
1. Blocking traffic to an IP range on the Internet & 2. Force traffic to a specific webserver to use only one of our two WAN connections

Hi, I have a Cisco ASA background and find it hard to fully understand the UTM firewall.

For a subnet I want to block all traffic to a specific IP range on the Internet.
The firewall rules I created do absolutely nothing; as I understand it, this is because we use Web Protection.

But in Web Protection I can block traffic only based on domain or regular expression. How do I block all traffic to an IP range on the Internet for a specific VLAN on my network?

Second question, we have 2 internet connections connected to the UTM with load balancing enabled. There is a website that only works on one of the internet connections. How can I force traffic for the website to use that specific interface?

Thanks in advance!



  • You are correct, ASA and UTM are very different, and some important information about its architecture is only documented in this forum. Short version to your two questions:

    1. UTM Architecture
      UTM is a series of mutually-exclusive proxies (packet filters). Firewall Rules, being the least sophisticated, is the filter of last resort (not the first one). UTM is also directionless, so you have no equivalent of "security=inside" and "security=outside". A very few proxies ask for an internal scope definition, but the setting is specific to that proxy. Most proxies have an "Allowed Networks" filter that determines whether or not the packet enters the filter or keeps looking for a different one. Once inside the proxy, the source address is generally not usable (except for Firewall Rules), so source-destination pairs are generally not processed in the way that you expect from your experience with ASA. Consequently, your firewall rules never apply to traffic that is handled by the web filter. This architecture works, but at first it makes your head hurt a little bit. My longer writeup on UTM architecture is in the Wiki section.

    2. UTM Web Filter
      The web proxies rely on a source IP (Allowed Networks) filter to determine which (if any) "Filter Profile" is used to begin handling the packet. Thereafter, all filtering is based on URL. So a block based on IP address has no effect if the URL is an FQDN, and vice versa. This is actually a pretty reasonable architecture because SNI means that an IP address and a FQDN may not generate the same web response, and the reputation of a web hosting company's server address may be different than the reputation of a hosted web site that is running on that server.

    A few more critical documents for reading:

    DNAT to a Dead End address is used to discard traffic unconditionally, because Destination NAT rules are applied first, before any of the proxy entry points are evaluated. So if you want to block anyone from accessing a range of web addresses using ports 80 and 443, a DNAT rule is the way to go.

    Hope this helps. Once you get over the shock, and the glaring omissions from the documentation, the architecture works. I am in the minority, because I think it works better behind an ASA or equivalent firewall, instead of in place of one. At most installations however, it is the firewall. I have done all that I can to offset the documentation problem.

  • Thank you for the informative answer. Before I go read all this documentation, let's say I have an internal subnet and I want to block traffic to an internet IP range, but only TCP ports 1024 and above. The firewall rules do work now because this is not web traffic and therefore not handled by the web proxy?


  • Yes. Each of the proxies listens for specific target ports as well as a source IP list. If none of the proxies match the packet, then the firewall rules apply. You can review my Port Usage document, but I think the only high-port usage is Standard Web (8080) and Standard FTP (2121), and these are not worrisome because they must be paired with a UTM destination address on the packet.

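The evaluation order described in the answers above (DNAT first, then the proxies matched on destination port plus Allowed Networks, then Firewall Rules last), written out as a small Python model. This is an added illustration, not Sophos UTM code; the VLAN, destination range, dead-end address and rule tables are constructed for the example.

```python
"""Toy model of the UTM packet-evaluation order discussed in this thread.
Shows why a plain firewall rule never sees port 80/443 traffic from a VLAN that
the web proxy accepts, why a DNAT to a dead-end address blocks it anyway, and why
the same firewall rule does work for TCP ports the proxies do not listen on."""
from ipaddress import ip_address, ip_network

VLAN = ip_network("10.10.0.0/24")            # constructed internal VLAN
TARGET = ip_network("198.51.100.0/24")        # constructed Internet range to block
DEAD_END = ip_address("192.0.2.254")          # constructed unroutable dead-end address

# DNAT entries: (source net, dest net, ports, new destination). Evaluated first.
DNAT = [(VLAN, TARGET, {80, 443}, DEAD_END)]
# Proxies: name -> (listening ports, Allowed Networks). Evaluated second.
PROXIES = {"web": ({80, 443}, [VLAN])}
# Firewall rules: (source net, dest net, ports or None for any, action). Last resort.
FIREWALL = [(VLAN, TARGET, None, "drop")]

def evaluate(src, dst, port, dnat=DNAT):
    """Return (stage that decided the packet, verdict)."""
    src, dst = ip_address(src), ip_address(dst)
    for s, d, ports, new_dst in dnat:
        if src in s and dst in d and port in ports:
            if new_dst == DEAD_END:
                return ("dnat", "discarded")
            dst = new_dst                     # rewritten; later stages see the new address
    for name, (ports, allowed) in PROXIES.items():
        if port in ports and any(src in n for n in allowed):
            # Inside the proxy only the URL is filtered; firewall rules are never consulted.
            return (f"proxy:{name}", "url-filter")
    for s, d, ports, action in FIREWALL:
        if src in s and dst in d and (ports is None or port in ports):
            return ("firewall", action)
    return ("firewall", "no-rule-matched")
```

With the DNAT entry removed, port 80 to the blocked range is swallowed by the web proxy and the firewall drop rule is never reached; with it in place the packet is discarded before any proxy runs, while a high port such as 4443 falls through to the firewall rule either way.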