Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 28 subscribers
  • Views 933 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Zone/Network/Devices Relationship

DS7109

Hi, I've moved to SFOS 19.5 from UTM9 and having some trouble getting my head around a couple of the concepts.

One of them is the Zone/Network/Devices model that SFOS uses;

What's the relationship between Zones, and Networks and Devices when creating firewall rules?  Sophos documentation describes zones in the context of firewall rules as being a way to manage security for a group of interfaces.  Seems straightforward enough and I initially thought it was saying "traffic from these source networks in these source zones".  However this can't be right as it allows me to create a rule with a [Zone=WAN] and [Networks and Devices=LAN Subnet] for example. This would obviously be nonsense in a firewall rule, so whats the actual relationship between source "Zone" and source "Networks and Devices"?  How would the firewall process the traffic in a nonsensical rule where I'm specifying resources in a zone they don't belong to, like in the example above?  Are the objects specified matched by logical AND, or logical OR? (or neither)?

Must admit, I'm finding Sophos' documentation in general to be a bit lacking in depth. It only really provides the most basic of information on each topic.

TIA for any clarity on this.  



This thread was automatically locked due to age.
Parents
  • 0

    Zones are virtual definition on a Interface. Each and every interface has to be in a zone (virtual or physical interface).

    You can use this zone to define Firewall rules - Within the firewall rule, everything is covered, coming from this interface.

    In a way, it is like the "Network Interface object in UTM" just without the IP stuff. 

    You can always use WAN + ANY or LAN + ANY and it will cover all the traffic of this particular interface(s). No need to use the network / device. If you want to be more granular, you can do it. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thanks.  So that much I understood but I don't get why I can mix zones and network/device objects of 'incompatible' types.

    In a rule that allowed the following source objects:

    • WAN in Zones
    • 192.168.0.5 in Networks/Devices (but not 'Any')

    What would actually trigger this rule? Not that I'd ever do this, but understanding this will help me to understand the overall concept.

    At the moment it seems to me that specifying Zones is somewhat redundant, as you can specify any type of object be it a system host object, IP Group, single IP etc, in Networks/Devices, and achieve the same result.

  • +1 in reply to DS7109

    Simply because you can build all sorts of setups, which does not make sense in the first place but could potentially occur.

    You could for example build a routing setup, which gives your your 192.168.0.5 from a WAN Based interface. For example MPLS, which you define as WAN, but still gives you such traffic. 
    SFOS simply does not stop you by doing such configuration for what ever reason you think, this could occur.

    It is not a OR connection, but statements have to be true (AND).

    You could potentially use ANY Zone for everything and simply copy paste the rule set of UTM.

    But from my point of view, i love to stop thinking about IP subnets and simply use the zones.

    Creating a Zone for Printer. Make DHCP for Printer Interface. Generate a LAN to Printer Firewall rule with the ports i need - Done. No need to create or think about what kind of IP subnet range in Printer is used. And no need to think about all the internal networks, which are LAN, they will be all considered to be true. 

    Another example is the LAN interface. You could create a new zone like "Clients". Then you put all VLANs into this zone Clients. You have 10 VLANs with different IP Subnet and you can simply create a Client to Client Rule without taking care of "What subnet ranges should be connected. It will be used by the SFOS. 

    Another example is the default zone VPN. All clients within VPN (Remote access and site to site) are considered to be VPN. So you can allow VPN to your server by using one firewall rule, which is clean and not packed with alot of subnet interfaces. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    That's the best explanation I've seen. Much clearer now. Thank you.

  • 0 in reply to LuCar Toni

    Thank you for the explanation. I am not clear about your use of the ZONE VLAN, what value do you put in the network field? Wouldn't you create an IP group in preference to a VLAN zone?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Reply
  • 0 in reply to LuCar Toni

    Thank you for the explanation. I am not clear about your use of the ZONE VLAN, what value do you put in the network field? Wouldn't you create an IP group in preference to a VLAN zone?

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

Children
No Data
Unfiltered HTML