
IPS with webproxy/MTA/WAF

Hi all,

I'm testing XG firewall as a home user, currently in a side role (proxy) before putting it in as the router.
I now have v18.0.3.

I could not find answers to the questions below.

If IPS (Application Control) is configured in FW policy, does it work for:

1. Web proxy in explicit mode (users have it configured in browser)?

Web filter works fine, but not sure that IPS protects users etc.

2. for email protection in MTA mode?

3. for WAF traffic?

Thanks.



  • Hello Tomas,

    Thank you for contacting the Sophos Community!

    Yes, IPS will work for Web Proxy, MTA and WAF Traffic.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Emmanuel,

    Thanks for the feedback.

    I did a test with the web proxy configured in the browser (not transparent).
    The IPS seems to be triggered on HTTP cleartext traffic.
    But IPS does not trigger for HTTPS traffic, even if it is decrypted by the web proxy.

    So my conclusion is:
    1. IPS is applied to traffic passing through the IPS engine to the web proxy port. With HTTPS it sees only the SSL/TLS stream.
    2. The cleartext traffic decrypted by the web proxy in this scenario is not scanned by IPS itself -> no reason to enable it if most traffic is HTTPS, and in this case it does not protect clients.
    3. Probably the same for Application Control.

    I would expect the same for WAF if all traffic is HTTPS. IPS can see only the SSL/TLS stream, but can't see the inner cleartext traffic to protect against, for example, vulnerabilities in the web server etc.