
UTM Web Protection opening VLAN separation of the Firewall

Hello everyone,
a customer requires us to use the Web Protection of his UTM. He wants to block all sorts of traffic.
The moment I activate the Web Protection, all VLAN network separation that is configured in the Firewall is basically gone and I can ping/access everything I like.
I'm using Web Protection a lot with all XG Firewalls and I never had any issues.
I suspect that there is maybe something I need to configure?
I started the Web Protection in "Half Transparent" mode since both "Standard" and "Full Transparent" would both be a HUGE pain in the A to roll out.
The customer has 11 different VLANs on different (physical) NICs / LAGs.
Can anyone explain to me a) what is happening and b) what I need to do to use VLANs + the web protection without having multiple networks "open to everyone".
I'm familiar with all the basic concepts of proxies but I'm not aware of how exactly UTM's handle the VLAN Traffic internally if I use Web Protection.

Thanks :)



Hello Rene,

    I don't know what "Half Transparent" means.  A Transparent Mode Web Filtering Profile will also respond to a Standard Mode access.

    You may be able to solve your problem for a short time by adding the VLAN subnets to the 'Skip Transparent Mode Destination Hosts/Nets' box.  The best solution is to make it so that even Standard Mode accesses can't get to other VLAN sites by blocking those sites in the Filter Action(s).  You might need to make Exceptions for traffic in the same VLAN that passes through the UTM.

    Pinging is regulated on the 'Firewall' 'ICMP' tab. If you don't want the VLANs to ping each other, you must disable 'Gateway forwards pings' and then create firewall rules that allow the pinging you want.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
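The following Python script is an added illustration, not Sophos code and not from either poster. It models the order of operations the thread describes: a transparent web proxy grabs TCP/80 before the packet filter sees the flow and re-originates the request from the UTM itself, so the inter-VLAN firewall rules are never consulted for proxied traffic. It then shows both mitigations from the answer, the 'Skip Transparent Mode Destination Hosts/Nets' list and a Filter Action that blocks cross-VLAN destinations. The VLAN layout, addresses and the single packet-filter allow rule are constructed for the example; the proxy-then-filter evaluation order is the assumption the model rests on.

```python
"""
Illustrative model (added example, not Sophos UTM code) of why a transparent
web proxy can bypass inter-VLAN packet-filter rules, and how the two
mitigations from the thread close the gap.

All subnets, addresses and rules below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed VLAN layout: VLAN name -> subnet
VLANS = {
    "clients": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "iot":     ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed packet-filter policy: default-deny between VLANs,
# Internet allowed, one explicit inter-VLAN allow rule.
PACKET_FILTER_ALLOW = {("clients", "servers")}


def vlan_of(ip: str):
    """Return the VLAN name an address belongs to, or None for non-internal."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def packet_filter(src: str, dst: str) -> bool:
    """Stateful packet-filter decision for a routed (non-proxied) flow."""
    s, d = vlan_of(src), vlan_of(dst)
    if d is None:
        return True            # Internet destination: allowed
    if s == d:
        return True            # same VLAN never traverses the UTM anyway
    return (s, d) in PACKET_FILTER_ALLOW


@dataclass
class Decision:
    path: str                  # "packet-filter" or "proxy"
    allowed: bool


def evaluate(src: str, dst: str, port: int,
             skip_nets=(), block_internal_cross_vlan: bool = False) -> Decision:
    """
    Assumed order of operations on the UTM (the model's central assumption):
      1. The transparent proxy intercepts TCP/80 unless dst is in skip_nets.
      2. Intercepted requests are re-originated by the UTM itself, so the
         inter-VLAN packet filter is never consulted; only the Filter Action
         (block_internal_cross_vlan) can stop them.
      3. Everything else is routed and subject to the packet filter.
    """
    dst_addr = ipaddress.ip_address(dst)
    skipped = any(dst_addr in ipaddress.ip_network(n) for n in skip_nets)
    if port != 80 or skipped:
        return Decision("packet-filter", packet_filter(src, dst))

    # Proxy path: packet filter bypassed, Filter Action is the only control.
    if block_internal_cross_vlan:
        s, d = vlan_of(src), vlan_of(dst)
        if d is not None and s != d:
            return Decision("proxy", False)
    return Decision("proxy", True)


if __name__ == "__main__":
    client, iot_host = "10.10.0.5", "10.30.0.9"
    # Unmitigated: HTTPS is blocked by the packet filter, HTTP sails through.
    print("443 routed :", evaluate(client, iot_host, 443))
    print("80  proxied:", evaluate(client, iot_host, 80))
    # Mitigation 1: skip list keeps internal destinations out of the proxy.
    internal = [str(n) for n in VLANS.values()]
    print("80  skipped:", evaluate(client, iot_host, 80, skip_nets=internal))
    # Mitigation 2: Filter Action blocks cross-VLAN destinations in the proxy.
    print("80  blocked:", evaluate(client, iot_host, 80, block_internal_cross_vlan=True))
```

Note that the Filter Action variant blocks every cross-VLAN destination, including the clients-to-servers pair the packet filter would have allowed; that is the case the answer has in mind when it says you may need Exceptions for traffic that legitimately passes through the UTM.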