Web/Application Policies by User/Group

Hi folks,

I'm migrating from Cyberoam to Sophos XG, and I would like to know what the best way is to apply Web and Application policies to users/groups.

I believe that I need to create one firewall rule for each user group and apply the policies there. Is that the correct way?

Because on Cyberoam devices the web and application policies were defined on groups, and it seems that XG Firewall applies them on firewall rules. Right?

Best Regards


  • Carlos,

    XG uses a centralization concept, so everything is managed by firewall rules. For web traffic you can create one rule per user/group, or one firewall rule for all users/groups and create a single web profile. Under the web menu you can indeed create one profile and apply different policies to different users.

    Do some tests before going into production so you can gain confidence with it.

    Regards

  • Hi Luk, thank you for your answer.

    Well, but now I'm a bit confused. When you say "For web traffic you can create one rule per each users/group or one firewall rule for all users/groups and create a unique web profile. Under web menu indeed, you can create one profile and apply different policy to different users."

    "For web traffic you can create one rule per each users/group" .. Did you mean a firewall rule?

    "Under web menu indeed, you can create one profile and apply different policy to different users." .. Where do I find it? I did not find a Profile option.

    Could you please post some screenshots to explain the options that you suggest?

    Best regards

    Carlos

  • There are two different things you can do:

    You can do user matching within the firewall rule.  Then each firewall rule can apply a different Web Policy.  You need one Web Policy for each different type of access level, and in each Web Policy just leave the rules applying to Everyone.  You can create separate firewall rules, one for each user/group that you want to send to a unique policy.  Though it uses more objects, it can be more straightforward to read a web policy and know exactly how it is applied.  This is familiar to Cyberoam users and takes advantage of the "User aware next generation firewall".

    The other option is to create a single firewall rule that applies to everyone.  It goes to a single Web Policy.  Within the web policy you specify on a rule-by-rule basis which rules apply to which groups.  This uses fewer objects and puts all the complexity into the Web Policy rules.  This is more familiar to how the UTM works, by putting user awareness into the proxy.  Whether the firewall rule should "Match known users" depends a bit on how you do authentication.

    You can of course also do a mix.

  • Hi Michael,

    Thank you for clarifying.

    I think that I will use the first option, one firewall rule for each user/group, because I have application filters specific to each group, and maybe the second option is more specific to Web Filtering.

    But about the second option, when you say "Within the web policy you specify on a rule by rule basis which rules apply to which groups.", is it related to the image attached? Do I need to choose the group/user in each policy/action?

    Best regards

    Carlos

  • Carlos,

    as Michael and I explained, you have 2 ways to implement web filters.

    On the screenshot you attached, you have to create a Policy, and you can add users inside the policy; for each user/group you can attach an activity and an action. Once you have configured that policy, apply it inside the Firewall rule and enable "match known users".

    If the configuration is not clear to you, do some tests.

    Regards
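To make the two layouts Michael describes (and the per-user policy Luk describes on the screenshot) concrete, here is a small added model of how the decisions line up. It is not code from the thread or from Sophos, and it does not reproduce the XG evaluation engine: it assumes first-match evaluation for firewall rules and for rules inside a web policy, that "Match known users" skips a rule for unauthenticated traffic, and that a web policy falls through to a default action when no rule matches. Group names, category names, users and rule names are all constructed for the example.

```python
# Added example: toy model of the two web-policy layouts from the thread.
# Assumptions (not Sophos behaviour): first-match evaluation at both levels,
# "match known users" skips the rule for unauthenticated traffic, and a web
# policy returns its default action when no rule matches.
from dataclasses import dataclass
from typing import Optional, Tuple

EVERYONE = frozenset({"Everyone"})   # marker: web rule applies to all users


@dataclass(frozen=True)
class WebRule:
    groups: frozenset      # groups the rule applies to, or EVERYONE
    categories: frozenset  # web categories the rule covers
    action: str            # "allow" or "block"


@dataclass
class WebPolicy:
    name: str
    rules: list
    default_action: str = "allow"

    def decide(self, user_groups: frozenset, category: str) -> str:
        """First rule whose group set and category both match wins."""
        for rule in self.rules:
            group_ok = rule.groups == EVERYONE or bool(rule.groups & user_groups)
            if group_ok and category in rule.categories:
                return rule.action
        return self.default_action


@dataclass
class FirewallRule:
    name: str
    match_known_users: bool
    groups: frozenset                 # empty = any user
    web_policy: Optional[WebPolicy]   # None = no web filtering on this rule


@dataclass
class Ruleset:
    rules: list

    def decide(self, user: Optional[dict], category: str) -> Tuple[Optional[str], str]:
        """Return (firewall rule name, web action); (None, 'drop') if nothing matches."""
        authenticated = user is not None
        groups = frozenset(user["groups"]) if authenticated else frozenset()
        for fw in self.rules:
            if fw.match_known_users and not authenticated:
                continue                       # rule only sees identified users
            if fw.groups and not (fw.groups & groups):
                continue                       # user is not in the rule's groups
            if fw.web_policy is None:
                return fw.name, "allow"
            return fw.name, fw.web_policy.decide(groups, category)
        return None, "drop"                    # implicit default: nothing matched


# Constructed sample: Staff may not use social media; Guests may not use
# social media or webmail.
STAFF = {"name": "alice", "groups": ["Staff"]}
GUEST = {"name": "bob", "groups": ["Guests"]}


def layout_per_group() -> Ruleset:
    """Option 1: one firewall rule per group, each with its own web policy
    whose rules simply apply to Everyone."""
    staff_policy = WebPolicy("Staff Web", [WebRule(EVERYONE, frozenset({"social"}), "block")])
    guest_policy = WebPolicy("Guest Web",
                             [WebRule(EVERYONE, frozenset({"social", "webmail"}), "block")])
    return Ruleset([
        FirewallRule("Staff web access", True, frozenset({"Staff"}), staff_policy),
        FirewallRule("Guest web access", True, frozenset({"Guests"}), guest_policy),
    ])


def layout_single_policy() -> Ruleset:
    """Option 2: one firewall rule for all known users and one web policy
    whose rules select the group themselves."""
    shared = WebPolicy("All Users Web", [
        WebRule(frozenset({"Staff"}), frozenset({"social"}), "block"),
        WebRule(frozenset({"Guests"}), frozenset({"social", "webmail"}), "block"),
    ])
    return Ruleset([FirewallRule("All users web access", True, frozenset(), shared)])


def decisions(ruleset: Ruleset) -> dict:
    """Map (user, category) -> web action for the sample users and categories."""
    out = {}
    for user in (STAFF, GUEST, None):
        for cat in ("social", "webmail", "news"):
            key = (user["name"] if user else "unauthenticated", cat)
            out[key] = ruleset.decide(user, cat)[1]
    return out


def layouts_agree() -> bool:
    """Both layouts yield the same action for every sample request."""
    return decisions(layout_per_group()) == decisions(layout_single_policy())


if __name__ == "__main__":
    for key, action in decisions(layout_per_group()).items():
        print(key, action)
    print("layouts agree:", layouts_agree())
```

Run as a script it prints one line per (user, category) pair and confirms the two layouts agree. The unauthenticated rows are the point behind Michael's last sentence: with "match known users" on every rule, traffic with no identified user matches nothing and falls to the default, so the choice of layout does not change that, but how you authenticate does.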