Blocking access from internal range to an internal host is NOT working!

Hello,

I am having difficulty in blocking internal IPs from accessing services on another internal IP. The rule seems to have no effect whatsoever.

I have a UTM 9 with remote access (SSL VPN) setup in such a way that users logging in get static IPs mapped to them via the documented SNAT<-->DNAT rules for doing so; it SNATs the user network to a static IP, and a DNAT rule to replace the static IP with the user's network IP. This is working fine, and 192.168.1.x IPs via SSL VPN are mapped correctly to 10.100.1.x IPs. I am able to connect to hosts within the network from these IPs.

However, when I add a rule in the firewall to block all access from the "virtual static IPs" 10.100.1.2 - 10.100.1.5, for ALL services, to host 10.100.100.2, it has no effect at all. I tried both DROP and REJECT to no avail. I have tried removing the range and trying just one IP with no effect either. I don't know what I'm doing wrong. I am new to Sophos UTM, but these rules seem self-explanatory.

The rule is added at the bottom of the firewall list - AFTER the SNAT<-->DNAT rules are performed - although for effort's sake, I attempted to block the assigned SSL VPN IP from accessing the host and it too had no effect. I tried adding it to the top of the list as well and it did not work either.

What am I doing wrong here? Why am I unable to block hosts internally from communicating? I split these "virtual static IPs" into groups so that I could filter access from the VPN to internal hosts the users are permitted to contact and none else. However I am unable to implement this policy because the firewall does not seem to be working as it should.

Any help please?


Thank you!

Brian J

  • Do you configure "automatic firewall rules" within SSL VPN or the NAT rule (only a checkbox)?

    These rules have priority over manually configured rules.

    You can see the automatic FW rules by selecting "show all" within the firewall rule set.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • All of the automatic firewall rules are just for the SSL VPN, so that the users are able to access the internal network, and vice-versa. However these rules would be for the VPN IPs, which are separate from the IPs I'm trying to block - that is, the SNAT & DNAT rules I used to assign each VPN user a static IP. I see the rules you are talking about, but it doesn't look like any explicitly allow the virtual static IPs I created through no matter what...

    How would I go about testing to override these rules?

  • You have to disable the "automatic firewall rules" temporarily.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I can't disable them - they are handling all of my SNAT and DNAT rules for my VPN-Dynamic-IP-to-Static-IP translations. Those are the only rules in the firewall aside from user groups having access to the internal network. There are no other rules.


    Any other ideas why the blocking doesn't work?

  • Does anyone have any input here? I need help, it's not working when the rule is very simple. Something is wrong here.

    Thank you!

  • In my opinion it's not possible to assign rules to a host that accesses a destination in the same subnet, because the traffic will not run through the rules.

    You should try to change the source to the VPN address 192.168.x.x or the VPN user, so that the traffic won't run through the D-/S-NAT rules.

  • The rules are being accessed - because the packets are coming from the VPN (which is hosted by the Sophos UTM device) out to the LAN. There are some SNAT/DNAT rules being done to convert the dynamic VPN IP assigned to the user to a static IP (as per the UTM manual instructions to do so). So, since the traffic is coming from the VPN (Sophos UTM hosted), translated to a 192.168.x.x address (by the UTM, with SNAT/DNAT) and then out to the LAN, it should be able to filter this. It's doing all the routing. It should be able to stop the packets before they dump out to the LAN segment and onto their destination.

    So, what else is going on here? Is there another way to approach this? It seems like it should be trivial.

  • You wrote that your firewall rule should block traffic from source 10.100.1.2 - 10.100.1.5, for ALL services, to destination 10.100.100.2. But source and destination are in the same subnet, so the traffic will never pass the firewall and the rule will never be applied.

    The traffic passes the firewall only during the S-/D-NAT. So you should try to change the source of your firewall rule to the VPN address range 192.168.xxx.xxx.
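An added example (not code from the thread or from Sophos) that models the rule-order argument in the replies above: on a netfilter-based gateway such as UTM 9, DNAT is applied before the filter rules and SNAT after them, and automatic rules are evaluated before manual ones. The VPN client 192.168.1.10, its mapping to 10.100.1.2, and the rule sets are constructed for illustration.

```python
# Added example, not from the thread: minimal model of gateway processing order
# PREROUTING (DNAT) -> FORWARD (filter, automatic rules first) -> POSTROUTING (SNAT).
# All addresses and rules below are constructed.
from ipaddress import ip_address, ip_network

SNAT = {"192.168.1.10": "10.100.1.2"}   # VPN client -> "virtual static" IP (after filtering)
DNAT = {"10.100.1.2": "192.168.1.10"}   # reverse mapping for replies (before filtering)
HOST = "10.100.100.2"                   # the internal host Brian wants to protect
ALLOW_VPN = {"src": "192.168.1.0/24", "dst": "any", "action": "ALLOW"}  # "user net" -> LAN

def matches(ip, spec):
    """spec is 'any', a single address, a CIDR, or an 'a-b' range."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return lo <= ip_address(ip) <= hi
    if "/" in spec:
        return ip_address(ip) in ip_network(spec, strict=False)
    return ip_address(ip) == ip_address(spec)

def process(auto_rules, manual_rules, src, dst):
    """Return (verdict, src_on_wire, dst_on_wire) for one forwarded packet."""
    dst = DNAT.get(dst, dst)                       # PREROUTING: DNAT happens first
    for rule in auto_rules + manual_rules:         # FORWARD: automatic rules take priority
        if matches(src, rule["src"]) and matches(dst, rule["dst"]):
            verdict = rule["action"]
            break
    else:
        verdict = "DROP"                           # default deny when nothing matches
    if verdict != "ALLOW":
        return verdict, src, dst
    return verdict, SNAT.get(src, src), dst        # POSTROUTING: SNAT happens last

def rule_as_posted(auto_rules):
    """Block the post-SNAT range: the filter never sees 10.100.1.x as a source."""
    manual = [{"src": "10.100.1.2-10.100.1.5", "dst": HOST, "action": "DROP"}, ALLOW_VPN]
    return process(auto_rules, manual, "192.168.1.10", HOST)

def rule_on_vpn_source(auto_rules):
    """Block the pre-SNAT VPN source; only effective if no automatic rule allows it first."""
    manual = [{"src": "192.168.1.10", "dst": HOST, "action": "DROP"}, ALLOW_VPN]
    return process(auto_rules, manual, "192.168.1.10", HOST)

if __name__ == "__main__":
    print(rule_as_posted([]))                # ('ALLOW', '10.100.1.2', '10.100.100.2')
    print(rule_on_vpn_source([ALLOW_VPN]))   # ('ALLOW', '10.100.1.2', '10.100.100.2')
    print(rule_on_vpn_source([]))            # ('DROP', '192.168.1.10', '10.100.100.2')
```

The first call shows the posted rule never matching even with no automatic rules; the second shows an automatic allow rule overriding a correctly sourced manual drop, which is why the thread suggests temporarily disabling the automatic rules to test.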

  • Hi, Brian, and welcome to the UTM Community!

    I'm not trying to rain on your parade, but the comments here might make you suspect that you're not configuring things "the regular way" that folks here put configs together.

    It sounds like you're a knowledgeable guy configuring with WebAdmin the first time. I wind up charging twice as much to fix a first-time installation by a talented CCIE than if I'd done the original install myself.  It's easy to modify and administer a UTM with a well-designed configuration.  It's a whole different issue to create a good design.

    You probably don't need all of those SNATs and DNATs.  You may not be aware of #2 in Rulz, and that may be the source of your difficulties.  What is the reason for your NAT rules instead of just using objects created by WebAdmin like "Brian (User Network)"?

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I needed static IPs assigned because the Sophos does not act as a router/gateway for all machines on the network. Instead, it's only intended to be used for VPN connectivity (and site-to-site VPC and network linking) and firewalling between the VPN users and the network. Thus, I needed to be able to assign virtual "static IPs" so that machines on the network would be able to allow and block certain users. For example, one of our machines only needs to allow the administrative users in to SSH - thus, we block all except 192.168.1.x - y. We can't reference 'user net' etc. from the jump box. And since the Sophos does not permit assignment of static IPs to VPN users (which I don't understand WHY, many others have this capability), I had to use the preferred / documented (according to Sophos UTM 9 manuals) way of doing SNAT/DNAT rules to translate the VPN dynamic IP ("brian user network") to a static IP.

  • You can assign static VPN IPs to IPsec, L2TP/IPsec and PPTP Remote Access clients.

    If you use SSL VPN Remote Access, you cannot assign fixed IPs, but you can make separate Profiles allowing restricted access to specific users.  Assume that "Brian" is in three different Profiles.  When he logs into the SSL VPN, he will have access via automatic firewall rules to items in each of the Profiles.  In this way, you can get rid of all those NAT rules and replace them with a single Masquerading rule.  The UTM manages the access, not the jump box - all it has to do is limit access to the primary IP on the UTM interface in its subnet.

    You might not need the DNATs using your current approach as the UTM is a stateful firewall.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA