Sophos Firewall: Using Firewall "Rule Groups"

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Table of Contents

Applies to:

All Sophos Firewall (XGS, Virtual, Software, Azure, AWS) Firmware v18.0+

Configuration:

Sophos Firewall > Admin UI > Protect: Rules and Policies > 

Steps:

  1. As shown above under "Configuration", log into your Firewall via https://172.16.16.16:4444 or via the MGMT interface.
  2. In the left menu, select "Protect: Rules and Policies", then Add Firewall Rule.
  3. Within the Add Firewall Window you will see the following. Open the drop-down menu on "Rule Group":
  4. Click Add to create a new Rule Group that will automatically place any firewall rules we create, now and in the future, into a "LAN-to-WAN" Rule Group.
  5. Give your new "Rule Group" an appropriate name based on the targeted firewall rules. In this example, I have named this one "LAN-to-WAN" and added a description for other admins and myself to refer to when reviewing this later on.
  6. Continuing down the window, we will now specify our Group Matching Criteria.
  7. After creating this Rule Group, you will return to the previous firewall rule creation menu and notice that you now have a Rule Group selection of "LAN-to-WAN".
  8. From here on, whenever you create a firewall rule that meets this matching criteria, you can leave the Rule Group selection as "Automatic" and the rule will be placed into the appropriate Rule Group.
  9. Rule Groups that are often effective:
    1. LAN-to-WAN (Group Internet Traffic Rules)
    2. LAN-to-LAN
    3. LAN-to-DMZ
    4. DMZ-to-LAN 
    5. LAN-to-VPN
    6. VPN-to-LAN
    7. WAN-to-LAN
  10. You can also refer to this documentation for creating firewall rules:
    1. Add a firewall rule - Sophos Firewall
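An added illustration (not code from this article or from Sophos) of what the "Automatic" Rule Group selection in steps 6 to 8 does: each group carries its matching criteria, a rule whose zones fit those criteria lands in the first matching group, and a rule that fits none stays ungrouped. The matching semantics, the group list and the sample rules are assumptions modelled on this article, not Sophos's implementation.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example, not Sophos code. Assumption: a rule matches a group when
# every source zone and destination zone on the rule appears in the group's
# matching criteria, and the first matching group in order wins.

@dataclass(frozen=True)
class RuleGroup:
    name: str
    source_zones: FrozenSet[str]   # Group Matching Criteria: source zones
    dest_zones: FrozenSet[str]     # Group Matching Criteria: destination zones

@dataclass(frozen=True)
class FirewallRule:
    name: str
    source_zones: FrozenSet[str]
    dest_zones: FrozenSet[str]
    group: Optional[str] = None    # explicit Rule Group, or None for "Automatic"

# Constructed groups following the zone-to-zone list in step 9.
GROUPS = [
    RuleGroup("LAN-to-WAN", frozenset({"LAN"}), frozenset({"WAN"})),
    RuleGroup("LAN-to-DMZ", frozenset({"LAN"}), frozenset({"DMZ"})),
    RuleGroup("DMZ-to-LAN", frozenset({"DMZ"}), frozenset({"LAN"})),
    RuleGroup("WAN-to-LAN", frozenset({"WAN"}), frozenset({"LAN"})),
]

def auto_assign(rule: FirewallRule, groups: List[RuleGroup] = GROUPS) -> Optional[str]:
    """Return the Rule Group an 'Automatic' rule lands in, or None if no criteria match."""
    if rule.group is not None:
        return rule.group
    for g in groups:
        if rule.source_zones <= g.source_zones and rule.dest_zones <= g.dest_zones:
            return g.name
    return None  # ungrouped rules are the ones most easily overlooked in review

def review(rules: List[FirewallRule], watch: Tuple[str, ...] = ("DMZ-to-LAN", "WAN-to-LAN"),
           groups: List[RuleGroup] = GROUPS) -> List[Tuple[str, str]]:
    """List (rule, group) pairs for rules placed in groups that warrant a second look."""
    placed = [(r.name, auto_assign(r, groups)) for r in rules]
    return [(name, grp) for name, grp in placed if grp in watch]

# Constructed sample rules; the multi-zone rule fits no single group.
SAMPLE = [
    FirewallRule("Users-Internet", frozenset({"LAN"}), frozenset({"WAN"})),
    FirewallRule("Backup-Pinhole", frozenset({"DMZ"}), frozenset({"LAN"})),
    FirewallRule("Multi-Zone", frozenset({"LAN", "DMZ"}), frozenset({"WAN"})),
]
```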

______________________________________________________________________________________________________________________________________



Added horizontal line at the end of RR, Added table of Contents, edited grammar
[edited by: Raphael Alganes at 3:30 PM (GMT -8) on 24 Nov 2023]
  • +1. Basically, a group for each Zone-Zone interaction that makes sense. (So Guest-to-WAN makes sense, but Guest-to-LAN doesn't.)

  • Definitely agree with you that there would never, or only rarely, be a use case for Guest-to-LAN, but there are times where a DMZ-to-LAN rule may be necessary, perhaps a maintenance window for access to a resource, zone-separated backups, even a pinhole for accounting or authentication. In any situation, though, you weigh the need for the ability to do something like that against how it impacts security.

    In relation to the Rule Groups, at minimum if a rule was created like this, let's say by accident, it would ensure you had a group that gave you the ability to quickly identify and disable or modify it as needed.
