
XG 16 - Can you have a Web Policy and an Application filter apply to same users?

Created the following and wanted to apply them to traffic from any user:

- Application Filter - want to block very high risk (level 5) apps.  Default action is allow.

- Web Policy - select categories to block.  Default Action is allow.

While the individual filters work, the question is how to properly apply them. I've tried applying them to separate firewall rules. Due to the default action required in each filter, this doesn't work as nothing makes it past the first rule; all traffic either gets allowed or blocked. I see you can apply an Application policy and a web filter in the same firewall rule, but which takes precedence?

Also, I created these filters/rules in Firewall Manager which is still ver 15 and pushed them out to devices running v16.  There is no default action listed there.  It only appears when logging onto the ver 16 devices.  If I use a web or app filter does it now need to be applied only to the last rule? 



  • Hi Mthomps3,

    Priority of the Application Filter is the lowest in the packet flow chart. Hence, if the packet is filtered out due to any definition in the Web Filter, then it will never reach the Application Filter policy.

    Thanks

  • Due to the inclusion of the Default Action in the Web Filter, it has to match something. It would never reach the app filter.

     

    In my situation, I'm trying to...

    - App filter - block Risk Level 5 apps.

    - Web filter - block a number of categories (Peer to Peer & torrents, Phishing & Fraud, Pro-Suicide & Self-Harm, etc...)

     

    After creating those filters there are 3 scenarios by which I can apply them:

    1. 2 separate rules - application filter rule then a web filter rule - Application rule either blocks or allows all traffic.  Never reaches web filter

    2. 2 separate rules - web filter rule then an application filter rule - Web filter rule either blocks or allows all traffic.  Never reaches app filter

    3. 1 rule using both policies - selections for web and app filter - Web filter rule either blocks or allows all traffic.  Never reaches app filter

     

    Why are there default actions associated with the web and app filters? 

    If it doesn't match, it should just pass thru, same as other rules.  Default rule should be the last in the list, not inserted into some filter. 

     

     

  • can you share an example?

    Thanks

    The basic principle of web filtering and default actions is explained in this thread by https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/83833/web-policy-and-filtering-not-working-at-all/314394#314394

    How do you know that the application control is not working? Are you looking in application logs or are you experiencing applications passing through that you think should be blocked? 

     

    mthomps3 said:

    3. 1 rule using both policies - selections for web and app filter - Web filter rule either blocks or allows all traffic.  Never reaches app filter

    I personally use this method and have great success. You will have to look under diagnostics > connection list to see which rule and what application is being detected. 

  • I have a query in this regard

    Can I have two rules:
    1. A user authentication rule having its own Web Filtering and ALL Application Filtering Policies

    AND

    2. A non authenticated User rule just above the 1st rule which has ONLY an Application Filter which has a Deny All default but allows "Whatsapp" All the Time (with Micro App Discovery).

     

    Basically what I want to do is this: Allow users without Authentication and for all other web access, they need to login post which there could be some blocked applications and websites.

     

    I know as it is a stateful firewall, this might not work out. But there might be a workaround that Sophos might have put up in this regard. We haven't tried it yet as both the XG750s we have are in production and these rules can't be tampered with till we are sure of it working in the desired way.

  • You can't have a deny ALL rule before an ALLOW rule. Your scenario will work with allow authenticated users everything they need first and then deny most of the other stuff and only allow certain apps.

    Firewall rules are parsed in order. If you use deny first, what you are doing is denying anyone (authenticated or not) that matches the deny rule and any further rules will be disregarded. If you only allow a few first without denying, only the allowed will pass the firewall and the next rule will be considered. 
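The rule-ordering behaviour described in the replies above, as an added example that is not Sophos code and not part of the original thread. It is a toy first-match model with these assumptions (not verified against XG's real packet flow): rules are evaluated top down and the first rule whose user criterion matches is final; inside a rule the web policy is consulted before the application filter, as the staff reply states; and a filter's default action decides anything its own entries do not cover. Policy names, categories and app names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass
class Filter:
    """A web policy or application filter: explicit entries plus a default action."""
    name: str
    entries: Dict[str, str]     # category or app name -> ALLOW / DENY
    default: str                # action for anything the entries do not cover

    def decide(self, item: str) -> str:
        return self.entries.get(item, self.default)


@dataclass
class Rule:
    name: str
    users: str                  # "any", "authenticated" or "unauthenticated"
    web: Optional[Filter] = None
    app: Optional[Filter] = None


@dataclass
class Traffic:
    authenticated: bool
    category: str               # web category the web policy would classify
    app: str                    # application the app filter would detect


def rule_matches(rule: Rule, t: Traffic) -> bool:
    if rule.users == "any":
        return True
    return rule.users == ("authenticated" if t.authenticated else "unauthenticated")


def evaluate(rules: List[Rule], t: Traffic) -> Tuple[str, str]:
    """Walk the rule table top down; the first matching rule is final."""
    for rule in rules:
        if not rule_matches(rule, t):
            continue
        verdict = ALLOW
        if rule.web is not None:
            verdict = rule.web.decide(t.category)
        # assumed order from the thread: the app filter only runs if the web policy allowed
        if verdict == ALLOW and rule.app is not None:
            verdict = rule.app.decide(t.app)
        return rule.name, verdict
    return "no-rule", DENY      # nothing matched: dropped


# Constructed policies mirroring the thread (names are illustrative, not XG defaults)
APP_FILTER = Filter("block-risk-5", {"risk5-app": DENY}, default=ALLOW)
WEB_FILTER = Filter("block-categories", {"p2p": DENY, "phishing": DENY}, default=ALLOW)
WHATSAPP_ONLY = Filter("whatsapp-only", {"whatsapp": ALLOW}, default=DENY)

AUTH_RULE = Rule("auth-users", "authenticated", web=WEB_FILTER, app=APP_FILTER)
ANYONE_WHATSAPP = Rule("whatsapp-for-anyone", "any", app=WHATSAPP_ONLY)


def separate_rules(t: Traffic) -> Tuple[str, str]:
    """Scenario 1: app-filter rule first, web-filter rule second, both for any user."""
    return evaluate([Rule("app-rule", "any", app=APP_FILTER),
                     Rule("web-rule", "any", web=WEB_FILTER)], t)


def combined_rule(t: Traffic) -> Tuple[str, str]:
    """Scenario 3: one rule carrying both policies."""
    return evaluate([Rule("both", "any", web=WEB_FILTER, app=APP_FILTER)], t)


def deny_first(t: Traffic) -> Tuple[str, str]:
    """The deny-all-default WhatsApp rule placed above the authenticated-user rule."""
    return evaluate([ANYONE_WHATSAPP, AUTH_RULE], t)


def allow_first(t: Traffic) -> Tuple[str, str]:
    """The order the reply recommends: authenticated users first, restrictive rule after."""
    return evaluate([AUTH_RULE, ANYONE_WHATSAPP], t)


if __name__ == "__main__":
    p2p = Traffic(authenticated=True, category="p2p", app="mail")
    print("separate rules:", separate_rules(p2p))   # web rule is never consulted
    print("combined rule: ", combined_rule(p2p))
    auth_mail = Traffic(authenticated=True, category="news", app="mail")
    print("deny first:    ", deny_first(auth_mail))
    print("allow first:   ", allow_first(auth_mail))
```

In the model the app-only rule with default allow swallows the p2p traffic, so the web rule beneath it is never reached, while the single rule carrying both policies denies it; and the WhatsApp-only rule placed on top denies an authenticated user's mail traffic before the authenticated-user rule is ever considered, which is exactly the ordering problem the reply warns about.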

  • So,

     

    Do I set the rules as:
    1. A user authentication rule having its own Web Filtering and ALL Application Filtering Policies

    AND

    2. A non-authenticated User rule just above the 1st rule which has ONLY an Application Filter which has an Allow All default but allows "Whatsapp" All the Time (with Micro App Discovery).

     

    So does this mean that the Allow All will pass the request down to the further rules below to check if it is allowed or not? Or will it just allow everything to pass from the firewall without hitting the rules below?
