What are the differences between Firewall rules and Regex and how do they work together?

Hey Michael Jones1 

For added context, would it be possible to provide a screenshot or more detailed example of your original "clean rule" and how your rule looks now with regex entries?

Also could you please clarify your question regarding difference? Difference between a firewall rule matching traffic via regex vs a firewall rule matching to traffic via?

Regards,

Morning FloSup,

By clean I mean no scanning. No AV or WEB or IPS or HTTP or HTTPS. Just a rule to try an bypass any kind of scanning?

Why do I need regex if I have a firewall wall rule to allow or block traffic from say O365?

I think this KBA explains your query.

https://community.sophos.com/kb/en-us/128173

What does regex do that firewall rules don't?

Cannot follow your question? 

Hi LuCar,

I will answer what I think he is asking and I will request that you fill in the bits that I am unsure of.

The XG is based on firewall rules, policies and definitions.

A firewall rule uses policies and definitions to achieve its functions. REGEX can be used to fine tune the policies and maybe definitions, but not firewall rules.

I expect REGEX can be used in a number of places in the XG policies, but the only one I am aware of is the Web Exceptions, (LuCar please expand if needed).

I hope that answers you question?

Ian

Michael Jones1 said:

What does regex do that firewall rules don't?

If you are asking about the two different methods that are in the KB (Exceptions using RegEx versus Firewall Rules).

If you use the firewall rule method, the traffic (the packets) are forwarded from the LAN to the WAN, without ever going through the web proxy.

If you use the Exception / RegEx rule method the packets are sent the web proxy, the proxy then still implements some policy (other policy may not be run based on the exception) and then sent out to the far web server.

So an Exception turns off part of the web proxy policy.  A firewall rule bypasses the web proxy altogether.

If you wanted to turn off antivirus scanning and still enforce category blocks, use an exception.  If you wanted to say "I fully trust this site and want connections completely untouched" use a firewall rule.

Michael Jones1 said:

What does regex do that firewall rules don't?

If you are asking about the two different methods that are in the KB (Exceptions using RegEx versus Firewall Rules).

If you use the firewall rule method, the traffic (the packets) are forwarded from the LAN to the WAN, without ever going through the web proxy.

If you use the Exception / RegEx rule method the packets are sent the web proxy, the proxy then still implements some policy (other policy may not be run based on the exception) and then sent out to the far web server.

So an Exception turns off part of the web proxy policy.  A firewall rule bypasses the web proxy altogether.

If you wanted to turn off antivirus scanning and still enforce category blocks, use an exception.  If you wanted to say "I fully trust this site and want connections completely untouched" use a firewall rule.