Explicit Proxy usage - Not working as expected

 Hi,

I upgraded an XG to v18 yesterday.
Since the update, access to the Internet, for the CLients on the LAN, no longer works.
The clients use an explicit proxy server (XG).

At first I thought there was a problem with the migrated NAT rules, I deleted all superfluous ones and currently used the default snat rule. But to get the clients to the internet I had to add HTTP and HTTPS to the destination in addition to TCP_3128.

Otherwise I got the message that the proxy server did not react.

Does anyone have any idea what could be the reason for this?

Translated with www.DeepL.com/Translator (free version)

  • Can you look at:

    https://community.sophos.com/kb/en-us/132117

     

    There is an issues in XG (including both 17.5 and 18.0) that if you have an explicit drop all rule for source any dst any, that interferes with a direct proxy only.  You need to include http/https service as well or change the drop all rule to specify specific zones.  I don't think that this would have changed between 17.5 and 18.0.  Please let me know.

  • In reply to Michael Dunn:

    Hi,

    first thank you for your help.
    What I don't understand, why it worked with SFOS 17.5.8 MR-8 and now it did not work with the latest v18?

    What I've seen is that the NAT is running over the default SNAT rule, that okay I hope?

    Is it correct to check the: Use web proxy instead of DPI engine .....in this case?
    I dont get it, what the HTTP/HTTPS rule with WebPolicy Deny All really does.

     

    Any help is welcome :)

  • In reply to Mr.Roboto:

    I also do not know why it used to work and does not, except that it probably has to do with the changing of NAT rules.

    Yes, you should have "use web proxy" checked (as you you for any upgraded rule) although for explicit mode it doesn't really matte.

     

    The underlying issue is that with the proxy there are two connections.  From the client to the XG proxy and then from the XG proxy to the web server.

    In a configuration where there is just the default drop rule (readonly) the XG to web server works fine.

    In a configuration where an admin has created their own default drop rule, the XG to web servier connection fails.  The firewall doesn't allow connections on those ports.

    By creating a port 80/443 rule, you are telling the firewall to open the ports.  When the XG's web proxy is making a connection to the outside web server the Deny All policy does not take affect (it already has a policy from the client connection).  But if there are any transparent clients that try to connect they will have the Deny All policy enforced.

  • In reply to Michael Dunn:

    Do you have any sort of SD-WAN Rules and a Multi WAN concept?