

Web Proxy Policy


I'm using a Sophos XG virtual appliance and trying to add users as exclusions for the Web Proxy - Transparent mode (Direct Mode off). If Anybody is used, the policy is doing the job and blocking .exe files (as an example). But I need some users to be able to download them. So I have created two groups (imported from AD), one is Restricted and the second Relaxed. Restricted is assigned to Risky downloads and Relaxed to Suspicious. From this point it seems that there's no effect from the policy; users can download .exe, etc. The Web Policy is assigned to the LAN to WAN firewall rule: LAN / ANY as source and service, WAN / ANY as destination and service. Web enabled settings for the firewall policy: Scan HTTP and decrypted HTTPS / Use web proxy instead of DPI engine / Decrypt HTTPS during web proxy filtering. Also, the appliance certificate is imported into users' devices (Trusted Root).

Is there something else that I have to configure to make it work?

The purpose is to block internet to all users and allow only for dedicated groups and also split the internet policy restrictions between groups like the issue explained.

Thank you.

  • Hi,

    You do not have any user controls enabled; all users can access rule 11. You need to enable the user function and add your allow group and in the next rule your disallow group.


    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The context of the user is missing.
    So essentially: under live users you have to list the user context by using any of the authentication methods SFOS offers.
    You can choose from:
    Sophos Endpoint, STAS, Kerberos, Captive Portal and many more. But you have to configure one.


  • Hi,

    I have created another Web Policy using the Relaxed group and assigned it to a top firewall rule with matching users enabled for the Relaxed group. The old Web policy was set to use Anybody and assigned to Firewall policy 11 (without matching users enabled). Seems to be working now, I'll do more tests to make sure this is the correct approach.

    Thank you.