Home testing - Sophos XG 17.1 - it's so easy?

Been running UTM Home edition for a while now (since 2016) and I recall the pain involved in originally setting it up for home use.

Multiple media devices, Hive hub, VPN use for work - I recall getting sick of it all and just creating an exception group and dumping MAC addresses in there to bypass the firewall and basic HTTP scanning. Eventually basic web traffic scanning was stopped as the kids went mental with Roblox.

Minecraft was a nightmare to get working for the kids etc etc. - all this stuff required a huge amount of time and effort in creating rules etc.


Come yesterday I decided to move with the times and migrate to XG using a clean build.

Printed out a config of the existing UTM (to PDF).

Installed 17.08MR - connected up, updated firmware etc through the wizard - all went well, a bit too well!!!


Everything was literally back up and running two hours later - HTTP scanning is enabled with web policy on the default policy and EVERYTHING just works.

Even the infamous Minecraft JUST works on my daughter's PC!

Just had to configure WAF for use with my Synology box - easy enough!


Have to say I'm impressed - but what gives? I recall the days of having to create exceptions for media devices, Android phones etc. Not had to do this once! - or am I doing this all wrong with the default profiles? :) - usually everything is blocked by default...

Interested in experiences from others also in the home environment what with the advent of 'smart' everything these days.

  • Are you sure the default policy that you are using is set for HTTP scanning? I would check the log and make sure it is actually using the rule you think it is. My experience with home use has been rough where malware and content scanning are concerned for kids. Roblox, YouTube, Apple services, Google/Android, Netflix, etc. have had issues where it either doesn't work at all or partially (which is worse). And don't even get me started on HTTPS decryption...

    In the end, I have done what you were doing, which is turn off malware and content scanning, and all is well. Occasionally there are sites that simply don't like going through the Web proxy for category filtering. I'm not sure if this is advisable, but I have created a FW rule that is top of the list for "exceptions" and then enter wildcards for destination networks, which I find to be easier than using the REGEX exceptions within the Web proxy itself. This approach also works if you want to keep HTTP scanning on, but I found it was too much of a hassle and life is much better when the wife/kids are not yelling about the Internet not working. Yes, I know I'm sacrificing security by doing this, but I was pulling my hair out and just don't have the energy to deal with it! Open to ideas...

  • Hi,

    Folks, sounds like you are trying to do too much with one firewall rule.

    You need to set up rules for specific applications, e.g. no scanning (application or web) on Minecraft, but full scanning on other sites. The Minecraft rule would be at the top. Set up scanning rules for your mail, but you will need certificates installed on each device to enable POPS/IMAPS/SMTPS, otherwise you only scan POP3/IMAP/SMTP.

    The default rule built at installation time will always let all traffic out (you are asked during initial configuration what functions you want to configure); if you don't enable an initial firewall rule, nothing leaves the XG.

    Ian
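
The ordering point Ian makes above, as an added example that is not from this thread or from Sophos: a minimal first-match model of an XG-style rule list, plus a check that flags rules shadowed by a broader rule higher up (the usual reason a "no scanning" exception silently never applies). The rule fields, the use of TCP 25565 for Minecraft and the rule names are assumptions for illustration.

```python
# Added example (not from the thread): first-match firewall rule evaluation and
# shadow detection. Rule fields and ports are illustrative assumptions.
from dataclasses import dataclass

ANY = "any"

@dataclass
class Rule:
    name: str
    proto: str = ANY                    # "tcp", "udp" or ANY
    dports: frozenset = frozenset()     # empty set means any destination port
    web_scan: bool = False              # apply web/malware scanning to matches
    app_scan: bool = False              # apply application scanning to matches

def matches(rule, proto, dport):
    if rule.proto != ANY and rule.proto != proto:
        return False
    if rule.dports and dport not in rule.dports:
        return False
    return True

def first_match(rules, proto, dport):
    """First rule in list order that matches wins; no match means the traffic is dropped."""
    for rule in rules:
        if matches(rule, proto, dport):
            return rule
    return None

def shadowed(rules):
    """Names of rules that can never match because an earlier rule already covers
    every protocol/port combination they would match."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            covers_proto = earlier.proto == ANY or earlier.proto == r.proto
            covers_ports = not earlier.dports or (bool(r.dports) and r.dports <= earlier.dports)
            if covers_proto and covers_ports:
                out.append(r.name)
                break
    return out

# Constructed rule set: an unscanned Minecraft exception (assumed plain TCP to the
# game's default port 25565) and a scan-everything default LAN-to-WAN rule.
MINECRAFT = Rule("minecraft-noscan", "tcp", frozenset({25565}))
DEFAULT = Rule("default-lan-to-wan", web_scan=True, app_scan=True)

GOOD_ORDER = [MINECRAFT, DEFAULT]   # specific exception first, as recommended
BAD_ORDER = [DEFAULT, MINECRAFT]    # broad default first: the exception is dead
```

Running `shadowed(BAD_ORDER)` reports the Minecraft rule, while in `GOOD_ORDER` port 25565 reaches the exception and everything else (e.g. TCP 443) still gets the scanned default rule.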

  • It's currently a work in progress but I'm going for this sorta setup - it's VERY simple as my main aim is just to secure my NAS box:

    A whole new strategy to go with a whole new Nextgen firewall ;)

    Basically I've only got 2 PCs in the house, an Xbone, PS4, 2 x smart TVs, and a Synology media server also being used for CCTV.

    It's always a mare administering this stuff at home, especially when the IT-illiterate CEO applies pressure (read that as wifey).

    There's an Asus AC88U also acting as an access point serving a gazillion and one wireless devices lol.


    I've gone for an allow all (out) sorta policy with just web filtering on HTTP traffic for now (to keep the kids safe and away from pron etc.) and worked my way into locking down the NAS box (it's set up as a WAF). - That's a reverse proxy type setup, yeah? Better than just wanging the NAS straight out to the web?

    It sort of all works barring the CCTV stuff - I'm using DSCam so need to faff with ports - multi-view is working fine, but when trying to view individual cameras it currently isn't (might need to open port 5000, I think). Also need to faff with Sab a bit as I use an external site to send GET file requests to it - currently getting HTTPS errors when I do that, however (requires tweaking).

    With this setup I've not had to do anything other than set a static IP address on the NAS and some basic config on the XG - keeps maintenance down to a minimum as I don't need to keep adding MACs or individual devices to any groups that connect via weefee (visiting cousins etc.) and provides protection for ALL devices in terms of being able to limit which sites can be gone to. I'm using the standard Default_Profile to apply a simple Web filtering policy at the moment - this way it won't affect gaming on any of the devices either and keeps it bog simple.

    Still better than using just the AC88U, as it gives the same level of protection with the added bonus of having web filtering and a sort of reverse proxy for the NAS box.


    Only shame about this setup vs UTM 9.5 is that we can't use the endpoint protection feature - I would have loved to have secured the PCs a tad more using that 'heartbeat' thingy, but I'm guessing it's a no-go for us home users. Ain't touched reporting or anything yet. I got so used to using UTM. Guess endpoint security will have to be handled on the device itself - but it's no different to using a bog standard off-the-shelf router this way, I guess?

    Tell you what, it's a great idea by Sophos to give this stuff out for home use - I've built up a ton of experience and Sophos is often referred to at work, even by my colleagues (work in IT) - great promotion tool for them.
