
WAN Deny Rule displays User Portal

I have created a Deny Rule on the WAN zone to block foreign countries and put it at the top of my rules. But instead of dropping connections, it instead will show the User Portal. It doesn't matter if I choose Reject or Deny. This rule worked properly with firmware ver 16.5.08, but since upgrading to ver 17, it has not worked properly. I am currently on ver 17.1.2.



  • Hi  

    For context, how are you testing this rule?

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • I have another internet circuit not on this firewall, so I added its IP address to the Source Network and Devices list in the firewall rule. I then test from that internet circuit.

  • Although I have not seen this with Reject rules, I'm fairly certain I know what is going on.  It is intentional.
     
    Let's say you have
    Firewall Rule 1 - Sales department can do web access anywhere
    Firewall Rule 2 - All users are blocked from going to Russia
     
    When a web request hits firewall rule 2 as a "not logged in" user the system goes Wait.... maybe this user would be allowed, if they logged in.  So instead of showing a block page it shows a login page.  Basically when displaying the captive portal it is really saying "you are blocked from this site because you are not authenticated".
     
    This logic completely makes sense and there are lots of companies who take advantage of this.

    Now the logic does get a little more complex.  I would have to know about your specific setup to retest and confirm your flow.
    If you are not using NTLM, then you should receive a block page.  The block page should contain a link to log in based on the "Prompt unauthenticated users to log in" setting found in Authentication \ Services.
    If you are using NTLM, then it should automatically try to log in the SSO user.  If the SSO succeeds it will re-evaluate the Firewall rules and allow or deny, and if they are still denied it will display the block page.  But if NTLM SSO fails then it will redirect the user to the captive portal.
    There is a side effect of using NTLM, which is whenever NTLM fails to log in you see the Captive Portal.  Even if it might be more logical to see the block page with a link to the captive portal.

    So, do you have NTLM configured (in Administration, Device Access)?
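The first-match flow described in the reply above (an identity-based allow rule earlier in the list turns a later deny into a login prompt for unauthenticated users, and NTLM SSO is tried before the rules are re-evaluated) can be modelled in a few lines. The following is an added illustration, not Sophos code and not this thread's: the `Rule` and `Request` fields, the three outcome strings and the `ntlm_sso` callback are assumptions chosen to reproduce the behaviour the post describes, and the sample rule sets are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Constructed model of the first-match evaluation explained above.
# It is not Sophos code; rule fields, outcome names and the NTLM hook are assumptions.


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                 # "allow" or "deny"
    src_zone: str = "LAN"
    groups: Optional[Set[str]] = None           # None: no identity condition
    src_countries: Optional[Set[str]] = None    # None: any source country
    dest_countries: Optional[Set[str]] = None   # None: any destination country


@dataclass(frozen=True)
class Request:
    src_zone: str
    src_country: str
    dest_country: str
    user_groups: Optional[Set[str]] = None      # None: user is not authenticated


def matches(rule: Rule, req: Request, ignore_identity: bool = False) -> bool:
    """True when the rule's conditions match the request.

    With ignore_identity=True the group condition is skipped, which answers
    "could this rule match once the user logs in?".
    """
    if rule.src_zone != req.src_zone:
        return False
    if rule.src_countries is not None and req.src_country not in rule.src_countries:
        return False
    if rule.dest_countries is not None and req.dest_country not in rule.dest_countries:
        return False
    if rule.groups is not None and not ignore_identity:
        if req.user_groups is None or not (rule.groups & req.user_groups):
            return False
    return True


def evaluate(rules: List[Rule], req: Request,
             ntlm_sso: Optional[Callable[[Request], Optional[Set[str]]]] = None) -> str:
    """Return 'allow', 'block_page' or 'captive_portal' for the request.

    ntlm_sso (assumed stand-in for NTLM SSO) is called for an unauthenticated
    request and returns the user's groups on success, or None on failure.
    """
    if req.user_groups is None and ntlm_sso is not None:
        groups = ntlm_sso(req)
        if groups is None:
            return "captive_portal"     # SSO failed: the user lands on the portal
        # SSO succeeded: re-evaluate the rules as the identified user
        req = Request(req.src_zone, req.src_country, req.dest_country, groups)

    skipped_identity_rule = False
    for rule in rules:
        if matches(rule, req):
            if rule.action == "allow":
                return "allow"
            break                       # explicit deny hit
        # Remember identity-based rules that failed only for lack of a login
        if (req.user_groups is None and rule.groups is not None
                and matches(rule, req, ignore_identity=True)):
            skipped_identity_rule = True

    # Explicit or implicit deny: an unauthenticated user who might have been
    # allowed by a skipped identity rule is prompted to log in instead.
    if req.user_groups is None and skipped_identity_rule:
        return "captive_portal"
    return "block_page"


# Constructed sample rule sets: the LAN example from the reply, and a WAN
# geo-deny placed at the top of the list, as in the original question.
LAN_RULES = [
    Rule("Sales department web access", "allow", groups={"sales"}),
    Rule("All users blocked from Russia", "deny", dest_countries={"RU"}),
]
WAN_RULES = [
    Rule("Deny foreign countries", "deny", src_zone="WAN", src_countries={"RU", "CN"}),
    Rule("Publish web server", "allow", src_zone="WAN"),
]

if __name__ == "__main__":
    print(evaluate(LAN_RULES, Request("LAN", "US", "RU")))            # captive_portal
    print(evaluate(LAN_RULES, Request("LAN", "US", "RU", {"sales"})))  # allow
    print(evaluate(WAN_RULES, Request("WAN", "RU", "US")))            # block_page
```

In this model the WAN case from the original question resolves to a plain block, because no identity-based rule sits above the geo-deny; that is what makes the User Portal the poster sees a different question, which the later replies take up under Local Service ACL rather than rule ordering.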
  • I follow the logic of your response, however:

    1. The rule is at the Top

    2. The rule is for the WAN zone, not the LAN zone.

    3. They are being presented with the User portal, not the Captive User portal. 

    Basically, I am trying to prevent the public from specific countries being able to access any of my servers listed further down in my BAP firewall rules. 

  • Sorry, I missed some of those details.  This is getting out of my area of expertise but...

    User Portal should only be served on port 443 and only if you are going to an IP of the XG firewall itself (as opposed to going through the firewall to some other destination).  It will be served on any port that is in a zone where the zone is configured to allow User Portal.

    See Administration \ Device Access \ Local Service ACL (Access Control List).  By default the User Portal is not enabled for WAN zone.  Therefore any incoming connection onto a port IP that is in the WAN zone should follow that Local Service ACL.

    If you never want User Portal on WAN then remove it there.  That should resolve your problem.

    I don't know in the world of Firewall Rules versus the Local Service ACL which has higher priority.  One issue is that there are two special zones that are not shown in the UI that are for local and internal traffic.  There are therefore sometimes differences whether you specify the zone "Any" (which includes them) or specify every defined zone (which does not include these special zones).