Web proxy bypass web filtering.

Why did you change the proxy port to 8080?

Please post a copy of your firewall rule?

Ian

Proxy Port 8080 (3128) is used for a Standard / Direct Proxy. 

So called the Client is talking directly to the Proxy (XG Interface).

If a Client communicate through XG into the Internet (Port 443 and 80), XG can actually scan such Traffic via Transparent Proxy. 

Both Modes are enabled per Default, but needs a Firewall Rule. 

Thank you Toni,

I was asking why did he need to change it from the default, what benefit did he perceive he would receive?

Ian

Depends on the setup.

Most likely you change this because your old product worked with 8080 and you want to continue to work with 8080.

(For example "unmanaged" devices with Port 8080). 

Hi Ian,

Before we're using SG 210 and the default port as I remembered is 8080. Instead of changing web proxy of every client computer to port 3128, I've done it to XG Firewall. I will try to back to default port configuration if my concerned will address.

Raffy

Hi Raffy,

you will need a firewall rule only allowing HTTP and HTTPS with http and https scanning enabled. You will need to block internet browsing traffic from using any other ports/rules.

The XG proxy is a little different to the UTM in that you need firewall rules which allow you to configure different gateways if you have them for different uaergroups. The previous info only applies to the transparent proxy.

Ian

Update :- I might be wrong in the above comments following on from my own testing. What I cannot find is where the policies that apply to the web proxy in full mode are located? I can find and use the transparent policies.

Ian

Basically XG works in terms of Web Filtering like UTM.

https://community.sophos.com/kb/en-us/125585

You need to specify the Direct Proxy (Standard Proxy on UTM). 

But you could use both, without any issue. 

Simply selecting the Proxy in the Device Access Zone and building a Firewall Policy Port 443, 80 and 8080. 

Basically XG works in terms of Web Filtering like UTM.

https://community.sophos.com/kb/en-us/125585

You need to specify the Direct Proxy (Standard Proxy on UTM). 

But you could use both, without any issue. 

Simply selecting the Proxy in the Device Access Zone and building a Firewall Policy Port 443, 80 and 8080. 

Hi Toni,

that document is a little confusing when comparing to the UTM, the UTM proxy does not use MASQ.

Also the document in my mind is a little unclear when you use both modes you need to use a MASQ which sort of defeats the proxy function?

When using mixed mode there is no indication in the document as to where the policies for the direct mode are configured.

Ian

Sorted the policy thing out, still leaves the requirement of the MASQ in question?

In fact, UTM Proxy, like XG, uses MASQ per default. 

Because the Traffic is generated by UTM itself, it most likely uses the Interface IP of the Gateway Interface. 

There are no "Direct Mode Policy".

Its like on UTM - If you use Transparent Mode in UTM, UTM will respond to 8080. (Its not well known, but its how it works).

And XG does the same. You configure the Proxy, and it will respond to 8080, 443 and 80. 

You will have to create a Firewall Policy with Port 8080 to attach the correct web policy. 

I knew about the 8080 on the UTM, I had played with that for many years. I was not aware of the MASQ and most experts do not appear to know either.

I don't use the 8080 on the XG, but traffic seems to flow through all the appropriate policies.

Currently playing with the direct proxy to see if there any benefits, but suspect there aren't because I have to disable those settings when out of home.

Ian

Update:- setup a new firewall rule using tcp 3128 and no MASQ and it successfully passes traffic.