Sophos Install & Updates From DMZ

L1 Bithead

Has anyone created a policy allowing a Sophos AV install and then updates from a DMZ? I have created such a policy but there still seems to be an issue.

The security policy has all the source and destination zones and the destination hosts set to any.

I am then allowing the following applications (not using ports at all):

- dns
- ms-ds-smb
- msrpc
- netbios-cc
- sophos-live-p...
- sophos-rms
- sophos-update
- netbios-ss
- ssl
- web-browsing
- tcp-over-tcp

If anyone is doing this, please update me on how you are doing this securely.

Thanks

L6 Presenter

So what do you see in the monitoring tab when forcing the Sophos AV in the DMZ zone to get and install updates? What policy is your traffic hitting?

Cyber Elite

@Doug_Hogue,

You'll need to actually monitor the traffic and see why it isn't being allowed. My guess would be that one of the App-IDs is using a non-standard port, you don't have an application listed that Sophos is trying to use, or something with your routing from your DMZ zone is not correct.

I would start with the basics and just verify that you can talk to the server serving up the updates, then look at the monitor tab and see what is getting blocked. You may want to turn on logging for your interzone-default policy for the time being just to make sure that if it's hitting that rule you'll actually get logging for it. 

Yes, I have already monitored the traffic and that is how I came up with the policy I have. I was looking for the experience of others and whether their policy was different. There may be some other restrictions such as URL filtering and such going on here that are preventing the traffic from getting through. Thanks for your thoughts.

Create a test policy with any/any in the app and services and test with one of the source machine IPs (restrict the policy to the source IP of your test machine). Do not attach any security profiles yet! Then monitor the traffic to confirm whether everything is allowed and whether it even works with the plain policy. Then start adding additional features (e.g. security profiles). Still works? Good. Then start restricting the policy based on app and services.
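The triage the replies describe (check which rule the DMZ traffic hits, separate "no rule matched" from "matched but denied by a profile") can be run over an exported traffic log. The script below is an added example, not code from this thread or from Palo Alto; its log layout is a simplified constructed subset of the traffic-log columns, the port numbers and rule names are made up, and ALLOWED_APPS is taken from the poster's App-ID list.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample log (not real traffic). Columns are a simplified subset of
# the traffic-log fields, not the real PAN-OS CSV export; ports are invented.
SAMPLE_LOG = """\
src_zone,dst_zone,src_ip,dst_ip,dst_port,app,rule,action
dmz,untrust,10.10.1.5,203.0.113.10,443,sophos-update,allow-sophos-dmz,allow
dmz,untrust,10.10.1.5,203.0.113.10,443,ssl,allow-sophos-dmz,allow
dmz,untrust,10.10.1.5,203.0.113.11,8192,sophos-rms,interzone-default,deny
dmz,untrust,10.10.1.5,203.0.113.11,8192,sophos-rms,interzone-default,deny
dmz,untrust,10.10.1.5,203.0.113.11,8194,unknown-tcp,interzone-default,deny
dmz,untrust,10.10.1.5,203.0.113.12,80,web-browsing,allow-sophos-dmz,deny
trust,untrust,10.0.0.7,198.51.100.9,443,ssl,allow-users,allow
"""

# App-IDs the poster already allows in the DMZ rule (from the thread).
ALLOWED_APPS = {"dns", "ms-ds-smb", "msrpc", "netbios-cc", "sophos-rms",
                "sophos-update", "netbios-ss", "ssl", "web-browsing", "tcp-over-tcp"}

def triage(log_text, allowed_apps, zone="dmz", default_rule="interzone-default"):
    """Bucket denied sessions sourced in `zone`:
    'unmatched'      hit the default rule, i.e. no rule matched (app, port or zone issue);
    'profile_denied' matched a named rule but were still denied (profiles / URL filtering).
    Also list apps hitting the default rule although they are in the policy (port or
    zone mismatch) and apps that are missing from the policy altogether."""
    unmatched, profile_denied = Counter(), Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["src_zone"] != zone or row["action"] != "deny":
            continue
        key = (row["app"], int(row["dst_port"]), row["dst_zone"])
        if row["rule"] == default_rule:
            unmatched[key] += 1
        else:
            profile_denied[(row["rule"],) + key] += 1
    return {
        "unmatched": unmatched,
        "profile_denied": profile_denied,
        "in_policy_but_unmatched": sorted(k for k in unmatched if k[0] in allowed_apps),
        "missing_apps": sorted({k[0] for k in unmatched} - allowed_apps),
    }

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG, ALLOWED_APPS).items():
        print(bucket, rows)
```

An App-ID that is already in the rule yet lands on interzone-default points at a non-standard port or a zone/routing mismatch rather than a missing application, which is the distinction the replies ask the poster to make before widening the policy.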
