Easily Evaluate Sophos UTM Using Full Transparent Mode

UPDATE! This article refers to Sophos UTM 9.2. The UI for configuring Sophos UTM as a Transparent proxy has since changed slightly in UTM 9.3. For the latest information, please refer to our updated article Easily Evaluate Sophos UTM 9.3 Using Full Transparent Mode.

One of the biggest hurdles for evaluating and implementing a new firewall (such as a Forefront TMG replacement), is disruption to the existing network. You need to be able to put the firewall in line as the network's default gateway, but you can't make proxy or routing changes because business needs to carry on as usual. Historically, the only way to do this was to unplug the old one and plug in the new one.

Fortunately, Sophos UTM solves this problem with its ability to operate in 'Full Transparent' mode. This mode allows you to place the UTM in between your internal network and your existing firewall, and transparently pass all traffic through it without changing the source or destination IP addresses. Your existing firewall therefore sees the traffic exactly as it did before and no services are affected.

To understand why this is an awesome feature, let's quickly recap all the possible operational modes:

• Standard Mode In standard Proxy mode you have to explicitly instruct the browser to use the proxy IP and port number, and it only works for browsing.
• Transparent Mode In transparent mode the traffic ends up at the UTM by following the gateways all the way to it.  The UTM then NATs source address of the traffic from there. This mode supports all types of traffic.
• Full Transparent Mode Full transparent mode on the other hand, does not affect the source and destination address in anyway. This mode also supports all types of traffic.

For more details on how the modes works and how they differ check out our other article Sophos UTM Operation Modes: Standard, Transparent vs Full Transparent.

Sophos UTM's Full Transparent Mode Explained

To use Full Transparent mode, you need a Sophos UTM with a minimum of three network interfaces. One of these will be used for the internal network (UTM management etc), and the other two will be bridged.

Bridging the interfaces turns the UTM into a pass-through like it is a piece of wire. This allows you to simply plug the Sophos UTM in before your existing firewall and it will essentially be invisible to your other network devices as both the source and destination IP addresses are retained.

In the diagram above, the green arrows indicates the default flow of traffic through the network. The red arrow represents the two interfaces in bridge mode.  All traffic will flow through the Sophos UTM, and the UTM will see the client IP and pass it through without changing it.  The Internet router will see all traffic coming from the original client IP.

The purple arrow represents traffic from the Sophos UTM’s internal interface. Managing the UTM will occur through this interface and it will also be used when connecting to Active directory or other internal resources.

Using full transparent mode allows you to easily insert the UTM into your existing network. Simply take the existing cable going from the switch to the router and plug it into one of the UTM's bridged interfaces. Then plug in a second cable into the UTM's other bridge interface and plug the other end into your router. If the configuration is correct, all traffic will flow through without any problems. The steps below will guide you through the configuration.

Configuring the Sophos UTM Bridge Interface

As mentioned, ensure your UTM has three network interfaces. After the initial build follow the normal getting started wizard where you specify the internal and external interfaces each with their own IP addresses. You can complete the rest of the wizard to set up your base configuration.

The wizard only allows you to set up a single network adapter to an interface, but for the bridge we need to use two network adapters. This section explain how create the bridge and assign it as an interface.

1. Select Interfaces & Routing | Interfaces
2. Delete the External Interface
3. Select Interfaces & Routing | Bridging
4. Toggle the switch for Bridge Status
5. Select Bridge Selected NICs (Mixed Mode)
6. Select the two interfaces to be used
7. Click Create Bridge

Now the bridge is created, we need to configure its IP address and default gateway. Even though the bridge operates at Layer 2 of the OSI model, it still requires an IP address as it is the 'default gateway' for the UTM. Other features of the UTM such as login pages for the Web App Firewall also require an IP address.

1. Select Interfaces & Routing | Interfaces | New Interface
2. Specify a Name and type
3. From the hardware drop down select br0
4. Specify a valid IP and Netmask for the network segment the UTM is on.
5. Select the Default gateway check box and specify the IP of your existing firewall
6. Click Save and then Enable the Interface

Configure the firewall rule(s)

The bridge now exists but by default it will not allow any traffic through. We can specify a very permissive rule because the existing firewall will still be filtering traffic and protecting your network.

1. Select  Network Protection | Firewall | New Rule
2. Specify the Source as Any
3. Specify the Service as Any
4. Specify the Destination as Any
5. Action Allow
6. Expand Advanced and check the box for Log Traffic
7. Click Save and Enable the rule

Sophos UTM is now configured as a Full Transparent firewall. You should now be able to access all of the services offered by the existing firewall. You can also confirm this by looking at the Sophos UTM’s firewall live log.

Testing Sophos UTMs Web Protection Feature

Now that Sophos UTM is transparently inline and not disrupting any existing services, you can start testing the features of the UTM. Let's start by enabling Sophos UTM's comprehensive Web filtering feature only for a few test machines.

1. Select Web Protection | Web Filtering
2. Toggle the Web Filtering Switch to enable it
3. For Operation mode select Full Transparent
4. Select Browser Authentication
5. For allowed networks specify a client or network segment you want to use for testing.
6. Click Apply

Test the client machine

The Sophos UTM is now configured to listen for web requests coming from your test machine. You do not need to specify a proxy because the traffic makes its way through the network to the bridged interface via the default gateway.

1. Open a browser and connect to a web site
2. You should now see the Browser authentication challenge from the UTM if authentication is configured. If not, you might way to read our Sophos UTM and Active Directory Step by Step Integration Guide.
3. Authenticate, and you should be able to access the site successfully.

If you look at your existing firewall logs, you will see the traffic from the test machine. Once you have tested the feature thoroughly, you have the option of adding more client IPs or Networks to the 'Allowed Networks' list, and eventually disabling web filtering on your existing firewall.

Conclusion

Sophos UTM’s Full Transparent mode provides a great way to evaluate the UTM and systematically transition functionality with very little interruption to your existing network.

Full transparent mode does not necessarily need to be strictly temporary. Depending on the scenario, full transparent mode could remain the preferred method for some or all traffic.

I hope this helps with your Sophos UTM testing and deployment. Let me know how you go in the comments!