Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 27 subscribers
  • Views 3950 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Finding out the way to configure a Firewall

mario Andrick

Hello, 

 

after using the Firewall Sophos XG about some month I would like to check if it is configured right. 

But Iam not sure, if I set up the policies well.  Is there a so called "red line" how I should start with policies? 

 

What Ports and Tasks should I always allow ? 

 

After I had installed Sophos some time ago, i changed the default rule (ID:1) to Drop. 

After doing this i added Rules to get every Softare to work. 

 

But now Iam not sure, what tasks like Gopher ESP and so on are. Should I allow these Services,too ?

 

And another question is about the Policies Settings. 

Example 1: I've got two different VLANS  (VLAN 20 + Guest -VLan 50). 

VLAN 20: 192.168.2.0/24

VLAN 50: 192.168.5.0/24

Unifi-Controller : 192.168.2.2

 

- The First Rule should drop every Traffic between VLAN 50 + 20 + VPN networks.

- The second Rule should only allow the access to the Wlan-Server (located with a static IP in VLAN 20)

--> So every guest get acces to the Unifi Controller. (The reason is a captive Portal - Every guest have to log in to get internet access)

 

Afterward is my solution, but I don't know if it is correct. 

Maybe some could check these Settings?

 

 

Thanks for helping me. 

 



This thread was automatically locked due to age.
Parents
  • 0

    Hi mario Andrick,

    1 - How you should start with policies :
         The way is simple, Take note what you want to serve, for who? Then how that gonna be serve? Write them down on a paper then write them in Firewall!
         * 5 thing to keep in mind:
               a - The rule work from Top down! So if your deny rule is working first, then your allow rule will never work.
               b - Do not lock yourself! Lan => Firewall on https port 443 <=> allowed
               c - Everybody can talk to DNS. Any Network => DNS on DNS port 53 <=> allowed
               d - SSH service => Firewall on port 22 <=> allowed (on XG this automatic checked on interface)
               e - XG have one specifict rule, Deny all at the end!

    2 - What port/task should always allow?
        Company have its requirement for Staff to go where! Company business website or app, because everybody need to go there for information. if you not allowed, when the boss ask them to get information there, they will say: Sir IT not allowed to access that website, then you will die! So make sure you allowed! Other service like Skype, Skype for Business, Office 365, Video Conference must be allow for Staff to communicate if your company have any! The last allowed target is Manager. He must be going anywhere no block, or people have a special permission also!

        * What should be block?
        In Corporation i think most of them is not allow to access FACEBOOK and Youtube (both URL and App Android/iOS), so you should block that!

    3 - Your another QUESTION!
         For WiFi network i suggest to design another network! and then link it with the Corporation network. You ask me why? i will say a single missed config cmd could destroy your network both Firewall or Switch! Be aware of that.
        * VPN should not be applied on WiFi network! Because They already apply in Corporation network!
        * To help you setup your UniFi WiFi network, you can check here: https://community.ubnt.com/t5/UniFi-Routing-Switching/Guest-Wireless-Network-with-pfSense-UniFi-Switch-and-UniFi-AP/td-p/1929585
        * For rule setup you can decide:
             a - Guest Network is complete locked from Corporation Network.
             b - Staff WiFi network can access Corporation Network.
             C - Staff WiFi can access Guest WiFi
             d - Staff WiFi can access Company website/app
             e - Staff WiFi can not access Youtube & Facebook            <= this one is up to you, i just make example
             F - Guest WiFi can go anywhere
             g - Guest WiFi need Captive Portal
             ...
    One last word: Goodluck!

Reply
  • 0

    Hi mario Andrick,

    1 - How you should start with policies :
         The way is simple, Take note what you want to serve, for who? Then how that gonna be serve? Write them down on a paper then write them in Firewall!
         * 5 thing to keep in mind:
               a - The rule work from Top down! So if your deny rule is working first, then your allow rule will never work.
               b - Do not lock yourself! Lan => Firewall on https port 443 <=> allowed
               c - Everybody can talk to DNS. Any Network => DNS on DNS port 53 <=> allowed
               d - SSH service => Firewall on port 22 <=> allowed (on XG this automatic checked on interface)
               e - XG have one specifict rule, Deny all at the end!

    2 - What port/task should always allow?
        Company have its requirement for Staff to go where! Company business website or app, because everybody need to go there for information. if you not allowed, when the boss ask them to get information there, they will say: Sir IT not allowed to access that website, then you will die! So make sure you allowed! Other service like Skype, Skype for Business, Office 365, Video Conference must be allow for Staff to communicate if your company have any! The last allowed target is Manager. He must be going anywhere no block, or people have a special permission also!

        * What should be block?
        In Corporation i think most of them is not allow to access FACEBOOK and Youtube (both URL and App Android/iOS), so you should block that!

    3 - Your another QUESTION!
         For WiFi network i suggest to design another network! and then link it with the Corporation network. You ask me why? i will say a single missed config cmd could destroy your network both Firewall or Switch! Be aware of that.
        * VPN should not be applied on WiFi network! Because They already apply in Corporation network!
        * To help you setup your UniFi WiFi network, you can check here: https://community.ubnt.com/t5/UniFi-Routing-Switching/Guest-Wireless-Network-with-pfSense-UniFi-Switch-and-UniFi-AP/td-p/1929585
        * For rule setup you can decide:
             a - Guest Network is complete locked from Corporation Network.
             b - Staff WiFi network can access Corporation Network.
             C - Staff WiFi can access Guest WiFi
             d - Staff WiFi can access Company website/app
             e - Staff WiFi can not access Youtube & Facebook            <= this one is up to you, i just make example
             F - Guest WiFi can go anywhere
             g - Guest WiFi need Captive Portal
             ...
    One last word: Goodluck!

Children
No Data