
Firewall rule - apply to traffic with a specific DSCP marking only - does not work

Hello everybody,

I have a question about firewall rules and DSCP marking under "Other security features"...
My Sophos instance is running in bridge mode in front of my router's WAN interface (with only one public IP).
I apply the function "Scan HTTP and decrypted HTTPS" to outgoing web traffic.
Of course, it is necessary here to have the certificate of the Sophos machine imported on the PC...
Because I use several VLANs inside my LAN, I would like to apply the rule with HTTPS scanning only to some of them, or exclude some IPs from scanning.
My primary router is a Mikrotik. I am able to mark outgoing traffic going to the internet (to the Sophos bridge) with a new DSCP (TOS) value.
My idea is to catch the HTTPS traffic marked this way with a simple rule before the "scanning" rule itself. Other, untagged traffic reaches the scanning rule.

My problem is that a rule that should only apply to traffic with a specific incoming DSCP tag (e.g. 46) matches all HTTP/S traffic.
The DSCP tag is present in the traffic - checked with Wireshark.

Can you please advise me where I am making a mistake or whether Sophos firewall rules support this feature?

Many thanks.
Kind regards,
Libor

P.S. I cannot change the topology...
(SFOS 20.0.1 MR-1-Build342)
Added TAGs
[edited by: Raphael Alganes at 12:45 AM (GMT -7) on 15 Jul 2024]
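To make the DSCP/TOS relationship concrete while troubleshooting a marking-based bypass like the one described above, here is an added example (not code from the post, from Sophos or from Mikrotik). It decodes the 6-bit DSCP field from an IPv4 header, models the intended two-rule chain ("bypass" for DSCP 46, "scan" for everything else), and shows why comparing the whole TOS byte instead of the DSCP field breaks once ECN bits are set. All packets and the 192.0.2.x / 198.51.100.x addresses are constructed sample values.

```python
# Added example, not from the original post: decode DSCP from an IPv4 header and
# model a "match DSCP 46 only" rule. Packets below are constructed, not captured.
import socket
import struct

EF_DSCP = 46  # Expedited Forwarding, the value the post marks on the Mikrotik


def build_ipv4_header(tos: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a minimal 20-byte IPv4 header (checksum left at zero; sample only)."""
    ver_ihl = (4 << 4) | 5  # version 4, header length 5 * 4 = 20 bytes
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, 40, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def dscp_of(header: bytes) -> int:
    """DSCP is the upper 6 bits of the second header byte (the old TOS field)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return header[1] >> 2


def ecn_of(header: bytes) -> int:
    """ECN occupies the low 2 bits of the same byte and is set by the endpoints."""
    return header[1] & 0x03


def tos_for(dscp: int, ecn: int = 0) -> int:
    """The TOS byte a marker must write for a given DSCP: (DSCP << 2) | ECN."""
    if not 0 <= dscp < 64 or not 0 <= ecn < 4:
        raise ValueError("DSCP is 6 bits, ECN is 2 bits")
    return (dscp << 2) | ecn


def classify(header: bytes, bypass_dscp: int = EF_DSCP) -> str:
    """Model the two-rule chain from the post: marked flows hit the 'bypass'
    rule first, everything else falls through to the 'scan' rule."""
    return "bypass" if dscp_of(header) == bypass_dscp else "scan"


def tos_byte_match(header: bytes, tos: int) -> bool:
    """A naive comparison of the whole TOS byte: it stops matching as soon as
    the client or server sets ECN bits, even though DSCP is unchanged."""
    return header[1] == tos


# Constructed sample packets (RFC 5737 documentation addresses).
SAMPLE_PACKETS = {
    "marked_ef": build_ipv4_header(tos_for(46), "192.0.2.10", "198.51.100.20"),
    "marked_ef_ecn": build_ipv4_header(tos_for(46, ecn=2), "192.0.2.10", "198.51.100.20"),
    "unmarked": build_ipv4_header(0, "192.0.2.11", "198.51.100.20"),
    "marked_af41": build_ipv4_header(tos_for(34), "192.0.2.12", "198.51.100.20"),
}


def summarize(packets=None) -> dict:
    """Return {name: (dscp, ecn, verdict)} for each packet."""
    packets = SAMPLE_PACKETS if packets is None else packets
    return {name: (dscp_of(h), ecn_of(h), classify(h)) for name, h in packets.items()}


if __name__ == "__main__":
    for name, (dscp, ecn, verdict) in summarize().items():
        print(f"{name:14s} DSCP={dscp:2d} ECN={ecn} -> {verdict}")
```

When checking the marking in Wireshark, the "Differentiated Services Field" byte for DSCP 46 reads 0xB8 (184) with ECN clear; if the capture shows 0xB9 or 0xBA, the DSCP is still 46 and a rule keyed on DSCP should still match, whereas anything keyed on the full byte will not.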