This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WebProxy (WebFiltering) allows https traffic to internal network through IPSec tunnel that only aallows specific source net to external partner

Hello there,

i am quite confused. We've built up a new ipsec tunnel with an external partner. He and we only defined one single network as the "local" network to have access to the external network net (eg. 192.168.66.0). There is only https traffic needed to access the partner network. Unfortunately we see that every single network in our site has access to the partners network with https (But not with other protocols). I've also backtested it. If i remove the network from webfiltering on the sophos then https traffic is blocked by packet filter. So i have my confirmation that it is about the web proxy (webfiltering). It seems as the webfiltering allows access to all network AND natting it as the partners firewall also only allows this one speciif network and not all of our internal networks. Any clues?



This thread was automatically locked due to age.
Parents
  • Hi,

    Copy a line here from the Web Filtering log where an access occurred that should not have been allowed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2022:07:01-08:56:12 sophossg01-2 httpproxy[6683]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.2.210" dstip="11.11.77.79" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5895" request="0xdbdce300" url="">https://11.11.77.79/" referer="" error="" authtime="0" dnstime="1" aptptime="190" cattime="207" avscantime="0" fullreqtime="25797" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="N/A"

  • That looks like an internal access to a public, external IP, but 11.11.77.79 isn't even in Germany.

    Show us a picture of the SA from the 'Site-to-site VPN Tunnel Status' like:

         

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • That looks like an internal access to a public, external IP, but 11.11.77.79 isn't even in Germany.

    Show us a picture of the SA from the 'Site-to-site VPN Tunnel Status' like:

         

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Hi,

    oh, i changed the internal ip addresses to not show our real internal range. You really need the original one? It's all about internal ips. There is not external access here. 

  • Your IPsec SA picture confirms that Web Filtering was allowed to handle that traffic.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sorry Balfson. I've made a mistake. I've now changed the picture aboth to illustrate that the source client (192.168.2.210) that has access to 11.11.77.79 through https is NOT listed in the IPSec settings. Please review it. 

    So why does he still get access to it? Alone through being listed in "Web Filtering"? Do i have to remove the source net from web filtering or is there a way to stop allowing the "web filtering" to grant access to networks in IPSec?

  • Just a guess - add the 11.11.77.0/24 subnet to ' Skip Transparent Mode Destination Hosts/Nets'.

    In future posts, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Nice one Balfson. This solved my problem. I added the corresponding target network to "Skip Transparent Mode Destination Hosts/Nets) and created an extra rule for the concerning network.