This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deny connection to SSL VPN from internal network

Hi,
We have issue with our Sophos UTM that we cannot deny access to Sophos SSL VPN from internal network.
We have created deny drop rule in FW (internal > port 443 > SSLWANInterface), but FW is allowing the traffic. It's the 3.th rule and there are no related allowing rules above.
When i turn on logging no packets are allowed or droped on this rule and users can access SSL VPN on port 443.
It seems SSL VPN is above firewall based on: https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22065.

But is there any way to block connections to VPN SSL interface fromn internal networks?

Thanks for your suggestions.
Adrian

This thread was automatically locked due to age.

0 BAlfson over 9 years ago

Hi, Adrian, and welcome to the User BB!

In general, as you saw in #2 in Rulz, you can use a DNAT to blackhole a packet before anything else gets a chance to let it pass.

In the case of the SSL VPN, look at the top of the 'Settings' tab where you can limit inbound traffic to one interface address.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 amrvan over 9 years ago

Hi Bob,
I have set DNAT rule to change service to telnet service from clients network. Destination IP is the same and It works! [:)]
For blackholing i looked for answers in this thread: https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/40628

So thank you for your answer.

Cheers Adrian
Cancel
Vote Up 0 Vote Down

Cancel