SSL VPN Rule Setup

Hi Everyone, I have somewhat of a quick question regarding optimizing but still maintaining security when it comes to setting up the SSL VPN firewall rule. When I originally set up the rule I was very new to creating rules and using an actual firewall, and one thing I did do when setting up the VPN rule was to configure the Advanced area of the rule, so I have set the following:

Intrusion Prevention - WAN to LAN

Web Policy - Default Work Policy

Application Control - Custom Application Block

Overall users connect, but I do get a few grumbles that things are slow, like saving files, accessing folders, etc. I have always thought there isn't much I can do, but I'm now thinking having IPS on the rule may be contributing. I'm still very nervous about change without consulting the seasoned users and more experienced firewall users to get their feedback.

Any recommended firewall rule configurations that don't jeopardize security but yet optimize the users' connecting experience?

Thank you



This thread was automatically locked due to age.
  • FormerMember

    Hi, Thanks for reaching out to Sophos Community. 

    I suggest creating a custom optimized IPS policy with the components that you have in the network. For example, the IPS policy you've selected may have signatures for Linux machines or any specific server application-related signatures. That could affect the performance.

    Also, if the rule is for SSL VPN (VPN to LAN) users, remove the web proxy if these users are simply accessing network resources (shared folders, file servers, etc.).

  • Thank you, do these recommendations apply to split-tunnelling, as in my case, as well? By web proxy do you mean remove the web policy setting? Thank you

  • FormerMember in reply to SophosNewby

    Yeah, it does apply in a split-tunnel configuration as well since you'll be allowing access to the internal resources. 

    By web proxy do you mean remove the web policy setting?

    Yes, you can just keep "Allow All" as an action. That will basically be taking actions on the web traffic, and since this is a split tunnel, I think there won't be a need as such to block any web traffic. (Unless you're looking to block some internal URLs.)
