When I configure a policy to "drop" on all destination IPs and ports, I expect it to drop the traffic without notifying the user. However, I am receiving the "Stop! This website is blocked" page when I try to view any HTTP website. I would like it to drop the packets silently. How do I configure this?
I am running SFOS 18.0.1 MR-1-Build396
Edit your Default Drop rule.
Switch ANY (in Source zone and Destination zone) with all zones.
Do not add WAN in the Source zone, instead all other zones.
That should do the trick.
Kia ora folks,
I'm new to Sophos XG and so far I'm really liking it but it seems very odd to me that a firewall can be incapable of dropping packets on a drop rule! I have a /29 of public IPs routed to me by my ISP and when some hits them externally they get a Sophos blocked page. I really don't want this. I understand I can use a reject rule but I really just want to drop the packets silently. Just like a firewall would do. I also understand I can also do a clunky workaround with a DNAT rule to NAT it to nowhere, but not ideal.
The response to this feature request seems to suggest there is a way to turn off the redirect to the blocked page in version 18? But I haven't been able to
"...redirection to the proxy is now optional."
Please make sure that your external port is set to be WAN. Make sure that you have no firewall rules with source WAN/Any and Service 80/443/Any. An external client trying to use your XG as a proxy into you network should get a block page from the web proxy. That suggests a poor configuration.
If you are trying to host internal webservers, look at the "Web Servers" tab on the left. This uses firewall "business application rules" (v17) or "server access assistant (DNAT)" (v18). As far as I know if neither of these are configured, you should not be getting a block page.
The link and reply refer to LAN->WAN access. For LAN->WAN typically you don't want to block all web traffic, you want to do something like block all unauthenticated web traffic. In order to support that, it is harder to configure completely dropping internal to external traffic.
Thanks very much for your reply. I'm quite ok with internal clients receiving a block page. It's just the external visibility I'm concerned about. I don't want to advertise that there is anything there at all.
I'm not actually using any of the /29 addresses at the moment - they are the 202 addresses and the 123 address is the PPPoE WAN address which they are routed to. I've just got a couple of services being DNAT'd from the WAN IP - SSH and another app on port 52341.
It's worth noting, I don't get a blocked page when hitting the WAN (123.x.x.x) address, only when I hit the /29 202.x.x.x addresses.
As far as I can tell I've got everything configured as per your advice. Here are my interfaces, rules, and zones:
*edit* Full size images can be viewed here
I am not an expert in the full firewall or network. I'm an expert in the Web proxy. So I may not be able to help.Can you open up Log Viewer, use the icon to switch to detailed view, change the log to just Web Filter.Replicate the problem.Is there anything about it in the Log Viewer? If so, can you post here? This should show the firewall rule that is being hit.
Thanks LuCar. Yes that did it! Thanks! Although I'm not 100% clear about what I've done or why it works. Are you able to explain a little more.
Its about a smaller difference in the Firewall settings, which will be approach in MR Version of XG. Basically the firewall is pointing to the proxy, what and which traffic the proxy has to pick up. As your firewall tells the proxy to pick up ANY to ANY, it will also pick up WAN to WAN Traffic, which can hit the firewall. The proxy has the option to drop this via block page.
This behavior should will be revisit in some next version to avoid it.
PS: This only occurs, if you choose to forward the traffic of WAN to the proxy. So a XG without this rule will not forward the traffic to the proxy.
Thanks very much for the info LuCar. It would be good if future versions were clearer. In my view it would be ideal to have an option on the drop rule settings to enable proxy response for some ports or just do a normal drop for all ports.
I appreciate your input too Michael.