Question for excepting certain destination on the web filtering

Hi,

do you have a firewall rule that will allow this site to be accessed?

I suspect you need to add something like this *.google.com.*

Hi, 

www.google.com is just example for explaining. 

When i tested i tried to access www.npr.org. 

and i added a reject firewall rule for www.npr.org for blocking at the level of firewall. 

Thanks, 

Yujin, If I understand what you are trying to ask, you are using the product in a very nonstandard way.

It may be better if you describe your ultimate goal, and we can tell you how to meet that goal.

Right now you've already decided on a solution and are asking for help in that solution but we're having trouble understanding what you are doing.

Note:  The transparent mode skip is in the Web section, however strictly speaking it is not a Web rule, it is a firewall rule.

When you configure the Web "Allowed networks" what you are really doing is creating a firewall rule that says "anything coming in on port 80 from this network going out to the internet, forward the packets to the Web Proxy".  When you create a destination skiplist what you are really doing is creating a firewall rule above that saying "anything going to port 80 to these IP addresses, do not forward the packet to the Web Proxy".  The skiplist must work on IPs (to UTM objects that resolve to one of more IPs).

Hello All,

Ultimately, my goal is that adding a firewall rule to block certain destination including web server at the level of firewall when web filtering is enabled.

== Scenario for my goal ==

• Issue: 1.1.1.10 is a web server. If I add a firewall reject rule for destination 1.1.1.0/24 , it is impossible to block 1.1.1.10 at the level of firewall because 1.1.1.10 is a web server.
• Goal: block for 1.1.1.0/24 at the level of firewall including web server
• SG firewall configuration: enable for firewall and web filtering.
• Expectation
  Adding a 1.1.1.0/24 to the transparent skiplist at web filter.
  I expected that if 1.1.1.0/24 is bypassed at the level of web filter, it might be possible to block for all 1.1.1.0/24 including 1.1.1.10 at the level of firewall.
• Result
  Clients behind the SG firewall can access the 1.1.1.10 even though it has a firewall reject rule for 1.1.1.0/24. Because web filter is enabled.
  That means web traffic is proxied.

I found a helpful article and then i could understand why i can't achieve my goal.
https://community.sophos.com/kb/en-us/115155 - Create A Basic Firewall (Packet Filter) Rule in Astaro Security Gateway

KB115155 explains the Proxied Services.
Based on the explanation of Proxied Service, it is impossible to control(allow or deny) web traffic at the level of firewall when web proxy is enabled.

Maybe, I tried to use nonstandard way like the Michael's mention.

Thank you very much for all for help me.

You must uncheck 'Allow HTTP/S traffic for listed hosts/nets' underneath the Skiplists and make your own firewall rules for each of the listed destinations.

Cheers - Bob

Hello Bob,

I thinks it is impossible to control(allow or deny) for web traffic using firewall when web filter is enabled even though if i uncheck ''Allow HTTP/S traffic for listed hosts/nets' underneath the Skiplists. Because web traffic is proxied when web filter is enabled.

Please refer the KB115155.
This KB article that explained the Proxied server would be helpful for understanding.

Thanks,

You've misunderstood how the UTM works.  In Transparent mode, the Transparent mode Skiplists prevent the UTM from proxying the traffic.  If you have configured your browser to use the UTM's Web Filtering, you must configure the browser to skip the proxy as the Transparent mode Skiplists do not apply.

If you're still not able to get firewall rules to allow or block HTTP & HTTPS, paste a line here from the Web Filtering log file for an access that you wanted to skip the Proxy and show a picture of your Skiplists.

Cheers - Bob

It is possible that i have misunderstanding about how the SG work because I just have an experience under 6 months about SG.
But based on my test result, it looks like impossible to control(allow or deny) using firewall rule even though i add a destination in the transparent mode skiplist.

I added the DNS host that i want to bypass at the web filter in the Transparent mode skiplist like below.
(My test SG is in Transparent mode and Web filter is in full transparent mode. So i don't need to consider the web browser setting for proxy.)

