
Sophos endpoint security block

Dear Sir,

We are testing Sophos Enterprise Console version 5 and we came across the scenario below.

A user connects to the Internet from outside using a USB dongle. Once connected to the Internet we have to block browsing and everything else except VPN access. Once the VPN is connected he has to browse as per the office network security policy, which is defined in the management console. So kindly advise how to develop a policy for this type of scenario. Our aim is that only after connecting to the VPN server is he able to browse and use other things like file sharing etc.

Thanks for your support in advance.

Thanks N regards,

Magesh Kumar .P



  • Hello Magesh,

    in the firewall policy you can define two locations; detection is based on either DNS or the gateway MAC address. Basically you'd lock down everything in the Secondary part of the policy except VPN access. Once the connection is established it will detect the Primary location and work in Dual location mode, meaning it will use the Primary rules for traffic over the VPN connection while still enforcing the Secondary rules for the initial connection.

    Christian 

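    To make the dual-location behaviour described above concrete, here is a small Python model added for this page. It is not Sophos code and does not read or write Sophos policy files; it only mimics the decision logic the reply describes (location detected per adapter by DNS suffix or gateway MAC, Secondary rules on the dongle adapter, Primary rules over the VPN adapter, first-match rules with a fall-back to the location's working mode). The adapter names, the `corp.example` DNS suffix, the gateway MAC, the `reason` strings and the mapping of "RPC call" to port 135 are assumptions made for the example.

```python
"""Toy model of a two-location host firewall policy (added example, not Sophos code).

Assumptions constructed for this example:
  * Location detection: an adapter is "Primary" if its DNS suffix or default
    gateway MAC matches the configured set, otherwise it is "Secondary".
  * Dual-location mode: every adapter is classified on its own, so the VPN
    adapter can be Primary while the USB dongle adapter stays Secondary.
  * Rules are first-match; with no match the location's working mode applies
    (Allow by default / Block by default).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Adapter:
    name: str
    dns_suffix: str
    gateway_mac: str            # "" when the adapter has no MAC gateway (e.g. PPTP)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" | "block"
    proto: str                  # "tcp" | "udp" | "gre" | "icmp"
    remote_port: Optional[int] = None   # None = any port
    direction: str = "out"      # "in" | "out"

    def matches(self, proto: str, remote_port: Optional[int], direction: str) -> bool:
        return (self.proto == proto and self.direction == direction
                and (self.remote_port is None or self.remote_port == remote_port))


@dataclass
class Location:
    name: str
    default_action: str         # working mode: "allow" or "block"
    rules: list = field(default_factory=list)


@dataclass
class DualLocationPolicy:
    primary: Location
    secondary: Location
    primary_dns_suffixes: frozenset
    primary_gateway_macs: frozenset

    def locate(self, adapter: Adapter) -> Location:
        """Detect the location per adapter by DNS suffix or gateway MAC."""
        if (adapter.dns_suffix.lower() in self.primary_dns_suffixes
                or (adapter.gateway_mac and adapter.gateway_mac.lower() in self.primary_gateway_macs)):
            return self.primary
        return self.secondary

    def decide(self, adapter: Adapter, proto: str, remote_port: Optional[int] = None,
               direction: str = "out"):
        """Return (action, reason); the reason imitates a firewall-log 'Reason' column."""
        loc = self.locate(adapter)
        for rule in loc.rules:
            if rule.matches(proto, remote_port, direction):
                return rule.action, f"{loc.name}: rule '{rule.name}'"
        return loc.default_action, f"{loc.name}: {loc.default_action} by default"


def build_policy() -> DualLocationPolicy:
    """Policy shaped like the one discussed in the thread (values are hypothetical)."""
    primary = Location("Primary", "allow", [          # Allow by default
        Rule("Allow PPTP control connection", "allow", "tcp", 1723),
        Rule("Allow GRE protocol", "allow", "gre"),
        Rule("Block RPC call (TCP)", "block", "tcp", 135),   # assumption: RPC = endpoint mapper 135
        Rule("Block RPC call (UDP)", "block", "udp", 135),
    ])
    secondary = Location("Secondary", "block", [      # Block by default: only the VPN dialer's traffic
        Rule("Allow PPTP control connection", "allow", "tcp", 1723),
        Rule("Allow GRE protocol", "allow", "gre"),
    ])
    return DualLocationPolicy(primary, secondary,
                              primary_dns_suffixes=frozenset({"corp.example"}),
                              primary_gateway_macs=frozenset({"00:11:22:33:44:55"}))


def run_scenario() -> dict:
    """Walk the thread's scenario: dongle first, then a PPTP VPN adapter comes up."""
    policy = build_policy()
    dongle = Adapter("USB dongle", "isp.example", "aa:bb:cc:dd:ee:ff")   # constructed
    vpn = Adapter("PPTP VPN", "corp.example", "")                         # constructed
    return {
        # Before the VPN is up only the dialer's own traffic gets out of the dongle.
        "dongle_http": policy.decide(dongle, "tcp", 443),
        "dongle_pptp": policy.decide(dongle, "tcp", 1723),
        "dongle_gre": policy.decide(dongle, "gre"),
        # Traffic over the VPN adapter is judged by the Primary rules...
        "vpn_http": policy.decide(vpn, "tcp", 443),
        "vpn_rpc": policy.decide(vpn, "tcp", 135),
        # ...while the dongle adapter is still judged by Secondary (dual-location mode).
        "dongle_http_after_vpn": policy.decide(dongle, "tcp", 443),
    }


if __name__ == "__main__":
    for key, (action, reason) in run_scenario().items():
        print(f"{key:24s} {action:5s} ({reason})")
```

    The point of the per-adapter `locate()` is the dual-location behaviour: the same HTTPS request is blocked on the dongle by "Secondary: block by default" and allowed over the VPN adapter by "Primary: allow by default", which is also the kind of reason string you would look for in the firewall log when a connection is unexpectedly blocked or allowed.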
  • Thank you very much for your prompt reply, we'll check and let you know.

    Thanks N regards,

    Magesh Kumar .P

  • We are testing Sophos Enterprise Console 5.0.0.8 and we are facing some issues with the firewall policy.

    For laptop users or roaming users we have configured the firewall policy as Dual Location.

    In the primary location we have configured "Identify location by DNS". In the secondary location we have configured the Block by default option. In the ICMP tab, what has to be chosen or enabled? In the LAN tab, what has to be selected? Also, what has to be configured in the Global rules, Applications and Processes tabs? Our aim is that a user in the secondary location can't access the web or files and can only access the VPN dialer. Using the VPN dialer he has to connect to our domain, and then web browsing and file access have to work as per the primary policy.

    Let us know how to overcome the above issue.

    Thanks N regards,

    Magesh Kumar .P

  • Hello Magesh,

    usually you can leave ICMP as it is. In LAN select Local network (detected automatically) and set NetBIOS and Trusted as desired. Note: you should select Local network for the primary location only. If your clients need NetBIOS access from/to LANs other than the local segment (e.g. access spanning several VLANs or a server LAN), add them here. Other tabs depend on your needs/policy (e.g. you might allow all outgoing TCP for Local network and only create a few application rules).

    For the Secondary I'd suggest you use Interactive mode (I've found this easier than the Monitor mode mentioned in the article below, but that is up to you). Start the VPN connection and answer the prompts as appropriate (preferably creating custom rules instead of using the suggested predefined ones). Export the policy if everything works, import it into a policy in SEC (select Secondary only) and assign this policy to some clients for testing.

    Please see also Administrator roll-out guidelines for Sophos firewall version 2.0.

    Christian

  • We need further clarification for configuring the firewall policy as dual location. Our firewall policy configuration is as follows.

    We have created a policy as the roaming policy, in which we have configured Dual location mode. The primary location is our own network (our domain IP address is added here) and the secondary location is outside our network.

    Primary location configuration:

    In the configuration - General tab - Working mode is selected as Allow by default.

    The Blocking, Reporting and Desktop messaging check boxes are selected.

    ICMP: everything is unchecked.

    LAN settings: we have configured our domain network IP address range with the domain name. Area is Local and the NetBIOS and Trusted check boxes are checked. The "Block file and printer sharing for other networks" option is checked.

    Global Rules:

    Allow loopback TCP connection

    Allow GRE protocol

    Allow PPTP control connection

    Allow loopback UDP connection

    Block RPC call (TCP)

    Block RPC call (UDP) - these check boxes are checked.

    The Secondary location configuration is as follows:

    Configure - General tab - Working mode as Block by default

    The Blocking, Reporting and Desktop messaging check boxes are selected.

    In the ICMP tab -

    Echo Reply - In is checked

    Destination Unreachable - In & out checked

    Echo request - Out is checked

    Router advertisement - In is checked

    Router solicitation - Out is checked

    Time exceeded - In is checked

    In the LAN tab - nothing is added, and "Block file and printer sharing for other networks" is unchecked.

    We tested dual location on a test PC and got the results below:

    1. Out of our network - we connected to the Internet using a USB dongle, but we can't block browser access on the Windows 7 operating system.

    2. Also we connected the VPN dialer to connect to our domain network; after connecting the VPN, we are only able to access web browsing and everything else.

    So how do we fix or reconfigure dual location for our setup?

    Thanks N regards,

    Magesh Kumar .P

  • Hello Magesh,

    let's start with Secondary: you say that browsing is not blocked (i.e. any URL can be accessed) - or is it that you want browsers to be completely unavailable? For the latter you have to use checksums. Whether a connection is made or not, you can find the fact and the reason (i.e. the rule which led to the block/allow decision) in the firewall log.
    I'm not sure I understand what did not work as desired after connecting through VPN. Again, the log tells you which rule was applied. If you are unsure about the specific meaning of an entry (or why the particular rule was applied but not another), please post them here.
    BTW: why is ICMP unchecked in Primary?

    Christian
  • Can you explain in more detail? Our aim is to block Internet browsing and file sharing outside our network (connecting to the Internet through a USB dongle). Once the user connects to the Internet through the USB dongle, he cannot access Internet browsing; that is our goal.

    After connecting our VPN dialer he should be able to connect to the Internet and use file sharing.

    We tried the setup below:

    1. The user is not connected to our network.

    2. He connects to the Internet using the USB dongle.

    3. He is able to open Internet browsing.

    4. The user connects the VPN dialer; once connected he cannot access Internet browsing. But the intranet is working fine.

    So kindly explain how to configure the primary location and secondary location step by step.

    Thanks for your support in advance.

    Thanks N regards,

    Magesh Kumar .P

  • Hello Magesh,

    without knowing exactly what you have already configured it's very hard to give useful advice. But it seems at least partially to do what you want.

    Now I'd start with browsing when connected through VPN. The firewall log should contain the Reason for the blocked browser connection. This is either the name of a rule or a general reason (like Invalid Checksum or Blocked Application). So whatever it says there must be corrected in the settings for the Primary location. Maybe this will also give you an idea why the browser is not blocked for the Secondary location. If you are unsure please post the specific details here.

    BTW: In the configuration for the specific locations, tab General, pane Blocking - is Use checksums to authenticate applications checked?

    Christian

  • How do we attach our configuration settings, which are in the format of a Word file with images?
  • Hello Magesh,

    posts are of limited length so it's not possible to attach such a document here. I wouldn't recommend making such information publicly available unless carefully edited. Provided your document doesn't contain sensitive information you could upload it to some free sharing site and include a link here.

    As said before, the relevant lines from the log would help (and are probably required if you have created a number of rules - displaying them as images in a document is not feasible).

    Christian