
Full Transparent, VLANs, and Policies...things aren't working.

I am currently testing a Sophos UTM in full transparent bridge mode.

I have 5 VLANs passing through the bridge. I need to apply different policies to each of them.

Before turning on web protection, everything worked just fine.

I define a network as 192.168.40.0/24 and apply it to allowed networks (this is my lab testing network).

As soon as I click apply, all computers in the 192.168.40.0/24 network stop passing web traffic, although they still pass other types of traffic just fine (SMB, for example, works just fine to my network shares).

Any ideas what I'm missing?



  • Christian, as my dad used to say, "If that's the way you want to solve the problem, you've got a mell of a hess on your hands!" [;)]

    WebAdmin does a lot of things automatically.  It is, in essence, a GUI that manipulates databases of objects.  Behind the scenes, the configuration daemon consults these databases and writes the individual command lines that actually do the work.  Changing one entry in WebAdmin can result in rewriting 1,000 lines of code.

    Please tell us what you're trying to accomplish and show us the network topology before you set up the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Comcast CPE --> pfSense --> UTM --> Switch --> Network

    pfSense runs virtually on ESXi and handles 5 VLANs. These VLANs are tagged by the ESXi host itself.

    So the cable going from pfSense to UTM is trunking 5 vlans with no native vlan.

    Once inside the UTM I have a bridge interface and a management interface. The management interface plugs back into the switch and connects into my management vlan. Simply enabling the bridge interface, traffic works just fine and all is well.

    I have very promiscuous firewall settings temporarily enabled on both the UTM and pfSense to remove that as a variable.

    As soon as I flip the switch on Web Filtering and use the "Any" network, I get no web traffic passed.

    The only thing I see under the live log is this:

    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_loop" file="epoll.c" line="862" message="starting exit cleanup"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="636" message="reloading config done, new version 35"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scan_exit" file="scanner.c" line="910" message="scanner subsystem shutting down"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scan_exit" file="scanner.c" line="916" message="scanner subsystem shut down"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_exit" file="epoll.c" line="682" message="epoll subsystem shutting down"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="epoll_exit" file="epoll.c" line="699" message="epoll subsystem shut down"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="disk_cache_exit" file="diskcache.c" line="46" message="writing cache index"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="disk_cache_exit" file="diskcache.c" line="48" message="writing cache index done"
    2016:04:15-21:59:04 utm httpproxy[23409]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="384" message="shutdown finished, exiting"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="271" message="reading configuration"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="464" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="3616" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="295" message="caching templates"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="298" message="reading profiles"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scanner_init" file="aptpscanner.c" line="173" message="ATP unavailable"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="337" message="notifiying argos daemon
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="argos_notify" file="httpproxy.c" line="199" message="connect: Connection refused"
    2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="343" message="finished startup"
    2016:04:15-22:14:05 utm httpproxy[24740]: Integrated HTTP-Proxy (c) 2007-2015 Sophos Ltd, Release 168.gee8544d.rb2

     

    TestSource is a host definition of 192.168.10.219. What is interesting is that only computers that fit into the definitions defined under allowed networks lose browsing ability.
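    An added triage script, not from this thread or from Sophos, that parses the httpproxy live-log format quoted above (timestamp, host, process[pid], then key="value" pairs) and flags the startup symptoms visible in it: the DNS resolution failure for passthrough6.fw-notify.net, the refused connection to the argos daemon, and the unavailable ATP scanner. The sample lines are constructed in that format, the unterminated quote on the "notifiying argos daemon" line is handled, and the symptom-to-verdict mapping is my own.

```python
import re

# Constructed sample in the Sophos UTM httpproxy live-log format seen in this thread.
SAMPLE_LOG = """\
2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="464" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="scanner_init" file="aptpscanner.c" line="173" message="ATP unavailable"
2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="337" message="notifiying argos daemon
2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="argos_notify" file="httpproxy.c" line="199" message="connect: Connection refused"
2016:04:15-22:14:05 utm httpproxy[24740]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="main" file="httpproxy.c" line="343" message="finished startup"
"""

HEADER_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
# A value runs to the next double quote, or to end of line when the closing quote is
# missing (as on the "notifiying argos daemon" line quoted in the thread).
KV_RE = re.compile(r'(\w+)="([^"]*)(?:"|$)')

def parse_line(line: str) -> dict:
    """Parse one httpproxy log line into a flat dict; {} if the line is not in this format."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return {}
    rec = {k: m.group(k) for k in ("ts", "host", "proc", "pid")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec

# (function, message substring, verdict): my own mapping of proxy startup messages to
# what they say about the UTM's own connectivity from the bridge/management interface.
SYMPTOMS = [
    ("parse_address", "Name or service not known", "proxy cannot resolve DNS"),
    ("confd_config_filter", "failed to resolve", "proxy cannot resolve DNS"),
    ("argos_notify", "Connection refused", "argos daemon not reachable"),
    ("scanner_init", "ATP unavailable", "ATP scanner not available"),
]

def triage(log_text: str) -> list:
    """Return one finding per matched symptom, in log order, with exact duplicates dropped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        for func, needle, verdict in SYMPTOMS:
            if rec.get("function") == func and needle in rec.get("message", ""):
                finding = f'{rec["ts"]} pid={rec["pid"]} {verdict}: {rec["message"]}'
                if finding not in findings:
                    findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it against the live log from a UTM that shows the block page but returns "host not found": a DNS finding here points at the appliance's own resolver/gateway rather than at the client VLANs.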

  • Besides my use of VLANs across the bridge, I followed this article to the letter with no luck.

    fastvue.co/.../

  • Sure enough, I failed to realize that I need to define VLANs on br0. I did that. Now I'm seeing the Sophos block page, but I'm seeing "host not found" for every website I visit. Once I turn off web protection, I can browse normally.

  • Your solution won't work. We can't help you unless we know what you want to accomplish. Also, what was the topology before you added the UTM?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • My goal is to utilize web protection for web filtering and application control (I assumed that was known because I stated I am trying to enable full transparent mode in my original post and I'm posting under the Web Protection sub-forum.)

    My topology is very simple. My edge router/firewall is pfSense. This has 5 VLANs (10, 20, 30, 40, and 50) all tagged on a trunk into the UTM. I have very promiscuous firewall rules established on both pfSense and UTM to remove any chance of firewall issues (I'm temporarily allowing all traffic types to/from all interfaces on both pfSense and UTM).

    pfSense <--Trunk--> UTM <--Trunk--> Core Switch

    I want to have granular control of individual networks and apply different protection policies and schedules.

    The above setup works in my environment. The trick was setting the gateway on the management vlan. Not only is this required for talking to the UTM across layer 3, but it appears the Web Protection module requires a gateway to do its work. 
