Firewall policy "drop" shows block page on HTTP connections

Kia ora folks,

I'm new to Sophos XG and so far I'm really liking it but it seems very odd to me that a firewall can be incapable of dropping packets on a drop rule! I have a /29 of public IPs routed to me by my ISP and when some hits them externally they get a Sophos blocked page. I really don't want this. I understand I can use a reject rule but I really just want to drop the packets silently. Just like a firewall would do. I also understand I can also do a clunky workaround with a DNAT rule to NAT it to nowhere, but not ideal. 

The response to this feature request seems to suggest there is a way to turn off the redirect to the blocked page in version 18? But I haven't been able to 

"...redirection to the proxy is now optional."

https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34371889-port-80-and-port-443-is-not-blocked-by-the-firewal

Cheers,

Rhys

Please make sure that your external port is set to be WAN. Make sure that you have no firewall rules with source WAN/Any and Service 80/443/Any. An external client trying to use your XG as a proxy into you network should get a block page from the web proxy. That suggests a poor configuration.

If you are trying to host internal webservers, look at the "Web Servers" tab on the left. This uses firewall "business application rules" (v17) or "server access assistant (DNAT)" (v18). As far as I know if neither of these are configured, you should not be getting a block page.

The link and reply refer to LAN->WAN access.  For LAN->WAN typically you don't want to block all web traffic, you want to do something like block all unauthenticated web traffic.  In order to support that, it is harder to configure completely dropping internal to external traffic.

Hi Michael,

Thanks very much for your reply. I'm quite ok with internal clients receiving a block page. It's just the external visibility I'm concerned about. I don't want to advertise that there is anything there at all.

I'm not actually using any of the /29 addresses at the moment - they are the 202 addresses and the 123 address is the PPPoE WAN address which they are routed to. I've just got a couple of services being DNAT'd from the WAN IP -  SSH and another app on port 52341.

It's worth noting, I don't get a blocked page when hitting the WAN (123.x.x.x) address, only when I hit the /29 202.x.x.x addresses. 

As far as I can tell I've got everything configured as per your advice. Here are my interfaces, rules, and zones: 

*edit* Full size images can be viewed here 

I am not an expert in the full firewall or network.  I'm an expert in the Web proxy.  So I may not be able to help.

Can you open up Log Viewer, use the icon to switch to detailed view, change the log to just Web Filter.

Replicate the problem.

Is there anything about it in the Log Viewer?  If so, can you post here?  This should show the firewall rule that is being hit.

I am not an expert in the full firewall or network.  I'm an expert in the Web proxy.  So I may not be able to help.

Can you open up Log Viewer, use the icon to switch to detailed view, change the log to just Web Filter.

Replicate the problem.

Is there anything about it in the Log Viewer?  If so, can you post here?  This should show the firewall rule that is being hit.