
Anyone using UTM in Bridged mode?

There are four possible configurations for UTM:

  1. UTM is the perimeter firewall, supporting all features
  2. UTM is immediately behind the perimeter firewall on a bridged connection, supporting all features
  3. UTM is immediately behind the perimeter firewall on a routed connection, supporting all features
  4. UTM is out-of-band (anywhere else on the intranet), supporting only Standard Proxy and Internal features

Bridged and Routed connections should be functionally identical.   However, inserting UTM into the network using a bridged connection should require no changes to the firewall or the internal router, while inserting UTM into an existing network using a routed connection will require addressing and routing changes on one of the adjacent devices.  So option 3 can be ignored.

I don't want to use UTM as my firewall, and option 4 does not support all features, so bridged mode has the most appeal.   On a UTM bridge, the system administrator must specify all of the ethertypes that are supposed to be passed, and I don't know how to determine which ones will be needed.  I did find an RFC with all of them listed, but it is a long list and UTM requires them to be entered one at a time.

My one brief attempt to use a bridged configuration failed miserably, mostly because I could not figure out how to debug problems, and I did not have the luxury of waiting while a support case percolated through Sophos.  The test was at least a year ago, so I don't remember many details, other than that Internet traffic was not flowing properly.   My unused bridge configuration is still preserved in UTM:

  • Ethertypes passed:  8887, 0806, 814c, 8035, 876b
  • Allow arp broadcasts: Yes
  • Allow IPV6:  No (not required)
  • Spanning tree:  Off
  • Aging timeout: 30 seconds (default)
  • Virtual MAC address:  default (lowest of member MAC addresses)

Has anyone made bridged mode work?   What settings did you use?   If you tried and failed, do you know why it failed for you?



  • Follow up:  

    I am preparing to try again with Bridged Mode, with UTM still behind another firewall.   With bridge mode enabled, UTM can implement transparent proxies, and the other firewall configuration does not need to change.   If a UTM upgrade creates disaster, I could take it out of the configuration and still have a working network.   The bridge is the only interface that needs to be active.

    The downside to this configuration, per KB# 121221 is that if Transparent AD SSO is used, it needs to hog ports 80 (and presumably 443) on the (only) interface, which disables any ability to use User Portal and SSL VPN on that IP address and port.   The KB article implies that it might even block WAF traffic on one of the interface's additional addresses, which surprises me.

    I am planning to use Transparent Web Proxy primarily to find traffic that is bypassing Standard Proxy.   Some of that traffic will be from servers, and I don't want to break existing functionality by triggering a login prompt.   So the Transparent Proxy will use Authentication None, because reconfiguring that other traffic to another port would be too disruptive to me and to my users.

  • Adding notes to provide a consolidated reference on what I have learned:

    Converting Exception sites from the proxy script:

    In standard mode, I use a proxy script to bypass certain highly-trusted websites.   These have been configured as wildcards, such as "contains .123rescue.com/" (which Sophos Support uses for screen sharing).   I want to keep these sites bypassed when I activate Transparent Mode, but the Transparent Mode Skip List does not support domain wildcards.   Since the bypassed sites have never been logged, I have no way of knowing what host names might be needed for this to work (and the list would probably be incomplete anyway.)

    Fortunately, this issue was discussed previously in this link

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/76428/wild-card-dns-definitions-in-transparent-skip-list

    The solution is to use a website exception instead of using the skip list.    The link suggested using Regex, but I think I have an easier method:

    • Create a new Website Override and paste in all of the sites referenced in the proxy script.   
    • Assign a tag, such as "Web Proxy Bypass", check the option for "Include Subdomains", then save.   
    • Create an exception, with as few or as many features disabled as you desire, and link it to the Tag "Web Proxy Bypass".

    Choose "Full Transparent Mode", not "Transparent Mode"

    This option is only enabled when bridge mode is active, and the discussion on this link says that it is actually required when bridge mode is active.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/73266/bridge-web-protection-transparent-block-traffic-http-https

    When changing from out-of-band to bridge mode, create a UTM firewall rule for ANY-ANY = ALLOW, or something similar as appropriate

    When UTM is out-of-band, no firewall filtering occurs because only Standard Proxy traffic moves through the UTM.   Once UTM is in-line, all unproxied traffic flows through the firewall layer.   Since UTM is not zone-based, even outbound traffic needs to be explicitly authorized.  Assuming that traffic filtering is performed correctly by the firewall that is in front of UTM, then an ANY-ANY-ALLOW rule should be sufficient.   A more restrictive rule will usually be needed for sites with DMZ, Remote Access, or Guest WiFi users connecting through the UTM. 

    (On my first attempt to use Bridge mode, I probably failed because I did not create a Firewall-allow rule and I did not use Full Transparent Mode.)
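As an added example (not code from the post or from Sophos), the conversion step above can be scripted: pull the base domains out of the DIRECT rules of a PAC-style proxy script, then emulate "Include Subdomains" matching to confirm that the hostnames seen in the transparent proxy log would still be bypassed. The PAC helper names are standard; the sample hostnames and the assumed suffix-at-label-boundary semantics of "Include Subdomains" are constructed assumptions.

```python
import re

# Constructed sample PAC script, modelled on the post's
# "contains .123rescue.com/" entry; the other hostnames are examples only.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.123rescue.com")) return "DIRECT";
    if (dnsDomainIs(host, ".example-updates.net")) return "DIRECT";
    if (url.indexOf(".vendor-support.example/") != -1) return "DIRECT";
    return "PROXY 192.0.2.1:8080";
}
"""

# One regex per bypass idiom; each captures the bare base domain.
_PATTERNS = [
    re.compile(r'shExpMatch\(host,\s*"\*?\.?([^"]+)"\)'),
    re.compile(r'dnsDomainIs\(host,\s*"\.?([^"]+)"\)'),
    re.compile(r'url\.indexOf\("\.?([^"/]+)/?"\)'),
]


def extract_bypass_domains(pac_text):
    """Return the base domains of every DIRECT rule, ready to paste into a
    Website Override (one per line, with 'Include Subdomains' ticked)."""
    domains = set()
    for line in pac_text.splitlines():
        if "DIRECT" not in line:
            continue  # proxied rules are not bypass entries
        for pat in _PATTERNS:
            m = pat.search(line)
            if m:
                domains.add(m.group(1).lower())
                break
    return sorted(domains)


def is_bypassed(host, domains):
    """Assumed 'Include Subdomains' semantics: exact match or a parent domain
    at a label boundary, so 'not123rescue.com' must NOT match '123rescue.com'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def uncovered_hosts(log_hosts, domains):
    """Hosts from a proxy log that the override list would not bypass."""
    return sorted(h for h in log_hosts if not is_bypassed(h, domains))
```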
