Tip: put any in Local Networks for Remote access

I found this tip and wonder why I hadn't thought about that myself.
When you put any in Local Networks, all traffic is sent to your UTM when someone is remotely connected to it.
Of course you will need to add the VPN pool to your Masquerading list, and possibly also the Web Filtering and DNS lists, and I would also make sure not to use auto Firewall rules if you don't want these inbound connections to be able to reach anything reachable from your UTM.

But by defining any, you can be certain that all traffic is sent over the encrypted VPN link, especially at places where you are using public free Wi-Fi hotspots, which are often open networks and therefore the traffic in these networks is not encrypted (many passwords will be sent unencrypted over the air).

Another benefit is that any potential MITM malware can not easily "phone home".
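One thing a practitioner will want after switching Local Networks to Any is evidence that the client really is in full-tunnel mode rather than trusting the profile. The following is an added example and not code from the thread or from Sophos: it performs the routing decision (longest-prefix match) over a Linux `ip route` table and reports every destination that would bypass the tunnel interface. The route table, the interface name `tun0`, the VPN pool `10.242.2.0/24` and the gateway address `203.0.113.10` are all constructed for the example; the `0.0.0.0/1` and `128.0.0.0/1` entries mimic what an OpenVPN-based full-tunnel push leaves on a client.

```python
"""Check whether a Linux VPN client's routing table sends all traffic via the tunnel.

Added example, not part of the forum thread. Assumptions: Linux client, tunnel
interface named tun0, routes in `ip route` output format. The sample table and
all addresses below are constructed.
"""
import ipaddress
import subprocess

# Constructed `ip route` output of a client in full-tunnel mode. The two /1
# routes override the Wi-Fi default route because they are more specific; the
# host route to the UTM's public address is expected (the tunnel itself needs it).
SAMPLE_ROUTE_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.242.2.1 dev tun0
128.0.0.0/1 via 10.242.2.1 dev tun0
10.242.2.0/24 dev tun0 proto kernel scope link src 10.242.2.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Return a list of (network, device) pairs from `ip route` text."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the kernel would use for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def leaked_destinations(routes, destinations, tunnel_dev="tun0", allowed_nets=()):
    """Map each destination that does NOT egress via the tunnel to its interface.

    allowed_nets lists prefixes that legitimately bypass the tunnel, such as the
    VPN gateway's own public address.
    """
    allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_nets]
    leaks = {}
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in allowed):
            continue
        dev = egress_interface(routes, dst)
        if dev != tunnel_dev:
            leaks[dst] = dev
    return leaks


def live_routes():
    """Read the real routing table (Linux only); falls back to the sample on error."""
    try:
        out = subprocess.run(["ip", "route", "show"], capture_output=True,
                             text=True, check=True).stdout
        return parse_routes(out)
    except (OSError, subprocess.CalledProcessError):
        return parse_routes(SAMPLE_ROUTE_TABLE)


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE_TABLE)
    probes = ["8.8.8.8", "198.51.100.7", "192.168.1.50", "203.0.113.10"]
    # Only the local Wi-Fi subnet bypasses tun0, which is the on-link exception
    # a full-tunnel client normally keeps; everything else goes over the VPN.
    print(leaked_destinations(routes, probes, allowed_nets=["203.0.113.10/32"]))
```

Run it on the client after connecting and replace `SAMPLE_ROUTE_TABLE` with `live_routes()`; any entry in the result other than the directly attached LAN is traffic that the "Any" setting was supposed to capture but is leaving in the clear.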


This thread was automatically locked due to age.
  • Indeed, if Remote Access Users are allowed to reach all of your subnets, using "Any" simplifies things.

    This is especially true in a hub-and-spoke situation with a main office and multiple branches where all offices should have access to each other.  Otherwise, you have to add specific definitions for the local networks to all of the tunnels (see https://community.sophos.com/products/unified-threat-management/astaroorg/f/68/t/58783).

    If you don't want the Remote Access Users to reach all of your local networks, just adding the "Internet" object to the definition is easier/clearer than using "Any" with a lot of Firewall rules.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, I will definitely change from any to Internet. This will make it even better.

    Managing several Sophos UTMs and Sophos XGs, both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
