Sophos Central firewall rules question


L1 Bithead

My company is trying to implement Sophos Central throughout our network.

All clients need the access listed in the article below.

https://community.sophos.com/kb/en-us/121936

Currently Sophos Central doesn't support the proxy solution we use.

What is the best way to allow access through our Palo?

Is it URL filtering or a custom application?


L2 Linker

Hi. A custom App could be difficult if SSL is used (it looks like they use SSL, judging by the required ports).

They don't use a lot of URLs. I would set up a custom URL category and use it as a match criterion within my security rulebase with Application any and the requested ports. After traffic has traversed that rule for a while, I would set up a report to get information about the applications used and add them to that rule.

Cheers, Markus
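The second step Markus describes (report on what actually traversed the broad "application any" rule, then narrow it) as an added example; this is not code from the thread or from Palo Alto Networks. It assumes a traffic-log export reduced to four constructed columns (rule, app, dport, category) and the rule and category names are placeholders; the known App-ID set is the three Sophos entries from Applipedia plus ssl and web-browsing.

```python
import csv
from collections import Counter
from io import StringIO

# App-IDs named in the thread: the three Sophos Applipedia entries plus the
# generic ssl / web-browsing apps a URL-filtering rule normally rides on.
KNOWN_APPS = {"sophos-live-protection", "sophos-rms", "sophos-update",
              "ssl", "web-browsing"}

# Constructed sample export (simplified columns; a real PAN-OS export has many more).
SAMPLE_EXPORT = """rule,app,dport,category
allow-sophos-central,ssl,443,sophos-central-urls
allow-sophos-central,sophos-update,443,sophos-central-urls
allow-sophos-central,ssl,443,sophos-central-urls
allow-sophos-central,web-browsing,80,sophos-central-urls
allow-sophos-central,sophos-live-protection,443,sophos-central-urls
allow-outbound-web,web-browsing,80,search-engines
allow-sophos-central,unknown-tcp,443,sophos-central-urls
"""


def tally_rule_apps(export_text, rule_name):
    """Count (app, dport) pairs for sessions that matched rule_name."""
    counts = Counter()
    for row in csv.DictReader(StringIO(export_text)):
        if row["rule"] == rule_name:
            counts[(row["app"], int(row["dport"]))] += 1
    return counts


def propose_narrowed_rule(export_text, rule_name):
    """Turn the tally into the application list that replaces 'any'.
    Apps outside KNOWN_APPS are not added automatically; they are listed
    for review, since a session that matched the Sophos URL category but
    could not be identified is exactly what the narrowed rule should stop."""
    tally = tally_rule_apps(export_text, rule_name)
    apps = sorted({app for app, _ in tally if app in KNOWN_APPS})
    review = sorted((app, port, n) for (app, port), n in tally.items()
                    if app not in KNOWN_APPS)
    return {"rule": rule_name, "application": apps,
            "service_ports": sorted({port for _, port in tally}),
            "review": review}


if __name__ == "__main__":
    print(propose_narrowed_rule(SAMPLE_EXPORT, "allow-sophos-central"))
```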

Cyber Elite

URL filtering is going to be the easiest to implement. If you can identify the proper information to correctly form a custom App-ID, I would always do that over URL Filtering.

Thanks for the response.

Why would you choose a custom App-ID over URL filtering?

L6 Presenter

Hi,

I think a custom app is more secure. This way you definitely know that you are talking to the "right" server(s) (based on the custom app signature and traffic logs). In your case, because the application is already identified, you only need to allow ssl and web-browsing between the appropriate zones and filter all traffic using your URL Filtering profile. In the profile, allow only your custom Sophos URLs.

@NicholasJuttner,

Anytime you can use a custom App-ID over a URL Filtering profile, it's well advised that you create one and then secure it according to your needs. The thing with a URL Filtering profile is that it's generally used in conjunction with [ ssl web-browsing ] and limiting it to a set of URLs. Obviously, if you can create a custom App-ID instead of utilizing either the ssl or web-browsing App-IDs, it's encouraged that you do so, as it gives you more visibility into your network activity and more granular control over what connections are actually allowed to be made.

Hello,

I take it none of the Sophos apps in the PAN work for this? They can be found in Applipedia, https://applipedia.paloaltonetworks.com/

Name                     Category           Subcategory        Technology
sophos-live-protection   business-systems   software-update    client-server
sophos-rms               business-systems   management         client-server
sophos-update            business-systems   software-update    client-server

I don't use this product so I don't know.

Hi Otakar,


The issue we have isn't that the apps aren't recognised. The issue we have is that currently Sophos Central (Cloud) isn't proxy aware so we'd have to allow all traffic from our subnet to the internet for those applications and their dependencies. That's something we'd prefer not to do.

 

Nick

Hello Nick,

I'm right there with you on that. However, there are things you will not be able to decrypt due to many different issues. One good example of this is PAN updates; they cannot be decrypted. What we did is exclude that particular URL/IP address range and made the rule as specific as possible, i.e. source, destination, application, port, etc. We just created exclusions and called them 'trusted' endpoints off network.

I hope that makes sense.

Cheers!
