How to block file type from downloading in Sophos XG 210 Firewall?

Hi,

first thing to check is the test connection going through the rule with the block policy enabled?

Ian

Hi rfcat_vk,

Thank you for the respond, But I don't quite understand what you mean, as I am totally not Firewall trained.

Not sure if you can guide me step by step with screen capture or ..?

From the current Firewall Rule, I have see that there is a rule which previous IT created to block the file type download that in the "Advanced=>Web Policy" pointing to the Web policy created, but did not see any in/out traffic.

In the Web Policy have the policy created too that link to the User activities, Categories and File types.

Thanks

Hi Jacky,

you would be looking in logviewer at the receiving IP address (you LAN user PC) to see which rule the traffic going through.

Ian

Hi lan,

Thank you for the guidance. I checked on the logviewer based on the PC IP address that I am doing the test, it seems like it is using the default Firewall Rule #1, which is used by all users.

I actually created a same Firewall Rule as #10, as the below, and the rule is before the default firewall rule #1, but it still only go through the default firewall rule #1.

Firewall Rule #10 

Source

Source Zones => LAN

Source networks and devices => The test PC IP address

During Schedule Time => All the time

Destination & Services

Destination zones => WAN

Destination networks => Any

Services => http and https

Hi lan,

Thank you for the guidance. I checked on the logviewer based on the PC IP address that I am doing the test, it seems like it is using the default Firewall Rule #1, which is used by all users.

I actually created a same Firewall Rule as #10, as the below, and the rule is before the default firewall rule #1, but it still only go through the default firewall rule #1.

Firewall Rule #10 

Source

Source Zones => LAN

Source networks and devices => The test PC IP address

During Schedule Time => All the time

Destination & Services

Destination zones => WAN

Destination networks => Any

Services => http and https

Hi Jacky,

that would imply the connection is not using http or https.

The default firewall rule is too open and not provif=ding much protection, you need to review the allowed protocols/ports that you allow.

So, in logviewer what port/application did the test PC use to access the bad site?

Ian

Hi lan,

I have captured a screen capture. Not sure if this is what you want?

Hi Jacky,

Thank you for that data, appears though you do not have the proxy setup.

To achieve your aim of blocking you will need to setup the firewall rule with APP, WEB and IPS enabled.

Please post an expanded screenshot of your firewall  rule.

Ian

Hi lan,

Please find the below attached. Not sure if this is sufficient?

Hi Jacky,

they look okay, I would remove the shaping settings unless you have created your own.

If you disable the other firewall rule then try the test again while reviewing the logviewer what do you see?

Ian

Hi lan,

Will need to test it during system maintenance week, as it will affect other users, if I OFF the default rule now. 

Will update again, once I have the chance to test it and get back to you again.

Thank you for the help. 

Hi Jacky,

all the best and keep intouch.

Ian