Sophos Firewall App control without Endpoint Agent?

Question

We have a customer who uses Sophos Firewall (SFOS 19.5) but has a third party antivirus tool. So no Endpoint Agent and no Intercept X is installed on the client PCs. 
 Does it make sense at all to use App control in the Firewall Rules in this scenario? 
 If so: How would Sophos Firewall possibly identify, which App tries to make a connection? 
 If not: What could be the cause that App control blocks one PC from getting Mails with Outlook / POP3 / Port 995? The problem is just with one PC and it's gone when we deactivate App control in the LAN-to-WAN-Allow firewall rule. 
 
 Thank you for your input. 
 Wolfgang

rfcat_vk · Answer

Hi, 
 there's a detailed explanation in the KBA. I will try a simplified version. 
 Implementation requires 
 1/. create your own application policy 
 2/. install CA on end devices 
 3/. use IPS in the firewall rule 
 4/. I prefer to use the web proxy as well with my own policy 
 5/. I also use a drop/reject firewall rule with the IP address of the site/s 
 
 What you will observe in logviewer 
 1/. in the firewall view you will see that the application is allowed 
 2/. in the application view you weill see the application blocked 
 Daily report 
 1/. shows the application is passing traffic 
 2/. the next section (blocked) will show the application is blocked. 
 
 The process for application blocking relies on packet inspection so that is why you see apparently valid traffic, where as the web blocking is done on URL. 
 I hope this simplified explanation helps? 
 Ian

Sophos Firewall App control without Endpoint Agent?

Top Replies