
Outbound TCP Rule

I am using Sophos Enterprise Console version 5.2.1.197 on a Windows based server.

I am having problems getting the outbound TCP rule to work without generating firewall events.

A sample firewall event would be:

Event type:  No global rule

Direction:  Outbound

Protocol:  TCP

Remote Port:  80

Remote Address:  54.177.147.99

I have set up a global rule called Outbound TCP Rule which is a high priority rule.  The settings for this rule are:

Protocol:  Stateful TCP

Direction:  Outbound

Remote Address:  *.*.*.*

Local address:  Local network

Remote Port:  HTTP, HTTPS

Allow

Can someone please explain why firewall events are still being generated with this rule in place?  I have tried to make the allowed connection as broad as possible in an attempt to see where the problem may be coming from, but so far no luck.

To the best of my knowledge, there are no other conflicting rules.

I apologize in advance for being generally competent with Sophos, but I am certainly no expert in this area.

Any assistance would be greatly appreciated.

Thank you!

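A small triage script, added here and not part of the thread or of Sophos' own tooling, that checks exported events in the format quoted above against the Outbound TCP Rule exactly as listed: an event that the rule as written should have allowed, yet still logs "No global rule", points at the rule not being applied on that endpoint rather than at the rule's contents. The HTTP/HTTPS port mapping and the "*" wildcard-octet semantics are assumptions, and the "Local network" local-address condition is not modelled because the event carries no local address.

```python
# Service names the console accepts in the "Remote Port" field (mapping assumed here).
SERVICE_PORTS = {"HTTP": {80}, "HTTPS": {443}}

def expand_ports(spec: str) -> frozenset:
    """'HTTP, HTTPS' -> {80, 443}; bare numbers are taken literally."""
    ports = set()
    for item in (s.strip() for s in spec.split(",")):
        ports |= SERVICE_PORTS.get(item.upper(), {int(item)} if item.isdigit() else set())
    return frozenset(ports)

def parse_event(text: str) -> dict:
    """Turn the 'Field:  value' lines of one exported event into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def address_matches(pattern: str, address: str) -> bool:
    """A '*' octet in the rule matches any octet of the event address (assumed)."""
    p, a = pattern.split("."), address.split(".")
    return len(p) == len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))

def rule_covers(rule: dict, event: dict) -> bool:
    """True if the rule as written should have allowed this event."""
    proto, port = event.get("Protocol", "").upper(), event.get("Remote Port", "")
    return bool(proto) and proto in rule["protocol"].upper() \
        and event.get("Direction") == rule["direction"] \
        and address_matches(rule["remote_address"], event.get("Remote Address", "")) \
        and port.isdigit() and int(port) in rule["remote_ports"]

def triage(rule: dict, events: list) -> dict:
    """Covered events suggest the rule is inactive on that endpoint; the rest need another rule."""
    out = {"covered": [], "unmatched": []}
    for ev in events:
        out["covered" if rule_covers(rule, ev) else "unmatched"].append(ev)
    return out

# The global rule exactly as listed in the question.
OUTBOUND_TCP_RULE = {"protocol": "Stateful TCP", "direction": "Outbound",
                     "remote_address": "*.*.*.*", "remote_ports": expand_ports("HTTP, HTTPS")}

# Constructed sample: the event quoted in the question plus a UDP/53 one for contrast.
SAMPLE_EVENTS = [parse_event(e) for e in (
    "Event type:  No global rule\nDirection:  Outbound\nProtocol:  TCP\n"
    "Remote Port:  80\nRemote Address:  54.177.147.99",
    "Event type:  No global rule\nDirection:  Outbound\nProtocol:  UDP\n"
    "Remote Port:  53\nRemote Address:  192.0.2.53",
)]
```

Running `triage(OUTBOUND_TCP_RULE, SAMPLE_EVENTS)` puts the quoted port-80 event under "covered", which is the situation the question describes, and the UDP event under "unmatched".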


  • Hello Terry,

    it's the OS of the endpoint sending the alerts which might be relevant.

    Anyway, I think the No global rule is only issued when no application is involved, i.e. the connection is made by "system" (wonder where it wants to connect to and what it could be). Still this does not explain the event assuming the rule is active. How many endpoints are generating these events? Did you check that the endpoints comply with the policy and the rule is configured (and enabled) on them?

    Christian
