Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Best way to setup Web and Firewall rules for a college

Hi all,

We are in the process of moving to Sophos XG from our existing firewall and web filter solution. 

As a college we have a few different setups for our proxy/web filter and I was wondering if it would be possible to replicate or create a similar setup to what we have currently. I will try to explain our current setup:

We have four main zones/locations which are represented by the following:

  • Staff Corporate Network - 172.16.0.0/16
  • Student Corporate Network - 172.16.0.0/16
  • Staff WiFi BYOD - 10.16.0.0/16
  • Student WiFi BYOD - 10.16.0.0/16

 The above four areas allow different categories. For example, on Student WiFi BYOD we want to allow games, but on the Student Corporate Network we do not want games to be allowed. Because our staff and student corporate network is in the same range/VLAN it is going to need to apply policies based on location and Active Director groups, is there a way to build this up? For example, all of our staff are in a group called "All Staff", all students in a group called "All Students". 

If anyone could offer a little advice on the best way to set something like this up and where to go, it would be much appreciated.

Thanks in advance.



This thread was automatically locked due to age.
Parents
  • This looks to be working, Sophos Endpoint seems to be authenticating users correctly and all seems to be looking good.

    One question about the firewall rules:

    Under "Destination & services" The "Services" section is set to ANY. I changed this to just be port 80, 443 and DNS. But whenever I try to go to any website it seems to block everything now, if I change it back to ANY, then it seems to block according to the web policy.

    What other services are needed in here for it to work? I would rather not allow every single port out.

     
  • FormerMember
    0 FormerMember in reply to David Ashcroft

    Hi David Ashcroft,

    I would suggest you to take packet capture on one source IP address of one test machine to find out if the traffic is hitting correct rule as your firewall rule is configured to allow services like DNS, HTTP, HTTPS and port 8080 so this rule is enough to allow internet access. Navigate to the Diagnostics > Packet Capture > Configure > Enter BPF string e.g host 192.168.1.2 > Click on Save and turn on packet capture. Please share the screenshot of the packet capture. 

    Thanks,

  • When I change this rule from ANY, all the packet captures seem to just show ARP requests. Do I need to somehow bypass all internal to internal traffic from being proxied in any way. If so, how? 

  • FormerMember
    0 FormerMember in reply to David Ashcroft

    Hi David Ashcroft, 

    You do not have to bypass all internal to internal traffic from anywhere on the firewall. Can you please let us know where you changed ANY? 

    I would also like to know what is the web proxy mode? Please follow this KB Article : Sophos XG Firewall: Web proxy deployment modes. If it is transparent mode you would have to allow port 3128 from the firewall rule.

    Thanks,

     

Reply Children