Question about specific features in XG Firewall

Hello, I attended a webinar today about XG Firewall and its general features and usage. During the webinar, the presenter mentioned that Sophos XG Firewall is able to know if a device has red health and then prevent it from reaching out to the internet or connecting to other devices on the network. I understand this feature as a concept because we utilize Sophos Endpoint protection in our environment, but my question is: How does XG Firewall differ in this regard from running only Endpoint protection? Doesn't Endpoint protection already provide this functionality through Auto-Isolating? What new features would XG Firewall bring to the table in a scenario such as this? 



  • I am not 100% sure, but as far as I remember some consultants told me that if you route client traffic through the firewall, the firewall can also isolate a client. In Sophos Endpoint protection the client isolates itself, which theoretically might be broken by some malware residing on the client.

  • We're using this feature and this is what we expect from it. But as far as I know, the decision whether a client is to be isolated is always made by the Intercept X client; the XG firewall cannot decide to isolate a client and push that information to Central. Sophos, correct me if I'm wrong.

    Besides complete client isolation, you can also define what happens if the client has a state other than green: red or yellow.

    So, for example, when a reboot is pending because the Sophos client needs one, the status changes from green to yellow. Now we have rules to secured servers that don't allow traffic while the client is in that state. Other rules still apply, depending on our settings. So, for example, the client can still resolve names or contact DHCP but is not allowed to contact a file server etc.

    This works but sometimes our users complain they cannot reach this or that server and our support then needs to check if the Sophos Endpoint agent on the client requires a reboot. The Sophos software on the computer does not tell the user about the pending reboot. You need to open the Endpoint Agent to see that information.


  • There are different modules active. 

    First, the endpoint itself can isolate everything to stop communicating with anybody any more. So it builds up a firewall to stop communication. But as the client is potentially affected, this can fail.

    Then there are the HB source/destination firewall rules. You can use a specific state of the destination and/or source of the client/server to specify whether the client should be able to communicate. For example, if the client is RED, it will not be allowed to communicate through the XG Firewall to specific other hosts or the WAN.

    Then there is lateral movement prevention. Basically, XG will tell the other clients in the same broadcast domain to stop communicating with this host. This is done on an ARP/MAC level to make sure no other client will communicate via the switch with the infected host.

    The status (RED, GREEN, YELLOW) can be set by the client or the XG Firewall. If the XG senses an ATP alert, for example, it will push a new status to the client and trigger certain mechanisms.
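The two replies above describe the same mechanism: a firewall rule can carry a minimum source-health condition, first match wins, and a client that has dropped to yellow (pending reboot) or red still gets its infrastructure traffic while losing access to the secured servers, which is what the helpdesk then has to explain. The following is an added example, not Sophos code and not the XG rule engine itself: a constructed rule set, a simplified model of how an agent derives its status (an assumption, not the vendor's exact logic), and a `diagnose` helper that reports whether a deny was caused by the health condition rather than by a missing rule.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional, Tuple


class Health(IntEnum):
    """Endpoint health as reported by the heartbeat; higher is healthier."""
    RED = 0
    YELLOW = 1
    GREEN = 2


@dataclass(frozen=True)
class Rule:
    """One firewall rule with an optional minimum source-health condition."""
    name: str
    services: FrozenSet[str]           # empty set = any service
    min_src_health: Optional[Health]   # None = no heartbeat condition on the source
    action: str                        # "allow" or "deny"

    def matches(self, service: str, src_health: Optional[Health]) -> bool:
        if self.services and service not in self.services:
            return False
        if self.min_src_health is not None:
            # A device with no heartbeat at all (unmanaged, agent stopped) never
            # satisfies a health condition, so it falls through to later rules.
            if src_health is None or src_health < self.min_src_health:
                return False
        return True


# Constructed rule set modelled on the thread (assumption, not a real policy):
# name resolution and DHCP stay open regardless of health, secured servers
# require GREEN, WAN browsing tolerates YELLOW. Anything unmatched is denied.
RULES: List[Rule] = [
    Rule("infra-services", frozenset({"dns", "dhcp"}), None, "allow"),
    Rule("secured-servers", frozenset({"smb"}), Health.GREEN, "allow"),
    Rule("wan-browsing", frozenset({"https"}), Health.YELLOW, "allow"),
]


def evaluate(rules: List[Rule], service: str,
             src_health: Optional[Health]) -> Tuple[str, str]:
    """First matching rule wins; returns (action, rule name)."""
    for rule in rules:
        if rule.matches(service, src_health):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def agent_health(detection_active: bool, reboot_pending: bool) -> Health:
    """Simplified model of how the endpoint agent derives its own status
    (an assumption for this example, not the vendor's exact logic)."""
    if detection_active:
        return Health.RED
    if reboot_pending:
        return Health.YELLOW
    return Health.GREEN


def diagnose(rules: List[Rule], service: str, src_health: Optional[Health]) -> str:
    """Explain a deny the way support in the thread has to: was it the health bar?"""
    action, name = evaluate(rules, service, src_health)
    if action == "allow":
        return f"allowed by {name}"
    for rule in rules:
        # An allow rule for this service exists, but its health condition was not met.
        if (rule.action == "allow" and rule.min_src_health is not None
                and (not rule.services or service in rule.services)):
            seen = src_health.name if src_health is not None else "NONE"
            return (f"denied: {rule.name} needs source health >= "
                    f"{rule.min_src_health.name}, client reports {seen}; "
                    f"check the endpoint agent (e.g. pending reboot)")
    return f"denied by {name}: no rule permits {service}"


if __name__ == "__main__":
    yellow = agent_health(detection_active=False, reboot_pending=True)
    print(evaluate(RULES, "dns", yellow))   # ('allow', 'infra-services')
    print(evaluate(RULES, "smb", yellow))   # ('deny', 'implicit-deny')
    print(diagnose(RULES, "smb", yellow))
```

The `diagnose` output is the check the reply above says support has to perform by hand: when a yellow client cannot reach the file server, the rule set itself tells you that the health condition, not a missing rule, is the cause, which points straight at the agent's pending-reboot state.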