Sophos Endpoint Security firewall - a few questions!

Hi, 

I am trying to set up the Endpoint Security firewall on my client PCs and I have a few questions.

On location detection using DNS.  What should the entries be?  A local DNS server?

I tried setting it up by installing the firewall from the console to a group of PCs, setting it to allow by default, running as many applications as possible, using them as normal, and leaving them for a week. I added all the applications I recognised and updated or added any extra checksums.

Once I had done that I changed the rule to Block by default. While people could log in, no one could access sites via Internet Explorer and the network connection now shows as Unauthenticated rather than Internet Access.

A number of applications want to launch hidden processes (though with the same process name as the application); are these safe to add to the list? For example iexplorer.exe, wscript.exe etc.

I tried a single PC with a standalone install, with the firewall set up as interactive, and then ran applications and added the rules manually. However, once I log off or reboot the PC, when I turn it back on the PC hangs on Windows boot-up (applying computer configuration) or, when logging in, it hangs applying group policy settings. The only solution is to leave it for several hours!

Any guidance would be appreciated. I read the rollout KB best methods and the guide for Sophos 10.3 but neither helped.


Thanks!

  • Hello Ed Dias,

    location detection using DNS
    this one is easy. With location detection an endpoint should find out whether it's on the local LAN (where a more lenient policy applies). For DNS you use name/IP pairs (note that there can be more than one). If any name in the list resolves to its corresponding IP the endpoint assumes it's on the LAN (note that it doesn't matter whether the endpoint can actually reach this address or not; what matters is that either no address or a different address is returned for requests from outside the LAN).

    hangs on windows boot up [...] or when logging in
    this suggests that some rules are missing (or the endpoint incorrectly detects its location as Secondary). Note that you don't get an interactive prompt if there isn't yet a user session (which could present the UI), so for connections blocked during startup the local firewall log (for SA) and, for managed installs, also the console Event Viewer must be checked.

    applications that want to launch hidden processes
    (no longer available in Windows 8 and later versions) Note that you can't restrict which (hidden) process is launched; in some cases it's necessary to allow it. The launched process is nevertheless subject to rules and options as when started "normally".

    Christian   

  • Thanks for the reply and sorry for taking so long to get back to this.

    Sorry, I still don't understand what should be entered for the DNS location. Should it be my domain name and then my corresponding local DNS server IP address?

    The biggest problem I currently have is, as mentioned previously, with the rule set to Block by default. While people could log in, no one could access sites via Internet Explorer and the network connection now shows as Unauthenticated rather than Internet Access.


    Thanks

  • Hello Ed Dias,

    DNS
    you enter a domain name (usually a hostname) that resolves to the IP address when the endpoint makes the query on your LAN and resolves to a different IP or to nothing on the outside. E.g. server01.internal.acme.com - 10.0.3.15 (queries from "the Internet" must fail), or www.acme.com - 10.0.1.32 (queries from outside return a public IP). In other words, if the endpoint makes a DNS query for the name and receives the IP as the response it considers its location as Primary. Clearer now?

    Block by default
    would not send an event to the console. Please view the Firewall log on the endpoint (you can filter for one or more reasons or rules).

    Christian
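The rule Christian describes in both replies (a list of name/IP pairs; the endpoint considers itself Primary if any name resolves to its paired address and Secondary otherwise, with no reachability check) modelled as an added Python example. This is not Sophos code and is not part of the thread; the hostnames, the addresses and the three simulated DNS "views" are constructed for illustration, and `make_resolver` exists only so the logic can be exercised offline instead of against a real resolver.

```python
"""Model of DNS-based location detection: any configured name/IP pair whose
name resolves to the expected IP makes the location Primary; else Secondary."""
import socket
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Hypothetical name/IP pairs as they would be entered in the location detection
# policy. Names and addresses are constructed for this example.
LOCATION_PAIRS: List[Tuple[str, str]] = [
    ("server01.internal.acme.com", "10.0.3.15"),  # must not resolve from the Internet
    ("www.acme.com", "10.0.1.32"),                # resolves to a public IP from outside
]

# A resolver maps a name to an IPv4 string, or None when the lookup fails.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Use the OS resolver, which is what a real endpoint would do."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def make_resolver(table: Dict[str, str]) -> Resolver:
    """Build a fake resolver from a name -> IP table to simulate one network view."""
    return lambda name: table.get(name)


def check_pairs(pairs: Sequence[Tuple[str, str]],
                resolve: Resolver) -> List[Tuple[str, str, Optional[str], bool]]:
    """Resolve every configured name; return (name, expected, answer, matched) per pair."""
    results = []
    for name, expected in pairs:
        answer = resolve(name)
        results.append((name, expected, answer, answer == expected))
    return results


def detect_location(pairs: Sequence[Tuple[str, str]],
                    resolve: Resolver = system_resolver) -> str:
    """'Primary' if ANY pair matches; a failed lookup or a different IP never matches."""
    return "Primary" if any(r[3] for r in check_pairs(pairs, resolve)) else "Secondary"


# Constructed DNS views (not real networks) for three situations.
LAN_VIEW = {"server01.internal.acme.com": "10.0.3.15", "www.acme.com": "10.0.1.32"}
INTERNET_VIEW = {"www.acme.com": "203.0.113.10"}   # internal name gets no answer
SPOOFED_VIEW = {"www.acme.com": "10.0.1.32"}       # outside resolver returns the LAN IP


if __name__ == "__main__":
    for label, view in (("LAN", LAN_VIEW), ("Internet", INTERNET_VIEW), ("Spoofed", SPOOFED_VIEW)):
        resolver = make_resolver(view)
        print(f"{label}: {detect_location(LOCATION_PAIRS, resolver)}")
        for name, expected, answer, matched in check_pairs(LOCATION_PAIRS, resolver):
            print(f"  {name}: expected {expected}, got {answer}, match={matched}")
```

The third view is the case Christian warns about: the decision trusts whatever address the resolver returns, so if a name in the list resolves to its LAN address from outside (a public record that leaks the internal IP, or a resolver on an untrusted network answering with it), the endpoint adopts the lenient Primary policy off the LAN. That is why each configured name must either fail to resolve or return a different address from outside, and why at least one pair with a purely internal name is the safer choice.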