Sophos Firewall App control without Endpoint Agent?

We have a customer who uses Sophos Firewall (SFOS 19.5) but has a third party antivirus tool. So no Endpoint Agent and no Intercept X is installed on the client PCs.

Does it make sense at all to use App control in the Firewall Rules in this scenario?

If so: how would Sophos Firewall possibly identify which app tries to make a connection?

If not: what could be the cause that App control blocks one PC from getting mail with Outlook / POP3 / Port 995? The problem is just with one PC and it's gone when we deactivate App control in the LAN-to-WAN-Allow firewall rule.

Thank you for your input.

Wolfgang



  • Hi Erick, thank you for your quick response.

    Do you know if Sophos explains somewhere the principle of operation of Firewall Application control w/o Sophos Endpoint? Does it just guess the application from the traffic behavior? And if so: how reliable can it be?

    And are you sure that a blocked app would show up in the log viewer? I investigated earlier and I could not see any block and I wonder if a second look will be worthwhile.

    Thanks again, regards, Wolfgang

  • Hi,

    there's a detailed explanation in the KBA. I will try a simplified version.

    Implementation requires

    1/. create your own application policy

    2/. install CA on end devices

    3/. use IPS in the firewall rule

    4/. I prefer to use the web proxy as well with my own policy

    5/. I also use a drop/reject firewall rule with the IP address of the site/s

    What you will observe in logviewer

    1/. in the firewall view you will see that the application is allowed

    2/. in the application view you will see the application blocked

    Daily report

    1/. shows the application is passing traffic

    2/. the next section (blocked) will show the application is blocked.

    The process for application blocking relies on packet inspection, so that is why you see apparently valid traffic, whereas the web blocking is done on URL.

    I hope this simplified explanation helps?

    Ian

    XG115W - v19.5.1 mr-1 - Home

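The behaviour Ian describes above, where the firewall view logs the connection as allowed while the application view logs it as blocked, as an added Python example. This is not Sophos code and it does not reproduce the SFOS classifier; the signature table, the blocked category, the log line format and the sample flows are constructed assumptions. It shows one payload clue a packet-inspecting classifier can use without any endpoint agent, the Server Name Indication in a TLS ClientHello, and then applies the two stages in order: the address/port firewall rule first, then application control on the inspected payload.

```python
import struct
from dataclasses import dataclass

# Constructed signature table (hypothetical, not Sophos's proprietary set):
# TLS SNI seen in the first client packet -> (application name, category).
APP_SIGNATURES = {
    "pop.example.com": ("Outlook POP3S", "Mail"),
    "cdn.example.net": ("Example Game Updater", "Gaming"),
}

# Hypothetical application-control policy: categories the policy denies.
BLOCKED_CATEGORIES = {"Gaming"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server bytes of the connection


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension (sample data)."""
    name = sni.encode("ascii")
    sni_ext = (b"\x00\x00" + struct.pack("!H", len(name) + 5)      # ext type 0, ext length
               + struct.pack("!H", len(name) + 3) + b"\x00"         # name list length, host_name type
               + struct.pack("!H", len(name)) + name)
    body = (b"\x03\x03" + bytes(32)                   # client version, random
            + b"\x00"                                 # session id length 0
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent."""
    if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                  # skip version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # session id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # compression methods
    if len(body) < pos + 2:
        return None
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(end, len(body)):         # walk the extensions
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(edata) >= 5:        # server_name extension
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def classify(flow: Flow):
    """Payload-only classification: no endpoint agent tells us the process name."""
    sni = extract_sni(flow.payload)
    if sni is None:
        return ("Unclassified", None)
    return APP_SIGNATURES.get(sni, ("Unknown TLS", None))


def evaluate(flow: Flow):
    """Stage 1: LAN-to-WAN allow rule (addresses/port). Stage 2: app control on payload."""
    firewall_verdict = "Allowed"                  # the rule itself matches, so the firewall view logs Allowed
    app, category = classify(flow)
    app_verdict = "Denied" if category in BLOCKED_CATEGORIES else "Allowed"
    logs = [
        f"[firewall]    {flow.src}->{flow.dst}:{flow.dport} rule=LAN-to-WAN status={firewall_verdict}",
        f"[application] {flow.src}->{flow.dst}:{flow.dport} app={app!r} category={category} status={app_verdict}",
    ]
    return firewall_verdict, app_verdict, app, logs


if __name__ == "__main__":
    # Constructed sample flows: a POP3S mail fetch and a blocked-category update check.
    for f in (Flow("192.168.1.10", "203.0.113.5", 995, build_client_hello("pop.example.com")),
              Flow("192.168.1.10", "203.0.113.9", 443, build_client_hello("cdn.example.net"))):
        for line in evaluate(f)[3]:
            print(line)
```

The two log lines per flow are the point: the firewall entry is written when the rule matches, before any payload has been seen, so it reads Allowed even for a flow that application control later denies. A flow whose first packet is not a ClientHello (or whose SNI is not in the table) stays Unclassified and falls through to the default, which is why a classifier of this kind can only be as reliable as its signature set.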