Sophos Firewall: v19.5 MR2: Feedback and experiences

Would be a relief to be able to also use FQDN objects in ACL exception rules, so you can use a DNS entry for proper remote support address maintenance

Hello ddcool,

a FQDNs have long been supported in ACLs...

Regards

alda

That is not true. FQDNs can not be used within "Local service ACL exception rules".

Hello ddcool,

hmm, really interesting and how is it possible that I have been using this feature for several years?!?

I definitely recommend you to try this feature, I'm sure you will be very surprised.

Regards

alda

Feel free to post a screenshot showing that this is possible in Sophos XG(S) v19.5 or below (not Sophos UTM!)

Hello ddcool,

as I wrote before, this feature has been supported for many years. It is naturally also supported in SFOS version 19.5.1 MR-1-Build278.

I won't send any screen shot because you can try it trivially easily yourself. You need one FQDN for this, which you enter in the Source Network / Host field in the Local service ACL exception rule window.
That is all.

Regards

alda

You mean this? Yeah funny it does not offer FQDN...

Oh and what is this? Use FQDN-Host Object for Device Access ACL - Discussions - Sophos Firewall - Sophos Community

Really?!?

I don't know about you, but it works for me.

Regards, alda

Really?!?

I don't know about you, but it works for me.

Regards, alda

I guess you just created IP host objects with FQDN in its name, but IP addresses as content. That is not an FQDN object, as it does not resolve anything

Hello ddcool,

yes, you're right, sorry, I forgot that I have hosts records defined like this as FQDN.

Well, again, all the more reason that I started using another firewall solution a long time ago. Something like that obviously works there, sorry...

Regard

alda

There are plans to implement a FQDN Support for ACLs - Generally speaking: Using Services like Central for Access from external instead could be a good approach to access the firewall. 

There are even plans to build a SSO Access as a Partner directly to the SFOS Firewall of a customer (Partner Dashboard). 

Other approach could be using VPN Tunnels (To ensure a access). 

All of them are valid points, but there are scenarios and customer whishes, which would benefit from having this feature. In general I think every object type should be usable within all modules of the firewall if possible.

Yes - every kind of objects should be consistently avaliable through all of Sophos firewall. This is a must-have!

Overall, this release is not to tackle the way, how Customers/Partner work today. So if you are doing access to your firewall like that "today" it will not change anything.

It is only to automatically increase the security of all customers, who do not use it at all. If you are not using WAN for 90 Days, likely you wont use it at all. So customers will get a setting removed, which highly reduce there attack surface at no cost. 

Sophos is working on a way to improve the product in the future for partner access and customer access. And there are multiple approaches to this situation, like described above. 

But those approaches are not covered in this Release, it is only to reduce the attack surface for all customers, who are currently not using it. 

Do you mean SSL VPN access? The way this update reads to me, if nobody connects to the User Portal in 90 days, that user portal will have WAN access turned off. And the User Portal is necessary for Sophos Connect. Plus, I don't like turning on SSL VPN on firewalls that don't need it, as, well... It's a security risk, after all.

Or do you mean access over IPSec tunnels? I really don't want to make > 1000 tunnels manually. Plus then I have all my customers cross-connected, so, that's a pretty big security risk.

Using the Access means a successful Login. 

SSLVPN and IPsec VPN is not impacted by this change. 

Sophos Connect does not need User Portal. The User Portal is only needed, if the OVPN does not work, or you need a OVPN in the first place (It will connect to the User Portal and download the OVPN). This process will be reworked in the next major release. 

We make changes to the SSL VPN settings here and there that require a new .ovpn file for users. I'll admit that I love Sophos Connect for this, since the changes essentially auto-deploy. Are you saying that a successful Sophos Connect connection won't necessarily reset the 90-day timer on User Portal access?

I may not be sure what you're referring to when you say "Using the Access" though. If Sophos Connect only defaults to pulling the .ovpn file when the locally cached .ovpn settings fail, then accessing SSL VPN won't usually reset the User Portal 90-day window. If it pulls the .ovpn settings every time in the background using the User Portal, then it would reset that window.

Ultimately I just want to know the best way to keep WebAdmin and User Portal access going for my clients where it's only used maybe a few times a year, and from possibly-changing public IP addresses. I can update an FQDN as needed for WebAdmin, but we've had clients in the past go from SSL VPN users connecting once a year, to once a week, because they transitioned some people to WFH. We can go in and re-enabled when this happens of course, but it's hard to explain to the clients why their SSL VPN stopped working if it's by design and can't be changed.

We would just prefer it stayed working, but just be hardened instead. Public-facing logins can be pretty locked down with industry standard stuff: 2FA, Captcha, geo-blocking, failure timeouts and IP auto-bans, active check-in and monitoring with error reporting, third-party code reviews, etc. Much of this is already implemented, but just not fully tied together.

RCEs happen. Geoblocking, 2FA, Captcha etc, cannot protect you against 0Day RCEs. Generally speaking, your strategy should be to keep services unavailable, if not needed. 

Every successful login to user portal / webadmin will reset the timer. So essentially, if you need to change the config of OVPN in generell, you could enable the user Portal again. By the way, as mentioned will there be a new way to download the config in the future without the User Portal.