
UTM in transparent/bridged mode

Hello all,
Desperately hoping that someone can help me with this.  We've had the UTM running for over a year now in standard mode with no problems.  I now want everything to go through the UTM transparently.
The topology would be LAN > UTM > External Firewall > WAN

Currently the default gateway on the core switches is set up as the existing firewall (*.*.192.251).  I would change this to the UTM IP (*.*.192.254), and then what?  I have tried a number of different ways, none of which have worked properly.  My original plan was to have an inside interface and an outside one, so in and out.  Then I have thought about link aggregation?

I have read recently about using a gateway route; is that the way forward?  The internal interface is set up with the IP *.*.192.254 and the gateway *.*.192.1, and this one interface handles all traffic.

All I require is that all web traffic comes through the UTM, web filtered, then out to the existing firewall.
Thanks in advance



This thread was automatically locked due to age.
  • The two proxy methods are not exclusive.  The proxy method determines the port: the UTM standard proxy uses 8080 (by default), while transparent mode monitors 80 and 443 only.  Since the two modes operate on different ports, they can operate in parallel.  Of course, to use transparent mode, the UTM needs to be on the path to the internet, which was the focus of my previous post.  (That suggestion does not require any IP address changes.)

    To use both methods, you have to create a filter profile for each method: the source IP and port determine the filter profile.  The filter profile (and optionally the device type) determines the authentication method and the HTTPS inspection method.  The authentication method determines the user.  The user determines the policy.  The policy determines the filter action, and the filter action determines whether the URL is allowed.

    With both modes enabled, the transparent-mode proxy will handle any traffic that does not honor the device proxy configuration.  This includes traffic that is configured for DIRECT in your proxy script.  You need to add your DIRECT destinations to the transparent skiplist (or retest to see if they work acceptably in transparent mode).

    Non-browser applications will not have the NTLM information needed for automatic user identification.  Consequently, many problems with these applications can be solved with an exception entry that bypasses authentication for the destination server.  This works with both proxy modes.

    When transparent mode takes effect, firewall rules to block port 80/443 will no longer be relevant, so you may need to create appropriate transparent-mode policies to maintain your desired security posture.
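The reply above says that destinations your proxy script returns as DIRECT will land on the transparent proxy instead, so they must be added to the transparent skiplist. The script below is an added example (not part of this thread and not Sophos code) that pulls those DIRECT destinations out of a PAC file so the skiplist entries can be reviewed against the proxy script rather than retyped from memory. The sample PAC, the `utm.corp.example` proxy name and the example domains and subnets are all constructed for illustration; the script only recognises `dnsDomainIs`, `shExpMatch`, `isInNet` and `isPlainHostName` conditions, and counts a branch as DIRECT only when DIRECT is its first proxy choice, since a `PROXY ...; DIRECT` fallback is still proxied traffic under normal conditions.

```python
import re

# Constructed sample PAC file (not from the thread). Hostnames and
# networks are placeholders chosen for the example.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    // Internal hosts bypass the proxy entirely
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".corp.example") ||
        shExpMatch(host, "*.updates.example.com") ||
        isInNet(host, "10.0.0.0", "255.0.0.0"))
        return "DIRECT";
    // Proxied, with DIRECT only as a fallback if the proxy is down
    if (dnsDomainIs(host, ".partner.example"))
        return "PROXY utm.corp.example:8080; DIRECT";
    return "PROXY utm.corp.example:8080";
}
"""

# An "if (...) return "DIRECT";" branch. DOTALL lets the condition span
# several lines; the non-greedy body stops at the first DIRECT return.
DIRECT_RULE = re.compile(
    r'if\s*\((?P<cond>.*?)\)\s*return\s*"DIRECT"\s*;',
    re.DOTALL,
)
# The PAC helper calls we know how to turn into skiplist entries.
DOMAIN = re.compile(r'dnsDomainIs\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')
GLOB = re.compile(r'shExpMatch\s*\(\s*host\s*,\s*"([^"]+)"\s*\)')
NET = re.compile(r'isInNet\s*\(\s*host\s*,\s*"([^"]+)"\s*,\s*"([^"]+)"\s*\)')


def direct_destinations(pac_text):
    """Collect the destinations a PAC file sends DIRECT.

    Returns a dict with the domain suffixes, shell-style globs and
    ip/mask networks found in DIRECT branches, plus a flag telling
    whether unqualified (plain) hostnames also go DIRECT, because those
    cannot be expressed as a single destination entry and need a
    separate decision.
    """
    found = {
        "domains": set(),
        "globs": set(),
        "networks": set(),
        "plain_hostnames": False,
    }
    for match in DIRECT_RULE.finditer(pac_text):
        cond = match.group("cond")
        found["domains"].update(DOMAIN.findall(cond))
        found["globs"].update(GLOB.findall(cond))
        found["networks"].update(
            f"{ip}/{mask}" for ip, mask in NET.findall(cond)
        )
        if "isPlainHostName" in cond:
            found["plain_hostnames"] = True
    return found


def skiplist_candidates(pac_text):
    """Flatten the DIRECT destinations into one sorted review list."""
    found = direct_destinations(pac_text)
    return sorted(found["domains"] | found["globs"] | found["networks"])


if __name__ == "__main__":
    result = direct_destinations(SAMPLE_PAC)
    for entry in skiplist_candidates(SAMPLE_PAC):
        print("skiplist candidate:", entry)
    if result["plain_hostnames"]:
        print("note: plain hostnames also go DIRECT; decide per host")
```

Run it against your real PAC file by replacing `SAMPLE_PAC` with the file's contents; each printed candidate is a destination to add to the transparent skiplist or to retest through transparent mode, as the reply suggests. Entries in `PROXY ...; DIRECT` fallback branches are deliberately not listed.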