How to redirect all requests to the internet from some internal clients to internal server?

Hi!

UTM9 (Release 9.502-4) is informing me that some clients are infected with malware. I have now blocked these clients using a firewall rule (Network Protection >> Firewall).

I would instead like to redirect all requests from these clients to an internal webserver, showing them an information message that they got blocked. I cannot redirect clients at the firewall, only allow or deny traffic. How do I do it?

Thanks in advance! Simon

PS: My first post here, sorry if I did something wrong. :)

  • Thank you for all your replies. The potential infection was detected by the Advanced Threat Protection of the UTM9; see below for an example notification email:

    Advanced Threat Protection
    
    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
    
    Details about the alert:
    
    Threat name....: C2/Generic-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
    Time...........: 2017-07-20 18:57:52
    Traffic blocked: yes
    
    Source IP address or host: 10.xxx.xxx.xxx

    Until now we have simply blocked all external traffic of the client using the firewall, as mentioned in my first post, and waited until the owner of the computer reaches out to us; we then check the computer and remove the firewall rule. To improve usability for the people using the potentially infected clients, I thought about redirecting their HTTP and HTTPS traffic (as probably all of them surf the web) to a status page informing them that they should contact us.

    I tried a DNAT rule, but this does not work. Upon creation of the DNAT rule, I get an error message that an "Any" address object as destination is not possible for this NAT rule object if this NAT mode is used (the original message was in German: "Das NAT-Regel-Objekt kann für das Attribut Datenverkehrsziel keine Any-Adresse-Objekte verwenden, wenn dieser NAT-Modus verwendet wird.", i.e. "The NAT rule object cannot use Any address objects for the traffic destination attribute when this NAT mode is used.").
    Any other idea how to inform the clients/redirect their traffic to inform them? (the reverse proxy setup plus DNS rules sounded rather complex)

    Thanks in advance
    Simon

  • Simon Mustermann said:

    I tried a DNAT rule, but this does not work. Upon creation of the DNAT rule, I get an error message that an "Any" address object as destination is not possible for this NAT rule object if this NAT mode is used (the original message was in German: "Das NAT-Regel-Objekt kann für das Attribut Datenverkehrsziel keine Any-Adresse-Objekte verwenden, wenn dieser NAT-Modus verwendet wird.", i.e. "The NAT rule object cannot use Any address objects for the traffic destination attribute when this NAT mode is used.").
    Any other idea how to inform the clients/redirect their traffic to inform them? (the reverse proxy setup plus DNS rules sounded rather complex)

    OK, try Internet IPv4 as destination instead of any, that could work.

    -
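As an added illustration (not code from this thread or from Sophos) of what the notification mail quoted above carries and of what the "Internet IPv4 instead of Any" advice amounts to: the Python below parses the ATP mail format shown earlier, puts the flagged host into a quarantine set, and models the DNAT match so that only HTTP/HTTPS from a quarantined host to a non-private destination is rewritten to an internal notice server. The sample address 10.0.23.45, the notice host 192.168.50.10:8080, and the approximation of "Internet IPv4" as "everything except RFC 1918 and other non-routable IPv4 space" are assumptions made for the demo; the iptables rendering is a reference for the same policy in plain netfilter terms, not output from the UTM.

```python
"""Added example, not code from the forum thread or from Sophos.

Parses the Advanced Threat Protection notification format quoted in the
thread, collects the flagged host into a quarantine set, and models a DNAT
redirect that only rewrites HTTP/HTTPS from quarantined hosts to non-private
destinations.  Addresses, ports and the notice server are constructed.
"""
import ipaddress
import re

# Constructed sample in the format of the mail quoted in the thread;
# 10.0.23.45 stands in for the redacted 10.xxx.xxx.xxx.
SAMPLE_NOTIFICATION = """\
Advanced Threat Protection

A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.

Details about the alert:

Threat name....: C2/Generic-A
Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time...........: 2017-07-20 18:57:52
Traffic blocked: yes

Source IP address or host: 10.0.23.45
"""

# "Label....: value" lines; the dots are padding and the label may contain
# spaces.  A heading that ends in a colon ("Details about the alert:") has no
# value on its line and therefore does not match.
_FIELD_RE = re.compile(
    r"^(?P<label>[A-Za-z][A-Za-z /]*?)[. ]*:[ \t]*(?P<value>\S.*?)[ \t]*$", re.M
)


def parse_notification(text):
    """Map each labelled line of an ATP notification mail to its value."""
    return {m["label"].strip(): m["value"] for m in _FIELD_RE.finditer(text)}


def flagged_host(text):
    """The source host the UTM reported, or None if the mail has no such line."""
    return parse_notification(text).get("Source IP address or host")


# Destinations that must NOT be redirected, so LAN traffic (including traffic
# to the notice server itself) stays untouched.  Assumption: this approximates
# the UTM's built-in "Internet IPv4" definition; it is not Sophos' exact list.
_NON_INTERNET = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "224.0.0.0/4", "240.0.0.0/4",                       # multicast, reserved
)]

WEB_PORTS = (80, 443)  # HTTP and HTTPS, the two services the thread wants covered
NOTICE_SERVER = ("192.168.50.10", 8080)  # constructed internal status page


def is_internet_ipv4(addr):
    """True if addr is an IPv4 address outside the non-routable ranges above."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in _NON_INTERNET)


def dnat_target(src, dst, dport, quarantined, notice=NOTICE_SERVER):
    """Where a packet from src to dst:dport ends up under the redirect rule:
    the notice server for matching traffic, the original destination otherwise."""
    if src in quarantined and dport in WEB_PORTS and is_internet_ipv4(dst):
        return notice
    return (dst, dport)


def netfilter_rules(quarantined, notice=NOTICE_SERVER):
    """Render the same policy as iptables nat-table rules (constructed reference,
    not UTM output).  Non-internet destinations RETURN before the DNAT, which is
    why "Any" as destination is neither needed nor wanted."""
    host, port = notice
    rules = ["iptables -t nat -N QUARANTINE"]
    rules += [f"iptables -t nat -A QUARANTINE -d {net} -j RETURN" for net in _NON_INTERNET]
    rules += [f"iptables -t nat -A QUARANTINE -p tcp --dport {p} -j DNAT --to-destination {host}:{port}"
              for p in WEB_PORTS]
    rules += [f"iptables -t nat -A PREROUTING -s {src} -j QUARANTINE" for src in sorted(quarantined)]
    return rules


if __name__ == "__main__":
    quarantine = {flagged_host(SAMPLE_NOTIFICATION)}
    print(parse_notification(SAMPLE_NOTIFICATION))
    for pkt in (("10.0.23.45", "203.0.113.7", 80),     # quarantined, to internet: redirected
                ("10.0.23.45", "192.168.50.10", 80),   # quarantined, to LAN: untouched
                ("10.0.99.1", "203.0.113.7", 80)):     # clean host: untouched
        print(pkt, "->", dnat_target(*pkt, quarantine))
    print("\n".join(netfilter_rules(quarantine)))
```

Two caveats a practitioner will hit with this design: a DNATed HTTPS connection lands on a server that cannot present a certificate for whatever site the user typed, so the browser shows a certificate warning rather than the notice page unless the clients trust a certificate issued for that purpose, which is why the plain-HTTP path is the one that reliably displays the message; and the destination exclusion is what keeps the rule from catching the client's traffic to the notice server and other LAN services, which is the practical reason "Any" as destination is the wrong object for this rule.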

  • Alexander Busch said:

    OK, try Internet IPv4 as destination instead of any, that could work.

    Thanks, we're getting closer. :) Limiting the service to HTTP is not really optimal; I'd want HTTPS as well. I thought of using the group "Web Surfing", but there again I get an error message (it's not possible to create a NAT rule between different protocols [group and TCP]). As destination I do have a host and a protocol change (to redirect to a different port).

    But for testing purposes I entered HTTP as the service, to be able to save the rule. Unfortunately it seems to have no effect: the selected client is not redirected. Do I need to change something else? Reload the config? Can I debug it somehow with a log file anywhere? (Yes, I did enable the rule after creation :) )