Sophos Firewall : Application filter recommended settings for better application detection

Overview

This article describes the recommended CLI settings for the application filter, so that critical and evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc. are better detected and blocked.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos Firewall

What to do

CLI settings

  1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
  2. Verify the current configuration by issuing the following commands.
    show advanced-firewall
    show ips-settings
  3. Issue the following commands for the recommended settings (applicable to versions 18.x and 19.x):
    set advanced-firewall midstream-connection-pickup off
    set ips maxsesbytes-settings update 0
    set ips maxpkts 80
    set ips packet-streaming on
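As an added example (not Sophos's own tooling), the following Python script checks a saved copy of the `show advanced-firewall` / `show ips-settings` output against the four recommended values from step 3 and lists the `set` commands still needed. The `key : value` dump format and the mapping from each `set` command to the key name printed by `show` are assumptions; adjust them to what your firmware actually prints.

```python
"""Audit a saved Sophos Firewall 'show' dump against the article's recommended settings."""
import re

# Recommended state from the article, keyed by the 'set' command that applies it.
# ASSUMPTION: the key name that 'show' prints for each setting; adjust to your firmware.
RECOMMENDED = {
    "set advanced-firewall midstream-connection-pickup off": ("midstream-connection-pickup", "off"),
    "set ips maxsesbytes-settings update 0": ("maxsesbytes", "0"),
    "set ips maxpkts 80": ("maxpkts", "80"),
    "set ips packet-streaming on": ("packet-streaming", "on"),
}

# Constructed sample dump (NOT real device output) in the assumed 'key : value' layout;
# two of the four settings deliberately deviate from the recommendation.
SAMPLE_DUMP = """\
midstream-connection-pickup : on
maxsesbytes : 0
maxpkts : 50
packet-streaming : on
"""


def parse_dump(text):
    """Parse 'key : value' lines into a dict; keys and values are lower-cased."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*:\s*(\S+)", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def audit(text):
    """Return (findings, remediation): findings maps key -> (current, recommended);
    remediation is the ordered list of 'set' commands whose setting is missing or wrong."""
    current = parse_dump(text)
    findings, remediation = {}, []
    for cmd, (key, want) in RECOMMENDED.items():
        have = current.get(key, "<missing>")
        findings[key] = (have, want)
        if have != want:
            remediation.append(cmd)
    return findings, remediation


if __name__ == "__main__":
    findings, fixes = audit(SAMPLE_DUMP)
    for key, (have, want) in findings.items():
        print(f"{key:30} current={have:10} recommended={want}")
    print("\nCommands to apply:" if fixes else "\nAll recommended settings present.")
    print("\n".join(fixes))
```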
GUI settings

Application filter policy settings

Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In the case of CROS, Micro App should be enabled in the application filter policy.

  • DNS Multiple QNAME
  • OpenVPN
  • QUIC
  • Non-SSL/TLS traffic on port 443

Firewall rule settings

The same application filter policy (as configured above) must also be applied to the DNS firewall rule, if there is one.

For Psiphon Proxy

  1. SSL/TLS inspection should be enabled under the SSL/TLS inspection settings, and a decryption rule needs to be created based on the firewall rules.
  2. Block Invalid Certificates must be enabled in SFOS, and Allow Invalid Certificates should be disabled in CROS.
  3. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN→WAN. If Psiphon still connects after following all steps, it is highly likely that traffic on other ports is passing through other firewall rules (one can allow ports 1025 to 65535).

For Hot Spot Shield Proxy

  1. Enable HTTPS scanning.
  2. Configure all CLI and GUI settings.
  3. Enable option in Web > General Settings > Block unrecognized SSL protocols.
  4. Enable option in Web > General Settings > Block invalid certificates.


[edited by: emmosophos at 12:53 AM (GMT -8) on 22 Nov 2022]