I do not understand how XG's Application Control work in detail (under the hood). Are any documentation somewhere?
I have to control and restrict some Traffic between LAN and Production due to written regulation of security.
e.g. for understanding
In this example we have to Block HTTP on Port 25.
How can I solve this with Sophos XG?
So what you want to do is L7 aware Policy, with protocol enforcement.
You want to open port 80, but only if It's HTTP traffic, or port 25 if It's only SMTP? Or port 53 if It's only DNS?…
XG applies Rules based on the common criteria: Source IP, destination IP, service (Port).
Everything is a session, so every connection is a session and XG applies a filter rule on this "session".
So if you create a rule for service HTTP and HTTPs you can allow or deny certain Apps, which uses HTTP/s.
You could use a ANY Services rule, and deny certain applications.
You would have to figure out the application, which you do not want to have, and block this app on your Rule for Port 25. Or the simple way is, only to allow the application SMTP and deny all other apps.
To be honest, this is the old scenario, where you are allowing based on TCP/IP and are scared, bad people using the Port 25 for other traffic, like HTTP. There are multiple problems with this view. First of all, SMTP should not be open for everybody. Only for your designed Mail server (Nobody should be able to send spam with your IP). Second of all, HTTP is "dead". Bad people uses TLS over XX (They basically find a open port and use TLS to encrypt the traffic). So DPI engine comes handy to find this kind of traffic on every port.
Just some thoughts about this.
I had the same thoughts like you.
In my opinion, however, this is extremely unsatisfactory. Why, let me explain.
1st) We open outgoing all Ports.2nd) Then we look into a session and try to filter out some traffic.
Why is this suboptimal? The session is established, and it is possible that the appfilter rule does not detect this traffic.In this case the traffic runs through the firewall.
What we need is a strict combination with Appfilter and traditional L3 Session and a bypass rule in Sophos' Appfilter system.
This give us back the control of the full traffic.
This means: IP Source and IP Destination and destination Port and L7-Application -> Allow / Deny
This would be great.
Why do you open all outgoing ports?
a firewall rule for http and smtp will block your traffic and can be fine tuned with web and application policies as well as ips .
I do not want to open any port. Only the neccessary one.
And we have to restrict the Port with the Application.
How can this configured in Sophos XG?
very simply, you create a rule that only has that port in it and you refine which networks can access that rule. You might need to consider using AD to control source devices. Further refinement would be to use web and application policies eg you create your own.
there are kbas at the top right of the forum home page that might help you understand what you are trying to achieve.
Hmm, i cannot confirm this.
In above case I have to create one rule:
Let us say, this Rule matches, now the Appfilter runs.
Row1: Allow HTTP, SMTP
Row 2 Deny.
Now, what happens in this example if one system sends HTTP Traffic on Port 25 from mySubnet1 to mySubnet2?
I think this traffic passes the Firewall. Right?
No, it will allow port 25 via the smtp and port 80 via the http. You could further enable the proxy and have seperate rules for http with proxy and another for smtp so that different policies are applied. Mixing ports 25 and 80 in the one rule is not a good idea while does work makes policy enforcement difficult. Then you can further enhance enforcement by enabling block non http traffic on http ports etc.
silly question why are you trying to limit internal traffic between lans?
> it will allow port 25 via the smtp and port 80 via the http
Where is this in Sophos XG defined? I did not find anything. The Application Object is a "blackbox".
This is a written policy we have to establish.
BTW: Port 25,80 was only for this example and only for understanding what I mean.
Other example, maybe better unterstanding:
Further you can set you destinations as the server that accepts each of the ports so regardless of what the user sends will only go to the correct firewall rule and then server. If you enable smtp scanning then anything else will be blocked if not mail,
See my previous posting:
Workarrounds are not allowed and will not accepted by our security officer.