This discussion has been locked.

Cannot seem to get Application Filter Firewall rule to work correctly

So I attempted to get the application control working based on this article: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/120242/sophos-xg-firewall-how-to-create-an-exception-in-application-filter   but I could not get this to work.

We have an application from Honeywell that uses multiple outgoing ports, hundreds of them with no set port range, that we need to allow outgoing access. The application is correctly detected by Synchronized Application Control and I customized it with the full name and categorized it as general business. I then made an Application Filter with that application in it and allowed it, then saved it. Then I made a new firewall rule for it for LAN - All -> WAN - All - All Services and under the application control I put it in. But the rule is allowing everything outgoing now.

How do I make a firewall rule allowing this application full outgoing ports without allowing anything else?



  • FYI - Bharat spent 90 minutes looking at things and couldn't fix it. We added a deny all web filter and a deny all application filter but traffic still was being forwarded through that should not have been. It completely ignored the application filter. The best example was a user's printer software was trying to access his home printer on port 631 over and over. With this rule it was allowed which it shouldn't have been.

    There appears to be no way of actually saying "Allow something.exe access outgoing and nothing else".  Waiting for more information.

  • Hi AllanD 

    Allow me some time to create the scenario you have in my lab and get back to you.

    As of now only one user is facing an issue with the Honeywell exe, which gives a connection time-out error when run, as it is getting dropped by the any/any/any/any drop rule you have.

    It is getting allowed once we apply the application filter on the rule, but the rest of the earlier blocked traffic is also getting allowed, as per the firewall traffic log under Log Viewer.

    Please log in to Sophos Central and check the event logs for the same PC, and share what the logs say there so we can assist you further.

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi AllanD

    Hope you are doing well 

    As per your request to allow only Microsoft Teams and to block the rest of the internet traffic, I have created a web and application filter policy as below and it is working from my end:

    Web Filter Policy:

    Application filter as below:

    First I denied all the traffic and checked the Log Viewer logs.

    I accessed Microsoft Teams and checked the web filter and application filter logs in Log Viewer simultaneously, and allowed the traffic which was getting denied for Microsoft Teams on the application filter.

    You can check the same and allow the URL or application on which Microsoft Teams works.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".


  • Still not working and the rule is allowing traffic that does NOT match the application filter to pass through. I added the Honeywell app to a new application filter rule called "Honeywell App". I made a "Block all other traffic" web filter matching the one pictured. I added a firewall rule at the bottom of my list, right before my last deny, with those two in it. And not only did it not work but it allowed traffic that normally wouldn't be allowed. Things like iTunes calling home on port 5228 on PCs that don't even have the Honeywell app installed. And I'm positive it's this rule doing it since I have the log viewer set to only show me that rule ID.

    I'm officially giving up and going with the application filter doesn't work or doesn't work as intended on the XG.  It allows traffic that it shouldn't since you are blocking with a "web filter" rule that is only blocking 80 and 443 but not blocking other higher ports which defeats the purpose.
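The behaviour described in this last post can be reasoned about with a small rule-evaluation model. The following is an added illustration written for this thread, not Sophos code and not a description of XG's actual inspection engine: it assumes that an allow rule matches on zones first, that an attached "block all" web filter only acts on ports 80 and 443 (as the poster observed), and that an application filter can only act on flows application control has already classified. Under those assumptions it reproduces what the log viewer showed: the Honeywell traffic is allowed, but so is unclassified traffic such as the printer connection on port 631, and classified-but-unrelated traffic such as iTunes on port 5228 is allowed unless the application filter's default is deny. Rule names, app labels and the Honeywell port number are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, FrozenSet, List, Tuple, Dict

# Ports the web filter inspects. Taken from the last post's observation that
# the "block all" web filter only covers 80 and 443 (an assumption of this model).
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    dst_port: int
    app: Optional[str]  # name assigned by application control, None if unclassified


@dataclass
class Rule:
    name: str
    src_zone: str  # zone name or "ANY"
    dst_zone: str
    action: str  # "allow" or "deny"
    web_filter_block_all: bool = False  # "Block all other traffic" web policy attached
    app_filter_allow: FrozenSet[str] = frozenset()  # apps the attached app filter allows
    app_filter_default: str = "allow"  # verdict for other *classified* apps


def _zone_match(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == "ANY" or rule_zone == flow_zone


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) from the first rule whose zones match the flow."""
    for rule in rules:
        if not (_zone_match(rule.src_zone, flow.src_zone) and _zone_match(rule.dst_zone, flow.dst_zone)):
            continue
        if rule.action == "deny":
            return "deny", f"{rule.name}: L3/L4 deny"
        # Allow rule: the attached filters only narrow what the rule already matched.
        if rule.web_filter_block_all and flow.dst_port in WEB_PORTS:
            return "deny", f"{rule.name}: web filter blocks port {flow.dst_port}"
        if flow.app is not None:
            if flow.app in rule.app_filter_allow:
                return "allow", f"{rule.name}: app filter allows {flow.app}"
            if rule.app_filter_default == "deny":
                return "deny", f"{rule.name}: app filter denies {flow.app}"
        # Nothing narrowed it: the rule's own action (allow) applies.
        return "allow", f"{rule.name}: no filter matched, rule action applies"
    return "deny", "no rule matched (implicit drop)"


def thread_scenario(app_filter_default: str = "allow") -> Dict[str, str]:
    """Rule set as described in the thread, evaluated over constructed sample flows."""
    rules = [
        Rule("Honeywell App", "LAN", "WAN", "allow",
             web_filter_block_all=True,
             app_filter_allow=frozenset({"Honeywell"}),
             app_filter_default=app_filter_default),
        Rule("Deny all", "ANY", "ANY", "deny"),
    ]
    # Constructed flows: ports 631 and 5228 come from the thread; the Honeywell
    # port and the app labels are placeholders.
    flows = {
        "honeywell_5000": Flow("LAN", "WAN", 5000, "Honeywell"),
        "itunes_5228_classified": Flow("LAN", "WAN", 5228, "iTunes"),
        "printer_631_unclassified": Flow("LAN", "WAN", 631, None),
        "http_80_unclassified": Flow("LAN", "WAN", 80, None),
    }
    return {name: evaluate(rules, f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for default in ("allow", "deny"):
        print(f"app filter default = {default}")
        for name, verdict in thread_scenario(default).items():
            print(f"  {name:28s} {verdict}")
```

The point the model makes for anyone reviewing such a rule set is that the two filters narrow different things: the web filter narrows by port, the application filter narrows by classification, and a flow that is neither on a web port nor classified is narrowed by nothing and inherits the rule's allow action. The check this suggests when reading Log Viewer entries for the rule ID is whether each unexpectedly allowed flow carries an application name at all; flows without one will not be touched by any application filter setting.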