Thread Info
Options
Suggested

Sophos Firewall: Using Firewall "Rule Groups"

Matthew Ritchie

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Table of Contents

Applies to:

All Sophos Firewall (XGS, Virtual, Software, Azure, AWS) Firmware v18.0+

Configuration:

Sophos Firewall > Admin UI > Protect>Rules and Policies > 

Steps:

  1. As shown in "Where do I configure this?" you’ll log into your Firewall via HTTPS//172.16.16.16:4444 or MGMT interface
  2. Select "Protect: Rules and Policies" in the left menu, then Add Firewall Rule.
  3. Within the Add Firewall Window, you’ll see the following. Open the drop-down menu on "Rule Group":
  4. Click Add to add a new Rule group that will automatically put all firewall rules we have to create now and in the future into a "LAN-to-WAN" Rule Group. 
  5. Give your new "Rule Group" an appropriate name based on the targeted Firewall Rules. In this example, I have named it "LAN-to-WAN" and described other admins and myself when reviewing it later.
  6. Continuing down the window, we will now specify our Group Matching Criteria
  7. After creating this rule, you will return to the previous firewall creation menu and notice that you have a Rule Group selection of "LAN-to-WAN."
  8. From here on out, whenever you create a firewall rule with this matching criteria, you can leave the Rule Group selection as "Automatic," which will place the rule into the appropriate Rule Groups.
  9. Rule Groups are often seen to be effective:
    1. LAN-to-WAN (Group internet Traffic Rules)
    2. LAN-to-LAN
    3. LAN-to-DMZ
    4. DMZ-to-LAN 
    5. LAN-to-VPN
    6. VPN-to-LAN
    7. WAN-to-LAN
  10. You can also refer to this Documentation for creating Firewall Rules
    1. Add a firewall rule - Sophos Firewall



updated links to latest
[edited by: Raphael Alganes at 11:11 AM (GMT -8) on 31 Dec 2024]

  • +1. Basically, a group for each Zone-Zone interaction that makes sense. (So Guest-to-WAN makes sense, but Guest-to-LAN doesn't.)

    • in reply to Wayne Folta

      Definitely agree with you that there would never be a use case or rare for Guest-to-LAN, but there are times where a DMZ-to-LAN rule may be necessary, perhaps a maintenance window for access to a resource, zone separated backups, even a pinhole for accounting or authentication. In any situation, you weigh the need for the ability to do something like that, though vs how it impacts security.

      In relation to the Rule Groups, at minimum if a rule was created like this, let's say by accident, it would ensure you had a group that gave you quick ability to identify and disable or modify as needed.

    • Thank you for sharing!

      Florentino
      Director, Global Community & Digital Support
      Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
      If a post solves your question, please use the 'Verify Answer' button.
      The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
      Unfiltered HTML