How to redirect all requests to the internet from some internal clients to internal server?

Hi!

UTM9 (Release 9.502-4 ) is informing me that some clients are infected with malware. I now blocked these clients using a firewall rule (Network Protection >> Firewall).

I would instead like to redirect all requests from these clients to an internal webserver, showing them an information message that they got blocked. I cannot redirect clients at the firewall, only allow or deny traffic. How do I do it?

Thanks in advance! Simon

PS: My first post here, sorry if I did something wrong. :)

  • In my opinion, blocking all their traffic is a pretty effective notice. I assume there is a help desk function for technical problems with the network, and that the affected people will use it.

    Sounds like you need some policy work to announce terms of service, and some technical work to implement network access control technology.

  • BAlfson said:

    An email to everyone telling them that they will be locked if your security device sees traffic from them that indicates they have a malware infection.

    Seems that this is the only solution. Too bad.
    I was wondering if it would be possible to assign a different DNS-resolver to the affected clients to resolve all host names to the internal IP address hosting a notification page. But this is probably not possible either.

    BAlfson said:

    Using IPs instead of the MAC list runs the risk of DHCP assigning the banned IP to another user.  Using a DNAT destination of "Internet IPv4" assumes that the users aren't using the web proxy in Standard mode.  Using a manual firewall rule without the DNAT assumes that Transparent Web Filtering is not activated (see #2 in Rulz).

    I always mark the affected clients as static in the IPv4 lease table, thus I believe blocking the wrong client shouldn't happen. We're afaik not using the web proxy. Thanks though for the tip about the rules, I'll double-check about the Transparent Web Filtering Issue.

    DouglasFoster said:

    In my opinion, blocking all their traffic is a pretty effective notice. I assume there is a help desk function for technical problems with the network, and that the affected people will use it.

    Sounds like you need some policy work to announce terms of service, and some technical work to implement network access control technology.

    Unfortunately your assumption is wrong. I recently had a person who set up their computer before asking me for help. As I mentioned before it's not a company network or the like, but a bunch of people living together in a community. Thus it won't work to set up policies or to technically control network access. I fear I'll have to go with information emails and hope that not too many people with false positives will ask me for help...

  • "I always mark the affected clients as static in the IPv4 lease table"

    Be aware that static assignments are not the same as reservations in Microsoft DHCP.  In the UTM, you must make static assignments outside of the dynamic range, otherwise you risk having two devices assigned the same IP.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Be aware that static assignments are not the same as reservations in Microsoft DHCP.  In the UTM, you must make static assignments outside of the dynamic range, otherwise you risk having two devices assigned the same IP.

    Thanks for the hint. I assumed, that if I mark them as static in the IPv4 lease table, a corresponding rule is added to the DHCP server of the UTM to prevent a double assignment. If these two functions of the UTM are not coupled to each other, I'd consider this a feature request. :)

    Simon
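    The point Bob raises (a "static" entry in the UTM lease table does not reserve the address in the DHCP pool) is easy to check mechanically. The following is an added example, not code from the thread or from Sophos: given a dynamic DHCP range and a set of static assignments (both constructed sample data here), it flags the static entries that sit inside the dynamic range and therefore risk being handed to a second device, plus any two entries that already share one address. Function and variable names are my own choice.

```python
import ipaddress

# Constructed sample data: a dynamic DHCP pool (inclusive bounds) and the
# MAC -> IP "static" assignments an admin has marked in the lease table.
DYNAMIC_RANGE = ("192.168.1.100", "192.168.1.200")
STATIC_LEASES = {
    "aa:bb:cc:00:00:01": "192.168.1.150",  # inside the pool: collision risk
    "aa:bb:cc:00:00:02": "192.168.1.10",   # outside the pool: safe
    "aa:bb:cc:00:00:03": "192.168.1.200",  # on the pool boundary: still inside
    "aa:bb:cc:00:00:04": "192.168.1.10",   # duplicates the .10 entry
}


def in_dynamic_range(ip, dynamic_range):
    """True if ip lies within the inclusive dynamic DHCP range."""
    start, end = (ipaddress.ip_address(a) for a in dynamic_range)
    return start <= ipaddress.ip_address(ip) <= end


def find_pool_overlaps(static_leases, dynamic_range):
    """MACs whose static address the DHCP server could also lease dynamically."""
    return sorted(
        mac for mac, ip in static_leases.items()
        if in_dynamic_range(ip, dynamic_range)
    )


def find_duplicate_addresses(static_leases):
    """Addresses assigned to more than one MAC, with the MACs involved."""
    by_ip = {}
    for mac, ip in static_leases.items():
        by_ip.setdefault(ip, []).append(mac)
    return {ip: sorted(macs) for ip, macs in by_ip.items() if len(macs) > 1}


def audit(static_leases, dynamic_range):
    """Combine both checks into one report dict; empty lists/dicts mean clean."""
    return {
        "inside_dynamic_range": find_pool_overlaps(static_leases, dynamic_range),
        "duplicate_addresses": find_duplicate_addresses(static_leases),
    }


if __name__ == "__main__":
    report = audit(STATIC_LEASES, DYNAMIC_RANGE)
    for mac in report["inside_dynamic_range"]:
        print(f"move {mac} ({STATIC_LEASES[mac]}) outside {DYNAMIC_RANGE}")
    for ip, macs in report["duplicate_addresses"].items():
        print(f"{ip} is assigned to several devices: {', '.join(macs)}")
```

    Run it against an export of your own lease table and dynamic range; anything listed under inside_dynamic_range should be moved below or above the pool, as Bob suggests.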
