Unrestricted web site access on wireless network

Hello.

I have a UTM9 (9.605-1 to be exact) and have recently created a new wireless network for staff to use on their personal devices (to allow them access to social media, file sharing, etc. without being on the corporate LAN).  It works, apart from some sites that just time out and don't work (mainly icloud.com, some web mail and online banking).  There is no message to say it has been blocked by the web filtering, so I assume it is not.

Have I missed something?  Is there additional configuration required to allow completely unrestricted web access from a particular wireless network?  I've tried creating a firewall rule to allow any traffic to any destination but that doesn't work.

Any help appreciated!

Thanks.

  • I should have mentioned that I have checked the various logs and don't see anything helpful.

  • Hi David,

    Most likely, you will find that those sites don't "like" the Proxy and that there are statuscode="50x" entries in the Web Filtering log.  The first thing to try is an Exception for antivirus scanning.  If that doesn't work, you will need to skip the Proxy for those sites.  Any luck?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob.

    Thanks for the reply.

    These devices aren't using the proxy (or at least it isn't specified in the browser).  Would they use it automatically if transparent mode is enabled?

    The sites work fine if I connect the devices to the WiFi network that is on our corporate LAN, which is odd (it goes through the same UTM).  I just don't want these devices on the corporate LAN, I need them segregated out.

    Where do I configure the AV exceptions for a WiFi network?

    Thanks.

  • In reply to David Webb:

    If the traffic goes through UTM on its way to the Internet, the Transparent Web Filter may be handling the traffic.  The "Allowed Networks" list for each filter profile determines whether the packet is accepted or not.  If you want to exclude that traffic from any filtering, you need to ensure that the subnet is not covered by any of the Allowed Networks lists.  But if Web Filtering is blocking the traffic, you should see a blocked message (for http) or a certificate error (followed by a block message if you proceed anyway) for https.

    If the traffic matches an Allowed Networks list, the next step is to consider whether https decrypt-and-scan is enabled for that profile or not.  Some sites have locked down their ciphersuites so tightly that UTM cannot connect to them when decrypt-and-scan is enabled.  This should generate a "connection refused" error, which should also produce a certificate error followed by a block page.

    A third possibility is that the IPS subsystem is blocking the traffic.  Check to see if the guest network is considered part of the "Internal Networks" list, and check the logs for evidence of traffic being blocked.  For best security I think you want this traffic excluded from the Internal Networks list used by IPS, but I do not know how that will affect filtering.  IPS blocks replies, so the symptom will be a timeout problem.

    But you may also have a routing or DNS problem.  The evidence against this is that you say it only affects some websites.

    Once your problem is understood, I recommend enabling transparent web filtering for guest users (probably without authentication and without decrypt-and-scan).  Create a profile with only the most objectionable content blocked.  I would also suggest configuring the DHCP server to direct DNS to Neustar DNS or Quad9 DNS, which block DNS lookups for known-bad DNS names.  I am assuming that your company lawyers and your human resources department probably want to prevent users on your guest network from downloading pornography or malware, even if the target is a personal device.

    You may also want to implement traffic shaping, to prevent one guest user from hogging all the bandwidth.

  • In reply to DouglasFoster:

    A few more things:

    If you use web filtering, the Filter Action for guest users requires a website setting to block both DNS names and IP addresses associated with internal websites.  Guest users should be forced to use WAF if internal websites are published externally.

    With or without web filtering, you should have a Firewall Rule to block any traffic from the guest network to the internal network using any service.  Guest users should go through the same remote access mechanisms as home users.

    Bob Alfson has a document on configuring Wireless Guest Networks.  Send him a private message to obtain a copy.

  • In reply to David Webb:

    Yes, they use it automatically if Transparent is available and the device is in a subnet in 'Allowed Networks'.

    It's likely the Exception will be in Web Filtering, but it depends on the logs.  The first thing to do is find some related lines in the Web Filtering log.  If there's nothing there, inspect the Intrusion Prevention log for anti-DoS activity.

    It would be interesting to know which subnets are in 'Allowed Networks' for which Web Filtering Profiles, whether each is in Transparent or Standard mode and which has 'Decrypt and scan' selection for HTTPS.

    Cheers - Bob
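The triage that Douglas and Bob describe above (is the guest subnet covered by any profile's 'Allowed Networks', is it inside the IPS 'Internal Networks' definition, and are there statuscode="50x" lines for it in the Web Filtering log) can be scripted so it is repeatable. The following is an added example and not code from the thread or from Sophos; the profile names, subnets and log lines are constructed, and the key="value" field names (srcip, statuscode, url) are assumed to approximate the UTM httpproxy log layout rather than taken from a real export.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed configuration snapshot (hypothetical profile names and subnets).
# Keys are Web Filtering profile names, values their 'Allowed Networks' entries.
ALLOWED_NETWORKS: Dict[str, List[str]] = {
    "Corporate Default": ["10.10.0.0/16"],
    "Guest Wireless": ["192.168.50.0/24"],
}

# Hypothetical IPS 'Internal Networks' definition used for the check in Douglas's post.
IPS_INTERNAL_NETWORKS: List[str] = ["10.10.0.0/16", "192.168.50.0/24"]

# Constructed Web Filtering log lines in a key="value" style that approximates the
# UTM httpproxy log; field names are assumptions, not a real export.
SAMPLE_WEBFILTER_LOG = """\
2019:05:10-09:12:01 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.50.23" dstip="203.0.113.10" statuscode="200" url="https://example.com/"
2019:05:10-09:12:05 utm httpproxy[1234]: id="0002" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.23" dstip="203.0.113.20" statuscode="502" url="https://www.icloud.com/"
2019:05:10-09:12:09 utm httpproxy[1234]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.10.4.7" dstip="203.0.113.20" statuscode="200" url="https://www.icloud.com/"
2019:05:10-09:12:12 utm httpproxy[1234]: id="0004" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.50.23" dstip="203.0.113.30" statuscode="504" url="https://onlinebanking.example.net/"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict (unquoted prefix fields are ignored)."""
    return dict(KV_RE.findall(line))


def in_any(subnet: str, entries: List[str]) -> bool:
    """True if `subnet` lies entirely inside one of the listed network objects."""
    net = ipaddress.ip_network(subnet, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(e, strict=False)) for e in entries)


def profiles_covering(subnet: str, allowed: Dict[str, List[str]]) -> List[str]:
    """Names of the Web Filtering profiles whose 'Allowed Networks' cover `subnet`."""
    return [name for name, entries in allowed.items() if in_any(subnet, entries)]


def proxy_errors_for_subnet(log_text: str, subnet: str) -> List[Dict[str, str]]:
    """Collect statuscode 5xx proxy log entries whose srcip falls inside `subnet`."""
    net = ipaddress.ip_network(subnet, strict=False)
    hits = []
    for line in log_text.splitlines():
        rec = parse_kv_line(line)
        src, code = rec.get("srcip"), rec.get("statuscode", "")
        if not src or not code:
            continue
        if ipaddress.ip_address(src) in net and code.startswith("5"):
            hits.append({"srcip": src, "statuscode": code, "url": rec.get("url", "")})
    return hits


def triage(subnet: str, allowed: Dict[str, List[str]],
           ips_internal: List[str], log_text: str) -> dict:
    """Apply the thread's decision order: proxy 50x first, then filter coverage, then IPS."""
    result = {
        "web_filter_profiles": profiles_covering(subnet, allowed),
        "ips_internal": in_any(subnet, ips_internal),
        "proxy_50x": proxy_errors_for_subnet(log_text, subnet),
    }
    if result["proxy_50x"]:
        result["next_step"] = "proxy 50x seen: try an antivirus-scanning Exception, then skip the Proxy for these hosts"
    elif result["web_filter_profiles"]:
        result["next_step"] = "proxied without 50x: check decrypt-and-scan and look for block pages"
    elif result["ips_internal"]:
        result["next_step"] = "not web-filtered: inspect the Intrusion Prevention log for dropped replies"
    else:
        result["next_step"] = "neither filtered nor IPS-protected: check firewall rules, routing and DNS"
    return result


if __name__ == "__main__":
    report = triage("192.168.50.0/24", ALLOWED_NETWORKS, IPS_INTERNAL_NETWORKS, SAMPLE_WEBFILTER_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against an exported Web Filtering log and the subnet of the guest SSID; an empty `proxy_50x` list together with an empty `web_filter_profiles` list matches David's later description (Standard mode, subnet not in Allowed Networks, nothing in the log), which is exactly when the IPS and firewall-rule checks become the next thing to look at.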

  • In reply to DouglasFoster:

    Hello Douglas.

    Thanks for the reply.

    Apologies, the web filtering is in Standard mode, not Transparent.  Also, the WiFi network is not listed in the allowed networks (I added it, but it made no difference, so I removed it), and there is nothing showing in the web filtering log for this subnet.

    Decrypt and scan is not enabled.

    I've ruled out DNS as I can get to plenty of other sites on this network, I'm just struggling with anything iCloud related, online banking and a few other random sites.

    It's odd that if I change to the Wi-Fi on our 'LAN' (Bridged to AP LAN) it works fine, so there is clearly something I'm missing.

    Thanks.