Filter Profiles

If you want to apply different policy or authentication modes to multiple networks, you can create multiple filter profiles. For example, your wired network may have only corporate computers that are integrated with AD, so you may wish to use Standard mode with an explicit proxy and AD SSO. Your wireless network may have a browser login portal where employees enter their AD credentials, as well as a guest login that has limited access.

Profiles can be created on the Web Filter Profiles > Filter Profiles tab. When a web request is made, Sophos UTM will look at the source IP and apply the first profile that has a matching Allowed Network and Operation Mode. Traffic from transparent connections will only match if the operation mode is set to Transparent. Traffic redirected to the web filter with a client-side proxy configuration will match either Transparent or Standard mode profiles.

The Default Web Filter Profile is configured on the Web Protection > Web Filtering page. It is listed here to show that it is the last profile that will match. Once a profile is selected, Sophos UTM will perform authentication according to that profile and apply that profile's policy.
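The matching rules described above can be modelled offline to check which profile a client will receive and to find profiles that can never be selected because an earlier one always matches first. This is an added example, not Sophos code: the `Profile` class, the function names, the profile names and the networks are all constructed, and the Default profile is modelled as the last entry in the list.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Profile:
    name: str
    networks: list  # Allowed Networks, as CIDR strings
    mode: str       # "standard" or "transparent"

def mode_matches(profile_mode, connection):
    # Transparent (intercepted) traffic matches only Transparent profiles;
    # explicit-proxy traffic matches Transparent or Standard profiles.
    if connection == "transparent":
        return profile_mode == "transparent"
    return profile_mode in ("transparent", "standard")

def select_profile(profiles, src_ip, connection):
    """First profile in list order whose network and mode both match, else None."""
    ip = ipaddress.ip_address(src_ip)
    for p in profiles:
        if mode_matches(p.mode, connection) and any(
                ip in ipaddress.ip_network(n) for n in p.networks):
            return p
    return None

def _contains(outer, inner):
    return outer.version == inner.version and inner.subnet_of(outer)

def unreachable(profiles):
    """Names of profiles that an earlier profile always pre-empts.
    Conservative: only detects cover by a single earlier network."""
    dead = []
    for i, p in enumerate(profiles):
        combos = [(ipaddress.ip_network(n), c) for n in p.networks
                  for c in ("transparent", "explicit") if mode_matches(p.mode, c)]
        def covered(net, conn):
            return any(mode_matches(q.mode, conn) and any(
                _contains(ipaddress.ip_network(m), net) for m in q.networks)
                for q in profiles[:i])
        if combos and all(covered(n, c) for n, c in combos):
            dead.append(p.name)
    return dead

# Constructed sample; the default profile is modelled as the last list entry.
PROFILES = [
    Profile("Wireless-Guest", ["10.20.0.0/16"], "transparent"),
    Profile("Wired-Corp", ["10.10.0.0/16"], "standard"),
    Profile("Wireless-Staff", ["10.20.5.0/24"], "transparent"),
    Profile("Default", ["10.0.0.0/8"], "transparent"),
]
```

In this sample a wired host using the explicit proxy gets Wired-Corp, but the same host's transparently intercepted traffic skips that Standard profile and falls through to Default, so its authentication mode and policy differ by connection type. Wireless-Staff is never selected because Wireless-Guest covers its network first.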

To create a filter profile:

  1. Click the Plus icon on the upper right.

    The Add Profile wizard opens.

  2. Enter a Name and Comment.
  3. Select the allowed networks.

    Select the networks that should be allowed to use the Web Filter. By default, the Web Filter listens for client requests on TCP port 8080 and allows any client from the networks listed in the Allowed Networks box to connect.

  4. Select the allowed endpoint groups.

    If Endpoint Web Control is enabled, select the endpoint groups that should be allowed to use the Web Filter.

  5. Select a mode of operation.

    Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:

    Cross Reference – For more information on configuring browser authentication in standard mode, see the Sophos Knowledge Base.

    When configured to use authentication, you have the option to Block access on authentication failure. If you are using AD SSO and do not block access on failure, an SSO authentication failure will allow unauthenticated access without prompting the user. If you are using Browser authentication and do not block access on authentication failure, there will be an additional Guest login link on the login page to allow unauthenticated access.

  6. Enable device-specific authentication.

    To configure authentication modes for specific devices, select the Enable device-specific authentication checkbox. Once enabled you can click the green Plus icon to add device types and associated authentication modes.

  7. Click Next, or select Policies from the top of the wizard.
  8. Review and create policies for your filter profile.

    To create a new policy, proceed as follows:

    1. Click the Plus icon on the upper right.

      The Add Policy dialog is displayed.

    2. Make the following settings:

      Name: Enter a descriptive name for this policy.

      Users/Groups: Select the users or user groups that this policy will apply to. You can also create new users or groups. How to add users is explained on the Definitions & Users > Users & Groups > Users page.

      Time event: The policy will be active for the time period you select. Choose Always to enable the policy at all times. You can also click the green Plus icon to create a new time event. Time period definitions are managed on the Definitions & Users > Time Period Definitions tab.

      Filter action: Select an existing filter action, which defines the types of web protection you want to apply in a policy. You can also click the green Plus icon to create a new filter action using the Filter Action Wizard. Filter actions can also be managed on the Web Filter Profiles > Filter Actions tab.

      Comment (optional): Add a description or other information.

      Advanced Settings:

      • Apply this policy to requests that have skipped authentication due to an exception: You can create exceptions on the Filtering Options > Exceptions tab to e.g. skip authentication for automatic updates that cannot use authentication. Select this checkbox to apply this policy to web requests that have skipped authentication.
    3. Click Save.

      The new policy appears at the top of the Policies list.

    4. Enable the policy.

      The new policy is disabled by default (toggle switch is gray). Click the toggle switch to enable the policy. The policy is now enabled (toggle switch is green).

  9. Click Save.

    The new profile appears on the Filter Profiles list.

Important Note – When SSL scanning is enabled in combination with the transparent mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates.

To either edit or delete a filter profile, click the name of the profile in the list.

© 2019 Sophos Limited Sophos UTM 9.600