
Cannot seem to get Application Filter Firewall rule to work correctly

So I attempted to get the application control working based on this article: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/120242/sophos-xg-firewall-how-to-create-an-exception-in-application-filter but I could not get this to work.

We have an application from Honeywell that uses multiple outgoing ports, hundreds of them with no set port range, that we need to allow outgoing access. The application is correctly detected by Synchronized Application Control and I customized it with the full name and categorized it as general business. I then made an Application Filter with that application in it, allowed it, then saved it. Then I made a new firewall rule for it for LAN - All -> WAN - All - All Services and under the application control I put it in. But the rule is allowing everything outgoing now.

How do I make a firewall rule allowing this application full outgoing ports without allowing anything else?



  • Hi AllanD

    Please check Application logs as per the below link

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogViewer/index.html

    Click on Firewall on the right hand side and select Application Filter from the drop-down menu.

    Simultaneously check web filter logs and IPS logs and so on as per the current policy applied on the firewall rule.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    You could try changing the WAN Any to a WAN specific site for the Honeywell application rule. Further, you could create it as a clientless user and select match users.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Maybe I'm missing something but I'm not sure what checking the logs will do. We have 20+ firewall rules set up already and we added this at the bottom. But this rule is letting everything out: anything that doesn't match a rule above then matches this (all ports in to out) and the application part isn't doing anything.

    Am I missing something? Isn't the point of the firewall being able to identify applications, which it does correctly, so you can then allow or block those applications? This seems like it should be easy since the application is already identified.

  • Unfortunately it's a P2P application. It contacts a server which sends something to the device in a building and returns the IP/port to connect with. So there is no set site list; it literally could be anything on the internet. As for a clientless user, how would I go about that? And why would I need to?

  • I suggested clientless because you expressed concern about other devices using the firewall rule and clientless would only allow the Honeywell device to connect to the firewall rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • It's software that runs on our client machines. Which is why I want to use some type of application rule to allow the application, no matter what computer it is on, to have access to what it needs access to. But I don't understand how to set up a firewall rule correctly to only allow the application that I select. It seems to ignore the application part and just go by the top rules, which allow all traffic everywhere.

  • Hi AllanD,

    Sorry, I didn't understand that it was used by a number of people on different devices. The rule would need to be at the top and then all other rules would need to have an application policy denying access to this app.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • That makes no sense. The first rule has to allow the application and then every other rule I have needs to deny it??? That's not what the guide I linked to seems to say: why would I add a deny application rule to, say, my web browsing rule? And looking at the logging, this rule is allowing traffic from other sources (applications) to the internet that normally would hit the last drop rule. Which tells me it's not actually applying the filter at all.

  • You appear to be confusing application and web policies. Your application policy rule should block web browsing by disabling http/s, assuming your application does not use http/s. Your web policy would block the application, possibly by default if you have https scanning enabled.

    Does the application use any form of network security other than being a p2p application?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA


  • Not that I know of. From what I can tell a device at some location is registered with Honeywell's "P2P" system. The application, which is on our network, sends a unique ID for a device and the auth information to some Honeywell server. The Honeywell server tells the device there is an incoming connection from xxxx and then tells the application what the external IP address is. Again from what I can tell, the application then talks directly to the device.

    So the issue is I never know what the IP address of the device is, Honeywell is hosting with AWS so the initial connection could be anywhere in the AWS realm, and the ports used are random per connection. You connect to multiple devices and you could be using 100+ ports. Their tech support said it can be anything above 1024. Which is why I was hoping there was a simple way to just allow an application, i.e. HDCS.exe -> allowed all outgoing ports.

    So the application: 

    Then per the guide Sophos posted I created an application filter:

    Then also per the guide it said to add the application but again the rule is allowing everything:
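The symptom described throughout this thread (a LAN -> WAN all-services rule that carries an application filter yet lets every application out) comes down to two separate decisions: which firewall rule matches the flow, and what the attached application filter does with applications it does not name. The toy model below is an added illustration written for this page, not Sophos code and not anything from the thread's posters; the rule names, zones, port numbers, the "Honeywell HDCS" label and the "Some other tool" label are constructed, and the first-match rule table plus an allow-or-deny default on the filter is an assumed simplification of the real product.

```python
"""Toy model of first-match firewall rule evaluation with an attached
application filter policy, written to illustrate the behaviour discussed
in the thread. Added example, not Sophos code; rule names, zones, port
numbers and application labels are constructed for the illustration."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: Optional[str]  # application as identified by the firewall, None if unknown


@dataclass
class AppFilter:
    """Ordered (application, action) entries plus a default action for any
    application no entry names. A default of "allow" reproduces the thread's
    symptom; "deny" is the deny-by-default variant."""
    entries: List[Tuple[str, str]]
    default: str = "allow"

    def decide(self, app: Optional[str]) -> str:
        for name, action in self.entries:
            if name == app:
                return action
        return self.default


@dataclass
class Rule:
    name: str
    src_zone: str                 # zone name or "Any"
    dst_zone: str
    services: Optional[Set[int]]  # destination ports; None means all services
    action: str                   # "allow" or "drop"
    app_filter: Optional[AppFilter] = None

    def matches(self, flow: Flow) -> bool:
        zone_ok = (self.src_zone in ("Any", flow.src_zone)
                   and self.dst_zone in ("Any", flow.dst_zone))
        return zone_ok and (self.services is None or flow.dst_port in self.services)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule decides. The application filter is consulted only
    after the rule's zone/service criteria already matched, so a rule for
    all services matches every LAN -> WAN flow and the filter's default
    action then governs everything the filter does not name."""
    for rule in rules:
        if rule.matches(flow):
            if rule.action == "drop":
                return "drop", rule.name
            if rule.app_filter is not None:
                return rule.app_filter.decide(flow.app), rule.name
            return "allow", rule.name
    return "drop", "implicit"


def build_rules(app_filter_default: str) -> List[Rule]:
    """Rule table shaped like the one in the thread: a web rule above, the
    LAN -> WAN all-services rule carrying the application filter, and a
    final drop rule. Names and ports are constructed for the example."""
    honeywell = AppFilter(entries=[("Honeywell HDCS", "allow")],
                          default=app_filter_default)
    return [
        Rule("Web browsing", "LAN", "WAN", {80, 443}, "allow"),
        Rule("Honeywell app", "LAN", "WAN", None, "allow", honeywell),
        Rule("Drop everything", "Any", "Any", None, "drop"),
    ]


if __name__ == "__main__":
    flows = [
        Flow("LAN", "WAN", 40000, "Honeywell HDCS"),  # the application we want
        Flow("LAN", "WAN", 5000, "Some other tool"),   # should not get out
        Flow("LAN", "WAN", 443, "HTTPS"),              # ordinary browsing
    ]
    for default in ("allow", "deny"):
        print(f"application filter default = {default}")
        for f in flows:
            print("  ", f.app, "->", evaluate(build_rules(default), f))
```

With the filter defaulting to allow, "Some other tool" on port 5000 reaches the Honeywell rule (all services match) and is allowed, which is exactly the "everything outgoing" the poster sees in the logs. Changing only the filter's default to deny makes that same flow come back as denied while the named application and the browsing traffic above it are unaffected. Rule order still matters in the model: moving the deny-by-default rule above the web rule would deny browsing, and a filter can only act on flows whose application has actually been identified, which is what Synchronized Application Control is providing in the thread.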