Firewall Policies in Zones like in Cyberoam OS?

The new "flat" policies in SFOS XG are nowhere near as logical as Cyberoam's view, where everything had a policy based on the zones it applied to (LAN->WAN, WAN->LAN, VPN->LAN, VPN->LAN).



This thread was automatically locked due to age.
  • David,

    can you explain what your doubts are? XG uses zone and network objects in order to filter traffic. Also, on the same policy it is possible to apply filters per user/group.

  • In Cyberoam OS (and firewalls like Sonicwall and others) policies were segmented by the TWO zones they crossed, be it LAN->WAN, WAN->LAN, VPN->LAN, LAN->VPN, LAN->DMZ, etc.

    Whilst this does have the disadvantage that if you want to create a policy that applies to multiple source and/or destination zones, you had to create multiple policies, it resulted in the firewall policies being neatly laid out in a fashion that made them very easy to work with and manage.

    In the current version of Sophos OS (XG), the policies are listed in a top-down approach, with no separation between what zones they apply to.

    This makes it much harder (IMO) to try and manage your policies and keep them in the correct order (if one policy possibly overrules another, if matched first).

    I can in some way understand why this method may have been chosen, but it just ends up feeling less organised.

  • DavidRudduck, I quote you 100%.

    Maybe there is a logic behind it, but this rule management mode is insane!

    I think it would not be so difficult to build a filter or different view modes, selectable by the user, that "group" the zones together.

    I have 150 rules all together, and we are small; I cannot imagine larger companies having VPN user, business and network policies together... and with truncated voices in the list if too long...

    I hope that in future releases this will be changed or improved.

    Simone

  • Hi Simone,

    I completely agree with the segregation by zones, and with version 16 launched the UI has improved, which was a mimic of Cyberoam. The Cyberoam UI is popular and easy to understand, but as you use the rules in XG you will notice that it requires a smaller number of rules, and multiple zones can be configured on a single rule. We are always open to suggestions to build the product better. The architecture has changed and so has the structure. Numbers of rules are managed easily on XG as the policy info is mentioned in the rule description.

    Thanks and regards

    Aditya Patel | Network and Security Engineer.

  • Everyone has a different view and needs. I never liked Cyberoam UI and all the zones separation like Fortigate for example (this is my view).

    As Aditya said, XG requires fewer policy rules, and fewer still with v16 (if you think about the improvement made with Web Filtering, and as I know IPS and Application Filter will follow the Web section).

    What I am missing is groups from UTM9, where you can create a group of views from a drop-down list and move rules into your own group. This allows a lot of flexibility.

    With UTM9 I am able to manage 4000 users with an SG650 without big problems, viewing using groups.

    Imagine LAN to WAN, how many rules you have under this view. If XG implements groups in combination with the filters that can be applied, we are at a good point.

    Rules should also take less space (every rule is too big).

    That is my opinion!

  • There needs to be some way to better display the rule sets.

    I can see advantages of allowing one rule to apply to multiple zones, but inversely attempting to navigate through the rule list can be cumbersome. The other day I had a rule that was overlapping another rule, even though it shouldn't have been. So I had to move it to the top of my list.

    I came from a pfSense and SonicWall world, where everything was based on where it went from and where it was going to, much like Cyberoam's style. This made a lot of sense. It made it very easy to quickly create and manage rules, and to order them based on which ruleset should apply first.

    By allowing one rule to have multiple zones, the order of when a rule may or may not fire becomes very confusing and you have to be extremely aware of what you're doing.

    PS: I do find it ironic that the UI is looking more and more like Cyberoam and less and less like the attempt to make it 'super pretty' as in the earlier releases of Copernicus/XG. Cyberoam UI may not have been pretty, but it was logical and it worked.
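The two complaints running through this thread, that a flat first-match list with multi-zone rules hides which rules overlap, and that a per-zone-pair layout makes ordering easy to reason about, can both be checked mechanically. The following is an added example, not code from the thread, from Sophos XG or from Cyberoam: a small Python analyzer for a constructed rule list in which each rule may span several source and destination zones. It renders a per-zone-pair view (the Cyberoam-style grouping the posters miss) and flags rules that an earlier rule fully shadows (they never fire) or partially overlaps with a conflicting action (the situation where a rule had to be moved to the top). Rule names, zones and services are all made up for the example.

```python
"""Flat first-match firewall rule analyzer (added example; constructed data)."""
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    services: FrozenSet[str]   # the literal "any" matches every service
    action: str                # "allow" or "deny"


def rule(name, src, dst, services, action) -> Rule:
    """Convenience constructor so the sample table below stays readable."""
    return Rule(name, frozenset(src), frozenset(dst), frozenset(services), action)


# Constructed sample rule base, in first-match order (top wins).
RULES: List[Rule] = [
    rule("allow-lan-any-web",        ["LAN"],          ["WAN"],        ["http", "https"], "allow"),
    rule("deny-guest-to-lan",        ["GUEST"],        ["LAN", "DMZ"], ["any"],           "deny"),
    rule("allow-vpn-and-lan-to-dmz", ["VPN", "LAN"],   ["DMZ"],        ["any"],           "allow"),
    rule("allow-lan-https",          ["LAN"],          ["WAN"],        ["https"],         "allow"),
    rule("deny-vpn-to-dmz-ssh",      ["VPN"],          ["DMZ"],        ["ssh"],           "deny"),
    rule("deny-lan-to-wan-http",     ["LAN", "GUEST"], ["WAN"],        ["http"],          "deny"),
]


def zone_pair_view(rules: List[Rule]) -> Dict[Tuple[str, str], List[str]]:
    """Group rule names by (src, dst) zone pair, preserving first-match order.

    A rule spanning several zones appears under every pair it covers, which is
    exactly what a zone-segmented UI would show for it.
    """
    view: Dict[Tuple[str, str], List[str]] = {}
    for r in rules:
        for pair in product(sorted(r.src_zones), sorted(r.dst_zones)):
            view.setdefault(pair, []).append(r.name)
    return view


def services_overlap(a: FrozenSet[str], b: FrozenSet[str]) -> bool:
    return "any" in a or "any" in b or bool(a & b)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already matched by `earlier`."""
    return (later.src_zones <= earlier.src_zones
            and later.dst_zones <= earlier.dst_zones
            and ("any" in earlier.services or later.services <= earlier.services))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed, shadowing) pairs: the shadowed rule can never fire."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found


def conflicting_overlaps(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(later, earlier) pairs that partially overlap with different actions.

    Some traffic the later rule was written for is decided by the earlier rule
    instead; this is the case the thread describes fixing by moving a rule up.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action != later.action
                    and earlier.src_zones & later.src_zones
                    and earlier.dst_zones & later.dst_zones
                    and services_overlap(earlier.services, later.services)
                    and not covers(earlier, later)):
                found.append((later.name, earlier.name))
    return found


if __name__ == "__main__":
    for pair, names in sorted(zone_pair_view(RULES).items()):
        print(f"{pair[0]:>5} -> {pair[1]:<5} {names}")
    print("shadowed:", shadowed_rules(RULES))
    print("conflicting overlaps:", conflicting_overlaps(RULES))
```

The shadow check is deliberately conservative: it only reports a rule when every zone pair and service it names is already decided by one earlier rule, so it produces no false positives on a correct rule base; the partial-overlap check is the one worth reviewing by hand, since some overlaps are intended exceptions placed above a broader rule.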