
Application Filter (App Control) vs Web Policy - Order of Precedence

Hello, 

I have issues understanding what an Application Filter is for and how to use it.  What I understand:

- Web Policies: Allow you to block or allow traffic to users (based on categories/file types, etc.). Only one web policy is meant to be used for a group of users through a firewall rule. If you have multiple rules with multiple web policies, only the first firewall rule/web policy that matches the traffic will be applied (the subsequent ones will be ignored). Source:  https://community.sophos.com/xg-firewall/f/discussions/83833/web-policy-and-filtering-not-working-at-all/ 

- Application Filters: Offer the flexibility of matching traffic by identifying the application related to it (i.e. you can create an application to match anything where SmartFilter = "Netflix", regardless of whether you know what servers or IP address ranges Netflix uses). 

My scenario:

I want to configure a Web Policy to block users from getting to certain websites at all times, but have the flexibility to enable/disable a firewall rule configured with an Application Filter that matches "Netflix".  If the rule is enabled, Netflix will be allowed, otherwise it will be blocked.  I don't try to configure this as part of the Web Policy, because I want to be able to turn the "Netflix" application firewall rule on/off manually as needed through the XG's REST API. 

What I've tried:

Firewall Rule 1 - Application Filter Allowing Netflix (Smart Filter = "Netflix"). 

Firewall Rule 2 - Web Policy Filter Blocking "Video Hosting" category at all times. 

Issues with this configuration:

- If Rule 1 is enabled, not only Netflix, but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule).

- If I somehow incorporate the Netflix block as part of the Web Policy (provided it is not too difficult to match this type of traffic with the options available), there's no easy way to turn this block on/off from the REST API. Even if I did it manually, I would have to turn a web policy rule on/off (and modify a web policy) frequently, which is less than desirable.

Should I be doing things differently?  (Somehow I think it would be easier if we could turn off a Web Policy's "default action", and let the packet match the next rule available. Eventually, it would reach the "Drop All" (last) firewall rule, if traffic is not matched by anything.)  (To give some background, I come from using Microsoft TMG 2010, and that's how TMG used to work.)

Thanks!



  • - If Rule 1 is enabled, not only Netflix, but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule).
    (Somehow I think it would be easier if we could turn off a Web Policy's "default action", and let the packet match the next rule available. Eventually, it would reach the "Drop All" (last) firewall rule, if traffic is not matched by anything.)  (To give some background, I come from using Microsoft TMG 2010, and that's how TMG used to work.)

    There have been two really long conversations here in the community about this; I recommend you read those:

    https://community.sophos.com/xg-firewall/f/discussions/123605/nesting-of-allowed-web-applications-possible

    https://community.sophos.com/xg-firewall/f/discussions/123000/application-control-and-port-dependencies/

    In reality, Sophos XG is an L4 SPI Firewall with its L7 capabilities glued in. When traffic matches the Source/Destination Network + Service, it will only match on that single Rule.

    If you have two Rules:

    1. Allowing NetFlix. Block every other known application.
    2. Allowing O365. Block every other known application.

    Everything will be matched on rule 1). Even though O365 is enabled on the second rule, it will still be blocked, since Sophos XG will match everything over the first rule, because the Firewall is still just an L4 SPI Firewall.

    Also, if you want this to work, you should only use Web Policies, and everything should be done over a single Rule/Policy.

    Thanks!

  • Actually you can do this. It starts to get complicated in the case of "User interaction with Application control". As the App control does not have a user interaction (data), it relies on the Firewall rule to take this over. You are correct about the L4 part, but you could create "one rule" and attach an app control filter with both your filters: allow Netflix + allow O365 + deny everything else. 

  • You are correct about the L4 part, but you could create "one rule" and attach an app control filter with both your filters: allow Netflix + allow O365 + deny everything else. 

    Thanks! That's exactly what I was going to write later on.

    The best practice is to have a single Rule that applies both Web & App filtering for a desired User or Group.
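The following Python model is an added example, not part of this thread or of Sophos' own code. It simulates the behaviour the two replies above describe: rule selection happens on L4 criteria only (source, destination, service), the first rule whose L4 criteria match is the only rule consulted, and the attached application filter decides inside that rule, with traffic the filter does not name falling back to the rule's own action rather than to the next rule. The rule names, flow values and the "application filter as a list of (app, action) entries" model are constructed for illustration; the "Drop All" fallback stands in for the implicit final rule. It reproduces the asker's symptom (an any/any/any rule with only "allow Netflix" lets everything through), the two-rule pitfall from the first reply (O365 never reaches rule 2), and the single-rule layout the thread settles on.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of an L4 stateful firewall with an application filter
# attached to each rule. Assumption: simplified for illustration, not Sophos code.


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str  # e.g. "tcp/443"
    app: str      # application name assigned by the L7 engine, e.g. "Netflix"


@dataclass
class Rule:
    name: str
    src: str = "any"
    dst: str = "any"
    service: str = "any"
    action: str = "accept"  # rule action for traffic the app filter does not name
    # app filter entries: (application name or "*" for everything else, "allow"/"deny")
    app_filter: List[Tuple[str, str]] = field(default_factory=list)
    enabled: bool = True

    def matches_l4(self, flow: Flow) -> bool:
        """Rule selection consults only source, destination and service."""
        if not self.enabled:
            return False
        return all(want in ("any", got) for want, got in
                   ((self.src, flow.src), (self.dst, flow.dst), (self.service, flow.service)))

    def l7_verdict(self, flow: Flow) -> str:
        """The app filter decides inside the selected rule; unnamed apps get the rule action."""
        for app, action in self.app_filter:
            if app == "*" or app == flow.app:
                return action
        return "allow" if self.action == "accept" else "deny"


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First match on L4 wins; an L7 miss never falls through to the next rule."""
    for rule in rules:
        if rule.matches_l4(flow):
            return rule.name, rule.l7_verdict(flow)
    return "Drop All", "deny"  # implicit final rule


# Constructed sample flows from one client to a documentation-range address.
FLOWS: Dict[str, Flow] = {
    "Netflix":      Flow("10.0.0.5", "203.0.113.10", "tcp/443", "Netflix"),
    "YouTube":      Flow("10.0.0.5", "203.0.113.11", "tcp/443", "YouTube"),
    "Office 365":   Flow("10.0.0.5", "203.0.113.12", "tcp/443", "Office 365"),
    "Unclassified": Flow("10.0.0.5", "203.0.113.13", "tcp/443", "Unclassified"),
}


def run(rules: List[Rule]) -> Dict[str, Tuple[str, str]]:
    return {label: evaluate(rules, flow) for label, flow in FLOWS.items()}


def askers_layout(rule1_enabled: bool) -> Dict[str, Tuple[str, str]]:
    """Rule 1 allows Netflix only; Rule 2 stands in for the web policy blocking video hosting."""
    return run([
        Rule("Rule 1 - allow Netflix", app_filter=[("Netflix", "allow")], enabled=rule1_enabled),
        Rule("Rule 2 - web policy stand-in", app_filter=[("Netflix", "deny"), ("YouTube", "deny")]),
    ])


def two_rule_layout() -> Dict[str, Tuple[str, str]]:
    """First reply's pitfall: each rule allows one app and denies the rest."""
    return run([
        Rule("Rule 1 - Netflix only", app_filter=[("Netflix", "allow"), ("*", "deny")]),
        Rule("Rule 2 - O365 only", app_filter=[("Office 365", "allow"), ("*", "deny")]),
    ])


def single_rule_layout() -> Dict[str, Tuple[str, str]]:
    """Thread's conclusion: one rule, one filter: allow Netflix + allow O365 + deny everything else."""
    return run([
        Rule("Single rule", app_filter=[("Netflix", "allow"), ("Office 365", "allow"), ("*", "deny")]),
    ])


if __name__ == "__main__":
    for title, result in (("asker, rule 1 on", askers_layout(True)),
                          ("asker, rule 1 off", askers_layout(False)),
                          ("two rules", two_rule_layout()),
                          ("single rule", single_rule_layout())):
        print(title)
        for label, (rule, verdict) in result.items():
            print(f"  {label:13} -> {verdict:5} ({rule})")
```

With Rule 1 enabled, YouTube and unclassified traffic are allowed because Rule 1 is selected on L4 and its filter only names Netflix, so the rule's accept action applies; disabling Rule 1 is the only thing that lets Rule 2 see the traffic. In the two-rule layout, Office 365 is denied by Rule 1 and never reaches Rule 2, while the single-rule layout yields the intended verdicts.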