This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exception List Query

Hi all,

We are running 2 X SG450 Appliances (Active Passive), Firmware Version 9.404-5.

I have created a Web Filter Profile for a specific VLAN on our internal network. It has a pretty restrictive policy imposed upon it (authentication required, limited categories etc.).

However, there is an appliance on this VLAN (a postal franking machine to be precise) which requires anonymous access to the Internet. I have created an exception in Web Protection - Filtering Options - Exceptions. This exception skips Authentication and SSL Scanning from the IP address of the franking machine. At this point everything works as expected. Web Filter logs indicate that the exception is being applied correctly.

The problem comes when I attempt to add a second parameter to the exception. I want to ensure that no other sites are being accessed from the franking machine except the one that it requires access to. Therefore I created a web site entry in Web Protection - Filtering Options - Websites detailing the site the machine needs to access and Tagged it as a site that can be accessed from the machine.

I then attempted to add this tagged website as a second parameter on the original exception, using the And option.

What now happens is when I attempt to access the site from the source IP address of the franking machine I get prompted to enter user credentials. My understanding of this exception was that providing requests came from the specified source IP address and were destined for the specified tagged website, there would be no need for authentication and SSL Inspection.

Could someone please advise me where I may have gone wrong here or possibly suggest a better way of doing this?

Many thanks in advance,

John P



This thread was automatically locked due to age.
Parents
  • John, it sounds like you might want to skip the Proxy for the target site and then just make a Web Filtering Profile for the IP of the franking machine and have it block everything.  Does that do what you want?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and Michael,

    Many thanks for your prompt and helpful replies.

    I'll probably go along the lines of Bob's recommendation, create a specific Web Filter Profile for the franking machine and block everything except traffic bound for the approved destination.

    However, Michael, is the addition of extra parameters to any exception likely to cause similar difficulties in the future,or is it only exceptions which contain a mix of 'tagged' sites and skipping of SSL Scanning which are likely to be problematic? I only ask as I'm sure, in my own opinion of course, that it isn't beyond the realms of belief that someone would wish to use the same combination of parameters in an exception.

    Anyway, not to worry as they say, a workaround is possible.

    One again, thanks guys for giving me your time and assistance, it is truly much appreciated.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • This quick answer is "I don't know" and that exceptions allow you to configure some nonsensical things, like "If Bob is logged in then skip authentication".

    We decided not to put anything in the UI that prevented problematic things like that, the combinations are good and bad are complex.

    Note that the exception you wrote should work for non-SSL.


    Also...  You could try "Matching these URLs" rather than "Going to websites tagged as".  I don't know (off the top of my head) whether that would also have the same problem.

Reply
  • This quick answer is "I don't know" and that exceptions allow you to configure some nonsensical things, like "If Bob is logged in then skip authentication".

    We decided not to put anything in the UI that prevented problematic things like that, the combinations are good and bad are complex.

    Note that the exception you wrote should work for non-SSL.


    Also...  You could try "Matching these URLs" rather than "Going to websites tagged as".  I don't know (off the top of my head) whether that would also have the same problem.

Children
  • Hi Michael,

    Thank you for the additional input. I have to say that I do find the UTM UI relatively easy to use and quite intuitive and kudos to Sophos for making it so.

    However, in relation to your statement "If Bob is logged in then skip authentication", what if 'Bob' is a largely inanimate object and in fact is not logged in as he doesn't have a user account, just an assigned IP address? Hence the need to bypass authentication. The URL 'Bob' checks for firmware updates is (as far as I'm aware) hard-coded into it's existing firmware and is accessed exclusively over HTTPS.

    By the way, I have tested a similar scenario combining skipping of authentication with going to a tagged site over HTTP and it also failed. I'm also curious as to why the option to select 'Going to these networks' is missing altogether from the list of available choices when creating an exception. Maybe that is something that will come along in a future release.

    In the meantime, I have created a specific Web Filter Profile for the franking machine (forever now known as Bob) and the issue has been resolved.

    Many thanks and best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Apologies to Bob Alfson (who is a great resource by the way).  My "go-to" username for everything is Bob.  It is short and simple.  When I really need it, I have my friends Abe, Bob, Carl, Doug, and Eric come over to help me test - it is wonderful that they come alphabetized.  :)

    Scenarios like you describe are why we don't disallow it in the UI.  But you can understand that the code starts getting quite complex as there are interdependencies with these items.  We've made sure that it works for all common use cases, there could be cases that we don't cover as well as we could.  The question is could we cover them better without changing behavior for the existing exceptions.

    Feel free to raise an issue with support or a feature request.  Given that you were able to get the franken machine working (I smile whenever I see that) using another method I suspect it isn't worth it.