
UTM 9.7 SSL - SSL VPN allows Local Network Access when only Internet IPv4 is configured

Hi Guys,

I'm running the latest UTM 9 (version 9.705-3). I have the following configuration:

LAN 1: 10.10.1.0/24

LAN 2: 10.10.2.0/24

SSL VPN Pool: 10.10.3.0/24

Everything works fine. I can log in with VPN users and they get allocated an IP address as expected from the SSL VPN Pool.

Now the issue comes in with the access rights: under Remote Access -> SSL -> Profiles, if I add ONLY "Internet IPv4" and none of the LANs in the Local Networks section, so as to only access the internet through the VPN, I realized I could also access port 80 on the devices in LAN 1 and LAN 2 (e.g. printers, switches).

The automatic firewall rules are deactivated. So I tested whether I could access the internet - of course it doesn't work, as expected, because there is no firewall rule, but I can still access LAN1 and LAN2 devices on port 80.

I found this to be quite strange, so I added a firewall rule at the top (Network Protection -> Firewall) to explicitly drop traffic from the SSL VPN pool going to Any location. This still doesn't drop traffic to LAN1 and LAN2. I tried dropping the specific traffic (instead of Any I used LAN1 and LAN2 specifically) - nothing works. I even went through the whole process again and now instead of "Internet IPv4" in the Local Networks section I used "Any" - the result is the same.

Internet access works fine if I enable auto firewall rules or make my own, and set up masquerading, DNS etc., but I can still access the Local Networks.

Interestingly, if I only include LAN 1 in the Local Networks section, I cannot access LAN 2 (and of course the internet is not routed through the UTM).

So my question: might anyone else have experienced this? Have I stumbled across a bug? Or might I have some misconfiguration? I have searched through the forums and haven't found anything related to this.

Best Regards,

Eugene



  • Hi All,

    An update in case anyone ever runs into the same issue:

    After hours of searching I found the culprit myself. ->> Web Filtering!!! It seems to be a more general issue. It looks like LAN traffic on ports 80, 443 is only controlled by the Web proxy and not the Firewall. This is quite weird because WAN traffic is blocked by the firewall if there are no firewall rules explicitly allowing it. The workaround I implemented was a web filter profile for the SSL VPN Network with Regex rules blocking traffic to the LAN. This would however be very cumbersome to implement in an environment with several LANs having internet access and granular rules to control inter-network traffic.

    I would be interested in Sophos' take on the issue. Is this intended to work this way or was it a programming oversight? Or do I have a misconfiguration somewhere?

    Regards

    Eugene

  • Hello,

    this is by design. You just confused what is meant by "local networks" in those VPN settings; you shouldn't put the object "Internetv4" in there.

    Local means LOCAL. "Internetv4" is everything BUT local. If you want your VPN clients to access the internet through your WebProxy running on the Sophos, access to your local LANs is sufficient. So this is indeed a misconfiguration. Further on, if using the Webfilter-proxy, you should not allow any clients to go to the Internet directly (circumventing the proxy).

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi jprush,

    Thanks for your reply. I have tried adding ONLY a LAN network with access to the internet and excluding Internet IPv4. This doesn't work. It results in a split tunnel. Only traffic to the selected LAN is allowed. Somehow there doesn't seem to be any difference between "Any" and "Internet IPv4". When I only include Internet IPv4 or Any, then define firewall rules etc. and include the SSL pool in the webfilter, internet traffic is proxied.

  • Hello,

    maybe you are missing the MASQ entry for the VPN-Pool towards the Internet-Interface?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I have masquerading set up and can access the internet through the UTM and web proxy when I have Internet IPv4 added to the local networks. If I don't add Internet IPv4 or "Any" I have a split tunnel.
    My issue is only that if I do this I can also access LAN services on ports 80 and 443.

    Just to be clear, you are saying that if I set up only a LAN network in the local networks section I should also be able to connect to the internet? Wouldn't that be in contradiction of the Sophos user guide? And this would create another "problem" if I don't want VPN users to access the internet through the UTM.

  • Local Network means local network, please believe me.

    There is a misconfiguration in your setup that I will really help you to figure out.

    If you do not want the VPN Clients to access the internet, then just do NOT set up a firewall rule like I told before. It's that simple!

    What do you mean by contradiction to the user guide? Please cite that passage.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Again,

    I have done a few more tests with your recommended configuration.

    Following scenario:

    1 LAN (LAN 1) in the SSL VPN local networks section, with firewall rules set up, masq. and the SSL VPN network included in the webfilter.

    VPN Client - Device with IPv4 XX

    Result:

    Client with IPv4 XX connects to VPN and gets an internal IP from the SSL VPN Pool. The client has access to LAN1 and internet access which is controlled by the firewall but does NOT go through Webfiltering (no entries in the Webfilter log). The internet address seen when surfing is still XX, although there is additionally an IPv6 address which was not there before when not connected to the VPN.

    When I include "Internet IPv4" or "Any" in the Local Networks, the device surfs the internet with the UTM IPv4 address (external address YY and NOT XX) and traffic goes through the webproxy. BUT the VPN client can also access LAN 2 services on ports 80 and 443, which is not configured anywhere!

  • I found a 4-year-old thread in the German Forum which is basically the same issue but from a different perspective. It seems like all port 80 and 443 traffic for networks configured to use the Webfilter is controlled by the Webfilter regardless of the Firewall config. Hence, when I configure "Internet IPv4" or "Any" in the Local Networks section of SSL VPN and add the SSL VPN pool to the webfilter, the VPN user gets access to all "port 80 and 443" services by default. The rest is controlled by the firewall. The VPN user can thus already access these port services in the Local Networks but requires masq. and at least DNS allowed in the firewall to get to internet locations.

    Interesting, but it seems the only way to have VPN internet traffic proxied is by selecting "Internet IPv4" or "Any" in the local networks section, and then blocking the local networks (ports 80 and 443) in the Webfilter for networks that should not be accessed.

    I have also tested this generally (now regardless of VPN). I have LAN1 and LAN2 in the webfilter and my first firewall rule is to block ALL traffic from LAN1 to LAN2; I can still access ports 80 and 443 on LAN2 unless I block them explicitly in the webfilter. Maybe Sophos should add this information on the Webfilter page. It is not intuitive and I had to really search to discover this.

    Here's a link to the thread:

    https://community.sophos.com/utm-firewall/f/german-forum/94073/utm9-firewall-port-80-und-443-standard-erlaubt/341204
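The workaround discussed in this thread is a web filter profile with regex rules that block the LAN ranges. The helper below is an added example (not code from the thread or from Sophos) that derives such patterns from the LAN ranges named above and checks them against constructed sample URLs; it assumes the UTM applies website regex rules to the full URL including the scheme, and it generalizes beyond /24 to any prefix length.

```python
import ipaddress
import re

# Ranges from the thread: LAN 1 and LAN 2 should be blocked for VPN users,
# the SSL VPN pool (10.10.3.0/24) and the internet should not be.
LAN_RANGES = ["10.10.1.0/24", "10.10.2.0/24"]


def cidr_to_url_regex(cidr: str) -> str:
    """Build a regex matching http(s) URLs whose host is an IPv4 literal in cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = str(net.network_address).split(".")
    fixed = net.prefixlen // 8          # octets fully determined by the prefix
    parts = [re.escape(o) for o in octets[:fixed]]
    if net.prefixlen % 8:               # partially covered octet: enumerate values
        lo = int(octets[fixed])
        span = 2 ** (8 - net.prefixlen % 8)
        parts.append("(" + "|".join(str(v) for v in range(lo, lo + span)) + ")")
        fixed += 1
    parts += [r"[0-9]{1,3}"] * (4 - fixed)   # remaining octets: any value
    host = r"\.".join(parts)
    # optional port, then either a path or end of URL, so 10.10.1.20 does not
    # accidentally match 10.10.1.200 via a prefix of its last octet
    return r"^https?://" + host + r"(:[0-9]+)?(/|$)"


def lan_block_patterns(ranges=LAN_RANGES) -> list:
    return [cidr_to_url_regex(c) for c in ranges]


def is_blocked(url: str, patterns=None) -> bool:
    """True if the URL would be caught by one of the LAN block rules."""
    patterns = patterns if patterns is not None else lan_block_patterns()
    return any(re.match(p, url, re.IGNORECASE) for p in patterns)


# Constructed sample URLs a VPN client might request (not from the thread).
SAMPLE_URLS = {
    "http://10.10.1.20/": True,                 # printer in LAN 1
    "https://10.10.2.5:8443/admin": True,       # switch in LAN 2, custom port
    "http://10.10.3.7/": False,                 # SSL VPN pool, not a LAN
    "http://10.10.10.1/": False,                # outside both /24s
    "https://example.com/": False,              # internet, stays proxied
}

if __name__ == "__main__":
    for pattern in lan_block_patterns():
        print(pattern)
    for url, expected in SAMPLE_URLS.items():
        print(f"{url:32} blocked={is_blocked(url)} (expected {expected})")
```

Such rules only catch IP-literal URLs; a DNS name that resolves to a LAN address needs its own pattern, so keep the firewall as the primary control for the non-HTTP ports.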