
Block internet usage from SSL VPN users

Hello, 

Please help me!

I'm using a Sophos SG210. I have a number of users connecting via SSL VPN. I want to prevent them from having internet access on my end; I just want to let them access my internal network.

I tried creating a firewall rule, but they can still use the Internet.



  • FormerMember

    Hi Phan Tuấn,

    Thank you for reaching out to Sophos Community.

    Add required internal networks in SSL remote access profile.

  • But I can't find the Internal (network) section. 

  • "Internal" is only the name of his internal network interface; you can name it as you want.

    Click on the (lower) orange icon and select "Interface networks" in the upper left corner. Then you can see all your firewall's interfaces, or more precisely the networks behind those interfaces.

    But as an explanation: you do not have to select complete networks in the "Local Networks" section of the RAS profile. You can limit access to any destination (hosts, networks, ranges) that you want. If you want them only to reach one server through the VPN, then put only a host definition for that single server in "Local Networks".

    Technically, what you define there is which destination traffic should be tunneled (to you). If you want to limit protocols, you can do that with firewall rules; the "Automatic firewall rules" checkbox by default allows the service definition "Any".

    Any traffic to other destinations is not tunneled and will leave via their local internet connection.
    If your goal is to prevent them from reaching anything else while connected to you, the configuration has to be different.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Thank you, I understand. When I use the SSL VPN, my PC will have 2 IP addresses. When I block on the UTM, I only block the VPN's IP, and the other IP can still access the internet, because I need the internet to use the VPN, right?

  • Not exactly but it goes in that direction.

    The IP of the client's local network adapter itself doesn't change. When Sophos SSLVPN is installed it creates a second, virtual network adapter that is only used when you are logged in to SSLVPN. When you are logged in that adapter gets an IP address, gateway, and (if configured) DNS or WINS settings from the firewall.

    For the firewall ruleset only this virtual IP address is of interest.

    Your client PC normally has an IP address and a default gateway, to which all traffic that is not destined for the same local network is sent. When you are connected to SSLVPN, the routing of your client is changed. All hosts/networks that were configured in the firewall's RAS profile get an extra routing entry, which points to a virtual address of the firewall.

    You can review this (on Windows) by opening cmd and typing the command "route print" before and after connecting to SSLVPN.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
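The "route print" comparison Kevin describes, and the split-tunnel behaviour explained in his earlier post, can be checked mechanically instead of by eye. The following is an added example and not code from the thread or from Sophos: it parses the IPv4 "Active Routes" table of Windows "route print" output captured before and after connecting, lists which destinations gained a route through the virtual adapter (these are the RAS profile's "Local Networks"), and shows which interface the client will actually use for a given destination. All addresses (the 192.168.1.0/24 LAN, the 10.242.2.0/24 VPN subnet with client 10.242.2.6 and firewall virtual address 10.242.2.5, the local networks 172.16.0.0/16 and 192.168.10.0/24, the VPN server 203.0.113.10) are constructed. The "full tunnel" check looks for either a default route on the virtual adapter or the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN-based clients install with "redirect-gateway def1"; that this applies to the Sophos SSL VPN client is an assumption.

```python
import ipaddress
import re

# Constructed sample: IPv4 "Active Routes" table before connecting to the SSL VPN.
ROUTES_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""

# Constructed sample after connecting with a split-tunnel profile: the virtual
# adapter got 10.242.2.6, and only the RAS profile's "Local Networks" are routed
# to the firewall's virtual address 10.242.2.5.
ROUTES_AFTER_SPLIT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
       10.242.2.0    255.255.255.0         On-link       10.242.2.6    281
       172.16.0.0      255.255.0.0       10.242.2.5      10.242.2.6    281
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
     192.168.10.0    255.255.255.0       10.242.2.5      10.242.2.6    281
"""

# Constructed sample of a full tunnel (assumed OpenVPN "redirect-gateway def1"
# layout): 0.0.0.0/1 and 128.0.0.0/1 go into the tunnel, only the VPN server's
# own address 203.0.113.10 keeps a host route via the local gateway.
ROUTES_AFTER_FULL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0        128.0.0.0       10.242.2.5      10.242.2.6    281
       10.242.2.0    255.255.255.0         On-link       10.242.2.6    281
        128.0.0.0        128.0.0.0       10.242.2.5      10.242.2.6    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
"""

# destination, netmask, gateway (an IP or "On-link"), interface IP, metric
ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Parse the IPv4 'Active Routes' table of 'route print' into route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # header lines, separators, IPv6 table
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def tunneled_destinations(before, after, vpn_iface):
    """Destinations that gained a route via the virtual adapter after connecting.

    These are the hosts/networks from the RAS profile's "Local Networks"; the
    virtual adapter's own subnet (gateway "On-link") is not counted.
    """
    key = lambda r: (r["network"], r["gateway"], r["interface"])
    seen = {key(r) for r in before}
    added = [r for r in after if key(r) not in seen]
    nets = [r["network"] for r in added
            if r["interface"] == vpn_iface and r["gateway"] != "On-link"]
    return [str(n) for n in sorted(nets)]


def is_full_tunnel(routes, vpn_iface):
    """True if all traffic enters the tunnel: a default route on the virtual
    adapter, or the 0.0.0.0/1 + 128.0.0.0/1 pair (OpenVPN def1 style)."""
    via_vpn = {str(r["network"]) for r in routes if r["interface"] == vpn_iface}
    return "0.0.0.0/0" in via_vpn or {"0.0.0.0/1", "128.0.0.0/1"} <= via_vpn


def egress_interface(routes, ip):
    """Interface the client uses for a destination: longest prefix wins,
    lowest metric breaks ties."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r["network"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return best["interface"]


if __name__ == "__main__":
    before = parse_routes(ROUTES_BEFORE)
    split = parse_routes(ROUTES_AFTER_SPLIT)
    full = parse_routes(ROUTES_AFTER_FULL)
    print("tunneled destinations:", tunneled_destinations(before, split, "10.242.2.6"))
    for name, table in (("split", split), ("full", full)):
        print(name, "| full tunnel:", is_full_tunnel(table, "10.242.2.6"),
              "| 8.8.8.8 via", egress_interface(table, "8.8.8.8"),
              "| 172.16.0.10 via", egress_interface(table, "172.16.0.10"))
```

To use it on a real client, save "route print" output to a file before and after connecting and pass the file contents to parse_routes(). With the split-tunnel table, 8.8.8.8 egresses on the physical adapter (192.168.1.50), which is exactly why a rule on the UTM cannot block those users' internet access: the packets never reach the firewall. Only when is_full_tunnel() reports True does internet traffic arrive at the UTM where a firewall rule can act on it.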

