Web Filtering with Full Transparent Mode on ESXi

Question

I'm trying to run Sophos UTM in Full Transparent mode using a bridged network connection, however web filtering is not working. These forums have a lot of information but I still haven't been able to solve this. If anyone can spot the issue or any other tips I'd really appreciate it!

The network is physically connected as:
ISP modem <-> Sophos UTM <-> Router #1 <-> Router #2

Internet traffic flows through fine, but the Dashboard always says "Web Filtering is active, 0 requests served today" whether I browse the web through Router #1 or Router #2.

Sophos UTM 9.409 has been installed based on these instructions:
http://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-9-3-using-full-transparent-mode/

Sophos UTM was installed as a VM on ESXi 6.0 Update 2. ESXi is running on a Dell Optiplex 755 with a 2- NIC network card installed for the bridged interface, and the onboard NIC is used for management.

The management port and the LAN port are plugged into Router #1, while the WAN port is plugged into the ISP modem.

vSphere Client > 192.168.7.99 > Configuration > Networking:

vmnic0
- Management network
- 192.168.7.99
vmnic1
- WAN
- Promiscuous mode turned on
vmnic2
- LAN
- Promiscuous mode turned on

Sophos UTM web admin > Interfaces & Routing > Interfaces:

eth0
- "Internal"
- Dynamic IP: unchecked
- 168.7.100/24
br0
- "External (WAN)"
- Dynamic IP: unchecked
- 0.0.0/0
- IPv4 default GW: unchecked

Router #1:

192.168.7.1
DHCP enabled (192.168.7.2 to 101)
DHCP reservations for:
- 192.168.7.2 (Router #2)
- 192.168.7.99 (ESXi server)

Router #2:

192.168.7.2
OpenWRT running as access point

I added the Any / Any / Any firewall rule as noted in the instructions.

Sophos UTM > Support > Tools > Ping Check always returns "Ping check did not deliver a result, because of a probably non-existing ip address / hostname." whether I use the "Internal" or "External (WAN)" interface.

This thread was automatically locked due to age.

DouglasFoster · Answer

The most important documentation about UTM is not in the manual; we forum users have had to write it. Here is a recommended reading list. You need a baseline understanding of how UTM works before starting deployment. UTM does not have security zones like other firewalls, so you need to get into its mindset. Here is a recommended reading list: 
 Everything in the Wiki Section 
 https://community.sophos.com/products/unified-threat-management/w/utm-wiki 
 Bob Alfson's RULZ document, particularly the part that explains the processing order as a packet goes through UTM. 
 https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz 
 This document on web filtering lessons learned 
 https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned 
 and optionally, this document on log analysis using SQL. 
 https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned 
 Your goal should be to use both web filtering modes. The reasons why are explained in the Lessons Learned document. You should distribute the UTM CA certificate to all of your desktops for either web filtering mode. Transparent mode needs it when https pages are blocked or warned, Standard Mode needs it for all https pages. 
 As an undocumented feature, a Transparent Mode Filter Profile also enables Standard Mode with the same settings. If you want to use different settings, create Standard Mode profiles and give them higher priority so that they are evaluated first. I use AD SSO for Standard Mode and None for Transparent Mode. 
 In bridged mode, you should specify Full Transparent mode, as you have. AD SSO does not work with Transparent Mode in a bridged configuration, so you need to use a different authentication method or none. 
 But to your current problem. There are only a few possibilities: 
 
 You have not blocked UDP 443 at the firewall, and all of your tests use Chrome with https sites. Chrome has the 'QUIC' protocol which is ignored by the transparent web filter. If UDP 443 is blocked, Chrome will switch to TCP 443 and behave like UTM expects. 
 The web filter is turned off. You assure is that this is not the case. 
 None of the Filter Profiles have the desired IP addresses in the Allowed Networks list. If the Allowed Networks list is correct, the web filter will do something with the packet. So this should be an easy fix. Whether the web filter does what you want will involve other configuration steps, but you have not gotten that far.