Using the firewall as a web proxy.

Hi Jason,

Thank you for reaching out to Sophos Community.

Kindly try to create a firewall rule to only allow traffic via 3128, then make another firewall rule to block all (https/http) incoming traffic via port 80/443.

Upon applying to Firefox. Kindly check the logs viewer/monitor traffic via packet capture.

It is actually slightly more complicated.  There still needs to be a rule for HTTP/HTTPS for the proxy to talk externally - otherwise you will get the page attempting to load and then timeout with a sophos generated error page.

In effect you have two connections
PC <--> SFOS  <--> website

The PC to SFOS is 3128 and needs a firewall rule.
The SFOS to website is 80/443 and needs a firewall rule.  Web policy is not applied to traffic generated from the web proxy.

The firewall rules are re-evaluated on the external connection.  Otherwise web proxy can be used to bypass some firewall rules (such as GeoIP counry blocks).

Recommendation is

Rule 1 - Service 3128.  Web policy what you want.
Rule 2 - Service HTTP/HTTPS.  Web policy Block All.

Note:  Transparent mode traffic will hit the Block All policy, so they get a block page.  However exceptions are still applied, therefore they will still be able to do things like get to microsoft.com (for windows updates).  You can watch the Web Filter log for connections that are using that firewall rule and determine if you want to allow/block them via exception.

If I recall there are some other possible setups that block transparent HTTP/HTTPS more completely but are more complex.  And that customers found that some updaters and things just do not support direct mode so they found that supporting a little bit of transparent mode was nice to have.

It is suggested that if you are doing this you may want to use WPAD/PAC to deploy the proxy settings.  That way any browser configured for proxy "automatically detect settings" picks it up.  That will also catch a few non browsers as well.

It is actually slightly more complicated.  There still needs to be a rule for HTTP/HTTPS for the proxy to talk externally - otherwise you will get the page attempting to load and then timeout with a sophos generated error page.

In effect you have two connections
PC <--> SFOS  <--> website

The PC to SFOS is 3128 and needs a firewall rule.
The SFOS to website is 80/443 and needs a firewall rule.  Web policy is not applied to traffic generated from the web proxy.

The firewall rules are re-evaluated on the external connection.  Otherwise web proxy can be used to bypass some firewall rules (such as GeoIP counry blocks).

Recommendation is

Rule 1 - Service 3128.  Web policy what you want.
Rule 2 - Service HTTP/HTTPS.  Web policy Block All.

Note:  Transparent mode traffic will hit the Block All policy, so they get a block page.  However exceptions are still applied, therefore they will still be able to do things like get to microsoft.com (for windows updates).  You can watch the Web Filter log for connections that are using that firewall rule and determine if you want to allow/block them via exception.

If I recall there are some other possible setups that block transparent HTTP/HTTPS more completely but are more complex.  And that customers found that some updaters and things just do not support direct mode so they found that supporting a little bit of transparent mode was nice to have.

It is suggested that if you are doing this you may want to use WPAD/PAC to deploy the proxy settings.  That way any browser configured for proxy "automatically detect settings" picks it up.  That will also catch a few non browsers as well.