I have had some unhappy surprises with traffic filtering not working as expected. After reviewing some of the other material in this blog, I am beginning to understand. What follows is a description of my current understanding. Hopefully someone who is more knowledgeable can correct my errors, clarify my confusion, and affirm the assertions that are actually valid.
Even though this may get to a workable solution, it does not fully solve the problem that the device does not behave as most new users will expect it to behave, and as a result, there are likely to be many UTM installations will have allowed traffic which they do not intend to be allowed.
My current understanding:
When do Network Protection Firewall Rules apply?
- Assume that Firewall Rules only apply to traffic passing through the UTM without any processing by other subsystems.
- Fortunately, NAT rules apply even when Firewall Rule do not. Therefore, creating DNAT rules to direct unwanted traffic to a dead-end address is a useful alternative for situations where Firewall Rules are ignored. Remember that UTM allows USERS and GROUPS to be used in DNAT rules, so you should be able to block outbound traffic based on either of these methods:
- User/group and destination IP, or
- source IP and destination IP.
How to limit Webserver Protection (WAF) site to specific IP addresses?
- Use WAF Site Path Routing to specify Allow and/or Deny source addresses for each source path.
How to limit incoming SMTP traffic to the specific IP addresses intended for SMTP traffic?
- Option 1: Ignore the issue:
- For all internal addresses, SMTP will be open by default but will return error 550 – Access denied. This can be verified by testing with PortQry.
- For all external addresses, SMTP will be open by default and will route to the SMTP proxy, at which point SMTP proxy logic applies.
- Option 2: Lock it down:
- Create dead-end DNAT rules for every UTM address that exists but which should not accept SMTP traffic.
- Create dead-end DNAT rules for every Source IP address range that you want to block from ever sending SMTP traffic to your published SMTP addresses.
How to prevent web proxy users from accessing web servers in specific IP address ranges?
- Use a DNAT address to send traffic for specific outbound address ranges to a dead-end address. Web filtering does not have its own block/allow list based on IP address.
How to prevent web proxy users from access web servers with specific reverse DNS entries?
- Create a regular expression and add it to the list to blocked site list within each profile. If the list is long and the number of profiles is large, this may get tedious.
What are my options for managing FTP? (Short answer: I don’t understand.)
- Dead-end DNAT rules will probably be useful for FTP as well.
- Some web sites will provide web links that redirect the user from http to ftp for file downloads. As far as I understand, UTM must be in transparent mode for these links to work at all. The user cannot predict when or where this might happen, and has no ability to alter the link used. Consequently, I have never tested non-transparent mode or “Both” mode. I would be interested in comments.
- The FTP Advanced tab has a box to specify Allowed Servers. My understanding is that this list only applies when using non-transparent mode, which seems to presume use of an FTP Client application. There is not an equivalent Blocked Servers list.
- The FTP Advanced tab also has a transparent mode skip list. I wonder whether the transparent proxy functions differently when used anonymously from a web browser or transparently from an FTP client application.
- I have discovered that Google Chrome loses NTLM information when a web session switches from http to ftp, so web links that link to an ftp site will work in IE but fail in Chrome. One possible workaround is to create a Web Filtering exception to bypass authentication for URLs matching ftp://. Naturally, this approach eliminates the ability to control FTP differently for different users, so it may not be tolerable for some sites. If that is your situation, then users will have to be use a different browser or use one of the alternate authentication methods.
How close does this come to truth?
This thread was automatically locked due to age.
