
Firewall Rules

Is there a preference between creating a Business Application Rule vs a User/Network Rule? When to use either because they appear to be very similar when created. 



  • Hi  

    Very simply put, the Business Application Rule is used to protect your servers and services while the User/Network Rule is where you configure your standard firewall rules for your users and networks.

    Business Application Rules protect your servers/services from unauthorized access over the Internet.

    Examples:

    Business Application Rule: Allow external users access to your internal web server using port 80 & 443 via DNAT

    User/Network Rule: Allow your Wireless LAN access to the WAN but restrict access to your Internal LAN

    Please let me know if you need further clarification. Clicking the 'Help' button at the top-right corner of your XG also provides you further explanation regarding configuration of these two rules.

    Cheers,

    Karlos

  • Thank you, Karlos. I have been getting confused with which one to use and was simply thinking any device on my LAN that needs to communicate outside gets set up through a Business Application Rule, and anything user related I was setting up as a User/Network rule.

    Here are my examples:

    For Business Application Rules

     - VOIP PBX -> communicating with outside SIP control and voice ( all voip ports set up )

     - Exchange Server Email -> communicates directly with 3rd-party software that takes care of spam, scanning, etc.; then its final destination comes to us


    User/Network Rules


    - FTP client access from outside in ( internal FTP server )

    - Exchange OWA

    - Accessing LAN cameras off site ( http )


    Basically, any user interaction from the outside coming in I have been setting up as User/Network rules, and any services that are unmanned as Business Applications.

  • I think you got it the opposite way actually. Anything from the inside out should be set up as a User/Network Rule and from the outside in as a Business Rule.

    For instructions on protecting your internal servers via a Business Rule, follow: 

    Sophos Firewall: How to DNAT to an internal server OR

    Sophos Firewall: WAF configuration guide

    For rules regarding your LAN communicating out, you would set it up as a User/Network Rule. The below image is a firewall rule that allows all access from your LAN to the outside.

    Please let me know if you need any more clarification. 

    Thanks,
    Karlos

  • Thank you. When I saw the Business rule's action set as Forward, I figured I was doing it right because I was port forwarding, but now that I think of it, I'm port forwarding in reverse after reading your explanation. I don't know why I'm struggling with this; I normally understand things quickly, but this Sophos has really thrown me for a loop.

  • Karlos, if I may ask: on our current firewall the administrator has a lot of the rules referencing one of the 3 IP addresses our ISP assigned to us, but it's not the primary IP address the WAN is assigned. I'm not exactly sure how to handle this or why it's been set that way. Basically we have 3 static IPs with our primary being x.x.x.97, but some of my rules reference x.x.x.98 and sometimes x.x.x.99. Some I understand because it allows the same port to be used, 2009: if I were to browse http://x.x.x.98:2009 from the outside it would go to Camera system 1, and if I went to x.x.x.99:2009 this would bring up Camera system 2. A lot of our VOIP ports are on x.x.x.98; not sure how this all works.

    Thanks

  • It sounds like he created additional addresses for your WAN port and created Business DNAT rules for each additional address to point to an internal server, like your Camera System.

  • Can that be duplicated at all on an XG 210? Would this be an Alias on the WAN?

  • Basically created 2 alias interfaces on Port 2 with the extra IPs, then went back to my rules and changed the Destinations to the correct Port 2 assignment. Thank you again, Karlos. I have reserved an hour window tomorrow morning to shut down and swap out the firewalls, fingers crossed.


    Just one last thing, when I created my network rules for LAN to WAN for my service must I also create WAN to LAN rules in reverse back to the service? Thanks

  • SophosNewby said:
    Just one last thing, when I created my network rules for LAN to WAN for my service must I also create WAN to LAN rules in reverse back to the service? Thanks

    I’m new to Sophos XG (will be installing it next week) but my understanding is that it’s a stateful firewall therefore a separate firewall rule is not required for WAN to LAN because the connection originated from the LAN.
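    A toy model of the two points made in this thread, the alias-address DNAT rules for the camera systems and the stateful handling of replies to LAN-originated flows. This is an added example written for this page, not Sophos code or anything posted by the participants; all addresses are constructed stand-ins for the x.x.x.97/98/99 in the question.

```python
# Toy model of the rule types in this thread (constructed example, not Sophos code):
# DNAT rules keyed on WAN address/port, a LAN->WAN User/Network rule, and a
# connection table that lets replies back in without a WAN->LAN rule.
from dataclasses import dataclass

# Constructed stand-ins for the thread's primary x.x.x.97 and alias .98/.99 IPs.
WAN_PRIMARY, WAN_ALIAS_1, WAN_ALIAS_2 = "203.0.113.97", "203.0.113.98", "203.0.113.99"
# Business Application Rules: same port 2009 on two aliases -> two camera systems.
DNAT_RULES = {(WAN_ALIAS_1, 2009): "10.0.0.21", (WAN_ALIAS_2, 2009): "10.0.0.22"}
# User/Network Rules: (source zone, destination zone) allowed to open new flows.
NETWORK_RULES = {("LAN", "WAN")}

@dataclass(frozen=True)
class Packet:
    zone: str   # zone the packet arrives on: "LAN" or "WAN"
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    def __init__(self):
        self.flows = set()  # (client, client_port, server, server_port) permitted so far

    def evaluate(self, pkt: Packet) -> str:
        # Reply to a tracked flow passes on state alone; no reverse rule is consulted.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW (established)"
        # Business Application Rule: inbound hit on a protected WAN address/port.
        if pkt.zone == "WAN" and (pkt.dst, pkt.dport) in DNAT_RULES:
            target = DNAT_RULES[(pkt.dst, pkt.dport)]
            self.flows.add((pkt.src, pkt.sport, target, pkt.dport))
            return f"DNAT -> {target}:{pkt.dport}"
        # User/Network Rule: does the zone pair permit a new flow?
        dst_zone = "LAN" if pkt.dst.startswith("10.") else "WAN"
        if (pkt.zone, dst_zone) in NETWORK_RULES:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW (User/Network rule)"
        return "DROP"

def run_scenario() -> dict:
    fw = StatefulFirewall()
    return {  # evaluated in order, so the reply below sees the flow opened above
        "sip_out": fw.evaluate(Packet("LAN", "10.0.0.5", 5060, "198.51.100.10", 5060)),
        "sip_reply": fw.evaluate(Packet("WAN", "198.51.100.10", 5060, "10.0.0.5", 5060)),
        "cam1": fw.evaluate(Packet("WAN", "192.0.2.7", 51000, WAN_ALIAS_1, 2009)),
        "cam2": fw.evaluate(Packet("WAN", "192.0.2.7", 51001, WAN_ALIAS_2, 2009)),
        "primary": fw.evaluate(Packet("WAN", "192.0.2.7", 51002, WAN_PRIMARY, 2009)),
        "unsolicited": fw.evaluate(Packet("WAN", "198.51.100.99", 5060, "10.0.0.5", 5060)),
    }
```

    The "primary" and "unsolicited" entries drop because neither a DNAT rule nor a tracked flow matches them, which is the behaviour the stateful explanation above relies on.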

  • That's what I thought as well, but none of my LAN to WAN rules worked in my case for either my Exchange server or PBX; the only rules that worked were where users were accessing resources from the outside.