Web protection - enforce proxy standard mode

Hi,

is it possible to reduce firewall rule or web protection profiles to proxy standard mode and deactivate transparent mode for this rule?

  • You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless knows something that I've missed.

    If you create a firewall rule that only allows the configured proxy port as a destination service, the client devices are able to connect to the proxy, but the proxy is blocked from creating the outbound connections on behalf of the client device.

    In order to allow the proxy to make the upstream connections, there must also be firewall rules allowing the original client devices to connect directly to the web ports on the WAN.

    Obviously, this means that any application on the client device that doesn't respect direct proxy settings will still be able to connect, and will still have its traffic inspected by the proxy. What's the use case for wanting to force only direct proxy access?

  • We must comply with requirements that prohibit a transparent/direct connection. So I can't switch from the UTM to the XG until then.

    With best regards,

    Steppenwolf

  • Hello Steppenwolf,

    You can prevent transparent access to the internet on 80/443. I'm not sure where the miscommunication has occurred, but if you only want proxied access to the internet you only need a firewall rule (LAN to WAN) with the Proxy port found under Web Protection > General Setting. Default is 3128, but I like to change it to 8080. The allowed destination services are also enabled in the same place as the port. I have several deployments where this is being done. So to summarise:

    • Source Zone: LAN
    • Destination Zone: WAN
    • Service: Proxy port service definition
    • Enable a Web Policy of choice
    • Enable MASQ

    By doing this, the XG will allow access to the internet if you proxy via it but will not allow general access to the internet via 80/443 transparently.

    I have selected the appropriate answer in this thread.

    Emile

  • RichBaldry said:

    You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless knows something that I've missed.


    Actually Rich, you can.

    Create a Service for 3128.  Create a firewall rule that applies only to that service that has web settings.

    Off the top of my head, in v17 as long as you have that and nothing else you are good to go.  However if you have that and you also have a manually created drop all rule then you have problems.  This can be solved, see here.  https://community.sophos.com/kb/en-us/132117

    If there are other problems it may be specific to your configuration.  But it is possible.

    In v18 you might need to do a bit more fiddling on the NAT rule.
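Both Emile's rule summary and Michael's "service for 3128 plus a rule with web settings" describe the same end state: clients reach the web only through the XG proxy port, and direct 80/443 to the WAN is dropped. The script below is an added example written for this thread, not something from the posters or from Sophos, and it checks that end state from a LAN client. It assumes placeholder values: PROXY_HOST 192.0.2.1 (a documentation address standing in for the XG's LAN interface), PROXY_PORT 3128 (Emile's 8080 works just as well), and https://www.example.com/ as the target. `--fail` matters: if the proxy accepts the client's connection but is itself blocked from the upstream (the situation Rich describes), the XG answers with an error page, and without `--fail` curl would report success.

```shell
#!/bin/sh
# Check, from a LAN client, that web access works only via the XG proxy.
# All values below are placeholders; override them in the environment.
PROXY_HOST="${PROXY_HOST:-192.0.2.1}"          # XG LAN address (placeholder)
PROXY_PORT="${PROXY_PORT:-3128}"               # Web Protection > General Setting proxy port
TARGET="${TARGET:-https://www.example.com/}"   # any public HTTPS site

# Direct request, bypassing any proxy settings in the environment.
# Exit 0 only if an HTTP reply below 400 comes back; 7 = connection refused,
# 28 = timeout, 22 = HTTP error page, 127 = curl not installed.
probe_direct() {
  command -v curl >/dev/null 2>&1 || return 127
  curl --silent --fail --output /dev/null --noproxy '*' \
       --connect-timeout 5 --max-time 15 "$TARGET"
}

# Same request explicitly sent through the XG proxy port.
probe_proxied() {
  command -v curl >/dev/null 2>&1 || return 127
  curl --silent --fail --output /dev/null \
       --proxy "http://$PROXY_HOST:$PROXY_PORT" \
       --connect-timeout 5 --max-time 15 "$TARGET"
}

# verdict DIRECT_RC PROXY_RC
# Maps the two curl exit codes to a policy verdict. Only "direct blocked,
# proxy working" is the state the thread is trying to reach.
verdict() {
  direct_rc="$1"
  proxy_rc="$2"
  if [ "$direct_rc" -ne 0 ] && [ "$proxy_rc" -eq 0 ]; then
    echo "OK: direct 80/443 blocked, proxied access works"
  elif [ "$direct_rc" -eq 0 ] && [ "$proxy_rc" -eq 0 ]; then
    echo "FAIL: transparent access still allowed (a rule permits 80/443 directly)"
  elif [ "$direct_rc" -ne 0 ] && [ "$proxy_rc" -ne 0 ]; then
    echo "FAIL: no web access at all (check proxy-port rule, MASQ/NAT, or a drop-all rule ordered above it)"
  else
    echo "FAIL: direct access works but the proxy does not (proxy-port rule missing)"
  fi
}

main() {
  d=0
  probe_direct || d=$?
  p=0
  probe_proxied || p=$?
  echo "direct rc=$d proxied rc=$p"
  verdict "$d" "$p"
}

main "$@"
```

Run it from a client in the LAN zone after the rule change; the two exit codes are printed before the verdict so that a timeout (28) can be told apart from an active refusal (7) when debugging the NAT side.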

  • Hi Michael,

    Yeah, I think I'm having some trouble with a NAT in my brief test earlier.

    Will retest!

    Emile