Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rule - apply traffic with specific DSCP marking only - not works

Hello everybody,

I would have a question to the firewall rules and DSCP marking under "Other security features"...
My Sophos instance is running in bridge mode in front of my router's WAN interface (with only one public IP).
I apply the function "Scan HTTP and decrypted HTTPS" for outgoing web traffic.
Of course here is necessary to use certificate of the Sophos machine imported in the PC...
Because I use several vlans inside my LAN, I would like to apply the rule with HTTPs scanning only to some of them, or exclude some IPs from scanning.
My primary router is Mikrotik. I am able to mark outgoing traffic going to the internet (to Sophos bridge) with a new DSCP (TOS) value.
My idea is to catch the HTTPs traffic marked as such with a simple rule before the "scanning" rule itself. Other untagged traffic reaches the scanning rule.

My problem is that a rule that should only be applied with a specific incoming DSCP tag (e.g. #46) match all HTTP/S traffic.
The DSCP tag is present in the traffic - checked by Wireshark.

Can you please advise me where I am making a mistake or whether Sophos firewall rules support this feature?

Many thanks.
Kind regards,
Libor

P.S. I cannot change the topology...
(SFOS 20.0.1 MR-1-Build342)





This thread was automatically locked due to age.
  • Hi,

    the "DSCP marking" from firewall is a function to mark packets for later devices.
    it is not a selector or "matching criteria" for the firewall rule.

    https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/FirewallRuleAdd/index.html


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello Dirk,

    Thank you for explaining!
    Is there any other alternative in Sophos how to identify with fw rules incoming traffic with a certain DSCP tag?

    Libor

  • I don't know of anything like that.

    I would try to determine it by IP or port.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi,

    you could make a firewall rule for each protocol you wish to set a dscp for and make seperate rules for the iprnges you wish to allow without scanning enabled. There is a lot of work involved and I am not sure wHat advantages you see from this approach.

    As dirkkotte advised the DSCP values have no affect on the firewall performance or throughput and you would need to check with your ISP as to what DSCP values are processed and what are ignored.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Am I reading correctly that you want SSL inspection for most systems but not for some (subnets) for traffic going to the internet?

    If that is the case you can create "do not encrypt" rules for these hosts under Rules & Policies => SSL/TLS inspection rules


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello Apijnappels,
    Yes, you're right. I want SSL inspection for most systems but not for some (subnets) for traffic going to the internet.
    Of course I can use "do not encrypt" rule.
    The problem is that Sophos in BRIDGE mode is placed between the ISP's optical converter and my NAT/VPN Mikrotik router.
    (so on the WAN side). The Mikrotik has a public IP address and a lot of other settings. I can't change the architecture.
    Back to the topic. This means that data going towards the Sophos firewall and to the Internet is already processed by NAT.
    There is only one source IP address for Sophos processing coming from my primary router.
    On the Mikrotik router side I am able to define LOCAL IP addresses or IP "C" ranges with the DSCP tag (Sophos can also do this).
    My question was whether I am able to in Sophos at the firewall rules level match incoming traffic based on tagged packets(e.g. DSCP)?
    I know this is missing in the rule set, or more correctly, the logic is opposite
    (as with Mikrotik, but it can match incoming traffic at the firewall based on DSCP)
    Maybe it would be possible to compare the traffic first with some QoS rule and then apply this in the Firewall???
    As a workaround, I now do this by having two NAT rules on the Mikrotik and changing the source ports in 10,000 port ranges for each rule.
    But this is not a pretty solution :)
    I know this has been asked in other discussions.
    Of course I would like this functionality, but I don't know if I'm not "alone" in thinking this way.
    It would be the subject of a feature request…

    regards, libor