This is really bizarre... I have the following FW rules enabled, but ALL traffic still flows perfectly fine..
In fact I am typing and sending this post from a computer on the "internal" network..
Yeah, seems like when you run "Web Filtering" in "Transparent" mode, the firewall rules don't apply...
But when I enabled "Standard" mode, then the firewall rules worked, but my web filtering policies don't work??
So, looks like I can either choose to filter out content for my kids like "nudity" etc. OR apply firewall rule to restrict time zones for them on their devices.. NOT both..
The ideal would be to block nudity etc. sites on their devices AND only allow them to use their devices during certain times..
Doesn't look like this is possible??
Thanks.
But I guess the statement still holds true that I can't do web filtering to restrict content like nudity AND use firewall rules to restrict kids to time window of using devices..
You have to pick one or the other.. They can browse 7am-7pm, but allowed to watch porn.. OR you can block porn, but then their devices are active 24/7.
ANY recommendations on how the heck to do both?
Hi Koos
As you say, traffic will either match a firewall rule or Web Filter Policy. If you need to inspect web content then this will need to be sent through the Web Filter Policy. Both Firewall Rules and the Web Filter Policy can be set to only be active for certain time periods, so you should be able to achieve the desired outcome.
To do this for the Web Filter Policy, locate the Profile you are using and go to the Web Filter Policy list within this. Edit or Add the Policy you want to use; there should then be a dropdown menu for the Time Event (similar to the firewall rules). When the policy is disabled (out of the Time Event period) the request will hit the Base Policy within that profile, so make sure that is set to block all categories.
Let me know if this helps
Greg
Main thing here is what I suspected and Zaphod answered. Have a good read of the RULZ and try and memorise parts of them. In this case rulz #2 would have helped you. I've recently been caught out by the application filter with regards to this even though I've had the UTMs for a while.
When strange things happen, work your way through the rulz and you will get your answer most of the time.
In the case of automatic firewall rules, they will always come before manual firewall rules, so worth bearing in mind.
However, in this case, we could see that there weren't any because the rules posted were # 1 & 2.
Greg, thanks a lot for the info and detailed response.
EDITED: I figured it out! Thanks a lot Greg.
I was able to create a new profile and added just my kid's devices in there as the source network and then added a policy to restrict timed access and block nudity etc.
This worked perfectly for browsers etc. and then I also added a firewall for the same devices and time limits..
Works like a charm.
THANK YOU!
Glad it worked for you. There is also the static mappings side of things where you can ensure that a certain device always gets a certain IP address (or reservation) via DHCP.
You would then add this IP address into your filters/rules.