
XG Firewall Initial Setup Easy... too easy? (Rule Review & Best Practice)

This week I jumped from a typical consumer grade box to an XG 125 running a home license. So far so good, but I'm new to Sophos (and more advanced firewall applications in general).

My goal has been:

  • A security focused device with long term firmware support (Check)
  • Allow all devices on the LAN to access to the Internet/WAN (Check and working)
  • Make sure devices on the LAN are behaving (AV & some APP Rules. Done and Working)
  • Country Block Rules (Check, working?)
  • Similar to my consumer router LAN to WAN is ok. WAN to LAN is bad, unless something on the LAN requested it. 
  • Keep an eye on what LAN side devices are requesting, something I wasn't able to do previously (Check and eye opening)
  • Lateral movement protection for a few devices on my network (Not yet set up, but the process seems straightforward). 
  • No remote access / VPN for the moment (Done, port 443 and user portal, disabled). 

Screenshots of my current, simple setup: 

I mean, is that it? It seems so simple. My concern here is that the default Allow (ID 5) I've configured isn't set up correctly. All of my IoTs, the NAS, laptops, computer, tablets, phones etc. are all working as they did before. Nothing is wrong... setup was simple. Where is the complication, allowing ports/services etc. one by one?

Should I instead deny everything, watch everything go down and then open services/ports until everything is working again (and, by this method, end up blocking anything that is not used?) 

The biggest weakness here, isn't Sophos, but rather an inexperienced firewall user unsure if best practices are being followed. 



  • Actually you could start to set up DHCP Static Mapping with Clientless Users. 

    XG will be able to resolve those clients and you can set up more granular rules for your predefined clients (PCs / IoT etc.). 

  • Excellent suggestion, Thank You. I'll start looking into that. 


    So it sounds like then, outside of more granular rules, the overall configuration looks ok? (At least in terms of Wan to Lan. Lan to Wan needs a little more refinement).


    If that's the case, hats off to the development team. The XG software is pretty intuitive, especially to someone not within the industry. 


  • Actually you can delete the predefined rules if you do not intend to use them. 

    The MTA Rule is not needed, if you are not using any mail content scanning. 

    And actually you have a LAN to WAN Rule, allowing everything. That will work, but maybe you want to start to be more granular. 

    Maybe you can start to do a Proxy for certain clients? 

  • I’m a bit confused by your firewall rules. Here’s a couple of things to consider that may help.

    1. There is a hidden firewall rule, known as “rule 0”, that is the implicit default drop rule in Sophos XG. Basically, if you deleted all of your firewall rules, this is what blocks all traffic from ingressing or egressing Sophos XG.

    2. By default, Sophos XG creates a Default Network rule that you can see on the bottom of your firewall rules. As you can see, it allows any host in your LAN zone to establish a connection with any host in the WAN zone (e.g. internet for the majority of users). This is what allows devices/clients on your local network (LAN) to access the internet. Remember, this is only allowing connections from your LAN to the WAN, but Sophos XG is a stateful firewall meaning once a connection is established, packets can now be exchanged in both directions. This is why you don’t need a firewall rule from the WAN to the LAN to access the internet, nor would you want to since you would open up your local network to the internet which would be bad.

    Personally, I create MAC Hosts for the devices on my network and add them to their respective firewall rules. This way I don’t have to deal with static DHCP mappings.

    I created a blog with some tutorials for Sophos XG home users that may be useful: https://shred086.wordpress.com/

  • Thanks, Your blog looks like a great source of info. I'll start reading through it this evening.

    Note that some of the rules in the screenshot are actually grayed out and were just example rules Sophos added during the install. Currently I have the default network allow all in place (LAN to WAN) and a country blocking rule. That's it for the moment. 

    Where I'm currently confused (I actually posted this in another thread, I think, confusing these two) is why that default LAN to WAN allow is there in the first place. 


    Let's take an example, say I want to ensure my IoTs (grouped via Clientless Users) can only access HTTP and HTTPS (just as an example). So I create a firewall rule "allowing" HTTP and HTTPS for them and set it as a top rule. Well, the IoT says "Hey, I want FTP access", the firewall rule says "hmm, nope, you can only have HTTP or HTTPS", but as it works its way down the list to that default network policy, eventually the firewall will say "Oh, you're on the LAN, sure, allow all to the WAN, FTP? No problem." 


    Shouldn't the network default policy be drop all? Or in this case, perhaps completely removed in favor of granting devices access as required?

  • From my understanding, if you use the MAC address you do not get the device ID in reports.

    Ian

  • CMC said:

    Let's take an example, say I want to ensure my IoTs (grouped via Clientless Users) can only access HTTP and HTTPS (just as an example). So I create a firewall rule "allowing" HTTP and HTTPS for them and set it as a top rule. Well, the IoT says "Hey, I want FTP access", the firewall rule says "hmm, nope, you can only have HTTP or HTTPS", but as it works its way down the list to that default network policy, eventually the firewall will say "Oh, you're on the LAN, sure, allow all to the WAN, FTP? No problem." 

    That's correct. The firewall rule has to match the source zone, source network and devices, scheduled time, destination zone, destination network and services. If it doesn't match one of those, then the firewall rule does not apply to that "connection", and it will move down the list of firewall rules until something applies. If nothing applies, then the default deny all, aka rule 0, will block it.

    CMC said:


     Shouldn't the network default policy be drop all? Or in this case, perhaps completely removed in favor of granting devices access as required?

    It's personal preference. The default LAN to WAN rule simply allows clients to access the WAN (internet in our case) by default without any further configuration. I think you will find most home users run this type of setup based on how difficult it is to identify every single port a device uses. I tried that approach initially, but eventually gave up because you will find companies either 1) do a poor job of listing which ports their devices use, 2) devices will use ports outside of what the manufacturer claims or 3) will have no idea what you're talking about when you ask them. The approach I've taken is setting up separate firewall rules for my computer/mobile devices, media streaming devices and IoT devices that have to be on my local subnet. I've classified almost all of the services they need, but I keep the default LAN to WAN rule at the bottom with logging on, such that when one of the devices uses ports outside of the services I have set, I'll see it in the logs and I can do some research to figure out what it is. If I can identify and confirm it, I'll add it as a service to the pertaining firewall rule. For my IoT devices that don't need to be on my local subnet, I have them on my guest subnet using a separate WiFi SSID and VLAN so they can never access my local subnet.

    Is this setup less secure than deleting the default LAN to WAN rule and only explicitly allowing connections? Sure, but it's all tradeoffs and network security is really a layered approach. Even though you have a default LAN to WAN rule, you can still run malware scanning, IPS, application scanning, etc. I'd also recommend anti-virus on your endpoints (computers) as another layer of security. I'd say experiment and find what works for you. Set up the rules you need to still be able to access the internet from the devices you want, then disable the default allow all rule. With my current setup, I could run it that way since I've categorized most of the services my devices use, but it's still not worth having to troubleshoot every week so I just leave it enabled. It's already painful having to deal with HTTPS scanning at times (some websites or apps will not work with HTTPS scanning so you have to create exceptions).
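The rule walk described in the replies above (implicit rule 0, the stateful return path, a top IoT rule falling through to the default LAN to WAN allow, and that default rule kept at the bottom with logging on), as an added toy model that is not from the thread or from Sophos; the rule names, host names, addresses and the `log` flag are constructed assumptions.

```python
# Added example, not Sophos code: XG-style first-match rule evaluation with the
# implicit rule 0 drop and a stateful connection table (constructed model).
from dataclasses import dataclass

ANY = "ANY"

@dataclass
class Rule:
    name: str
    src_zone: str
    src_hosts: set      # {ANY} or a set of source host names
    dst_zone: str
    services: set       # {ANY} or a set of service names such as "HTTPS"
    action: str         # "ACCEPT" or "DROP"
    log: bool = False   # the rule's "log firewall traffic" switch (assumed)

    def matches(self, flow):
        src_zone, src_host, dst_zone, _dst_host, service = flow
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and (ANY in self.src_hosts or src_host in self.src_hosts)
                and (ANY in self.services or service in self.services))

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules      # ordered top to bottom, as in the rule table
        self.conns = set()      # (src_host, dst_host, service) of accepted connections

    def handle(self, flow):
        """Return (rule name, action, logged) for one new packet/flow."""
        src_zone, src_host, dst_zone, dst_host, service = flow
        # Reply direction of an accepted connection: passed by state, no WAN-to-LAN rule needed.
        if (dst_host, src_host, service) in self.conns:
            return "established", "ACCEPT", False
        for rule in self.rules:  # first match wins; rules below it are never consulted
            if rule.matches(flow):
                if rule.action == "ACCEPT":
                    self.conns.add((src_host, dst_host, service))
                return rule.name, rule.action, rule.log
        return "rule 0", "DROP", False   # nothing matched: implicit default drop

IOT = {"cam-01", "plug-02"}   # constructed IoT host names (clientless users / MAC hosts)
IOT_RULE = Rule("IoT HTTP/HTTPS only", "LAN", IOT, "WAN", {"HTTP", "HTTPS"}, "ACCEPT")
DEFAULT_RULE = Rule("Default Network Policy", "LAN", {ANY}, "WAN", {ANY}, "ACCEPT", log=True)
FLOWS = [  # constructed traffic; addresses are from documentation ranges
    ("LAN", "cam-01", "WAN", "203.0.113.10", "HTTPS"),  # IoT doing what it should
    ("LAN", "cam-01", "WAN", "203.0.113.10", "FTP"),    # IoT asking for FTP
    ("WAN", "203.0.113.10", "LAN", "cam-01", "HTTPS"),  # reply to the accepted HTTPS flow
    ("WAN", "198.51.100.7", "LAN", "cam-01", "HTTPS"),  # unsolicited inbound connection
]
def run(rules, flows=FLOWS):
    fw = StatefulFirewall(rules)
    return [fw.handle(f) for f in flows]
```

With the default rule present, the IoT FTP flow is accepted by "Default Network Policy" and shows up in the log; with that rule deleted, the same flow lands on rule 0 and is dropped, while the HTTPS reply still passes on connection state either way.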