Firewall rule Facebook / Web URL / App-Filter

Hello,

for example, I would like to create a firewall rule that is used for various clients when using Facebook.

I created various IP hosts, web URLs and also an application filter for Facebook. But it looks like the rule, visible on the basis of the traffic, is not attracted to the rule. Is that basically possible, or what would be a procedure?

Greeting



  • Hi,

    You need to be using policies which are applied to firewall rules. Are you trying to stop Facebook access? Also, there are default exceptions in the web exceptions for Facebook.

    The enforcement of policies is via firewall rule using web, application and IPS settings in the Proxy or DPI.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    If I have understood that correctly, I should use the web filter in the firewall rule and also the application in the firewall rule.

    Is that right?

  • A web policy is for URLs, e.g. websites; an application policy is for things like TeamViewer, Tor Browser, etc. You can have both when you want to restrict an application to work through a specific web server. Or conversely stop an application using a website.

    ian


  • Yes, I am aware of that.

    Unfortunately I did not understand when to use a web policy or an application filter in the firewall rule.

    Apparently it is so or are there constellations that it does not always work?

    I still haven't understood what the WebPolicy or application filter setting in the firewall rule is doing.

  • Put simply they are used to manage access or deny access to certain things because a number of things can exist at the same address.
    ian


  • Tell me please, what happens here in this rule?

  • Application control and web control are not the same. 

    Application control filters on all ports, if the appliance can recognise the traffic based on pattern (sometimes port, sometimes specially written application signatures, etc.).

    Web filter is applied to HTTP/S traffic (port 80/443) and will be applied to all traffic that can be filtered.

    In this rule: you are decrypting the traffic, which can be an issue if you do not know the basic rules of decryption. See: https://support.sophos.com/support/s/article/KB-000038420?language=en_US

    Then you apply an app control and a web control rule, based on the traffic those devices are generating. And only in the certain time-based field.

    BTW: The rule is disabled. 

    __________________________________________________________________________________________________________________

  • ok, yes the rule is deactivated :-) because I have the problem with the functionality of the firewall rules.

    I will read this through. But it makes sense in the operation etc. for me it is absolutely incomprehensible what this benefit is actually supposed to be looking for in the firewall rule and as far as I can remember it was not organized that way in the SG.

  • What does that mean in a brief overview.

    Both filter options cannot be used in one rule at the same time?

  • You can merge filter options in a policy. You also need to change the services to HTTP and HTTPS. If you want to block access you also need to install the CA on the PC. What other rules do you have for the kinder group outside of your time limit?

    ian


  • There is a difference between application-based traffic and web-based traffic. Generally speaking, web-based traffic looks like a browser opening a connection to a website. An application could be something like Spotify on Windows. It looks like web-based traffic but could be categorized by the appliance as an application.

    Start simply. Do a Client to WAN rule without any filter. Check if this works fine. Then enable the first filter. Check if everything works as expected and work towards the goal. Do not enable all filters at once if you do not know what each and every filter means.

    __________________________________________________________________________________________________________________

  • Hello,

    so I can answer again. After that someone meant to report this thread.

    I don't know what that happened, so be it.

    Well, I have to say it again. It is absolutely not understandable and transparent how these many constellations in connection with web filters, network rules and also application filters belong together or rather can be configured.

    Again, these many constellations are not clear to me how and when I set up the WebFilter etc. or apply them to a rule or not.

    I am already aware of a few things what HTTPS and scanning etc. is.

    But setting up is absolutely not transparent.

    Ok, I also tried to activate and check rules individually.

    How can you try to make this setting for Facebook to match the thread name?

    Is that possible?

    greeting

  • I am not sure how to explain this in more depth. 

    It is actually as simple as: create one rule, attach all block rules of applications and websites you do not want.

    That's it. Be careful with HTTPS decryption, as this will likely kill the client if not prepared.

    __________________________________________________________________________________________________________________

  • Hello,

    I marked one of your answers as abuse since swearing isn’t allowed in the Forum.

    community.sophos.com/.../sophos-community-terms-and-conditions-of-use

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi,

    I don't understand what you mean by that.

    On the one hand, I should set everything to "Allow All" with WebFilter and now only those that I should block.

    There are just so many conflicting answers. Something can't be right.

    E.g. I activated an ANY ANY rule because nothing worked again. Something is wrong with the XG software. I then restarted the firewall and then a lot went again.

    Please put together a screenshot in which you can see e.g. how to filter various clients using a rule and a rule how to work e.g. with WebFilter,

    so that the contradiction itself is uncovered in the hope that an understanding develops.

    Is that possible?

    greeting

  • First of all: Disable the DPI engine. 

    Then build a rule for your device:

    Check if this works fine.

    Then move to your own policy:

    Check if those are applied and the web requests are blocked.

    Then move to App control:

    Check if this works fine.

    Then think about using DPI/HTTPS decryption.

    Export the certificate and import it to your devices, if you want. 

    __________________________________________________________________________________________________________________
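
An added example, not part of the original thread and not Sophos code: a simplified Python model of what the replies describe, where a firewall rule is first selected by its match criteria and only then are its attached web policy and application filter consulted. The top-down first-match ordering, the rule names, network ranges and the category name are assumptions constructed for illustration.

```python
# Simplified model for illustration (an assumption, not Sophos code):
# rules are checked top-down, the first rule whose source and service
# match is selected, and only then are its attached policies consulted.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

WEB_PORTS = {80, 443}  # the web filter only sees HTTP/S traffic

@dataclass
class Rule:
    name: str
    sources: list   # client networks the rule matches
    ports: set      # services the rule matches
    blocked_web: set = field(default_factory=set)   # web policy
    blocked_apps: set = field(default_factory=set)  # application filter

@dataclass
class Flow:
    src: str
    port: int
    web_category: Optional[str] = None  # known only for HTTP/S requests
    app: Optional[str] = None           # set when a signature recognises the app

def evaluate(rules, flow):
    """Return (rule name, verdict) for the first rule that matches the flow."""
    for rule in rules:
        in_source = any(ip_address(flow.src) in ip_network(n) for n in rule.sources)
        if not in_source or flow.port not in rule.ports:
            continue
        # Rule selected: everything from here on is decided by this rule only.
        if flow.port in WEB_PORTS and flow.web_category in rule.blocked_web:
            return rule.name, "blocked by web policy"
        if flow.app in rule.blocked_apps:
            return rule.name, "blocked by application filter"
        return rule.name, "allowed"
    return None, "dropped (no rule matched)"

# Constructed sample rule set: a client-group rule above a general LAN rule.
RULES = [
    Rule("kids-web", ["192.168.10.0/24"], {80, 443},
         blocked_web={"Social Networking"}, blocked_apps={"Facebook"}),
    Rule("lan-to-wan", ["192.168.0.0/16"], set(range(1, 65536))),
]

if __name__ == "__main__":
    for f in (Flow("192.168.10.5", 443, web_category="Social Networking"),
              Flow("192.168.10.5", 443, web_category="News"),
              Flow("192.168.10.5", 5222, app="Facebook")):
        print(f, "->", evaluate(RULES, f))
```

In this model the third flow is allowed: a rule limited to HTTP/HTTPS never applies its application filter to other ports, so that traffic falls through to the next matching rule.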

  • Hi,

    I just wanted to get in touch and thank you for taking the trouble for the screenshots. I look at this
    I have already implemented some things in exactly the same way.

    I think the big problem is that there are probably problems with the rules, if I restart the XG sometimes some things work again.

    I'll get in touch again when I've looked at

    Thanks again and see you later :-)

  • Hi,
    what happens if you select ALLOW ALL in the web filtering?

    I still have the problem of understanding when I have several WebFilters and want to use them, because in almost every web call, everything or a lot is always the first call for a connection to be established via HTTP / HTTPS.

    So now I'll create a rule, e.g. in this case for Facebook. Now I use the WebFilter rule for Facebook, in which various users are allowed to use Facebook and which are not.

    If I create the rule with ANY / ANY and select the Facebook WebFilter, all other traffic will also run through this rule, because everything is HTTP / HTTPS.

    I don't want that, at least that's how I think it is.

    Because, if my rule is for example Facebook, it should actually also include Facebook services etc.

    Therefore again the question: are really the only criteria that a rule is executed on the basis of the zone / clients / networks?