
Application Filter (App Control) vs Web Policy - Order of Precedence

Hello, 

I have issues understanding what is an Application Filter for and how to use it.  What I understand:

- Web Policies: Allow you to block or allow traffic to users (based on categories/file types, etc.). Only one web policy is meant to be used for a group of users through a firewall rule. If you have multiple rules with multiple web policies, only the first firewall rule/web policy that matches the traffic will be applied (the subsequent ones will be ignored). Source: https://community.sophos.com/xg-firewall/f/discussions/83833/web-policy-and-filtering-not-working-at-all/

- Application Filters: Offers the flexibility of matching traffic by identifying the application related to it (i.e. you can create an application to match anything where SmartFilter = "Netflix", regardless of knowing or not what servers or ip address ranges Netflix uses). 

My scenario:

I want to configure a Web Policy to block users from getting to certain websites at all times, but have the flexibility to enable/disable a firewall rule configured with an Application Filter that matches "Netflix". If the rule is enabled, Netflix will be allowed, otherwise it will be blocked. I don't try to configure this as part of the Web Policy, because I want to be able to turn on/off the "Netflix" application firewall rule manually as needed through the XG's REST API.

What I've tried:

Firewall Rule 1 - Application Filter Allowing Netflix (Smart Filter = "Netflix"). 

Firewall Rule 2 - Web Policy Filter Blocking "Video Hosting" category at all times. 

Issues with this configuration:

- If Rule 1 is enabled, not only Netflix, but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule).

- If I somehow incorporate the Netflix block as part of the Web Policy (provided it is not too difficult to match this type of traffic with the options available), there's no easy way to turn on/off this block from the REST API. Even if I did it manually, I would have to turn on/off a web policy rule (and modify a web policy) frequently, which is less than desirable.

Should I be doing things differently? (Somehow I think it would be easier if we could turn off a Web Policy's "default action" and let the packet match the next rule available. Eventually, it would reach the "Drop All" (last) firewall rule if traffic is not matched by anything.) (To give some background, I come from using Microsoft TMG 2010, and that's how TMG used to work.)

Thanks!



  • - If Rule 1 is enabled, not only Netflix, but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule).

    Forgot to talk about this.

    There's no way to "DENY ALL" and "Allow only X".

    By default the Application Filter will allow all traffic, you can see this while creating the template - It means you will allow all and block what you want.

    Also, you can check the two links above that I sent to you. When traffic matches a single rule - even if there's another rule that it would also match - the inspection will only be applied over that first rule, as I talked about in the example above.

  • Thanks for your reply!  I went through the links you posted.  With all this being said, what I understand is:

    - When you want to control access to a group of computers or users, you should use either an Application Filter OR a Web Policy (on different firewall rules).  (Given that the first rule matched will make the 2nd rule to be ignored).

    - I can use both Application Filter and Web Policy in the same firewall rule. (should I?) (Which one gets evaluated first (Application Filter or Web Policy)?)

    By default the Application Filter will allow all traffic, you can see this while creating the template - It means you will allow all and block what you want.

    I just realized that the OOB Application Filters are always blocking something (instead of "allowing").   All my Application Filter rules were set to "Allow".  I'll change them to "block" instead, to see if I can get the behavior I want. 

    Once I figure this part out and have things working, I'll switch to the other topic, which is being able to turn things on/off through the API.

  • It's quite simple:

    The firewall will match against the classic filters: Source IP, Destination IP and Service(port). You can replace Source IP with a User/Group in XG. 

    As most applications move to 443 for everything, most applications will match against this firewall rule. 

    There is more stuff about this in this recommended read: https://community.sophos.com/xg-firewall/f/recommended-reads/122357/life-of-a-packet---sophos-xg-v18-0

    XG will call for the traffic both filters: Web and Application control.

    Web filter will be used if it's actual "Web based traffic (HTTP/S)". Application control will be used if the web filter cannot verify it. So each module will pick up the matching traffic.
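As an added illustration (not code from the thread or from Sophos), the following Python model reproduces the first-match behaviour the replies describe: a rule is selected on the classic criteria alone, the web filter is consulted before application control, and an application filter template defaults to "allow". The flows, rule names and the single-port match are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class AppFilter:
    # Per-application actions; unlisted apps get the template default (allow).
    actions: Dict[str, str] = field(default_factory=dict)
    default: str = "allow"

@dataclass
class FwRule:
    name: str
    service: int                                        # destination port (classic match)
    enabled: bool = True
    app_filter: Optional[AppFilter] = None
    web_blocked: Set[str] = field(default_factory=set)  # web policy: blocked categories

@dataclass(frozen=True)
class Flow:
    dst_port: int
    app: str        # what application control identifies, e.g. "Netflix"
    category: str   # what the web filter classifies the site as

def evaluate(rules: List[FwRule], flow: Flow) -> Tuple[str, str]:
    # First match wins: only the first enabled rule whose classic criteria
    # (here just the service/port) match is consulted; later rules are ignored.
    for rule in rules:
        if not rule.enabled or rule.service != flow.dst_port:
            continue
        # Web filter is tried first for HTTP/S, then application control.
        if flow.category in rule.web_blocked:
            return rule.name, "block"
        if rule.app_filter is not None:
            return rule.name, rule.app_filter.actions.get(flow.app, rule.app_filter.default)
        return rule.name, "allow"
    return "Drop All", "block"   # implicit final rule when nothing matches

def toggled(rules: List[FwRule], name: str, enabled: bool) -> List[FwRule]:
    """Copy of the rule list with one rule switched on/off (the API toggle)."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]

# Constructed sample flows: both are HTTPS, so both hit the same port-443 rule.
NETFLIX = Flow(443, "Netflix", "Video Hosting")
YOUTUBE = Flow(443, "YouTube", "Video Hosting")

# The original poster's layout: Rule 1 "allows Netflix" on a default-allow template.
ORIGINAL = [FwRule("Rule 1", 443, app_filter=AppFilter({"Netflix": "allow"})),
            FwRule("Rule 2", 443, web_blocked={"Video Hosting"})]
# The layout the replies point toward: allow all, block what you want.
REVISED = [FwRule("Rule 1", 443, app_filter=AppFilter({"Netflix": "block"}))]
```

With ORIGINAL, both flows are allowed by Rule 1 and Rule 2 is never reached; only disabling Rule 1 lets Rule 2 block the category.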
