
HTTPS "URL filtering only" option enabled shows SSL warnings on all HTTPS websites, or the page cannot be displayed after a while.

Environment: home
Sophos UTM 9.506-2 on Hyper-V.
UTM is behind NAT.
Sophos UTM upgraded from 9.505-4 to 9.506-2.

9.505-4: no problem
9.506-2: web filter problem (see below)

Problem: HTTPS "URL filtering only" option enabled shows SSL warnings on all HTTPS websites, or the page cannot be displayed after a while.
It looks like the problem occurs when two networks are used in one and the same default web filter profile.

Problem is resolved when "Do not proxy HTTPS traffic in transparent mode" is enabled.
Problem is temporarily resolved when the UTM is rebooted (but after a while the problem is back again and HTTPS sites show an unsafe SSL warning).

Problem is solved for good when two separate Web Filter Profiles are created, one for each network:



Can somebody tell me why this is happening? Thanks!

Regards, Stephan



  • Hi,

a question: why do you have your external interface in the allowed networks? You should only have your internal networks in allowed networks.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    This is because I still have some clients on that network (192).
    Also because I have the UTM behind an existing NAT (ISP router),
    so my UTM "external" interface is actually an internal IP, because the UTM is not directly attached to the internet/ISP.
    The External_192.168.1.0 interface is using the GW address (the internal IP address) of my ISP router to communicate with external/WAN.

    So now I have two gateways on the same UTM. One for 192 network and the other one for 172 network.

    Hope this answered your question.

    Regards.

  • Hi Stephan,

    thank you, it does answer the question, but it is not logical to have the web proxy loop back on itself. I doubt whether any 192 traffic will actually go through the UTM, but that will depend on the gateway on the other devices?

    Ian


  • Hi Ian,

    That's the funny thing: I was testing whether it was capable of looping back the traffic, and it does :)
    When I change the gateway of a client on the 192 network to the 192 gateway of the UTM, the traffic goes through the UTM.
    Also with WAF, the traffic from the WAN (ISP router) to the UTM then loops back to the service in the 192 network.

    I agree that this solution is not the most logical and absolutely not recommended for business, but for a home network it's working just fine.
    But maybe not for the web filter anymore?

    Regards.

  • I have to agree with Ian, Stephan. In fact, if you can't put the UTM at the edge where it can get a public IP, I would bridge the two interfaces and change the topology so that everything is behind it. In that way, you can use Web Filtering in Transparent mode for all of your web traffic. Since the UTM's interfaces are bridged, I would use 'Full Transparent' mode. With that choice, the HTTP Proxy doesn't masquerade the web requests.

    Cheers - Bob
    PS Moving this thread to the Web Filtering forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Guys,

    Thanks for the feedback!
    I have put the other clients on my 192 to my 172 network.

    I also have tried to bridge, without any luck (I must have been doing something wrong here). Do you know if there is some good documentation about bridging the UTM?

    Anyway, at this moment the UTM is still behind my existing NAT (ISP router), and all the other clients from the 192 are now on the 172 network. Works like a charm and no loopback!

    Situation now: ISP router --> <--192-- UTM --172--> Clients (web filter activated only on 172_internal).

    Thanks and regards!

  • About the SSL warnings:

    To display a block or warn message, UTM has to impersonate the target server; there is no other option. This means that you need to distribute the proxy CA certificate even if you had not intended to do HTTPS decrypt-and-scan. But once it is distributed, you might as well do HTTPS inspection as well.

    The warnings indicate that it has not been pushed out to your clients.

    The need for two profiles is harder for me to explain. But it is best to have a separate profile for each security zone. If you need to restrict traffic from crossing from zone 1 to zone 2, this goes in the filter action website block list for zone 1.

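The mechanism the last reply describes, reproduced as an added example that is not part of the thread or of Sophos' code. A proxy that wants to show a block or warn page on an HTTPS site has to answer the TLS handshake itself, so it presents a certificate for that site signed by its own CA. The script below builds a throwaway stand-in for that proxy CA, issues the impersonation certificate for a site, and then validates it the way a browser would, once with an empty trust store (the client that never received the CA, which gets the warning) and once with the proxy CA installed (no warning). The CA name "Hypothetical UTM Proxy CA", the site www.example.com and the file layout are all assumptions; the only requirement is the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a web proxy that impersonates
# HTTPS sites (to show block/warn pages or to decrypt-and-scan) produces
# certificate warnings until its CA is in the client's trust store.
# Hypothetical names throughout: "Hypothetical UTM Proxy CA", www.example.com.
# Needs only the openssl command-line tool.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
# ca_ext marks the throwaway proxy CA as a CA, which chain validation requires.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# 1. Create the stand-in for the proxy's own CA (self-signed).
make_proxy_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Hypothetical UTM Proxy CA" \
        -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.pem" 2>/dev/null
}

# 2. Issue the certificate the proxy would present when impersonating $1.
impersonate_site() {
    site="$1"
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$site" -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$site" > "$WORK/san.cnf"
    openssl x509 -req -in "$WORK/site.csr" -CA "$WORK/proxy-ca.pem" \
        -CAkey "$WORK/proxy-ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/san.cnf" -out "$WORK/site.pem" 2>/dev/null
}

# 3. Validate the presented certificate the way a browser does, against the
#    trust store in $1. Prints "ok" or "untrusted" (the browser warning).
verify_against() {
    if openssl verify -CAfile "$1" "$WORK/site.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
        return 1
    fi
}

# 4. The diagnostic to run on a client: who issued the certificate it received?
#    If the issuer is the proxy CA rather than a public CA, the connection is
#    being intercepted, and that CA must be trusted for the warnings to stop.
issuer_of_site_cert() {
    openssl x509 -in "$WORK/site.pem" -noout -issuer | sed 's/^issuer=//'
}

# Empty trust store: a client that never received the proxy CA.
: > "$WORK/empty-store.pem"

make_proxy_ca
impersonate_site www.example.com
echo "issuer seen by the client: $(issuer_of_site_cert)"
echo "client without proxy CA:  $(verify_against "$WORK/empty-store.pem")"
echo "client with proxy CA:     $(verify_against "$WORK/proxy-ca.pem")"
```

On a real client the equivalent diagnostic is to look at the issuer of the certificate actually received for a site (for example via `openssl s_client -connect host:443 -servername host` piped into `openssl x509 -noout -issuer`): if it names the UTM's proxy CA instead of a public CA, the HTTPS proxy is in the path and that CA has to be in the client's trust store, exactly as the reply above says.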