Web Filtering with Full Transparent Mode on ESXi

I'm trying to run Sophos UTM in Full Transparent mode using a bridged network connection, however web filtering is not working. These forums have a lot of information but I still haven't been able to solve this. If anyone can spot the issue or any other tips I'd really appreciate it!

The network is physically connected as:
ISP modem <-> Sophos UTM <-> Router #1 <-> Router #2

Internet traffic flows through fine, but the Dashboard always says "Web Filtering is active, 0 requests served today" whether I browse the web through Router #1 or Router #2.

Sophos UTM 9.409 has been installed based on these instructions:
http://www.fastvue.co/sophos/blog/easily-evaluate-sophos-utm-9-3-using-full-transparent-mode/ 

Sophos UTM was installed as a VM on ESXi 6.0 Update 2. ESXi is running on a Dell Optiplex 755 with a 2-NIC network card installed for the bridged interface, and the onboard NIC is used for management.

The management port and the LAN port are plugged into Router #1, while the WAN port is plugged into the ISP modem.

vSphere Client > 192.168.7.99 > Configuration > Networking:

  1. vmnic0
    • Management network
    • 192.168.7.99
  2. vmnic1
    • WAN
    • Promiscuous mode turned on
  3. vmnic2
    • LAN
    • Promiscuous mode turned on

Sophos UTM web admin > Interfaces & Routing > Interfaces:

  1. eth0
    • "Internal"
    • Dynamic IP: unchecked
    • 168.7.100/24
  2. br0
    • "External (WAN)"
    • Dynamic IP: unchecked
    • 0.0.0/0
    • IPv4 default GW: unchecked

Router #1:

  • 192.168.7.1
  • DHCP enabled (192.168.7.2 to 101)
  • DHCP reservations for:
    • 192.168.7.2 (Router #2)
    • 192.168.7.99 (ESXi server)

Router #2:

  • 192.168.7.2
  • OpenWRT running as access point

I added the Any / Any / Any firewall rule as noted in the instructions.

Sophos UTM > Support > Tools > Ping Check always returns "Ping check did not deliver a result, because of a probably non-existing ip address / hostname." whether I use the "Internal" or "External (WAN)" interface.

  • Hi, Matthew, and welcome to the UTM Community!

    Pinging is regulated on the 'ICMP' tab of 'Firewall' - that might resolve your secondary question.  If not, then it's likely that one or more of your devices doesn't have the right routes or default gateway - that would be for another thread.  Please supply a diagram there with IPs and subnets annotated.

    What is in 'Allowed Networks' on the 'Global' tab of 'Web Filtering'?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I've tried "External (WAN) (Network)" and/or "Internal (Network)" on the 'Allowed Networks' on the 'Global' tab of 'Web Filtering' however neither of them made web filtering begin working. Should one of these be used?

    I saw your other comments too about pinging so I'll have a go at drawing up a network diagram. Would this diagram help for this thread too?

    Thank you for your time!

    Matthew.

  • Yes, and pictures of your configuration on the UTM.  I'm afraid I can't "see" what you're describing, Matthew.

    Cheers - Bob

  • Hi Bob,

    Here are pictures of my configuration in Sophos UTM:

    Dashboard:

    Interfaces & Routing > Interfaces:

    Web Protection > Web Filtering:


    What information would be useful to see in a network diagram?

    Kind regards,

    Matthew Robinson.

  • I'm guessing from the pics you showed that you have clients in "External (Network)" that you want to have pass through Web Filtering, but I'm confused about the topology.

    A diagram would need to show devices (real or virtual), IP addresses and subnets.

    Cheers - Bob

  • Hi Bob,


    Thank you for your previous response. I know it's been quite a while, and I've decided to tackle this again. Hopefully these extra details are what you need:


    vSphere Client - Configuration > Hardware - Network Adapters

    vSphere Client - Configuration > Hardware - Networking


    Here's my network diagram - does this have all the info you need? Sorry about the quality - I'm just a network tinkerer, not a network engineer!

    Kind regards,

    Matthew.

  • The most important documentation about UTM is not in the manual; we forum users have had to write it. You need a baseline understanding of how UTM works before starting deployment. UTM does not have security zones like other firewalls, so you need to get into its mindset. Here is a recommended reading list:

    Everything in the Wiki Section

    https://community.sophos.com/products/unified-threat-management/w/utm-wiki

    Bob Alfson's RULZ document, particularly the part that explains the processing order as a packet goes through UTM.

    https://community.sophos.com/products/unified-threat-management/f/general-discussion/22065/rulz

    This document on web filtering lessons learned

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned

    and optionally, this document on log analysis using SQL.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/101117/optimizing-web-proxy-lessons-learned

    Your goal should be to use both web filtering modes. The reasons why are explained in the Lessons Learned document. You should distribute the UTM CA certificate to all of your desktops for either web filtering mode. Transparent mode needs it when https pages are blocked or warned, Standard Mode needs it for all https pages.

    As an undocumented feature, a Transparent Mode Filter Profile also enables Standard Mode with the same settings. If you want to use different settings, create Standard Mode profiles and give them higher priority so that they are evaluated first. I use AD SSO for Standard Mode and None for Transparent Mode.

    In bridged mode, you should specify Full Transparent mode, as you have. AD SSO does not work with Transparent Mode in a bridged configuration, so you need to use a different authentication method or none.

    But to your current problem. There are only a few possibilities:

    • You have not blocked UDP 443 at the firewall, and all of your tests use Chrome with https sites. Chrome has the 'QUIC' protocol which is ignored by the transparent web filter. If UDP 443 is blocked, Chrome will switch to TCP 443 and behave like UTM expects.

    • The web filter is turned off. You assure us that this is not the case.

    • None of the Filter Profiles have the desired IP addresses in the Allowed Networks list. If the Allowed Networks list is correct, the web filter will do something with the packet. So this should be an easy fix. Whether the web filter does what you want will involve other configuration steps, but you have not gotten that far.
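The last post above names two conditions a defender can check from connection logs: whether the clients' addresses are actually inside the Web Filtering 'Allowed Networks' list, and whether UDP 443 (QUIC) flows are leaving the network and therefore bypassing a transparent proxy that only intercepts TCP 80/443. The script below is an added example and not code from the thread or from Sophos; its log line format (`proto src:port -> dst:port`) and all addresses are constructed for the example and are not Sophos UTM's own packet-filter log format.

```python
"""Added example (not from the thread): check two of the causes listed in the
last post above against connection records.

1. Is each web client inside the 'Allowed Networks' list?  The transparent
   proxy never sees clients that are not, so the dashboard counter stays at 0.
2. Are there UDP/443 (QUIC) flows from covered clients?  A transparent
   HTTP/HTTPS proxy intercepts TCP only, so QUIC sessions go around it unless
   UDP 443 is blocked at the firewall.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample records in a hypothetical 'proto src:port -> dst:port'
# format.  Destination addresses are illustrative only.
SAMPLE_LOG = """\
udp 192.168.7.50:53412 -> 172.217.16.142:443
tcp 192.168.7.50:53413 -> 172.217.16.142:443
udp 192.168.7.51:60001 -> 142.250.74.46:443
tcp 192.168.7.52:49152 -> 93.184.216.34:80
udp 192.168.7.52:49153 -> 192.168.7.1:53
tcp 10.0.0.9:51000 -> 93.184.216.34:443
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse the constructed lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            records.append(d)
    return records


def in_allowed_networks(ip, allowed):
    """True if ip lies inside any CIDR of the Allowed Networks list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed)


def find_quic_bypass(records, allowed):
    """Return {client_ip: count} of UDP/443 flows from clients the transparent
    proxy is supposed to cover.  Any hit means QUIC traffic is leaving without
    passing through the web filter; blocking UDP 443 makes Chrome fall back to
    TCP 443, which the filter does intercept."""
    hits = Counter()
    for r in records:
        if (r["proto"] == "udp" and r["dport"] == 443
                and in_allowed_networks(r["src"], allowed)):
            hits[r["src"]] += 1
    return dict(hits)


def uncovered_clients(records, allowed):
    """Clients making TCP 80/443 requests that are NOT in Allowed Networks;
    the proxy never handles them, so they never count as 'requests served'."""
    return sorted({
        r["src"] for r in records
        if r["proto"] == "tcp" and r["dport"] in (80, 443)
        and not in_allowed_networks(r["src"], allowed)
    })


if __name__ == "__main__":
    allowed = ["192.168.7.0/24"]  # the thread's LAN as the Allowed Networks entry
    recs = parse_log(SAMPLE_LOG)
    print("QUIC flows bypassing the filter:", find_quic_bypass(recs, allowed))
    print("Web clients outside Allowed Networks:", uncovered_clients(recs, allowed))
```

Run against real records, a non-empty result from `find_quic_bypass` is the first bullet in the post (add a firewall rule dropping UDP 443 from the LAN), and a non-empty result from `uncovered_clients` is the third (add the missing subnet to the Filter Profile's Allowed Networks).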