Dynamic App Control not working as expected

Hi,

in v17 Beta 2 I tried to do the following:

- All HTTP traffic should be filtered via Web Protection

- One Application (e.g. Brave Browser) should have direct access without proxy


Therefore I configured the following:

- Rule 1: Allow HTTP/HTTPS from LAN to WAN for Brave Browser (discovered by synchronized app control)

- Rule 2: Allow HTTP/HTTPS from LAN to WAN with content scanning "Scan HTTP" and Web Policy to block certain URLs


What I see:

- All HTTP traffic matches the first rule (Brave Browser, Firefox Browser, Chrome Browser)

- But in the Synchronized Application Control pane the "Occurrences" counter for the different browsers rises as expected

Is this a bug, a wrong configuration, or a misunderstanding of the Synchronized Application Control feature?

Cheers

auda

  • Hi,

    It is not clear to me what Brave is. Also, you are allowing HTTP and HTTPS out through the Brave rule?

    I think you will need a web rule as well as the application rule.


    Ian

    Update:- investigated 'Brave Browser' and you will need to add TOR and block all other VPNs. FF already uses TOR. You might find that eventually TOR gets blocked by your ISP as a security risk, or maybe even by the various countries' security teams.

    So in summary, I think you will need some more sophisticated rules in application, web and firewall to achieve your aim. Further by using Brave you are advertising the fact that you might be a security risk. My personal opinion only.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Brave is a Web Browser like Firefox, Chrome or Internet Explorer. It is just an example for any application that is using HTTP or HTTPS to communicate with some servers in the Internet. In Germany there is a tax program (Elster) that is famous for not working correctly with a proxy. The same applies to many of these cloud-enabled applications (Office 365, Autodesk 360, et al).

    I just want to make sure that all "normal surfing" traffic is protected via the proxy, but some applications (that are also using HTTP/HTTPS) have direct access to the internet.


    Cheers,

    auda

  • Did this work before v17? To me it looks like you created an application and instructed application control to make sure "brave" gets through. Nowhere did you define to block anything else.

    On a side note, the block-all template doesn't work, so there is that: https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter

  • It couldn't have worked before v17, as synchronized app control is a new feature of v17.

    And yes, I want to make sure that HTTP traffic from the Brave application gets through without proxy (rule id 4). All other HTTP traffic from all other applications should be inspected by the web proxy (rule id 5).


    Cheers,

    auda

  • On the last picture that you posted for the allow-Brave application filter, modify it, add "deny HTTP" application, and see if that works.

  • Hi Billybob,


    no, that doesn't help. I tried to block HTTP and the Firefox application as well, but this leads to a timeout in the Firefox browser instead of browsing via the web proxy.

    I get the impression that the main problem is that I can't have an application filter with default action "Deny", as you mentioned. So the whole application control architecture seems to be built for blocking some well-known applications and not for allowing some well-known applications while blocking all others.

    If that's true, it's the same messy logic as in UTM.

    So I think the only solution would be to have a default "deny" action in an application filter, or even better, to be able to select applications the same way as services in a policy rule. But this would imply having a logical 'not' for object definitions (to define an object "all applications but this one").


    Cheers

    auda

  • Hey @auda,

    What you are trying to achieve isn't covered by Synchronized App Control, but by the proxy/firewall itself.

    Synchronized App Control won't control traffic for browsing the web, since this is done by the proxy.

    To keep it short: if the endpoint tells SAC that the detected application is categorized as Browser or Browser Plugin, SAC won't touch it. That's completely up to the proxy.

    But what we do touch is an application that isn't categorized as a browser but contains a WebView (a so-called browser-based application) and therefore opens some connections to the web.

  • You will need to create your own application filter with deny and allow groups. Even though the name and description will show "allow", in fact it does deny traffic.

    If you wish, I will take screenshots of the one I built to test this process. I had to modify it because I found Apple update is classed as an unwanted application.

    Ian


  • I got a hint from my local Sophos engineer. Sadly it is not possible, because the application is not a matching criterion for the policy rule. If the rule matches on IP addresses, ports and user, it is executed on a first-match basis. So my rule id 5 will never get processed.

    auda
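The first-match behaviour described in the last post, modelled as an added example (constructed for this thread, not Sophos code or the real SFOS rule engine). The model assumes that a policy rule matches only on zones, source host, port and user, and that the application filter is an action applied inside the rule that already matched; rule ids 4 and 5, the browser names and the hosts are the thread's scenario or constructed values. It reproduces both observations from the thread (rule 5 never fires, and adding a deny for other apps to rule 4 yields a drop rather than a fallthrough to the proxy) and, as a generalization, shows that the two cases can only be separated by a criterion the rule actually matches on, such as the source host.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of first-match firewall evaluation. Not Sophos code.

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_port: int
    user: str
    app: str          # application name reported by the endpoint (not a match criterion)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    name: str
    src_zone: str
    dst_zone: str
    ports: frozenset
    src_hosts: Optional[frozenset] = None     # None = any source host
    users: Optional[frozenset] = None         # None = any user
    allowed_apps: Optional[frozenset] = None  # app filter inside the rule; None = any app
    web_proxy: bool = False                   # "Scan HTTP" / web policy action

    def matches(self, f: Flow) -> bool:
        # Only L3/L4 and user attributes decide whether the rule matches.
        # The app is deliberately NOT consulted here (that is the thread's finding).
        return (f.src_zone == self.src_zone and f.dst_zone == self.dst_zone
                and f.dst_port in self.ports
                and (self.src_hosts is None or f.src_host in self.src_hosts)
                and (self.users is None or f.user in self.users))


def evaluate(rules, flow: Flow) -> Tuple[Optional[int], str]:
    """Return (rule_id, verdict) from the first rule whose criteria match.

    The app filter is applied as an action of that rule: a non-allowed app is
    denied there and does NOT fall through to later rules."""
    for r in rules:
        if r.matches(flow):
            if r.allowed_apps is not None and flow.app not in r.allowed_apps:
                return r.rule_id, "deny"
            return r.rule_id, ("proxy" if r.web_proxy else "direct")
    return None, "drop"   # implicit default drop


def verdicts(rules, flows):
    """Map 'app@host' to the (rule_id, verdict) each flow receives."""
    return {f"{f.app}@{f.src_host}": evaluate(rules, f) for f in flows}


def fired_rules(rules, flows):
    """Set of rule ids that ever matched for the given flows."""
    return {evaluate(rules, f)[0] for f in flows} - {None}


WEB = frozenset({80, 443})
# Rule id 4: allow Brave direct; rule id 5: everything else via the web proxy.
RULE_BRAVE = Rule(4, "Allow Brave direct", "LAN", "WAN", WEB,
                  allowed_apps=frozenset({"Brave Browser"}))
RULE_PROXY = Rule(5, "Scan HTTP via proxy", "LAN", "WAN", WEB, web_proxy=True)

# Constructed sample flows: three browsers on the same LAN host, same user.
FLOWS = [
    Flow("LAN", "10.0.0.10", "WAN", 443, "auda", "Brave Browser"),
    Flow("LAN", "10.0.0.10", "WAN", 443, "auda", "Firefox"),
    Flow("LAN", "10.0.0.10", "WAN", 80, "auda", "Chrome"),
]

# Generalization: scope rule 4 to a dedicated host, so rule 5 becomes reachable
# for other hosts. Firefox on the Brave host is still denied by rule 4.
RULE_BRAVE_HOST = Rule(4, "Allow Brave direct (host-scoped)", "LAN", "WAN", WEB,
                       src_hosts=frozenset({"10.0.0.20"}),
                       allowed_apps=frozenset({"Brave Browser"}))
FLOWS_TWO_HOSTS = FLOWS + [
    Flow("LAN", "10.0.0.20", "WAN", 443, "auda", "Brave Browser"),
    Flow("LAN", "10.0.0.20", "WAN", 443, "auda", "Firefox"),
]

if __name__ == "__main__":
    print("rules 4,5:", verdicts([RULE_BRAVE, RULE_PROXY], FLOWS))
    print("rules 5,4:", verdicts([RULE_PROXY, RULE_BRAVE], FLOWS))
    print("host-scoped:", verdicts([RULE_BRAVE_HOST, RULE_PROXY], FLOWS_TWO_HOSTS))
```

With rules 4 and 5 in the thread's order, every browser on the host matches rule 4 and rule 5 never fires; Firefox and Chrome are denied inside rule 4, which is the timeout auda saw rather than a fallthrough to the proxy. Swapping the order sends Brave through the proxy as well. Only a criterion the rule engine matches on (here the source host) splits the two cases, and then only per host, not per application.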