Sophos XG Firewall Rule Best Practice

Hi All,

I just started testing Sophos XG as a VM in Hyper-V to make sure it will be suitable for our needs. As a Sophos UTMv9 user for a few years, I'm used to how that functioned and I noticed that, by default, Sophos UTM would block everything except what I specifically allowed. This meant setting up Definitions for services, Hosts, FQDN Hosts, etc. to enable my network to talk to the outside world for all that was needed.

When I set up Sophos XG, I saw that I have the option to select a default "Allow All" except what's not allowed via any of the policies like adult content, inappropriate content for business; I can also block specific sites, etc. This option essentially allowed me to create a single firewall rule including IPS policy, traffic shaping and Web policy all within this single rule. I love this simplicity of setup but I'm not sure that this is what would be considered a best practice. For those of you here who've been working with Sophos XG for some time, what has been your standard approach? Do you set up with Deny All and then work to allow only those services that are required, or do you Allow All except what you want blocked?

Call me paranoid, but I'm concerned that a single firewall rule, even if I've selected everything I want blocked, is the right way to go. Btw I've confirmed that the firewall rule is working as it is blocking access to resources I wanted blocked.

Would appreciate any insight you might have.

  • You are correct that applying web filtering, app filtering, IPS, and QoS in one rule makes XG very powerful. But as you have noticed, it brings confusion at the same time. Remember, the default deny rule is built into XG just like UTM so you don't have to deny traffic. If you are not allowing something, it is denied by default. For some reason they chose to use the ALLOW ALL template for basic rule writing instead of guiding you towards writing better rules.

    The order of the rules still applies just like UTM, so you cannot say deny all and then add a rule to allow All or vice versa. I usually only allow ports that I think are needed. So instead of allow all, I would change that to http/https/ftp and any other service that is needed in your environment instead of that allow any service rule and go from there.

    Don't forget, XG is a layer 8 firewall. So you can write rules that only apply to certain people if you want to use authentication. XG can also do clientless authentication where you can make your firewall rules depend on the hardware someone is using, etc. This makes the rule writing extremely powerful but also more prone to errors where you think you are only allowing certain users through a certain rule but the traffic is still passing through some other rule.

    Remember, just because you have a rule that says allow JANE http/s traffic only and then have a rule that says allow any service below it, JANE will still be able to use the second rule and use any service.

    Really not that complicated once you get the logic. Logging sucks but hopefully it will get better in v17. Hope this helps.

Reply
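The first-match behaviour the reply describes (a narrow "allow JANE http/s" rule on top, an "allow any service" rule below it, and JANE still getting every service through the second rule) is easy to reproduce in a small model. The following is an added example written for this thread, not Sophos code and not the XG rule engine: `Rule`, `evaluate` and `extra_access_below` are a simplified first-match evaluator with an implicit default deny, and the rule names and port numbers are constructed for illustration. It contrasts the leaky ordering with the reply's advice of replacing "any service" with the services actually needed, and includes an audit that reports which broader rules below a user-specific rule widen that user's access.

```python
"""First-match rule evaluation with implicit default deny (simplified model, not the XG engine)."""
from dataclasses import dataclass
from typing import FrozenSet, List, NamedTuple, Optional

ANY = None  # sentinel: a rule field set to ANY matches any user / any service


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "allow" or "deny"
    user: Optional[str] = ANY                 # ANY = applies to every user
    services: Optional[FrozenSet[int]] = ANY  # ANY = every service; otherwise TCP ports (assumption)

    def matches(self, user: Optional[str], port: int) -> bool:
        if self.user is not ANY and self.user != user:
            return False
        if self.services is not ANY and port not in self.services:
            return False
        return True


class Verdict(NamedTuple):
    action: str
    rule: str


def evaluate(rules: List[Rule], user: Optional[str], port: int) -> Verdict:
    """Top-to-bottom first match; traffic matching no rule hits the built-in default deny."""
    for rule in rules:
        if rule.matches(user, port):
            return Verdict(rule.action, rule.name)
    return Verdict("deny", "default-deny")


HTTP = frozenset({80, 443})
WEB_AND_FTP = frozenset({21, 80, 443})

# Ordering from the reply: JANE restricted to http/s on top, allow-any-service below.
LEAKY = [
    Rule("jane-web", "allow", user="JANE", services=HTTP),
    Rule("allow-all", "allow"),
]

# The reply's advice applied: the second rule lists only the services the site needs.
NARROW = [
    Rule("jane-web", "allow", user="JANE", services=HTTP),
    Rule("lan-web-ftp", "allow", services=WEB_AND_FTP),
]


def extra_access_below(rules: List[Rule]):
    """For every user-restricted allow rule, list later any-user allow rules that give that
    user services beyond the narrow rule. Each finding is (narrow, broad, extra) where extra
    is None for "any service" or the set of additional ports. Intervening deny rules are not
    modelled here; in a real ruleset they would have to be checked as well."""
    findings = []
    for i, narrow in enumerate(rules):
        if narrow.action != "allow" or narrow.user is ANY or narrow.services is ANY:
            continue
        for broad in rules[i + 1:]:
            if broad.action != "allow" or broad.user is not ANY:
                continue
            if broad.services is ANY:
                findings.append((narrow.name, broad.name, None))
            else:
                extra = set(broad.services) - set(narrow.services)
                if extra:
                    findings.append((narrow.name, broad.name, extra))
    return findings


if __name__ == "__main__":
    for label, rules in (("LEAKY", LEAKY), ("NARROW", NARROW)):
        print(label, "JANE ssh/22 ->", evaluate(rules, "JANE", 22))
        print(label, "audit ->", extra_access_below(rules))
```

Run as a script, the leaky ordering lets JANE's port 22 traffic through `allow-all`, while the narrowed ruleset sends it to the default deny; the audit also shows that even `lan-web-ftp` still gives JANE FTP on top of her http/s rule, which is the point of the reply: a per-user rule only restricts that user if nothing below it is broader.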