Set application filter for specific user

Dear all

I migrated from SG to XG (current firmware SFOS 17.5.3). I really, really love the Web policies feature; it's very flexible when I want to allow/deny specific URLs/URL groups for a specific group or user. Good job.

But I can't set specific applications/application groups for a specific group or user; this feature is not available. Right now, I have over 20 different requests for application filters, and I must create them one by one as over 20 firewall rules (one user, one firewall rule), whereas with web policies I just create one and set the filter for a specific user.

Is there any way to set an application filter for a specific user/group?

Best regards



  • Hi,

    From my understanding of your request, you can create application groups. They take a little more effort but you can do it.

    You create your application filter (name, description, allow all or block all) and save it. Then you add the applications you wish to filter by selecting the individual tab.

    If you need additional assistance I will post examples.

    Ian

  • Dear rfcat_vk

    Thanks for your reply.

    Please post examples for me. I'm confused and tired. The application filter is not as flexible as Web policies (granting permission via user/group).

    Best regards

  • Hi DXG,

    the following are a series of screenshots that might provide some help.

     

    or

    there is another alternative and that is to modify an existing application policy.

    I can provide screenshots of that if you need?

    Ian

  • The point is, you cannot assign Group A only Facebook, Group B only Twitter, and Group C Facebook and Twitter. For this scenario, you would have to set up 3 individual firewall policies.

    It is the common "Nested Group" problem. AD administrators love this system: simply assign a group in AD and the user can access Twitter. But it is kinda hard to project this onto a firewall like XG. You would have to implement something like Web filtering in XG as well.

    As far as I know, there is something in the pipeline for this right now. But I cannot give an ETA.

  • Thanks for your help, rfcat_vk

    But I created a new application filter allowing TeamViewer for the HR Team leader; after that, I created a new firewall rule above all users' firewall rules and attached the new application filter (allow TeamViewer), matching the HR Team leader's user. The effect: the HR Team leader can access TeamViewer and, unbelievably, he can access any application.

    The rule with id 59 is the rule applied for the Team leader, and id 12 is for all users.

    Rule id 12 denies over 100 applications; rule id 52 has one row which allows TeamViewer.

    When I disable rule id 59, the HR Team leader cannot use TeamViewer or the over 100 applications; rule id 12 is applied to him (including Skype, Remote Desktop...) --> it's good. When I enable rule id 59, the HR Team leader can use TeamViewer; rule id 59 is applied to him --> it's good. But instead of just using TeamViewer, the HR Team leader can use any application too (Skype, Remote Desktop, FileZilla...). It's not good.

    sorry for my poor English

    Regards

  • Hi,

    Do you have HTTPS scanning enabled and the XG CA installed on the desktops?

    The application rule does not stop any other application from connecting; you need to add that policy to your block all policy.

    Ian

  • hi rfcat_vk

    I don't have HTTPS scanning enabled and have not yet installed the CA.

    Right now, I have 5 users' requests to connect to 05 different applications. I must create 05 application filters, and in each application filter I must add one application with action ALLOW and over 100 applications with action DENY.

    Web policies are very good. Meanwhile, the application filter is not good; it's really inconvenient. Sophos SG is very good with this request.

    Thanks for your help, rfcat_vk.

    Regards

  • Hi DXG,

    Copy one of the existing filters and add the exception. I think your approach is making life difficult for yourself. The UTM does not have the same level of application control as does the XG; that is why the migration to the XG is occurring.

    Why do you need to limit your users to specific applications? Wouldn't it be easier to provide all 5 users with the same policy? While they might attempt to access the external application, in theory they would not have the correct credentials to use it or download and install it?

    Ian
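
A simplified model of the behaviour discussed in this thread, added here as an example; it is not part of any post and not Sophos code. It assumes the first matching firewall rule handles the traffic and only that rule's application filter is consulted, with unlisted applications taking the filter's default action; the user name `hr_lead` and the short deny list are constructed.

```python
# Simplified model (assumption, not Sophos code): the first firewall rule whose
# user set matches handles the traffic, and only that rule's application filter
# is consulted. Applications not listed in the filter get its default action.
from dataclasses import dataclass, field

@dataclass
class AppFilter:
    default: str                                  # action for unlisted apps
    entries: dict = field(default_factory=dict)   # app name -> "allow"/"deny"

    def decide(self, app):
        return self.entries.get(app, self.default)

@dataclass
class Rule:
    rule_id: int
    users: set                                    # {"*"} matches every user
    app_filter: AppFilter

def evaluate(rules, user, app):
    """Return (rule_id, action) from the first rule matching the user."""
    for rule in rules:                            # ordered top to bottom
        if "*" in rule.users or user in rule.users:
            return rule.rule_id, rule.app_filter.decide(app)
    return None, "deny"                           # nothing matched: drop

# Constructed sample data; the thread's deny list has over 100 entries.
DENIED = ["TeamViewer", "Skype", "Remote Desktop", "FileZilla"]
deny_list = AppFilter("allow", {a: "deny" for a in DENIED})
rule_12 = Rule(12, {"*"}, deny_list)

# As configured in the thread: rule 59's filter lists only TeamViewer.
allow_only = AppFilter("allow", {"TeamViewer": "allow"})
as_configured = [Rule(59, {"hr_lead"}, allow_only), rule_12]

# Suggested fix: copy the deny-list filter and add the one exception.
copied = AppFilter("allow", {**deny_list.entries, "TeamViewer": "allow"})
corrected = [Rule(59, {"hr_lead"}, copied), rule_12]

def report(rules, user):
    """Map each normally denied application to the action this user gets."""
    return {app: evaluate(rules, user, app)[1] for app in DENIED}

if __name__ == "__main__":
    for name, rules in (("as configured", as_configured), ("corrected", corrected)):
        print(name, report(rules, "hr_lead"))
```
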

  • Right now, I have 5 users' requests to connect to 05 different applications. I must create 05 application filters, and in each application filter I must add one application with action ALLOW and over 100 applications with action DENY, because the application rule does not stop any other application from connecting. After that, I attach each application filter to one firewall rule for one user.

    It's really complicated.

    Sophos SG can process these requests very flexibly.

  • Is SG more flexible in this scenario?

    As far as I can remember, it has the same mechanism in it to implement this as XG.

  • If what you say is accurate, why are we wasting time with the XG? The reason for the XG was the better level of application management?

    Yes, I am aware of lots of other improved features to do with the HTTP/S proxy and being able to direct different rules to different external networks.

    Ian

  • Hi rfcat_vk

    "The reason for the XG was the better level of application management?" - Yes, I agree. The application filter of XG is better than SG.

    My issue belongs to look experience; in fact, I migrated from SG to XG just 1 week ago, too many application rules have not been transferred yet, and I'm stressed.

    XG Web policies are very good; they have left a deep impression on me.

    Thanks for all your help, rfcat_vk
