This article explains how to setup your Sophos UTM so you can create a bridged interface and then configure Web Filtering and Application Control.
Applies to the following Sophos product(s) and version(s)
Sophos UTM 9.2
Note: the steps to create a bridge interface in this article only apply to UTM 9.2 and prior versions. In UTM 9.3, the process to create bridge interfaces has changed. Please see KB 121532 for instructions on creating bridge interfaces in UTM 9.3, or KB 121560 for general information on other changes in 9.3.
What To Do
- Go through the UTM setup as normal (to watch a video of an example setup click here) and ensure that the internal interface is valid for your network. Set the WAN interface up as a 'Standard Ethernet interface with dynamic IP address'. This interface will be removed later to create the bridge.
- Once the device has been configured go to 'Interfaces & Routing' | 'Interfaces' | 'Interfaces' tab and delete the external (WAN) interface. This allows for the creation of the bridged interface (br0).
- Ensure the internal connection has no default gateway assigned.
Creating the bridged interface
- Go to 'Interfaces & Routing' | 'Bridging' | 'Status' tab and enable the 'Bridge status'.
- Under the section 'Bridge configuration' select 'Bridge select NICs (mixed mode)' and select the Ethernet interfaces you wish to bridge.
- Go back to 'Interfaces & Routing' | 'Interfaces' | 'Interfaces' tab and select the 'New interface' button. Create a interface with the following settings:
|Name: Bridged Interface |
Type: Ethernet Standard
Hardware: br0 (this is the newly created bridged interface)
IPV4 Address: Give this an appropriate IP address for the network that the bridged interface is connected to
Netmask: Select the appropriate netmask for the network that the bridged interface is connected to
IPv4 Default GW: Enabled
Default GW IP: IP address of the appropriate network gateway that the bridged interface is connected to.
- Go to 'Network Protection' | 'Firewall' | 'Rules' tab and create a new firewall rule to allow the appropriate traffic through it. For this example we will assume you have a network firewall in place and we can allow all traffic through the Sophos UTM device.
|Group: Left as default |
Time Period: Always
Log traffic: enabled
Comment: ANY ANY Rule for Bridge mode
- Enable the firewall rule.
Now this is complete we are able to connect the UTM device to the network (one cable to the firewall, one to the switch). Computers on the attached switch should now be able to connect out to the Internet via the bridged UTM (e.g., try browsing to google.com). If you experience any issues open the firewall live log to ensure traffic is allowed through.
Configure Web Filtering
- To set up the web filtering functionality on the web server go to 'Web Protection' | 'Web Filtering' | 'Global' tab and press the enable button.
- In the 'Allowed networks' we have chosen 'Any' in the screenshot below, however if you have defined your internal network you would use this.
- Enable 'Transparent Mode' with 'Full Transparent' and set the 'Authentication Mode' to none.
- Go to the 'Antivirus/Malware' tab, enable 'Use Antivirus scanning' and select 'Single Scan (Maximum Performance)'.
- Under the section 'File extension filter' delete all the entries in the 'Blocked file extensions' list.
- Go to the 'URL Filtering' tab and use the following settings:
|Allow content that does not match the criteria below: Enabled |
Block Spyware infection and communication: Enabled
Block URLs with a reputation below a threshold of: Unverified
Block these website categories: Appropriate categories for your site
Block access to uncategorized sites: Enabled
Google SafeSearch: On
Bing SafeSearch: On
Yahoo SafeSearch: On
YouTube for Schools: Off
Youtube School ID: blank
If there are certain sites that are required to be whitelisted add them to the 'Always allow these URLs/sites'. Additionally if there are certain sites you never want to allow access to add them to the 'Additional URLs/sites to block'.
- Go back to the 'Global' tab, open the live log and then try to access some websites that you know should be allowed and some that should be blocked. The live log will show you error codes and reasons if this is not working as desired.
Configure Application Control
- Go to 'Web protection' | 'Application Control' | 'Network Visibility' tab and enable 'Network Visibility'.
Note: For the example in this article we are interested in seeing ALL traffic in the 'Logging & Reporting' reports so we will create a blanket rule to accept and allow all applications. We would not do this in a real world installation.
- Create a new rule with the following settings:
|Name: Allow all apps |
Group: Leave as default
Position: Leave as default
Control by: Applications
Control these applications: All Applications (refer to the screenshot below - applications can be filtered by many fields)
For: Any network
Comment: Allow all apps for reporting
This will now allow ALL apps to show up in any 'Logging & Reporting' reports.
- To view the web usage reports go to 'Logging & Reporting' | 'Web Protection' | 'Web Usage Report' tab. In the drop down menu 'Available Reports' select what type of report you would like to view (e.g., Users, Categories, Sites, Urls, etc.)
- To view the application control reports go to 'Logging & Reporting' | 'Web Protection' | 'Application Control' tab. Again you can select which report to view by selecting the drop down list.
- To view currently used applications go to the main dashboard and select the br0 interface in the right hand pane. From here you will have the option to either block or shape the traffic.
If the option to shape the traffic is unavailable go in to 'Interfaces & Routing' | 'Quality of Service (QoS)' | 'Status' tab and enable quality of service on the br0 interface. Any traffic shaping rules that have been configured through the 'Flow Monitor' page will be displayed in the 'Traffic Selectors' tab.