

Firewall rule - apply traffic with specific DSCP marking only - not works

Hello everybody,

I have a question about the firewall rules and DSCP marking under "Other security features"...
My Sophos instance is running in bridge mode in front of my router's WAN interface (with only one public IP).
I apply the function "Scan HTTP and decrypted HTTPS" for outgoing web traffic.
Of course, here it is necessary to use the certificate of the Sophos machine, imported into the PC...
Because I use several VLANs inside my LAN, I would like to apply the rule with HTTPS scanning only to some of them, or exclude some IPs from scanning.
My primary router is a Mikrotik. I am able to mark outgoing traffic going to the internet (to the Sophos bridge) with a new DSCP (TOS) value.
My idea is to catch the HTTPS traffic marked as such with a simple rule before the "scanning" rule itself. Other untagged traffic reaches the scanning rule.

My problem is that a rule that should only be applied to traffic with a specific incoming DSCP tag (e.g. #46) matches all HTTP/S traffic.
The DSCP tag is present in the traffic - checked with Wireshark.

Can you please advise me where I am making a mistake or whether Sophos firewall rules support this feature?

Many thanks.
Kind regards,
Libor

P.S. I cannot change the topology...
(SFOS 20.0.1 MR-1-Build342)
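An added example (not part of this thread or of Sophos/Mikrotik): a small Python check for the DSCP marking the post relies on. It decodes the TOS byte of raw IPv4 packets (DSCP 46 is TOS 0xB8 once the two ECN bits are appended) and simulates the intended rule order, a "DSCP 46 only" rule placed before a catch-all scanning rule. The packets and IP addresses are constructed samples.

```python
import socket
import struct

# DSCP value from the thread (Expedited Forwarding). The "TOS" byte that
# Mikrotik sets carries DSCP in its upper six bits and ECN in the lower two.
DSCP_EF = 46

def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """Encode DSCP (0-63) and ECN (0-3) into the 8-bit TOS / Traffic Class byte."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn

def parse_ipv4_tos(packet: bytes) -> dict:
    """Read DSCP and ECN from a raw IPv4 packet (no Ethernet header in front)."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, tos = struct.unpack("!BB", packet[:2])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"dscp": tos >> 2, "ecn": tos & 0x3, "tos": tos}

def classify(packet: bytes, bypass_dscp: int = DSCP_EF) -> str:
    """Simulate the rule order the post describes: rule 1 matches only packets
    carrying bypass_dscp and sits above the scanning rule; rule 2 scans the rest."""
    if parse_ipv4_tos(packet)["dscp"] == bypass_dscp:
        return "rule1-no-scan"
    return "rule2-scan-https"

def build_ipv4(tos: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal 20-byte IPv4 header (protocol TCP, checksum left 0)
    for offline testing; this is a constructed sample, not captured traffic."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

if __name__ == "__main__":
    # Constructed samples: one packet the router marked EF, one left at best effort.
    marked = build_ipv4(dscp_to_tos(DSCP_EF), "203.0.113.10", "198.51.100.20")
    plain = build_ipv4(0, "203.0.113.10", "198.51.100.20")
    for name, pkt in (("marked", marked), ("plain", plain)):
        info = parse_ipv4_tos(pkt)
        print(f"{name}: tos=0x{info['tos']:02x} dscp={info['dscp']} -> {classify(pkt)}")
```

The same decoding is what Wireshark shows in its "Differentiated Services Field" line, so a mismatch between the expected value and this output points at the marking step rather than the firewall rule.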

  • Am I reading correctly that you want SSL inspection for most systems but not for some (subnets) for traffic going to the internet?

    If that is the case you can create "do not encrypt" rules for these hosts under Rules & Policies => SSL/TLS inspection rules


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Hello Apijnappels,
    Yes, you're right. I want SSL inspection for most systems but not for some (subnets) for traffic going to the internet.
    Of course I can use the "do not encrypt" rule.
    The problem is that Sophos in BRIDGE mode is placed between the ISP's optical converter and my NAT/VPN Mikrotik router
    (so on the WAN side). The Mikrotik has a public IP address and a lot of other settings. I can't change the architecture.
    Back to the topic. This means that data going towards the Sophos firewall and to the Internet has already been processed by NAT.
    There is only one source IP address for Sophos processing, coming from my primary router.
    On the Mikrotik router side I am able to define LOCAL IP addresses or IP "C" ranges with the DSCP tag (Sophos can also do this).
    My question was whether I am able, in Sophos at the firewall rule level, to match incoming traffic based on tagged packets (e.g. DSCP)?
    I know this is missing in the rule set, or more correctly, the logic is opposite
    (as with Mikrotik, but it can match incoming traffic at the firewall based on DSCP)
    Maybe it would be possible to compare the traffic first with some QoS rule and then apply this in the Firewall???
    As a workaround, I now do this by having two NAT rules on the Mikrotik and changing the source ports in 10,000 port ranges for each rule.
    But this is not a pretty solution :)
    I know this has been asked in other discussions.
    Of course I would like this functionality, but I don't know if I'm not "alone" in thinking this way.
    It would be the subject of a feature request…

    regards, libor