How to redirect all requests to the internet from some internal clients to internal server?

Hi!

UTM9 (Release 9.502-4) is informing me that some clients are infected with malware. I have now blocked these clients using a firewall rule (Network Protection >> Firewall).

I would instead like to redirect all requests from these clients to an internal webserver, showing them an information message that they got blocked. I cannot redirect clients at the firewall, only allow or deny traffic. How do I do it?

Thanks in advance! Simon

PS: My first post here, sorry if I did something wrong. :)



  • Thank you for all your replies. The potential infection was detected by the Advanced Threat Protection of the UTM9, see below for an example notification email:

    Advanced Threat Protection
    
    A threat has been detected in your network
    The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
    
    Details about the alert:
    
    Threat name....: C2/Generic-A
    Details........: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
    Time...........: 2017-07-20 18:57:52
    Traffic blocked: yes
    
    Source IP address or host: 10.xxx.xxx.xxx

    Until now we have simply blocked all external traffic of the client using the firewall as mentioned in my first post, and waited until the owner of the computer reaches out to us; we then check the computer and remove the firewall rule. To increase the usability for the people of the potentially infected clients, I thought about redirecting their HTTP+HTTPS traffic (as probably all of them surf the web) to a status page to inform them that they should contact us.

    I tried a DNAT rule, but this does not work. Upon creation of the DNAT rule, I get an error message that an "any" address object as destination is not possible for this NAT rule object if this NAT mode is used (original message quote in German: "Das NAT-Regel-Objekt kann für das Attribut Datenverkehrsziel keine Any-Adresse-Objekte verwenden, wenn dieser NAT-Modus verwendet wird.").
    Any other idea how to inform the clients/redirect their traffic to inform them? (the reverse proxy setup plus DNS rules sounded rather complex)

    Thanks in advance
    Simon

  • That's the most common finding by ATP, Simon, and is an indication that the computer probably has an infection that tries to connect to a C&C computer.  That traffic is being blocked, so you probably don't need to block the rest of the traffic from that computer.

    This probably isn't related to web browsing traffic other than the probability that the user clicked on a link he shouldn't have.  You might want to take a look at Sophos Phish Threat and talk to your reseller about it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't think any firewall will let you define a many-to-one address mapping for NAT. Since an infected PC is a threat to other devices on the internal network, if you cannot put a person on-site promptly, the next best option would be to identify and disable the device's switch port.

    One of the problems with any block based on IP address is that if the device uses DHCP, the address could change if the device is taken offline for a while, such as over this weekend. Then the wrong device is blocked and the right device is unblocked.

  • What device does DHCP for your LAN?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I might not have expressed myself well enough.

    DouglasFoster said:

    I don't think any firewall will let you define a many-to-one address mapping for NAT. Since an infected PC is a threat to other devices on the internal network, if you cannot put a person on-site promptly, the next best option would be to identify and disable the device's switch port.

    Well, I'm on-site. And in one case I actually deactivated the switch port. Which still doesn't solve my problem of how to inform the affected users.

    DouglasFoster said:

    One of the problems with any block based on IP address is that if the device uses DHCP, the address could change if the device is taken offline for a while, such as over this weekend. Then the wrong device is blocked and the right device is unblocked.

    Before I block the clients on the UTM9, I mark the clients as static, thus the danger of blocking the wrong client is rather low, I believe.

     

    BAlfson said:

    What device does DHCP for your LAN?

    The UTM9.

    Cheers
    Simon

  • Simon, in 'Network Services >> DHCP', search for the MAC on the 'IPv4 Leases' tab.  Hopefully, the associated machine name will allow you to identify the culprit. [;)]

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Simon, in 'Network Services >> DHCP', search for the MAC on the 'IPv4 Leases' tab.  Hopefully, the associated machine name will allow you to identify the culprit. [;)]

    Unfortunately not, as the people tend to name their computers whatever they want. :)

    Note: The setup here is not a company, but a community of 150 people living together. You could say it's an unregulated BYOD...

    Simon

  • That's a problem.  Until you have a method for identifying people/machines, you have a thankless task.

    If you want to block a device from any outside access, do the following:

    1. On the 'MAC Address Definitions' tab of 'Definitions & Users >> Network Definitions', create a definition "Malware" containing the MAC address(es) infected with malware.
    2. At the bottom of your list of firewall rules, create a rule like: 'Internal (Network) -> Any -> Any : Drop' with, in 'Advanced', 'Source MAC  Addresses: Malware' and with logging selected.
    3. Create a blackhole NAT 'DNAT : Internal (Network) -> Any -> Internet : to {non-existent IP}' and do not select 'Automatic firewall rules'.
    4. Create another blackhole NAT 'DNAT : Internal (Network) -> Any -> Internal (Address) : to {non-existent IP}' and do not select 'Automatic firewall rules'.

    Without a lot of effort on your part, I don't see any other solution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    That's a problem.  Until you have a method for identifying people/machines, you have a thankless task.

    That's why I want to redirect all http(s) traffic to an internal server, to show a warning message, to come back to my initial question...

    BAlfson said:

    If you want to block a device from any outside access, do the following: [...]

    Well, I did a firewall rule as follows:

    • source: {all blocked clients}
    • service: any
    • destination: internet IPv4
    • action: deny

    Which should block all (IPv4) traffic, if I get it right (e.g. VoIP should still work, etc.). But anyway, my initial question was about how to inform them... Any idea?

    Simon

  • An email to everyone telling them that they will be locked if your security device sees traffic from them that indicates they have a malware infection.

    Using IPs instead of the MAC list runs the risk of DHCP assigning the banned IP to another user.  Using a DNAT destination of "Internet IPv4" assumes that the users aren't using the web proxy in Standard mode.  Using a manual firewall rule without the DNAT assumes that Transparent Web Filtering is not activated (see #2 in Rulz). 

    I don't know of anything you can use in front of the UTM to do what you want automatically.  There is certainly nothing you can do in the UTM if you don't have a searchable list of allowed MACs and their owners.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are you using standard or transparent Web Protection? Then all your firewall rules for the blocked clients do not apply.

    Gruß / Regards,

    Kevin
    Sophos CE/CA (XG+UTM), Gold Partner

  • kerobra said:

    Are you using standard or transparent Web Protection? Then all your firewall rules for the blocked clients do not apply.

    Transparent.

    Do you mean a different issue than the one mentioned already by BAlfson?

    BAlfson said:

    Using a manual firewall rule without the DNAT assumes that Transparent Web Filtering is not activated (see #2 in Rulz).

    Simon
    (I'll be afk for a week)
