Send web requests through an upstream proxy in WAN
You can configure Sophos Firewall to send all web requests to the external network through an upstream proxy in the WAN zone.
Configure Sophos Firewall to use the upstream proxy in WAN
In this example, the upstream proxy is in the WAN zone. The network details are as follows:
Upstream proxy's IP address: 203.1.23.5
WAN IP address of Sophos Firewall: 203.0.113.1
You must configure the following:
- Adding the upstream proxy to Sophos Firewall.
- Firewall rule for web filtering and scanning in web proxy mode.
- Firewall rule to allow traffic from internal users to the upstream proxy.
Add the upstream proxy to Sophos Firewall
Add the upstream proxy to Sophos Firewall and enter the credentials if the proxy requires authentication.
- Go to Routing > Upstream proxy.
- Select Parent proxy.
- Enter the upstream proxy's IP address (example: 203.1.23.5).
- Enter the port number the upstream proxy receives web traffic on (example: 3128).
- Enter the username and password if the upstream proxy requires authentication.
- Click Apply.
Create a firewall rule to scan web traffic
Create a firewall rule to scan and allow traffic between the internal users and WAN.
- Go to Rules and policies, click Add firewall rule, and click New firewall rule.
- Set Source zones to LAN and Wi-Fi.
- Set Source networks and devices to Any.
- Set Destination zones to WAN.
- Set Destination networks to Any.
- Select Scan HTTP and decrypted HTTPS and Use web proxy instead of DPI engine.
- Click Save.
Create a firewall rule to allow internal traffic to the upstream proxy
Create a firewall rule to allow traffic from the internal users to the upstream proxy in the WAN zone.
- Go to Rules and policies, click Add firewall rule, and click New firewall rule.
- Set Source zones to LAN and Wi-Fi.
- Set Source networks and devices to Any.
- Set Destination zones to WAN since the upstream proxy is in the WAN zone.
- Set Destination networks to the IP host you create for the upstream proxy.
- Click Save.
The default SNAT rule (Default SNAT IPv4) at the bottom of the NAT rule list masquerades the private IP addresses of internal users. If you want to specify different translation settings, create an SNAT rule.
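To check the finished configuration from the upstream proxy's side, the following added example (not part of the Sophos documentation) audits the proxy's access log for requests that do not arrive from the firewall's WAN address and for 407 responses to the firewall. It assumes the upstream proxy writes Squid's native access.log format and that the default SNAT rule is in use; the log lines and the function name audit_upstream_log are constructed for illustration.

```python
import ipaddress
from collections import Counter

FIREWALL_WAN_IP = "203.0.113.1"  # WAN IP address of Sophos Firewall (from the page)

# Constructed sample in Squid's native access.log layout (assumed format):
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101     45 203.0.113.1 TCP_MISS/200 1534 GET http://example.com/ - HIER_DIRECT/198.51.100.10 text/html
1700000001.202    310 203.0.113.1 TCP_TUNNEL/200 5120 CONNECT example.org:443 - HIER_DIRECT/198.51.100.20 -
1700000002.303     12 203.0.113.1 TCP_DENIED/407 3900 GET http://example.net/ - HIER_NONE/- text/html
1700000003.404     20 198.51.100.77 TCP_MISS/200 900 GET http://example.com/a - HIER_DIRECT/198.51.100.10 text/html
this line is truncated
"""


def audit_upstream_log(text, firewall_ip=FIREWALL_WAN_IP):
    """Summarize which clients reached the upstream proxy and flag auth failures."""
    expected = ipaddress.ip_address(firewall_ip)
    report = {"from_firewall": 0, "auth_failures": 0,
              "unexpected_sources": Counter(), "unparsed": 0}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            client = ipaddress.ip_address(fields[2])
            status = int(fields[3].split("/")[1])
        except (IndexError, ValueError):
            report["unparsed"] += 1  # truncated or non-Squid line
            continue
        if client != expected:
            # Not masqueraded to the firewall's WAN address: a different SNAT
            # rule applies, or the client reached the proxy by another path.
            report["unexpected_sources"][str(client)] += 1
            continue
        report["from_firewall"] += 1
        if status == 407:
            # Upstream proxy demanded credentials the firewall did not satisfy.
            report["auth_failures"] += 1
    return report


if __name__ == "__main__":
    for key, value in audit_upstream_log(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

If you created your own SNAT rule, pass the translated source address as firewall_ip. A steady count of auth_failures points to the username and password entered under Routing > Upstream proxy.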