Application Filter - blocking policy questions

Ok unless I am missing something, you:

Create an Application Filter, set it to Block. But in the GUI overview it shows the default action as Allow. You have to edit the policy to see it's set to block. Poor design and visually confusing.

Create a Firewall Filter, set it to Allow and choose the Application Filter that is set to Block. Poor design and visually confusing.

Logging is even worse, with Firewall Logs showing the rule as allowed (which technically it is), but then you have to view the Application Filter logs to see the actual block. Audit nightmare.

Is this really the way? I've never seen a policy and logging engine this badly implemented.

Added TAGs
[edited by: Raphael Alganes at 5:44 AM (GMT -7) on 21 Mar 2024]
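The split verdict described in the post (firewall log says "allow", application filter log says "block") is a correlation problem for anyone auditing the traffic. The script below is an added example, not code from the thread or from Sophos, and the key=value log lines in it are constructed for the example; it assumes only that both log sources carry the same 5-tuple so a flow can be joined across them, and it reports the flows whose firewall "allow" is contradicted by an application-filter block.

```python
"""Join firewall-rule log lines with application-filter log lines to recover
the effective per-flow verdict.

Assumptions (this example is constructed, not Sophos' real log schema):
  * both logs are key=value lines,
  * both carry src/sport/dst/dport so a flow can be matched across them,
  * an application-filter 'block' overrides a firewall-rule 'allow'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample firewall-rule log (hypothetical format, not product output).
FIREWALL_LOG = """\
ts=2024-03-21T10:00:01Z src=10.0.0.5 sport=51000 dst=1.1.1.1 dport=443 proto=tcp rule=allow-web action=allow
ts=2024-03-21T10:00:02Z src=10.0.0.6 sport=51001 dst=93.184.216.34 dport=443 proto=tcp rule=allow-web action=allow
ts=2024-03-21T10:00:03Z src=10.0.0.7 sport=51002 dst=10.0.0.9 dport=23 proto=tcp rule=default-drop action=drop
"""

# Constructed sample application-filter log for the same time window.
APPFILTER_LOG = """\
ts=2024-03-21T10:00:01Z src=10.0.0.5 sport=51000 dst=1.1.1.1 dport=443 app=DNS-over-HTTPS filter=block-doh action=block
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
FlowKey = Tuple[str, str, str, str]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))


def flow_key(rec: Dict[str, str]) -> FlowKey:
    """The join key shared by both logs: source and destination socket pair."""
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


@dataclass
class Verdict:
    flow: FlowKey
    firewall_action: str
    firewall_rule: str
    app_action: Optional[str]
    app_name: Optional[str]

    @property
    def effective(self) -> str:
        # A firewall drop is final; an application-filter block overrides an allow.
        if self.firewall_action != "allow":
            return self.firewall_action
        if self.app_action == "block":
            return "block"
        return "allow"


def correlate(fw_text: str, app_text: str) -> List[Verdict]:
    """Attach the application-filter verdict (if any) to every firewall log line."""
    app_by_flow = {flow_key(r): r for r in map(parse_kv, app_text.splitlines()) if r}
    verdicts: List[Verdict] = []
    for line in fw_text.splitlines():
        rec = parse_kv(line)
        if not rec:
            continue
        app = app_by_flow.get(flow_key(rec))
        verdicts.append(Verdict(
            flow=flow_key(rec),
            firewall_action=rec["action"],
            firewall_rule=rec["rule"],
            app_action=app["action"] if app else None,
            app_name=app["app"] if app else None,
        ))
    return verdicts


def misleading_allows(verdicts: List[Verdict]) -> List[Verdict]:
    """Flows the firewall log alone would report as allowed but were actually blocked."""
    return [v for v in verdicts if v.firewall_action == "allow" and v.effective == "block"]


if __name__ == "__main__":
    results = correlate(FIREWALL_LOG, APPFILTER_LOG)
    for v in results:
        print(f"{v.flow}: firewall={v.firewall_action} ({v.firewall_rule}) "
              f"app={v.app_action} effective={v.effective}")
    print(f"{len(misleading_allows(results))} flow(s) logged as allowed but blocked by the app filter")
```

Running it over the constructed lines flags the 10.0.0.5 flow: the firewall log records an allow by `allow-web`, while the application filter blocked it as DNS-over-HTTPS, so an audit that reads only the firewall log gets the wrong answer for that session.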
  • It is basically because the firewall is giving tasks to the app control and other mechanisms. The firewall will allow traffic and work with other subsystems to block apps or websites with the proxy or other technologies.

    Most Sophos customers do App control on the Endpoint, simply because App control on a Gateway solution is not viable anymore --> You can block as much as you want, the client will still "run". And you still cannot prevent apps from being launched from a gateway. Additionally, apps nowadays run over TLS, which needs to be decrypted, etc.

    So App control on a Firewall moved more into an auditing mode, which gives visibility rather than blocking.

    Endpoint solutions can help to actually prevent an app from being launched.


  • Endpoint app control is fine, but there are lots of devices that don't support an agent, XIoT for one. So while I understand your point, it's really not valid unless your environment is very limited. The use case here was for DNS over HTTPS, and the firewall is definitely the best place to manage and control that.

  • From a technical perspective, you do not have many chances in that respect: You can check the TLS Handshake and try to figure out what it is, you can try to figure out what DNS query is fetched, you can try to check the destination IP. Afterwards it's impossible to find the session.

    What you could try is Sophos DNS for IoT, as we integrated our own blocklist there. https://news.sophos.com/en-us/2023/11/23/introducing-sophos-dns-protection/

    It is a demo right now and can be integrated. 

    About your points: Try to use the detailed view: 

    It will show you all modules working.
