Thread Info
  • State Suggested Answer
  • Replies 7 replies
  • Answers 2 answers
  • Subscribers 10 subscribers
  • Views 2174 views
  • Users 0 members are here
Options
Suggested

Central Firewall - no Sophos Services and FQDN - why?

LHerzog

When going to Hosts and Services in Sophos Central, you pre-configured a lot of 3rd Party stuff there but forgot to pre-configure your own services.

So why is there no FQDN group for Sophos Services? There are all the other vendors and your'e maintaining them more or less... 

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

So now I want to prepare some firewalls rules for Sophos devices and need a lot of time to implement all these FQDN manually. That could have been done better.

You cannot handle everything by built-in TLS Exception URL groups.

Parents Reply Children
  • 0 in reply to LHerzog

    Thank you for clarifying. I recommend sending this in as a feature request from the Sophos Ideas page. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • FormerMember
    0 FormerMember in reply to LHerzog

    Hi, 

    The default design choice in the SFOS is that users will allow outbound traffic for web (http/https) and then use the web filter to restrict and protect it. This security stance works for the majority of our customers. However, for those that desire to have a stricter firewall rule policy (limiting http and https traffic at the perimeter without using the web filter) a bit more work is needed to configure this. Basically, the Sophos URLs are auto excluded in our web filter. So you could allow 80 and 443 outbound and turn on the web filter and restrict everything but Sophos would still be accessible.

    Does that answer your question?

  • 0 in reply to FormerMember

    Just to add onto this, Sophos does add all the necessary TLS and filtering exceptions if web filtering is enabled we have the following exceptions out of the box:


    Also for the managed TLS exclusions list we have added all of the Sophos domains in the "URL groups" section. Hopefully the suggestion from Richard can help in the future for ease of configuration.

  • 0 in reply to Ry Guy

    Thanks. Indeed there are scenarios, like Sophos Central WiFi and others, that are not covered by these exceptions or the TLS exclusion groups. They require firewall rules and so need to create all the hosts manually.

    Also think of a Server LAN - would you generally allow servers any internet connection via Web Proxy / DPI TLS Inspection? If probably no, you need to create a firewall rule to the (Sophos) hosts, they are only allowed to communicate with. That's where you would need pre configured hosts. On a Sophos machine, the vendors required FQDN pre defined would make so much sense and the product more cool.

Unfiltered HTML