XG 16 - Can you have a Web Policy and an Application filter apply to same users?

Created the following and wanted to apply them to traffic from any user:

- Application Filter - want to block very high risk (level 5) apps.  Default action is allow.

- Web Policy - select categories to block.  Default Action is allow.

While the individual filters work, the question is how to properly apply them.  I've tried applying them to separate firewall rules.  Due to the default action required in each filter, this doesn't work as nothing makes it past the first rule; all traffic either gets allowed or blocked.    I see you can apply an Application policy and a web filter in the same firewall rule, but which takes precedence?

Also, I created these filters/rules in Firewall Manager which is still ver 15 and pushed them out to devices running v16.  There is no default action listed there.  It only appears when logging onto the ver 16 devices.  If I use a web or app filter does it now need to be applied only to the last rule? 



This thread was automatically locked due to age.
  • Hi Mthomps3,

    Priority of Application Filter is the lowest in the packet flow chart. Hence, if the packet filters out due to any definition in the Web Filter, then it will never reach the Application filter policy.

    Thanks

  • Due to the inclusion of the Default Action in the Web Filter, it has to match something.  It would never reach the app filter.

     

    In my situation, I'm trying to...

    - App filter - block Risk Level 5 apps.

    - Web filter - block a number of categories (Peer to Peer & torrents, Phishing & Fraud, Pro-Suicide & Self-Harm, etc...)

     

    After creating those filters there are 3 scenarios by which I can apply them:

    1. 2 separate rules - application filter rule then a web filter rule - Application rule either blocks or allows all traffic.  Never reaches web filter

    2. 2 separate rules - web filter rule then an application filter rule - Web filter rule either blocks or allows all traffic.  Never reaches app filter

    3. 1 rule using both policies - selections for web and app filter - Web filter rule either blocks or allows all traffic.  Never reaches app filter

     

    Why are there default actions associated with the web and app filters? 

    If it doesn't match, it should just pass thru, same as other rules.  Default rule should be the last in the list, not inserted into some filter. 

     

     

  • Can you share an example?

    Thanks

  • The basic principle of web filtering and default actions is explained in this thread by https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/83833/web-policy-and-filtering-not-working-at-all/314394#314394

    How do you know that the application control is not working? Are you looking in application logs or are you experiencing applications passing through that you think should be blocked? 

     

    mthomps3 said:

    3. 1 rule using both policies - selections for web and app filter - Web filter rule either blocks or allows all traffic.  Never reaches app filter

    I personally use this method and have great success. You will have to look under diagnostics > connection list to see which rule and what application is being detected. 
