Thread Info
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Edit/Delete Default IPS Rules - Feature Request

lferrara

Hi All,

at the moment XG comes with defautl IPS rules that cannot be customized or delete. At least allow us to customize them in order to add/remove Signature.
I always like to keep the Appliance as clean and light possible and I would like to delete default IPS rules too.

Please vote the feature request:

http://feature.astaro.com/forums/330219-sophos-xg-firewall/suggestions/13146459-edit-delete-default-ips-rules

Thanks.



This thread was automatically locked due to age.
  • 0

    voted and commented to keep this post topof the heap.

    Ian,

    home UTM 9.x running in ESXi 6 e3-1275v2

    AP55c and AP10 (courtesy Astaro)

    Three other UTMs, SUM and SFM in hibernation

    XG 15.x MR3 in hibernation

    • 0

      Hi lferrara,

      While I understand the desire to have the optimal usage of RAM and storage available on the appliance, please note:

      1. The default IPS policies are meant, primarily, for an SMB admin (all of them may not be security experts) to have the most basic protection in place against intrusions, without getting into all the details.
      2. Those default policies are NOT activated by default, you have to actually select and bind them with a firewall rule (by default - an IPS policy is set to 'None' while creating a firewall rule), so I don't see any issue with RAM usage here. As for the storage, 6 default policies may consume, at most, a few MBs and your appliance is shipped with storage capacity of hundreds of GBs.   

      Hope this helps.

      • 0 in reply to Dhiren

        Dhiren,

        thank you for your answer. We know that and most of the rules can be used in most organization, however some of them reports false-positive and editing the built-in can reduce time to create a new one.

        My idea is always to keep rules and policies as clean as possible and removing the built-in (let us deciding if we want to edit/remove them) will do the trick. For SMB I agree with your idea and point of view, but some of us use Sophos in big environment.

        Think about it!

        Thanks.

        • 0 in reply to lferrara

          Agreed - the ability to edit a built-in rule as opposed to creating a new one should come handy both by having less false-positives and saving time as well.

          I see that you've already suggested this as a feature request on the forum, still - I'll forward this to our PM team as well.

          Cheers.

          • 0 in reply to Dhiren

            I think you should alternatively consider storing the non-modifiable built-in rules as templates rather than non-modifiable rules, and that way they can be stored (taking up the minimal-bloat megabytes of space) and be available as baselines to admins when creating new rules. In addition the default configuration could continue to provide pre-defined rules, based on these templates, which have access permissions that allow for both modification and deletion. This would appease the large deployment admins who want to add and delete rules and maintain a clean set, and also will cover the less advanced users who might be satisfied with the defaults (or slightly tweaked defaults based on their circumstances) and are protected from the situation in which they accidentally delete any of the pre-defined rules if anyone could easily recover from this by re-creating the defaults from hard-coded (non-modifiable and otherwise inaccessible) templates stored within the system.

            But please see my other discussion regarding the confusion surrounding pre-defined rules, and the undocumented relationship between, e.g. "LAN TO WAN" and "lantowan 'x'".

            • 0 in reply to BrianCarp

              Hi BrianCarp,

              I hear you.

              You mentioned some confusion surrounding pre-defined rules, I looked around - couldn't find it. Can you share the link?

              Regards,

              Dhiren

            Unfiltered HTML