Business rule against new Firewall rule - feedback

Creating a DNAT or even a WAF is not simple as before. I appreciated the v17 feature where users can choose at the beginning what to create. New rule and: it is a normal firewall rule, a business rule? And inside decide if the BAP was a DNAT or WAF rule.

Sophos: I suggest to also rethink about the way new DNAT and WAF are created on v18. Very bad design in my opinion. WAF option is under "ACTION" drop-down menu?

[:'(]

From bad to worse!

I like the NAT tab but not the WAF creation, DNAT creation and also NAT should be managed also in firewall rule even for DNAT. To be honest, DNAT was simpler in v17. This is my personal feedback.

Creating a DNAT or even a WAF is not simple as before. I appreciated the v17 feature where users can choose at the beginning what to create. New rule and: it is a normal firewall rule, a business rule? And inside decide if the BAP was a DNAT or WAF rule.

Sophos: I suggest to also rethink about the way new DNAT and WAF are created on v18. Very bad design in my opinion. WAF option is under "ACTION" drop-down menu?

[:'(]

From bad to worse!

I like the NAT tab but not the WAF creation, DNAT creation and also NAT should be managed also in firewall rule even for DNAT. To be honest, DNAT was simpler in v17. This is my personal feedback.

In addition:

You could do this:

Restore the old way to create wizard appeard in v17 "create a network rule or business rule to publish not HTTP/S servers on internet or something like that, and WAF to protect only HTTP/S web server from malicious attack"

If the user choose the first option, user remains in the current tab (firewall), if the user choose second option, the system moves the user to NAT rule. Automatic rule could help but it is still confusing.

Hello Luk,

please check ( below ) the DNAT firewall rule and appropriate DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN interface! It is very interesting interconnection of the Destination Zone and the Destination Network!

This is not me, but it is the result of business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again thanks to Sophos ...

However, it is important that the DNAT rule must be before the masquerading rule (MASQ) otherwise of course "matches" the User Portal. 

Regards

alda

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115784/eli5-how-do-i-do-a-business-rule-in-v18-firewall-rule-nat-rule

Here the explaination from PMParth.

So my earlier comments were removed by Sophos. Nice to see censorship well and alive. Good luck to anyone who thinks censoring will hide anything . By the way Luk, the thread you referenced above is  locked and unavailable for comments.

Hello BillyBob,

I have PMed you regarding your comment.

Additionally, the thread is not locked nor am I sure as to why you cannot reply to it.

Emile

certain threads have beee locked. We are able to reply as we are moderators.

Regarding the scope of this thread, I took the entire v18 training course, and to be honest I am very happy with the feature they implemented and how.

I hope that they will rethink on how to create DNAT and WAF rules. Leaving the Wizard as v17 and corresponding fields, can do the trick.

Hello Luk,

You're right, thank you for pointing that out.

Emile

Are we locking threads with a marked answer?  Seems to be what is happening now.  Interesting...

Edit:  I was wrong.  Only specific threads like Luk mentioned.  Even more interesting...fire a little too hot maybe??  ;)

The above diagram is how the XG v18 works now. In black my comment.

The below is one of my possible way to implement Firewall rules and DNAT

I also would suggest to put WAF and DNAT in the same windows. People choose if they want WAF or not.

Hi Luk,

That to me would make way more sense than the current layout.  Your mockups above at least.  More logical flow in how we all think when setting these rules up.  

Thanks,

John