Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=lc_202004291623440394

Send web requests through an upstream proxy in WAN

You can configure Sophos Firewall to send all web requests to the external network through an upstream proxy in the WAN zone.

Configure Sophos Firewall to use the upstream proxy in WAN

In this example, the upstream proxy is in the WAN zone. The network details are as follows:

Upstream proxy's IP address: 203.1.23.5

WAN IP address of Sophos Firewall: 203.0.113.1

Diagram showing upstream proxy in the WAN zone

You must configure the following:

  1. Adding the upstream proxy to Sophos Firewall.
  2. Firewall rule for web filtering and scanning in web proxy mode.
  3. Firewall rule to allow traffic from internal users to the upstream proxy.

Add the upstream proxy to Sophos Firewall

Add the upstream proxy to Sophos Firewall and enter the credentials if the proxy requires authentication.

  1. Go to Routing > Upstream proxy.
  2. Select Parent proxy.
  3. Enter the upstream proxy's IP address (example: 203.1.23.5).
  4. Enter the port number the upstream proxy receives web traffic on (example: 3128).

  5. Enter the username and password if the upstream proxy requires authentication.

    Here's an example:

    Example settings to add a proxy server

  6. Click Apply.

Create a firewall rule to scan web traffic

Create a firewall rule to scan and allow traffic between the internal users and WAN.

  1. Go to Rules and policies, click Add firewall rule, and click New firewall rule.
  2. Set Source zones to LAN and Wi-Fi.
  3. Set Source networks and devices to Any.
  4. Set Destination zones to WAN.

  5. Set Destination networks to Any.

    Here's an example:

    Firewall rule to allow traffic from LAN to WAN

  6. Select Scan HTTP and decrypted HTTPS and Use web proxy instead of DPI engine.

    Select scanning and web proxy in the firewall rule

  7. Click Save.

Create a firewall rule to allow internal traffic to the upstream proxy

Create a firewall rule to allow traffic from the internal users to the upstream proxy in the WAN zone.

  1. Go to Rules and policies, click Add firewall rule, and click New firewall rule.
  2. Set Source zones to LAN and Wi-Fi.
  3. Set Source networks and devices to Any.
  4. Set Destination zones to WAN since the upstream proxy is in the WAN zone.

  5. Set Destination networks to the IP host you create for the upstream proxy.

    Here's an example:

    Firewall rule to allow LAN and Wi-Fi traffic to upstream proxy in WAN

  6. Click Save.

The default SNAT rule (Default SNAT IPv4) at the bottom of the NAT rule list masquerades the private IP addresses of internal users. If you want to specify different translation settings, create an SNAT rule.