
Standard-Proxy not working

Hi all,

I have tried on different XGs and different versions, 18.0.3 and 18.0.4, to use the standard proxy mode.

(My last question, "How to allow Standard-Proxy connections only", suggests that the configuration is correct.)

Today I did the test again ... very simple ... but without success:

I allow port 3128 only and configure 3128 in the browser ... of course.

Block all other traffic from this PC.

Firewall and web proxy logs show "allow" for the request, but the page is not loaded:

Has someone got this running? How?

Thanks!



  • Hi: While using Direct Proxy Mode, the XG firewall will make another connection, which will in turn recheck the firewall rule list for its own connection, and would need the HTTP/HTTPS ports to be allowed in the direct proxy rule as well. Otherwise it will follow the rules below until it finds a match, and if there is none, no connection can be made to the website.

    Based on your rule details and setup snapshot here, XG is not getting any rule for HTTP/HTTPS for its own connection, and because of that the website is not accessible.

    Reference:

    support.sophos.com/.../KB-000036493

  • OK, thanks for the answer.
    But before I confirm it, I wanted to do some tests of my own.
    The task is not solved satisfactorily. My customer will probably not accept that.
    With the proposed solution, "non-proxy traffic" is also allowed through.
    This is inconclusive and not a real solution.
    But apparently we have yet another unsatisfactory XG solution here.
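The two-connection behaviour described in the first reply, and the objection in the second reply that allowing 80/443 for the client also lets non-proxy traffic through, modelled as an added Python example. This is not Sophos code and not from the original thread; it assumes first-match rule evaluation and that the proxy's own outbound connection is re-checked against the same rule list with the original client as source (the thread says the list is rechecked, not how the source is attributed). Host labels ("pc", "xg-proxy", "example.org") and rule names are constructed for the illustration.

```python
"""Toy first-match firewall evaluation for an explicit (standard/direct) proxy.

Added illustration, not Sophos XG code. Assumptions are marked inline.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY_PORT: FrozenSet[int] = frozenset()  # empty set = "any destination port"


@dataclass(frozen=True)
class Flow:
    src: str        # source host label (constructed: "pc" is the test client)
    dst: str        # destination label
    dport: int      # destination TCP port
    note: str = ""  # human-readable description of this leg


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]      # None matches any source
    dports: FrozenSet[int]  # ANY_PORT matches any destination port
    action: str             # "allow" or "drop"


def first_match(rules: List[Rule], flow: Flow) -> Optional[Rule]:
    """Return the first rule whose source and port criteria match the flow."""
    for r in rules:
        if r.src is not None and r.src != flow.src:
            continue
        if r.dports and flow.dport not in r.dports:
            continue
        return r
    return None


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Action and matched rule name; no match is an implicit drop."""
    r = first_match(rules, flow)
    return (r.action, r.name) if r else ("drop", "implicit-drop")


def explicit_proxy_request(rules: List[Rule], client: str, site: str,
                           site_port: int) -> Tuple[str, List[Tuple[str, str, str]]]:
    """An explicit-proxy page load is two TCP connections, and both must pass.

    Leg 1: browser -> proxy listener on 3128.
    Leg 2: the proxy's own connection to the site on 80/443, re-evaluated
    against the same rule list (assumption: the original client counts as the
    source of this second leg).
    """
    legs = [
        Flow(client, "xg-proxy", 3128, "browser -> proxy port 3128"),
        Flow(client, site, site_port, "proxy's own connection -> site"),
    ]
    trace = []
    for leg in legs:
        action, name = evaluate(rules, leg)
        trace.append((leg.note, action, name))
        if action != "allow":
            return "drop", trace   # log shows leg 1 allowed, page still fails
    return "allow", trace


def scenario(rules: List[Rule]) -> Dict[str, object]:
    """Compare a proxied page load with a direct (proxy-bypassing) connection."""
    proxied, trace = explicit_proxy_request(rules, "pc", "example.org", 443)
    direct, _ = evaluate(rules, Flow("pc", "example.org", 443,
                                     "browser -> site, proxy bypassed"))
    return {"proxied_page_load": proxied, "direct_bypass_443": direct,
            "trace": trace}


# Constructed rule sets. First: the original poster's setup (3128 only).
RULES_3128_ONLY = [
    Rule("allow-proxy-port", "pc", frozenset({3128}), "allow"),
    Rule("block-everything-else", "pc", ANY_PORT, "drop"),
]
# Second: the fix suggested in the thread (add HTTP/HTTPS to the proxy rule).
RULES_PROXY_PLUS_WEB = [
    Rule("allow-proxy-and-web", "pc", frozenset({3128, 80, 443}), "allow"),
    Rule("block-everything-else", "pc", ANY_PORT, "drop"),
]

if __name__ == "__main__":
    for label, rules in (("3128 only", RULES_3128_ONLY),
                         ("3128 + 80/443", RULES_PROXY_PLUS_WEB)):
        result = scenario(rules)
        print(f"[{label}] proxied page load: {result['proxied_page_load']}, "
              f"direct bypass on 443: {result['direct_bypass_443']}")
        for note, action, name in result["trace"]:
            print(f"    {note}: {action} ({name})")
```

With the 3128-only rule set the first leg is allowed (which is what the firewall log shows) but the proxy's own connection hits the drop rule, so the page never loads. With 80/443 added to the same rule the page loads, but the direct connection from the client on 443 is now allowed as well, which is exactly the "non-proxy traffic" objection raised above.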

  • Actually it is about the system itself, whether this is acceptable or not.

    Standard proxy only is the old technology. The world is moving to the DPI engine; Direct Proxy (Standard Proxy in UTM terms) will likely not survive this shift, because TLS 1.3 decryption will not work anymore.

    Hence you have to think about the future anyway: if (and that is, from my point of view, a matter of time) Google and the other internet providers enforce TLS 1.3, you will likely move to the DPI engine, as you cannot decrypt TLS 1.3 in a direct proxy.

    If you tell the client only 3128 is allowed, what difference does it make if the client uses 443, 80 or 3128, when the proxy picks up all those packets and interacts with the website anyway?

    PS: XG uses the same technique as UTM transparent mode. If you activate UTM in transparent mode, you can do 3128 and 443/80. It is coded in one mode.

    So you can talk with the customer about DPI mode and the "new interaction with TLS". Or you can scan HTTP/S on 443/80/3128.

  • Thank you for the simple explanation; now it makes a lot more sense why there are so many exceptions in DPI mode.

    Of course there is a limitation with DPI: you cannot scan UDP, so blocking VPNs becomes an issue. So I expect you will need some form of proxy rule after the DPI rule to assist with blocking UDP bypasses?

    Ian

  • Hi all,
    with your information I was able to find a solution with the customer.
    Thanks a lot.

  • Can you share with us your solution?

  • Sorry, no solution ... the customer has to accept that there is no option to meet the requirement "standard/direct proxy traffic only".
    But with your information about advanced security using DPI it should be possible to adapt the security guide.