
How can I create a user-based application policy?

Hello,

 

I am trying to create a user- or user-group-based application policy. I can easily create a web policy that includes all user groups, but do I have to do the same thing for the application policy?

I need to define different firewall rules that include different web and application policies. Web policies are easy, but I cannot find a solution for application policies.

 

Thank you



  • Hi,

    As far as I understand, you cannot do this.

    The Web Proxy is the only module in XG which does not rely on this KBA: https://community.sophos.com/kb/en-us/123161

    All modules like Firewall Policies (Application, IPS etc.), Hotspot, VPN etc. use the "Primary Group" for authentication.

    Only the Web Proxy can perform "another" lookup to AD. 


  • Well, for example some users need to connect to p2p, but others should not be able to connect.

    Can I only do this from the source network in the firewall rule? If the IP number of these people changes, the rule doesn't work?

  • Hi Ozgur,

    Are you using AD as authentication to access the XG?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ozgur,

    So, as part of your AD you can disable people's access to VPNs via a GPO.

    Ian


  • VPN or P2P is just an example :)

    Why do I have to use a single application policy for all clients?

    I might want to allow Facebook games for some users or block them. I should be able to do that with application policies?

    As you can see in the image below, it drops users outside the defined group, and the next firewall rule does not work.

  • Hi,

    I think you misunderstand. You create groups within your AD and then create the groups in the XG where people are allowed to connect using STAS functions. (You would have to read the KBA and search the forums; I am not a STAS user.) You can create your own application policies and assign them to firewall rule(s).

    I have an application policy on my XG, for VoIP.

    You will need to change your rules to use HTTPS scanning as well.

    Ian


  • I would like to explain this with an example.

    I created 3 user groups:

    Group A, Group B, Group C

    I also created 3 application policies:

    AppPolicy1, AppPolicy2, AppPolicy3

    Ok,

    Group A has to connect to the WAN with AppPolicy1,

    Group B has to connect to the WAN with AppPolicy3 (for example),

    Group C has to connect to the WAN with AppPolicy2.

    So I should create 3 firewall rules for this operation, but firewall rules are triggered only via network IP or hosts, not depending on user groups.

    Can I explain my problem?

  • Like I mentioned in my post earlier, you need to set up all those 3 groups in XG as primary group and fill them with users. Then you are able to perform your actions, because you set up 3 user-based policies and attach all those 3 app policies to these 3 rules.

    It will work.

    Same for IPS, VPN, etc.

    But you cannot simply use the same mechanism as the HTTP Proxy. The Proxy works in a different way, so it can perform a lookup to get other groups out of AD.

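As an added illustration of the mechanism described in the replies above (constructed example, not code from the thread or from Sophos): a small Python model of first-match rule evaluation in which firewall/application rules see only the user's primary group, while the web proxy can consult the user's other AD groups. The users, groups and rule names are constructed to mirror the question.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    primary_group: str
    other_groups: frozenset = field(default_factory=frozenset)  # secondary AD groups

@dataclass
class Rule:
    name: str
    groups: frozenset   # empty set = matches any authenticated user
    action: str         # application policy to apply, or "DROP"

def evaluate(rules, user, lookup_all_groups=False):
    """First matching rule wins; returns (rule name, action).
    lookup_all_groups=False models firewall/app/IPS rules (primary group only);
    True models the web proxy, which performs its own lookup of other AD groups."""
    visible = {user.primary_group}
    if lookup_all_groups:
        visible |= user.other_groups
    for rule in rules:
        if not rule.groups or visible & rule.groups:
            return rule.name, rule.action
    return "default", "DROP"   # implicit default drop when nothing matches

# Constructed sample: one user-based rule per group, as in the question.
RULES = [
    Rule("Rule-A", frozenset({"Group A"}), "AppPolicy1"),
    Rule("Rule-B", frozenset({"Group B"}), "AppPolicy3"),
    Rule("Rule-C", frozenset({"Group C"}), "AppPolicy2"),
]
# A catch-all drop placed above the group rules shadows them (the ordering
# problem the original poster ran into): later rules are never reached.
SHADOWED = [Rule("Drop-others", frozenset(), "DROP")] + RULES

alice = User("alice", "Group A")
bob = User("bob", "Group B")
# carol's primary group is Domain Users; Group C is only a secondary group,
# so firewall/app rules do not see it, but the web proxy lookup does.
carol = User("carol", "Domain Users", frozenset({"Group C"}))

def demo():
    """Map each user to (firewall/app action, web proxy action)."""
    return {u.name: (evaluate(RULES, u)[1], evaluate(RULES, u, True)[1])
            for u in (alice, bob, carol)}

if __name__ == "__main__":
    for name, (fw, web) in demo().items():
        print(f"{name}: firewall/app -> {fw}, web proxy -> {web}")
    print("alice with catch-all drop first:", evaluate(SHADOWED, alice))
```

Running it shows carol dropped by the application rules but matched by the web proxy, which is exactly why the groups must be set up as the users' primary group on the XG.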

  • Thank you LuCar for chiming in to assist.

    Ian
