
Firewall rules and policy

Hi, I want to block the IoT network (xxx.xxx.5.xx/24) from pinging the default gateway of other networks, so I created a firewall rule to do so. However, when testing, devices in the IoT network are still able to ping the default gateways of other networks. I have also used the policy tester to check this, and it is not picking up the firewall rule.

I have tried putting the firewall rule at the very top to make sure that it would pick it up.

I have attached images of the firewall policy created. Any help would be much appreciated.  



  • Hello there,

    Thank you for contacting the Sophos Community.

    I recommend that you create a separate zone for the IOT devices instead of using Source Zone Any and disable PING from the ACL for this new zone.

    ACL has precedence over the Firewall Rules.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
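The ordering described in the reply above (the local service ACL is consulted for traffic addressed to the firewall's own interface IPs, and the firewall rule table only for transit traffic) is easiest to see in a small model. The following is an added example, not code from the thread or from Sophos: a simplified packet classifier with longest-prefix zone lookup, a per-zone local ACL and first-match firewall rules. The addresses, zone names, rule names and ACL contents are constructed for illustration, and the model is only an approximation of how SFOS evaluates traffic.

```python
# Added example (not from the thread, not Sophos code): a simplified model of a
# zone-based firewall in which traffic to the firewall's own interface IP is
# decided by the per-zone local service ACL, and only transit traffic walks the
# ordered firewall rule table. All addresses/zones/rules below are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Interface:
    name: str
    zone: str
    network: Net     # subnet served by this port/VLAN
    address: Addr    # the firewall's own IP on it, i.e. that subnet's default gateway


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "drop"
    src_zone: Optional[str] = None       # None means Any
    dst_zone: Optional[str] = None
    src_net: Optional[Net] = None
    dst_net: Optional[Net] = None
    services: Optional[set] = None       # None means Any


@dataclass
class Firewall:
    interfaces: list
    rules: list                                      # ordered, first match wins
    local_acl: dict = field(default_factory=dict)    # zone -> services permitted to the firewall itself

    def zone_of(self, ip: Addr) -> str:
        # longest-prefix match over the interface subnets; anything unmatched is treated as WAN
        best = None
        for intf in self.interfaces:
            if ip in intf.network and (best is None or intf.network.prefixlen > best.network.prefixlen):
                best = intf
        return best.zone if best else "WAN"

    def evaluate(self, src: str, dst: str, service: str):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_zone = self.zone_of(s)
        if any(d == intf.address for intf in self.interfaces):
            # destination is the firewall itself: the local ACL decides, rules are never consulted
            permitted = service in self.local_acl.get(src_zone, set())
            return ("allow" if permitted else "drop", f"local service ACL, zone {src_zone}")
        dst_zone = self.zone_of(d)
        for r in self.rules:
            if r.src_zone not in (None, src_zone) or r.dst_zone not in (None, dst_zone):
                continue
            if r.src_net is not None and s not in r.src_net:
                continue
            if r.dst_net is not None and d not in r.dst_net:
                continue
            if r.services is not None and service not in r.services:
                continue
            return (r.action, f"firewall rule '{r.name}'")
        return ("drop", "implicit default drop")


def build(iot_zone: str) -> Firewall:
    """Constructed topology: two LAN VLANs plus an IoT VLAN placed in the given zone."""
    return Firewall(
        interfaces=[
            Interface("Port1", "LAN", Net("10.0.1.0/24"), Addr("10.0.1.1")),
            Interface("Port1.20", "LAN", Net("10.0.2.0/24"), Addr("10.0.2.1")),
            Interface("Port1.50", iot_zone, Net("10.0.5.0/24"), Addr("10.0.5.1")),
        ],
        rules=[
            # the poster's rule: drop IoT -> other VLAN ping, placed at the top of the table
            Rule("Block IoT ping to VLAN 20", "drop",
                 src_net=Net("10.0.5.0/24"), dst_net=Net("10.0.2.0/24"), services={"PING"}),
            Rule("Allow LAN to LAN", "allow", src_zone="LAN", dst_zone="LAN"),
        ],
        # PING is permitted to the firewall from LAN; no entry for the IoT zone means nothing is
        local_acl={"LAN": {"PING", "HTTPS", "SSH"}},
    )


def op_scenario() -> dict:
    """Same rule, IoT VLAN in the LAN zone versus in its own zone."""
    same_zone, own_zone = build("LAN"), build("IoT")
    return {
        "gateway_same_zone": same_zone.evaluate("10.0.5.20", "10.0.2.1", "PING")[0],   # allow: ACL wins
        "host_same_zone":    same_zone.evaluate("10.0.5.20", "10.0.2.20", "PING")[0],  # drop: rule matches
        "gateway_own_zone":  own_zone.evaluate("10.0.5.20", "10.0.2.1", "PING")[0],    # drop: no ACL entry
    }


if __name__ == "__main__":
    for name, verdict in op_scenario().items():
        print(f"{name}: {verdict}")
```

With the IoT VLAN still in the LAN zone, a ping to the VLAN 20 gateway is allowed even though the drop rule sits at the top of the table, because the destination is the firewall's own address and only the LAN zone's local ACL is consulted; a ping to a host in VLAN 20 hits the rule and is dropped. Moving the IoT VLAN into its own zone with no PING entry in that zone's ACL drops the gateway ping as well.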
  • I have tried this by setting the source and destination zone to LAN. If I change this rule to another device, e.g. xx.xx5.20 (one that isn't the default gateway IP), then the rule works fine and blocks the ICMP traffic.

  • I have noticed that I need to fill in a specific Zone at times to get a firewall rule to work as expected, so you've tried all the right things.

    My guess is that there's sometimes a bit of confusion as to which subnet/port of the firewall is being used to access which firewall service, which is consistent with what you've found: your rule works for an IP other than the firewall's port.

    Have you tried not specifying the destination network? (I.e. try to block all pings from IoT.) I can't recall whether you can differentiate an ICMP ping reply from a ping request, but at least you could see if you can stop pings entirely and then try to dial it back.

    In my case, my IoT has its own SSID, which gets placed in its own VLAN which is in its own Zone, which might or might not give you additional control/differentiation. In addition, my IoT SSID has the isolation setting turned on so that none of the IoT devices can talk to each other.

    Not sure if any of that would help you... again, my feeling is that deep within the firewall your ICMP is considered to be on a different port than we might assume.

  • Hi Wayne,

    I currently have the network in its own VLAN but not in a separate zone for each VLAN. I may look into putting each VLAN into a separate zone, as that looks to benefit the firewall rules.

    This was one of the firewall rules I had on my previous router and am trying to migrate the rules over. 

    Is there a way to isolate clients in a VLAN so that they cannot talk to each other, or is this only possible if you are using Sophos access points and switches? This is next on my list to look into.
