topic Re: Sophos Install & Updates From DMZ in General Topics

Sophos Install & Updates From DMZ

Doug_Hogue — Wed, 31 May 2017 16:01:08 GMT

Anyone create a policy allowing a Sophos AV install and then Updates form a DMZ? I have created such a policy but still seems to be an issue.

The security policy has all the source and destination zones and the destination host are any.

I am then allowing the following applications (not using ports at all)

dns

ms-ds-smb

msrpc

netbios-cc

sophos-live-p...

sophos-rms

sophos-update

netbios-ss

ssl

web-browsing

tcp-over-tcp

If anyone is doing this please update me on how you are doing this securly.

Thanks

Re: Sophos Install & Updates From DMZ

TranceforLife — Wed, 31 May 2017 16:13:48 GMT

So what do you see in the monitoring tab when forcing the Sophos AV from the DMZ zone to get and install updates? What policy your traffic is hitting?

Re: Sophos Install & Updates From DMZ

BPry — Wed, 31 May 2017 17:09:07 GMT

@Doug_Hogue,

You'll need to actually monitor the traffic and see why it isn't being allowed. My guess would be that either one of the app-ids are using a non-standard port, you don't have an application listed that Sophos is trying to use, or something with your routing from your DMZ zone is not correct.

I would start with the basics and just verify that you can talk to the server serving up the updates, then look at the monitor tab and see what is getting blocked. You may want to turn on logging for your interzone-default policy for the time being just to make sure that if it's hitting that rule you'll actually get logging for it.

Re: Sophos Install & Updates From DMZ

Doug_Hogue — Wed, 31 May 2017 17:45:31 GMT

Yes I have already monitored the traffic and that is how I came up with the policy I have. I was looking for the experience of others and if their poloicy was different. Their may be some other restrictions such as url filtering and such going on here that is preventing the traffic through. Thanks for your thoughts.

Re: Sophos Install & Updates From DMZ

TranceforLife — Thu, 01 Jun 2017 11:47:29 GMT

Create test policy with any any in the app and services and test with one of the source machine ip (restrict the policy for the source ip of your test machine). Do not attach any security profiles yet! Then monitor the traffic to confirm if everything is allowed etc and if it even works with the plain policy. Then start adding additional futures (e.g security profiles). Still, works? Good. Then start restricting policy based on app and services.