Policy Routes vs Web Filtering

Question

Hello, 
 I found similar topics on the forum but none on them clearly explained what the problem is. It seems Web filtering is taking priority over Policy Routes. 
 I have the following routing problem : 
 Network 10.10.10.0/24, which is a production network, is allowed to browse the web (HTTP & HTTPS) via the Web Filtering "Allowed Network" Field.

A policy route is configured for host 10.10.10.253. All traffic originated from 10.10.10.253 should be routed to another gateway. Obviously is the 10.10.10.253 host part of 10.10.10.0/24 subnet. 
 
 All ICMP-UDP traffic is correctly routed. HTTP and HTTPS (TCP 80 + TCP 443) is routed via the Sophos UTM. 
 
 Because the Web filter "Allowed Network" field only allows networks to be added, I cannot add the IP address I want to exclude. 
 The only solution I imagined is to add the following subnets to the Web Filter config.

CIDR 
 Start IP 
 End IP 
 Subnet mask 
 Addresses 
 Hosts 
 Wildcard mask

10.10.10.1/32 
 10.10.10.1 
 10.10.10.1 
 255.255.255.255 
 1 
 1 
 0.0.0.0

10.10.10.2/31 
 10.10.10.2 
 10.10.10.3 
 255.255.255.254 
 2 
 2 
 0.0.0.1

10.10.10.4/30 
 10.10.10.4 
 10.10.10.7 
 255.255.255.252 
 4 
 2 
 0.0.0.3

10.10.10.8/29 
 10.10.10.8 
 10.10.10.15 
 255.255.255.248 
 8 
 6 
 0.0.0.7

10.10.10.16/28 
 10.10.10.16 
 10.10.10.31 
 255.255.255.240 
 16 
 14 
 0.0.0.15

10.10.10.32/27 
 10.10.10.32 
 10.10.10.63 
 255.255.255.224 
 32 
 30 
 0.0.0.31

10.10.10.64/26 
 10.10.10.64 
 10.10.10.127 
 255.255.255.192 
 64 
 62 
 0.0.0.63

10.10.10.128/26 
 10.10.10.128 
 10.10.10.191 
 255.255.255.192 
 64 
 62 
 0.0.0.63

10.10.10.192/27 
 10.10.10.192 
 10.10.10.223 
 255.255.255.224 
 32 
 30 
 0.0.0.31

10.10.10.224/28 
 10.10.10.224 
 10.10.10.239 
 255.255.255.240 
 16 
 14 
 0.0.0.15

10.10.10.240/29 
 10.10.10.240 
 10.10.10.247 
 255.255.255.248 
 8 
 6 
 0.0.0.7

10.10.10.248/30 
 10.10.10.248 
 10.10.10.251 
 255.255.255.252 
 4 
 2 
 0.0.0.3

10.10.10.252/32 
 10.10.10.252 
 10.10.10.252 
 255.255.255.255 
 1 
 1 
 0.0.0.0

Not sure if the Sophos will accept the /32 masks though. 
 
 Does anyone have a solution for this?

dirkkotte · Accepted Answer

i would configure a WebFiltering-Option // Transparent Proxy Exception for the destination Host/Network 
 So the proxy should not grab the traffic and the policy-Route can take palce.

BAlfson · Answer

Hallo and welcome to the UTM Community! 
 Dirk's suggestion is a great solution simple and elegant. 
 There is a way to create a separate Web Filtering Profile for 10.10.10.253. Web Filtering Profiles are in an ordered list, so the additional Profile would take precedence over the default profile. Then, you need to run the following command to be able to specify in WebAdmin the outgoing interface for each Profile: 
 cc set http enable_out_interface 1 
 Cheers - Bob

BAlfson · Answer

No, WebAdmin won't make a Static Route that takes precedence over the Web Filtering settings, so neither of those routes is working as you thought. 
 I think you can use Multipath rules to accomplish what you want. See Rule #2.1 in Rulz (last updated 2020-11-12) . 
 Yes, the cc setting does survive reboots and upgrades. This setting doesn't change the behavior relative to Static Routes. 
 Cheers - Bob

Policy Routes vs Web Filtering

Top Replies