You may see some common sites in this list, such as microsoft.com, and (rightfully) wonder what it is doing in the Uncategorized section.
1. Reports show the Category as per Sophos UTM's logs
The first point to understand is that Fastvue Sophos Reporter is simply reporting on what Sophos UTM is logging. When Sophos UTM does not log a category for a web hit, it will be displayed as Uncategorized in Fastvue Sophos Reporter.
2. Reports often show the Domain only, not the Full URL.
The second point to understand is that Fastvue Sophos Reporter's Overview Reports only report the website domain, whereas Sophos UTM performs URL categorization on the entire URL as well as the page content itself.
This can be a common source of confusion. For example, the website fastvue.co should be categorized as Information Technology; however, the URL fastvue.co/careers may be categorized as Job Search.
If the Fastvue Report is only showing the domain, then fastvue.co may be shown in the Job Search category.
You can find the full URL for uncategorized traffic in Fastvue Sophos Reporter:
- Go to Reports | Activity Report and click the Filters button.
- Enter the filter:
  - Category 'Equal to' Uncategorized
  - Site Domain 'Equal to' microsoft.com (or any other site you are confused about)
- Select your desired date range (such as 'Today') and click Run Report.
- Expand the rows in the Activity Report to view the full URLs.
Here you can see that my Uncategorized web traffic to microsoft.com is for the following URLs:
Now that we know the full URLs that Sophos UTM is not categorizing, we can check the URL on the UTM itself using the Policy Helpdesk feature (see below).
3. URL Filtering Exceptions Will Not Have a Category
The third point to understand is that Sophos UTM will not log a category when the web traffic is excluded from URL Filtering. In your Sophos UTM's web admin interface, go to Web Filtering | Filtering Options | Exceptions. You will notice quite a few exceptions that come by default on Sophos UTM, some of which exclude the URL filtering feature.
Web traffic that is excluded from URL Filtering will never make it into Sophos UTM's content filtering and categorization engine, and Sophos UTM will not log a category for it.
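The following added example (not part of the original article, and not Fastvue or Sophos code) illustrates points 2 and 3 on constructed log lines: a domain-only roll-up mixes the categories of different URLs, and a hit skipped by a URL Filtering exception carries no category. The key="value" layout, the field names `url`, `categoryname` and `exceptions`, and the `url` exception token are assumptions made for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines, not real UTM output. The key="value" layout, the
# field names url/categoryname/exceptions and the "url" exception token are
# assumptions of this example.
SAMPLE_LOG = """\
httpproxy: action="pass" url="http://fastvue.co/" exceptions="" categoryname="Information Technology"
httpproxy: action="pass" url="http://fastvue.co/careers" exceptions="" categoryname="Job Search"
httpproxy: action="pass" url="http://microsoft.com/example/a" exceptions="av,url"
httpproxy: action="pass" url="http://microsoft.com/example/b" exceptions="" categoryname=""
httpproxy: action="pass" url="http://microsoft.com/" exceptions="" categoryname="Information Technology"
"""

PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse(log):
    """Yield one dict of key="value" fields per log line that has a url."""
    for line in log.splitlines():
        fields = dict(PAIR.findall(line))
        if "url" in fields:
            yield fields


def category_of(fields):
    """A missing or empty category is reported as Uncategorized."""
    return fields.get("categoryname") or "Uncategorized"


def categories_by_domain(log):
    """Domain-only roll-up: every category seen for any URL on that domain."""
    seen = defaultdict(set)
    for f in parse(log):
        seen[urlsplit(f["url"]).hostname].add(category_of(f))
    return dict(seen)


def uncategorized_hits(log, domain):
    """Full URLs behind a domain's Uncategorized hits, with the likely cause."""
    hits = []
    for f in parse(log):
        if urlsplit(f["url"]).hostname != domain or category_of(f) != "Uncategorized":
            continue
        excluded = "url" in f.get("exceptions", "").split(",")
        hits.append((f["url"], "URL Filtering exception" if excluded else "check in Policy Helpdesk"))
    return hits
```

Hits marked "check in Policy Helpdesk" are the ones worth testing on the UTM itself, since no exception explains the missing category.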
4. Test the Uncategorized URLs Using Sophos UTM's Policy Helpdesk Feature
The best way to find out how Sophos UTM is categorizing and handling a URL is to use the UTM's Policy Helpdesk feature.
- Go to Web Protection | Policy Helpdesk
- Enter the uncategorized full URL from your Fastvue Activity Report (see Step 2 above)
- Click the Test button. (Note: You may also need to enter an IP or Username if your web filter profiles require authentication, or firewall rules block specific subnets)
- The URL Category will be shown along with the Action (Result), Policy and any Web Filtering exceptions.
5. Add URL Category Overrides
You can ensure that these full URLs are categorized appropriately by adding URL Category Overrides in Sophos UTM:
- Go to Web Protection | Filtering Options | Websites
- Click New Site
- Add the URLs you want to categorize into the top edit box
- Select the desired Category and Reputation and click Save.
Any future traffic to those URLs should now be categorized appropriately, and reported correctly in Fastvue Sophos Reporter.