Bridge web protection transparent block traffic http/https

I configured a bridge with UTM9.  Firewall rules ANY ANY. Everything works OK when the Web Protection is disabled.

But when I configure Web Protection, Full Transparent, I'm not able to surf the internet with my workstation.

Other protocols like ICMP or FTP work fine.

Do you know what the problem is?  All web sites are allowed in the Default content filter action.



  • Any messages shown in the proxy logs? That would be the first place to check.
  • Bernard,

    can you share the web filter live log? Also which ip is set on UTM bridge interface? Default gateway?

    Luk
  • I'm having the same problem. As soon as I allow "any" for Web filtering, Web traffic stops, but I'm still able to icmp, ftp, rdp, etc. I do not have an IP or gateway configured on the bridge interface because it only contains VLANs and no untagged traffic. I'm using a separate interface for management access.

  • Hi, Christian, and welcome to the UTM Community!

    If you have the UTM in bridge mode between your network and a router, you must configure the Proxy in "Full Transparent" or "Standard" mode.  In any case, I would never put "Any" in 'Allowed Networks' - always specify your LANs that should have access to the Proxy.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Of course ANY is not ideal, but for testing it should work. I'm using full transparent mode and as soon as I define allowed networks I lose Web connectivity. The bridge works fine and I can see traffic passing through the firewall log. Any ideas why turning on Web filtering and assigning allowed networks causes Web connectivity to drop on client devices? The upstream router I'm using is pfSense. I'm testing out Sophos just as a Web filter.

  • I am having this exact issue:

    Bridged interface between core router and border router, gateway correct, etc. Web filter in full transparent. Without the web filter on, everything works without issue. As soon as I turn on the web filter even with the default settings (still in full transparent though) with one of my networks, or all of my networks, or only one of my hosts, all http/https traffic stops. The live log has intermittent success/drop notices. All other traffic--mail, icmp, etc, pass through without issue during this. As soon as the web filter has been toggled off, http/https traffic flows immediately.


    I have about 30 hosts across several internal networks.

    [Edit: Additionally, if I turn web filtering on but disable HTTPS through the transparent proxy, HTTPS will work. HTTP won't.]

    [Edit edit: This is my live log when I turn the web filter on:

    2016:05:18-22:35:56 utm httpproxy[61163]: Integrated HTTP-Proxy (c) 2007-2016 Sophos Ltd, Release 296.ga27eda9.rb6

    2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="580" message="reloading config"
    2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="430" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3737" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="636" message="reloading config done, new version 113"
    2016:05:18-22:36:20 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="580" message="reloading config"
    2016:05:18-22:36:20 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="430" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:05:18-22:36:20 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3737" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:05:18-22:36:20 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="636" message="reloading config done, new version 114"

    DNS works both for Up2Date and manual tests.
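
An added example, not posted by anyone in this thread, that parses UTM httpproxy live-log lines in the format quoted above into their key="value" fields and separates the benign passthrough6.fw-notify.net resolver chatter from entries worth reading; the sample lines are copied from the post above, and the NOISE_PATTERNS list is my own assumption about what to filter.

```python
import re
from typing import Dict, List, Optional

# Sample input: httpproxy live-log lines copied from the thread above.
SAMPLE_LOG = """\
2016:05:18-22:35:56 utm httpproxy[61163]: Integrated HTTP-Proxy (c) 2007-2016 Sophos Ltd, Release 296.ga27eda9.rb6
2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="580" message="reloading config"
2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="430" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3737" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2016:05:18-22:36:05 utm httpproxy[61163]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="636" message="reloading config done, new version 113"
"""

# "<timestamp> <host> <process>[<pid>]: <body>"
HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
# key="value" pairs inside the body
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: messages about the IPv6 passthrough host are informational noise,
# not related to the HTTP/HTTPS outage being debugged.
NOISE_PATTERNS = ("passthrough6.fw-notify.net",)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into header fields plus its key="value" pairs."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    fields = dict(KV_RE.findall(body))
    if not fields:
        fields = {"message": body}  # startup banner lines carry no key="value" pairs
    rec.update(fields)
    return rec


def is_noise(rec: Dict[str, str]) -> bool:
    return any(p in rec.get("message", "") for p in NOISE_PATTERNS)


def triage(log: str) -> Dict[str, object]:
    """Count total/noise lines and keep the entries a troubleshooter should read."""
    records = [r for r in (parse_line(l) for l in log.splitlines()) if r]
    interesting: List[Dict[str, str]] = [r for r in records if not is_noise(r)]
    # Lines with a real request id show the proxy actually handled client traffic;
    # request="(nil)" means the entry is only about the proxy's own config.
    requests = [r for r in records if r.get("request") not in (None, "(nil)")]
    return {"total": len(records), "noise": len(records) - len(interesting),
            "interesting": interesting, "requests": len(requests)}
```

Run against the log above, every entry is request="(nil)" config reloading, which matches the poster's observation that the proxy never logs the clients' HTTP/HTTPS attempts.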

  • Hi, Robert, and welcome to the UTM Community!

    If you're not using IPv6, then googling site:community.sophos.com/products/unified-threat-management/f/55 "failed to resolve passthrough6.fw-notify.net" will show you that this is just the proxy being chatty and that this is only coincidental.

    I wonder if the real problem isn't a routing problem.  Do you have a default gateway assigned to the bridged interface?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello! Thank you for taking the time to follow up.

    I do have a gateway assigned to the bridge. My physical topology definitely requires that link to work in order to bridge traffic between my border and core, since it's positioned to be the transparent proxy.

    Unfortunately those kind of useless error messages are all I get out of it when it's on. I'll probably just rebuild it since it won't take long, and see if that does any good. I'll update when done.

  • (I realised I kind of thread-hijacked, but hopefully this is the same issue as Bernard, Christian, and anyone else and we can all get this sorted out.)

    So, I rebuilt Sophos from the ground up. Fresh install, assign interfaces, create bridge and management, assign proper gateway to bridge, create any/any/any firewall rule, toggle on firewall rule, assign DNS, get Sophos up-to-date, test the bridge successfully (full normal connectivity), turn on Web Filter and immediately lose web browsing by HTTP or HTTPS. All other protocols still work. Turn web filter off and all connectivity resumes. It is, in fact, how I'm writing this post.

    Everything tests fine--DNS test from Sophos and my internal nets and core are great, routing is all fine, the bridge works and passes traffic from core to border. It just refuses to transparently proxy when I toggle it on. There are no hits in the live log when I have it on.

  • I'm not clear:  Was this ever solved?

    Is the restriction that using <ANY> for Allowed Networks causes a failure, but if it is replaced by a list of network ranges, then everything works?

    Also, can someone explain why Full Transparent mode is necessary with Bridged mode, but unnecessary and possibly undesirable otherwise?