Guest User!

You are not Sophos Staff.

Thread Info
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 3409 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: Using Firewall "Rule Groups"

Matthew Ritchie

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Difficulty Level:

Easy

Applies to:

All Sophos Firewall (XGS, Virtual, Software, Azure, AWS) Firmware v18.0+

Why would I do this?

As a Sophos Partner, or a Sophos customer managing 1 or 500 firewalls, keeping your firewall rules in an organized flow will help you to quickly analyze where you may need to make a change without requiring review of what every rule is doing one by one. Firewall "Rule Groups" saves you administrative time.

Where do i configure this?

Sophos Firewall > Admin UI > Protect: Rules and Policies > 

Steps:

  1. As shown above in "Where do I configure this?" you will log into your Firewall via HTTPS//172.16.16.16:4444 or via MGMT interface
  2. In the left menu, select "Protect: Rules and Policies", then Add Firewall Rule.
  3. Within the Add Firewall Window you will see the following, open the drop-down menu on "Rule Group":
  4. Click Add to add a new Rule group that will put any and all firewall rules we have to create now and in the future automatically into a "LAN-to-WAN" Rule Group. 
  5. Give your new "Rule Group" an appropriate name based on the targeted Firewall Rules. In this example, i have named this one "LAN-to-WAN" and provided a description for other admins and for myself when reviewing this later on.
  6. Continuing down the window we will now specify our Group Matching Criteria
  7. After creating this rule, you will return to the previous firewall creation menu and notice that you have a Rule Group selection of "LAN-to-WAN"
  8. From here on out, whenever you create a firewall rule that has this matching criteria, you can leave Rule Group selection as "Automatic" and it will place the rule into the appropriate Rule Groups.
  9. Rule Groups often seen to be effective:
    1. LAN-to-WAN (Group Internet Traffic Rules)
    2. LAN-to-LAN
    3. LAN-to-DMZ
    4. DMZ-to-LAN 
    5. LAN-to-VPN
    6. VPN-to-LAN
    7. WAN-to-LAN
  10. You can also refer to this the Documentation for creating Firewall Rules
    1. Add a firewall rule - Sophos Firewall


Updated Disclaimer
[edited by: Erick Jan at 9:57 AM (GMT -7) on 17 Apr 2023]
Parents

  • +1. Basically, a group for each Zone-Zone interaction that makes sense. (So Guest-to-WAN makes sense, but Guest-to-LAN doesn't.)

  • in reply to Wayne Folta

    Definitely agree with you that there would never be a use case or rare for Guest-to-LAN, but there are times where a DMZ-to-LAN rule may be necessary, perhaps a maintenance window for access to a resource, zone separated backups, even a pinhole for accounting or authentication. In any situation, you weigh the need for the ability to do something like that, though vs how it impacts security.

    In relation to the Rule Groups, at minimum if a rule was created like this, let's say by accident, it would ensure you had a group that gave you quick ability to identify and disable or modify as needed.

Reply
  • in reply to Wayne Folta

    Definitely agree with you that there would never be a use case or rare for Guest-to-LAN, but there are times where a DMZ-to-LAN rule may be necessary, perhaps a maintenance window for access to a resource, zone separated backups, even a pinhole for accounting or authentication. In any situation, you weigh the need for the ability to do something like that, though vs how it impacts security.

    In relation to the Rule Groups, at minimum if a rule was created like this, let's say by accident, it would ensure you had a group that gave you quick ability to identify and disable or modify as needed.

Children
No Data
Unfiltered HTML