
Web Filter "Skip Transparent Mode Source Hosts/Nets" ignored

 Hello,

I am using UTM 9.503-4 in a home environment. I would like some internal hosts to be bypassed in Web Filtering, so have added them to the "Skip Transparent Mode Source Hosts/Nets", and checked "Allow HTTP/S traffic for listed hosts/nets". However, the policy helpdesk shows that the bypassed clients are still being filtered, and many sites using SSL work erratically or not at all. Turning off Web Filtering completely will usually resolve the issue, and allow traffic to traverse using MASQ and Firewall rules.

My main reason for using Web Filtering is for Quotas on Youtube and Netflix, but neither of these work, as the quota never cuts off the connection once established (probably because I am not proxying SSL, as this breaks too many sites). So I am then limited to using time ranges, in which case there doesn't seem to be any advantage to using Web Filtering - I can just use regular L3 rules and time ranges. Is it futile to use the Web Filter in transparent mode without a trusted SSL cert on the clients, since most traffic is SSL these days?

I was hoping for something like the Palo Alto level of application awareness and control, but I guess that's not going to happen for free.



  • Some further information on this issue. Each time the Web Filtering gets to the point where sites are not working correctly, even for bypassed clients, the only quick solution is to change the IP on one of the clients. Changing the client IP, either manually, or by editing the static IP assignment on the FW, then renewing the client lease, permits broken sites to work immediately - most commonly Facebook, Flickr and GMail. Symptoms are pages never finishing loading and timing out. This leads me to suspect the FW is not properly handling the MASQ or internal client IPs when web filtering is turned off, but instead is still incorrectly re-directing the requests to the proxy (which is now off). 

    I think I've pretty much determined the Web Filtering isn't going to offer me any extra value over L3 rules with time ranges, which is a shame, as I'm now basically back to the function of an iptables/ipchains firewall from 15+ years ago.

    If anyone has a way to use quotas that work for streaming media content, and still allow me to properly bypass some clients entirely, I'd love to hear it.


  • Did you configure web filtering as transparent? Should you have it configured as standard, then a skip transparent source setting will have no effect.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • The question is: is the browser configured to use the proxy (default is 8080)? Because UTM can skip, but the user insists on using the proxy.
    Is Endpoint configured and web-control enabled?

  • Hello,

    The clients are not configured to use a proxy; the UTM is transparently redirecting their requests to the Web Filter proxy. This is what I need to happen, since some dumb devices are not capable of proxy configuration, nor do I wish to worry about client proxy settings.

    I'm aware of how a transparent proxy works, in theory, and in practice, having built and managed many squid proxies on *nix, including using Cisco WCCP forwarding in Cat6500 switches, but I may be missing some subtle nuance of the UTM configuration. At the moment, the Web Filter proxy is working well, but that is with all clients going through it. The issue that is most important is that I can effectively bypass certain clients and not encounter the connectivity problems I reported in the previous post.

    You mentioned Allowed Target Services, which appears to be the equivalent of Safe Ports in squid, meaning those ports which the outbound proxy connection will connect to on behalf of the client. That is simple in standard mode with a client configured to use the proxy, but what is not clear in the docs is how these are interpreted in transparent mode, where it states that only ports 80 and 443 are intercepted. This statement suggests that Allowed Target Services is not applicable when in Transparent mode: "The disadvantage however is that only HTTP requests can be processed". This means that for non HTTP/S requests, a firewall rule (and MASQ entry in my case) are required, as expected.

    Under Transparent Mode Skiplist, this is stated: "To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here." Could it be that both checking this box, *and* creating specific firewall rules for the skip hosts creates some kind of odd state where some packets are handled by the hidden Web Filter skip list rule, and others handled by the manual firewall rule? I have not dug into the shell much aside from a few tcpdumps, but maybe I should, to see what these hidden rules look like.

    Thanks.
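The post above wonders whether a hidden skip-list rule and a manually created firewall rule can end up handling different packets, and whether it is worth looking at the rules from the shell. What decides the outcome on any iptables-based transparent proxy is first-match ordering in the nat table. The script below is an added example, not Sophos UTM's own code, chain names or rule layout: it parses a constructed iptables-save style ruleset for a generic Linux transparent proxy (ports 80/443 redirected to a local proxy on 8080, with a per-host skip chain) and walks it first-match, reporting whether a given source host is really bypassed or still lands on the REDIRECT. All addresses, chain names and rulesets are constructed.

```python
"""Rule-order check for a transparent web proxy skip list.

Added example (not Sophos UTM's own code, chain names or rules). It parses a
constructed iptables-save style NAT ruleset for a generic Linux transparent
proxy and walks it first-match, so you can see whether a given source host
really bypasses the proxy or still hits the REDIRECT.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    dports: set = field(default_factory=set)       # empty = any destination port
    target: str = ""
    to_port: Optional[int] = None                  # REDIRECT --to-ports

RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*)$")

def parse_ruleset(text):
    """Parse '-A CHAIN ...' lines; options this model does not use are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue                       # table header, chain decls, COMMIT
        chain, toks = m.group(1), m.group(2).split()
        rule = Rule(chain)
        i = 0
        while i < len(toks):
            opt = toks[i]
            if opt == "-s":
                rule.src = ipaddress.ip_network(toks[i + 1], strict=False)
            elif opt == "--dport":
                rule.dports = {int(toks[i + 1])}
            elif opt == "--dports":
                rule.dports = {int(p) for p in toks[i + 1].split(",")}
            elif opt == "-j":
                rule.target = toks[i + 1]
            elif opt == "--to-ports":
                rule.to_port = int(toks[i + 1])
            else:
                i += 1                     # unmodeled token (-p tcp, -m multiport, -i ...)
                continue
            i += 2
        rules.append(rule)
    return rules

def walk(rules, chain, src, dport):
    """First-match traversal of one chain. Returns ('REDIRECT', port),
    ('ACCEPT', None), or ('RETURN', None) when the chain is exhausted or
    explicitly returns to its caller."""
    known_chains = {r.chain for r in rules}
    for r in rules:
        if r.chain != chain:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dports and dport not in r.dports:
            continue
        if r.target in ("REDIRECT", "ACCEPT"):
            return (r.target, r.to_port)   # both end nat-table processing
        if r.target == "RETURN":
            return ("RETURN", None)
        if r.target in known_chains:
            verdict = walk(rules, r.target, src, dport)
            if verdict[0] != "RETURN":
                return verdict
            # sub-chain returned: resume with the next rule of *this* chain
    return ("RETURN", None)

def proxy_port_for(rules, src_ip, dport, chain="PREROUTING"):
    """Port the client is transparently redirected to, or None if it bypasses
    the proxy (explicit ACCEPT, or fell off the built-in chain whose policy is ACCEPT)."""
    verdict, port = walk(rules, chain, ipaddress.ip_address(src_ip), dport)
    return port if verdict == "REDIRECT" else None

# Constructed: skip chain is consulted before the redirect; ACCEPT ends the NAT lookup.
GOOD = """
*nat
:PREROUTING ACCEPT [0:0]
:WEB_SKIP - [0:0]
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j WEB_SKIP
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 8080
-A WEB_SKIP -s 192.168.1.50/32 -j ACCEPT
COMMIT
"""

# Constructed: the manual skip rule was appended *after* the REDIRECT, so it is never reached.
BAD_ORDER = """
*nat
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.1.50/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT
"""

# Constructed: skip chain uses RETURN, which hands control back to PREROUTING,
# where the REDIRECT that follows still fires for the "skipped" host.
BAD_RETURN = """
*nat
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j WEB_SKIP
-A PREROUTING -i eth1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-ports 8080
-A WEB_SKIP -s 192.168.1.50/32 -j RETURN
COMMIT
"""

def report(text, hosts=("192.168.1.50", "192.168.1.51"), dport=443):
    rules = parse_ruleset(text)
    return {h: proxy_port_for(rules, h, dport) for h in hosts}

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad_order", BAD_ORDER), ("bad_return", BAD_RETURN)):
        print(name, report(text))
```

On a real box the input would be the output of `iptables-save -t nat`; the two "bad" rulesets show the two ways a skip entry silently fails to bypass: it sits below the REDIRECT, or it returns from a sub-chain instead of accepting, so the host is still proxied even though a rule naming it exists.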

  • Transparent mode works with configured clients too, for example an outside client. And if he needs to open a page, for example x.x.x.x:4444, you have to put the WebAdmin port in Allowed Target Services.

    My question is: are you using Endpoint Protection, and where did you put the client you want to skip Transparent Mode, in Destination or Source?
    Because it is hard to believe this doesn't work.
    Do a simple test: exclude one host, and immediately that host will appear in firewall rules; otherwise we are missing something.
    Maybe a screenshot would help.

  • For #1, here's an example with Netflix, Shawn.  Once a certain number of KB have been downloaded, throughput drops to 1Kbps.  I'd have to play with this, as I suspect the Limit should be for destination instead of source:


    Is that what you wanted?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, they messed up something. Doing some tests now for different purposes, I can't access WebAdmin from the PC that uses the standard proxy, but I get internet.

    20:33:15 WebAdmin connection attempt HTTP  
    192.168.1.250 : 57580
    192.168.1.250 : 8444

    192.168.1.250 is the Internal Interface of the UTM

  • Hi Bob,

    Thanks for the example. I've actually done that test already, and it does work. The trick will be to determine the data cap, as Netflix bandwidth does vary quite a bit - old TV shows are much lower than new movies in HD, for example. This is a possible solution, although less precise than time quotas. It also won't address things like online gaming, or general time wasting sites.

    Thanks!

  • Unknown said:

    Transparent mode works with configured clients too, for example an outside client. And if he needs to open a page, for example x.x.x.x:4444, you have to put the WebAdmin port in Allowed Target Services.

    My question is: are you using Endpoint Protection, and where did you put the client you want to skip Transparent Mode, in Destination or Source?
    Because it is hard to believe this doesn't work.
    Do a simple test: exclude one host, and immediately that host will appear in firewall rules; otherwise we are missing something.
    Maybe a screenshot would help.

    Are you saying a firewall rule should appear, presumably under "Automatic firewall rules"? This is what I would expect also, but it's not happening. I do not have anything appearing under Automatic firewall rules, nor are there any other rules appearing which I have not created myself. I just tested this again, by deleting the entry in "Skip Transparent Mode Source Hosts/Nets", then recreating it. Applying after each step. Whether with the "Allow HTTP/S traffic for listed hosts/nets" checked or not, no rule appears. So either something is broken, or these "automatic" rules aren't supposed to be visible.

  • Something is strange after the last update. Yes, the rule should be visible, and in the Firewall Live Log too.

    I can't blame UTM because this is happening to me right now, but I am connected from outside. I will do the test tomorrow.

  • 8444, Olsi? In any case, I skip the proxy for access to the UTM doing proxying for internal users.

    Cheers - Bob

  • Yes Bob, but I was behind one UTM reaching my home UTM.

    Anyway, I tested from my home whether the automatic rule would show up for my internal PC, and nothing.

    And it does not end there...

    I have to telnet to a mail server on port 25 from my PC; I skipped my PC from transparent mode in SMTP. Same thing, NO automatic rule created.
