Sophos Firewall : Application filter recommended settings for better application detection

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read describes the recommended Application filter settings, for both the CLI and the GUI, for blocking evasive proxy and tunnelling applications such as Psiphon, Tor Proxy (Tor Browser), torrent clients, Ultrasurf, HotSpot Shield and similar tools.

CLI settings

IPS-Settings

  • Max Packets value must be at least 80
  • Max Session Bytes value must be 0
  • Packet Streaming must be ON

To verify the current configuration, log in to the Sophos Firewall console, select 4. Device Console and run:

show ips-settings

To apply the recommended values, run the following commands:

set ips maxpkts 80
set ips maxsesbytes-settings update 0
set ips packet-streaming ON

Advanced-Firewall Settings

  • Midstream Connection Pickup must be OFF

Verify the current value and set it with the following commands:

show advanced-firewall
set advanced-firewall midstream-connection-pickup off

GUI settings

Application filter policy settings

In the application filter policy concerned, deny the "P2P" and "Proxy and Tunnel" categories and, in addition, the individual applications listed below:

  • DNS Multiple QNAME
  • OpenVPN
  • QUIC
  • Non-SSL/TLS traffic on port 443
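The two last signatures in that list are easy to misread as category names, so here is an added example (written for this page, not Sophos' own code or signature logic) showing what they look for on the wire: a DNS message whose header advertises more than one question (QDCOUNT > 1), and a TCP/443 payload that does not begin with a TLS handshake record carrying a ClientHello. The packets are constructed by hand and the match rules are this example's assumptions.

```python
# Added example (not from the Sophos page or Sophos' own code): offline heuristics
# showing what two of the application signatures above look for on the wire.
#   "DNS Multiple QNAME"              -> DNS header QDCOUNT > 1
#   "Non-SSL/TLS traffic on port 443" -> TCP/443 payload that is not a TLS
#                                        handshake record carrying a ClientHello
# The packets are constructed by hand; the match rules are this example's
# assumptions, not Sophos' signature logic.
import struct
from typing import List


def build_dns_query(names: List[str], txid: int = 0x1234) -> bytes:
    """Build a DNS query (RFC 1035 wire format) with one A/IN question per name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, len(names), 0, 0, 0)
    body = b""
    for name in names:
        for label in name.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + body


def dns_question_count(dns_msg: bytes) -> int:
    """QDCOUNT from the 12-byte DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT."""
    if len(dns_msg) < 12:
        return 0
    return struct.unpack("!HHHHHH", dns_msg[:12])[2]


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS handshake record whose first
    handshake message is a ClientHello.
    Record header : type 0x16 (handshake), version 0x03 0x00..0x03, length (2 bytes)
    Handshake hdr : type 0x01 (ClientHello), length (3 bytes)
    SSLv2-style ClientHellos use different framing and are treated as non-TLS here."""
    if len(payload) < 6:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    record_len = struct.unpack("!H", payload[3:5])[0]
    return record_len >= 4 and payload[5] == 0x01


def classify(proto: str, dst_port: int, payload: bytes) -> List[str]:
    """Return the names of the signatures above that the packet matches."""
    hits = []
    if proto == "udp" and dst_port == 53 and dns_question_count(payload) > 1:
        hits.append("DNS Multiple QNAME")
    if proto == "tcp" and dst_port == 443 and payload and not looks_like_tls_client_hello(payload):
        hits.append("Non-SSL/TLS traffic on port 443")
    return hits


# Constructed samples (not captured traffic).
NORMAL_DNS = build_dns_query(["www.example.com"])
MULTI_QNAME_DNS = build_dns_query(["a.tunnel.example", "b.tunnel.example"])
# First 11 bytes of a TLS 1.2 ClientHello: record 0x16 0x0301 len 0x00c4, handshake type 0x01 ...
TLS_CLIENT_HELLO = bytes.fromhex("16030100c4010000c00303")
# Plain HTTP sent to 443, as misconfigured tools and some obfuscating clients do.
HTTP_ON_443 = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Random-looking bytes on 443, the shape of an obfuscated (non-TLS) tunnel.
OBFUSCATED_ON_443 = bytes.fromhex("a7e03c5d9b1102ff44c8e019")

if __name__ == "__main__":
    for label, proto, port, data in [
        ("normal DNS", "udp", 53, NORMAL_DNS),
        ("multi-QNAME DNS", "udp", 53, MULTI_QNAME_DNS),
        ("TLS ClientHello", "tcp", 443, TLS_CLIENT_HELLO),
        ("HTTP on 443", "tcp", 443, HTTP_ON_443),
        ("obfuscated on 443", "tcp", 443, OBFUSCATED_ON_443),
    ]:
        print(f"{label:20s} -> {classify(proto, port, data) or ['no match']}")
```

The point of the port-443 check is that it keys on protocol shape rather than port number, which is why it catches tunnels that hide on 443 but also why it needs the IPS settings above (enough packets inspected per session, streaming on) to see the first payload bytes. QUIC is UDP, so it is a separate signature and is not covered by this TCP check.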

Firewall rule settings

If there is a separate firewall rule for DNS traffic, apply the same application filter policy (as configured above) to it as well, so that the DNS Multiple QNAME signature also covers that traffic.

For Psiphon Proxy

1. Enable SSL/TLS inspection under the SSL/TLS inspection settings and create one decryption rule matching the relevant firewall rules:

a. Action must be "Decrypt".

b. Profile must be "Maximum Compatibility".

2. In the firewall rule, the legacy web proxy must be disabled (Web Policy = None).

3. Block invalid certificates (PROTECT > Web > General Settings > HTTPS decryption and scanning) must be enabled in SFOS.

4. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on the LAN-to-WAN rule. If Psiphon still connects after all the steps above, its traffic is most likely passing through another firewall rule that allows additional ports (ports 1025 to 65535 can be left allowed):

a. The primary rule should allow only the limited set of services above.

b. The rule directly below the primary rule should deny traffic to ports 1 to 1024 (the well-known port range) for the same source machines, so that Psiphon cannot fall back to other low ports permitted by later rules.
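Why the deny rule has to sit directly below the primary rule is easiest to see by simulating the first-match evaluation. The following is an added example written for this page, not Sophos code: the rule names, the LAN network 192.168.1.0/24 and the sample ports are assumptions, and the model only reproduces the top-down, first-match behaviour of the rule table.

```python
# Added example (not from the Sophos page or Sophos' own code): a first-match
# simulation of the rule ordering described in step 4 above. SFOS evaluates
# firewall rules top-down and the first match wins; the rule names, the LAN
# network 192.168.1.0/24 and the sample ports are assumptions made for the demo.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    sources: List[str]                            # source networks (CIDR)
    services: List[Tuple[str, int, int]]          # (proto, low port, high port); "any" = all protocols

    def matches(self, src: str, proto: str, dport: int) -> bool:
        if not any(ip_address(src) in ip_network(net) for net in self.sources):
            return False
        return any(p in ("any", proto) and lo <= dport <= hi
                   for p, lo, hi in self.services)


def evaluate(rules: List[Rule], src: str, proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; no match is an implicit drop."""
    for rule in rules:
        if rule.matches(src, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit drop"


LAN = ["192.168.1.0/24"]
# Primary rule: only HTTPS, HTTP, DNS, ICMP and SMTP, as recommended above.
# ICMP has no ports; it is modelled here as port 0.
PRIMARY = Rule("LAN primary", "allow", LAN, [
    ("tcp", 443, 443), ("tcp", 80, 80), ("udp", 53, 53), ("tcp", 53, 53),
    ("icmp", 0, 0), ("tcp", 25, 25),
])
# The deny rule that must sit directly below the primary rule.
DENY_LOW = Rule("LAN deny 1-1024", "deny", LAN, [("any", 1, 1024)])
# A later, broader rule that many environments have; high ports only.
HIGH_PORTS = Rule("LAN high ports", "allow", LAN, [("any", 1025, 65535)])
# A too-broad catch-all that lets Psiphon fall back to other low ports.
CATCH_ALL = Rule("LAN any", "allow", LAN, [("any", 1, 65535)])

HARDENED = [PRIMARY, DENY_LOW, HIGH_PORTS]
LOOSE = [PRIMARY, CATCH_ALL]

if __name__ == "__main__":
    client = "192.168.1.10"
    for name, ruleset in (("hardened", HARDENED), ("loose", LOOSE)):
        for proto, port in (("tcp", 443), ("tcp", 22), ("tcp", 990), ("tcp", 8080)):
            action, rule = evaluate(ruleset, client, proto, port)
            print(f"{name:8s} {proto}/{port:<5d} -> {action:5s} by '{rule}'")
```

In the hardened table tcp/443 is still allowed by the primary rule, tcp/22 and tcp/990 stop at the deny rule, and tcp/8080 is allowed by the high-port rule further down; in the loose table the same tcp/22 attempt is allowed by the catch-all, which is the leak the text describes. Use the same walk-through against your real rule table before concluding that the application filter itself has failed.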

Betternet VPN

To block Betternet VPN, invalid certificates (which such proxy applications commonly use) must be blocked. Perform the steps below:

  1. Apply the CLI and GUI settings mentioned above.
  2. In the SFOS UI, go to Rules and policies > SSL/TLS inspection rules and create a rule with Action "Don't decrypt" and Profile "Block insecure SSL".
  3. Disable the default rule "Exclusions by website".

Hot Spot Shield Proxy

  1. Enable HTTPS scanning.
  2. Apply all the CLI and GUI settings mentioned above.
  3. Enable the option Web > General Settings > Block unrecognized SSL protocols.
  4. Enable the option Web > General Settings > Block invalid certificates.


[edited by: emmosophos at 12:06 AM (GMT -8) on 24 Nov 2023]
  • rfcat_vk said:

    Interesting about the block unknown SSL traffic when the recommended default is to leave it off.

    Maximum compatibility is to have it off.

    Maximum protection is to have it on.

    Most admins care more about compatibility and therefore have it off. That is the default and the recommendation. For some cases where admins are trying to block specific things, it needs to be on. Turning it on will help block Hot Spot Shield Proxy, but will also block other things.