Application filter for NTP

Hi James,

Looking at your FW-rule description, I can see all the Services are Allowed. I don't see a reason why the NTP is blocked when the services are open and Application Filter tells XG to Allow All. If you suspect that Application Filter is blocking NTP services then check, Log Viewer > Application Filter; it will only log Denied Traffic. This will give you a general idea if the Application Filter is doing a false positive and we could raise a request to fix that.

Thanks

sachingurung, 

can you explain in few lines how to properly use the Application filter?

I guess that in the Application lists there are some Apps that should not be there. Can you check internally and reply here back.

Thanks

Thanks Michael....however allowed Apps are not moniterd. XG Application filters log only blocked Apps.

Imagin you have a firewall rule where the Application filter is deny all but allow few application. How can users determine if that App is allowed and which App is allowing it?

At least this happens at the moment with current version. Aditya Patel and sachingurung replied many times that XG logs only denied App and not allowed one.

Anyway, I appreciate yours replies here...even if it is not your topic!

It's not working for me, even with that pattern update.

I have an application filter with a default of "Allow", but with a rule that denies all applications, and NTP still gets through the firewall.

When I change that to an application filter with a default of "Deny", but with a rule that allows NTP, NTP is still blocked, and the log entry for port 123 does not identify the application as NTP.

:(

James

James, can you double check your last test? When I run the different scenarios identified by Michael (and include your scenario as well) I get the correct result on all tests except where NTP is specifically allowed on a default-deny filter. This result is similar to my testing with the LDAP protocol.

In the above FW rules, each rule has an application filter as specified:

1. No filter
2. Application Filter of Block NTP, default Allow
3. Application Filter of Allow NTP, Block (select All), default Allow
4. Application Filter of Allow NTP, default Block
5. Application Filter of Block (select All), default Allow

My testing results are as follows:

1. Allowed (correct)
2. Blocked (correct)
3. Allowed (correct)
4. Blocked (incorrect)
5. Blocked (correct)

And, just like LDAP traffic was not identified as LDAP traffic in scenario 4 in my previous tests, NTP traffic was not identified as NTP traffic in the logs when I ran scenario 4 here as well. The issue I was experiencing previously, where NTP was not handled at all by the application filter, is something I have not been able to reproduce after receiving the signature update. Did that update fix part of the issue? Or was there a flaw in my previous test? I have no idea.  But... I have repeatedly been able to replicate a bug where a default block filter with explicit allow (scenario 4) does not behave as expected.

Hi Luk,

I support this request and you can raise the request on Sophos Ideas for logging Allowed Applications in the LogViewer. Check #2 in my

Just for a bit more information here, Check #2 in my Troubleshooting Guide, IPS(Application Filter) in XG is accounted at the bottom of the list and any traffic that is allowed will be processed by all the other check before falling into Application Filter check. So considering that the blocks are logged in Log Viewer, if something is allowed and not logged then, it becomes certain that Application Filter is not blocking it and one must eventually take a step back and configure a Firewall Rule to block the services.

Thanks

Thanks Saching,

but I will not open a feature request for standard feature. It is like opening a feature request for logging traffic on Firewall. Reports report which applications are used but live logs do not.

Still incredible how certain things work on this "Cyberoam OS like."

Really disappointed! [:@]

Great testing Gary. Just when I think, I know everything that is there to learn Michael Dunn  throws a curve ball when explaining XG[:D] I am guessing you have run into a bug because the way the behavior is intended does make sense.

However, I generally don't use application rules for simple things like NTP where firewall rule gives me a lot more flexibility. Here I agree with Luk that application rules are more suitable when distinguishing for example between http downloads and http streaming for netflix specially when using QoS. You can't throttle http whereas its easy to throttle netflix using application filters.

Having said all that, this is another case where things are complicated and non intuitive because of the way firewall rules incorporate everything including appfilter/QoS/IPS. Long time ago people did some testing on UTM on behaviors of different firewall/DNAT/Proxy rules. Once you understand that behavior rules become easy to write. I suspect a similar test or KB from sophos is in order to explain some of the nuances that Michael explains in many posts throughout the forum. Because the way it is right now, there is really no guide to follow to see how http proxy affects DNS, application filters dos and don'ts and how the whole application control is dependent on intrusion protection.

Billybob, 

here on some aspects it seems we are tilting at windmills. It does not make sense and this create confusion on Application filters. So Sophos should decide if use the application filters for all APPS or use them only for HTTP/S Applications. If they proceed with the first option, the application list is small and so they should allow us to add more applications using a custom application filter like custom IPS filter or another way to capture the packets and create the application. The other way makes more sense because the rest of the Application can be allowed/blocked by Firewall rules.

Hi BillyBob,

I'm in complete agreement that something simple like NTP could (and should) be handled by a simple FW rule. And yes, your point about app rules being well suited for differentiating different types of HTTP traffic is well taken.  A counterpoint would be... Sohpos put those network protocols (and client/server and P2P) in the application list and by golly I expect them to work! [;)]

That said, it is a bit confusing. Is XG using DPI on application rules to determine the traffic type? If I allow SMTP in the app rules, will XG block SSH sent across port 25? Who knows. Perhaps we need to break "applications" into two sections... one for filtering of HTTP(S) and one for "other" with an explanation of just how deep the inspection of that "other" will be. 

But... I do see the value here. Coming from a Shorewall/IP Tables setup, I like the idea of being able to create application filter bundles that are reusable and transportable. Imagine a "base" for servers that is a "deny all" with explicitly allowed services for network management. Then (assuming the v17 release has the add-able filters) you could add on a web server filter or an LDAP filter or a DB filter and, assuming your web servers and LDAP servers and DB servers are in host groups... you can have a single FW rule for each host group that holds the composite filter. Or something like that.

Granted, this could all just be the simple case of me completely misunderstanding next-gen firewalls. [*-)]

I have worked with different firewall vendors over the years and like everything else, they come up with new terminology and fancy words. DPI (deep packet inspection) is the new word. Back about 10 years ago we called them UTM appliances. The only difference is that UTM9 does layer7 (kind of like DPI) using iptables whereas DPI firewalls lately use snort or similar. Snort was being used as intrusion detection system where it did (DPI) to see what was actually being carried in those packets and since it could distinguish between different applications, some firewall vendors started using it for application classification also. XG being one of those firewalls... hence the next gen DPI label[;)]

I suspect your telnet test to port 25 would be classified as SMTP traffic if you actually send the HELO message because at that point there is no difference between an SMTP server communication and your telnet session.

I am old fashioned and I trust the firewall rules that I create. If I need to open 10 ports to make an application work, I like to know what I did instead of the firewall using application control doing it for me. Almost reminds me of upnp... you have no idea what is going on. That is why I like the approach of firewall rule and then augment it with application filter if the application uses the same firewall port otherwise such traffic should be denied. But different people have different needs and Sophos knows a lot more about industry trends and needs of their clientele so we will get what they give us. This however doesn't mean that the product shouldn't work as advertised and you are absolutely correct that if it is there, you should expect it to work.

Well stated! For non-pet-project stuff, things I want to just plain work, I share a very similar philosophy.

But this? XG is my current "shiny new toy" and to that end I'm going to push it until it breaks and learn what I can along the way. [H]

Well stated! For non-pet-project stuff, things I want to just plain work, I share a very similar philosophy.

But this? XG is my current "shiny new toy" and to that end I'm going to push it until it breaks and learn what I can along the way. [H]