Firewall rules and web policies

Hi all,

I used UTM9 for several years; now I'm testing XG. I'm kind of stuck with firewall rules/web policies.

I want to block all access to a host except for port 80 and 443 to a list of IPs.

So I created a firewall rule and I thought that was it.

Accept "HTTP" and 3 others services going to "WAN" zone, when in "DMZ" zone, and coming from "Custom_ip_frost" network, then apply log connections

Source & Schedule
DMZ

Source Networks and Devices : origin_ip
During Scheduled Time : All the Time

Destination & Services
WAN

Destination Networks : destination_ip
Services : HTTP,HTTPS



  • Hi Luk,

     

    Yes, I have a drop rule at the bottom. I haven't enabled HB, unless it was during deploy; I'm using the ESXi version.

    As far as I could find, when the traffic goes through the proxy the firewall won't block it because the source IP is the WAN IP.

    But the web policies aren't doing their job (or so it seems).

    Since this is my first experience with XG I'll have to dig a bit more, but for the traffic going through the proxy only the web policies can allow/deny, correct?

     

    Thanks In Advance ;)

    Telmo

  • Telmo,

    can you share your Firewall policies? Can you share a network diagram too?

    HB is not active on firewall rules, sorry, my mistake. I read the thread on mobile and I misunderstood "Client with no HB are allowed". I read "Client with HB are allowed".

    Thanks and sorry again.

  • Hi Luk,

     

    I've reset the system and started with a few simple rules.

    Here's what I have:

    Network

     

    Rules

    Rule ID 2

    The associated policy allows google, denies bing and denies all the rest. I put in a deny for bing, but it works with that rule disabled.

    Now the results:

    I try to access google.com and I get "connecting to".

         This is because google is "very smart" and forwards to my country site, but the firewall does not show any deny for google."my domain". If I put this IP in the FW rule it works fine.

    I try to access bing and I get the sophos blocked page.

         Works fine, no issues here.

    I try to access yahoo (out of the specific rules) and I get "unable to connect".

         Can't find this deny in any log.

     

    The firewall log does not report my access to yahoo.

    The policy log seems OK, as I think that if the firewall is denying everything that is not bing or google it should not reach the policy, correct?

    What can cause this (no) log issue?

  • Just another thing that I missed in the last response

    Why is the content delivery rule applied, when I didn't allow it? Although it has the same IP as google.com, "#my cat allow" is allowing the domain www.google.com, not by keyword.

     

    Thanks,

    Telmo

  • Telmo,

    Inside Policy ID 2, remove the remote network objects (google and bing), leave Any, then try again.

    If it does not work, show the web policy rules and make sure the pattern signatures are updated from Backup & Firmware > Patterns.

    Regards
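The two posts above come down to which layer sees what: a firewall rule matches on source/destination IP and port, so two hostnames that resolve to the same address (www.google.com and the content-delivery host Telmo noticed) are indistinguishable to it, while a web policy matches on the requested hostname. The toy model below is an added illustration, not Sophos XG code and not a description of its real rule engine: a first-match firewall table followed by a first-match web policy, run against constructed hostnames, addresses and rule names. It compares a rule restricted to the google and bing network objects with the "destination Any" rule Luk suggests.

```python
"""Added example (not Sophos code): first-match firewall table plus a
hostname-based web policy, to show why a destination-IP rule cannot tell
apart two hostnames that share one address. All data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class FwRule:
    name: str
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR; "0.0.0.0/0" acts as "Any"
    ports: Optional[frozenset]  # destination ports; None means any port
    action: str                 # "accept" or "drop"


@dataclass(frozen=True)
class WebRule:
    name: str
    hosts: frozenset            # exact hostnames; empty set means "match everything"
    action: str                 # "allow" or "deny"


def fw_lookup(rules, src_ip, dst_ip, port):
    """Return (rule name, action) of the first matching rule; implicit drop if none."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.ports is None or port in r.ports)):
            return r.name, r.action
    return "implicit", "drop"


def web_lookup(policy, hostname):
    """Web policy is also first-match; an empty host set is the catch-all rule."""
    h = hostname.lower()
    for r in policy:
        if not r.hosts or h in r.hosts:
            return r.name, r.action
    return "default", "deny"


def classify(hostname, fw_rules, policy, src_ip="10.0.0.5", port=443):
    """Outcome of one request as (fw rule, fw action, web rule, web action).
    The firewall decides on IP/port first; only accepted traffic reaches the
    web policy, which decides on hostname. Dropped traffic gets (None, None)
    for the web part because the policy is never consulted."""
    dst_ip = DNS[hostname]
    fw_name, fw_action = fw_lookup(fw_rules, src_ip, dst_ip, port)
    if fw_action == "drop":
        return fw_name, fw_action, None, None
    web_name, web_action = web_lookup(policy, hostname)
    return fw_name, fw_action, web_name, web_action


# Constructed DNS: the CDN host shares its address with www.google.com,
# mirroring the content-delivery observation in the thread.
DNS = {
    "www.google.com": "203.0.113.10",
    "cdn.example.net": "203.0.113.10",
    "www.bing.com": "203.0.113.20",
    "www.yahoo.com": "203.0.113.30",
}

WEB_POLICY = [
    WebRule("allow google", frozenset({"www.google.com"}), "allow"),
    WebRule("deny bing", frozenset({"www.bing.com"}), "deny"),
    WebRule("deny rest", frozenset(), "deny"),
]

# Variant A: destination limited to the google and bing network objects.
FW_BY_IP = [
    FwRule("web to google", "10.0.0.0/24", "203.0.113.10/32", frozenset({80, 443}), "accept"),
    FwRule("web to bing", "10.0.0.0/24", "203.0.113.20/32", frozenset({80, 443}), "accept"),
    FwRule("drop all", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]

# Variant B: destination Any for web ports; hostname filtering left to the web policy.
FW_ANY = [
    FwRule("web to WAN", "10.0.0.0/24", "0.0.0.0/0", frozenset({80, 443}), "accept"),
    FwRule("drop all", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]

if __name__ == "__main__":
    for host in DNS:
        print(f"{host:17} by-IP rule: {classify(host, FW_BY_IP, WEB_POLICY)}")
        print(f"{'':17} Any rule:   {classify(host, FW_ANY, WEB_POLICY)}")
```

Running it shows the two effects discussed in the thread: with the IP-restricted rule, cdn.example.net is accepted by the "web to google" firewall rule because it shares the address, and www.yahoo.com is dropped by the firewall before any web rule runs; with the "destination Any" rule every web request reaches the policy, where google is allowed and everything else is denied by hostname. Whether a real proxy can see the hostname for HTTPS depends on the deployment, so this model assumes the hostname is available.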

  • Hi Luk,

     

    For this case it worked, but there are some systems for which I need to restrict traffic to a single IP. Should the policies be used instead of the firewall?

    And this is valid for the proxy ports only, correct?

  • Tgreis,

    You can use both methods because XG allows some dynamic behaviour. I prefer to use a firewall rule and apply that rule to a single IP. If your users are authenticated and you use User objects instead of IPs, you can use one firewall rule and one web policy, and create all the profiles inside the same web policy.

    Regards