
Setting up policy. From block all, to allow specific sites but filter them

Dear all,

I have tried to find an answer to my question, but after searching and trying a lot of things in the web filter I could not find a solution.

We are evaluating Sophos UTM in the company I work for. I am using it at home, and thus it is the one on top of the list.

We are mostly concerned regarding the web filtering.

We wanted to do the following configuration.

Since we have a very strict security policy we want to configure the following.

Our default policy is block all internet.

For a specific AD group we would like to allow access to a specific domain.

We do not want to allow anyone to be able to log in to those websites, only search and read.

Thus we want full access to the domain and subdomains but block some specific URLs.

Those URLs are either static or dynamic, thus expressions are best for this.

Up to this point I could find a way to do so.

Any idea that could help or give me a clue?

Thanks in advance.



This thread was automatically locked due to age.
  • Geia sou, Nikos, and welcome to the UTM Community!

    Start with Configuring HTTP/S proxy access with AD SSO which also works with Transparent mode.  The things you want to do should be straightforward for a person that's installed several sites with WebAdmin.

    To get good help here, one must ask questions that are more specific.  Show us an example of several URLs that you want to allow and related ones you want to block.  That will allow folks to see what approach should work best for you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Bob,

     

    Thanks for your reply.

    I have already read and tried the instructions provided. Although it did not work for me, I have opened a ticket with the Sophos Support Team and am expecting a reply, since although I have successfully configured the AD integration and passed both tests, it is not possible to receive the Domain Users list.

    Despite that, I will try to explain what we are trying to implement in our environment.

     

    I want to create a group with Users named "FloorA".
    The FloorA users should only have access to specific webpages, e.g. embarcadero.com and all the subdomains.

    But I do not want them to be able to log in or register to the website or to their forums. Thus I want to block access to specific URLs, e.g.

    https://community.embarcadero.com/login?return=aHR0cHM6Ly9jb21tdW5pdHkuZW1iYXJjYWRlcm8uY29tL2ZvcnVt

    https://community.embarcadero.com/registration-form

    By using the expression ^https?:\/\/([A-Za-z0-9.-]*\.)?embarcadero.com\/(registration|login)([A-Za-z0-9.?=-]*)? which in theory complies with our needs, I can capture the websites.

    The issue here is how to force the Web Filter to first block and then allow the rest of the same domain.
    I tried to create a policy where I would allow a specific site and block the expression, without luck.
    I created a policy which would allow the specific websites and another, higher policy which blocks with the expression above, again no luck.

    In the future we want to make one policy with many expressions that could block URLs which include words like login, register, authenticate, account.

    Any suggestions?

     

    Thanks in advance.

  • Note 2017-03-16: this doesn't do what I wanted.

    What happens if you block everything and make an Exception for the following?

     ^https?://([A-Za-z0-9.-]*\.)?embarcadero\.com/((?!(registration|login)).)*$

    Cheers - Bob

     
  • This expression will allow again access to the whole domain if included in the Exception list and disable URL filter.

    If I do not select URL Filtering, the default block-all policy will apply.

     

    Still, this is not a solution, or I am missing something.

     

    What I have done on another proxy web filtering utility is the following:

    I have created a policy which allows the domain and any subdomain that we desire employees to have access to. Policy list position number set to 2.

    I have created another policy which blocks specific URLs or, by using a wildcard, blocks pages starting with a URL. Policy list position number set to 1.

    I have created a default policy to block all traffic. Policy list position number set to 3.

    By using the above configuration we have managed to block users from accessing specific webpages in an allowed domain, and we want to achieve the exact same result with Sophos UTM v9 so that we can migrate. The example above was provided in order to give details of what we want to accomplish.

     

    Thanks in advance for your effort and time.
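
Added example, not part of any post in this thread and not Sophos code: a generic first-match policy list modelling the three positions described in the post above (block expression, allow domain, default block), next to the single negative-lookahead expression suggested earlier. It does not model how Sophos UTM evaluates Exceptions or filter actions; the policy names, the `decide` and `exception_allows` helpers and the constructed sample URLs are assumptions.

```python
import re
from urllib.parse import urlsplit

# Block expression from the thread, with the dot in "embarcadero.com" escaped
# (unescaped, "." matches any character, so the host match is looser than meant).
BLOCK_RE = re.compile(
    r"^https?:\/\/([A-Za-z0-9.-]*\.)?embarcadero\.com\/(registration|login)([A-Za-z0-9.?=-]*)?")
# Single allow expression with a negative lookahead, as posted in the thread.
EXCEPTION_RE = re.compile(
    r"^https?://([A-Za-z0-9.-]*\.)?embarcadero\.com/((?!(registration|login)).)*$")
ALLOWED_DOMAIN = "embarcadero.com"  # assumption: a single allowed domain

def host_in_domain(url, domain):
    """True for the domain itself and its subdomains, not for look-alike hosts."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

# Ordered list: position 1 block, position 2 allow, position 3 default block.
POLICIES = [
    ("block-login-registration", lambda u: bool(BLOCK_RE.search(u)), "block"),
    ("allow-domain", lambda u: host_in_domain(u, ALLOWED_DOMAIN), "allow"),
    ("default-block", lambda u: True, "block"),
]

def decide(url):
    """First matching policy wins; returns (policy name, action)."""
    for name, matches, action in POLICIES:
        if matches(url):
            return name, action

def exception_allows(url):
    """Decision of the single negative-lookahead expression on its own."""
    return "allow" if EXCEPTION_RE.search(url) else "block"

SAMPLES = [  # the first three are URLs quoted in the thread; the rest are constructed
    "https://community.embarcadero.com/login?return=aHR0cHM6Ly9jb21tdW5pdHkuZW1iYXJjYWRlcm8uY29tL2ZvcnVt",
    "https://community.embarcadero.com/registration-form",
    "https://www.embarcadero.com/",
    "https://community.embarcadero.com/forum",
    "https://community.embarcadero.com/forum/login",  # login not in the first path segment
    "https://embarcadero.com.example.net/",           # look-alike host
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{decide(url)[1]:5} {exception_allows(url):5} {url}")
```

On the constructed `/forum/login` URL the two approaches disagree: the block expression only looks at the first path segment, while the lookahead expression rejects `login` anywhere after the host.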

  • I'm not 100% confident in my REGEX Kung Fu, but that should allow only URLs that don't include registration or login.  Registration and login URLs should not be included in the Exception using that expression.

    Cheers - Bob

     
  • Dear Bob thank you for your time and effort.

    I appreciate your replies and I am thankful for your time.



    Using exclude in order to allow websites with expressions is not optimal for me.
    There are many expressions that should be created, and something might break that could in the end let the users have access to unwanted webpages.
    So this makes it unfriendly to use and not possible to train my colleagues how to use it if required.

    I would like to avoid using expressions and block specific webpages, but in most cases the URL is dynamic.

    Thus it is not possible to block without expressions, since wildcards do not apply.

    I will try to contact the Support Team regarding this issue, despite the fact that I have had a simpler reported issue open for 1 week now without a fix.

    If we do not find a solution then sadly we will not implement Sophos UTM in our environment.

    Any other ideas or suggestions would be appreciated, I do not want to give up that easily.

     

    Thanks in advance.

  • Hi Nikos,

    I think the best solution for your requirement is to work with tags. Please try the following solution.

    Step 1:

    Go to Web Protection / Filtering Options / Websites and create a new site.

    type community.embarcadero.com as domain

    create a new Website Tag "Allowed Websites"

    save

    create new site

    type community.embarcadero.com/login and community.embarcadero.com/registration-form

    create a new Website Tag "Login and Registration"

    save

    Step 2:

    Create a Filter Action that blocks all

    Edit the Filter Action and switch to Websites

    Add under "Control sites tagged in the Website List" the two new Website Tags

    For the Login and Registration Tag choose Block and for the Allowed Websites Tag choose Allow

     

    Is this what you need?

    Regards

    mod

     

     

  • I like this answer.  I tested my suggested REGEX and it doesn't work!

    Cheers - Bob

     
  • I will test and provide feedback, as I didn't have time to test today.

     

    Thanks for your reply.

  • I know, this is working. I've tested it by myself ;)

    vg

    mod

  • Sadly it does not work for me.

    Please find attached my configuration if it is helpful. Although I am allowed to access

    community.embarcadero.com

    I am also allowed to access 

    https://community.embarcadero.com/login?return=aHR0cHM6Ly9jb21tdW5pdHkuZW1iYXJjYWRlcm8uY29tLw==

    and

    https://community.embarcadero.com/registration-form

    I do not have access to any other website, e.g. https://www.embarcadero.com/, which is desired.

     

     

    Maybe I am doing something wrong?

     

    Thanks in advance for your time.

  • I did not manage to make it work.
    A reply with screenshots of my configuration will be provided soon, as soon as my appeal is reviewed by the admins.