Central Firewall - no Sophos Services and FQDN - why?

When going to Hosts and Services in Sophos Central, you pre-configured a lot of 3rd Party stuff there but forgot to pre-configure your own services.

So why is there no FQDN group for Sophos Services? There are all the other vendors and your'e maintaining them more or less... 

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

So now I want to prepare some firewalls rules for Sophos devices and need a lot of time to implement all these FQDN manually. That could have been done better.

You cannot handle everything by built-in TLS Exception URL groups.

Parents Reply
  • FormerMember
    0 FormerMember in reply to LHerzog

    Hi, 

    The default design choice in the SFOS is that users will allow outbound traffic for web (http/https) and then use the web filter to restrict and protect it. This security stance works for the majority of our customers. However, for those that desire to have a stricter firewall rule policy (limiting http and https traffic at the perimeter without using the web filter) a bit more work is needed to configure this. Basically, the Sophos URLs are auto excluded in our web filter. So you could allow 80 and 443 outbound and turn on the web filter and restrict everything but Sophos would still be accessible.

    Does that answer your question?

Children
  • Just to add onto this, Sophos does add all the necessary TLS and filtering exceptions if web filtering is enabled we have the following exceptions out of the box:


    Also for the managed TLS exclusions list we have added all of the Sophos domains in the "URL groups" section. Hopefully the suggestion from Richard can help in the future for ease of configuration.

  • Thanks. Indeed there are scenarios, like Sophos Central WiFi and others, that are not covered by these exceptions or the TLS exclusion groups. They require firewall rules and so need to create all the hosts manually.

    Also think of a Server LAN - would you generally allow servers any internet connection via Web Proxy / DPI TLS Inspection? If probably no, you need to create a firewall rule to the (Sophos) hosts, they are only allowed to communicate with. That's where you would need pre configured hosts. On a Sophos machine, the vendors required FQDN pre defined would make so much sense and the product more cool.