
Application Filter Whitelist

Hello,

 

I think that I might just not be doing it right, but I cannot, for the love of god, create an application filter which has its default action set to "Deny".

If I go to Applications -> Application Filters -> Add I can enter the following:

Name, Description and Template.

And I can only choose the predefined templates, which all default to allow.

Since there is no option to change the default action after creating the application filter, there is no way to create an application filter which works as a whitelist.

All I can do is a blacklist.


Is this a bug, or just not possible at the moment?

Kind Regards,

Julian



  • Hi Julian,

    You are correct in that you cannot change the default action of an Application Filter template, but it is still possible to whitelist.

    You can do this by editing or adding a new Application Filter policy, selecting the applications you want to whitelist, then changing the action from 'Deny' to 'Allow'.

    A way to achieve the "Deny All" would be to create a new Application Filter Policy, selecting 'All' under categories and choosing 'Deny' for Action.

    This will in essence trump the Allow All default action with a Deny All, and above this you can create a new Application Filter Criteria with the applications you want to whitelist.

    Thanks,
    Karlos

    Community Support Engineer | Sophos Technical Support

  • Hello,

    I can confirm this behaviour on 17.0.2 MR2: I cannot create a whitelist application filter with a deny default action.

    I tried a filter with default allow:

    Application | Application Filter Criteria | Schedule | Action
    --- | --- | --- | ---
    Youtube Video Streaming | Category = Streaming Media; Risk = 3-Medium; Characteristics = Excessive Bandwidth, ...; Technology = Browser Based | All the Time | Allow
    Facebook Blackberry Chat, Facebook Iphone, Facebook Android, Facebook Blackberry, Instagram, QUIC, Snapchat | Category = Mobile Applications, ...; Risk = 1-Very Low, 2-Low, 3...; Characteristics = Prone to misuse, Tra...; Technology = Browser Based, Clien... | All the Time | Deny
    HTTP, iCloud, iCloud Bookmarks, Secure Socket Layer Protocol, Apple Store, iCloud Contacts, Android Market, ZIP File Download, Apple Appstore, iCloud Calender | Category = File Transfer, Mobil...; Risk = 1-Very Low, 2-Low, 3...; Characteristics = Excessive Bandwidth, ...; Technology = Browser Based, Clien... | All the Time | Allow
    EXE File Download, BITS, MS Essentials AV Update, Secure Socket Layer Protocol, Windows Update, Microsoft Updates, Multi Thread File Transfer | Category = File Transfer, Softw...; Risk = 1-Very Low, 2-Low, 3...; Characteristics = Excessive Bandwidth, ...; Technology = Browser Based, Clien... | All the Time | Allow
    All Application | Category = All Categories; Risk = All Risk; Characteristics = All Characteristics; Technology = All Technology | All the Time | Deny
    This was working with v16 but not anymore in v17; my Android devices could not detect internet connectivity.
     
    The strangest thing is that it seems to work when I break the deny-all rule into several parts: if I create a deny all for risk 1 and another for risks 2, 3, 4 and 5, it seems to work.
     
    Regards
     
  • Hi Karlos,

     

    I will try, but this does not seem like a safe workaround. This only blocks all apps known by Sophos.

    If there is an unknown app, it will bypass...

     

    I found another post stating that this feature has been removed in V17: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter

    Would support find that it did work in V16...

     

    Kind Regards,

    Julian

  • Btw, seems "Deny All" still exists...

    "Policy could not be created. Application filter policy with the same name as 'Deny All' already exists, choose a different name." when I wanted to create a policy named "Deny All"

  • No one should be using Application Filters with a default action of Deny All.  If you want to - you probably aren't going to end up doing what you think you are doing.

    In v16, however, it was allowed.  You could create a new policy using any other as a template, including the "Deny All" policy.  This was basically a bad idea, the system allowed users to create things they really shouldn't.

    In v17 you can no longer create a new policy based on Deny All.  However, any existing policies still exist.

     

    So here is the question -- what are you actually trying to do?

    I simply want to create an application filter working as a whitelist for everything but some chosen apps.

     

    For Example

    I have a network where Windows DCs are in. I want to protect this network so that only applications matching Active Directory services are allowed from clients into this network.

    Hence I created an application filter denying all apps and allowing only the needed applications used in active directory.

     

    This works, but the problem I see is, if there is a new or unknown app, not yet known by Sophos, this application will pass.

    You are describing how a solution you want to use doesn't work.  What I want to know is what the underlying thing you are trying to do is.  Ignore HOW it is done: what is the business problem?

     

    "whitelist of everything but some chosen apps"  - what you are describing is a blacklist.

     

    If you are trying to protect one internal network segment from data from another internal network segment, you should create a firewall rule with appropriate Source and Destination, allowing only the ports ("Services") that you need (eg active directory).  Application control does not come into it.
    If you instead create a Service=Any rule and put in Application Control with a Deny All policy (my guess at what you are trying to do) you will end up with a very insecure network as you basically have said "open up all ports to all traffic, but within that block Skype and the Bing website".

     

    In my case, I have a default rule which allows my children to update apps on the Play Store without authentication: I use a web filter to allow only a limited website list (Google stuff and CDNs) and I use the application filter to avoid Google streaming, for example.

  • Another way of stating it is that firewall rules happen "before" application control rules.  In order for your system to be secure you first have to be secure in your firewall rules.  If your firewall rule opens up everything, you cannot use application control to then close it up again.
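    The evaluation order described in the replies above (a firewall rule is matched first on zones and ports, and application control only runs inside a matching Allow rule, top-down, first match wins, falling back to the template's fixed Allow default), modelled as an added Python example. This is not code from the thread or from Sophos: the signature database, the AD port list, the rule names and the implicit drop for traffic that matches no firewall rule are assumptions made for illustration. It reproduces the workaround from Karlos's reply (named apps allowed on top, "All Categories" denied underneath) and shows why an unclassified application slips through it when the firewall rule is Service=Any, and why a port-restricted firewall rule stops that traffic before application control ever sees it.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed, hypothetical signature database: app name -> category.
# Stands in for the vendor's application signatures; anything not listed
# here is "unknown" to the application engine.
APP_DB = {
    "Active Directory": "Network Services",
    "Kerberos": "Network Services",
    "Windows Update": "Software Updates",
    "YouTube Video Streaming": "Streaming Media",
    "Skype": "Instant Messenger",
}

# Illustrative AD service ports (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB).
AD_PORTS = {53, 88, 135, 389, 445}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: Optional[str]  # None: the app engine produced no classification


@dataclass
class AppRule:
    """One criteria line in an application filter policy (first match wins)."""
    name: str
    action: str                      # "Allow" or "Deny"
    apps: Optional[Set[str]] = None  # explicit application list, or ...
    all_categories: bool = False     # ... the "All Categories" criterion


@dataclass
class AppPolicy:
    rules: List[AppRule]
    default_action: str = "Allow"    # template default, which cannot be changed


@dataclass
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    services: Optional[Set[int]]     # None means Service = Any
    app_policy: Optional[AppPolicy] = None
    action: str = "Allow"


def app_rule_matches(rule: AppRule, flow: Flow) -> bool:
    # Signature-based criteria only apply to traffic the engine classified;
    # an unknown app matches nothing, not even "All Categories".
    if flow.app is None or flow.app not in APP_DB:
        return False
    if rule.all_categories:
        return True
    return rule.apps is not None and flow.app in rule.apps


def fw_rule_matches(rule: FirewallRule, flow: Flow) -> bool:
    if (rule.src_zone, rule.dst_zone) != (flow.src_zone, flow.dst_zone):
        return False
    return rule.services is None or flow.dst_port in rule.services


def evaluate(rules: List[FirewallRule], flow: Flow) -> Tuple[str, str]:
    """Firewall rules first; application control only inside a matching
    Allow rule. Returns (verdict, what decided it)."""
    for fw in rules:
        if not fw_rule_matches(fw, flow):
            continue
        if fw.action == "Deny" or fw.app_policy is None:
            return fw.action, fw.name
        for ar in fw.app_policy.rules:
            if app_rule_matches(ar, flow):
                return ar.action, f"{fw.name}/{ar.name}"
        return fw.app_policy.default_action, f"{fw.name}/template default"
    # Assumed: traffic that matches no firewall rule is dropped.
    return "Deny", "no matching firewall rule"


# The whitelist-style policy from the thread: AD apps allowed on top,
# "All Categories -> Deny" underneath, template default left at Allow.
AD_WHITELIST = AppPolicy(rules=[
    AppRule("AD services", "Allow", apps={"Active Directory", "Kerberos"}),
    AppRule("Deny everything classified", "Deny", all_categories=True),
])

# Variant 1: Service = Any, relying on application control to close things up.
ANY_PORT_RULES = [FirewallRule("LAN->DC any", "LAN", "DC", None, AD_WHITELIST)]

# Variant 2: ports restricted in the firewall rule, app control as a second check.
PORT_RESTRICTED_RULES = [FirewallRule("LAN->DC AD ports", "LAN", "DC", AD_PORTS, AD_WHITELIST)]

if __name__ == "__main__":
    unknown = Flow("LAN", "DC", 4444, app=None)
    for label, rules in (("Service=Any", ANY_PORT_RULES), ("AD ports", PORT_RESTRICTED_RULES)):
        print(f"{label}: unknown app on tcp/4444 -> {evaluate(rules, unknown)}")
```

    Running it shows the two outcomes the thread argues about: with Service=Any the unclassified flow reaches the application policy, matches no criterion and is allowed by the template default; with the port-restricted rule it never matches a firewall rule and is dropped. Note that an unknown app on an allowed port (e.g. 389) is still allowed in the second variant, which is why the firewall rule, not application control, carries the security decision.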

  • I wanted to do both.

    Allow only the ports necessary but still check for invalid applications.

    Take HTTPS and OpenVPN for example. They could be using the same port, but are completely different ports.

    Also, my Sophos salesman told me the XG is blocking/allowing applications, not ports. Or is this only for WAN traffic?