Network rule with application filter allows everything

I want to have a network rule that specifically allows Youtube.  I've created an application filter that allows only the individual Youtube related applications and have applied it to a network rule in the 'Application Control' section.

I have observed that this rule allows all traffic ... not just Youtube.  What's really odd is that no events are generated for this or following rules in either the Application or Web Filter log.

If I change the action of the Youtube application filter to deny, the policy works as expected.  It blocks the youtube traffic and subsequent rules are evaluated properly.  Events in the Application and Web Filter logs are generated and reflect the behaviour.

I'm running SFOS 15.01.0 MR-3.  

What could I be doing wrong?

Thanks, Jeff K



  • Luk,

    I created a 'skype' application filter using the 'deny all' template.  The behaviour of the firewall rule now appears to block everything ... presumably it would allow skype but I don't think it's classifying the skype traffic properly.

    I'll ask this question instead.  How would you build a rule to specifically classify skype traffic for the purpose of permitting the traffic?  Non-skype traffic should be ignored by this rule so it can be evaluated by subsequent rules.

    Thanks!
    Jeff K

  • Jeff,

    Firewalls use the concept of first match. So if the rule blocks everything except Skype, only Skype is allowed and no other rules are checked. The same happens vice versa (allow all and block only Skype). You can play with source and destination, services and users in order to match that rule specifically, but the concept of first match persists.

    If Skype is not allowed you need to check application logs, firewall and web logs also.

    Regards
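
The first-match behaviour described in the reply above, as a simplified model added here (it is not part of the original thread and is not Sophos's implementation). The rule names, zones, services and field names are constructed for illustration, and the model assumes the application filter is consulted only after a rule has matched on source, destination and service.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AppFilter:
    default: str                                   # template: "allow" or "deny"
    overrides: dict = field(default_factory=dict)  # per-application action

    def decide(self, app: str) -> str:
        return self.overrides.get(app, self.default)

@dataclass
class Rule:
    name: str
    src: str                    # "any" is a wildcard for all three criteria
    dst: str
    service: str
    app_filter: Optional[AppFilter] = None

    def matches(self, flow: dict) -> bool:
        # Only network criteria select the rule; the application is not one.
        return all(want in ("any", flow[key]) for key, want in
                   (("src", self.src), ("dst", self.dst), ("service", self.service)))

def evaluate(rules, flow):
    """Return (matching rule name, verdict) under first-match semantics."""
    for rule in rules:
        if rule.matches(flow):
            # Evaluation stops here; a filter "miss" never falls through.
            verdict = rule.app_filter.decide(flow["app"]) if rule.app_filter else "allow"
            return rule.name, verdict
    return "default-drop", "deny"

# Constructed sample flows and rule sets (LAN to WAN).
SKYPE = {"src": "LAN", "dst": "WAN", "service": "HTTPS", "app": "skype"}
OTHER = {"src": "LAN", "dst": "WAN", "service": "HTTPS", "app": "dropbox"}
GENERAL = Rule("general-web", "LAN", "WAN", "HTTPS")

def policy(template, service="any"):
    skype_rule = Rule("skype-only", "LAN", "WAN", service, AppFilter(template, {"skype": "allow"}))
    return [skype_rule, GENERAL]

if __name__ == "__main__":
    for label, rules in (("allow-all template", policy("allow")),
                         ("deny-all template", policy("deny")),
                         ("deny-all, narrowed service", policy("deny", "SIP"))):
        print(label, evaluate(rules, SKYPE), evaluate(rules, OTHER))
```

In this model the allow-all template passes every application through the first rule, the deny-all template blocks everything but the listed application there, and only narrowing the rule's own match criteria lets other flows reach `general-web`.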