XG Firewall Initial Setup Easy... too easy? (Rule Review & Best Practice)

Question

This week I jumped from a typical consumer grade box to an XG 125 running a home license. So far so good, but I'm new to Sophos (and more advanced firewall applications in general). 
 My goal has been: 
 
 A security focused device with long term firmware support (Check) 
 Allow all devices on the LAN to access to the Internet/WAN (Check and working) 
 Make sure devices on the LAN are behaving (AV & some APP Rules. Done and Working) 
 Country Block Rules (Check, working?) 
 Similar to my consumer router LAN to WAN is ok. WAN to LAN is bad, unless something on the LAN requested it. 
 Keep an eye on what LAN side devices are requesting, something I wasn't able to do previously (Check and eye opening) 
 Lateral Movement protecting for a few devices on my network (Not yet setup, but the process seems straight forward). 
 No remote access / VPN for the moment (Done, port 443 and user portal, disabled). 
 
 Screenshots of my current, simple setup:

I mean, is that it? It seems so simple. My concern here is the default Allow (ID 5) I've configured isn't setup correctly. All of my IOTs, the NAS, Laptops, Computer, Tablets, Phones etc are all working as they did before. Nothing is wrong...setup was simple. Where is the complication, the allow ports/services etc one by one? 
 Should I instead deny everything, watch everything go down and then open services/ports until everything is working again (and by this method, will end up blocking anything that is not used?) 
 The biggest weakness here, isn't Sophos, but rather an inexperienced firewall user unsure if best practices are being followed.

LuCar Toni · Accepted Answer

Actually you could start to setup DHCP Static Mapping with Clientless Users. 
 XG will be able to resolve those clients and you can setup a more granular rules for your predefined clients (PCs / IoT etc.).

shred · Answer

CMC said: 
 Let's take an example, say I want to ensure my IOTs (grouped via Clientless Users) can only access HTTP and HTTPS (just as an example). So I create a firewall rule "allowing" HTTP and HTTPS for them and set it as a top rule. Well the IOT says "Hey, I want FTP access" the firewall rule says "hmm, nope you can only have HTTP or HTTPS" but, as it works it's way down the list to that default network policy eventually the firewall will say "Oh, you're on the LAN, sure, "allow all' to the WAN, FTP? no problem" 
 
 That's correct. The firewall rule has to match the source zone, source network and devices, scheduled time, destination zone, destination network and services. If it doesn't match one of those, then the firewall rule does not apply to that "connection", and it will move down the list of firewall rules until something applies. If nothing applies, then the default deny all, aka rule 0, will block it. 
 CMC said: 
 
 Shouldn't the network default policy be drop all? Or in this case, perhaps completely removed in favor of granting devices access as required 
 
 It's personal preference. The default LAN to WAN rule simply allows clients to access the WAN (internet in our case) by default without any further configuration. I think you will find most home users run this type of setup based on how difficult it is to identify every single port a device uses. I tried that approach initially, but eventually gave up because you will find companies either 1) do a poor job of listing which ports their devices use, 2) devices will use ports outside of what the manufacturer claims or 3) will have no idea what you're talking about when you ask them. The approach I've taken is setting up separate firewall rules for my computer/mobile devices, media streaming devices and IOT devices that have to be on my local subnet. I've classified almost all of the services they need but I keep the default LAN to WAN rule at the bottom with logging on, such that when one of the devices use ports outside of the services I have set, I'll see it in the logs and I can do some research to figure out what it is. If I can identify and confirm it, I'll add it as a service to pertaining firewall rule. For my IOT devices that don't need to be on my local subnet, I have them on my guest subnet using a separate WiFi SSID and VLAN so they can never access my local subnet. 
 Is this setup less secure than deleting the default LAN to WAN rule and only explicitly allowing connections? Sure, but it's all tradeoffs and network security is really a layered approach. Even though you have a default LAN to WAN rule, you can still run malware scanning, IPS, application scanning, etc. I'd also recommend anti-virus on your end points (computers) as another layer of security. I'd say experiment and find what works for you. Setup the rules you need to still be able to access the internet from the devices you want, then disable the default allow all rule. With my current setup, I could run it that way since I've categorized most of the services my devices use, but it's still not worth having to troubleshoot every week so I just leave it enabled. It's already painful having to deal with HTTPS scanning at times (some websites or apps will not work with HTTPS scanning so you have to create exceptions).