
Home testing - Sophos XG 17.1 - it's so easy?

Been running UTM Home edition for a while now (since 2016) and I recall the pain involved in originally setting it up for home use.

Multiple media devices, Hive hub, VPN use for work - I recall getting sick of it all and just creating an exception group and dumping MAC addresses in there to bypass the firewall and basic HTTP scanning. Eventually basic web traffic scanning was stopped as the kids went mental with roblox.

Minecraft was a nightmare to get working for the kids etc etc. - all this stuff required a huge amount of time and effort in creating rules etc.


Come yesterday I decided to move with the times and migrate to XG using a clean build.

Printed out a config of the existing UTM (to PDF).

Installed 17.08MR - connected up, updated firmware etc through the wizard - all went well, a bit too well!!!


Everything was literally back up and running two hours later - HTTP scanning is enabled with web policy on the default policy and EVERYTHING just works.

Even the infamous Minecraft JUST works on me daughter's PC!

Just had to configure WAF for use with my Synology box - easy enough!


Have to say I'm impressed - but what gives? I recall the days of having to create exceptions for media devices, android phones etc. Not had to do this once! - or am I doing this all wrong with the default profiles? :) - usually everything is blocked by default.....

Interested in experiences from others also in the home environment what with the advent of 'smart' everything these days.



  • Wait what!!! - #Default_Network_Policy allows all outbound traffic! - no wonder it's all working lol! - DOH!


    I've only got 2 PCs on my internal network tbh - guessing it might be best to leave this as is and create additional rules to protect those 2 PCs? (rest are all media and mobile devices) - but then again this would mean someone could compromise one of the media devices/mobiles/consoles and manage to get out and misuse them?


    Weird - I find it really strange that the default policy allows all outbound from LAN! - surely a standard firewall should be blocking ALL incoming and outgoing by default?

  • Are you sure the default policy that you are using is set for HTTP scanning? I would check the log and make sure it is actually using the rule you think it is. My experience with home use has been rough where malware and content scanning are concerned for kids. Roblox, YouTube, Apple services, Google/Android, Netflix, etc. have had issues where it either doesn't work at all or partially (which is worse). And don't even get me started on HTTPS decryption....

    In the end, I have done what you were doing which is turn off malware and content scanning and all is well. Occasionally there are sites that simply don't like going through the Web proxy for category filtering. I'm not sure if this is advisable, but I have created a FW rule that is top of the list for "exceptions" and then enter wildcards for destination networks which I find to be easier than using the REGEX exceptions within the Web proxy itself. This approach also works if you want to keep HTTP scanning on, but I found it was too much of a hassle and life is much better when the wife/kids are not yelling about the Internet not working. Yes, I know I'm sacrificing security by doing this, but I was pulling my hair out and just don't have the energy to deal with it! Open to ideas.....

  • Hi folks, sounds like you are trying to do too much with one firewall rule.

    You need to set up rules for specific applications, eg no scanning (application or web) on Minecraft, but full scanning on other sites. The Minecraft rule would be at the top. Set up scanning rules for your mail, but you will need certificates installed on each device to enable POPS/IMAPS/SMTPS, otherwise you only scan POP3/IMAP/SMTP.

    The default rule built at installation time will always let all traffic out (you are asked during initial configuration what functions you want to configure); if you don't enable an initial firewall rule, nothing leaves the XG.

    Ian
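    To make the ordering advice above concrete (a narrow "no scanning" rule for the game above the broad LAN-to-WAN rule, the "exceptions at the top of the list" rule mentioned earlier in the thread, and the question of shielding the two PCs from the media devices), here is a small first-match rule evaluator. It is an added example, not Sophos XG code and not from anyone in this thread; the subnets, rule names, sample connections and the 25565 Minecraft port are all assumptions made for the demo.

```python
# Constructed example: a toy first-match firewall rule evaluator written to
# illustrate rule ordering. It is not Sophos XG code; every address, name and
# port below is an assumption for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                            # source network in CIDR notation
    dst: str                            # destination network ("0.0.0.0/0" = any)
    action: str = "allow"               # "allow" or "deny"
    protos: Optional[frozenset] = None  # None = any protocol
    ports: Optional[frozenset] = None   # None = any destination port
    scan_web: bool = False              # apply web filtering/scanning if allowed


# Implicit deny: what a connection hits when no rule matches. This models the
# point that with no initial firewall rule enabled, nothing leaves.
IMPLICIT_DENY = Rule("implicit-deny", "0.0.0.0/0", "0.0.0.0/0", action="deny")

# Assumed home layout: PCs on one subnet, media/IoT devices on another.
LAN_PCS = "192.168.1.0/24"
LAN_MEDIA = "192.168.2.0/24"
ANY = "0.0.0.0/0"

# Order matters: most specific rules first, the broad allow last.
RULES = [
    # Game traffic skips scanning; the port is kept narrow so only that
    # traffic bypasses the web policy (25565 is Minecraft's usual default).
    Rule("minecraft-noscan", LAN_PCS, ANY, protos=frozenset({"tcp"}),
         ports=frozenset({25565}), scan_web=False),
    # Segmentation: media/IoT devices may not initiate connections to the PCs,
    # so a compromised console or TV cannot reach them even if it can reach
    # the internet.
    Rule("block-media-to-pcs", LAN_MEDIA, LAN_PCS, action="deny"),
    # Broad outbound allow for every LAN device, with web filtering applied.
    Rule("lan-to-wan-webfilter", "192.168.0.0/16", ANY, scan_web=True),
]


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True if the connection falls inside the rule's source, destination,
    protocol and destination-port criteria."""
    if ip_address(src_ip) not in ip_network(rule.src):
        return False
    if ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.protos is not None and proto not in rule.protos:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True


def evaluate(rules, src_ip: str, dst_ip: str, proto: str, port: int) -> Rule:
    """Return the first rule (top to bottom) that matches, else the implicit deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule
    return IMPLICIT_DENY


if __name__ == "__main__":
    # Constructed sample connections; 203.0.113.0/24 is a documentation range
    # standing in for "somewhere on the internet".
    samples = [
        ("192.168.1.20", "203.0.113.5", "tcp", 25565),   # PC -> game server
        ("192.168.1.20", "203.0.113.5", "tcp", 443),     # PC -> website
        ("192.168.2.50", "192.168.1.20", "tcp", 445),    # smart TV -> PC share
        ("192.168.2.50", "203.0.113.5", "udp", 53),      # smart TV -> internet DNS
        ("203.0.113.5", "192.168.1.20", "tcp", 22),      # inbound from internet
    ]
    for src, dst, proto, port in samples:
        r = evaluate(RULES, src, dst, proto, port)
        scanned = " (web scanned)" if r.action == "allow" and r.scan_web else ""
        print(f"{src} -> {dst}:{port}/{proto}: {r.action} by {r.name}{scanned}")
```

    Reversing the list (broad allow on top) makes the game traffic hit the web-filtered rule and lets the smart TV reach the PCs, which is exactly the misordering the thread warns about; the XG's own ordering uses zones rather than subnets, but the first-match principle is the same.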

  • It's currently a work in progress but I'm going for this sorta setup - it's VERY simple as my main aim is just to secure my NAS box:

    A whole new strategy to go with a whole new Nextgen firewall ;)

    Basically I've only got 2 PCs in the house, an xbone, ps4, 2 x smart TVs, and a Synology media server also being used for CCTV.

    It's always a mare administering this stuff at home especially when the IT illiterate CEO applies pressure (read that as wifee)

    There's an Asus AC88U also acting as an access point serving a gazillion and one wireless devices lol.


    I've gone for an allow all (out) sorta policy with just web filtering on HTTP traffic for now (to keep the kids safe and away from pron etc) and worked my way into locking down the NAS box (it's set up as a WAF). - That's a reverse proxy type setup yeah? Better than just wanging the NAS straight out to the web?

    It sort of all works barring the CCTV stuff - I'm using DSCam so need to faff with ports - multi-view is working fine, but when trying to view individual cameras it currently isn't (might need to open port 5000 I think). Also need to faff with Sab a bit as I use an external site to send get file requests to it - currently getting HTTPS errors when I do that however (requires tweaking)

    With this setup I've not had to do anything other than set a static IP address on the NAS and some basic config on the XG - keeps maintenance down to a minimum as I don't need to keep adding MACs or individual devices to any groups that connect via weefee (visiting cousins etc) and provides protection for ALL devices in terms of being able to limit which sites can be gone to. I'm using the standard Default_Profile to apply a simple Web filtering policy at the moment - this way it won't affect gaming on any of the devices either and keeps it bog simple.

    Still better than using just the AC88U, as it gives the same level of protection with the added bonus of having web filtering and a sort of reverse proxy for the NAS box.


    Only shame about this setup vs UTM 9.5 is that we can't use the endpoint protection feature - I would have loved to have secured the PCs a tad more using that 'heartbeat' thingy but I'm guessing it's a no-go for us home users. Ain't touched reporting or anything yet. I got so used to using UTM. Guess Endpoint security will have to be handled on the device itself - but it's no different to using a bog standard off the shelf router I guess this way?

    Tell you what, it's a great idea by Sophos to give this stuff out for home use - I've built up a ton of experience and Sophos is often referred to at work, even by my colleagues (work in IT) - great promotion tool for them.

  • It really is personal preference as to creating individual rules vs "bucket" them as I have described. Both achieve the same result. The issue being discussed here is more about the process of identifying the exceptions that need to be made. I found myself constantly tweaking the exceptions which required reviewing the logs to determine the needed exceptions for HTTP scanning, web filtering or both... only to have something else not work the very next day. Perhaps someday I will gear back up to tackle identifying all the exceptions so I can turn HTTP scanning (and perhaps HTTPS) back on, but it had gotten to the point where the family felt like I was the oppressive overlord making the Internet a miserable place.  

  • lol - remind them who pays the bills ;)

    I use it as a scare tactic for the kids - Daddy knows EVERY packet of information that leaves this house and comes back in. Keeps them in line if you know what I mean ahahaa.

    Back on point - That's what I got tired of doing on the UTM 9.5 in the past bud - constantly having to keep on top of it. Especially with games like Roblox which have multiple servers using different ports - it was a mare to administrate. Every time a new device connected (someone visiting for example) I had to add it to the exceptions group etc.

    We can obviously use company policy at work to assist us with these sorts of situations but at home man, it's just a mish-mash of everything.

    I had to create exceptions for everything and anything in the past; this new method just makes all our lives easier. Just concentrate on protecting those things that need protecting rather than trying to protect everything. (that's IF I can get it working this way!)

    At some point I'll dig into the intricacies of it, but right now I needed to get it up and running again. Crucial fortnite time was being wasted according to me son!

    I found the following guide quite useful: https://shred086.wordpress.com/2017/11/24/configuring-sophos-xg-for-home-use/ for configuring basic stuff (NTP etc).

    That and the post on here about using no-ip or any other DDNS provider. HTH others.

  • So came across the first issue using the above 'generic config'.

    PS4 wasn't updating games - used the exception list in a post on here (added to Exclusions under Web) -- got that working

    Also chucked in a rule allowing HTTP traffic for the NAS - that resolved the SAB issue


    That leaves two remaining issues - IPTV not working on the Sammy telly - will look into that later.

    and more importantly I still can't access my CCTV from external - it connects and shows multi-view of the cameras but I can't seem to connect to each individual camera yet.


    Still - I'm quite impressed it all works with so little config and glad I adopted this strategy - much less maintenance required overall.

  • IPTV issue resolved by enabling Multicast forwarding in Routing section :)


    EDIT: DS Cam issue is a problem with Surveillance Station - enabling MJPEG mode fixes it - so that's one for Synology to sort out when they decide to pull out their finger lol.


    THAT means - I'm fully operational now - woohoo! - minimal rules, maximum effort :)

    Time to save the new config - oh wait..... mail alerts ain't working yet lol

  • Love the way it identifies WhatsApp traffic lol!

    Looking at reporting apparently my LG TV is 'attacking' something on the web lol - NMP :)

    Serious question - How do I disable VPN services? I couldn't find any options to actually disable it.....

    I use VPN TO work but that's all kool as it's just outbound traffic from a works PC on my LAN captured by the default rule. What I don't need is VPN access INTO my network.....