
Firewall rule - apply traffic with specific DSCP marking only - not works

Hello everybody,

I have a question about the firewall rules and DSCP marking under "Other security features"...
My Sophos instance is running in bridge mode in front of my router's WAN interface (with only one public IP).
I apply the function "Scan HTTP and decrypted HTTPS" for outgoing web traffic.
Of course, here it is necessary to use the certificate of the Sophos machine imported on the PC...
Because I use several VLANs inside my LAN, I would like to apply the rule with HTTPS scanning only to some of them, or exclude some IPs from scanning.
My primary router is a Mikrotik. I am able to mark outgoing traffic going to the internet (to the Sophos bridge) with a new DSCP (TOS) value.
My idea is to catch the HTTPS traffic marked as such with a simple rule before the "scanning" rule itself. Other untagged traffic reaches the scanning rule.

My problem is that a rule that should only be applied with a specific incoming DSCP tag (e.g. #46) matches all HTTP/S traffic.
The DSCP tag is present in the traffic - checked with Wireshark.

Can you please advise me where I am making a mistake or whether Sophos firewall rules support this feature?

Many thanks.
Kind regards,
Libor

P.S. I cannot change the topology...
(SFOS 20.0.1 MR-1-Build342)
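Added example, not part of the original post: a small Python check that reads the DSCP field out of raw IPv4/IPv6 packet bytes (as captured by Wireshark or tcpdump), shows how DSCP 46 relates to the raw ToS byte 0xB8 that Wireshark displays, and models the intended "match only DSCP 46, otherwise fall through to scanning" rule. The packet headers and addresses below are constructed for the demonstration.

```python
import ipaddress
import struct

# DSCP occupies the top 6 bits of the IPv4 ToS byte (byte 1 of the header);
# the low 2 bits are ECN. EF (Expedited Forwarding) is DSCP 46 = 0b101110,
# so the raw byte is 46 << 2 = 0xB8 (184). A firewall UI that expects the
# raw ToS byte instead of the DSCP value will never see "46" on the wire.
EF_DSCP = 46

def dscp_of(packet: bytes) -> int:
    """Return the DSCP value (0-63) of a raw IPv4 or IPv6 packet."""
    version = packet[0] >> 4
    if version == 4 and len(packet) >= 20:
        return packet[1] >> 2
    if version == 6 and len(packet) >= 40:
        # Traffic Class spans the low nibble of byte 0 and high nibble of byte 1.
        traffic_class = ((packet[0] & 0x0F) << 4) | (packet[1] >> 4)
        return traffic_class >> 2
    raise ValueError("not a complete IPv4/IPv6 header")

def ecn_of_ipv4(packet: bytes) -> int:
    """ECN bits share the ToS byte; a match on the whole byte would miss them."""
    return packet[1] & 0x03

def build_ipv4_header(dscp: int, ecn: int = 0, src: str = "10.0.10.5",
                      dst: str = "192.0.2.10", proto: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left zero) for testing."""
    tos = (dscp << 2) | ecn
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_ipv6_header(dscp: int) -> bytes:
    """Constructed 40-byte IPv6 header with the given DSCP in Traffic Class."""
    first_word = (6 << 28) | ((dscp << 2) << 20)   # version, traffic class, flow 0
    return struct.pack("!IHBB", first_word, 0, 6, 64) + bytes(32)

def matches_dscp_rule(packet: bytes, wanted: int = EF_DSCP) -> bool:
    """Model of the bypass rule: match only traffic the upstream router marked."""
    return dscp_of(packet) == wanted

if __name__ == "__main__":
    marked, unmarked = build_ipv4_header(EF_DSCP), build_ipv4_header(0)
    print(hex(marked[1]), matches_dscp_rule(marked), matches_dscp_rule(unmarked))
```

Feeding real captured packets into dscp_of (e.g. the IP layer bytes from a pcap) tells you whether the mark survived the path to the bridge, independent of how the firewall displays it.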

  • Hi,

    you could make a firewall rule for each protocol you wish to set a DSCP for and make separate rules for the IP ranges you wish to allow without scanning enabled. There is a lot of work involved and I am not sure what advantages you see from this approach.

    As dirkkotte advised, the DSCP values have no effect on the firewall performance or throughput, and you would need to check with your ISP as to what DSCP values are processed and what are ignored.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
