Hi,
we just got a little bit confused as we discovered that we can access our intranet (10.10.200.2/16) over http from any of our other networks, such as the GuestWlan (172.31.0.0/16), the DMZ (172.30.1.0/24) and others, if we call it by IP (http://10.10.200.2).
The other direction (internal to DMZ, Guest-WLAN to DMZ, ...) is also working.
The problem is that the proxy is NATing internally: even if the traffic is coming from 172.x to 10.x, Sophos turns the sender IP into 10.10.1.1, the internal interface, so no firewall rule can capture and block this traffic. This was confirmed by Sophos support.
But only port 80, not 443 or other ports that are allowed in Misc?
It's a proxy problem, no matter whether standard or transparent proxy. If I turn off the Proxy WebFilter Profile for the source network, the problem is fixed.
So when I configure a Guest-WLAN with sophos as webproxy our guests can access our internal http sites.
I have 2 choices:
- a secure internal net while my guests can watch porn and do illegal stuff in my network (no proxy, only firewall rules)
- or my guests can enter our internal sites but are restricted from watching porn... (proxy and firewall rules)
I have tested almost everything. Application Control, explicit drop rules for 80/http and the proxy settings of the browser do not affect this problem.
Does anyone know this issue and have a better solution than blocking every single hostname and IP of the internal web servers?
I just found this discussion: https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/45178/web-proxy-passing-port-80-to-internal-net-from-dmz
It seems logical to "use the Internet object instead of Any." - but where can I change this?
Greetings