Nesting of allowed Web Applications possible?

Hi,

is it possible to nest web application rules?

Take this little Chart:

I would like to allow different applications to different users on the XG Firewall based on their user heartbeat.

So the idea is to create several rules for each application and put the apps inside each rule. Then put all the users that need it into this rule.

Currently my problem is that the first matching rule wins:
e.g. if I allow Office 365 to User A, he is only allowed to use Office 365 and nothing else.

This makes it very uncomfortable to keep track of changing user requirements, because I need almost one Web / Application Rule for each user.



  • I hope I'm wrong, but going by the last conversations I had with support, "Nesting" rules are not possible because the management plane on Sophos XG is horrible.

    Let's say you have two rules for User A.

    1) Allow Facebook, Deny everything else.

    2) Allow O365, Deny everything else.

    By default XG will match everything on Rule 1; even if O365 is allowed on Rule 2, it will still be denied, since by default Rule 1 has a "Deny" all.

    The only way to do this is by having a single rule by user, that applies everything (All Apps/Web policies) for that user.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 EAP @ Home

    Sophos ZTNA (KVM) @ Home
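
The first-match behaviour described in this thread, as an added example that is not part of the original posts and is not Sophos code: a simplified Python model (rule names, users and the rule tuple layout are constructed) showing why the second rule is never reached, and how per-application user lists can be folded into rules that carry each user's full app set. It goes slightly beyond the reply by grouping users with identical app sets into one rule, assuming a rule may list several users as the question describes.

```python
# Simplified model of first-match evaluation with an implicit "deny all".
# Assumption: a rule is (name, users, allowed_apps); this is not the XG engine.
from collections import defaultdict

def first_match(rules, user, app):
    """Return (rule_name, verdict) from the first rule that lists `user`."""
    for name, users, allowed in rules:
        if user in users:
            # The first rule matching the user decides; later rules are never read.
            return name, ("allow" if app in allowed else "deny")
    return None, "deny"  # no rule matched the user at all

def consolidate(app_rules):
    """Fold per-application rules into one rule per distinct app set."""
    per_user = defaultdict(set)
    for _name, users, allowed in app_rules:
        for user in users:
            per_user[user] |= set(allowed)  # union of everything the user needs
    groups = defaultdict(set)
    for user, apps in per_user.items():
        groups[frozenset(apps)].add(user)   # users sharing an app set share a rule
    ordered = sorted(groups.items(), key=lambda kv: sorted(kv[0]))
    return [("+".join(sorted(apps)), users, set(apps)) for apps, users in ordered]

# Constructed sample: the per-application layout the question asks about.
APP_RULES = [
    ("allow-facebook", {"userA", "userB"}, {"Facebook"}),
    ("allow-o365", {"userA", "userC"}, {"O365"}),
]

if __name__ == "__main__":
    # userA hits allow-facebook first, so O365 is denied despite rule 2.
    print(first_match(APP_RULES, "userA", "O365"))
    merged = consolidate(APP_RULES)
    for rule in merged:
        print(rule)
    # After consolidation userA matches exactly one rule that carries both apps.
    print(first_match(merged, "userA", "O365"))
```

Re-running `consolidate` whenever the per-application user lists change regenerates the rule set, so the per-application lists stay the single place where user requirements are tracked.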