Web filter log(http.log) and firewall log(packetfilter.log) were not generated when i tried to access the destination. but i could access the destination even though i added a firewall reject rule against destination.

Below is my firewall reject rule about destination that i want to block at the firewall level.

could you explain me why my test result is different from your thinking?

I am guessing that your problem occurs because npr.org and www.npr.org are different host names.  Your approach should work, but it is unneccessaily complicated.

You can get the result more easily by using the Websites tab of your Filter. It takes host names or regular ecpressions.   It allows both nlock and allow overrides.

i didn't have a test with www.npr.org

when i tested i only used www.globaltelecom.co.kr.
it is very simple website. because this website doesn't contain any other url.

The result is different because you did not do as Bob suggested.  Your traffic is allowed because you have the marked the checkbox "Allow HTTP/S trafic for listed hosts/nets" which creates a firewall rule for you.  Uncheck the box.

Ultimately your problem is that you are trying to use a firewall rule to do the job of the Web Proxy.

If you are you are using the Web Proxy, and you trying to block port 80 traffic on certain hosts, it is much easier to get the Web Proxy to block instead of the firewall to block.

Also, be aware that the Proxy in Transparent mode will accept browser requests sent in Standard mode.  If you have explicitly configured your browser to use the UTMs web Proxy, it will send requests using port 8080 and the Skiplists will not apply because the Proxy handles the traffic in Standard mode.  In Standard mode, you must skip the proxy on your browser's 'Proxy Settings' tab.  The same thing can happen with 'Automatically detect settings', so make sure that's not selected.

Cheers - Bob

Also, be aware that the Proxy in Transparent mode will accept browser requests sent in Standard mode.  If you have explicitly configured your browser to use the UTMs web Proxy, it will send requests using port 8080 and the Skiplists will not apply because the Proxy handles the traffic in Standard mode.  In Standard mode, you must skip the proxy on your browser's 'Proxy Settings' tab.  The same thing can happen with 'Automatically detect settings', so make sure that's not selected.

Cheers - Bob

Thanks for Nichael and Bob.

It worked well as expectation after unchecking the "Allow HTTP/S traffic for listed hosts/nets".
That means it is possible to control using firewall rule after adding the "Transparent Mode skiplist" with unchecking the "allow HTTP/S traffic for listed hosts/nets".

I had understanding that it needs to check the "Allow HTTP/S traffic for listed hosts/nets" for excepting a web proxy.

I have a little bit confuse about the "Allow HTTP/S traffic for listed hosts/nets".
Because As my previous test, it was also not generate a http log when i check the "Allow HTTP/S traffic for listed hosts/nets".

It would be much appreciated, if you explain me about differentiation between check and uncheck for "Allow HTTP/S traffic for listed hosts/nets".

Normally when you create a Web Filter profile and you specific the Source and Destination networks.  This creates a behind-the-scenes firewall rule that says "If port 80 or 443 and this source and this destination, then send it to the Web Proxy for processing".

When you select a destination in the transparent mode skiplist, then it basically modifies that hidden firewall rule so it does not apply to that destination.

Assuming for a second that you have no other firewall rules, at this point if you try to create a port 80 connection to that destination, no firewall rules will match and the connection will be blocked.


Now 99% of the time people who use the skiplist are doing so because they want to have allowed unfiltered access to that destination.  They would then have to create their own firewall rule that then says Source LAN to destination (whatever it is you are going to) service HTTP/HTTPS then Allow.  The checkbox "Allow HTTP/S traffic for listed hosts" basically does that for them.  It creates a firewall rule that says that if they are in the skiplist, then port 80 traffic to that destination should be allowed.

Anything that hits the skiplist will not go to the proxy.  Therefore anything that hits the skiplist will not appear in http.log, however it will appear in firewall logs.

Thank you soooo much for Michael, Bob and all.

I can understand totally about "Transparent Mode Skiplist" and "Allow HTTP/S traffic for listed hosts/nets" because of detailed explanation.
I can resolve easily my issue as a help for this forums.

Thanks again for all.