
Possible to bypass clientless filtering

I am a home user of Sophos XG.

My home network is broken out like this:

IP Range                          Purpose
172.16.16.1   - 172.16.16.19      Network Devices / Servers
172.16.16.20  - 172.16.16.149     Primary DHCP
172.16.16.150 - 172.16.16.169     Personal Phones / Tablets / Laptops
172.16.16.170 - 172.16.16.199     IoT Devices
172.16.16.200 - 172.16.16.219     Kid Devices w/ Filtering
172.16.16.220 - 172.16.16.229     Streaming Devices
172.16.16.230 - 172.16.16.254     Unassigned

I use static mapping in DHCP to assign the proper IP range. I have firewall rules for each of these groups based on the needs and desired protection for each of them. But I realized it’s possible to bypass those protections if a user on the kid devices group does a manual IP change on their device to a group that has less filtering. Is there a way to prevent this from happening? Should I enable the most restrictive rules for all devices and then bypass the one or two devices that need more access? My kids are only toddlers, so I’m not having this problem now; I’m just curious how I should handle it.

Is there a better way to set this up? All devices that have internet browsing capabilities are WiFi. No Ethernet PCs on my network.

  • Hi Joshua,

    You may configure static DHCP for your machines as per the range mentioned, and there are two options for you to manage the network with respect to the web policies applied.

    1. Use static DHCP configuration mapped to MAC addresses. To ensure that the users keep using the same IP, I would recommend configuring Spoof Prevention under Intrusion Prevention and enabling the IP-MAC pair filter. Make sure you have added an entry for all your MAC addresses, mapped to the specified IP address or set as DHCP. Then you may check Restrict unknown IP on trusted MAC on the LAN zone. Note that you must have another port configured with another zone, i.e. DMZ, to access the device in case you want to access the network without any restriction.
    2. Under Network > Neighbours (ARP-NDP) you can manually add the IP address associated with the MAC address. In case the IP address does not match the MAC address listed, the network traffic would not be valid. This option also gives you an option to add the MAC address to spoof prevention.

  • Hi,

    That only works if you have one IP address range in use. You can connect to another network on the XG, receive your correct IP address, and then use the features on the new connection.

    Ian
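
The IP-MAC pair filter described in the first reply, as an added example that is not Sophos code and not from either poster: a constructed MAC-to-IP map built from the ranges in the question, and a check that models the "Restrict unknown IP on trusted MAC" behaviour so a kid device that manually moves itself into the personal range is flagged. All MAC addresses, observations and option names are constructed assumptions; the policy flags only approximate the XG options and do not model Ian's point about a device joining a second network with its own range.

```python
"""Toy IP-MAC pair filter modelled on the Spoof Prevention options discussed above.
Added example; constructed data, not Sophos XG code or configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed static DHCP mapping (MAC -> expected IP), mirroring the ranges in the question.
TRUSTED_PAIRS = {
    "aa:bb:cc:00:00:01": "172.16.16.150",  # personal laptop (personal range)
    "aa:bb:cc:00:00:02": "172.16.16.200",  # kid tablet (filtered range)
    "aa:bb:cc:00:00:03": "172.16.16.220",  # streaming box
}
LAN = ip_network("172.16.16.0/24")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_pair(mac, ip, restrict_unknown_ip_on_trusted_mac=True, restrict_unknown_mac=False):
    """Decide whether a (MAC, IP) observation is consistent with the trusted pairs.

    restrict_unknown_ip_on_trusted_mac: a known MAC seen with any IP other than its
        configured one is dropped (this is what blocks a manual IP change).
    restrict_unknown_mac: a MAC with no entry at all is dropped instead of allowed.
    """
    mac = mac.lower()
    try:
        addr = ip_address(ip)
    except ValueError:
        return Verdict(False, "malformed ip")
    if addr not in LAN:
        return Verdict(False, "ip outside LAN")
    expected = TRUSTED_PAIRS.get(mac)
    if expected is None:
        return Verdict(not restrict_unknown_mac, "unknown mac")
    if ip == expected:
        return Verdict(True, "pair matches")
    if restrict_unknown_ip_on_trusted_mac:
        return Verdict(False, "trusted mac with unexpected ip (possible manual IP change)")
    return Verdict(True, "mismatch allowed by policy")


def audit(observations, **policy):
    """Run check_pair over constructed ARP/neighbour observations; returns (mac, ip, verdict) rows."""
    return [(mac, ip, check_pair(mac, ip, **policy)) for mac, ip in observations]
```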
