Business rule against new Firewall rule - feedback

Creating a DNAT or even a WAF is not simple as before. I appreciated the v17 feature where users can choose at the beginning what to create. New rule and: it is a normal firewall rule, a business rule? And inside decide if the BAP was a DNAT or WAF rule.

Sophos: I suggest to also rethink about the way new DNAT and WAF are created on v18. Very bad design in my opinion. WAF option is under "ACTION" drop-down menu?

[:'(]

From bad to worse!

I like the NAT tab but not the WAF creation, DNAT creation and also NAT should be managed also in firewall rule even for DNAT. To be honest, DNAT was simpler in v17. This is my personal feedback.

In addition:

You could do this:

Restore the old way to create wizard appeard in v17 "create a network rule or business rule to publish not HTTP/S servers on internet or something like that, and WAF to protect only HTTP/S web server from malicious attack"

If the user choose the first option, user remains in the current tab (firewall), if the user choose second option, the system moves the user to NAT rule. Automatic rule could help but it is still confusing.

Hello Luk,

please check ( below ) the DNAT firewall rule and appropriate DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN interface! It is very interesting interconnection of the Destination Zone and the Destination Network!

This is not me, but it is the result of business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again thanks to Sophos ...

However, it is important that the DNAT rule must be before the masquerading rule (MASQ) otherwise of course "matches" the User Portal. 

Regards

alda

Hello Luk,

please check ( below ) the DNAT firewall rule and appropriate DNAT rule. Especially focus on the Destination Zone and the Destination Network in the firewall rule. The Destination Zone is LAN zone and #PortB: 1 is the alias address on the WAN interface! It is very interesting interconnection of the Destination Zone and the Destination Network!

This is not me, but it is the result of business rule migration from v17.5 to v18 EAP1. But it really works. I learned something new again thanks to Sophos ...

However, it is important that the DNAT rule must be before the masquerading rule (MASQ) otherwise of course "matches" the User Portal. 

Regards

alda

https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115784/eli5-how-do-i-do-a-business-rule-in-v18-firewall-rule-nat-rule

Here the explaination from PMParth.

So my earlier comments were removed by Sophos. Nice to see censorship well and alive. Good luck to anyone who thinks censoring will hide anything . By the way Luk, the thread you referenced above is  locked and unavailable for comments.

Hello BillyBob,

I have PMed you regarding your comment.

Additionally, the thread is not locked nor am I sure as to why you cannot reply to it.

Emile

certain threads have beee locked. We are able to reply as we are moderators.

Regarding the scope of this thread, I took the entire v18 training course, and to be honest I am very happy with the feature they implemented and how.

I hope that they will rethink on how to create DNAT and WAF rules. Leaving the Wizard as v17 and corresponding fields, can do the trick.

Hello Luk,

You're right, thank you for pointing that out.

Emile

Are we locking threads with a marked answer?  Seems to be what is happening now.  Interesting...

Edit:  I was wrong.  Only specific threads like Luk mentioned.  Even more interesting...fire a little too hot maybe??  ;)

The above diagram is how the XG v18 works now. In black my comment.

The below is one of my possible way to implement Firewall rules and DNAT

I also would suggest to put WAF and DNAT in the same windows. People choose if they want WAF or not.

Hi Luk,

That to me would make way more sense than the current layout.  Your mockups above at least.  More logical flow in how we all think when setting these rules up.  

Thanks,

John

Hi,

I think WAF is not given here because it is only working on HTTP or HTTPS services and WAF rule can be created in old-style (17.5) without any NAT.  Yesterday, I got an email from the Sophos and he shared a very clear explanation that why Sophos moved with this type of configuration and services. After reading his mail, I understand that Sophos planning to move with more SDWAN and flexible for Traffic engineering. 

As I am a big fan of Cisco due to his documents and flexibility in traffic engineering. You can do the same task in multiple ways and now Sophos is also moving in this way. I like it. It may some difficulty for a month but it is big change.

Thanks for your input deepakkhw.

I know that WAF is not the same, but since WAF template now is under action drop-down menu (which does not make sense) the WAF option or section can be moved somewhere else.

I took the XG v18 beta course suggested by PMPath and I said, the features in v18 are great but the DNAT rule creation is not "Security made simple".

I am sure they will consider our feedbacks to change something. It is still a beta version. Creating and managing things from multiple sources it is a great feature and way to do thigs. I am thinking about how web filtering has been implemented on XG. Web filtering (apart the engine which is still not catching some urls categories) the Web filtering Unit devs did a grear job. I love it. Configuring web filtering in XG is simpler and better than UTM9. This is my opinion and also some system admins I know told me the same.