
Set up different web filter profiles for different networks.

I need some advice about how to set up different (and more secure) web filter profiles based on my network.

I currently have a LAN with about 30 PCs + servers + printers on a 192.168.0.xx subnet and it's plugged into eth0 on my SG135w UTM 9 (DHCP for the LAN is supplied by my Active Directory domain).

I also have a WiFi network on a 192.168.10.xx subnet which is plugged into eth2 on the appliance (the WiFi access is supplied by a separate WiFi system, but the appliance does supply IP addresses for everyone on the WiFi subnet).

Eth1 is the WAN port for the network. 

I am trying to make sure there is no routing between the two subnets, which is my first problem. 

Secondly, the SG135w is in my Active Directory domain and I want to enable AD authentication for the LAN PCs and to stop using transparent mode. But I don't want it to affect the WiFi (at least not yet). I am not sure how to have one network using Standard Mode and one network using Transparent Mode. I can see that I can create different profiles, but how do I set up the "Default Web Filter Profile" so other profiles can be used for the different networks?

Cheers....



  • Go to Web Protection, Web Filtering.  Turn on.
    This will be your "main" profile.  Set the Allowed Networks to be "eth1 (Network)" or whatever you named your wired-in computers to be.  Go to the Policies tab.  For the Base Policy, set the Default content filter action to whatever policy you want.
     
    Now test - confirm your wired people can transparently use the network and have that policy applied.  Make sure your wireless users have no access.
     
    Now set the mode from transparent to standard.  On your wired clients, change the proxy to eth1's IP, 8080.  Test it works.
     
    Go to Web Filter Profiles and create a new profile for "eth2 (Network)".  Under Policies, click on Base Policy to edit it and create/choose a new filter action (so that it is different from wired).
    Test again, with wireless making sure the correct policy is applied.

    Note: When you configure a profile for "Transparent" it will also work for "Standard" for the same incoming IPs.  In other words, Standard is always on and the radio button is really just turning Transparent on and off.
  • RE:  Note: When you configure a profile for "Transparent" it will also work for "Standard" for the same incoming IPs.  In other words, Standard is always on and the radio button is really just turning Transparent on and off.

    Michael, I cannot help being impatient with undocumented features. I just checked, and the help page says nothing about "Both".   I hope you are mistaken on this one, only because it would vindicate the documentation.  If "Transparent" means "Both", the user interface should say "Both".   Security products need to help the system administrator know what the product does, so that they configure the product without unexpected behaviors.

  • I understand the dislike for poor documentation.  This has been this way since Sophos UTM 9.0 and I suspect the same way in the Astaro ASG 8.x products as well.
     
    There is no harm or potential security hole if Standard mode is enabled.  Standard mode means that the UTM is listening to incoming packets directed to the firewall on port 8080.  But in this case it is already listening on port 80/443.
     
    There is, however, an implication for configuration.
     
    I know it is not in the documentation, but if I recall correctly (a few years ago when UTM was king and I was in these forums) it was common knowledge that if you wanted to have a Standard Mode and a Transparent Mode for the same network but wanted different behaviour, you needed to put the profile for Standard mode first.  This is because the Transparent mode profile includes Standard mode.
     
    So let me be precise:
     
    If the firewall sees incoming packets with destination of the UTM for port 8080 from a network in any active Web Profile's "Allowed networks" they will be forwarded to the httpproxy.  Regardless of the Profile's Standard/Transparent setting.
     
    If the firewall sees incoming packets with destination of something other than the UTM for port 80 or 443 from a network in any active Web Profile's "Allowed networks" they will be forwarded to the httpproxy IF that Web Profile is set to Transparent.
     

    In any case, it's been like this for 5+ years and (to my knowledge) this is the first complaint.  I agree with you, but I doubt the documentation will change as management will see this as rock bottom priority compared to the other work we are doing.
     
    You can interpret the options as
    "Standard Mode only"
    "Transparent Mode as well"
    :)
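The dispatch rules described in the reply above (traffic to the UTM on 8080 is always handed to httpproxy, traffic to other hosts on 80/443 only when the matching profile is Transparent, and the first profile whose Allowed Networks contain the source wins), as an added Python model of the walkthrough and of the "Standard profile first" ordering caveat. This is illustrative code written for this page, not Sophos code; the UTM interface addresses and the profile names are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed interface addresses of the UTM itself (eth0 for the LAN, eth2 for the WiFi).
UTM_ADDRESSES = {"192.168.0.1", "192.168.10.1"}
PROXY_PORT = 8080                      # Standard (explicit proxy) mode port per the reply
INTERCEPT_PORTS = (80, 443)            # ports Transparent mode intercepts per the reply


@dataclass
class WebProfile:
    name: str
    allowed_networks: list             # CIDR strings taken from "Allowed networks"
    transparent: bool                  # the radio button: Standard is on either way


def _source_allowed(profile: WebProfile, src_ip: str) -> bool:
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(net) for net in profile.allowed_networks)


def select_profile(profiles, src_ip, dst_ip, dst_port):
    """Name of the first profile that sends this packet to httpproxy, or None if it bypasses the proxy."""
    for profile in profiles:
        if not _source_allowed(profile, src_ip):
            continue
        # Explicit proxy request to the UTM on 8080: proxied regardless of the mode setting.
        if dst_ip in UTM_ADDRESSES and dst_port == PROXY_PORT:
            return profile.name
        # Web traffic to some other host: only intercepted by a Transparent profile.
        if dst_ip not in UTM_ADDRESSES and dst_port in INTERCEPT_PORTS and profile.transparent:
            return profile.name
    return None


def ordering_demo(src_ip="192.168.0.20", web_dst="203.0.113.10"):
    """Show why a Standard profile for a network must be listed before a Transparent one for the same network."""
    standard = WebProfile("lan-standard", ["192.168.0.0/24"], transparent=False)
    trans = WebProfile("lan-transparent", ["192.168.0.0/24"], transparent=True)
    utm = "192.168.0.1"
    return {
        # Standard first: explicit 8080 requests get the Standard policy, intercepted port 80 gets Transparent.
        "standard_first": (select_profile([standard, trans], src_ip, utm, PROXY_PORT),
                           select_profile([standard, trans], src_ip, web_dst, 80)),
        # Transparent first: it also claims 8080, so the Standard profile's policy is never applied.
        "transparent_first": (select_profile([trans, standard], src_ip, utm, PROXY_PORT),
                              select_profile([trans, standard], src_ip, web_dst, 80)),
    }
```

With the original poster's layout (LAN profile in Standard mode, WiFi profile in Transparent mode), a LAN client's direct port 80 request returns None, which is why the LAN clients must be pointed at the proxy on 8080 once Transparent is switched off.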