Sophos XG Firewall / Cyberoam: Application filter recommended settings for better application detection

Overview

This article describes the recommended CLI settings for the application filter so that critical and evasive applications such as Psiphon, Tor Proxy (Tor Browser), Torrent, Ultrasurf, HotSpot Shield, etc. are detected and blocked more reliably.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos Firewall and Cyberoam

What to do

CLI settings

  1. Sign in to the Sophos XG Firewall's console and select 4. Device Console.
  2. Verify the current configuration by issuing the following commands.
    show advanced-firewall
    show ips-settings
  3. Issue the following commands for the recommended settings.
    set advanced-firewall midstream-connection-pickup off
    set ips maxsesbytes-settings update 0
    set ips maxpkts 80
    set ips packet-streaming on
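Steps 2 and 3 above are a "compare, then correct" loop. The script below is an added example (not Sophos code) that does that comparison offline: it parses a console dump, checks the four settings against the recommended values, and prints the exact `set` commands still needed. The console output format is an assumption (lines of `name value` or `name: value`); the SAMPLE dump is constructed, and parse_console_output() should be adjusted to the real layout of `show advanced-firewall` / `show ips-settings` on your appliance.

```python
"""Audit a Sophos XG / Cyberoam console dump against the recommended
application-filter settings and list the `set` commands still needed.

Added example, not Sophos code. The console output format is an ASSUMPTION:
every non-empty line that is not an echoed `show ...` command is read as
`<name> <value>` or `<name>: <value>`; adjust parse_console_output() to the
real layout of `show advanced-firewall` / `show ips-settings` on your box.
"""
import re

# Recommended values from the article, keyed by the setting name we expect to
# see in the show output, with the CLI command that applies each one.
RECOMMENDED = {
    "midstream-connection-pickup": ("off", "set advanced-firewall midstream-connection-pickup off"),
    "maxsesbytes-settings": ("0", "set ips maxsesbytes-settings update 0"),
    "maxpkts": ("80", "set ips maxpkts 80"),
    "packet-streaming": ("on", "set ips packet-streaming on"),
}

# `name value`, `name: value` or `name = value`; names are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*[:=]?\s+(\S+)\s*$")


def parse_console_output(text):
    """Turn the console dump into {setting: value} with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if line.strip().lower().startswith("show"):
            continue  # echoed command, not a setting
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def audit(settings):
    """Return (name, current, recommended, command) for each deviation.

    A setting missing from the dump is reported with current=None so the
    operator verifies it instead of assuming it is already correct.
    """
    findings = []
    for name, (want, cmd) in RECOMMENDED.items():
        current = settings.get(name)
        if current != want:
            findings.append((name, current, want, cmd))
    return findings


def remediation_commands(findings):
    """The exact `set` commands to paste into the device console."""
    return [cmd for _, _, _, cmd in findings]


# Constructed sample dump (not real appliance output): one setting wrong,
# one missing, one at a non-recommended value, one already correct.
SAMPLE = """\
show advanced-firewall
  midstream-connection-pickup   on
show ips-settings
  maxpkts            300
  packet-streaming   on
"""

if __name__ == "__main__":
    for name, current, want, cmd in audit(parse_console_output(SAMPLE)):
        print(f"{name}: current={current!r} recommended={want!r} -> {cmd}")
```

Run it against a saved copy of the two `show` outputs; a setting that does not appear in the dump at all is reported as `None` rather than silently treated as correct, which is the case that usually bites when an appliance was upgraded and the dump layout changed.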

GUI settings

Application filter policy settings

Along with the P2P and Proxy and Tunnel categories, the applications listed below must be denied in the application filter policy. In the case of CROS, Micro App should be enabled in the application filter policy.

  • DNS Multiple QNAME
  • OpenVPN
  • QUIC
  • Non-SSL/TLS traffic on port 443

Firewall rule settings

The same application filter policy (as configured above) must also be applied to the DNS firewall rule, if there is one.

For Psiphon Proxy

V17.5 and prior deployments

CLI + GUI Settings.

  1. In v17.5, HTTPS scanning needs to be enabled in the firewall rule.
  2. A web filter policy with the categories below denied must be applied to the concerned firewall rule.
    1. IPAddress
    2. None
    3. Parked Domains
    4. Spam URLs (Available only in XG)
    5. Anonymizers
    6. Spyware & Malware
    7. Uncategorized
  3. Custom web filter categories should also be verified, and keywords should not be allowed for well-known domains such as yahoo, microsoft, google, twitter, wikipedia, skype, facebook, bing, etc.
  4. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
  5. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN→WAN. If Psiphon still connects after following all steps, it is highly likely that traffic on other ports is passing through other firewall rules (one can allow ports 1025 to 65535).

    a) For example, the primary rule should have only limited services allowed.
    b) The rule below the primary rule should deny traffic for port range 1 to 1024 (Registered Ports) for the same source machines.
  6. Block the Non-SSL/TLS traffic on port 443 application in the concerned application filter policy.
  7. If Psiphon still connects after performing all the above steps, whitelist the DNS rule by putting known DNS servers in Destination (for example 8.8.8.8, 4.2.2.2, 8.8.4.4, 9.9.9.9, 1.0.0.1, 1.1.1.1). This may help avoid bug CLITE-790.

For V18 Deployments

  1. SSL/TLS inspection should be enabled under the SSL/TLS inspection settings, and a decryption rule needs to be created based on the firewall rules.
  2. Block Invalid Certificates must be enabled in SFOS and Allow Invalid Certificates should be disabled in CROS.
  3. Allow only the HTTPS, HTTP, DNS, ICMP and SMTP services on LAN→WAN. If Psiphon still connects after following all steps, it is highly likely that traffic on other ports is passing through other firewall rules (one can allow ports 1025 to 65535).
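The rule-ordering advice in step 5 of the v17.5 section and step 3 of the v18 section (a primary rule with limited services, a deny for ports 1 to 1024 below it, and the warning that other rules may still carry the traffic) is easiest to reason about as a first-match rule list. The model below is an added example, not Sophos code: it evaluates constructed flows against two rule orders and lists every flow that is allowed by a rule that does not carry the application filter policy, which is exactly the "other firewall rules" case the article warns about. Assumptions: all rules apply to the same LAN source machines, services are (protocol, port) pairs, ICMP is modelled as protocol "icmp" with no port, and the rule and flow names are made up.

```python
"""Model the LAN->WAN rule ordering from the Psiphon steps as a first-match
rule list, and flag flows that leave through a rule that does not carry the
application filter policy.

Added example, not Sophos code. Assumptions: all rules apply to the same LAN
source machines, services are (protocol, port) pairs, ICMP is modelled as
protocol "icmp" with no port, and the rule/flow names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Service = Tuple[str, Optional[int]]

# The only services the primary rule should allow (article: HTTPS, HTTP, DNS,
# ICMP, SMTP). Port numbers are the standard ones, an assumption of this model.
SERVICE_PORTS = {"HTTPS": ("tcp", 443), "HTTP": ("tcp", 80), "DNS": ("udp", 53),
                 "ICMP": ("icmp", None), "SMTP": ("tcp", 25)}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    services: FrozenSet[Service] = frozenset()    # empty = any service
    port_range: Optional[Tuple[int, int]] = None  # tcp/udp range instead of services
    app_filter: bool = False                      # application filter policy attached?

    def matches(self, proto, port):
        if self.port_range is not None:
            lo, hi = self.port_range
            return proto in ("tcp", "udp") and lo <= port <= hi
        if not self.services:
            return True
        return (proto, port) in self.services


def evaluate(rules, proto, port):
    """First matching rule wins; implicit deny if nothing matches.
    Returns (action, rule name, whether the app filter policy applied)."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action, rule.name, rule.app_filter
    return "deny", "implicit-deny", False


def unfiltered_allows(rules, flows):
    """Flows allowed by a rule without the application filter policy: these
    are the 'other firewall rules' the article says proxy traffic slips through."""
    leaks = []
    for proto, port in flows:
        action, name, filtered = evaluate(rules, proto, port)
        if action == "allow" and not filtered:
            leaks.append((proto, port, name))
    return leaks


PRIMARY = Rule("primary-limited-services", "allow",
               services=frozenset(SERVICE_PORTS.values()), app_filter=True)
DENY_LOW = Rule("deny-1-1024-same-sources", "deny", port_range=(1, 1024))  # step 5b
HIGH_PORTS = Rule("allow-1025-65535", "allow", port_range=(1025, 65535))
ANY_ANY = Rule("legacy-allow-any", "allow")  # broad rule with no policy attached

RECOMMENDED_ORDER = [PRIMARY, DENY_LOW, HIGH_PORTS]
LEAKY_ORDER = [PRIMARY, ANY_ANY]

# Constructed test flows: the permitted services plus a few other ports.
FLOWS = [("tcp", 443), ("tcp", 80), ("udp", 53), ("icmp", None),
         ("tcp", 22), ("tcp", 8080), ("udp", 1194)]

if __name__ == "__main__":
    for label, order in (("recommended", RECOMMENDED_ORDER), ("leaky", LEAKY_ORDER)):
        print(label, unfiltered_allows(order, FLOWS))
```

With the recommended order, low ports that the primary rule does not list are stopped by the deny rule before any broader rule sees them; a rule that allows 1025 to 65535 still carries high-port flows without the policy, which is why the article tells you to attach the same application filter policy to every rule that can carry the traffic (the DNS rule included) rather than relying on the primary rule alone. With the leaky order, a broad allow-any rule beneath the primary rule lets even port 22 out unfiltered.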

For Hot Spot Shield Proxy

  1. Enable HTTPS scanning.
  2. Configure all CLI and GUI settings.
  3. Enable option in Web > General Settings > Block unrecognized SSL protocols.
  4. Enable option in Web > General Settings > Block invalid certificates.
  • Noticed the recommendation for maxpkts is 80 here but in this guide, it recommends setting between 100 to 300. What is the recommended setting? I'm assuming higher offers better scanning capability but is 300 where you hit a point of diminishing returns?

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Also, that only applies to V17.x, V18 has more parameters which are not shown.

    Ian

     
    V18.0.x - e3-1225v5 6gb ram on 4 port MB with AP55c -20w. 
    2 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.