Web Policy and Filtering Not Working at All

XG V16 - It seems yet another thing real simple in other firewalls just doesn't want to work.  I'm not sure if the KB article I found isn't complete, but if I have the default web filtering policy or Default Workplace Policy applied on the only LAN-to-WAN network rule, nothing gets blocked, nor does anything show up in the log viewer.  Also, while I can see the value of doing it on a rule basis, is there a way to just filtering on a zone like with other firewalls?



  • I found on my XG230 that the only Firewall rule it would use was the first (top) and then allow everything else under it.

    Seems mental as usually a Firewall would do the filter thing and pass to the next rule.

     

    I ended up making a Web Policy and adding all the categories into it and then adding that to the Firewall Rule and it works fine.

     

    I was told by the Sophos vendor this was by design and not a bug - not quite sure I believe him though.

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • I don't know if he was in error, expressed himself poorly, or you misunderstood, but firewalls universally work by the principle of first match.  If traffic matches a rule, yes, it stops further comparison of rules.  Therefore, you need to have the most specific rule first for any traffic that could match more than one rule.  For instance, if you want to block host A from HTTP, you'd first have a rule to block it before a rule allowing all others to HTTP.  If you had the rules reversed, with the "allow all" to HTTP first, it would stop there and allow Host A's traffic, and not get to the rule to block that specific host.  I hope that makes sense.

  • Thanks David,

     

    I do understand however the XG isn't working this way.

     

    For example, I had rule 1 to block Social Media sites (web policy) and applied to a specific User Group, then Rule 2 was a Web Blacklist of sites I don't want anyone going to, Rule 3 was to block EXE downloads and so on.

    If a user in that policy tried to go to Facebook it would fail (Rule 1), however they could download an EXE file (Rule 3).

    So I have one FW rule with separate Web Policy and Application Controls added.


  • Firewall Rule 1 had a Web Policy.  That Web Policy was "Block Social Media and a Default Action of Allow".  The rule was matched based on the user and it correctly followed the logic of the Default Action, which is to allow.  It never hits the second Firewall Rule.

    In v16 and later, as much as possible you should put all web decisions into a single Web Policy.  Within that policy you can do the Rule 1, Rule 2, Rule 3 that you describe.

     

    Firewall rules basically have two parts:  Match this traffic THEN apply this action.  Firewall rules flow from one to the other on the "match this traffic" part until a Firewall Rule is matched.  It then follows all the logic in the "apply this action".  It does not then, after that, go to the next firewall rule to see if it matches that as well.  For a given packet, only one firewall rule is applied.

    Web Policy rules work differently.  It also has a "match this traffic then apply this action".  However for those rules, traffic is always matched against all rules that apply to it.  For the Web Policy a "Block" will Block and "Allow" really means "I'm not going to block, continue evaluating the next rule".

    EDIT: Update/Clarification.  Web Policy also applies the first rule that matches, whether it is allow or block.  Allow does mean Allow, not "continue processing".  This makes a difference if Rule 1 is allow Document Files and Rule 2 is block Adult sites.  If someone downloads a pdf from an adult site, it will be allowed.

  • Michael Dunn said:
    Web Policy rules work differently.  It also has a "match this traffic then apply this action".  However for those rules, traffic is always matched against all rules that apply to it.  For the Web Policy a "Block" will Block and "Allow" really means "I'm not going to block, continue evaluating the next rule".

    I have been using XG as a layer8 firewall and usually don't run into the nuances that your described. However, I would like some clarification on the last part of the web policy.

     

    Policy1 Allow lan to wan webfilter ->allow general business, block advertisements.

    Policy2 Allow lan to wan webfilter-> allow advertisements, block everything else

    Does that mean that advertisements and general business categories will be allowed?

    Also, is the webfilter logic also applicable to application control?

  • Billybob said:

    Policy1 Allow lan to wan webfilter ->allow general business, block advertisements.

    Policy2 Allow lan to wan webfilter-> allow advertisements, block everything else

    Does that mean that advertisements and general business categories will be allowed?

    Also, is the webfilter logic also applicable to application control?

     
    To rewrite your statements the way I think you mean:
    Firewall Rule 1 (Allow lan to wan webfilter) - Web Policy 1 ->allow general business, block advertisements, default action Allow.

    Firewall Rule 2 (Allow lan to wan webfilter) - Web Policy 2 -> allow advertisements, default action Block.

     

    Let's assume that both Firewall rules have the same source/destination, apply to user "Mike" and are otherwise built the same.

    In this case, Mike would be blocked from Advertisements and nothing else.  Firewall Rule 1 and Web Policy 1 would apply.  General business would be allowed due to the specific rule.  Porn would be allowed because it falls into the default action.  Firewall Rule 2 and Web Policy 2 have no effect.

    This is of course a simplification.

     

    Application Control is....  To be honest I'm not positive.  For the firewall rule it uses the same logic - use the first rule that matches the criteria.  Then within the Application Control Filter it uses the first rule that matches the time schedule plus application.

  • Thanks for the reply, that clarifies things a lot. With level 8, I can assign specific rules to specific people so I usually don't have to worry about policy compliance. The firewall rules incorporated with webfiltering, application filtering, QoS, and IPS with further granular control of QoS is one of my favorite features in XG. You can write a single rule for a lot of stuff that needed multiple rules before, but on the other hand this makes things complicated and gives unexpected results if the admin is not paying attention.

    After reading through your explanation I remembered the allow/deny rule setting in UTM9 web filtering and everything made a lot more sense. The main difference is that default allow doesn't carry over to the next firewall rule.

  • I'm coming from the Web team and therefore am biased towards the Web Policy.

    In v15 we carried along with the simpler implementation of making the user-aware firewall make all the user policy decisions.

    In v16 we found that the firewall rules were just not powerful enough to do everything we wanted to, and that the real work in web policy decisions must be done in the web proxy.  So we did a lot of work making Web Policies and User Activities.  These are closer to the way that the UTM works.  Now you have a choice.

    * You could use the XG fully like the UTM - where the UTM Web Profile is equivalent to an XG Firewall Rule (with no match users and a web policy selected).

    * You could also use the XG with the user-aware firewall and do all your user policy decisions there.  The thing is that if you do make all your user policy decisions in the firewall you must make sure that the web policy you select fully defines their permissions.

    From a pure policy perspective, doing it within Web is more powerful as you now have user constraints and time constraints defined in the same place.

    Here is a basic example of the difference:

    Firewall Rule 1 - Applies to Mike - Use Web Policy 1 - Block executable files, Allow everything else
    Firewall Rule 2 - Applies to Mike - Use Web Policy 2 - Block adult sites, Allow everything else

    -OR-

    Firewall Rule 1 - Don't match users - Use Web Policy 3 - Applies to Mike - Block executable files
                                                           - Applies to Mike - Block adult sites

    In the first case, Mike will not be blocked from Adult sites.

    So if you wanted to put user decisions in the Firewall you should do the following.

    Firewall Rule 1 - Applies to Mike - Use Web Policy 3 - Applies to All - Block executable files
                                                         - Applies to All - Block adult sites

     

    If it helps, you can think of it a different way.  An incoming packet can only go to one Web Policy.  So you cannot define two Web Policies and have them both apply to that connection.  You need to have one Web Policy.  Then you have the freedom of doing user selection within the Web Policy or the Firewall Rule.
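    The evaluation order Michael describes in his two posts above (first-match firewall rules, one web policy per connection, first-match web rules with a default action, including his correction that Allow is final) can be checked with a small model. This is an added toy model written for this thread, not Sophos code; the request attributes, user names and the implicit Drop for an unmatched connection are assumptions made to illustrate the examples in the posts.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class WebRule:
    users: set | None  # None = applies to all users
    match: set         # request attributes that trigger the rule (category, file type)
    action: str        # "Allow" or "Block"

@dataclass
class WebPolicy:
    rules: list
    default: str = "Allow"

    def decide(self, user: str, request: set) -> str:
        # First matching web rule wins. Per the thread's correction,
        # Allow is a final verdict, not "continue to the next rule".
        for r in self.rules:
            if (r.users is None or user in r.users) and r.match & request:
                return r.action
        return self.default  # no web rule matched: default action applies

@dataclass
class FirewallRule:
    users: set | None  # None = "don't match users"
    policy: WebPolicy  # a connection reaches exactly one web policy

def evaluate(fw_rules: list, user: str, request: set):
    """First matching firewall rule is applied; later rules are never consulted."""
    for i, fw in enumerate(fw_rules, start=1):
        if fw.users is None or user in fw.users:
            return i, fw.policy.decide(user, request)
    return None, "Drop"  # assumed: nothing matched, connection is dropped

# Two per-user firewall rules, each carrying its own default-Allow web policy.
SPLIT = [
    FirewallRule({"Mike"}, WebPolicy([WebRule(None, {"executable"}, "Block")])),
    FirewallRule({"Mike"}, WebPolicy([WebRule(None, {"adult"}, "Block")])),
]
# One user-agnostic firewall rule; all of Mike's decisions live in one web policy.
COMBINED = [FirewallRule(None, WebPolicy([
    WebRule({"Mike"}, {"executable"}, "Block"),
    WebRule({"Mike"}, {"adult"}, "Block"),
]))]
# Rule order inside one policy: allowing document files ahead of blocking
# adult sites lets a PDF hosted on an adult site through.
ORDERED = [FirewallRule(None, WebPolicy([
    WebRule(None, {"pdf"}, "Allow"),
    WebRule(None, {"adult"}, "Block"),
]))]
```

With SPLIT, Mike's adult-site request matches Firewall Rule 1 and is allowed by that policy's default, so Rule 2 never sees it; with COMBINED both categories are blocked; with ORDERED a request tagged both adult and pdf is allowed.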

  • Thanks Michael for perfectly explaining things. This is the kind of interaction that I miss from astaro days. The devs/mods didn't just show you a workaround but the logic and thinking that went behind a decision to do things a certain way. Most people get caught up in the basic gui differences between UTM9 and XG and I don't blame them but by doing so they don't give the true gems like firewall policies a fair chance. I was not a fan of v15 but gave v16 a serious chance after reading 's praises of XG. Although I still miss certain things from UTM9, after using XG v16 exclusively for a few months, I realized that UTM9 is indeed showing its age.

    Although you mostly deal with the webfiltering aspect, I am hoping you guys can inspire other teams with your forward thinking into other areas of XG. If we keep getting the XG firmwares at the pace we have been getting, I am very optimistic and can't wait to test what v17 will bring.

    Thanks again and happy holidays

    Regards
    Bill
