Web Policy configured and deny rule applied, linked to FW rule, but not working

Hi All,

Just want to get a better understanding of the firewall rule ordering.

I have created a group called Proxy and have a rule within that (this is right at the top)

I've applied the web policy to the rule, source/destination networks/devices set to 'ANY'

Connection type: LAN to LAN

Services: TCP_ 3128

The deny (category-based) user activity is switched on. Included in that is gambling sites.

I've changed proxy settings to a laptop XGFirewall.domain.com port 3128.

Internet access works.

I am able to access the gambling sites. I have tried 3: William Hill, Betfred and Ladbrokes (UK).

I do not get a block message.

What might be the problem here?



This thread was automatically locked due to age.
  • Hi,

    Not sure about your LAN to LAN rule; should it be LAN to WAN, I would think?
    Linked NAT policies take precedence regardless of where they are in the list.

    Do you have application and IPS enabled?
    Do you have decrypt and scan enabled? That means you will need to install the XG CA.

    ian

  • Hi Ian,

    Thank you for replying so swiftly as usual! :-)

    I do have decrypt and scan enabled and have imported the CA security certificate into my machine's trusted certs.

    I only want the policy to apply to LANs; the WAN is configured elsewhere on a main multi switch.

    "do you have application and ips enabled?" Is this within the Applications tab?

    **Just to add: I have NAT disabled**

  • Ok so got the rule now working to some extent.

    Web Policy is called: MIS ICT

    User group/activity: Deny MIS ICT

    Do I need to have an "allow" user activity too, to allow certain traffic or is it ok just to leave some categories out e.g. search engines?

    Current setup

    Deny MIS ICT

    Allow MIS ICT - policy is turned off for now (will enable if needed, all web categories I want to allow are there)

    Test so far:

    • Google not accessible, but that is more due to a trusted cert missing.

    • William Hill (betting site) is blocked, even though it is not in the Deny MIS ICT policy (it is in the Allow policy though, mentioned above...turned off for now).

    • I have tested the policy via the tool in diagnostics and it is allowing the rule gambling; however, when I access the user portal and log into my account, it isn't showing anything to suggest it recognises me using the Internet.
  • Hi Ian,

    Just to let you know I got the web policies working now, I have a deny and allow rule for each internet user group I have imported over from the DC.

    Took a bit of time to get my head round how it works, but got there in the end. I do have another issue though: when accessing the web via my VPN the web policy is not working, and every site I go on is blocked, as if the web policy is not taking effect. It does take effect when using the policy test tool in diagnostics.

    I have a suspicion it could be due to me not having configured NTLM or STAs yet...?