
forbid Access from / for a specific Network / Subnet

Hi Guys,

This time I have a really strange situation and hope for your help / a good idea.

Situation:

I have a subnet which should only be able to connect using VPN. So I created the VPN via Remote Access SSL and disabled the firewall rule (DNS, web surfing). I tried to connect to the Internet and, to my surprise, it still works. Then I tried to disable this network completely and disabled (for testing) the masquerading rule, but it still works (Internet access). And now I tried to create a network rule which forbids all traffic from this subnet, and maybe you guess that it still works -> confused.

Maybe someone has an idea of what is going wrong here?

No masquerading rule, nothing that allows the traffic through the firewall, and even a rule in the firewall to block all traffic from this network -> but still Internet access. I'm confused.

  • On your VPN Profile, you configure an Allowed Networks list. Traffic for those destinations goes through the VPN tunnel, and everything else is handled by the PC's network connection. I think this is the reason for your symptoms. It is also probably all that needs to be done for your scenario. This is called split-tunnel VPN.

    An alternative is for the VPN Profile to allow all networks, to create a full-tunnel VPN. This forces all network traffic to flow to the UTM, which means that you need to have configuration rules to block whatever is needed. UTM has a unique architecture: traffic which goes through a proxy will bypass the firewall rules. That is why this configuration is more complicated.

    To illustrate:

    Assume your SSL VPN traffic arrives on 10.10.10.0/24 and is only supposed to have access to 192.168.10.0/24, but your entire network uses many subnets within 192.168.0.0/16. VPN access to the Internet should also be blocked.

    Firewall Rules

    1. ALLOW traffic from 10.10.10.0/24 to 192.168.10.0/24 port ANY.
    2. BLOCK traffic from 10.10.10.0/24 to ANY port ANY.

    Web Proxy, FTP Proxy, POP3 proxy, etc

    • Ensure that 10.10.10.0/24 is not on any Filter Profile allow network range, OR
    • Create a Filter Profile for 10.10.10.0/24 which is linked to a policy and a Filter Action that blocks everything, then give it precedence over any filter profile that includes 10.10.10.0/24 in a larger network range.

    WAF

    • Use Access Control on Site Path Routing to prevent access from the VPN subnet
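    A small model of the two mechanisms this answer describes (first-match firewall rules, and proxied traffic that never reaches those rules), as an added example that is not part of the original post or of the UTM product code. The rule set and the proxy Allowed Networks list are constructed for illustration; the 10.0.0.0/8 proxy entry is an assumed misconfiguration that swallows the VPN subnet.

```python
import ipaddress

# Constructed rule set, in the order given in the post: the first matching rule wins.
FIREWALL_RULES = [
    ("ALLOW", "10.10.10.0/24", "192.168.10.0/24"),
    ("BLOCK", "10.10.10.0/24", "0.0.0.0/0"),
]

# Constructed: networks listed as "Allowed Networks" on the transparent web proxy.
# Assumed misconfiguration: a broad range that happens to contain the VPN subnet.
PROXY_ALLOWED_NETWORKS = ["10.0.0.0/8"]


def firewall_verdict(src, dst, rules=FIREWALL_RULES):
    """First-match evaluation of the firewall rule list; default deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "BLOCK"  # assumed default when no rule matches


def utm_verdict(src, dst, port, proxy_allowed=PROXY_ALLOWED_NETWORKS, rules=FIREWALL_RULES):
    """Model of the architecture in the post: traffic picked up by a proxy (here a
    transparent web proxy on 80/443 whose Allowed Networks include the client) is
    handled by the proxy and never evaluated against the firewall rules."""
    s = ipaddress.ip_address(src)
    proxied = any(s in ipaddress.ip_network(n) for n in proxy_allowed)
    if port in (80, 443) and proxied:
        return "ALLOW (web proxy, firewall rules bypassed)"
    return firewall_verdict(src, dst, rules)


def audit_proxy_allowed(vpn_subnet, proxy_allowed):
    """The check the post recommends: which proxy Allowed Networks entries contain the
    VPN subnet? Each hit is a range that lets VPN clients bypass the block rule."""
    v = ipaddress.ip_network(vpn_subnet)
    return [n for n in proxy_allowed if v.subnet_of(ipaddress.ip_network(n))]


if __name__ == "__main__":
    # 203.0.113.10 is a documentation (TEST-NET-3) address standing in for an Internet host.
    print(firewall_verdict("10.10.10.5", "192.168.10.20"))          # ALLOW
    print(firewall_verdict("10.10.10.5", "192.168.20.20"))          # BLOCK
    print(utm_verdict("10.10.10.5", "203.0.113.10", 443))           # bypassed via proxy
    print(utm_verdict("10.10.10.5", "203.0.113.10", 443, proxy_allowed=[]))  # BLOCK
    print(audit_proxy_allowed("10.10.10.0/24", PROXY_ALLOWED_NETWORKS))      # ['10.0.0.0/8']
```

Running the audit with an empty hit list is the state the answer asks for: the VPN subnet appears in no proxy Allowed Networks range, so the BLOCK rule is actually reached.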
  • I am not a fan of full tunnel mode. It prevents the client PC from printing a local file to a local printer if the printer connection uses TCP/IP.

    An argument for full tunnel is that it prevents the PC from creating an unfiltered pipeline from bad guys on the Internet, through the client PC, then into your network; forcing the traffic through the tunnel ensures that everything goes through your corporate filters.

    My opinion is that we need to worry about an infected client PC, whether or not it has access to its command-and-control server. So I limit the VPN clients to web and terminal emulation protocols. As long as the terminal emulation does not allow file redirection, it should be impossible for an infected client to harm your network.

  • Hi Douglas,

    thanks for the precise answer.

    Regarding the VPN, this means -> if I disable it (or is deleting needed?), this solves the situation (this subnet again has no Internet access)?

    The VPN shouldn't be reachable from the Internet, which should solve the problem you describe. Every client in this subnet should need to establish a VPN to the UTM to reach the Internet (or other local subnets); all other traffic should be blocked. How would you realize that? What kind of Remote Access do you prefer (SSL, ...)?

    Andy

  • If your restricted PCs are already on a subnet that attaches to your PC, you have two network objects to secure:

    • The "Restricted PC without VPN" address range, and
    • the "Restricted PC with VPN" address range.

    Follow the general outline in my previous note, to ensure that both the Firewall Rules and each proxy's Allowed Networks match your requirements.

    For a better background on how UTM works, read the articles in the Wiki section, and these additional posts:

    • HOW TO: Understand UTM Port Usage
    • Optimizing web proxy – Lessons Learned