Sophos XG Firewall / Cyberoam: Application filter recommended settings for better application detection

Overview

This article describes the recommended CLI settings for the application filter so that critical and evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc. are detected and blocked more reliably.

Applies to the following Sophos products and versions
Sophos Firewall and Cyberoam

What to do

CLI settings

  1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
  2. Verify the current configuration by issuing the following commands.
    show advanced-firewall
    show ips-settings
  3. Issue the following commands for the recommended settings.
    set advanced-firewall midstream-connection-pickup off
    set ips maxsesbytes-settings update 0
    set ips maxpkts 80
    set ips packet-streaming on
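The check in step 2 and the commands in step 3 can be turned into a repeatable audit. The script below is an added example written for this article, not Sophos code: it parses the text returned by the two `show` commands, compares it with the recommended values, and prints the `set` commands from step 3 for every setting that has drifted. The sample `show` output is constructed, and the label names in SHOW_KEYS are assumptions; the labels actually printed by the console differ between releases, so adjust that mapping to match your device.

```python
"""Compliance check for the application-filter CLI settings recommended above.

Added example, not Sophos code. The `show` output below is CONSTRUCTED for
illustration and the labels in SHOW_KEYS are assumptions; adjust them to the
text your console prints. The `set` commands are the ones from step 3.
"""
import re

# Recommended value per setting, and the console command that enforces it.
RECOMMENDED = {
    "midstream-connection-pickup": ("off", "set advanced-firewall midstream-connection-pickup {v}"),
    "maxsesbytes-update": ("0", "set ips maxsesbytes-settings update {v}"),
    "maxpkts": ("80", "set ips maxpkts {v}"),
    "packet-streaming": ("on", "set ips packet-streaming {v}"),
}

# Assumed labels in the `show advanced-firewall` / `show ips-settings` output.
SHOW_KEYS = {
    "Midstream Connection Pickup": "midstream-connection-pickup",
    "Maxsesbytes Update": "maxsesbytes-update",
    "Max Packets": "maxpkts",
    "Packet Streaming": "packet-streaming",
}

# One "Label : value" line; headings without a colon do not match.
LINE_RE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z0-9 /_-]*?)\s*:\s*(?P<value>\S+)\s*$")


def parse_show_output(text):
    """Map the recognised labels to their (lower-cased) values; ignore the rest."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = SHOW_KEYS.get(m.group("label").strip())
        if key:
            found[key] = m.group("value").strip().lower()
    return found


def check_compliance(actual):
    """Return (compliant, drift) where drift maps a setting to (expected, actual).
    A setting missing from the output counts as drift (actual is None)."""
    drift = {}
    for key, (expected, _) in RECOMMENDED.items():
        got = actual.get(key)
        if got != expected:
            drift[key] = (expected, got)
    return (not drift), drift


def remediation_commands(drift):
    """The step 3 commands for every drifted setting, in the article's order."""
    return [RECOMMENDED[k][1].format(v=RECOMMENDED[k][0]) for k in RECOMMENDED if k in drift]


# Constructed sample: a device still on the defaults the article tells you to change.
SAMPLE_SHOW = """\
Advanced Firewall Settings
  Midstream Connection Pickup : on
  Strict ICMP Tracking        : off
IPS Settings
  Packet Streaming  : off
  Max Packets       : 100
  Maxsesbytes Update: 0
"""

if __name__ == "__main__":
    ok, drift = check_compliance(parse_show_output(SAMPLE_SHOW))
    print("compliant" if ok else "drift: %r" % drift)
    for cmd in remediation_commands(drift):
        print(cmd)
```

Paste the real output of the two `show` commands in place of SAMPLE_SHOW (or read it from a file) and the script lists exactly the commands still to be issued; an empty list means the device already matches step 3.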

GUI settings

Application filter policy settings

Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. On CROS, Micro App must be enabled in the application filter policy.

  • DNS Multiple QNAME
  • OpenVPN
  • QUIC
  • Non-SSL/TLS traffic on port 443

Firewall rule settings

The same application filter policy (as configured above) must also be applied to the DNS firewall rule, if there is one.

For Psiphon Proxy

V17.5 and prior deployments

CLI + GUI Settings.

  1. In v17.5, HTTPS scanning needs to be enabled in the firewall rule.
  2. A web filter policy that denies the categories below must be applied to the firewall rule concerned.
    1. IPAddress
    2. None
    3. Parked Domains
    4. Spam URLs (Available only in XG)
    5. Anonymizers
    6. Spyware & Malware
    7. Uncategorized
  3. Custom web filter categories should also be verified: keywords matching well-known domains such as yahoo, microsoft, google, twitter, wikipedia, skype, facebook, bing, etc. should not be allowed.
  4. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
  5. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN→WAN. If Psiphon still connects after all the steps have been followed, it is highly likely that traffic on other ports is passing through other firewall rules (ports 1025 to 65535 can be allowed).

    a) For example, the primary rule should allow only a limited set of services.

    b) The rule below the primary rule should deny traffic for the port range 1 to 1024 (the well-known ports) from the same source machines.

  6. Block the Non-SSL/TLS traffic on port 443 application in the application filter policy concerned.
  7. If Psiphon still connects after all the steps above have been performed, restrict the DNS rule to an allow list of known DNS servers in Destination (for example 8.8.8.8, 4.2.2.2, 8.8.4.4, 9.9.9.9, 1.0.0.1, 1.1.1.1). This may help to avoid bug CLITE-790.
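Steps 5 and 7 (and step 3 of the V18 procedure below) are really a statement about rule order: the first rule that matches a connection decides, so a broad allow rule placed above the deny rule silently reopens the ports the primary rule left out. The script below is an added example written for this article, not Sophos code, and it models first-match ordering rather than the SFOS rule engine. The LAN subnet 10.0.0.0/24, the rule names and the test destinations are constructed; the services are the ones the article allows and the DNS destinations are the article's server list. It evaluates single connections against a rule set and then audits which ports in 1 to 1024 a LAN host can actually reach, for both the recommended layout and the misordered one the article warns about.

```python
"""First-match evaluation of the LAN->WAN rule layout from steps 5 and 7.

Added example, not Sophos code. Rule names, the 10.0.0.0/24 LAN and the
test destinations are constructed; services and the DNS allow list come
from the article. Ordering semantics: first matching rule wins, otherwise
the implicit default deny applies.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LAN = ip_network("10.0.0.0/24")   # constructed LAN subnet
ANY = ip_network("0.0.0.0/0")
KNOWN_DNS = tuple(ip_network(ip + "/32") for ip in
                  ("8.8.8.8", "4.2.2.2", "8.8.4.4", "9.9.9.9", "1.0.0.1", "1.1.1.1"))

# Services the article allows on LAN->WAN: (protocol, port); None = any port.
SERVICES = {"HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "DNS": ("udp", 53),
            "SMTP": ("tcp", 25), "ICMP": ("icmp", None)}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: tuple           # networks the destination may fall in
    match: tuple         # (proto, lo, hi) port ranges, hi inclusive


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    dport: int = 0       # unused for icmp


def svc(*names):
    """Service names -> port-range tuples; ICMP matches regardless of port."""
    return tuple((SERVICES[n][0], SERVICES[n][1] or 0, SERVICES[n][1] or 65535) for n in names)


def port_range(lo, hi):
    """A TCP+UDP port range, as used by the deny rule in step 5b."""
    return (("tcp", lo, hi), ("udp", lo, hi))


def matches(rule, c):
    s, d = ip_address(c.src), ip_address(c.dst)
    if s not in rule.src or not any(d in n for n in rule.dst):
        return False
    return any(p == c.proto and lo <= c.dport <= hi for p, lo, hi in rule.match)


def evaluate(rules, c):
    """Return (rule name, action) of the first matching rule, else the default deny."""
    for r in rules:
        if matches(r, c):
            return r.name, r.action
    return "default", "deny"


def allowed_low_ports(rules, src, dst):
    """Audit for step 5b: the TCP/UDP ports in 1..1024 that src can reach on dst.
    For the recommended layout this must be only the allowed services."""
    return sorted((proto, p) for proto in ("tcp", "udp") for p in range(1, 1025)
                  if evaluate(rules, Conn(src, dst, proto, p))[1] == "allow")


# The layout the article recommends (rule names constructed).
RECOMMENDED_RULES = [
    Rule("DNS to known resolvers", "allow", LAN, KNOWN_DNS, svc("DNS")),               # step 7
    Rule("LAN->WAN primary", "allow", LAN, (ANY,), svc("HTTPS", "HTTP", "ICMP", "SMTP")),  # 5a
    Rule("Deny well-known ports", "deny", LAN, (ANY,), port_range(1, 1024)),           # 5b
    Rule("High ports", "allow", LAN, (ANY,), port_range(1025, 65535)),                 # permitted
]

# The mistake step 5 warns about: a broad allow rule sits above the deny rule.
MISORDERED_RULES = [
    RECOMMENDED_RULES[1],
    Rule("Any LAN->WAN", "allow", LAN, (ANY,), port_range(1, 65535)),
    RECOMMENDED_RULES[2],
]

if __name__ == "__main__":
    host, wan = "10.0.0.5", "203.0.113.10"      # constructed test endpoints
    for c in (Conn(host, "8.8.8.8", "udp", 53), Conn(host, wan, "udp", 53),
              Conn(host, wan, "tcp", 22), Conn(host, wan, "tcp", 8443)):
        print(c, "->", evaluate(RECOMMENDED_RULES, c), "| misordered:", evaluate(MISORDERED_RULES, c))
    print("recommended, ports <=1024 reachable:", allowed_low_ports(RECOMMENDED_RULES, host, wan))
    print("misordered, ports <=1024 reachable:", len(allowed_low_ports(MISORDERED_RULES, host, wan)))
```

Run against a transcription of your own rule table, the `allowed_low_ports` audit answers the question step 5 raises: if anything other than 25, 80 and 443 (plus 53 to the listed resolvers) comes back, some rule above the deny rule is carrying the traffic Psiphon is using.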

For V18 Deployments

  1. SSL/TLS inspection must be enabled under the SSL/TLS inspection settings, and a decryption rule must be created that matches the firewall rules concerned.

  2. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
  3. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN→WAN. If Psiphon still connects after all the steps have been followed, it is highly likely that traffic on other ports is passing through other firewall rules (ports 1025 to 65535 can be allowed).

For Hot Spot Shield Proxy

  1. Enable HTTPS scanning.
  2. Configure all the CLI and GUI settings described above.
  3. Enable option in Web > General Settings > Block unrecognized SSL protocols.
  4. Enable option in Web > General Settings > Block invalid certificates.
  • Hi,

    interesting about the block unknown ssl traffic when the recommended default is to leave it off.

    Ian

  • In reply to rfcat_vk:

    rfcat_vk

    interesting about the block unknown ssl traffic when the recommended default is to leave it off.

    Maximum compatibility is to have it off.

    Maximum protection is to have it on.

    Most admins care more about compatibility and therefore have it off.  That is the default and the recommendation.  For some cases where admins are trying to block specific things, it needs to be on.  Turning it on will help block Hot spot Shield Proxy, but will also block other things.

  • Noticed the recommendation for maxpkts is 80 here but in this guide, it recommends setting between 100 to 300. What is the recommended setting? I'm assuming higher offers better scanning capability but is 300 where you hit a point of diminishing returns?

  • In reply to shred:

    Also, that only applies to V17.x, V18 has more parameters which are not shown.

    Ian

  • In reply to rfcat_vk:

    Just to be sure :-)

    maxpkts for V17.x = ?

    maxpkts for V18.x = ?

    Also noticed, that maxpkts 300 had no performance impact at all but I had less false positives after setting it. (on V18)