

Application Control and Port dependencies

Hello,

I do not understand how XG's Application Control works in detail (under the hood). Is there any documentation somewhere?


I have to control and restrict some traffic between LAN and Production due to a written security regulation.

e.g. for understanding:

  • LAN->Production:
    • Allow Port 80 if it is HTTP
    • Allow Port 25 if it is SMTP
    • Block all traffic in all other cases

In this example we have to Block HTTP on Port 25.


How can I solve this with Sophos XG?

Sincerely

Guenter



  • Then you can further enhance enforcement by enabling block non http traffic on http ports etc.

    Could you please explain to me how to enforce protocols over Sophos XG ?

    I'm on v18 MR 2, all rules are using DPI Engine instead of the old Web Proxy. (No, I'm not going to use the old Web Proxy, it creates more headache than fixes.)

    I've created a Rule that allows only HTTP from a host to another host, and blocks everything else.

    But I'm able to connect with SSH without any issues over port 80.


    It even detects the traffic as SSH...

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home
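    To make the gap this post describes concrete (a port-only rule lets SSH through on port 80 even though the engine identifies it as SSH), here is an added example, not code from the thread or from Sophos: a small Python classifier that looks at the first bytes each side of a flow sends, then applies the "allow port 80 only if HTTP, port 25 only if SMTP, block everything else" policy from the original question. The sample flows are constructed; the banner checks are simplified heuristics, not the XG DPI engine.

```python
# Policy from the thread: for each destination port, the only protocol allowed.
# Any flow whose first bytes do not match the expected protocol is blocked,
# so HTTP on port 25 and SSH on port 80 both fall through to BLOCK.
POLICY = {80: "http", 25: "smtp"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def classify(client_first: bytes, server_first: bytes) -> str:
    """Identify the application protocol from the first bytes each side sends
    (simplified heuristics: SSH banner, HTTP request line, SMTP greeting/EHLO)."""
    if client_first.startswith(b"SSH-") or server_first.startswith(b"SSH-"):
        return "ssh"
    request_line = client_first.split(b"\r\n", 1)[0]
    if client_first.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    if server_first.startswith(b"220 ") and client_first.upper().startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    return "unknown"


def decide(dst_port: int, client_first: bytes, server_first: bytes) -> tuple:
    """Return (verdict, detected_protocol). Port match alone is not enough:
    the detected protocol must be the one the policy allows on that port."""
    proto = classify(client_first, server_first)
    expected = POLICY.get(dst_port)
    if expected is not None and proto == expected:
        return ("ALLOW", proto)
    return ("BLOCK", proto)


# Constructed sample flows: (dst_port, first client bytes, first server bytes)
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: prod\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),  # allowed
    (80, b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-OpenSSH_8.9\r\n"),                     # SSH on 80
    (25, b"EHLO lan.example\r\n", b"220 prod ESMTP\r\n"),                               # allowed
    (25, b"GET / HTTP/1.1\r\nHost: prod\r\n\r\n", b""),                                 # HTTP on 25
    (22, b"SSH-2.0-client\r\n", b"SSH-2.0-server\r\n"),                                 # port not in policy
]


def evaluate_samples():
    """Run the policy over the constructed flows; returns (port, verdict, proto) triples."""
    return [(port, *decide(port, c, s)) for port, c, s in SAMPLE_FLOWS]


if __name__ == "__main__":
    for port, verdict, proto in evaluate_samples():
        print(f"dst port {port:>3}  detected {proto:<7} -> {verdict}")
```

    Only the first and third flows are allowed; the SSH-on-port-80 case from this post is blocked because the detected protocol, not the port, decides.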

  • Thank you, I've read those postings.

    BTW: I worked the last years with PaloAlto...

    Unbelievable what Sophos ignores in 2020 ....

  • I've sent you a message with more information. (I'm trying to find all posts about this.)


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • Crazy.

    Please send me this Link.

    Guenter

  • Adding to this, even SonicWall supports L7 policy and protocol enforcement now. So pretty much every one of Sophos's competitors does this now.

    I've already asked a Sophos dev about L7 policies, and this was the answer:

    "Using the application filter it is hard to create a rule that allows one application and blocks everything else. At most you can allow one application and block all other applications, but any traffic that is not a defined application would also be allowed. An application filter of "Deny All" really means "Deny all defined applications" and not "Deny all traffic".

    The application filter is better suited to denying applications rather than allowing them (and denying everything else)."

    (If you want I can send you the link to the post about this, but it has been archived.)

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • These are not workarounds; they are security you can enforce.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Yes this is exactly what we need:

    L7 aware Policy, with protocol enforcement


    We had the hope that XG would become a real L7 firewall, and not an L3 with L7 filters like the UTM.

    On the other hand, I also find it precarious, in today's ransomware era, to still sell such systems with a good conscience. "Zero Trust, Inspect all" is the only solution to protect yourself from such threats.

    I'm shocked.
    Guenter

  • Hi,

    So what you want to do is an L7-aware policy with protocol enforcement.

    You want to open port 80, but only if it's HTTP traffic, or port 25 only if it's SMTP? Or port 53 only if it's DNS?

    If so, Sophos XG doesn't support this since there's no way to "Block All, allow only X"; this is a feature that has been asked for multiple times, and pretty much most of the NGFWs on the market support it, but XG still falls behind.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home

  • See my previous posting:

    This is a written policy we have to establish.

    Workarounds are not allowed and will not be accepted by our security officer.

  • Further, you can set your destinations as the server that accepts each of the ports, so regardless of what the user sends, it will only go to the correct firewall rule and then server. If you enable SMTP scanning then anything else will be blocked if it is not mail.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.