
Unable to define the outgoing interface for Web Filtering

Hi,

For the first time, I've tried to activate the optional outgoing interface with the command "cc set http enable_out_interface 1", as described in https://community.sophos.com/kb/en-us/126892.

The new field appears in the WebAdmin Web Filtering. I have tried to put some of my secondary WAN IP addresses, but without success; the source IP address for Web traffic is always my default WAN address.

Please, can someone confirm that this feature works, and with version 9.605?

Thank you,

Romano



  • Salut Romano,

    Please show us a picture and a log line like:

    2019:10:31-10:39:43 secure httpproxy[21585]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.2x.y.65" dstip="" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe1d53800" url="https://client.dropbox.com/" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="342" device="1" auth="2" ua="" exceptions="auth,content,url,cache,size"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    As you can see:

    2019:11:03-18:57:19 portal-2 httpproxy[6301]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.x.x" dstip="62.2.148.4" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default filter action)" size="173" request="0xc79e4a00" url="http://www.myip.ch/" referer="" error="" authtime="0" dnstime="72038" aptptime="84" cattime="43228" avscantime="7297" fullreqtime="162368" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="178" reputation="unverified" categoryname="Internet Services" country="Switzerland" sandbox="-" content-type="text/html"
     
    And the resulting IP address is my WAN address, not the WAN Tests address.
     
    Cheers,
    Romano
     
     
  • OK, Romano, we are led ineluctably to conclude that there's an SNAT rule capturing the traffic.  Do you have an SNAT that uses "WAN (Address)" for traffic from Any?

    Cheers - Bob

     
  • Hi Bob,

    I have just one SNAT rule, but not for WAN IP.

    I have tried to disable Masquerading, SNAT, WAF, without success.

    If it's working for others, I think some setting (HA, Uplink balancing, GeoIP, ??) disturbs this option....

    Cheers,
    Romano

  • Please show us a picture of your Multipath rules.

    Cheers - Bob

     
  • Hi Bob,

    Today, Uplink Balancing is not activated, but it was some months ago.

    I was thinking about that too, because the Multipath is activated on the other customer device where I have tried to set the outgoing interface for Web Filtering.
    But the Uplink Interfaces seem to be deleted on mine.

    Cheers,

    Romano

  • I think you will need someone to look at your setup, Romano.  Please tell us what Sophos Support says about this.

    Cheers - Bob

     
  • Hi Bob,

    Are you sure it is possible to choose a secondary WAN IP address for the outgoing interface?

    It's like the UTM always uses the primary (default) IP address of the chosen Interface Address.

    Cheers,
    Romano

  • I've used this successfully and Jaydeep just confirmed that it works, Romano.  I hope this isn't a glitch that requires you to reload from ISO and then restore from backup.  Sophos Support might see something in there that we haven't thought of, so I would go there next.

    Cheers - Bob

     