MAC Address definition - Can they be used to allow unauthenticated outbound access?

Question

Hi, 
 UTM 9.5x 
 We have a small team of web developers, each has a VM running locally that they develop on. 
 The VM's need unauthenticated outbound access so they simulate the production environment. We currently have IP reservations for the VM's and rules set up to allow those IP's out unauthenticated but the Dev's are now visiting various other corporate sites so we would potentially need to set up IP reservations (we have about a hundred DHCP scopes across the company) and rules accordingly. It seems like a fair bit of overhead. especially as they rebuild the VM's relatively often so we have to change the IP reservations. 
 I have created a MAC address definition containing all the MAC's but i don't seem to be able to add it like a network definition. 
 If possible i would like to allow the MAC outbound unauthenticated so it does not matter where they are or what IP they have. On rebuild its just a case of updating the definition with the new MAC. 
 Can this be done? 
 
 NB. We used to have the VM's hosted in Hyper-V/VMWare centrally but for one reason and another they are now local to their machine.

Cheers 
 
 Geoff

DouglasFoster · Answer

The MAC address is lost as soon as a packet is routed from one LAN to the next. UTM cannot filter on what it cannot see, so your goal is not reachable. Web filtering can only filter on Source IP address, so even in a single-LAN environment, the solution would be to give the device a static IP address or a DHCP reservation. You need a different approach., 
 I have encountered several fat-client applications that need to connect to a cloud-based service, and have trouble with web filtering based on AD SSO. Although some fat-client applications are wrappers around a web browser, and can take advantage of transparent AD SSO authentication, most are not. Without NTLM, the application's web actions appear to be unauthenticated. 
 Three alternatives: 
 #1 The best solution is for the application to support proxies. This involves prompting and probably storing a set of manually-entered credentials. When the application detects a 407 status code, it responds with the stored credentials. If you are building a commercial product, it is likely that some of your customers will have web proxies as well, so the application should be designed to cope with both standard-mode and transparent-mode proxy configurations. UTM is a great tool for testing those features. 
 #2 Website exception for the destination website(s). I am assuming that you have a finite number of web destinations that need to be accessed without authentication. 
 
 My preferred method is to create a website object for the organization (e.g. example.com with "include subnets" checked) or a list of FQDN names (web7.example.com and static3.example.com). Assign a tag to the website object, then create an authentication-not-required exception for the tag. This eliminates regular expression headaches, which tend to have design mistakes which produce unintended consequences. 
 If the exception is only needed and only desired for a portion of a website, then you can use regular expressions to match the host name and path. This only works if the connection is ftp, http, or https-with-inspection, because https-without-encryption hides the path and query string from UTM in the encrypted portion of the packet. Any connection to your cloud service should be https, so I doubt that path-based filtering will be workable for you. 
 
 #3 Create a filter Action based on host name. Create a DNS Host object for each of the special PCs. Assign those host objects to the Allowed Networks list of a new Filter Profile, and configure the Filter Profile with Authentication=None. Then position the Filter Profile at the top of the list so that it always applies to those PCs. This approach is closest to your desired configuration, and it does not depend on a limited number of destination websites. You are still able to enforce normal UTM protections like Antivirus Scanning, Website Reputation, Category Filtering, and IPS/ATP filtering. If you configure Reverse DNS for each of your internal subnets, you can also get host names in the webfilter log file instead of source IP. That last step is not strictly required, because the webfilter log also contains the Filter Profile name and the authentication method code, both of which will tell you whether it is one of the special PCs or not.

geoff morgan · Answer

Thank you @DouglasFoster 
 
 That is very helpful. I will look into option 3. 
 
 Many thanks

geoff