Hello, I’m seeing that our Sophos XG firewalls are blocking M365 install and updates. What is the best way to push the M365 exceptions out to all firewalls? We currently have about 25 XG firewalls. I found the article
Sophos Firewall: Configure web exceptions for Office 365
with a list of URL pattern matches to exclude for M365, and some instructions for importing. I had previously imported these to a couple of firewalls, but then spent a long time deleting them all because of the mess it created. How do I import all of the URLs into one exception and then push out to all 25 XG firewalls?
My understanding is that it's still a manual process, so curious how others are managing such tedious tasks?
Essentially, if you are using TLS decryption by SFOS (DPI engine), the managed list should take care of this exception and it should work. No need to manually add those hosts.
__________________________________________________________________________________________________________________
That's good to know. Unfortunately, I've never successfully deployed TLS decryption for similar reasons: the exceptions quickly became unmanageable. With TLS enabled, a lot of web sites have issues, and that overloads the helpdesk. And then I'd still need a way to globally push out those exceptions across 25 firewalls. Maybe it's better now? I last tried to deploy TLS to my organization about a year or so ago, but got too much pushback from users. I've been wondering if it's a better strategy to turn off web inspection on the XG firewall and instead rely on the endpoint web protection. At least with the endpoints I have centralized management.
Hi Jeff
Two ways I can think of: via Central, with all your firewalls in a single group and using the same group policy, or via the API interface (you'd have to upload the XML to each one, but it's pretty quick once you've got used to it, and it's just a scripting thing then).
Regards
The exceptions are mostly there to disable TLS decryption. If you are not doing decryption then they are not required.
As for the easiest way to deploy, I would set up all the exceptions on a single box. Then Backup & Firmware > Import export > Selective configuration > WebFilterException.
You will get a .tar file containing an XML. You can import that to any other box. You can also edit the XML to do things like only include the one exception you care about.
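The "edit the XML to include only the one exception" step above, and the "upload the XML via the API" route suggested earlier in the thread, are easy to script. The following is an added example written for this page; it is not code from the thread or from Sophos. It unpacks a selective-configuration export, keeps only the named WebFilterException entries, repacks the tar, and optionally wraps the entities in an API request envelope. The sample XML is constructed, and the element layout (a root element containing one `WebFilterException` per exception, each with a `Name` child) and the `Request`/`Login`/`Set` envelope are assumptions about the SFOS schema; check them against a real export before relying on the script. Nothing is sent to a firewall.

```python
"""Filter a Sophos Firewall selective-configuration export (.tar with one XML
file) down to chosen WebFilterException entries and repack it for import.

Added example, not from the original thread or from Sophos.
Assumptions (verify against a real export):
  - the .tar contains exactly one .xml member holding all exported entities;
  - each exception is a direct <WebFilterException> child with a <Name> child;
  - the XML API accepts <Request><Login/><Set operation="add">...</Set></Request>.
"""
import io
import tarfile
import xml.etree.ElementTree as ET

# Constructed sample export (assumed schema); three exceptions, keep one.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="18.0.1">
  <WebFilterException transactionid="">
    <Name>M365-all</Name>
    <Desc>Consolidated Microsoft 365 exception</Desc>
    <URLPattern>^([A-Za-z0-9.-]*\\.)?office365\\.com</URLPattern>
  </WebFilterException>
  <WebFilterException transactionid="">
    <Name>Old-test-1</Name>
    <URLPattern>^([A-Za-z0-9.-]*\\.)?example\\.net</URLPattern>
  </WebFilterException>
  <WebFilterException transactionid="">
    <Name>Old-test-2</Name>
    <URLPattern>^([A-Za-z0-9.-]*\\.)?example\\.org</URLPattern>
  </WebFilterException>
</Configuration>
"""


def extract_config_xml(tar_bytes: bytes):
    """Return (member_name, xml_bytes) for the first .xml member in the export."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.lower().endswith(".xml"):
                return member.name, tar.extractfile(member).read()
    raise ValueError("no XML member found in export")


def keep_only_exceptions(xml_bytes: bytes, keep_names) -> bytes:
    """Drop every <WebFilterException> whose <Name> is not in keep_names.

    Fails loudly if a requested name is absent, so a typo does not silently
    produce an empty import.
    """
    keep = set(keep_names)
    root = ET.fromstring(xml_bytes)
    found = set()
    for exc in list(root.findall("WebFilterException")):
        name = (exc.findtext("Name") or "").strip()
        if name in keep:
            found.add(name)
        else:
            root.remove(exc)
    missing = keep - found
    if missing:
        raise ValueError(f"exception(s) not in export: {sorted(missing)}")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def repack(member_name: str, xml_bytes: bytes) -> bytes:
    """Build an in-memory .tar holding the single XML member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=member_name)
        info.size = len(xml_bytes)
        tar.addfile(info, io.BytesIO(xml_bytes))
    return buf.getvalue()


def filter_export(tar_bytes: bytes, keep_names) -> bytes:
    """Export .tar in, filtered .tar out (ready for Import on another box)."""
    name, xml_bytes = extract_config_xml(tar_bytes)
    return repack(name, keep_only_exceptions(xml_bytes, keep_names))


def exception_names(tar_bytes: bytes) -> list:
    """List the exception names an export contains (for a pre-import check)."""
    _, xml_bytes = extract_config_xml(tar_bytes)
    root = ET.fromstring(xml_bytes)
    return [e.findtext("Name") for e in root.findall("WebFilterException")]


def build_api_request(xml_bytes: bytes, username: str, password: str) -> str:
    """Wrap the entities in an API <Request> envelope (envelope shape assumed).

    ElementTree escapes the credentials, so characters such as '&' or '<'
    in the API password cannot break the XML.
    """
    root = ET.fromstring(xml_bytes)
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    setel = ET.SubElement(req, "Set", operation="add")
    for exc in root.findall("WebFilterException"):
        setel.append(exc)
    return ET.tostring(req, encoding="unicode")


# Constructed stand-in for the .tar the firewall's selective export produces.
SAMPLE_TAR = repack("Entities.xml", SAMPLE_XML)

if __name__ == "__main__":
    filtered = filter_export(SAMPLE_TAR, ["M365-all"])
    print("before:", exception_names(SAMPLE_TAR))
    print("after: ", exception_names(filtered))
    with open("m365-exception.tar", "wb") as fh:
        fh.write(filtered)
```

Run `exception_names()` on the filtered tar before importing it anywhere; if the list is not exactly what you expect, nothing has been touched yet. Whether you then import the tar through the GUI on each firewall or post the envelope from `build_api_request()` to each one's API is the "scripting thing" from the earlier reply; the transport and credentials handling are yours to supply.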