Though you have not blocked Google URLs, they are being blocked by country blocking. Users see the block screen below with 'Country' shown as 'China':
A corresponding log entry will look like the following:
2014:04:28-12:00:00 UTM httpproxy: id="0067" severity="info" sys="SecureWeb" sub="http" name="web request blocked, connection to forbidden country" action="block" method="CONNECT" srcip="192.168.0.10" dstip="" user="" statuscode="403" cached="0" profile="REF_DefaultHTTPCFFProfile (Default content filter profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3258" request="0x1d352ee0" url="https://www.google.de" exceptions="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="5999" device="0" auth="0" country="China"
First seen in
On your Sophos UTM, you have Country Blocking enabled for China and Google has routed traffic through their servers located in China. This is not a UTM-specific problem or unexpected behavior, as it is caused by accessing a service or host with an IP addresses located in China.
Note: All other Firewall manufactures which utilize Country Blocking are affected as well. It also seems to be a problem with different GeoIP Providers, as some show the IP in China others in California.
What To Do
One solution is to disable Country blocking for China:
- Login to the WebAdmin.
- Go under Network Protection > Firewall > Country Blocking.
- Change China to 'Off':
- Click on 'Apply' at the bottom.
Another solution is to add a Country Blocking Exception for the affected Google IP addresses:
- In WebAdmin, browse to Network Protection > Firewall > Country Blocking Exceptions.
- Click 'New Exception List...'
- Add a name.
- Under 'Skip blocking of these', do not select a country (in CBEs, as per the Live Help / Administrator Guide, countries to except should only be added for internal sites).
- Under 'For all requests', select 'going to these', and add a network object for the Google IP ranges you want to except into the 'Hosts/Networks' box.
- Under 'Using these services', add Any or HTTP & HTTPS.
- Click Save.