
Order of the firewall rules

Hello

I keep running into comprehension problems with individual descriptions and statements. I will now try it in small individual steps. I hope you are not offended, but my experience is that as soon as it gets a bit more complicated, the request hangs unanswered.

According to the description, the Bottom Down rule applies to the FW rules. But now there is also the grouping option, and what happens then? If I assign my second-to-last rule to a group, it is theoretically moved in the order. All groups are visually placed in first position, or, if I illustrate it with Bottom Down, in a top position.

Can someone explain this to me in more detail? My FW rules are attached.

Thanks

Wolfgang


  • Hi

    Rule groups don't determine rule priority. The firewall evaluates rules from top to bottom. Please find the below URL and snapshot for reference.

    http://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SecurityPolicyManage.html

  • Thanks Vishal

    I know the rules information in the documentation. There is written:

    You can update existing firewall rules or add new firewall rules. You can change the rule position of custom firewall rules in the rule table. The firewall evaluates rules from top to bottom.

    • To add a firewall rule, select the protocol IPv4 or IPv6 and click + Add firewall rule. Select User/Network rule or Business application rule.

    and

    Note: Rule groups don't determine rule priority. The firewall evaluates rules from top to bottom.

    My screenshot again:

    Now please explain to me the difference between top to bottom according to the description and top to bottom in the screenshot. From my point of view the language is clear.

    Thanks
    Wolfgang

  • I am still not sure how there is a difference?

    Basically the XG will start on the top and look for a matching firewall rule.

    XG uses Source IP, Destination IP and Service.

    Source IP can be replaced by a User, which is basically an IP.

    So: User, Destination IP and Service.

    Those are the matching criteria. And XG will look for a matching rule, starting from the top rule in the first group.

    Grouping will be "just a management method". It will not redesign the rule order.

    You are correct - putting / attaching a firewall rule into a group will / could change the order of your firewall rule set.

    XG will start with the group on top, run through the whole group, exit the group and check the next group / firewall rule. Basically it is just for bigger setups to have a better overview.

    Most customers start to group zone based.

    For example: You have Zone LAN, Zone Server.

    They create a Group LAN with all Source Zone Firewall Groups. Create a new Group Server with all rules attached to this zone.

    Then create a Group DNAT, WAF etc. Just to group them.

    Within the groups, they sort / order the firewall rules with most explicit first: Admin to WAN allow all. User to WAN restrictive access. etc.

  • Hi Toni

    Thank you, your last part was the information which I wanted to know.

    I think if Sophos writes that the group will not change the rule order, this information is not correct.
    The rule order is from top to bottom. But if I move a rule to any group, the rule order can get changed.

    In my specific case (I will reference the IDs), it will start with 6, 8, 7, 1, 5 and last 9.

    If I move rule 9 e.g. to the group "Traffic to WAN", the rule order will change to 6, 8, 9, 7, 1 and last 5.

    In this case a rule group isn't just a container for grouping similar rules anymore, it also changes the rule order if I add one to the group.

    I just checked the documentation in English and German as well, and there it is written that a firewall group doesn't change the rule order.

    De facto that's wrong. I can move the rule group and all rules are reordered. If I place a rule in the second-to-last position and I think that I will keep all rules for the sales team together (it's a kind of organisation), I will change the rule order.

    But in the end I know how it works correctly, and I also know that the description in the manual isn't correct; the nicer expression is "not complete". I will meet a Sophos manager at the beginning of December. I will discuss this with him.

    Thanks a lot
    Wolfgang

  • I guess it is partially true that the group will not change the rule order.

    Because basically, if you do not "move" the firewall rule and instead simply put it into a group, the group will not change the order at all.

    For example:

    Rule 1

    Rule 2

    Rule 3

    Rule 4

    If you now put a group around Rules 1, 2, 3, it will not change the order.

    Rule 1 Group 1

    Rule 2 Group 1

    Rule 3 Group 1

    Rule 4

    So basically the group is just an administration overview, to have better visibility over the rule set.

    If you now take Rule 4 and move it above Group 1, you will of course change the rule order.

    If you pick up Rule 4 into Group 1, nothing will change.

    If you move Rule 4 in Group 1 to a place between 1/2, it will change the order.

    The note in your example simply shows that XG will not pick up groups for any "special" reason.

    There are products which run groups first, then single firewall rules. Or some products run standalone firewall rules first, because they have another priority.

    Take a look at the "new" online help for V18.

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallRules.html

    Do you find an issue there? Open a thread in the EAP Community: this will be fixed in the next release.

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/

    To get back to your example: If you move firewall Rule 9 into Traffic to WAN, it will of course change the firewall order in the first place. It's like moving firewall Rule 9 above Rule 3. That's what you are doing if you move it to the group Traffic to WAN. (Same process.)

    If you put Rule 3 into Traffic to WAN, nothing will change in terms of order.

    Hope that's clear.

  • I think this matters depending on how the rules and groups are designed.

    I usually design groups depending on zones (e.g. LAN to WAN). I then put all rules that go from LAN to WAN in this group.

    There might be other groupings which could lead to some unexpected behavior, as rules that technically belong together are spread between groups and outside groups.

    You also need to put the more specific rule above the less specific one. Otherwise it won't match.

    So the rules are processed from the top to the bottom. Period.
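The effect the two replies above describe (first match wins top to bottom, and moving a rule into a group repositions it in the flat table) can be checked with a small model. This is an added example, not code from the thread or from Sophos; the rule IDs and the group name "Traffic to WAN" come from Wolfgang's post, while the source/destination/service content of each rule and the "append at the end of the group" placement are constructed assumptions.

```python
# Added example: toy first-match rule table where groups are only
# contiguous blocks of rules with no priority of their own.
# Rule IDs and the group name are from the thread; rule contents are constructed.
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    rid: int
    src: str                  # user or source network; "any" matches all
    dst: str                  # destination zone/network
    service: str              # e.g. "HTTP", "SMTP"; "any" matches all
    action: str               # "allow" or "drop"
    group: Optional[str] = None


def first_match(table: List[Rule], src: str, dst: str, service: str) -> Optional[Rule]:
    """Walk the table top to bottom and return the first rule that matches."""
    for r in table:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.service in ("any", service)):
            return r
    return None


def move_to_group(table: List[Rule], rid: int, group: str) -> List[Rule]:
    """Model of 'add rule to group' (assumption): the rule is removed from its
    current position and placed directly after the group's last member, which
    is what changes the flat evaluation order."""
    rule = next(r for r in table if r.rid == rid)
    rest = [r for r in table if r.rid != rid]
    members = [i for i, r in enumerate(rest) if r.group == group]
    pos = members[-1] + 1 if members else len(rest)
    return rest[:pos] + [replace(rule, group=group)] + rest[pos:]


def order(table: List[Rule]) -> List[int]:
    return [r.rid for r in table]


# Constructed rule set laid out in the order Wolfgang reports: 6, 8, 7, 1, 5, 9
TABLE = [
    Rule(6, "admins", "WAN", "any", "allow", "Traffic to WAN"),
    Rule(8, "users", "WAN", "HTTP", "allow", "Traffic to WAN"),
    Rule(7, "any", "Server", "DNS", "allow"),
    Rule(1, "users", "Server", "SMB", "allow"),
    Rule(5, "any", "WAN", "any", "drop"),      # broad drop above the sales rule
    Rule(9, "sales", "WAN", "SMTP", "allow"),  # specific rule shadowed by 5
]
```

Before the move, sales-to-WAN SMTP traffic hits the broad drop in rule 5 because rule 9 sits below it; after moving rule 9 into "Traffic to WAN" the order becomes 6, 8, 9, 7, 1, 5 and the same traffic is allowed by rule 9.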

  • Hi Toni

    It's clear. We are discussing at a higher level of linguistic expression, in this case.

    You can say, and that's 100% true, that Sophos Firewall has a rule order from top to bottom (always). But there is a UI now. A UI can change a lot if I get a graphical view of this information.

    A rule group isn't just a container to collect similar rules. A rule group definitively defines a rule order. A rule group has in the UI the same features for moving and placing as all listed rules.

    You are correct: if I add a rule without a group to a group, it mostly changes the rule order (exceptions prove the rule).

    If I change the order of a rule group within the UI, I also change the rule order of the linked rules.

    In this case you can't say the rule group doesn't change the rule order.

    I think it's one of the typical errors when a firewall was administered with a CLI and then changed to a graphical UI.

    8037.Sample Rules - Rule Groups.pdf

    At the moment I am just trying to understand how many features are really working, and with a few explanations I have problems understanding why that is so. The rule order is clear to me, and I think I will come up with more questions. Whether my DNS server on LAN will make automatic reverse lookup entries from the LAN and RED network, but that's for another thread.

    Anyway, thanks
    Wolfgang