topic Re: Sophos Central firewall rules question in General Topics

Sophos Central firewall rules question

njuttner — Thu, 15 Jun 2017 16:45:50 GMT

My company is trying to implement Sophos central throughout our network.

All clients need the access listed in the article below.

https://community.sophos.com/kb/en-us/121936

Currently Sophos central doesn't support the proxy solution we use.

what is the best way to allow access through our Palo?

Is it url filtering or a custom application?

Re: Sophos Central firewall rules question

markuskohlmeier — Thu, 15 Jun 2017 18:18:04 GMT

Hi. Custom App could be difficult if SSL is used (looks like that they use SSL regarding of the required ports).

They dont use a lot URLs. I would setup a custom URL category and use it as a match criteria within my security rulebase with Application any and the requested ports. After a while traffic is traversed that rule I would setup a report to get information about the used applications and at them to that rule.

Cheers, Markus

Re: Sophos Central firewall rules question

BPry — Thu, 15 Jun 2017 18:18:50 GMT

URL filtering is going to be the easiest to implement. If you can identify the proper information to correctly form a custom app-id I would always do that over URL Filtering.

Re: Sophos Central firewall rules question

njuttner — Fri, 16 Jun 2017 08:09:58 GMT

Thanks for the response.

Why would you chose a custom app-id over a URL filtering?

Re: Sophos Central firewall rules question

TranceforLife — Fri, 16 Jun 2017 09:29:17 GMT

Hi,

l think custom-app is more secure. This way you definitely know that you are talking to the "right" server(s) (based on the customer app signature and traffic logs). In you case because the application is already identified you only need to allow ssl&web-browsing between appropriate zones and filter all traffic using your URL-Filtering profile. In the profile allow only your custom URL Sophos URLs.

Re: Sophos Central firewall rules question

BPry — Fri, 16 Jun 2017 12:07:46 GMT

@njuttner,

Anytime you can use a custom app-id over a URL Filtering profile it's well advised that you create one and then secure it according to your needs. The thing with a URL Filtering profile is it's generally used in conjunction with [ ssl web-browsing ] and limiting it to a set of URLs. Obviously if you can create a custom app-id instead of utilizing either ssl or web-browsing app-ids it's encouragable that you do so as it gives you more access into your network activity and more granular control of what connections are actually allowed to be made.

Re: Sophos Central firewall rules question

OtakarKlier — Fri, 16 Jun 2017 12:53:57 GMT

Hello,

I take it none of the Sophos apps in the PAN work for this? They can be found in the applipedia, https://applipedia.paloaltonetworks.com/

sophos-live-protection	business-systems	software-update	client-server
sophos-rms	business-systems	management	client-server
sophos-update	business-systems	software-update	client-server

I dont use this product so I dont know.

Re: Sophos Central firewall rules question

njuttner — Mon, 19 Jun 2017 08:53:49 GMT

Hi Otakar,

The issue we have isn't that the apps aren't recognised. The issue we have is that currently Sophos Central (Cloud) isn't proxy aware so we'd have to allow all traffic from our subnet to the internet for those applications and their dependencies. That's something we'd prefer not to do.

Nick

Re: Sophos Central firewall rules question

OtakarKlier — Mon, 19 Jun 2017 17:03:47 GMT

Hello Nick,

I'm right there with you on that. However there are things you will not be able to decrypt due to many differnt issues. One good example of this is PAN updates, they cannot be decrypted. What we did is exclude that particular URL/IP address range and made the rule as specific as possible., i.e. source destination, applicayion, port, etc. We just created exclusions and called them 'trusted' end points off network.

I hope that makes sense.

Cheers!