
Sophos Firewall: Using Firewall "Rule Groups"

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.



Applies to:

All Sophos Firewall (XGS, Virtual, Software, Azure, AWS) Firmware v18.0+

Configuration:

Sophos Firewall > Admin UI > Protect > Rules and Policies

Steps:

  1. As shown in the Configuration section above, log into your Firewall via https://172.16.16.16:4444 or the MGMT interface.
  2. Select "Protect: Rules and Policies" in the left menu, then click Add Firewall Rule.
  3. Within the Add Firewall Rule window, open the drop-down menu on "Rule Group":
  4. Click Add to create a new Rule Group that will automatically place all matching firewall rules, created now or in the future, into a "LAN-to-WAN" Rule Group.
  5. Give your new "Rule Group" an appropriate name based on the targeted firewall rules. In this example, I have named it "LAN-to-WAN" and added a description so that other admins and I can understand its purpose when reviewing it later.
  6. Continuing down the window, we will now specify our Group Matching Criteria.
  7. After creating this Rule Group, you will return to the previous firewall rule creation window and notice that "LAN-to-WAN" is now available in the Rule Group selection.
  8. From here on, whenever you create a firewall rule that matches these criteria, you can leave the Rule Group selection as "Automatic," which will place the rule into the appropriate Rule Group.
  9. Rule Groups that are often effective:
    1. LAN-to-WAN (Group internet Traffic Rules)
    2. LAN-to-LAN
    3. LAN-to-DMZ
    4. DMZ-to-LAN 
    5. LAN-to-VPN
    6. VPN-to-LAN
    7. WAN-to-LAN
  10. You can also refer to this documentation for creating firewall rules:
    1. Add a firewall rule - Sophos Firewall
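The "Automatic" placement above depends on each rule matching exactly one group's criteria. The following added example (not Sophos code; the record layout is constructed and does not follow the Sophos export or API schema) reproduces that zone-pair matching offline over a constructed rule list, using the groups from step 9 plus an assumed Guest-to-WAN group, and reports rules that fit no group as well as enabled rules sitting in groups worth a second look:

```python
"""Offline check that firewall rules land in the zone-pair Rule Groups the article
recommends. Records are constructed and do NOT follow the Sophos export/API schema."""
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleGroup:
    name: str
    src_zones: frozenset  # group matching criteria: source zones
    dst_zones: frozenset  # group matching criteria: destination zones

@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    enabled: bool = True

# Step 9 groups plus an assumed Guest-to-WAN group; no Guest-to-LAN on purpose.
GROUPS = [RuleGroup(f"{s}-to-{d}", frozenset({s}), frozenset({d})) for s, d in [
    ("LAN", "WAN"), ("LAN", "LAN"), ("LAN", "DMZ"), ("DMZ", "LAN"),
    ("LAN", "VPN"), ("VPN", "LAN"), ("WAN", "LAN"), ("Guest", "WAN")]]
# Groups whose enabled rules deserve a second look (traffic inbound to LAN).
REVIEW_GROUPS = frozenset({"DMZ-to-LAN", "WAN-to-LAN"})

def auto_group(rule, groups=GROUPS):
    """Mimic 'Automatic' placement: return the single group whose criteria
    match the rule's zones; None if no group, or more than one, matches."""
    hits = [g for g in groups
            if rule.src_zone in g.src_zones and rule.dst_zone in g.dst_zones]
    return hits[0].name if len(hits) == 1 else None

def audit(rules, groups=GROUPS, review=REVIEW_GROUPS):
    """Place every rule; report rules fitting no group and enabled rules in review groups."""
    report = {"placed": {}, "ungrouped": [], "review": []}
    for r in rules:
        group = auto_group(r, groups)
        if group is None:
            report["ungrouped"].append(r.name)
            continue
        report["placed"][r.name] = group
        if r.enabled and group in review:
            report["review"].append(r.name)
    return report

# Constructed sample rule set, not a real configuration.
SAMPLE_RULES = [
    FirewallRule("Office-Web", "LAN", "WAN"),
    FirewallRule("Backup-Pull", "DMZ", "LAN"),               # pinhole to review
    FirewallRule("Legacy-RDP", "WAN", "LAN", enabled=False),
    FirewallRule("Guest-Printer", "Guest", "LAN"),           # fits no group
]
```

A rule that lands in "ungrouped" points either at a zone pair you never intended to allow or at a missing Rule Group; a rule that matches two groups is also reported as ungrouped so overlapping criteria are caught rather than silently resolved.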




[edited by: Erick Jan at 9:03 AM (GMT -7) on 18 Sep 2024]
  • +1. Basically, a group for each Zone-Zone interaction that makes sense. (So Guest-to-WAN makes sense, but Guest-to-LAN doesn't.)

  • Definitely agree with you that there would rarely, if ever, be a use case for Guest-to-LAN, but there are times where a DMZ-to-LAN rule may be necessary: perhaps a maintenance window for access to a resource, zone-separated backups, even a pinhole for accounting or authentication. In any situation, though, you weigh the need for the ability to do something like that against how it impacts security.

    In relation to the Rule Groups, at minimum, if a rule like this was created, let's say by accident, it would ensure you had a group that gave you the ability to quickly identify it and disable or modify it as needed.
