
Multiple Protection Policies Necessary? (Top to Bottom Rules)

I'm trying to better understand the Sophos Top to Bottom philosophy.

I currently have three separate wireless networks. With the exception of QoS, each has similar policies (Scan HTTP, Block Google, Scan FTP, Lan to Wan Default Intrusion Prevention, Application Control (Custom), Traffic Shaping Policy (Custom)).

All has been working well. I have a number of hard-wired devices on the LAN. They all route through the "default network policy" or the "Lan to Wan" rule. This, like the wireless networks, has its own firewall rules (Intrusion Prevention, Application Control, etc.).

My question is, since the Wireless Networks at some point have to travel through the LAN > WAN, are these settings redundant? In other words, is the firewall working double time/scanning twice, when really all of the protection settings should just be applied within the Default Network Policy / Lan to WAN firewall rule instead?

This thread was automatically locked due to age.
  • Hi,

    Please post a copy of your firewall rules so we can better assist you.

    Are you seeing traffic being reported against each firewall rule?

    Also you might like to build your own IPS policy rather than use the general template.

    Ian

  • Yes there is traffic, there's no issue there. I'm just curious if perhaps the firewall is double scanning traffic/working harder than it needs to. In other words, because the Wireless AP is bonded to the Lan/Wan and all traffic from the WiFi flows through LAN, I'm curious if perhaps I just need to set up Intrusion Protection, AV, etc on only the Lan/Wan rule rather than all of them. 

    Image attached:

  • Hi,

    It only scans the first rule that matches.

    Ian

  • XG uses a first match principle based on Source IP, destination IP and Service.

    You can replace the Source IP with a Username in an Authentication setup.

    But still the 3 factors above are hitting. 

    The Zone Factor is implemented in Source and Destination IP. 
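As an added illustration of the first-match behaviour described in the two replies above (example code written for this page, not Sophos code; the zone address ranges, rule names, addresses and protection labels are constructed assumptions), the model below walks a rule table top to bottom on source IP, destination IP and service, applies only the first matching rule's protections, and also flags rules that an earlier, broader rule shadows. It shows the practical consequence for the original question: traffic from a wireless network is inspected once, by the wireless rule it hits, so the Default LAN to WAN rule's IPS and AV never run for it, and a wireless rule that lacks IPS is not "caught" later by the default rule.

```python
"""First-match firewall rule evaluation, modelled on the Sophos XG behaviour
described in the thread: rules are tried top to bottom on source IP,
destination IP and service, and only the first matching rule's protections
are applied.  Every network, address and rule name here is constructed
for the example and is not taken from the original post."""
from dataclasses import dataclass
import ipaddress

# Constructed zone layout.  On the appliance a zone is bound to an
# interface; here it is derived from the address range, which is the
# "Zone Factor is implemented in Source and Destination IP" point above.
ZONES = {
    "WIFI1": ipaddress.ip_network("192.168.10.0/24"),
    "WIFI2": ipaddress.ip_network("192.168.20.0/24"),
    "LAN":   ipaddress.ip_network("192.168.1.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the known
    internal ranges is treated as WAN (assumption for this example)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str            # "ANY" matches every zone
    dst_zone: str
    services: frozenset      # {("tcp", 443), ...}; empty set = any service
    protections: frozenset   # features applied when this rule is the match

    def matches(self, src_ip, dst_ip, proto, port) -> bool:
        if self.src_zone not in ("ANY", zone_of(src_ip)):
            return False
        if self.dst_zone not in ("ANY", zone_of(dst_ip)):
            return False
        return not self.services or (proto, port) in self.services


def first_match(rules, src_ip, dst_ip, proto, port):
    """Return (matching_rule, rules_evaluated); rule is None if nothing matched.
    Evaluation stops at the first hit, so later rules are never consulted."""
    for count, rule in enumerate(rules, start=1):
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule, count
    return None, len(rules)


def protections_for(rules, src_ip, dst_ip, proto="tcp", port=443):
    """The set of protections actually applied to a flow: only the first
    matching rule's set, never a union of every rule the flow 'passes through'."""
    rule, _ = first_match(rules, src_ip, dst_ip, proto, port)
    return set(rule.protections) if rule else set()


def shadowed_rules(rules):
    """Names of rules that can never match because an earlier rule with the
    same or broader source zone, destination zone and service precedes them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            src_ok = earlier.src_zone in ("ANY", later.src_zone)
            dst_ok = earlier.dst_zone in ("ANY", later.dst_zone)
            svc_ok = not earlier.services or (
                later.services and later.services <= earlier.services)
            if src_ok and dst_ok and svc_ok:
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule table in the layout the question describes: one rule per
# wireless network, then the default LAN to WAN rule.  "WiFi2 to WAN" is
# deliberately missing IPS to show that the default rule does not back it up.
RULES = [
    Rule("WiFi1 to WAN", "WIFI1", "WAN", frozenset(), frozenset({"IPS", "AV", "AppControl"})),
    Rule("WiFi2 to WAN", "WIFI2", "WAN", frozenset(), frozenset({"AV"})),
    Rule("Default LAN to WAN", "LAN", "WAN", frozenset(), frozenset({"IPS", "AV", "AppControl"})),
]

if __name__ == "__main__":
    for src in ("192.168.10.5", "192.168.20.5", "192.168.1.5"):
        rule, n = first_match(RULES, src, "203.0.113.7", "tcp", 443)
        print(f"{src}: matched '{rule.name}' after {n} rule(s); "
              f"protections applied = {sorted(rule.protections)}")
    broad = [Rule("Any to WAN", "ANY", "WAN", frozenset(), frozenset({"IPS"}))] + RULES
    print("shadowed when a broad rule is placed first:", shadowed_rules(broad))
```

Putting a broad rule above the specific ones is the real-world failure mode of a top-to-bottom table: the specific rules still show in the list but never receive traffic, which is why Ian asks whether traffic is being reported against each rule. A rule that shows zero hits while the traffic it was written for is flowing is most likely shadowed by something above it.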

