Please clarify IPS Policies?

I see these 10 IPS Policies available with very minimal description for what they do, what situation they apply to, and their relative “strengths”.  I assume strict is stronger than general.

1. DMZ TO LAN

2. DMZ TO WAN

3. LAN TO DMZ

4. LAN TO WAN

5. WAN TO DMZ

6. WAN TO LAN

7. generalpolicy

8. lantowan strict policy

9. lantowan general policy

10. dmzpolicy

Are the Policies directionally dependent, meaning LAN to WAN differs from WAN to LAN?  How?  I have seen other posts saying the source and destination Zones do not matter as the reverse traffic is also checked according to the policy.  Is this true, which would imply LAN to WAN and WAN to LAN are identical?

Do I need two firewall rules one applying WAN TO LAN and the other LAN TO WAN?

What is the difference between lantowan general policy and LAN to WAN?

What is the security level of generalpolicy relative to the others?

The Wizard created a default firewall rule using generalpolicy.  Does that mean it is “good enough” for general use?

I have one web server in LAN exposed by a DNAT rule and chose to apply WAN TO LAN in that rule; however, I don’t know if that is the best choice.  Is it actually doing anything with generalpolicy in the preceding firewall rule?

I have seen several posts saying descriptions of these policies would be forthcoming, but I can’t find such a thing.  I hope someone can and will do it in response.

  • Hi and welcome,

    I understand the reason for your questions, but at this stage from my point of view there is a lot of self help involved. You can ask your reseller for the details or you can explore the various IPS rules.

    If you go into the IPS tab and click on IPS policies you will get a short description of each policy.

    LAN to WAN is for your internal clients outgoing to the web.

    WAN to LAN is for your servers (incoming traffic).

    ian

  • In reply to rfcat_vk:

    Ian,

    I had discovered the brief descriptions of the policies.   My reseller does just that, resell, no support except Sophos Professional services.  I agree, there is not much self help compared to UTM 9.  The documentation only covers how to do something not why to do it.  Exploring the policies is quite time consuming when all I want to know is which one to use in different situations.  I will change to LAN TO WAN in the default firewall rule and leave the DNAT rule on WAN TO LAN.

    Thanks for responding,

    Dean

  • In reply to Dean Hammond:

    Hi Dean,

    when you get a bit more used to the way the XG is configured you will be able to build your own better performing IPS rules for your application.

    Ian

  • I have this same question. What is the difference between LAN TO WAN, General Policy, lantowan strict and lantowan general?

    I’m currently using lantowan general, but I’m not really even sure what it does... or if I should be using one of the other three rules that sounds like they could potentially fit my needs. With no information, it’s not really possible to make a decision.

  • In reply to shred:

    Hi folks,

    the best way for you to tell is to open each IPS rule and examine what IPS features are included. I know it is messy and time consuming but will help you understand the way XG thinks.

    Ian

  • In reply to rfcat_vk:

    When I open the LAN TO WAN policy, it lists a bunch of categories such as "Operating System and Services", "ERP System", etc. You can't actually view anything. When I view "lantowan general", there is a "Migrate_def_filter_3" that I can open which lists 7158 rules I can scroll through. When I open "lantowan_strict", there is a "Migrate_def_filter_2" that shows 7158 rules as well that looks identical. Bottom line, I can't even view what's in LAN TO WAN and the other two appear to be the same, and scrolling through 7158 really doesn't help me understand these policies. Someone or a group of people obviously created these at Sophos. All we need is a little more detailed description of the purpose of each policy, recommended use and differences between each other.

  • In reply to shred:

    Hi,

    the more I look and play with this stuff the more I begin to understand (long way to go). The first 6 are templates which have everything in them but for different end points eg client and server. What I can't find is what determines whether you are protecting a client or a server other than maybe firewall rule type eg business rule for server and user for client?

    The other filters have been provided for you to use, fine tune by removing some of the IPS rules or build your own to remove whole IPS functions eg I just deleted ERP and control from my IPS rule. You can review each IPS group by selecting category and then ticking the box you wish to review, which reduces the number of IPS items significantly.

    Ian

    I am trying to help so don't shoot the messenger, yes the documentation is very poor.

  • I ended up just creating my own policy. The “lantowan_general”, “lantowan_strict”, “general policy” and “dmzpolicy” seem to be identical as far as I can tell. They apply to all categories, all severity, all platforms and all targets (7158 rules). I’m not sure if these are just placeholders and the plan was to update them in the future. Hopefully someone from Sophos can shed some light on this topic.

    The custom policy I created is based on:

    - Protect everything connected to my home network.

    - I don’t have any devices running Windows or Solaris.

    - I am not running any servers, database management systems, industrial control systems or ERP systems.

    This significantly reduced the number of rules to 1520. It doesn’t seem to make any difference with bandwidth though, still seeing about 300Mbps with IPS enabled compared to 900Mbps with IPS off.

    Here’s a screenshot of my custom policy:
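    A model of the four selectors shred describes (category, severity, platform, target), as an added example that is neither Sophos code nor any poster's; the rule inventory, field names and category values are constructed assumptions used to show how an "everything" policy and a home-network policy narrow the same rule set:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One IPS rule as the XG policy editor classifies it (constructed model)."""
    sid: int
    category: str   # e.g. "Operating System and Services", "ERP System"
    severity: str   # critical / major / moderate / minor / warning
    platform: str   # "Windows", "Solaris", "Linux" or "Any" (platform-agnostic)
    target: str     # "client" or "server"

# Constructed inventory for illustration, not real Sophos rule content.
INVENTORY = [
    Rule(1000, "Browsers", "critical", "Any", "client"),
    Rule(1001, "Operating System and Services", "major", "Windows", "client"),
    Rule(1002, "Operating System and Services", "major", "Solaris", "server"),
    Rule(1003, "Web Services and Applications", "critical", "Linux", "server"),
    Rule(1004, "Database", "major", "Any", "server"),
    Rule(1005, "ERP System", "moderate", "Any", "server"),
    Rule(1006, "Industrial Control Systems", "critical", "Any", "server"),
    Rule(1007, "Malware Communication", "critical", "Any", "client"),
    Rule(1008, "Office Tools", "minor", "Windows", "client"),
]

def apply_policy(rules, categories=None, severities=None, platforms=None, targets=None):
    """Keep rules matching every selector; None means "all" for that selector.
    Platform-agnostic rules stay whenever any platform is selected, so removing
    Windows and Solaris does not also strip rules that fire against any host."""
    def keep(r):
        return ((categories is None or r.category in categories)
                and (severities is None or r.severity in severities)
                and (platforms is None or r.platform == "Any" or r.platform in platforms)
                and (targets is None or r.target in targets))
    return [r for r in rules if keep(r)]

def everything_policy(rules):
    """All categories, severities, platforms and targets: the whole inventory."""
    return apply_policy(rules)

def home_policy(rules):
    """No Windows/Solaris hosts, no servers, DBMS, ICS or ERP: clients only."""
    server_cats = {"Web Services and Applications", "Database",
                   "ERP System", "Industrial Control Systems"}
    cats = {r.category for r in rules} - server_cats
    plats = {r.platform for r in rules} - {"Windows", "Solaris"}
    return apply_policy(rules, categories=cats, platforms=plats, targets={"client"})

def dropped_sids(rules, policy):
    """SIDs a narrower policy no longer applies, for reviewing what was given up."""
    return sorted({r.sid for r in rules} - {r.sid for r in policy(rules)})
```

    Reviewing `dropped_sids` before enabling a trimmed policy shows exactly which rules the platform and category exclusions removed, which the XG editor's rule count alone does not.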

  • In reply to shred:

    Hi Shred,

    when you review the DOS attacks tab what if any do you see as being dropped?

    Ian

  • In reply to rfcat_vk:

    None. I don’t have DoS setup/configured. The only three options I have enabled under DoS settings are:

    - Dropped Source Routed Packet (enabled by default)

    - Disable ICMP/ICMPv6 Redirect Packet (enabled by default)

    - ARP Hardening (not enabled by default)

    I’m not sure how to setup DoS and Spoof Protection for home use.

    My understanding is the DoS attacks tab has nothing to do with IPS policies but the entire ‘Intrusion Prevention’ page layout is confusing...

  • In reply to shred:

    The DoS stuff is part of the IPS package.

    Ian

  • In reply to shred:

    I've experienced the same behaviour regarding the throughput performance. As soon as the IPS is enabled, the amount of patterns doesn't seem to play any role...

  • In reply to rfcat_vk:

    rfcat_vk
    The DoS stuff is part of the IPS package.

    Ian

    Please read posts more carefully. I understand DoS falls under what Sophos XG classifies as “Intrusion Prevention”. What I said was the DoS Attacks tab has nothing to do with IPS policies, because it doesn’t as far as I can tell. The DoS Attacks tab shows dropped packets specifically pertaining to DoS Attacks (SYN, UDP, TCP, ICMP and IP floods). To view what’s going on with IPS policies, there’s a section in the log viewer.

    I understand you’re trying to help and I appreciate the amount of time and effort you put into replying to nearly every thread on this forum, but I’ve found multiple times it seems like you read posts too quickly before replying. Some day we will figure out how Sophos XG works :) It’s just unfortunate sometimes when it seems like they’ve tried to make things easier, in actual use it makes it more difficult.

  • In reply to Dom Nik:

    Dom Nik
    I've experienced the same behaviour regarding the throughput performance. As soon as the IPS is enabled, the amount of patterns doesn't seem to play any role...

    I know Sophos XG uses Snort for its IPS engine which is limited to a single CPU core for its packet inspection. But based on doing some research on IPS engines and using pfSense, increasing patterns typically decreases throughput. I’d think going from 7k+ patterns to ~1.5k would have had some impact, but I ran a speed test multiple times and it didn’t budge. I wonder if Sophos has looked into using Suricata which supports multiple cores.

  • In reply to shred:

    Shred,

    I am glad to not be alone but sorry you are struggling also.  I had much better luck getting responses in the UTM group than I have had in the XG group.  Returning to the IPS Policies, I intend to somehow inspect them and document their contents so that I can compare them and learn from it.  It will take a long time because there is apparently no way to print or export.

    Dean