Basic set of firewall rules for a very basic office

Hello,

I'm new to Sophos, and am deploying my first firewall to a very basic client, and just want to check what I have configured is a reasonable balance between security and functionality?  I am just looking for opinions and whether I have missed anything major?  I do understand setting security can be like measuring the length of string so to speak.

Note as I don't want to risk too many problems I have just allowed everything LAN to LAN.

Also note I have a disabled 'deny LAN and WiFi to Internet' rule at the top so it can quickly be isolated in case of attack.

The allowed services for access to the web are:

DNS, FTP, HTTP, HTTPS, ICMP, ICMPv6, NTP, SIP, SIP-MSNmessenger, SNMP



  • Note I just reversed the source and destinations for the 'Block Russian Iranian North Korean' rule as it was obviously wrong.  I have tested it ok, and have also tested the internet via various sites ok

  • Hi,

    the blocking will only block outgoing traffic and should be the top rule.

    I would change any of your source to LAN and the network to improve security. Your mail setting is an open, so change it to source ZONE to LAN and network to the LAN network.

    Unless you have IPv6 configured on your XG I would remove the ICMPv6.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
