PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
You may occasionally see the domain fw-notify.net used when your Sophos UTM is filtering web traffic. This may cause some questions, as the domain appears to be external.
This article explains how and why this domain is used, and confirms that internal information is not being sent to this external domain.
The fw-notify.net domain is a placeholder domain, used to point users to the Sophos UTM that protects their network.
In certain circumstances, the UTM may need to display information to a client computer which it is filtering traffic for. For example, a web request may time out, or receive an error response back from the remote host, or the UTM may be blocking a URL due to filter settings, or the need to request authentication before allowing a user to surf.
The UTM could simply return this error as the contents of the requested page, but this could be problematic for a number of reasons. The best practice is to redirect the client to a separate URL, and display the error from that address. Under these circumstances, the UTM could use an IP address, but there are circumstances where this may also be problematic.
In cases where the UTM needs to display a message, it is already filtering outbound web requests, so the safest way to perform the redirect is to redirect to an external URL and intercept that. This ensures that the client request for that URL will also be handled by the UTM.
To accomplish this safely, Sophos uses the fw-notify.net domain. Sophos owns the DNS name fw-notify.net, and it exists as a publicly resolvable domain, but any web traffic sent to that domain is intercepted by the UTM.
There is no webserver running at the IP that *.fw-notify.net resolves to. When a request is made to that domain, the UTM will treat that request as a redirect to itself. The request will not pass outward to the internet, but will be processed by the UTM. For example, the URL http://passthrough.fw-notify.net/cacert.pem will return the public HTTPS signing certificate of the filtering UTM, which it will use for HTTPS scanning.
Using this externally resolvable domain ensures that no matter what the network setup, the UTM always has a URL that can be safely given to client computer that will point back to itself.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.