
Difference between "Action" (IPS policy rules) & "Recommended Action" (IPS signatures)

There is an action field found in both the IPS policy rules and the signatures that make up those rules.  Both fields have similar options (a few more on the Rules side) which, per the Web manual, appear to have identical functions.

What is the difference here?

For example, let's say I have a rule set to Drop the Session but all of the signatures in that rule are set to Allow the Packets - what would happen?

Does one take precedence over the other?  If not, who wins?



  • Hey  

    The action field found in the IPS policy rule is the global action taken for all of the selected IPS signature rules enabled within that individual IPS policy.
    Therefore if you were to select the global action Drop Session, the session will still be dropped even if the signatures contained within have a recommended action to Allow Packet.

    I hope that was able to clarify your inquiry. Please share a screenshot of your IPS policy rule you have configured if you would like further clarification.

    Regards,

    FloSupport | Community Support Engineer

  • Hello and thanks for the feedback...but this is still somewhat confusing...here's why...

    It seems that you are saying the setting at the Rule level supersedes that at the Signature level - fair enough.  Then why ever use the setting at the Signature level if it is going to be overruled by the Rule setting?

    I have tried to come up with a use-case where both settings would have an effect on the traffic but if the Rule level takes precedence, then I can find no such use-case...

  • So are you saying that essentially, the Rule level setting acts as the default action if none of the other rules applies?  If so, then this setup is confusing especially when considering that a different approach for similar behavior is employed under the Application Filter settings.

    I will likely have some suggestions but will wait until you are able to confirm my default behavior question above.

    Thanks.

  • Hey  

    Yes, this setup is also used for the application filter settings. This top-down behavior, with a default action performed if no rule matches, is common for most configurations.

    Regards,

    FloSupport | Community Support Engineer

  • So the top-down aspect of this is not in dispute - totally makes sense to have that approach in place.  What may be an issue however is the GUI.

    For example, on the App Filter side, there is a Default Action shown yet no place to actually change the Default Action setting - it is always set to Allow.  I think this makes sense for many if not most scenarios because I can see where folks will often want to block specific apps and then allow the rest. However, I do imagine there are potential situations where people might want to only allow a few apps and block the rest.  If so, then configuring that is more cumbersome without being able to switch the App Filter --> Default Action.

    If I am missing something here, please let me know - otherwise, I will submit a suggestion to add the ability to change the Default Action at the App Filter level.

    Also, it is confusing that the "Default" nomenclature is used under App Filter & Web Policies but not in the IPS Policy rules.  One would think it would be standard across the board for a given type of functionality.

    Again, if I am missing something here, please illuminate.

    Thanks.

  • Hey  

    You can create an application filter policy with a default rule at the bottom to block all and allow only specific applications.
    Please see the screenshots I've provided where I created a test application policy with a default rule to deny all apps and an additional rule above to allow YouTube.


    Regards,

    FloSupport | Community Support Engineer

  • The first screen is found when adding applications to a given App Filter and the action field you see is only for a given application.  If you go ahead and set that to "Deny" and then "Save", go back and check the Default Action for the filter you were just modifying and note it still says "Allow".

    This discussion also begs the question, why even show the Default Action when it can't be modified?

  • Hey  

    Could you PM me with your support access ID to your XG? I can further investigate your configuration and follow up to clarify your desired implementation.

    Thanks,

    FloSupport | Community Support Engineer

  • cyberzeus said:

    Hello and thanks for the feedback...but this is still somewhat confusing...here's why...

    It seems that you are saying the setting at the Rule level supersedes that at the Signature level - fair enough.  Then why ever use the setting at the Signature level if it is going to be overruled by the Rule setting?

    The policies you create don't have any influence on the traffic until you actually apply them to a firewall rule. The recommended action in an IPS rule is just that, a recommendation. You can choose to block a certain rule that is recommended to be allowed, and you may get false positives. This is for IPS only.

    For applications there is no recommended action. Unless you copied a template that was deny or allow certain applications (a deny-all template doesn't exist in v17, where you would deny everything and then choose a few applications to pass: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter )

    So let's say you create an application rule called "test" that blocks all streaming media but then add a YouTube allow on top. Your settings are only available in that application filter rule that you created called "test" and are not applied globally.

    Additionally, your settings will only apply to your traffic if you create a firewall rule that has application control "test" selected, and only when the firewall rule allows http/s traffic.

    On top of that you can apply firewall rules to individual users, groups, throttle them with qos in that rule or control their webfiltering etc and then qos them again on the basis of the websites or applications that they use... all in one firewall rule. In addition you can pick and choose which traffic in your firewall rule needs what IPS policy depending on the client/server OS... still in the same rule. This makes firewall rules extremely powerful and yet confusing as hell for new users.

    Hope this makes sense. You are in good hands with Flo

  • Ahhh - I see this now...

    So the Recommended Action is just one of many options that can be selected to define how the rule handles matching traffic.  So for example, if I choose "Recommended", then matching packets will be dealt with pursuant to whatever the Recommended Action column says for the matching signature.  Conversely, if I choose another action - such as Drop - the matching traffic will be dropped regardless of what is in the Recommended Action column.

    I misunderstood Recommended Action to be a setting that is configurable by the user when the signatures are added to a given rule - this of course was incorrect.  I know it can be configured for Custom IPS Signatures but not the ones hard-coded into the system.

    It also makes sense now as to what FloSupport meant when they mentioned the more global aspect of selecting anything other than Recommended Action which tends to be more granular because it handles traffic on a per signature basis.

    As an aside, it might be nice to actually be able to modify the Recommended Action for a given hard-coded signature.

    Thanks everyone for your feedback - much appreciated.

    PS: This XG really is a very capable device - liking it more and more as time goes on.

  • Hey  

    You would create an IPS policy with a rule configured at the bottom that covers all of the signatures and set with the "recommended" action. You would then configure additional rules on top with the signatures selected that you would like to explicitly allow/deny/drop. A top-down approach would be taken in determining what action to perform on the traffic.

    See my screenshot below:

    I hope this clarifies your inquiry.

    Regards,

    FloSupport | Community Support Engineer
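To make the evaluation order discussed in this thread concrete, here is an added example (not Sophos code, and not posted by any participant) that models an IPS policy as an ordered list of rules. A rule's action is either explicit ("allow"/"drop") or "recommended", which defers to each signature's own recommended action; the first rule, top-down, that covers the matched signature decides, and a default applies when nothing matches. The signature ids, rule names and the audit helper are constructed for illustration.

```python
from dataclasses import dataclass

RECOMMENDED = "recommended"   # rule action that defers to each signature's recommendation


@dataclass(frozen=True)
class Signature:
    sid: str
    recommended_action: str   # vendor suggestion: "allow" or "drop"


@dataclass(frozen=True)
class PolicyRule:
    name: str
    signatures: frozenset     # sids this rule covers; empty set = every signature
    action: str               # "allow", "drop", or RECOMMENDED


def covers(rule, sid):
    """A rule with no signature list is a catch-all."""
    return not rule.signatures or sid in rule.signatures


def effective_action(rule, sig):
    """Action the rule applies to one signature: explicit beats recommended."""
    if rule.action == RECOMMENDED:
        return sig.recommended_action
    return rule.action


def evaluate(policy, sig, default_action="allow"):
    """Top-down: the first rule covering the matched signature decides.

    Returns (action, rule_name); rule_name is None when the default applied.
    """
    for rule in policy:
        if covers(rule, sig.sid):
            return effective_action(rule, sig), rule.name
    return default_action, None


def audit_overrides(policy, catalog):
    """List signatures whose effective action differs from the recommendation.

    A review step for a policy: an 'allow' over a recommended 'drop' is a
    coverage gap, a 'drop' over a recommended 'allow' is a false-positive
    candidate worth watching in the IPS logs.
    """
    findings = []
    for sig in catalog:
        action, rule_name = evaluate(policy, sig)
        if action != sig.recommended_action:
            findings.append((sig.sid, rule_name, sig.recommended_action, action))
    return findings


# Constructed signature catalog (hypothetical ids, not real Sophos signatures).
CATALOG = [
    Signature("SIG-WEB-SCANNER", "allow"),
    Signature("SIG-SMB-EXPLOIT", "drop"),
    Signature("SIG-DNS-TUNNEL", "allow"),
]

# The layout suggested in the thread: explicit rules on top,
# a catch-all "recommended" rule at the bottom.
POLICY = [
    PolicyRule("drop-scanners", frozenset({"SIG-WEB-SCANNER"}), "drop"),
    PolicyRule("everything-recommended", frozenset(), RECOMMENDED),
]

# The original question: a single rule set to Drop whose signatures all recommend Allow.
DROP_RULE_ONLY = [
    PolicyRule("drop-session", frozenset({"SIG-WEB-SCANNER", "SIG-DNS-TUNNEL"}), "drop"),
]

if __name__ == "__main__":
    for sig in CATALOG:
        print(sig.sid, "->", evaluate(POLICY, sig))
    print("overrides:", audit_overrides(POLICY, CATALOG))
```

Running it shows the scanner signature dropped by the explicit top rule, the exploit signature dropped by the bottom rule through its recommendation, and the DNS signature allowed the same way; with `DROP_RULE_ONLY`, the rule's Drop wins over the signatures' recommended Allow, and a signature the rule does not cover falls through to the default.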

  • What is the benefit of using this strategy? It seems like it would be better to just customize an IPS Policy to only look for and block the desired signatures so the IPS engine is dealing with fewer signatures overall.

  • Hey  

    I would agree with you in regards to your suggestion being the better approach.

    However, some administrators may decide that they don't have the time to perform this task, therefore I wanted to suggest at least having something in place.

    Regards,

  • Ah, makes sense. Just wanted to make sure I wasn’t setting up my IPS rules incorrectly or misunderstood how the rules/signatures work. ;)

    I’ve noticed my bandwidth performance doesn’t really change anyway with fewer IPS signatures (I’m assuming it’s because the Sophos IPS runs in inline mode).