
How to Deny Direct IP access from browser?

Hi,

I need advice on how to deny direct IP access from a browser, so that it only allows access by domain name.

How is it done through a Sophos Firewall configuration rule?

I use Sophos XG 310, SFOS v20.0

Thanks



  • Hi,

    you need to be using the web proxy with a deny IP address policy. There are policies set up, you just need to select it for your web proxy. You will probably need to install the XG CA on the offending devices. It depends on what other features in the web proxy settings you choose to use; if none, you use DPI (SSL/TLS).

    I would also suggest you read this article.

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121482/sophos-firewall-https-decrypt-and-scan-faq

    Ian

    XGS118 - v21.5.0

    XG115 converted to software licence v21.5.0

    If a post solves your question please use the 'Verify Answer' button.

    • Hi  

      Thanks for your advice. But I didn't get it yet.

      Currently I have deployed the SSL Sectigo CA in Sophos Firewall. And then, what's next?
      Could you share with me step-by-step guidance to set up the web proxy in Sophos?

      Sophos firewall is protecting our server farm. I want to deny incoming access from outside if it is using the direct IP xxx.xxx.xxx.xxx.

      • Hi,

        that is totally different to what you asked. You never mentioned servers or incoming traffic.

        ian


        • Hi,

          My bad. Any suggestions for my scenario?

          • Hi,

            you can’t, how else would the network locate your firewall?
            ian


            • Hi,

              I once tried using a virtual host configuration on our server. Actually, it worked.

              But unfortunately, domain-name access then failed because DNS (we use Cloudflare) was unable to read the SSL certificate on our server.

              Therefore, I'm looking for a different way to do that from the firewall side.

              • If you're looking to protect an internal webserver from being accessed by IP-address then you can use the Web Application Firewall. You can find it under Protect -> Webserver. This will allow you to determine which URLs are being passed to which internal servers.


                Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

                • Hi,

                  I have existing WAF Rules as below.

                  Any advice on how to set it up for what I need?

              • So in general - I think this is not possible in SFOS right now - Why do you need to do this? Because on a general level - IP and domain are the same access - Just the webservice after all could deny the access.
                Is there a compliance reason for blocking the web access? 

                Or are you speaking about a webserver behind SFOS? 
                Then you need a static hardening: 

                This will make sure nobody enters other domains or URLs you don't have, like an IP.
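
The last two replies both come down to filtering on the requested host name, either in the WAF or in the web service itself. The sketch below is an added example, not code from any poster or from Sophos, showing that check on the `Host` header: IP literals and names outside an allowlist are refused. The host names in `ALLOWED_HOSTS` and the sample headers are constructed placeholders.

```python
import ipaddress

# Assumption: placeholder names; replace with the domains the server really serves.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def split_host_port(host_header: str) -> str:
    """Return the host part of a Host header, without port or IPv6 brackets."""
    value = host_header.strip()
    if value.startswith("["):              # IPv6 literal such as [2001:db8::1]:443
        end = value.find("]")
        return value[1:end] if end != -1 else value
    if value.count(":") == 1:              # name:port or 203.0.113.10:port
        value = value.rsplit(":", 1)[0]
    return value


def is_ip_literal(host: str) -> bool:
    """True when the host is an IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def decide(host_header):
    """Return (status, reason) for the Host header of an incoming request."""
    if not host_header:
        return 400, "missing Host header"
    # Normalise case and a trailing root dot before comparing.
    host = split_host_port(host_header).rstrip(".").lower()
    if is_ip_literal(host):
        return 403, "direct IP access"
    if host not in ALLOWED_HOSTS:          # allowlist also stops unknown names
        return 403, "unknown host name"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the thread.
    for sample in ["www.example.com", "203.0.113.10:8443",
                   "[2001:db8::1]:443", "other.test", ""]:
        print(repr(sample), decide(sample))
```

The allowlist matters more than the IP test: any host name that is not explicitly served is refused, which covers IP literals in unusual notations as well.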
