
Cannot seem to get Application Filter Firewall rule to work correctly

So I attempted to get the application control working based on this article: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/120242/sophos-xg-firewall-how-to-create-an-exception-in-application-filter   but I could not get this to work.

We have an application from Honeywell that uses multiple outgoing ports, hundreds of them with no set port range, that we need to allow outgoing access. The application is correctly detected by Synchronized Application Control and I customized it with the full name and categorized it as general business. I then made an Application Filter with that application in it, allowed it, then saved it. Then I made a new firewall rule for it for LAN - All -> WAN - All - All Services and under the application control I put it in. But the rule is allowing everything outgoing now.

How do I make a firewall rule allowing this application full outgoing ports without allowing anything else?



  • Hi,

    You could try changing the WAN Any to a WAN-specific site for the Honeywell application rule. Further, you could create it as a clientless user and select match users.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Unfortunately it's a P2P application. It contacts a server which sends something to the device in a building and returns the IP/port to connect with. So there is no set site list; it literally could be anything on the internet. As for a clientless user, how would I go about that? And why would I need to?

  • I suggested clientless because you expressed concern about other devices using the firewall rule, and clientless would only allow the Honeywell device to connect to the firewall rule.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • It's software that runs on our client machines. Which is why I want to use some type of application rule to allow the application, no matter what computer it is on, to have access to what it needs access to. But I don't understand how to set up a firewall rule correctly to only allow the application that I select. It seems to ignore the application part and just go by the top rules, which allows all traffic everywhere.

  • Hi AllanD,

    Sorry, I didn't understand that it was used by a number of people on different devices. The rule would need to be at the top and then all other rules would need to have an application policy denying access to this app.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • That makes no sense. The first rule has to allow the application and then every other rule I have needs to deny it??? That's not what the guide I linked to seems to say. Why would I add a deny application rule to, say, my web browsing rule? And looking at the logging, this rule is allowing traffic from other sources (applications) to the internet that normally would hit the last drop rule, which tells me it's not actually applying the filter at all.

  • You appear to be confusing application and web policies. Your application policy rule should block web browsing by disabling http/s, assuming your application does not use http/s. Your web policy would block the application, possibly by default, if you have https scanning enabled.

    Does the application use any form of network security other than being a p2p application?

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Not that I know of. From what I can tell, a device at some location is registered with Honeywell's "P2P" system. The application, which is on our network, sends a unique ID for a device and the auth information to some Honeywell server. The Honeywell server tells the device there is an incoming connection from xxxx and then tells the application what the external IP address is. Again, from what I can tell, the application then talks directly to the device.

    So the issue is I never know what the IP address of the device is, Honeywell is hosting with AWS so the initial connection could be anywhere in the AWS realm, and the ports used are random per connection. You connect to multiple devices and you could be using 100+ ports. Their tech support said it can be anything above 1024. Which is why I was hoping there was a simple way to just allow an application. I.e. HDCS.exe -> Allowed all outgoing ports.

    So the application: 

    Then per the guide Sophos posted I created a application filter:

    Then also per the guide it said to add the application but again the rule is allowing everything:

  • FYI - Bharat spent 90 minutes looking at things and couldn't fix it. We added a deny all web filter and a deny all application filter but traffic still was being forwarded through that should not have been. It completely ignored the application filter. The best example was a user's printer software that was trying to access his home printer on port 631 over and over. With this rule it was allowed, which it shouldn't have been.

    There appears to be no way of actually saying "Allow something.exe access outgoing and nothing else".  Waiting for more information.
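One way to check from the firewall log whether a rule meant to pass a single application is actually passing other traffic (the port 631 printer traffic above being the case in point). This is an added example written for this thread, not code from any post or from Sophos; the key="value" line layout, the field names and the log lines are constructed assumptions, not the verified XG log format.

```python
import re
from collections import Counter

# Constructed sample of firewall log lines in a simplified key="value" layout.
# Field names and layout are assumptions for this example only.
SAMPLE_LOG = """\
status="Allow" fw_rule_name="Honeywell-App-Allow" application="HDCS" src_ip="10.0.0.21" dst_port="40512"
status="Allow" fw_rule_name="Honeywell-App-Allow" application="HDCS" src_ip="10.0.0.21" dst_port="51200"
status="Allow" fw_rule_name="Honeywell-App-Allow" application="IPP" src_ip="10.0.0.35" dst_port="631"
status="Allow" fw_rule_name="Honeywell-App-Allow" application="IPP" src_ip="10.0.0.35" dst_port="631"
status="Allow" fw_rule_name="Honeywell-App-Allow" application="Unknown" src_ip="10.0.0.42" dst_port="8443"
status="Allow" fw_rule_name="Web-Browsing" application="HTTPS" src_ip="10.0.0.35" dst_port="443"
status="Deny" fw_rule_name="Default-Drop" application="IPP" src_ip="10.0.0.50" dst_port="631"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" line into a dict (all values stay strings)."""
    return dict(FIELD_RE.findall(line))


def rule_leaks(log_text, rule_name, allowed_apps):
    """Return allowed records matched by rule_name whose application is not in
    allowed_apps. Any hit means the rule is not restricting traffic to the app."""
    leaks = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue  # skip blank or unparseable lines
        if rec.get("status") != "Allow" or rec.get("fw_rule_name") != rule_name:
            continue  # only allowed traffic through the rule under test matters
        if rec.get("application") not in allowed_apps:
            leaks.append(rec)
    return leaks


def leak_summary(leaks):
    """Count leaks by (application, destination port) to spot repeat offenders."""
    return Counter((r["application"], int(r["dst_port"])) for r in leaks)


if __name__ == "__main__":
    found = rule_leaks(SAMPLE_LOG, "Honeywell-App-Allow", {"HDCS"})
    for (app, port), n in leak_summary(found).most_common():
        print(f"{app} -> port {port}: allowed {n} time(s) by the application rule")
```

An empty result for the rule under test is what a correctly working application filter should produce; in this constructed sample the rule lets through two printer (port 631) hits and one unknown application.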

  • Hi AllanD,

    Allow me some time to create the scenario you have in my lab and get back to you.

    As of now only one user is facing an issue with the Honeywell exe, which gives a connection time-out error when it runs, as it is getting dropped by the any/any/any/any drop rule you have.

    It is getting allowed once we apply the application filter on the rule, but the rest of the earlier blocked traffic is also getting allowed, as per the firewall log traffic under Log Viewer.

    Please log in to Sophos Central and check the event logs for the same PC and share what the logs say there, to assist you further.

    "Sophos Partner: InfrassistTechnologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
