
Policy Routes vs Web Filtering

Hello,

I found similar topics on the forum but none of them clearly explained what the problem is. It seems Web Filtering is taking priority over Policy Routes.

I have the following routing problem:

Network 10.10.10.0/24, which is a production network, is allowed to browse the web (HTTP & HTTPS) via the Web Filtering "Allowed Network" Field.

A policy route is configured for host 10.10.10.253. All traffic originating from 10.10.10.253 should be routed to another gateway. Obviously the 10.10.10.253 host is part of the 10.10.10.0/24 subnet.

All ICMP-UDP traffic is correctly routed. HTTP and HTTPS (TCP 80 + TCP 443) is routed via the Sophos UTM.

Because the Web filter "Allowed Network" field only allows networks to be added, I cannot add the IP address I want to exclude.

The only solution I imagined is to add the following subnets to the Web Filter config.

CIDR             Start IP        End IP          Subnet mask       Addresses  Hosts  Wildcard mask
10.10.10.1/32    10.10.10.1      10.10.10.1      255.255.255.255   1          1      0.0.0.0
10.10.10.2/31    10.10.10.2      10.10.10.3      255.255.255.254   2          2      0.0.0.1
10.10.10.4/30    10.10.10.4      10.10.10.7      255.255.255.252   4          2      0.0.0.3
10.10.10.8/29    10.10.10.8      10.10.10.15     255.255.255.248   8          6      0.0.0.7
10.10.10.16/28   10.10.10.16     10.10.10.31     255.255.255.240   16         14     0.0.0.15
10.10.10.32/27   10.10.10.32     10.10.10.63     255.255.255.224   32         30     0.0.0.31
10.10.10.64/26   10.10.10.64     10.10.10.127    255.255.255.192   64         62     0.0.0.63
10.10.10.128/26  10.10.10.128    10.10.10.191    255.255.255.192   64         62     0.0.0.63
10.10.10.192/27  10.10.10.192    10.10.10.223    255.255.255.224   32         30     0.0.0.31
10.10.10.224/28  10.10.10.224    10.10.10.239    255.255.255.240   16         14     0.0.0.15
10.10.10.240/29  10.10.10.240    10.10.10.247    255.255.255.248   8          6      0.0.0.7
10.10.10.248/30  10.10.10.248    10.10.10.251    255.255.255.252   4          2      0.0.0.3
10.10.10.252/32  10.10.10.252    10.10.10.252    255.255.255.255   1          1      0.0.0.0

Not sure if the Sophos will accept the /32 masks though.

Does anyone have a solution for this?
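The block list above is the kind of output the Python standard library's `ipaddress.address_exclude` produces. As an added example (not part of the original post), the helper below carves one or more hosts out of a network the same way, prints the same columns as the table, and checks that the result is disjoint, leaves out only the excluded addresses, and covers the rest of the network; it returns every block of the /24 other than .253, so the .0/25 and .254/31 blocks appear as well.

```python
import ipaddress

def exclude_from(network, excluded):
    """Return the sorted CIDR blocks covering `network` minus every
    address in `excluded` (hosts or subnets, given as strings)."""
    blocks = [ipaddress.ip_network(network)]
    for item in excluded:
        hole = ipaddress.ip_network(item)        # '10.10.10.253' -> /32
        remaining = []
        for b in blocks:
            if hole.subnet_of(b):
                # split b into the blocks that surround the hole
                remaining.extend(b.address_exclude(hole))
            else:
                remaining.append(b)
        blocks = remaining
    return sorted(blocks)

def describe(block):
    """Same columns as the table in the question: CIDR, start, end,
    subnet mask, addresses, usable hosts, wildcard mask."""
    n = block.num_addresses
    hosts = n if block.prefixlen >= 31 else n - 2   # /31 and /32 have no net/broadcast
    return {
        "cidr": str(block),
        "start": str(block.network_address),
        "end": str(block.broadcast_address),
        "mask": str(block.netmask),
        "addresses": n,
        "hosts": hosts,
        "wildcard": str(block.hostmask),
    }

def covers_everything_but(network, excluded, blocks):
    """True if the blocks are disjoint, contain no excluded address,
    and together cover every other address of the network."""
    net = ipaddress.ip_network(network)
    banned = {a for x in excluded for a in ipaddress.ip_network(x)}
    seen = set()
    for b in blocks:
        for a in b:
            if a in banned or a in seen or a not in net:
                return False
            seen.add(a)
    return len(seen) == net.num_addresses - len(banned)

if __name__ == "__main__":
    result = exclude_from("10.10.10.0/24", ["10.10.10.253"])
    for b in result:
        print(describe(b))
    print("valid:", covers_everything_but("10.10.10.0/24", ["10.10.10.253"], result))
```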



This thread was automatically locked due to age.
  • I would configure a WebFiltering-Option // Transparent Proxy Exception for the destination Host/Network

    So the proxy should not grab the traffic and the policy route can take place.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hello and welcome to the UTM Community!

    Dirk's suggestion is a great solution: simple and elegant.

    There is a way to create a separate Web Filtering Profile for 10.10.10.253.  Web Filtering Profiles are in an ordered list, so the additional Profile would take precedence over the default profile.  Then, you need to run the following command to be able to specify in WebAdmin the outgoing interface for each Profile:

    cc set http enable_out_interface 1

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Many thanks  and  for the replies.

    I configured a new Web Filter Profile: 

    - As allowed network, one can add a single host > I added 10.10.10.253

    - Operation mode: transparent mode

    - On the HTTPS tab, I selected "Do not proxy HTTPS traffic in transparent mode"

    Now my client HTTPS/HTTP traffic is not ROUTED through the Sophos itself (Masquerading/SNAT + Default Sophos GW). HTTP and HTTPS are now explicitly allowed in a firewall rule, and traffic is routed according to the policy route I configured.

    This was tricky but 100% solved.

    The "cc set http enable_out_interface 1" option is interesting to know, but wasn't necessary in my case.

    Thanks a lot 

  • There is no way to use a Policy Route for 10.10.10.0/24 while also using the Web Filter profile, right?

    I'll explain it simply:

    • I have a static route to internet over eth1.
    • My policy route is over eth5.
    • Webfilter profile takes the eth1 path over the internet, instead of eth5

    Would "cc set http enable_out_interface 1" change this behavior? Does this setting survive a firmware upgrade?

  • No, WebAdmin won't make a Static Route that takes precedence over the Web Filtering settings, so neither of those routes is working as you thought.

    I think you can use Multipath rules to accomplish what you want.  See Rule #2.1 in Rulz (last updated 2020-11-12).

    Yes, the cc setting does survive reboots and upgrades.  This setting doesn't change the behavior relative to Static Routes.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the reply.

    Interesting. I just found out that there is a multipath rule for HTTP/HTTPS which is already active. This multipath rule seems to be routing the traffic via the uplinks.

    The production network 10.10.10.0/24 is probably using this route since the beginning in order to browse the web.

    This whole topic was about routing a host through another gateway. I guess I will then just add a rule before, specifying the correct gateway.