My company is trying to implement Sophos central throughout our network.
All clients need the access listed in the article below.
Currently Sophos central doesn't support the proxy solution we use.
What is the best way to allow access through our Palo?
Is it URL filtering or a custom application?
Hi. A custom App could be difficult if SSL is used (it looks like they use SSL, based on the required ports).
They don't use a lot of URLs. I would set up a custom URL category and use it as a match criterion within my security rulebase with Application any and the requested ports. After traffic has traversed that rule for a while I would set up a report to get information about the used applications and add them to that rule.
I think custom-app is more secure. This way you definitely know that you are talking to the "right" server(s) (based on the custom app signature and traffic logs). In your case, because the application is already identified, you only need to allow ssl & web-browsing between the appropriate zones and filter all traffic using your URL-Filtering profile. In the profile, allow only your custom Sophos URLs.
Anytime you can use a custom app-id over a URL Filtering profile it's well advised that you create one and then secure it according to your needs. The thing with a URL Filtering profile is that it's generally used in conjunction with [ ssl web-browsing ] and limiting it to a set of URLs. Obviously, if you can create a custom app-id instead of utilizing either the ssl or web-browsing app-ids, it's encouraged that you do so, as it gives you more visibility into your network activity and more granular control of what connections are actually allowed to be made.
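The two replies above share a tuning step: start with a rule keyed on a custom URL category and the required ports, then read the traffic logs to see which App-IDs actually hit that rule, and replace `application any` with that observed set. The script below is an added example (not from the thread, and not Palo Alto's own tooling) of that step. It uses a constructed, simplified log export with only the columns needed; a real PAN-OS traffic-log CSV has many more fields, so map the columns before using it. The rule name `Allow-Sophos-Central`, the category name and the destinations are assumed sample values, and the generated `set rulebase security rules ... application [ ... ]` line follows the PAN-OS CLI syntax as I know it, so verify it against your PAN-OS version before committing.

```python
import csv
import io
from collections import Counter

# Constructed, simplified traffic-log export (NOT a real PAN-OS CSV layout).
# One row per session; 'app' is the App-ID the firewall assigned.
SAMPLE_LOG = """receive_time,rule,src,dst,dport,app,category
2024/01/10 09:00:01,Allow-Sophos-Central,10.1.1.20,203.0.113.10,443,ssl,sophos-central
2024/01/10 09:00:05,Allow-Sophos-Central,10.1.1.21,203.0.113.10,443,ssl,sophos-central
2024/01/10 09:01:10,Allow-Sophos-Central,10.1.1.20,203.0.113.11,443,web-browsing,sophos-central
2024/01/10 09:02:00,Allow-Sophos-Central,10.1.1.22,203.0.113.12,8190,unknown-tcp,sophos-central
2024/01/10 09:02:30,Allow-Web-Out,10.1.1.30,198.51.100.5,443,ssl,computer-and-internet-info
"""


def parse_log(csv_text):
    """Parse the simplified export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rule_summary(rows, rule_name):
    """Count App-ID hits and destination:port pairs seen on one security rule.

    Rows from other rules are ignored, so the tally reflects only the
    'application any' rule we intend to tighten.
    """
    apps = Counter()
    dests = Counter()
    for row in rows:
        if row["rule"] != rule_name:
            continue
        apps[row["app"]] += 1
        dests[(row["dst"], row["dport"])] += 1
    return apps, dests


def split_known_unknown(apps):
    """Separate identified App-IDs from unknown-tcp/unknown-udp hits.

    Unknown traffic should be investigated (or covered by a custom app-id),
    not silently added to the allow list.
    """
    known = sorted(a for a in apps if not a.startswith("unknown-"))
    unknown = sorted(a for a in apps if a.startswith("unknown-"))
    return known, unknown


def tighten_command(rule_name, apps):
    """Render the CLI line (assumed PAN-OS 'set' syntax) that replaces
    'application any' on the rule with the identified App-IDs only."""
    known, _ = split_known_unknown(apps)
    return f"set rulebase security rules {rule_name} application [ {' '.join(known)} ]"


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    apps, dests = rule_summary(rows, "Allow-Sophos-Central")
    known, unknown = split_known_unknown(apps)
    print("App-IDs observed:", dict(apps))
    print("Destinations:", {f"{d}:{p}": n for (d, p), n in dests.items()})
    print("Tighten with:", tighten_command("Allow-Sophos-Central", apps))
    if unknown:
        print("Investigate before allowing:", unknown)
```

Run it against a real export after the rule has been in place for a while; the destinations tally is also what you would use to replace `destination any` with address objects once the set is stable.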
I take it none of the Sophos apps in the PAN work for this? They can be found in the applipedia, https://applipedia.paloaltonetworks.com/
I don't use this product so I don't know.
The issue we have isn't that the apps aren't recognised. The issue we have is that currently Sophos Central (Cloud) isn't proxy aware so we'd have to allow all traffic from our subnet to the internet for those applications and their dependencies. That's something we'd prefer not to do.
I'm right there with you on that. However, there are things you will not be able to decrypt due to many different issues. One good example of this is PAN updates; they cannot be decrypted. What we did is exclude that particular URL/IP address range and made the rule as specific as possible, i.e. source, destination, application, port, etc. We just created exclusions and called them 'trusted' end points off network.
I hope that makes sense.