Dynamic App Control not working as expected

Hi,

please post a copy of your rules so we can review them and maybe help you.

Ian

Hi,

I think these are the relevant parts.

Cheers,

auda

Policy:

Rule ID 4:

Rule ID 5:

Application "Brave Browser":

Application Filter "Allow Brave":

I forgot the logs. All HTTP/HTTPS traffic matches Rule ID 4.

Cheers,

auda

Hi,

It is not clear to me what brave is? Also you are allowing http and https out through the brave rule?

I think you will need a web rule as well as the application rule.

Ian

Update:- investigated 'Brave Browser' and you will need to add TOR and block all other VPNs. FF already uses TOR. You might find that eventually TOR gets blocked by your ISP as a security risk or maybe even the various countries' security teams.

So in summary, I think you will need some more sophisticated rules in application, web and firewall to achieve your aim. Further by using Brave you are advertising the fact that you might be a security risk. My personal opinion only.

Brave is a Web Browser like Firefox, Chrome or Internet Explorer. It is just an example for any application that is using HTTP or HTTPS to communicate with some servers in the Internet. In Germany there is a tax program (Elster) that is famous for not working correctly with a proxy. The same applies to many of these cloud-enabled applications (Office 365, Autodesk 360, et al).

I just want to make sure, that all "normal surfing" traffic is protected via the proxy, but some applications (that are using also HTTP/HTTPS) have direct access to the internet.

Cheers,

auda

Did this work before v17? To me it looks like you created an application and instructed application control to make sure "brave" gets through. Nowhere did you define to block anything else.

On a side note the block all template doesn't work so there is that https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter 

Did this work before v17? To me it looks like you created an application and instructed application control to make sure "brave" gets through. Nowhere did you define to block anything else.

On a side note the block all template doesn't work so there is that https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter 

It couldn't have worked before v17, as synchronized app control is a new feature of v17.

And yes I want to make sure that HTTP traffic from the brave application gets through without proxy (rule id 4). All other HTTP traffic from all other applications should be inspected by the web proxy (rule id 5).

Cheers,

auda

On the last picture that you posted for allow brave application filter, modify it and add deny http application and see if that works.

Hi Billybob,

no, that doesn't help. I tried to block HTTP and the firefox application as well, but this leads to a timeout in firefox browser instead of browsing via the web proxy.

I get the impression, that the main problem is that I can't have an application filter with default action "Deny" as you mentioned. So the whole application control architecture seems to be build for blocking some well-known applications and not for allowing some well-known applications while blocking all others.

If thats true, it's the same messy logic as in UTM.

So I think the only solution would be to have a default "deny" action in an application filter or even better to be able to select applications the same way as services in a policy rule. But this would imply to have a logical 'not' for object definitions (to define a object "all applications but this one")

Cheers

auda

Hey @auda,

What you are trying to archive isn't covered by Synchronized App Control, but by the Proxy/Firewall itself.

Synchronized App Control won't control traffic for browsing the web since this is done by the proxy.

Tto keep it short: If the endpoint tells to SAC that the detected application categorized as Browser or Browser Plugin, SAC won't touch it. That's completely up to the proxy.

But what we do touch is if an application that isn't categorized browser but contains a WebView (a so called browser based application) and therefore opens some connections to the web.

You will need to create your own application filter with deny  and allow groups even though the name and description will show allow in fact it does deny traffic.

If you wish I will take screenshots of the one I built to test this process. I had to modify it because I found apple update is classed as unwanted applications.

Ian

I got a hint from my local Sophos engineer. Sadly it is not possible, because the application is not a matching criteria for the policy rule. If the rule matches on IP addresses, ports and user, it is executed on a first match basis. So my rule id 5 will never get processed.

auda