Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application Filter - blocking policy questions

Ok unless I am missing something, you:

Create an Application Filter, set it to Block. But in the GUI overview it shows default action is Allow. You have to edit the policy to see it's set to block.  Poor design and visually confusing.

Create a Firewall Filter, set it to Allow and choose the Application Filter that is set to Block.  Poor design and visually confusing.

Logging is even worse, with Firewall Logs showing the rule as allowed (which technically it is), but then you have to view the Application Filter logs to see the actual block. Audit nightmare. 

Is this really the way? I've never seen a policy and logging engine this badly implemented.



This thread was automatically locked due to age.
Parents
  • It is basically because the firewall is giving tasks to the app control and other mechanism. The firewall will allow traffic and work with other sub systems to block apps or websites with the proxy or other technologies. 

    Most Sophos customers do App control on the Endpoint - Simply because the time of App control on a Gateway solution is not viable anymore --> You can block as much as you want, the client will still "run". And you can still not prevent apps to be launched on a gateway. Additionally Apps are nowadays running in TLS - which needs to be decrypted etc. 

    So App control on a Firewall moved more into a auditing mode, which gives visibility rather than blocking it. 

    Endpoint solutions can help to actually prevent an app to be launched. 

    __________________________________________________________________________________________________________________

  • Endpoint app control is fine, but there are lots of devices that don't support an agent - XIoT for one.  So while I understand your point, it's really not valid unless your environment is very limited.  The use case here was for DNS over HTTPS and the firewall is definitely the best place to manage and control that. 

  • From a technical perspective, you do not have much chances in that term: You can check the TLS Handshake and try to figure out, what it is, you can try to figure out what DNS query is fetched, you can try to check the destination IP. Afterwards its impossible to find the session. 

    What you could try is Sophos DNS for IoT, as we integrated a own blocklist there. https://news.sophos.com/en-us/2023/11/23/introducing-sophos-dns-protection/

    It is a demo right now and can be integrated. 

    About your points: Try to use the detailed view: 

    It will showcase you all modules working. 

    __________________________________________________________________________________________________________________

Reply
  • From a technical perspective, you do not have much chances in that term: You can check the TLS Handshake and try to figure out, what it is, you can try to figure out what DNS query is fetched, you can try to check the destination IP. Afterwards its impossible to find the session. 

    What you could try is Sophos DNS for IoT, as we integrated a own blocklist there. https://news.sophos.com/en-us/2023/11/23/introducing-sophos-dns-protection/

    It is a demo right now and can be integrated. 

    About your points: Try to use the detailed view: 

    It will showcase you all modules working. 

    __________________________________________________________________________________________________________________

Children
No Data