Have you tried using a Custom Category instead of an Exception for this purpose. You can use the YouTube video ID as a keyword in a Custom Category. You can import lists of keywords from a text file. You can then make a web policy rule that allows that Custom Category and place it before the rule that blocks YouTube.
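To build the keyword text file the reply describes, an administrator needs the bare video IDs rather than full URLs. The following helper is an added example (not Sophos code and not part of the original post); it assumes the common YouTube URL shapes (watch?v=, youtu.be/, embed/, shorts/) and the 11-character ID format, and returns a de-duplicated list ready to import into a Custom Category.

```python
"""Extract YouTube video IDs from a list of URLs for a Custom Category keyword file.

Added example, not Sophos code. Assumes the common YouTube URL shapes and
that video IDs are 11 characters from [A-Za-z0-9_-].
"""
import re
from urllib.parse import parse_qs, urlparse

VIDEO_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")
YT_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be",
            "youtube-nocookie.com", "www.youtube-nocookie.com"}


def youtube_video_id(url: str):
    """Return the video ID from a YouTube URL, or None if it is not a video URL."""
    u = urlparse(url.strip())
    host = (u.hostname or "").lower()
    if host not in YT_HOSTS:
        return None                      # anything else is not a YouTube video link
    candidate = None
    if host == "youtu.be":
        candidate = u.path.strip("/").split("/")[0]          # youtu.be/<id>
    elif u.path == "/watch":
        candidate = parse_qs(u.query).get("v", [None])[0]    # /watch?v=<id>
    else:
        parts = u.path.strip("/").split("/")
        if len(parts) >= 2 and parts[0] in ("embed", "shorts", "v", "live"):
            candidate = parts[1]                             # /embed/<id> etc.
    if candidate and VIDEO_ID.match(candidate):
        return candidate
    return None


def build_keyword_list(urls):
    """De-duplicated IDs, in first-seen order, one per line for the keyword import."""
    ids = []
    for line in urls:
        vid = youtube_video_id(line)
        if vid and vid not in ids:
            ids.append(vid)
    return ids


# Constructed sample input (IDs are made up, not real videos).
SAMPLE_URLS = [
    "https://www.youtube.com/watch?v=AbCdEf12345",
    "https://youtu.be/XyZ_-09876Q?t=30",
    "https://m.youtube.com/watch?v=AbCdEf12345&feature=share",  # duplicate
    "https://example.com/watch?v=AbCdEf12345",                   # not YouTube
    "https://www.youtube.com/watch?v=short",                     # malformed ID
]

if __name__ == "__main__":
    print("\n".join(build_keyword_list(SAMPLE_URLS)))
```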
XG Firewall provides a number of enhancements that help in dealing with proxies like Psiphon, including Synchronized App Control, which can identify traffic based on the desktop application that it originates from. Consider upgrading to XG Firewall.
It is not clear what behaviour you want in XG from this post or what problem you are trying to solve.
In version 17.1 we introduced an option in the Firewall rule that allows you to quickly block QUIC traffic, which forces browsers to revert to regular HTTP.
Our recommended solution for this right now is to block QUIC in the firewall. This can be done by adding a rule that blocks outbound connections to UDP ports 80 and 443. Browsers will automatically fall back to using regular HTTP/HTTPS.
In the short term, we plan to add a feature to make this blocking simpler to implement.
In the longer term we will investigate providing direct support to enable full Web Protection for the QUIC protocol.
I hope I have translated your request correctly.
We are planning a separate update soon after the release of v9.6 that will allow SafeSearch enforcement even without HTTPS decryption, which is why I did not mention that in particular.
88 votes · Started · Admin Rich Baldry (Product Owner, Web Protection, Sophos Features & Ideas Laboratory) responded
This feature is currently being worked on for inclusion in version 17.2.
It will enable per-policy settings for SafeSearch as well as separate settings for YouTube, including the ability to select Strict or Moderate mode.
@Jeremy, do you believe we need to do anything special to enable that? My understanding is that if you are logged-in as a user of a GSuite domain that has approved a video or a channel, it will work even though restricted mode is enforced.
Thanks for your idea. I'd like to ask a few questions to help understand the requirement.
1. Which of those lists do you find most useful for the different situations?
2. Do you have more specifics about why you think Sophos's ATP is prone to false positives? This comment also implies that you've found community blacklists to be more reliable? Do you have data to back that up? Or is it simply that you're looking to use lists that are beyond the scope of ATP?
3. You filed this request against Web protection. Are you looking just to block Web traffic with these blacklists? Or do you really want to use the lists to block traffic to specific IP addresses or ranges at the Firewall level?
Note also that Custom Categories under Web Protection provide some ability to consume blacklists in the right format. This would normally be a URL/Hostname based format rather than IP blacklists.
Can you provide a bit more information about what problem you're trying to solve here? If you're trying to control web access, you can tag URLs/FQDNs in the Websites list under Web Protection and manage access with a Web Policy.
95 votes · Started · Admin Rich Baldry (Product Owner, Web Protection, Sophos Features & Ideas Laboratory) responded
This feature is included in the upcoming v17.5 release (v17.2 was renamed).
It's currently slated for v17.3.
Great points. Thanks for the feedback. We'll certainly take it into account and keep brainstorming on how best to provide this kind of feedback when it can't be delivered directly in the browser.
Have you tried running with virus protection in Batch mode? It does provide the notifications when malware is found. You may find that the difference in behaviour is not too noticeable.
As Michael points out, because real-time mode starts sending the file content before the decision is made to block, the browser would mostly fail to recognise or render an HTML block message if we sent it after the aborted file content.
If there was another, out-of-band method for sending such notifications, do you think it would be useful? For example, a message displayed on the Windows desktop via the Authentication Agent, or maybe using a browser add-on?
Are you suggesting that we produce an endpoint client software on Windows (and Mac) that can synchronize web policies with XG Firewall and enforce them even when the endpoint machine is taken away from the corporate network?
You can put a custom logo in the top of the page and also underneath the text in the page.
There is another feature request already open for complete customization of block pages. If you're looking for something beyond the logo customization that's already possible, I suggest you vote for this one.
Can you give more detail about why they want to do this? It will have no impact on product behaviour.
We have QUIC on our radar and are monitoring the business priority of implementing full filtering for this.
For the SG UTM, it is of course possible to create a specific firewall rule that blocks outbound traffic on UDP ports 443 and 80. This has the effect of forcing QUIC-capable browsers to revert to HTTPS. We have not yet come across any situations where this impacts the availability of web sites or services.
We are adding a feature in version 17.1 of XG Firewall where you can specify in a firewall rule that QUIC traffic should be blocked.
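Blocking UDP 80/443 outright, as the replies above describe, forces QUIC fallback but cannot tell QUIC apart from any other UDP traffic on those ports. The following parser is an added example (not Sophos code and not part of the original posts) showing what a firewall has to inspect to recognise IETF QUIC directly: the long-header layout from RFC 9000 (header-form and fixed bits, version, connection IDs). It assumes IETF QUIC v1 framing and a constructed sample datagram; Google's older gQUIC uses a different header and is not handled.

```python
"""Recognise IETF QUIC long-header packets (RFC 9000 layout) in a UDP payload.

Added example, not Sophos code. Assumes QUIC v1 framing; the sample
datagram below is constructed, not captured traffic.
"""
QUIC_V1 = 0x00000001
LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def parse_quic_long_header(payload: bytes):
    """Return a dict (type, version, dcid, scid) or None if not a QUIC long header."""
    if len(payload) < 7 or not payload[0] & 0x80:   # Header Form bit: 1 = long header
        return None
    first = payload[0]
    version = int.from_bytes(payload[1:5], "big")
    if version == 0:
        ptype = "VersionNegotiation"                 # fixed bit is arbitrary here
    else:
        if not first & 0x40:                         # Fixed Bit must be 1 in v1
            return None
        ptype = LONG_TYPES[(first >> 4) & 0x03]
    pos = 5
    dcid_len = payload[pos]; pos += 1
    if (version and dcid_len > 20) or len(payload) < pos + dcid_len + 1:
        return None                                  # v1 CIDs are at most 20 bytes
    dcid = payload[pos:pos + dcid_len]; pos += dcid_len
    scid_len = payload[pos]; pos += 1
    if (version and scid_len > 20) or len(payload) < pos + scid_len:
        return None
    scid = payload[pos:pos + scid_len]
    return {"type": ptype, "version": version, "dcid": dcid.hex(), "scid": scid.hex()}


def is_client_initial(payload: bytes) -> bool:
    """A client Initial is the datagram that starts a QUIC connection (RFC 9000 14.1: >= 1200 bytes)."""
    hdr = parse_quic_long_header(payload)
    return bool(hdr) and hdr["type"] == "Initial" and hdr["version"] != 0 and len(payload) >= 1200


# Constructed client Initial: 0xC0 = long header + fixed bit + type 0, version 1,
# 8-byte DCID 01..08, empty SCID, zero-length token, then zero padding to 1201 bytes.
SAMPLE_INITIAL = (bytes([0xC0]) + QUIC_V1.to_bytes(4, "big") + bytes([8]) +
                  bytes(range(1, 9)) + bytes([0, 0]) + b"\x00" * 1185)
# Constructed TLS ClientHello start, the kind of payload seen when QUIC is blocked and the browser falls back to TCP.
SAMPLE_TLS = b"\x16\x03\x01\x00\x05hello"

if __name__ == "__main__":
    print(parse_quic_long_header(SAMPLE_INITIAL), is_client_initial(SAMPLE_INITIAL))
```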
This is a tricky area to navigate. We will certainly look at this in the near future, but here is some context:
When the browser initiates a normal HTTP web request, we can intercept that request and substitute the HTML of a block page. Because HTTP has no security or connection validation, the browser just displays that HTML and the user sees a block page.
When the browser initiates an HTTPS request, we see an SSL/TLS handshake packet and make the decision to block based on that. The browser is expecting to receive a server TLS response. If we try to respond with HTML, it will drop the content and not display it. The only way to get the browser to display a block page is for us to pretend to be the server that you were connecting to, complete the TLS tunnel and send the HTML page through that. But that can cause other problems, such as security or certificate alerts popping up in the browser before the message is seen, which can be alarming to end-users.
In the past, Sophos Endpoint would use desktop popup messages to indicate when an HTTPS connection had been blocked. But this caused a lot of complaints, particularly because it would be visible even for blocking 'background' HTTPS connections like advertising or other issues which would have been invisible had they been HTTP.
@Suresh - I suggest you submit a separate feature request for this.
Removing the file size limit risks opening up the device to significant performance hits. Large files take a lot of effort to scan, especially as they tend to be archives or installers with a large number of individual elements inside.
A web gateway or firewall works best when used as a tool for blocking active attacks, not a way to sanitize large archives or ISO images that may have stored malware lurking on them.
Large file downloads should be scanned when they are stored and decompressed/extracted on endpoint devices. Endpoint protection will prevent any malware found there from executing.
Is this still causing issues? FaceTime is definitely on the list of supported apps. If you think it's not being identified correctly, perhaps try contacting support.
Neat idea! We can't tell which endpoint app from simply looking at the connection, but with Synchronized App Control we can find out directly from the source.
The problem with Web-based authentication is that we can challenge the user to login, but it is impossible to tell when they log out. The timeout is required to ensure that user sessions from different users at the same machine don't roll into each other.
It would help us understand the requirement if you could provide a bit more detail about the authentication method you're using. Is it NTLM authentication (where the browser sends the user's login credentials behind the scenes), Captive Portal (where a web page is shown for the user to enter their username and password) or are you using STAS (where you install an agent on the AD server and monitor login/logout events directly)?