Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
In reply to BrucekConvergent:
ok i ge it, but why this service does not work if i set it up in the firewall Rules ? i need to set it for a vlan ! not for the whole Network
thanks in advance and regards.
In reply to LuisApodaca:
I'm not sure what you want to do, Luis. If you want the traffic to be handled by the Web Filtering Proxy used in Standard mode, you must add the Service on the 'Misc' tab. If you don't want to use the Proxy and you already have a firewall rule, do you have a masquerading rule for the VLAN?
Cheers - Bob
In reply to BAlfson:
I am tring to allow a new service, port 141 tcp/udp, we had not this one before, so i made a new service definition but, I dont really like to setup those ports in " Web Protection / Filtering Options / Misc Settings / Allowed Target Services ", because I wont use those for the whole network
I need to allow the service in just one particular vlan, that is why I tried to set it up the port in the Firewall rules and it doesn´t work, untill i set it up in Target Services
i am doing somethig wrong ? or that's the way it should be ?, i am confused !
Adding that service in Filtering Options allows it to be used with the Web Filtering Proxy. Check #2 in Rulz and you will see that your firewall rule can have no effect on traffic handled by the Proxy. It sounds like you need to have a separate Web Filtering Profile for that VLAN that is allowed access to some sites that the subnets in the Default Profile are not allowed to reach. Or, you could do the same with an Exception from URL Filtering for requests coming from the VLAN and going to sites that are prohibited in the Default Profile.
ok, i think the first time i read Rulz i got it right, and if i did, the right way is web Filtering before Firewall rules
and in my web Filtering i have the entire Lan in allowed Networks with the default setting (HTTP, HTTPS, plus HTTPProxy) an in the Firewall rules i only have setups for other services that are not the default, and we have them in separated vlans
sorry if i forgot to tell you all this !!
that´s why i am confuse, the port 141 tcp/udp it is not one by the default, it is not some http port and if is not, why is not working whe i set it up in the firewall rules? and it work only in the web Filtering ?
I just want to avoid my confusion, but hey, remember this is working by now, it is not something to hurry
thanks and regards
When you configure a browser with an explicit proxy, it sends all of the traffic to the UTM Proxy, regardless of the port used in the URL.
ok, i let you an example of why i am confused;
Everything started when i needed to set a service definition for
this webpage send a "target service not allowed" message so i set that URL in "Filtering Options / Exceptions" and didnt work, and also in "Filtering Options / Websites" and didnt work either
in that moment i didnt get "Rulz" as i get it now, but at the end when i set it up this "SMS Bulker" - TCP:3000 in Firewall Rules for the vlan needed, it worked
This port 141 is not a default one as like 3000 either, that is why i wont set them in "Allowed Target Services"
so why this method is working with one port and not with "EMFIS" - TCP:141 ? what is the diference ?, did i loss something ?
Please show pictures of what you did to make 3000 work.
kind a magic !! or in the moment i configured i wasn't focused, right now is working as you told me, i setup a "Filtering Options / Websites" , and i deleted the rule from the Firewall rules and still working, i dont know why it worked before
so, the most probably thing it was my mistake, really sorry for lose your time, at least i can now make a more clean config in the UTM, by deleting the not useful config´s
In my case "Web Protection / Filtering Options / Misc Settings / Allowed Target Services" worked for me to allow content to TCP port 8443. All other attempts to add URL exceptions did not work until I applied this port change.
Standard mode asks the browser to send all traffic to the proxy. The proxy only allows 80, 443, and any ports added to the additional services list. Other ports are blocked, as you have discovered.
If standard mode is bypassed for any reason, transparent mode might be triggered, depending on your configuration. Transparent mode only sees ports 80 and 443. All other ports will bypass the proxy.
Traffic that is handled by the proxy will bypass the firewall rules completely. Traffic that is not handled by any proxy will be evaluated by the firewall rules.
Chrome has the QUIC protocol which uses UDP 443 for TLS (primarily with Google-technology servers)
This traffic may evade your proxy and be processed by firewsll rules. So QUIC may be the reason your firewall rule had some effect.
You should block UDP 443 in the firewall to disable QUIC from bypasding the proxy. You can condider adding it as an additional service to allow it as long as the standard proxy is used. If QUIC is blocked, normal TCP 443 is used.
Sophos has made no statement about their ability to evaluate QUIC traffic, so I have chosen to keeo it blocked.
In reply to DouglasFoster:
To elaborate on QUIC: my testing says that Chrome behaves as follows:
1) attempt UDP 443 on standard proxy (UTM will return an error by default, causing the search to continue.)
2) attemot UDP 443 without proxy (UTM will typically allow because of a catch-all "allow all outgoing" rule.)
3) attempt TCP 443 using standard proxy. (UTM will typically respond somehow, ending the search sequence)
4) attempt TCP 443 without proxy.
If standard mode is not used, UDP 443 is not detected by the proxy.
So you need to block UDP 443 at the firewall, in all configurations, to prevent Chrome from byoasssing your proxy, regardless of which proxy mode is used.
Adding UDP 443 to allowed services will allow QUIC to flow through the standard proxy, if you consider this desirsble and you are using standard mide.
ok, thanks everyone