
Unable to define the outgoing interface for Web Filtering

Hi,

For the first time, I've tried to activate the optional outgoing interface with the command "cc set http enable_out_interface 1", as described in https://community.sophos.com/kb/en-us/126892.

The new field appears in the WebAdmin Web Filtering. I have tried to put in some of my secondary WAN IP addresses, but without success: the source IP address for Web traffic is always my default WAN address.

Please, can someone confirm that this feature works, and with version 9.605?

Thank you,

Romano



  • Hi  

    I just checked on my Test UTM and it works fine.

    Would you please check if the Web Filter profile the traffic passes through also has the correct additional interface configured, as these settings can be applied on each Web Filter profile?

    Regards

    Jaydeep

  • Hi Jaydeep,

    I'm sure that my traffic goes through, not only because I've checked the log, but also because of my masquerading rule, which sets another IP address.

    If it's working for you (version 9.605 for sure?), it seems something is wrong on my side. But I've tried on another, completely different appliance located at another customer, with other settings, and it's the same.

    My WAN IP addressing, in the same subnet, is like:
    - WAN : default interface addr
    - WAN+1 : used for masquerading all my LAN subnet
    - WAN+2 : used for outgoing interface for Web Filtering

    With transparent or standard proxy, my source network traffic to Internet is WAN.
    If I disable my proxy, my source network traffic to Internet is WAN+1.
    If I set the outgoing interface for Web Filtering to WAN+2 on all profiles, my source network traffic to Internet is WAN.

    If someone has an idea to help me, I would appreciate it.

    Regards,

    Romano

  • Salut Romano,

    Please show us a picture and a log line like:

    2019:10:31-10:39:43 secure httpproxy[21585]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="172.2x.y.65" dstip="" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xe1d53800" url="https://client.dropbox.com/" referer="" error="" authtime="0" dnstime="0" aptptime="0" cattime="0" avscantime="0" fullreqtime="342" device="1" auth="2" ua="" exceptions="auth,content,url,cache,size"

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    As you can see:

    2019:11:03-18:57:19 portal-2 httpproxy[6301]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.x.x" dstip="62.2.148.4" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default filter action)" size="173" request="0xc79e4a00" url="http://www.myip.ch/" referer="" error="" authtime="0" dnstime="72038" aptptime="84" cattime="43228" avscantime="7297" fullreqtime="162368" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="178" reputation="unverified" categoryname="Internet Services" country="Switzerland" sandbox="-" content-type="text/html"
     
    And the resulting IP address is my WAN address, not the WAN Tests address.
     
    Cheers,
    Romano
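
The httpproxy lines exchanged above record, for each request, the client `srcip` and the Web Filter profile that handled it, which is what the per-profile check suggested earlier in the thread needs. As an added example (not part of the thread and not Sophos code), this Python script parses such lines and counts requests per client and profile; the sample lines are constructed, shortened from the two quoted above, with made-up client addresses.

```python
import re
from collections import Counter

# key="value" pairs as they appear in the httpproxy lines quoted in this thread
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')
# profile values look like: REF_DefaultHTTPProfile (Default Web Filter Profile)
PROFILE_RE = re.compile(r'^(\S+)(?: \((.*)\))?$')

def parse_line(line):
    """Return the fields of one httpproxy line as a dict, or None for other lines."""
    if " httpproxy[" not in line:
        return None
    header, _, rest = line.partition(": ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"], fields["host"] = header.split(" ")[:2]
    return fields

def profiles_by_client(lines):
    """Count "http access" requests per (client srcip, profile ref, profile name)."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if not f or f.get("name") != "http access":
            continue
        m = PROFILE_RE.match(f.get("profile", ""))
        ref, label = (m.group(1), m.group(2)) if m else ("", None)
        counts[(f.get("srcip"), ref, label)] += 1
    return counts

# Constructed sample input (shortened field set, made-up client addresses).
SAMPLE = [
    '2019:10:31-10:39:43 secure httpproxy[21585]: id="0001" severity="info" '
    'name="http access" action="pass" method="CONNECT" srcip="10.0.0.65" dstip="" '
    'profile="REF_RMxbSZXQTi (Office)" url="https://client.dropbox.com/"',
    '2019:11:03-18:57:19 portal-2 httpproxy[6301]: id="0001" severity="info" '
    'name="http access" action="pass" method="GET" srcip="10.0.0.20" '
    'dstip="62.2.148.4" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="http://www.myip.ch/" content-type="text/html"',
    '2019:11:03-18:57:25 portal-2 httpproxy[6301]: id="0001" severity="info" '
    'name="http access" action="pass" method="GET" srcip="10.0.0.20" '
    'dstip="62.2.148.4" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'url="http://www.myip.ch/" content-type="text/html"',
    '2019:11:03-18:57:26 portal-2 otherdaemon[1]: constructed non-proxy line',
]

if __name__ == "__main__":
    for (srcip, ref, label), n in sorted(profiles_by_client(SAMPLE).items()):
        print(f"{srcip:15} {ref:26} {label!s:30} {n}")
```

The lines quoted in this thread carry the client `srcip` and the `dstip`, but no field for the address the proxy itself sends from, so the egress address still has to be observed from outside, as done above with www.myip.ch.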
     
     
  • OK, Romano, we are led ineluctably to conclude that there's an SNAT rule capturing the traffic.  Do you have an SNAT that uses "WAN (Address)" for traffic from Any?

    Cheers - Bob

     
  • Hi Bob,

    I have just one SNAT rule, but not for WAN IP.

    I have tried to disable Masquerading, SNAT, WAF, without success.

    If it's working for others, I think some setting (HA, Uplink balancing, GeoIP, ??) disturbs this option....

    Cheers,
    Romano

  • Please show us a picture of your Multipath rules.

    Cheers - Bob

     
  • Hi Bob,

    Today, Uplink Balancing is not activated, but it was some months ago.

    I was thinking about that too, because the Multipath is activated on the other customer device where I have tried to set the outgoing interface for Web Filtering.
    But the Uplink Interfaces seem to be deleted on mine.

    Cheers,

    Romano

  • I think you will need someone to look at your setup, Romano.  Please tell us what Sophos Support says about this.

    Cheers - Bob

     
  • Hi Bob,

    Are you sure it is possible to choose a secondary WAN IP address for the outgoing interface?

    It's like the UTM always uses the primary (default) IP address of the chosen Interface Address.

    Cheers,
    Romano