How to redirect all requests to the internet from some internal clients to internal server?

Hi!

UTM9 (Release 9.502-4) is informing me that some clients are infected with malware. I now blocked these clients using a firewall rule (Network Protection >> Firewall).

I would instead like to redirect all requests from these clients to an internal webserver, showing them an information message that they got blocked. I cannot redirect clients at the firewall, only allow or deny traffic. How do I do it?

Thanks in advance! Simon

PS: My first post here, sorry if I did something wrong. :)

  • Thank you for all your replies. The potential infection was detected by the Advanced Threat Protection of the UTM9; see below for an example notification email:

    Advanced Threat Protection
    
    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
    
    Details about the alert:
    
    Threat name....: C2/Generic-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
    Time...........: 2017-07-20 18:57:52
    Traffic blocked: yes
    
    Source IP address or host: 10.xxx.xxx.xxx

    Until now we simply block all external traffic of the client using the firewall as mentioned in my first post and wait until the owner of the computer reaches out to us; we then check the computer and remove the firewall rule. To increase the usability for the people of the potentially infected clients I thought about redirecting their http+https traffic (as probably all surf the web) to a status page to inform them that they should contact us.

    I tried a DNAT rule, but this does not work. Upon creation of the DNAT rule, I get an error message that an "any" address object as destination is not possible for this NAT-rule object if this NAT mode is used (original message quote in German: "Das NAT-Regel-Objekt kann für das Attribut Datenverkehrsziel keine Any-Adresse-Objekte verwenden, wenn dieser NAT-Modus verwendet wird.").
    Any other idea how to inform the clients/redirect their traffic to inform them? (The reverse proxy setup plus DNS rules sounded rather complex.)

    Thanks in advance
    Simon

  • Simon Mustermann said:

    I tried a DNAT rule, but this does not work. Upon creation of the DNAT rule, I get an error message that an "any" address object as destination is not possible for this NAT-rule object if this NAT mode is used (original message quote in German: "Das NAT-Regel-Objekt kann für das Attribut Datenverkehrsziel keine Any-Adresse-Objekte verwenden, wenn dieser NAT-Modus verwendet wird.").
    Any other idea how to inform the clients/redirect their traffic to inform them? (The reverse proxy setup plus DNS rules sounded rather complex.)

    OK, try Internet IPv4 as destination instead of any, that could work.


  • Alexander Busch said:

    OK, try Internet IPv4 as destination instead of any, that could work.

    Thanks, we get closer. :) Limiting the service to HTTP is not really optimal, I'd want https as well. I thought to use the group "Web Surfing", but there again I get an error message (It's not possible to create a NAT rule between different protocols [group and TCP]). As destination I do have a host and a protocol change (to redirect to a different port).

    But for testing purposes I entered HTTP as service, to be able to save the rule. Unfortunately it seems that it has no effect. The selected client is not redirected. Do I need to change something else? Reload the config? Can I debug it somehow with a log file anywhere? (Yes, I did enable the rule after creation :) )

  • That's the most common finding by ATP, Simon, and is an indication that the computer probably has an infection that tries to connect to a C&C computer.  That traffic is being blocked, so you probably don't need to block the rest of the traffic from that computer.

    This probably isn't related to web browsing traffic other than the probability that the user clicked on a link he shouldn't have.  You might want to take a look at Sophos Phish Threat and talk to your reseller about it.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    That's the most common finding by ATP, Simon, and is an indication that the computer probably has an infection that tries to connect to a C&C computer.  That traffic is being blocked, so you probably don't need to block the rest of the traffic from that computer.

    Yeah, I understand that the computer is possibly infected. Thus I want to ensure that the owner is aware of the fact and that we can clean it. I don't want to block all the traffic because I believe that it is harmful, but to notify the user that their computer is infected.
    Still, as pointed out in my last posting, it seems that the DNAT rule is not working (at least I don't see any effect of being redirected). Any idea on how to debug?

    Simon

  • I don't think any firewall will let you define a many-to-one address mapping for NAT. Since an infected PC is a threat to other devices on the internal network, if you cannot put a person on-site promptly, the next best option would be to identify and disable the device's switch port.

    One of the problems with any block based on IP address is that if the device uses DHCP, the address could change if the device is taken offline for a while, such as over this weekend. Then the wrong device is blocked and the right device is unblocked.

  • What device does DHCP for your LAN?

    Cheers - Bob

  • I might not have expressed myself well enough.

    DouglasFoster said:

    I don't think any firewall will let you defined a many-to-one address mapping for NAT.   Since an infected PC is a threat to other devices on internal network, if you cannot put a person on-site promptly, the next best option would be to identify and disable the device's switch port.

    Well, I'm on-site. And in one case I actually deactivated the switch port. Which still doesn't solve my problem of how to inform the affected users.

    DouglasFoster said:

    One of the problems with any block based on IP Address is that if the device uses DHCP, the address could change if the device is taken offline for awhile, such as over this weekend.   Then the wrong device is blocked and the right device is unblocked.

    Before I block the clients on the UTM9, I mark the clients as static, thus the danger of blocking the wrong client is rather low, I believe.

    BAlfson said:

    What device does DHCP for your LAN?

    The UTM9.

    Cheers
    Simon

  • Simon, in 'Network Services >> DHCP', search for the MAC on the 'IPv4 Leases' tab.  Hopefully, the associated machine name will allow you to identify the culprit. [;)]

    Cheers - Bob

  • BAlfson said:

    Simon, in 'Network Services >> DHCP', search for the MAC on the 'IPv4 Leases' tab.  Hopefully, the associated machine name will allow you to identify the culprit. [;)]

    Unfortunately not, as the people tend to name their computers whatever they want. :)

    Note: The setup here is not a company, but a community of 150 people living together. You could say it's an unregulated BYOD...

    Simon

  • That's a problem.  Until you have a method for identifying people/machines, you have a thankless task.

    If you want to block a device from any outside access, do the following:

    1. On the 'MAC Address Definitions' tab of 'Definitions & Users >> Network Definitions', create a definition "Malware" containing the MAC address(es) infected with malware.
    2. At the bottom of your list of firewall rules, create a rule like: 'Internal (Network) -> Any -> Any : Drop' with, in 'Advanced', 'Source MAC Addresses: Malware' and with logging selected.
    3. Create a blackhole NAT 'DNAT : Internal (Network) -> Any -> Internet : to {non-existent IP}' and do not select 'Automatic firewall rules'.
    4. Create another blackhole NAT 'DNAT : Internal (Network) -> Any -> Internal (Address) : to {non-existent IP}' and do not select 'Automatic firewall rules'.

    Without a lot of effort on your part, I don't see any other solution.

    Cheers - Bob
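As an added example (not code from the thread or from Sophos), the Python script below parses the ATP notification format Simon quoted earlier and resolves the reported source IP to a MAC address via a DHCP lease list, so the "Malware" definition in step 1 can be keyed on the MAC rather than on a lease that may change, as Douglas pointed out. The alert text and the lease table are constructed samples, and the lease column names are an assumption, not the UTM's export format.

```python
import ipaddress
import re

# Constructed sample in the shape of the UTM9 Advanced Threat Protection mail quoted above
SAMPLE_ALERT = """Advanced Threat Protection

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-07-20 18:57:52
Traffic blocked: yes

Source IP address or host: 10.0.5.17
"""

# Constructed lease list; the column names are an assumption, not the 'IPv4 Leases' tab layout
SAMPLE_LEASES = [
    {"ip": "10.0.5.17", "mac": "00:11:22:33:44:55", "hostname": "simons-laptop"},
    {"ip": "10.0.5.18", "mac": "00:11:22:33:44:66", "hostname": "printer"},
]

# "Key....: value" lines; the key may contain spaces, the dots are only padding
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*?)\.*: (?P<value>.+)$", re.M)

def parse_atp_alert(text):
    """Return the notification's labelled fields as a dict, e.g. {'Threat name': 'C2/Generic-A', ...}."""
    return {m["key"].strip(): m["value"].strip() for m in FIELD_RE.finditer(text)}

def resolve_lease(ip, leases):
    """Find the lease currently holding this IP, or None if the address is not leased."""
    return next((lease for lease in leases if lease["ip"] == ip), None)

def build_block_record(alert_text, leases):
    """Turn an alert into the data needed for a MAC-keyed block (step 1 above)."""
    fields = parse_atp_alert(alert_text)
    source = fields["Source IP address or host"]
    try:
        ipaddress.ip_address(source)  # the field may carry a hostname instead of an IP
        lease = resolve_lease(source, leases)
    except ValueError:
        lease = None
    return {
        "threat": fields["Threat name"],
        "time": fields["Time"],
        "blocked": fields["Traffic blocked"] == "yes",
        "source": source,
        "mac": lease["mac"] if lease else None,  # None: no lease found, fall back to the IP and re-check later
        "hostname": lease["hostname"] if lease else None,
    }
```

The hostname is carried along only as a hint, since, as Simon noted, people name their machines whatever they like.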