Web protection - enforce proxy standard mode

I cannot quite follow your request. Are you talking about the Proxy mode like UTM? 

So you want only 8080 to allow to communicate to the proxy and all other ports (like 443 and 80) should be blocked? 

Yes similar to the functionality in the UTM. In SFOS, the proxy default port is 3128. I would like the clients to communicate only through this port and not directly. I hope it's a little more understandable now.

Should be possible in V17.5 and V18.

Simply put a firewall rule for your users with Port 3128. Do not create a firewall rule for Port 80/443. (or create a block rule below for 443/80). 

If no rule is in place, XG will simply block the Port 443 and 80 traffic. 

I'll give it a try.

You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless LuCar Toni knows something that I've missed.

If you create a firewall rule that only allows the configured proxy port as a destination service, the client devices are able to connect to the proxy, but the proxy is blocked from creating the outbound connections on behalf of the client device.

In order to allow the proxy to make the upstream connections, there must also be firewall rules allowing the original client devices to connect directly to the web ports on the WAN.

Obviously, this means that any application on the client device that doesn't respect direct proxy settings will still be able to connect, and will still have its traffic inspected by the proxy. What's the use case for wanting to force only direct proxy access?

You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless LuCar Toni knows something that I've missed.

If you create a firewall rule that only allows the configured proxy port as a destination service, the client devices are able to connect to the proxy, but the proxy is blocked from creating the outbound connections on behalf of the client device.

In order to allow the proxy to make the upstream connections, there must also be firewall rules allowing the original client devices to connect directly to the web ports on the WAN.

Obviously, this means that any application on the client device that doesn't respect direct proxy settings will still be able to connect, and will still have its traffic inspected by the proxy. What's the use case for wanting to force only direct proxy access?

We must comply with requirements that prohibit a transparent/direct connection. So I can't switch from the UTM to the XG until then.

Hello Steppenwolf,

You can prevent transparent access to the internet on 80/443. I'm not sure where the miscommunication has occurred but if you only want proxied access to the internet you only need a firewall rule (LAN to WAN) with the Proxy port found under Web Protection > General Setting. Default is 3128 but i like to change it to 8080. The allowed destination services are are also enabled in the same place as the port. I have several deployments where this is being done. So to summarise:

• Source Zone: LAN
• Destination Zone: WAN
• Service: Proxy port service definition
• Enable a Web Policy of choice
• Enable MASQ

By doing this, the XG will allow access to the internet if you proxy via it but will not allow general access to the internet via 80/443 transparently.

I have selected the appropriate answer in this thread.

Emile

RichBaldry said:

You may already have discovered this, but it is actually not possible to allow access via direct proxy without also allowing access transparently, unless LuCar Toni knows something that I've missed.

 

Actually Rich, you can.

Create a Service for 3128.  Create a firewall rule that applies only to that service that has web settings.

Off the top of my head, in v17 as long as you have that and nothing else you are good to go.  However if you have that and you also have a manually created drop all rule then you have problems.  This can be solved, see here.  https://community.sophos.com/kb/en-us/132117

If there are other problems it may be specific to your configuration.  But it is possible.

In v18 you might need to do a bit more fiddling on the NAT rule.

Hi Michael,

Yeah, I think I'm having some trouble with a NAT in my brief test earlier.

Will retest!

Emile