Sophos XG 125 v18 - creating rules for a POS PCI-compliant zone

Thank you, community gurus, for your help!

So my POS zone requires that only specific sites and ports be allowed, for best security; this list, for example, of requirements for my CC processing.

Would it be recommended that I create a rule with these specific hosts and IP ranges, or create a custom web policy for this, or both?

  • Hello WWarneke,

    Thank you for contacting the Sophos Community.

    I would create a Firewall rule for the IPs of your POS and then add an IP range for the Destination Networks, and would open only the indicated ports 80, 443 and probably 53.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • Can you give me an idea of what that rule looks like? Is there a way to add multiple IP ranges to one item in destination networks, or should I create separate items for each range?

    Thanks!

  • Hi,

    Are the POS on a separate LAN?

    I would suggest you use clientless users/groups and fixed IP addressing for these devices. The assigned IPs need to be outside of the DHCP range on that network.

    You can either create an FQDN group and use that in the destination of the firewall rule, and then create IP groups and add them as well. The services you can add one at a time as you require them.

    Security wise I would suggest web - allow all, select block quic, scan http and use the proxy, though nothing will be rejected.

    Application I would suggest allow all and IPS general LAN to WAN unless you wish to build your own profile.

    The rule

    Source: ANY - Network: IP range of the POS LAN.

    Destination: ANY - FQDN and IP lists.

    Services: your required list from above.

    Select users and add your clientless group to the users field.

    Ian 

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello WWarneke,

    In addition to what rfcat_vk mentioned, yes, you would need to create two separate IP ranges.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    If a post solves your question use the 'Verify Answer' link.
  • I am a bit confused. Are you advising that you have over 100 POS devices on your XG125 using real IP address ranges, or are those ranges external servers?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • There are only 8-10 POS PCs; they need access to these IPs and FQDNs in order to process payments. Other than that, I'm trying to limit internet access to specific sites and services. Thanks!

  • My previous post should give you enough guidance to build a rule and try it out.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.
