
Client Firewall 3

Hi,

Installed SCF 3.0 on Windows 8 Pro after a few issues but finally got everything working.

First thoughts of SCF 3.0 are good but the basic configuration setup is hopeless. It does not even contain Internet Explorer as an allowed application. I understand that some deployments do not want this allowable but it would be easier to remove some applications than to set every permission one at a time.

Secondly, when you view the blocked logs, you cannot assign the application to the allow list direct from the log, you have to search each application one at a time. A very slow process indeed.

Finally, are there any templates which can be modified to speed up this process and to assist deployment across all client standalone systems?

Regards

John

:41053


  • Hello John,

    firewall (policy) deployment is naturally not as simple and easy as for the other components. There aren't any templates but sets of predefined rules. Have you read the Administrator roll-out guidelines for Sophos firewall? It's not version-specific and lists two methods. If I understand you correctly you're basically following method one - and found that creating rules is not as easy as one would wish.

    Personally I'd use a slightly different approach - IIRC, a previous incarnation of the mentioned article suggested either using Interactive Mode on the client (which lets you create policies on the fly but has three major drawbacks: 1) it works only for connections attempted while a user is already logged on, 2) it might prompt you several times for an application and you could end with more rules than necessary and 3) some applications don't deal as desired with the delay caused by interactive mode) or the monitoring method with a single client (or very few). Thus I'd monitor a client until after the login has completed and use the events to create a "foundation" policy. Then I'd use Interactive mode to add the necessary application rules. Once this is done you can roll out the policy (with Block by default) to a number of clients and make any amendments.

    Christian 

    :41063
  • I would guess the reason it's not in the article anymore is because the option "Interactive Mode" no longer exists in this version of the firewall.

    On a side note, the "use checksums" feature seems to be broken. As on our test computer it says invalid checksum even though the checksum is in the checksums list.

    :41083
  • Hello HerbDerp,

    the option "Interactive Mode" no longer exists in this version

    I don't (yet) have Windows 8 - how did you find out (not that I don't believe you)? If you set it from SEC (where it still seems to exist), what is the Firewall mode reported back from the client?  

    the "use checksums" feature seems to be broken

    Hm ... for all applications? As SCF 3.0 has been available for testing quite some time this seems odd (and such a basic flaw shouldn't have passed internal tests). 

    Christian

    :41089
  • Sophos help file states: 

    Note: In Windows 8, interactive mode is not available. You must add specific policy rules to allow or block applications. Alternatively, you can use the event viewer in the management console to manage application rules interactively.

    It would have been nice to have the interactive mode where the "firewall displays a learning dialog each time an unknown application or service requests network access. The learning dialog asks you whether to allow the traffic once, block it once, or whether to create a rule for that type of traffic". 

    John

    :41105
  • Hello John,

    thanks for heads-up and the reference to the help (BTW: the restrictions pertaining to Windows 8 are not mentioned in the Console help). Indeed there are several features unavailable on Windows 8: turn off reporting of local changes, (automatic) local network detection, allow launch of hidden processes, block modified processes (which is anyway unavailable on 64bit) - for the latter two there's a somewhat cryptic Note: This option is not available in Windows 8 as it is handled automatically by the Sophos Anti-Virus HIPS technology. Whilst it certainly does work, it requires HIPS to be enabled (which is recommended and the default) and in addition it's not clear when a behaviour is considered malicious and when "only" suspicious.

    interactive mode - it is IMO more than nice to have it for creating an initial set of rules, especially if a connection attempt is only made when another has previously been allowed.

    Christian 

    :41113
  • The biggest shortcoming of the Client Firewall is the total lack of support for 3G cards.

    So, when you are using a broadband card using NDIS, all the outbound and inbound is allowed.

    Unacceptable. I don't know how this problem can be left without a solution for such a long time.

    :41153
  • Is the interactive mode for the Windows 8 version going to be re-added?

    Or are we going to lose this on the pre-Windows 8 installs?

    As I have suggested before, can you not use a filter at the server side to learn the firewall settings of the network,

    I.e. these have been approved already by x numbers of people therefore I don't need to ask again.

    Best regards

    Ian

    :43819
  • I have also noticed that when the non-Windows clients are set to interactive the default on Windows 8 becomes Block.

    If interactive is not returning to the V3 firewall then the server console firewall settings need an additional setting for Windows 8

    giving Block or Allow when interactive is not available.

    :44575