Guest Wireless Information/Question

Question

There was a thread on the old forum for this, but since we can't post over there anymore I am posting a new thread here: 
 We want to start implementing "Guest Wireless" for some customers and are in the middle of testing. When enabling wireless protection, the wizard automatically creates a "Wireless Guest Network". Couple things we noticed, is that a user connected to this network could still PING devices on the "Internal" network. Under Network Protection>Firewall>ICMP we have Unchecked "Gateway forwards pings" and now the only device that resonds is the Sophos UTM, so we beleive this is all set? The next issue we ran into is this: Under Web Protection>Web Filtering>Global, if we add the Wireless Guest Network to the Allowed Networks, then any device on the Internal network is "reachable" from the Guest network. But if we remove the Guest wireless Network from the allowed networks, it seems like that removes the ability for someone on the Guest network to reach a device on the Internal network. We understand that now the Guest network isn't going through the Web Protection. What Problems/Security issues do we potentionally have by doing this and how do we seperate the networks if both are added to the Allowed Networks tab. We have read the document "Configure HTTP Proxy for a Network of Guests - V9.3 EN.pdf", but it seemed like most of that document was created before the wizard was put in place????

Scott_Klassen · Accepted Answer

"have Unchecked "Gateway forwards pings" and now the only device that responds is the Sophos UTM, so we beleive this is all set" Yes, by having this option checked, it creates a rule allowing ping to anywhere. 
 
"We understand that now the Guest network isn't going through the Web Protection. What Problems/Security issues do we potentionally have by doing this and how do we seperate the networks if both are added to the Allowed Networks tab."When you have a network or host using the Web Filtering proxy, the proxy controls all available traffic and manual firewall rules will not be used. If you do not have the guest network use the proxy, then the traffic would be controlled by firewall rules, but will not be filtered or AV scanned. If you want to use Web Filtering, Just set up the guest network in a separate profile, in which you can then create a block rule to disallow access to your internal network. This is covered in the document that you reference. I haven't correlated Bob's document with the current GUI, but everything is still there, just possibly in a slightly different place. Don't get hung up on specific paths in the document if the location has changed, just take a few minutes to click through the Web Filtering sections of your UTM and you'll quickly find whatever it is.