
Limit device access to specific domains and IPs

Hi,

I’ve been using XG for a week now on my home network after switching from UTM, which I used for 13 years. I’m pleasantly surprised how nice XG is; in my case it’s much faster than UTM was, but I’m still learning the new logic.
Right now I would like to limit the internet access of my home devices (NAS, Smart TV, receiver, etc.) to the necessary domains, and I’m having problems doing that.
On UTM I used web filtering with a default block-everything filter action: I watched the live log while, for example, trying to watch a clip on YouTube on my Smart TV, and allowed the domains it needed to work.

On XG I tried to achieve the same with firewall rules, but for some reason I can’t get it working. I created a rule like this:

Name: Device block
Action: Drop
Source zone: Home Lan
Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS, etc.
Destination zone: WAN
Destination networks and services: Any

Then I added an exclusion

Source zone: Home Lan
Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS, etc.
Destination zone: WAN
Destination networks: added the same URLs I used on UTM as FQDN hosts

What happens is that on the TV the YouTube app starts up, I can see the clips, I can browse and search, but if I try to watch a video I only receive a black loading screen and nothing happens. Basically, it’s the same if I try to cast a movie from Plex on my Synology NAS to Chromecast (it’s used with a non-smart TV): I just get a black screen. If I turn the rule off, everything works.
I tried the live log on the admin page, but it doesn’t seem very live to me. I tried to use Packet capture, where I could find some traffic going to the TV, but there were no blocks, just consumed packets.

What could be the problem here? Is there a way to dig more deeply in the logs? I tried tail on some logs on the advanced shell but found only static entries.

Thanks in advance

  • Hi,

    the XG is different to the UTM in firewall rule setup and policies.

    You do not need your top rule, because if an IP address does not match any that are in the rule it will be blocked by default. Did you enable logging in your rule?

    I would recommend not using ANY as a service group, but using specific services or a range of services.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for the response. The drop rule was made because I have another allow rule for the Home Lan zone under this one which allows all devices a WAN connection. The reason for that is that this zone includes multiple other devices (laptops, tablets, phones) I don’t want to block. Or is there another way to achieve this?

    Logging is enabled

  • Hi,

    your basic allow rule would be

    Source LAN -> list of devices you want to allow out -> destination WAN -> FQDN list -> port ranges -> log.

    This assumes you are using the web proxy, and assuming you are using v18?

    Then you need to create web exceptions in the WEB -> Exceptions tab, but remember that these exceptions apply to all firewall rules. Alternatively you can create a web policy and apply it to this rule, but you will need to have HTTP enabled.

    Ian


  • Hi,

    I’m running v18 and I’m using custom web policies and also an app filter. I tested both and they are working. The reason why I need a default allow-ANY-devices rule is that I don’t have all the connected hosts set up in XG, so these unset hosts’ internet access would be blocked.
    Why do I need a web exception? I only want to limit the internet access of some devices in a zone, and I don’t see how this could help.

    Now I created two rules, one to allow the traffic from the devices to the FQDN group and below that an ANY block. It is still not working; just the YouTube loading screen appears, and there are no violations in the live log.

  • Hi,

    we are flying blind without seeing all your firewall rules.

    You will need an exception to get Facebook to work. Something like this.

    Ian


  • As I wrote, the firewall logs showed no errors. But now it seems to be working. What I did: I just rebooted the server.

    Actually this is the second time since I’ve been using XG that something like this happened to me. On the first day I made some changes to the email scanning in the rule which controls my PC’s connection, and after that I couldn’t access the internet. I reverted the changes, which were not related to internet access, but nothing.
    In the policy tester I saw the drop and that no rules were applied, while the rule was there, it was active and it was working before. I couldn’t figure out what the problem was, so after an hour of playing, in a desperate move, I deleted the rule and recreated it with the exact same settings. Suddenly everything was back to normal.

  • It seems I was too fast, some videos are working but most are not.

    The top two rules in the Traffic to WAN group look like this now:

    1. Name: Device Allow
    Action: Accept
    Source zone: Home LAN
    Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS
    Destination zone: WAN
    Destination networks: The FQDN hosts that worked in UTM
    Services: ANY

    2. Name: Device block
    Action: Drop
    Source zone: Home LAN
    Source devices: Chromecast, Denon X2300, Samsung SmartTv, NAS
    Destination zone: WAN
    Destination networks: ANY
    Services: ANY

    I see two strange things in the live log. First, a lot of Invalid traffic entries coming from the IP of the TV on which I’m trying to play YouTube videos.

    The second one:

    11 is the Device block rule. How can this rule be Allowed and Denied if it’s a basic drop rule? And why is there no Out interface for some requests?


  • Can you capture the packets from a couple of devices and post them here?

    https://community.sophos.com/kb/en-us/127647

    Respectfully,

    Badrobot


  • Hi,

    Rule 11 looks like it is using the HTTP proxy and does not have drop traffic enabled; that is why you don't see the outgoing port. Rule effectiveness is dependent on where it sits on the rule search path, e.g. a block rule has to be higher up the rule search path.

    The others are a mix of broadcast traffic which is not passed by the firewall and rule 0 drops are either timed out connections or connection attempts with no matching rules.

    Ian

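    An added model (not Sophos code) of the first-match rule search Ian describes, using the rule order the original poster listed. The FQDNs in the allow list are placeholders, and the "Home LAN any" rule with its service set is assumed from the poster's description of a general allow rule below the device rules; unmatched traffic falls to the "rule 0" drop seen in the live log.

    ```python
    # Added illustration, not Sophos code: first-match evaluation of the poster's
    # "Traffic to WAN" rule group. Device names are from the thread; the FQDNs and
    # the trailing "Home LAN any" rule are placeholders/assumptions.
    from dataclasses import dataclass

    ANY = "ANY"

    @dataclass
    class Rule:
        rid: int
        name: str
        action: str            # "Accept" or "Drop"
        src_devices: object    # set of device names, or ANY
        dst_hosts: object      # set of FQDN hosts, or ANY
        services: object       # set of "tcp/443"-style service names, or ANY

    def _matches(selector, value):
        return selector == ANY or value in selector

    def evaluate(rules, device, fqdn, service):
        """Return (rule id, action) of the first matching rule in list order,
        or (0, "Drop") when no rule matches (the rule-0 drop in the log)."""
        for r in rules:
            if (_matches(r.src_devices, device)
                    and _matches(r.dst_hosts, fqdn)
                    and _matches(r.services, service)):
                return r.rid, r.action
        return 0, "Drop"

    DEVICES = {"Chromecast", "Denon X2300", "Samsung SmartTv", "NAS"}
    # Placeholder FQDN hosts standing in for the list that worked on UTM.
    ALLOWED_FQDNS = {"app.example-video.invalid", "api.example-video.invalid"}

    # Order as listed by the poster: allow to the FQDN list, then drop everything
    # else from those devices, then the assumed general allow for other hosts.
    RULES = [
        Rule(10, "Device Allow", "Accept", DEVICES, ALLOWED_FQDNS, ANY),
        Rule(11, "Device block", "Drop", DEVICES, ANY, ANY),
        Rule(12, "Home LAN any", "Accept", ANY, ANY, {"tcp/80", "tcp/443"}),
    ]

    # Same rules with the drop moved above the allow: the allow can never match.
    SWAPPED = [RULES[1], RULES[0], RULES[2]]

    if __name__ == "__main__":
        for rules in (RULES, SWAPPED):
            print(evaluate(rules, "Samsung SmartTv", "app.example-video.invalid", "tcp/443"))
    ```

    Any host the TV contacts that is not in the FQDN list is caught by rule 11, and the rule list must keep the allow above the drop for rule 10 to ever fire.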

  • Hmm, HTTP proxy isn't even enabled. I'm trying to understand the logic here: how can traffic be allowed and denied by one simple drop rule?

  • Hi,

    If you aren't using the proxy then you are using SSL/TLS inspection.

    Please post a copy of your rule, not what you think it says, but a screenshot, and of where it sits in your rule list.

    Ian


  • Hi,

    thank you for those details. Where does the group sit in your firewall rule listing?

    There is nothing obviously wrong that I can see, so that points to a problem with other rules/configuration confusing the XG processing.

    Ian


  • If I understand your problem, your concern is that the Log Viewer shows traffic which should not be allowed by Rule 7, but shows Rule 7 as "Allowed" anyway.

    That is a tricky issue right now in the Log Viewer (database) itself.

    XG has two different mechanisms to allow/deny traffic: you can allow traffic going "through" and going "to" XG.

    One is the firewall: you can deny and allow traffic via firewall rule going through XG (LAN-WAN).

    The other is Device Access: you can allow traffic going to XG (LAN to LAN interface).

    As XG is aware of the sessions, most likely a session could be going to XG, but builds up another session.

    For example: transparent web filtering is a proxy. Hence you are "actually" communicating with the XG LAN interface, as XG will use a proxy on the LAN port.

    The connection will be: Client - WAN, but actually you have two different sessions: client to LAN interface (port 443), and WAN interface to server (port 443).

    Therefore we are now in the tricky spot: you deny the traffic from client to server (LAN to server), but allow LAN to proxy interface.

    This transparent proxy will actually perform a redirect of the port from 443 to 3128 (internally).

    So we are sitting there and do not know what to do, as the session is actually allowed (TCP) by the proxy (Device Access) but on the other side not allowed for the actual session.

    So we are allowing the client to communicate with the proxy, as you allowed this in the Device Access page, but the proxy will deny the request anyway (as a firewall rule).

    Hence: TCP is allowed, application-based is denied.

    Hope this makes sense?


  • It's on the top of incoming rules. I tried to disable all unrelated rules too but no luck.

  • Thanks for the detailed explanation, this makes sense.

    My main concern is not the log itself; it’s that the way I’m trying to control my devices’ internet access, like I used to do on UTM, isn’t working for some reason. I thought that maybe this strange behavior I saw in the logs gives an explanation why YouTube videos are stuck at the loading screen on my TV most of the time, but not always.

    I don’t have the proxy enabled; basically all the advanced features are turned off now in this rule.

  • Hi,

    What services have you allowed in your home LAN zone?

    Ian
