Hello,
I have trouble understanding what an Application Filter is for and how to use it. What I understand:
- Web Policies: Allow you to block or allow traffic to users (based on categories/file types, etc.). Only one web policy is meant to be used for a group of users through a firewall rule. If you have multiple rules with multiple web policies, only the first firewall rule/web policy that matches the traffic will be applied (the subsequent ones will be ignored). Source: https://community.sophos.com/xg-firewall/f/discussions/83833/web-policy-and-filtering-not-working-at-all/
- Application Filters: Offer the flexibility of matching traffic by identifying the application related to it (i.e., you can create an application filter to match anything where Smart Filter = "Netflix", regardless of whether you know what servers or IP address ranges Netflix uses).
My scenario:
I want to configure a Web Policy to block users from getting to certain websites at all times, but have the flexibility to enable/disable a firewall rule configured with an Application Filter that matches "Netflix". If the rule is enabled, Netflix will be allowed; otherwise it will be blocked. I'm not trying to configure this as part of the Web Policy, because I want to be able to turn the "Netflix" application firewall rule on/off manually as needed through the XG's REST API.
What I've tried:
Firewall Rule 1 - Application Filter Allowing Netflix (Smart Filter = "Netflix").
Firewall Rule 2 - Web Policy Filter Blocking "Video Hosting" category at all times.
Issues with this configuration:
- If Rule 1 is enabled, not only Netflix but ALL traffic is allowed. Why? (I thought the Application Filter would only match the configured criteria and let the traffic be matched by the next rule.)
- If I somehow incorporate the Netflix block as part of the Web Policy (provided it is not too difficult to match this type of traffic with the options available), there's no easy way to turn this block on/off from the REST API. Even if I did it manually, I would have to turn a web policy rule on/off (and modify a web policy) frequently, which is less than desirable.
Should I be doing things differently? (Somehow I think it would be easier if we could turn off a Web Policy's "default action" and let the packet match the next rule available. Eventually, it would reach the "Drop All" (last) firewall rule if the traffic is not matched by anything.) To give some background, I come from using Microsoft TMG 2010, and that's how TMG used to work.
Thanks!
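The poster wants to flip the "Netflix" firewall rule on and off from the XG API. The script below is an added example, not code from the poster or from Sophos: it builds the XML request the XG API controller accepts (a `reqxml` form parameter POSTed to `/webconsole/APIController` on the admin port, 4444 by default), and parses the response status. The `FirewallRule` element names, in particular `<Status>Enable</Status>` / `<Status>Disable</Status>` under `<Set operation="update">`, are assumed from the XG API schema; check them against the API reference for your firmware version before relying on this, and note that the firewall must have API access enabled for the calling IP. The sample response is constructed so the parsing can be exercised offline.

```python
"""Toggle a Sophos XG firewall rule via the XML API (constructed example, not Sophos code)."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

API_PATH = "/webconsole/APIController"   # XG API controller endpoint
DEFAULT_PORT = 4444                      # XG admin/API port (assumption: default not changed)


def build_request(username: str, password: str, rule_name: str, enabled: bool) -> str:
    """Build the reqxml body that enables or disables one firewall rule by name.

    Element names under <FirewallRule> are an assumption based on the XG API schema.
    Values are XML-escaped so a password or rule name containing <, > or & cannot
    break out of its element (the API is XML; injection there is a real risk).
    """
    status = "Enable" if enabled else "Disable"
    return (
        "<Request>"
        f"<Login><Username>{escape(username)}</Username>"
        f"<Password>{escape(password)}</Password></Login>"
        '<Set operation="update">'
        f"<FirewallRule><Name>{escape(rule_name)}</Name>"
        f"<Status>{status}</Status></FirewallRule>"
        "</Set>"
        "</Request>"
    )


def parse_response(xml_text: str):
    """Return (login_status, rule_status_code, rule_status_message) from an API response.

    A failed login has no <FirewallRule> element, so code/message come back as None.
    """
    root = ET.fromstring(xml_text)
    login_status = root.findtext("Login/status")
    rule_status = root.find("FirewallRule/Status")
    if rule_status is None:
        return login_status, None, None
    code = rule_status.get("code")
    return login_status, (int(code) if code is not None else None), rule_status.text


def send_request(host: str, req_xml: str, port: int = DEFAULT_PORT,
                 verify_tls: bool = True, timeout: float = 15.0) -> str:
    """POST the request to the firewall and return the raw XML response.

    Keep verify_tls=True in production; the admin UI certificate should be trusted
    by the caller rather than blindly accepted, since the request carries credentials.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab boxes with a self-signed admin certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode({"reqxml": req_xml}).encode()
    url = f"https://{host}:{port}{API_PATH}"
    with urllib.request.urlopen(url, data=data, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample of a successful response, used to exercise parse_response() offline.
SAMPLE_OK = (
    '<Response APIVersion="1805.1" IPS_CAT_VER="1">'
    "<Login><status>Authentication Successful</status></Login>"
    '<FirewallRule transactionid=""><Status code="200">'
    "Configuration applied successfully.</Status></FirewallRule>"
    "</Response>"
)

# Constructed sample of a rejected login (no FirewallRule element is returned).
SAMPLE_AUTH_FAIL = (
    '<Response APIVersion="1805.1" IPS_CAT_VER="1">'
    "<Login><status>Authentication Failure</status></Login>"
    "</Response>"
)


def toggle_rule(host: str, username: str, password: str, rule_name: str, enabled: bool) -> bool:
    """Enable/disable the named rule on a live firewall; True if the API reported code 200."""
    raw = send_request(host, build_request(username, password, rule_name, enabled))
    login_status, code, _message = parse_response(raw)
    return login_status == "Authentication Successful" and code == 200


if __name__ == "__main__":
    # Offline demonstration only; replace with toggle_rule("10.0.0.1", "apiuser", "...", "Allow Netflix", False)
    print(build_request("apiuser", "s3cret", "Allow Netflix", False))
    print(parse_response(SAMPLE_OK))
```

The API user should be a dedicated account with only the rights this task needs, and the script should read its password from the environment or a secrets store rather than a command line, since the XML body carries it in clear inside the TLS session.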