Web Proxy Policy

Hi,

I'm using Sophos XG virtual appliance and trying to add users as exclusions for the Web Proxy - Transparent mode (Direct Mode off). If Anybody is used, policy is doing the job and blocking .exe files (as example). But i need that some users to be able to download them. So i have created two groups (imported from AD),one is Restricted and the second Relaxed. Restricted is assigned to Risky downloads and Relaxed to Suspicious. From this point it seems that there's no effect from policy, users can download .exe. etc. Web Policy is assigned to LAN to WAN firewall rule LAN / ANY as source and service, WAN / ANY as destination and service. Web enabled settings for the firewall policy: Scan HTTP and decrypted HTTPS / Use web proxy instead of DPI engine / Decrypt HTTPS during web proxy filtering. Also appliance certificate is imported into users devices (Trusted Root).

Is there something else that i have to configure to make it work?

The purpose is to block internet to all users and allow only for dedicated groups and also split the internet policy restrictions between groups like the issue explained.

Thank you.

Added TAGs
[edited by: Erick Jan at 10:19 AM (GMT -7) on 21 Sep 2023]

Top Replies

rfcat_vk 2 months ago +1 suggested

Hi, basically you need two firewall rules, One for the allowed group and one for the limited group. ian

Parents

0 Erick Jan 2 months ago
Hi Radu,

Thank you for reaching out to Sophos Community.

Have you tried to use any how-to videos, documentation, Sophos Assistant, or KBA to try to check the issue?

Kindly check the log viewer to see if other FW Rule is hitting the policy

Placed the allowed on the top FW rule before the blocked and other rules.
Erick Jan
Community Support Engineer | Sophos Technical Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Radu Mirea 2 months ago in reply to Erick Jan

Hi,

Used the policy tester and it indicates the expected results - block Risky downloads for the Restricted group. But in reality this is not happening, users still download .exe files.

Thank you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rfcat_vk 2 months ago in reply to Radu Mirea

Please post a screenshot of your policy tester result.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Radu Mirea 2 months ago in reply to rfcat_vk
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rfcat_vk 2 months ago in reply to Radu Mirea

what does logviewer show for the source IP access? Sounds to me like the users are not hitting the rule?

Please post an expanded copy of the rules.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Radu Mirea 2 months ago in reply to rfcat_vk

Web Filter logs:

Firewall Rules:

Web Policy:

If i change from Relaxed group to Anybody, policy is working.

Thank you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rfcat_vk 2 months ago in reply to Radu Mirea

Hi,

you need to enable application control at least to allow all.

i will update further when I have access to a bigger screen.

ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Radu Mirea 2 months ago in reply to rfcat_vk

Hi,

Enabled Application Control with Allow All - should this have an impact, as i do not see any

Thank you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 rfcat_vk 2 months ago in reply to Radu Mirea

Hi,

you do not have any user controls enabled, all users can access rule 11. You need to enable the user function and add your allow group and in the next rule your disallow group.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 rfcat_vk 2 months ago in reply to Radu Mirea

Hi,

you do not have any user controls enabled, all users can access rule 11. You need to enable the user function and add your allow group and in the next rule your disallow group.

Ian

XG115W - v20 GA - Home

XG on VM 8 - v20 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 LuCar Toni 2 months ago in reply to rfcat_vk

The context of user is missing.
So essentially: under live users you have to list the user context by using any of the authentication methods, SFOS offers.
You can choose from:
Sophos Endpoint, STAS, Kerberos, Captive Portal and many more. But you have to configure one.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Radu Mirea 2 months ago in reply to LuCar Toni

Hi,

I have created another Web Policy using Relaxed group and assign it to a top firewall rule with matching users enabled for Relaxed group. Old Web policy was set to use Anybody and assigned to Firewall policy 11 (without) matching users enabled. Seems to be working now, i'll do more tests to make sure this is the correct approach.

Thank you.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel