
Application Filter (App Control) vs Web Policy - Order of Precedence

Hello, 

I have issues understanding what an Application Filter is for and how to use it.  What I understand:

- Web Policies: Allow you to block or allow traffic to users (based on categories/file types, etc.). Only one web policy is meant to be used for a group of users through a firewall rule. If you have multiple rules with multiple web policies, only the first firewall rule/web policy that matches the traffic will be applied (the subsequent ones will be ignored). Source: https://community.sophos.com/xg-firewall/f/discussions/83833/web-policy-and-filtering-not-working-at-all/

- Application Filters: Offer the flexibility of matching traffic by identifying the application related to it (i.e. you can create an application to match anything where SmartFilter = "Netflix", regardless of whether you know what servers or IP address ranges Netflix uses).

My scenario:

I want to configure a Web Policy to block users from getting to certain websites at all times, but have the flexibility to enable/disable a firewall rule configured with an Application Filter that matches "Netflix".  If the rule is enabled, Netflix will be allowed; otherwise it will be blocked.  I don't try to configure this as part of the Web Policy, because I want to be able to turn the "Netflix" application firewall rule on/off manually as needed through the XG's REST API.

What I've tried:

Firewall Rule 1 - Application Filter Allowing Netflix (Smart Filter = "Netflix"). 

Firewall Rule 2 - Web Policy Filter Blocking "Video Hosting" category at all times. 

Issues with this configuration:

- If Rule 1 is enabled, not only Netflix but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule.)

- If I somehow incorporate the Netflix block as part of the Web Policy (provided it is not too difficult to match this type of traffic with the options available), there's no easy way to turn this block on/off from the REST API. Even if I did it manually, I would have to turn a web policy rule on/off (and modify a web policy) frequently, which is less than desirable.

Should I be doing things differently?  (Somehow I think it would be easier if we could turn off a Web Policy's "default action", and let the packet match the next rule available. Eventually, it would reach the "Drop All" (last) firewall rule, if traffic is not matched by anything.)  To give some background, I come from using Microsoft TMG 2010, and that's how TMG used to work.

Thanks!



  • - If Rule 1 is enabled, not only Netflix but ALL traffic is allowed.  Why? (I thought the Application Filter would only match the configured criteria, and let the traffic be matched by the next rule.)

    Forgot to talk about this.

    There's no way to "DENY ALL" and "Allow only X".

    By default the Application Filter will allow all traffic; you can see this while creating the template - it means you will allow all and block what you want.

    Also, you can check the two links above that I sent to you. When traffic matches a single rule - even if there's another rule that it would also match - the inspection will only be applied over that first rule, as I talked about in the example above.

  • That's actually not quite correct - you can specify within an Application Filter rule the "Default action" and select Allow/Deny. This means, if something is not caught by your filter, it will be allowed or blocked. So you can follow the block or whitelist approach in application filtering.

  • The "Default Action" of "Deny All" was removed a while ago.

    By default all applications are allowed through an "Allow All" template. And there are a lot of issues with this.

    Even if you create an Application Policy and select all applications with the "Action" as Deny, any application that isn't identifiable by the IPS Engine will pass through the firewall.

    Even then, there are multiple applications where you can't just block all and allow "HTTP", since most of the time an application has its own identifier and won't be allowed as "HTTP".

  • Thanks Toni!  I saw you could set the "Default action" at the end of an Application Filter (to Allow/Deny all).  My problem with that is it's all or nothing.

    Here's what I am trying to solve. I want to be able to block the whole "Video Hosting" category from a Web Policy perspective, and only allow certain sites (or applications), like Netflix or YouTube, as needed (through separate Firewall Rules).  In my mind this can work in 2 ways:

    Approach 1: Allowing Netflix through Application Filter:

        Firewall Rule 1 - Application Filter - Allow smart Filter "Netflix" 

        Firewall Rule 2 - Web Policy - Block "Video Hosting". 

    Approach 2: Blocking Netflix through Application Filter:

        Firewall Rule 1 - Application Filter - Block smart Filter "Netflix" 

        Firewall Rule 2 - Web Policy - Allow "Video Hosting". 

    Summary of Approach 1:

    It doesn't work, since I found that turning on Rule #1 will allow everything (not just Netflix).   I also tried having the Default Action of "Deny All" at the end of the Application Filter, and it blocked everything (as expected), but blocking ALL internet other than Netflix is not an option.

    Summary of Approach 2:

    It works, but not as I expect. In this case, I can individually block or allow Netflix by turning Rule 1 on/off. The problem here is that Rule 2 will allow every other Video Hosting site through. Since there can be hundreds of video hosting sites out there, I won't be able to just allow Netflix and block the rest of "Video Hosting".  Thoughts on how to achieve this?

  • Here's what I am trying to solve. I want to be able to block the whole "Video Hosting" category from a Web Policy perspective, and only allow certain sites (or applications), like Netflix or YouTube, as needed (through separate Firewall Rules).  In my mind this can work in 2 ways:

    You cannot do this with Sophos XG.

    In reality you can't have two different rules with the same Source/Destination Networks + Services applying different filtering, since everything will be matched by the first valid L4 rule.

    The recommendation is to have a single rule per user or group that applies both Web and Application Filtering together.
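    The evaluation order the replies above describe (the first enabled rule whose L4 criteria match owns the flow, its Application Filter default action decides unlisted applications, and there is no fall-through to later rules) can be reproduced as a small rule-walk model of the two approaches listed in the previous post. This is an added illustration, not Sophos code; the flow names, the same-L4-criteria assumption and the "Allow"/"Deny" verdict strings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model (not Sophos code) of the order described above: rules are walked
# top-down, the first enabled rule whose L4 criteria match owns the flow, and only
# that rule's filters apply. Assumed: all rules below share identical L4 criteria.

@dataclass
class Flow:
    app: Optional[str]       # application as identified by the engine, None if unknown
    category: Optional[str]  # web category of the destination, None if uncategorised
@dataclass
class AppFilter:
    actions: Dict[str, str]  # application -> "Allow" | "Deny"
    default: str = "Allow"   # action for applications the filter does not list
@dataclass
class WebPolicy:
    actions: Dict[str, str]  # category -> "Allow" | "Deny"
    default: str = "Allow"
@dataclass
class FirewallRule:
    name: str
    enabled: bool = True
    app_filter: Optional[AppFilter] = None
    web_policy: Optional[WebPolicy] = None

def decide(rules, flow) -> Tuple[str, str]:
    for rule in rules:
        if not rule.enabled:
            continue  # a disabled rule is skipped, so the next rule sees the flow
        verdict = "Allow"
        if rule.app_filter:
            verdict = rule.app_filter.actions.get(flow.app, rule.app_filter.default)
        if verdict == "Allow" and rule.web_policy:
            verdict = rule.web_policy.actions.get(flow.category, rule.web_policy.default)
        return rule.name, verdict  # no fall-through once the L4 criteria matched
    return "Drop All", "Deny"      # implicit last rule

# Constructed sample flows: Netflix, some other video-hosting site, plain browsing.
FLOWS = [Flow("Netflix", "Video Hosting"), Flow("OtherVideo", "Video Hosting"), Flow("HTTP", "News")]

def approach_one(rule1_enabled=True, app_default="Allow"):  # Rule 1 allows Netflix, Rule 2 blocks Video Hosting
    rules = [FirewallRule("Rule 1", rule1_enabled, AppFilter({"Netflix": "Allow"}, app_default)),
             FirewallRule("Rule 2", web_policy=WebPolicy({"Video Hosting": "Deny"}))]
    return {f.app: decide(rules, f) for f in FLOWS}

def approach_two(rule1_enabled=True):  # Rule 1 blocks Netflix, Rule 2 allows Video Hosting
    rules = [FirewallRule("Rule 1", rule1_enabled, AppFilter({"Netflix": "Deny"})),
             FirewallRule("Rule 2", web_policy=WebPolicy({"Video Hosting": "Allow"}))]
    return {f.app: decide(rules, f) for f in FLOWS}
```

    With the model, Approach 1 lets every flow through Rule 1 while it is enabled (or blocks everything but Netflix with a Deny default), and Approach 2 lets every other Video Hosting flow through Rule 1's Allow default; neither arrangement yields "Netflix only, block the rest", which is the limitation the reply above describes.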

  • Thanks Prism. Interesting.   I don't think my request is too out of the ordinary though.

    Since having a single rule per user or group is a restriction of the product, it doesn't make much sense to even use an Application Filter in this case (just the Web Policy).  The Application Filter's flexibility and potential is hampered by these limitations.

    I can make things work (with a little more effort) if I know what's behind the "Video Hosting" category. Is there a way to know what sites (or domains) are covered under "Video Hosting"?  

  • Is there a way to know what sites (or domains) are covered under "Video Hosting"?  

    There's no way to get a list of those domains.

    But you can use the URL Category Lookup function in the "Diagnostics" tab inside the WebAdmin of Sophos XG to see what the classification of a certain domain is.
