We are trialing this endpoint system. With our current platform I can set a deny all, but allow just Office 365 URL's to allow outlook/webmail only. Is this possible? I don't really see any options to set that up?
In general, the Endpoint Web Control is more meant to prevent access to specific websites with a default allow. You could achieve this goal, but it would be cumbersome.
A better product for that sort of thing is the SFOS (Sophos Firewall) since it can sit at the demarc and can have more robust filtering options - such as acting as a web proxy. https://www.sophos.com/en-us/products/next-gen-firewall.aspx
Program Manager, Support Readiness | CISSP | Sophos Technical SupportSupport Videos | Product Documentation | @SophosSupport | Sign up for SMS AlertsIf a post solves your question use the 'Verify Answer' link.
Thanks. This is a simple check box in Kaspersky endpoint. We have an XG, but the procedures to do that is really involved, with user sync and logins, enable SSL inspection.certificate etc.
You don't need to use all related XG features to do what you want, which I think lowers the complication factor a lot.
All you need to do is have one Firewall rule to drop all HTTP/HTTPS traffic destined for the WAN, and above it place a rule that allows HTTP/HTTPS traffic but only to the websites you want to allow. Have these two rules early in the Firewalls Rules so that HTTP/HTTPS traffic is dropped before other rules that might allow it due to other factors.
For the HTTP/HTTPS traffic that you allow, you should impost the appropriate CFS, IPS, and decryption conditions that make sense.
Thanks. But it's not for everyone, just a few PC's so that does involve either restricting by the user log in or statically assigning/reserving an address etc. Comparably, I just wish there was a feature that could handle it along with blocking ZIP/Archives in the allowed downloads options with ease.
we are currently updating our Web Control offering. I will talk to the PM and dev team and see if we can include something like this or if the new offering will have an easier way of configuring it.
Thanks Richard. If you have their ear, can they add an option to block/warn/allow archive files like zips etc?
Also, I can't block downloads like exe's etc under the policy. It still allows them like downloading a driver exe from HP downloads and opens and runs :/. The web filtering on the policy is kind of working, I get an SSL error for blocled pages, but not a nice error that this page was blocked, and maybe company logo.