Web Filter Overrides the Firewall rules

Firewall rules are the last in hierarcy

thank you oldeda. i thought that would be the case, thank you for confirming, however, what confuses me is why the firewall rules is bypassed when i enable the web filter?

i know the firewall rules are correct, because if i disable the web filter they kick in and do as expected, but as soon as i enable the web filter, almost like the firewall side is turned off (although its still on)

i am using LACP with 4 NICs in a bundle and VLANs. i wonder if that has anything to do with it? a bug or something...

The architecture is different than most firewslls.

Read the Wiki articles, as theycontain information that is not in the manuals.

Thank you DouglasFoster.

I read the https://community.sophos.com/products/unified-threat-management/w/utm-wiki/37/securing-and-configuring-web-filtering

but now i am now more confused:(

=====================

This what the instructions reads:

In most firewall products, Access Control Entries are used to evaluate source and destination together.  In UTM, any traffic handled by the proxies will bypass any firewall rules, so source-destination restrictions must be enforced in the proxy configuration.

=====================

So it seems, if you enable the Web Filter, any traffic dealt by the web filter is not sent to the firewall rules but rather sent directly out (that my understanding). If my understanding is correct, then i am back to square one and more importantly how you supposed to use both at the same time since they both used for different things?

Hi and welcome to the UTM Community!

You will want to internalize #2 in Rulz.  Also see Doug Foster's take on some of this: READ ME FIRST: UTM Architecture.

Cheers - Bob

Every new user endures this shock, unless they are configured and trained by an experienced consultant.   I think the architecture should be in the manual, with lots of cross-references to be sure it is not missed.   Since Sophos expects new installs to choose XG Firewall, the manual may not ever get rewritten.  

Given the documentation gaps, I do not understand why the home use program is still offered.

Every new user endures this shock, unless they are configured and trained by an experienced consultant.   I think the architecture should be in the manual, with lots of cross-references to be sure it is not missed.   Since Sophos expects new installs to choose XG Firewall, the manual may not ever get rewritten.  

Given the documentation gaps, I do not understand why the home use program is still offered.

XG has a traditional firewall architecture with security zones.   Having learned to adapt to UTM's design, I have decided to continue using what I have.