https?://customerevents.netflix.com/
            ^https?://api-global.netflix.com/
            ^https?://([A-Za-z0-9.-]*\.)?nflxvideo.net/
            ^https?://ipv6_1.lagg0.c[0-9]{1,3}.[A-Za-z][A-Za-z][A-Za-z][0-9]{1,3}.ix.nflxvideo.net/
            ^https?://([A-Za-z0-9.-]*\.)?nflximg\.net\.?/
            ^https?://cdn[0-9].nflximg.com/
            ^https?://cdn[0-9].nflximg.net/
            ^https?://108.175.[0-9]{1,3}.[0-9]{1,3}/\?o=([A-Za-z0-9.-]*\.)?
  5. Netflix also requires an additional filtering profile. Create a profile under Web Protection - Web Filtering - Exceptions:
    • Skip (tick) the following: Authentication, Block by Download Size, Extension blocking, MIME type blocking, URL Filter, Content Removal, SSL Scanning, Certificate Trust Check, Certificate Date Check, Do not display Download/Scan progress page
    • For all requests Matching these URLs (drop down menu, import)
    • Code:
      ^https?://[A-Za-z0-9.-]*netflix-*.vo.llnwd.net/
      ^https?://[A-Za-z0-9.-]*nflximg.com/
      ^https?://[A-Za-z0-9.-]*nflxvideo.net/
      ^https?://[A-Za-z0-9.-]*netflix.com/
      ^https?://([A-Za-z0-9.-]*\.)?ne?t?fli?x(img|ext|video)?\.(com|net)/
      ^https?://[\d+(\.\d+){3}/]*/[0-9]{8}\.ism
      ^https?://([A-Za-z0-9.-]*\.)?netflix-*\.vo\.llnwd\.net
      ^https?://[\d+(\.\d+){3}/]*/[0-9]{9}\.ism
      ^https?://[\d+(\.\d+){3}/]*/[0-9]{10}\.ism
      ^https?://([A-Za-z0-9.-]*\.)?nflximg\.com\.?/
      ^https?://([A-Za-z0-9.-]*\.)?nflxvideo\.net\.?/
      ^https?://([A-Za-z0-9.-]*\.)?netflix\.com/
      ^https?://([A-Za-z0-9.-]*\.)?netflix-*.vo.llnwd.net/.*
      ^https?://secure\.netflix\.com/*
      ^https?://uiboot\.netflix\.com/*
      ^https?://nintendo.nccp.netflix.com/
      ^https?://customerevents.netflix.com/
      ^https?://api-global.netflix.com/
      ^https?://([A-Za-z0-9.-]*\.)?nflxvideo.net/
      ^https?://ipv6_1.lagg0.c[0-9]{1,3}.[A-Za-z][A-Za-z][A-Za-z][0-9]{1,3}.ix.nflxvideo.net/
      ^https?://([A-Za-z0-9.-]*\.)?nflximg\.net\.?/
      ^https?://cdn[0-9].nflximg.com/
      ^https?://cdn[0-9].nflximg.net/
      ^https?://108.175.[0-9]{1,3}.[0-9]{1,3}/\?o=([A-Za-z0-9.-]*\.)?
      ^https?://108.175.(3[2-9]|4[0-7]).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))/\?o=([A-Za-z0-9.-]*\.)?
      ^https?://198.38.(9[6-9]|1([0-1][0-9]|2[0-7])).([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))/\?o=([A-Za-z0-9.-]*\.)?
      ^https?://[0-9]{1,3}.[0-9]{1,3}/\?o=([A-Za-z0-9.-]*\.)?
    • OR coming from these user agents (drop down menu, import)
    • Code:
      Mozilla/5.0 (compatible; U; Nflx) Netflix/[0-9].[0-9].[0-9]
      Gibbon/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4}: Netflix/[0-9]{1,4}.[0-9]{1,4}.[0-9]{1,4} (DEVTYPE=NFX[0-9]{1,4}-[0-9]{1,4}-; CERTVER=[0-9]{1,4})
 
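An added check, not part of the post above or of any Sophos tooling: a short Python script (Python's re module stands in for the UTM's own regex engine, an assumption) that runs three of the exception patterns from the list against constructed URLs. It shows why the escaped, subdomain-anchored form is the one to keep: the patterns with unescaped dots and no domain boundary also exempt look-alike hosts from SSL scanning, and the `[\d+(\.\d+){3}/]*` prefix is a character class rather than an IPv4 matcher.

```python
import re

# Three patterns copied from the exception list in the post above.
PATTERNS = {
    # Unescaped '.' and no boundary before the domain name.
    "broad": r"^https?://[A-Za-z0-9.-]*netflix.com/",
    # Escaped '.' with an optional, dot-terminated subdomain prefix.
    "strict": r"^https?://([A-Za-z0-9.-]*\.)?netflix\.com/",
    # The square brackets make this a character set of digits, '+', '(', '.',
    # ')', '{', '3', '}' and '/', not "four dotted numbers".
    "ism": r"^https?://[\d+(\.\d+){3}/]*/[0-9]{8}\.ism",
}


def matching_patterns(url: str, patterns: dict = PATTERNS) -> list:
    """Names of the exception patterns that would fire for this URL."""
    return [name for name, pat in patterns.items() if re.match(pat, url)]


def audit(urls: list, patterns: dict = PATTERNS) -> dict:
    """Map every URL to the exception patterns that skip scanning for it."""
    return {url: matching_patterns(url, patterns) for url in urls}


# Constructed sample URLs (hypothetical, not taken from the post).
SAMPLE_URLS = [
    "https://api-global.netflix.com/",  # real-looking host: both forms match
    "https://evilnetflix.com/",         # look-alike: only "broad" matches
    "https://netflixXcom/",             # unescaped '.' matches any character
    "http://1.2.3.4/12345678.ism",      # what the "ism" pattern was meant for
    "http://((((/12345678.ism",         # also accepted by the character set
]

if __name__ == "__main__":
    for url, hits in audit(SAMPLE_URLS).items():
        print(f"{url:40} -> {hits or 'scanned (no exception)'}")
```

Any URL that lists only "broad" or "ism" is one the exception exempts without being a Netflix endpoint, so those entries deserve the escaped form before the list goes into a Decrypt and Scan profile.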

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I think it is humorous that one of the longest-running FreeNAS forum threads is about sophos. You've managed to surpass cyberjock's presentation. :D
As long as it's useful I think it's a good thing, but it has been running much longer than I ever expected.

I am really confused...
I think we all are but I believe 9.317 will eventually upgrade automatically to 9.351-3 (or the current version of that time) in the near future.

This forum madness is killing me. Web filtering is inhibiting my ability to download anything onto my Xbox One, like new apps/games. It's also inhibiting my ability to download certain software on my workstation. My solution thus far has been to turn it off while it downloads and turn it back on after. I had asked for help on the forum and now it's impossible for anyone to reply!
As mentioned above, you can apply an exception to specific devices and I do this to all my cellphones, DVD Player, TV, DirecTv, Roku's, etc... If it's not a typical computer then I allow it to bypass the web filtering. When it comes to my computers, I haven't had an issue with downloading software or even playing Netflix. So to add specific devices you need to bypass the filtering to the "Skip Transparent Mode Source Hosts/Nets" section (see attached image).
[attached image: Capture.JPG]



Also you might want to try just using URL filtering (see below):
[attached image: Capture1.JPG]
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
...I haven't had an issue with downloading software or even playing Netflix.
You'll only need to create the web filtering rules for Netflix (and other services) in my previous post if you have HTTPS Scan Settings set to Decrypt and Scan. The reason stems from when the packet is re-encrypted, it's done so using the Sophos Proxy CA which isn't trusted by the services, thereby the services reject those packets, as it appears as a possible MITM attack or that the packet is corrupted.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
I actually think that was one of the reasons I changed to scanning the URL only. It's not the best protection but it's so much better than my crappy NAT only firewall.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I completely understand why one would choose to set it to URL scanning only, as I spent days and weeks extremely frustrated trying to get services to work one day, only to have something different not work the next. Most simply don't have the time, let alone the patience, to spend hours trying to troubleshoot why traffic is being blocked, by what policy, and how to allow the service access.

Netflix was a huge headache for me, as while some recommendations worked for one series, it wouldn't for another. I finally cobbled together a URL list combined from the master list on the astaro forum, as well as from other threads, and was finally able to watch Netflix without issue... but it took over a week and hours of research and fiddling to get to that point.

For any that do choose to set it to decrypt and scan, prior to doing so, ensure you add the suggestions from the master list that's stickied on the astaro forum (now the sophos forum). It definitely requires tweaking prior to enabling, otherwise it's a huge headache.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,996
otherwise it's a huge headache
I agree. So how is the Orion Nebula these days? Are things still traveling at near the speed of light or has WARPing been put into place?

Cheers!
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
As mentioned above, you can apply an exception to specific devices and I do this to all my cellphones, DVD Player, TV, DirecTv, Roku's, etc... If it's not a typical computer then I allow it to bypass the web filtering.

I have no problem with this in regard to the Xbox One. I had initially tried this, but apparently I was doing it incorrectly. In regards to my PC, one particular issue I have is when it comes to downloading things through Steam. It doesn't appear to work at all. Another is Nvidia updates through the Nvidia Experience app. It recognizes updates are available but will fail to download them when web filtering is active.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I agree. So how is the Orion Nebula these days? Are things still traveling at near the speed of light or has WARPing been put into place?

Cheers!
Hot... damn place never cools down lol

I'm having a slight problem getting traffic routed correctly on Sophos to my second LAN on FreeNAS
  • Sophos main (br0) subnet 192.168.2.0/26 (of which eth0 on FreeNAS is a part of and traffic routes fine)
  • Sophos vlan br0.1 (of br0) subnet 192.168.2.64/26 (of which eth1 on FreeNAS is a part of and assigned .100)
    • I need the second vLAN subnet for the DHCP server I want serving FreeNAS jails
I can ping FreeNAS's eth1 .100 address with no issue, but am unable to access shares or the webadmin via the .100 address (it's bound to 0.0.0.0)

I currently have DNAT setup:
  • 192.168.2.0/26 (network) [traffic from] -> Any -> 192.168.2.64/26 (network) [going to] -> Translate to 192.168.2.65 [change destination to]
  • Firewall rule allowing access to and from .0/26 and .64/26
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I have no problem with this in regard to the Xbox One. I had initially tried this, but apparently I was doing it incorrectly. In regards to my PC, one particular issue I have is when it comes to downloading things through Steam. It doesn't appear to work at all. Another is Nvidia updates through the Nvidia Experience app. It recognizes updates are available but will fail to download them when web filtering is active.
Refer to #4
 