Web Filter "Skip Transparent Mode Source Hosts/Nets" ignored

Some further information on this issue. Each time the Web Filtering gets to the point where sites are not working correctly, even for bypassed clients, the only quick solution is to change the IP on one of the clients. Changing the client IP, either manually, or by editing the static IP assignment on the FW, then renewing the client lease, permits broken sites to work immediately - most commonly Facebook, Flickr and GMail. Symptoms are pages never finishing loading and timing out. This leads me to suspect the FW is not properly handling the MASQ or internal client IPs when web filtering is turned off, but instead is still incorrectly re-directing the requests to the proxy (which is now off). 

I think I've pretty much determined the Web Filtering isn't going to offer me any extra value over L3 rules with time ranges, which is a shame, as I'm now basically back to the function of an iptables/ipchains firewall from 15+ years ago.

If anyone has a way to use quotas that work for streaming media content, and still allow me to properly bypass some clients entirely, I'd love to hear it.

Did you configure web filtering as transparent? Should you have it configured as standard, then a skip transparent source setting will have no effect.

The question is: Is the browser configured to use the proxy default is 8080? Because UTM can skip but the user insist to use the proxy
Is Endpoint configured end enabled web-control? 

Hello,

The clients are not configured to use a proxy; the UTM is transparently redirecting their requests to the Web Filter proxy. This is what I need to happen, since some dumb devices are not capable of proxy configuration, nor do I wish to worry about client proxy settings.

I'm aware of how a transparent proxy works, in theory, and in practice, having built and managed many squid proxies on *nix, including using Cisco WCCP forwarding in Cat6500 switches, but I may be missing some subtle nuance of the UTM configuration. At the moment, the Web Filter proxy is working well, but that is with all clients going through it. The issue that is most important is that I can effectively bypass certain clients and not encounter the connectivity problems I reported in the previous post.

You mentioned Allowed Target Services, which appears to be the equivalent of Safe Ports in squid, meaning those ports which the outbound proxy connection will connect to on behalf of the client. That is simple in standard mode with a client configured to use the proxy, but what is not clear in the docs is how these are interpreted in transparent mode, where it states that only ports 80 and 443 are intercepted. This statement suggests that Allowed Target Services is not applicable when in Transparent mode: "The disadvantage however is that only HTTP requests can be processed". This means that for non HTTP/S requests, a firewall rule (and MASQ entry in my case) are required, as expected.

Under Transparent Mode Skiplist, this is stated: "To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here." Could it be that both checking this box, *and* creating specific firewall rules for the skip hosts creates some kind of odd state where some packets are handled by the hidden Web Filter skip list rule, and others handled by the manual firewall rule? I have not dug into the shell much aside from a few tcpdumps, but maybe I should, to see what these hidden rules look like.

Thanks.

Transparent mode works with configured clients to, For example an outside client. And if he needs to open a page for example x.x.x.x:4444, you have to put the Webadmin port in Allowed Target Services

My Question is if you are using Endpoint Protection, and Where you put the client you want to skip Transparent Mode, In Destination or Source
Because It is hard to believe  this doesnt work.
Do a simple test Exclude one host, and immediately that host  will appear in firewall rules, otherwise we are missing something
Maybe a screenshot will be in help

For #1, here's an example with Netflix, Shawn.  Once a certain number of KB have been downloaded, throughput drops to 1Kbps.  I'd have to play with this, as I suspect the Limit should be for destination instead of source:

Is that what you wanted?

Cheers - Bob

Bob they messed up something. Doing some test now for different purposes I cant access Webadmin from the pc that uses standart proxy, but I get internet

192.168.1.250 Is the Internal Interface of the UTM 

Hi Bob,

Thanks for the example. I've actually done that test already, and it does work. The trick will be to determine the data cap, as Netflix bandwidth does vary quite a bit - old TV shows are much lower than new movies in HD, for example. This is a possible solution, although less precise than time quotas. It also won't address things like online gaming, or general time wasting sites.

Thanks!

Unknown said:

Transparent mode works with configured clients to, For example an outside client. And if he needs to open a page for example x.x.x.x:4444, you have to put the Webadmin port in Allowed Target Services

My Question is if you are using Endpoint Protection, and Where you put the client you want to skip Transparent Mode, In Destination or Source
Because It is hard to believe  this doesnt work.
Do a simple test Exclude one host, and immediately that host  will appear in firewall rules, otherwise we are missing something
Maybe a screenshot will be in help

 

Are you saying a firewall rule should appear, presumably under "Automatic firewall rules"? This is what I would expect also, but it's not happening. I do not have anything appearing under Automatic firewall rules, nor are there any other rules appearing which I have not created myself. I just tested this again, by deleting the entry in "Skip Transparent Mode Source Hosts/Nets", then recreating it. Applying after each step. Whether with the "Allow HTTP/S traffic for listed hosts/nets" checked or not, no rule appears. So either something is broken, or these "automatic" rules aren't supposed to be visible.

something is strange after last update. Yes the rule should be visible and in Firewall Live Log too

I cant blame UTM because this is happening to me right now, but I am connected from outside. I will do the test tomorrow

8444, Olsi? In any case, I skip the proxy for access to the UTM doing proxying for internal users.

Cheers - Bob

Yes Bob, but I was behind one UTM reaching my home UTM.

Anyway I tested from my home if the automatic rule will show up for my internal PC, and nothing

And is not ended...

I have to telnet a mailserver in port 25 from my PC, skipped my PC from transparent in SMTP. Same thing, NO automatic rule created

Yes Bob, but I was behind one UTM reaching my home UTM.

Anyway I tested from my home if the automatic rule will show up for my internal PC, and nothing

And is not ended...

I have to telnet a mailserver in port 25 from my PC, skipped my PC from transparent in SMTP. Same thing, NO automatic rule created