The new "flat" policies in SFOS XG are nowhere near as logical as they were in Cyberoam's view - where everything had a policy based on the zones it applied to (LAN->WAN, WAN->LAN, VPN->LAN, VPN->LAN).
In Cyberoam OS (and firewalls like Sonicwall and others) policies were segmented by the TWO zones they crossed, be it LAN->WAN, WAN->LAN, VPN->LAN, LAN->VPN, LAN->DMZ, etc.
Whilst this does have the disadvantage that if you want to create a policy that applies to multiple source and/or destination zones, you had to create multiple policies, it resulted in the firewall policies being neatly laid out in a fashion that made them very easy to work with and manage.
In the current version of Sophos OS (XG), the policies are listed in a top down approach, with no separation between what zones they apply to.
This makes it much harder (IMO) to try and manage your policies and keep them in the correct order (if one policy possibly overrules another, if matched first).
I can in some way understand why this method may have been chosen, but it just ends up feeling less organised.
DavidRudduck, I quote you 100%.
Maybe there is a logic behind it, but this rules management mode is insane!
I think it would not be so difficult to build a filter or different view modes, selectable by the user, that "group" the zones together.
I have 150 rules altogether, and we are small. I cannot imagine larger companies having VPN user, business and network policies together... and with truncated entries in the list if too long...
I hope that in future releases this will be changed or improved.
Simone
Hi Simone,
I completely agree with the segregation by zones, and with Version 16 launched the UI has improved, which was a mimic of Cyberoam. The Cyberoam UI is popular and easy to understand, but as you use the rules in XG you would notice that it requires fewer rules, and multiple zones can be configured on a single rule. We are always open to suggestions to build the product better. The architecture is changed and so would be the structure. A number of rules are managed easily on XG, as the policy info is mentioned in the rule description.
Thanks and regards
Aditya Patel | Network and Security Engineer.
Everyone has a different view and needs. I never liked Cyberoam UI and all the zones separation like Fortigate for example (this is my view).
As Aditya said, XG requires fewer policy rules, and fewer with v16 (if you think about the improvement made with Web Filtering, and as far as I know IPS and Application Filter will follow the Web Section).
What I am missing is groups from UTM9, where you can create a group view from the drop-down list and move rules into your own group. This allows a lot of flexibility.
With UTM9 I am able to manage 4000 users with an SG650 without big problems, using the group view.
Imagine LAN to WAN: how many rules you have under this view. If XG implements groups in combination with the filters that can be applied, we are at a good point.
Rules should also take less space (every rule is too big).
That is my opinion!