Default behavior - allow all or block all?

Hello ecar13,

Thank you for reaching out to the community.

The Internet IPv4 bounds itself to the WAN interface only

When you say users are able to access now to Network B from Network A, you mean they can Ping? 

Also is there any reason you create SNAT rule, instead of only using the Masquerading option?

If you haven't tried with masquerading please try and let me know if this changes the behavior. 

Regards,

Hi Emmanuel.

From a computer on Internal Network A, I can ping a device in Int Network B, and I can access a website of a device on Int Network B by entering it's private IP address into my web browser on a computer in Priv Network A. (The device is not public facing; it only has an internal IP)

In this scenario what is the difference between the SNAT rule and a Masquerading rule?

emmosophos   so I am still able to access Internal Network B from Internal Network A.

Per your advice: I disabled my SNAT rule which gave my Internal Network A access to the Internet. Disabling the SNAT rule also (automatically) removed the auto-created firewall rule.

Disabling the SNAT rule killed Internet access (as expected) but I am still able to ping and browse to a device on Internal Network B.

So I suppose this verifies (and as BAlfson already knew as well as you) that the SNAT rule is/was not the culprit.

Nevertheless, I left the SNAT rule disabled and created a Masquerade rule and then created a Firewall rule. 

Now Internal Network A has Internet Access again.

At this point, from my laptop which is only connected to Internal Network A I can access a website on Internal Network B.

Just spent an hour on a remote support session with another Sophos tech but no solution yet.  :-(

Hello ecar13,

May know the Case ID created for your case.

regards,

Hello ecar13,

May know the Case ID created for your case.

regards,

9947705. Thank you.

Hello ecar13,

I have left a note in the case.

But have you tried following this KB (https://community.sophos.com/kb/en-us/128105)

So once you enable the Proxy, the UTM will intercept that request and pass it down, so the Firewall rule will not block the request, you would need to create a TAG of the IPs you don't want to be accessed for that subnet.

Regards,

Thanks Emmanuel,

The KB shows a quick and easy solution if other issues are already addressed.

My document takes a different approach and specifies more details about firewall rules, masquerading, DNS, etc.

Cheers - Bob

BAlfson and emmosophos thanks for all your help with this so far. I am reading through Bob's document and also the KB article mentioned above, but ... how is what I am trying to do, different from the way every other interface works on my firewall?  Meaning, let's say I have a brand new UTM appliance and I create 2 internal interfaces. Isn't the DEFAULT behavior to BLOCK ALL TRAFFIC between these 2 interfaces (subnets)? Why is my UTM allowing traffic from Internal Network A to Internal Network B?

Hi ecar13,

1) pings are allowed automatically anywhere when "Gateway forwards pings" in Network Protection -> Firewall -> ICMP is enabled 

2) Web access is automatically allowed anywhere when the "Web protection" is enabled, in transparent mode and the source network is in "allowed Networks" ...

Josef gave you the right answer to your last question.  For a broader understanding, study #2 in Rulz (last updated 2019-04-17).

Cheers - Bob