Can I Use UTM Firewall to Block "Internal" Communications through RED 15?

Pardon the stupid question. We have a RED 15 in a remote site on the other side of the planet, and a UTM in the local headquarters. The RED 15 is running in Standard/Unified mode, and the two networks are bridged into a single common network. All network traffic from the remote office is routed through the RED 15 tunnel, through the UTM, before it reaches the headquarters network or the internet.

I have an infected device in the remote office, turned off. I need to get it fixed, but do not want it attacking computers on the local network or the headquarters network, which are really the same network.

If the infected device were on a hub or unmanaged switch in the local network, then it could see and attack other devices on the LAN, bypassing the UTM firewall. That is my concern. My goal is to give the infected device access to the internet to update its anti-malware, but prevent it from seeing or attacking other devices on the remote network behind the RED 15 or the headquarters network behind the UTM (which are the same LAN, of course). Here is my plan:

* Disconnect the other devices in the remote network behind the RED 15.

* Give the infected device a fixed IP address.

* Configure the UTM firewall so that the infected device cannot reach the devices in the headquarters, and cannot reach anything on the internet, other than updating its anti-malware.

HERE ARE MY QUESTIONS:

-> Can I configure the UTM firewall so that the infected device on a fixed IP address behind the RED 15 cannot reach the other devices on its headquarters LAN behind the UTM?

-> If not, can you suggest a way to allow the infected device behind the RED 15 to reach restricted addresses on the internet, but nothing else, especially nothing in the LAN?


    Hi

    First of all, can you not try to isolate this infected device and give it a different internet connection (not from the UTM) to update its anti-malware? That would be the best thing to do.

    However, if the above is not possible then you will have to play the next part carefully, especially when you have the RED and LAN networks bridged into the common network. Now, before making these changes for an infected device, please create them with a normal device and check and observe its network accessibility. So here is how you should go:

    1. Make sure that all other devices behind RED are turned off so that it does not get any traffic from an Infected device.

    2. If you have Web Protection enabled for that Network, make sure that you create a new Web Filter profile with fixed IP of the Infected machine and block all internet access except the update servers of anti-malware.

    3. Make sure that this IP is not added to the Transparent Mode Source Skip List in Web Protection > Filtering Options > Misc.

    4. Check that no SNAT, DNAT or Full NAT rules are created for this infected device.

    5. Create a Block rule to any network for the infected device in the Firewall rules and give the rule top priority.

    Ideally, this should allow you to deal with the situation. However, please try all these changes for a non-infected device first, try to connect to our headquarters resources and see if it is getting blocked properly, and then decide if this is good to follow up with the changes for the infected device.

    If you have a licensed product, please raise a case with Sophos Support to ask for their opinion as well, since the risk here is too big to ignore.

    Hope this helps.

    Regards,

    Jaydeep
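Added example, not part of the thread or of any Sophos code: a small first-match model of an ordered firewall rule table that shows why step 5 needs the block rule at top priority (a broad "LAN -> Any" allow above it would shadow it) and why step 1 is needed (hosts on the same remote segment behind the RED talk over the local switch and never reach the UTM's rules). All addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values for this example, not from the thread.
INFECTED = "10.0.0.50"       # fixed IP given to the infected PC behind the RED
HQ_LAN = "10.0.0.0/24"       # the bridged common network (RED site + headquarters)
AV_UPDATE = "203.0.113.10"   # stand-in for the anti-malware update server
REMOTE_HOSTS = {"10.0.0.50", "10.0.0.51"}   # hosts physically on the RED-side segment
ANY = "0.0.0.0/0"

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    action: str   # "allow" or "block"

    def matches(self, src, dst):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst))

def evaluate(rules, src, dst, default="block"):
    """First-match evaluation: the first rule that matches decides, the rest are ignored."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.name
    return default, "default"

def reaches_utm(src, dst):
    """Traffic between two hosts on the same bridged remote segment is switched locally
    and is never evaluated by the UTM; only traffic through the RED tunnel is."""
    return not (src in REMOTE_HOSTS and dst in REMOTE_HOSTS)

def infected_can_reach(rules, dst):
    """True if the infected host's traffic to dst would be allowed by the rule table."""
    if not reaches_utm(INFECTED, dst):
        return True   # never filtered: the UTM cannot help here (hence step 1)
    return evaluate(rules, INFECTED, dst)[0] == "allow"

allow_lan_out = Rule("LAN -> Any allow", HQ_LAN, ANY, "allow")
allow_updates = Rule("Infected -> AV update server", INFECTED + "/32", AV_UPDATE + "/32", "allow")
block_infected = Rule("Infected -> Any block", INFECTED + "/32", ANY, "block")

# Block rule appended at the bottom: shadowed by the broad allow above it.
SHADOWED = [allow_lan_out, allow_updates, block_infected]
# Block rule given top priority, with only the narrow update exception ahead of it.
ISOLATED = [allow_updates, block_infected, allow_lan_out]
```

Run `infected_can_reach(SHADOWED, "10.0.0.20")` against `infected_can_reach(ISOLATED, "10.0.0.20")` to see the shadowing; the ordering is the only difference between the two tables.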