This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to Deny Direct IP access from browser ?

Trio Fandi 8 months ago

Hi,

I need advice how to Deny Direct IP access from browser. So, it only allow access by domain-name.

How it done through Sophos Firewall configuration rule?

I use Sophos XG 310, SFOS v20.0

Thanks

This thread was automatically locked due to age.

Top Replies

LuCar Toni 8 months ago +1 verified

So in general - I think this is not possible in SFOS right now - Why do you need to do this? Because on a general level - IP and domain are the same access - Just the webservice afterall could deny the…

Parents

0 rfcat_vk 8 months ago

Hi,

you need to be using the web proxy with a deny IP address policy. There are policies setup, you just need to select it for your web proxy. You will probably need to install the XG CA on the offending devices. Depends on what other features in the web proxy setting you choose to use, if none you use DPI (SSL/TLS).

I would also suggest you read this article.

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/sophos-firewall-https-decrypt-and-scan-faq

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Trio Fandi 8 months ago in reply to rfcat_vk

Hi rfcat_vk

Thanks for your advice. But I'm didn't get it yet.

Currently I have deploy SSL Sectigo CA in Sophos Firewall. And then, what's next ?
Could you share to me step by step guidance to set up web proxy in Sophos?

Sophos firewall is protecting our server farm. I want to deny incoming access from outside, if it using direct IP xxx.xxx.xxx.xxx .
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk 8 months ago in reply to Trio Fandi

Hi,

that is totally different to what you asked. You never mentioned servers or incoming traffic.

ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Trio Fandi 8 months ago in reply to rfcat_vk

Hi,

My bad. Any suggestion for my scenario ?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Trio Fandi 8 months ago in reply to rfcat_vk

Hi,

My bad. Any suggestion for my scenario ?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 rfcat_vk 8 months ago in reply to Trio Fandi

Hi,

you can’t, how else would the network locate your firewall?
ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Trio Fandi 8 months ago in reply to rfcat_vk

Hi,

I tried once using virtual host configuration in our server. Actually It's worked.

But unfortunately, domain-name access became failed due to DNS (we use Cloudflare) unable to read SSL certificate in our server.

Therefore, I'm looking different way to do that from Firewall side.
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels 8 months ago in reply to Trio Fandi

If you're looking to protect an internal webserver from being accessed by IP-address then you can use the Web Application Firewall. You can find it under Protect -> Webserver. This will allow you to determine which URLs are being passed to which internal servers.

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel
0 Trio Fandi 8 months ago in reply to apijnappels

Hi,

I have existing WAF Rules as below.

Any advice how to set up as what I need ?
Cancel
Vote Up 0 Vote Down

Cancel