
MATCH KNOWN USERS ISSUE WITH PROXY

Hello,

I'm using Sophos XG2300 SFOS 19.0.1 MR-1-Build365 and I would like to ask why I get blocked when I'm trying to browse the internet with a configured proxy, match known users turned on and web filtering set to none. Through testing and searching I managed to make a workaround where I had to make a new firewall rule for proxy only.

  • first firewall rule (LAN to WAN) has these settings: Services HTTP/S, ICMP; Match known users and Web proxy instead of DPI engine
  • second firewall rule (LAN to WAN PROXY) has these settings: Services PROXY(TCP 3128); Web proxy instead of DPI engine

If I enable match known users on the second firewall rule I get blocked from all websites even if I don't have web filtering on. I don't quite understand why that is happening, so I would like to ask if anyone can tell me the reason why this is happening.

Another problem with match known users is that the Web proxy transparently handles traffic only on TCP ports 80 and 443. If I have match known users on and the proxy turned off for the browser I can't seem to get on any website; I get stuck on loading and then the connection times out. If I have match known users off and the proxy turned off for the browser I manage to get on websites.

[Screenshots: the LAN to WAN and LAN to WAN PROXY firewall rules]


  • By the log, it shows you have a user but it also shows fw_rule_id=NA which means the traffic did not match any firewall rule.

    If you are using transparent and you don't match any firewall rule you should be blocked.  This is done by not allowing the packets.  Traffic denied by the most base Deny All rule is not logged (as that would be too noisy).
    If you are using direct proxy and you don't match any firewall rule you should be blocked.  This is done by applying the Deny All web policy and would appear in the web filter log.

    So you need to look at why your traffic is not matching the rule that you expect.

    I can see the Match user rule has some groups set.  Is your user a member of one of those groups?
    Can you try specifying the user specifically, or remove all groups so that it goes to "All".  If that causes it to start working then you know the problem is in the user-to-group matching.

    As you test, pay attention to the matching firewall rule.

    You can also use the Policy Tester.  Note that this assumes you are doing transparent mode.
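As an added example (not from the thread or from Sophos), a small script that applies the check the reply describes to log lines: it flags events where a user was identified but fw_rule_id=NA, and counts them per user and destination port so you can see which service (for instance the proxy port versus 80/443) never hits a rule. The log lines are constructed, and every field name other than user and fw_rule_id is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in key=value style (not real Sophos logs); only the
# user and fw_rule_id fields come from the thread, the rest are assumed names.
SAMPLE_LOG = """\
date=2022-08-01 time=10:00:01 src_ip=10.0.0.5 user="alice" fw_rule_id=NA dst_port=443 status="Denied"
date=2022-08-01 time=10:00:02 src_ip=10.0.0.5 user="alice" fw_rule_id=NA dst_port=3128 status="Denied"
date=2022-08-01 time=10:00:03 src_ip=10.0.0.7 user="bob" fw_rule_id=2 dst_port=443 status="Allowed"
date=2022-08-01 time=10:00:04 src_ip=10.0.0.9 user="" fw_rule_id=1 dst_port=80 status="Allowed"
"""

# key=value pairs; the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def unmatched_user_events(log_text):
    """Return events where a user was identified but no firewall rule matched
    (fw_rule_id=NA), i.e. the pattern that ends up in the Deny All."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("user") and ev.get("fw_rule_id", "").upper() in ("NA", "N/A"):
            hits.append(ev)
    return hits


def summarize(events):
    """Count unmatched events per (user, dst_port) to show which service
    is failing to match a rule for that user."""
    return Counter((e["user"], e["dst_port"]) for e in events)


if __name__ == "__main__":
    hits = unmatched_user_events(SAMPLE_LOG)
    for (user, port), n in sorted(summarize(hits).items()):
        print(f"user={user} dst_port={port}: {n} event(s) matched no firewall rule")
```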
