The setup is a layer 2 switch with 2 VLANs, Management (172.20.20.0/24) and Data (192.168.100.0/24). The VLANs are separate port groups. The switch has a physical connection for each VLAN connected to 2 interfaces on the UTM. The UTM is the default gateway for each VLAN and is handling all routing, DHCP & DNS. It appears by default the UTM is routing between the two interfaces. I am able to access the Management network while connected to the Data network. I want to keep the Management network separate and only accessible by physically plugging into one of the dedicated switch ports. I have tried firewall rules but that did not work. The only way I was able to prevent accessing the Management network from the Data network was to set up a DNAT blackhole rule. However, I am still able to access the UTM WebAdmin Management interface from the Data network. Does the UTM automatically route between its interfaces? Is a NAT rule the only way to prevent it? Is there any way to prevent accessing the WebAdmin Management interface from the Data network?
Firewall rules won't prevent the Web Proxy from passing traffic. If a DNAT blackhole works, then you're using Web Filtering in Transparent mode.
You could add the Management VLAN to the 'Transparent Mode Skiplist' and uncheck 'Allow HTTP/S traffic for listed hosts/nets.'
A better approach would be a separate Web Filtering Profile for the Management VLAN. Then, block the website(s) in the Management VLAN in the Profile for the Data VLAN. This second approach also blocks Data->Management traffic if the user addresses the Proxy in Standard mode.
Cheers - Bob
Thanks Bob. I was able to add the CIDR range under Filtering Options->Websites, tag it and add it to the Data network filter action "Control sites tagged in the Website List". This worked for all of the sites on the Management network except the UTM WebAdmin address. I'm still able to access the WebAdmin Management interface from the Data network. Is this expected behavior?
That's OK for accesses by IP, but if DNS resolves an FQDN for a device in the Management VLAN, the access won't be blocked.
In 'WebAdmin Settings', remove "Any" from 'Allowed Networks' and replace it with the "Management (Network)" object. I usually add my "(User Network)" object in there along with my home IP and other sites I control.
Cheers - Bob
Thanks for the help.