Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


Icons Meaning

Delete rule (not applicable for default rules)

Insert a new rule above

Insert a new rule below

Move rule. To move the rule, click the icon and drag-and-drop at the required position (not applicable for default rules).

Collapse rule

Understanding the List of Firewall Rules

All added rules are available in the form of a list. Each rule in the list presents a quick snapshot of the rule. To view rule details, click to expand the view. Which items are available in the collapsed or expanded view is shown below.

Items in collapsed view:

Rule Name: name of the rule

In/Out: amount of traffic (in bytes) coming in or going out using the particular rule

Firewall Rule features: status of Schedule, heartbeat, IPS and traffic shaping

Source: source zone

Destination: destination zone

What: shows protected domains/services

Action: status of protected servers, status of web and application protection for user

Additional items in expanded view:

ID: rule ID

User's Policy Applied: status of application filter, web policy, AV and AS scanning, NAT policy and route through gateway, if configured

Firewall Rule Summary: summary of the added rule

While configuring any Firewall Rule, hover the mouse over the following objects to see additional details:

• Source/Destination Zones

• Schedule

• Services

• Source/Destination Networks

• Hosted Address

• Allowed/Blocked Client Networks

• Protected Server(s)

• Protected Zone

User / Network Rule

User/Network Rule is used to define access rights and protection to the network objects/hosts. In a nutshell, if you want to control traffic by source, service, destination, zone, then use a Network Rule. Additionally, the administrator has the option to attach user identity to a rule in order to customize access of assorted hosts/servers. Such an identity based rule is considered a User Rule.

You can view or add a User/Network Rule for IPv4 and IPv6 traffic.

| Protect | 52

1. Add User / Network Rule (IPv4)

2. Add User / Network Rule (IPv6)

Add User/Network Rule (IPv4)

This page allows you to create firewall rules to control traffic that uses the IPv4 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and User/Network Rule.

3. Enter the rule introduction details.

Rule Name

Enter a name for the rule.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule from the available options.

Available Options:

Top, Bottom

Action

Specify an action for the rule traffic from the available options.

• Accept – Allow access

• Drop – Silently discard

• Reject – Deny access (“ICMP port unreachable” message is sent to the source)

When sending a response it might be possible that the response is sent using a different interface than the one on which the request was received. This may happen depending on the routing configuration done on the device.

For example: If the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and no specific route is defined, the device will send a response to these hosts using the default route. Hence, the response will be sent through the WAN port.


Figure 27: About This Rule

4. Enter the Source details.

Source Zones

Select the source zones allowed to the user.

A new zone can be created directly from this page itself or from Configure > Network > Zones page.

Source Networks and Devices

Select the source networks/devices allowed to the user.

A new network host can be created directly from this page itself or from System > Hosts and Services.

During Scheduled Time

Select the schedule allowed to the user.

A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.

Figure 28: Source

5. Enter the Destination and Services details.

Destination Zones

Select the destination zones allowed to the user.

Destination Networks

Select the destination networks allowed to the user.

A new network host can be created directly from this page itself or from System > Hosts and Services.

Services

Select the services allowed to the user.

A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.


Figure 29: Destination

6. Enter Identity details. Follow this step if you want to configure a User Rule.

Match known users

Select to enable a rule based on the user identity.

Show captive portal to unknown users (available only if Match known users is selected)

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (only available if Match known users is selected)

Select to exclude user traffic activity from data accounting. In other words, the traffic allowed through this rule will not be accounted towards data transfer for the user.

By default, user’s network traffic is considered in data accounting.

Figure 30: Identity

7. Enter Malware Scanning details (available only if Action selected for the traffic is Accept).

Scan HTTP

Enable HTTP traffic scanning.

Decrypt & Scan HTTPS

Enable HTTPS traffic decryption and scanning.

Detect zero-day threats with Sandstorm

Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).

Scan FTP

Enable FTP traffic scanning.

8. Enter Advanced settings details (available only if Action selected for the traffic is Accept).

a) Specify policies for User Applications.

Intrusion Prevention

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

User's traffic shaping policy will be applied automatically if Match known users is selected.

You need to select traffic shaping policy for the rule if Match known users is not selected.

Web Policy

Select a web policy for the rule.

A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.

Apply Web Category based Traffic Shaping Policy

Click to restrict bandwidth for the URLs categorized under the Web category.

A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.

2. Now, on this page assign the created policy to Web Policy.

3. Select Apply Web Category based Traffic Shaping Policy to apply the rule.

Application Control

Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.

Apply Application-based Traffic Shaping Policy

Click to restrict bandwidth for the applications categorized under the Application category.


A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.

2. Now, on this page assign the created policy to Application Control.

3. Select Apply Application-based Traffic Shaping Policy to apply the rule.


Figure 31: User Applications

b) Configure Synchronized Security settings.

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable/disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (not available if the only Destination Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Note: You can use the option if you have selected multiple zones along with WAN.

Block request to destination with no heartbeat (not available if the only Destination Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Note: You can use the option if you have selected multiple zones along with WAN.


Figure 32: Synchronized Security

c) Enter NAT and Routing details.

Rewrite source address (Masquerading)

Select if you want to re-write the source address or specify a NAT policy.

Default: Disabled

Use Gateway Specific Default NAT Policy (available only if Masquerading is selected)

Select to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (available only if Use Gateway Specific Default NAT Policy is selected)

Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (available only if Rewrite source address is selected)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.

Default: MASQ.

MASQ (Interface Default IP)

• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Specify the Primary Gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for WAN Destination Zone and None for other zones. In such case, the firewall rule will not make routing decisions.

Backup Gateway

Specify the Backup Gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Backup Gateway will display None.

DSCP Marking

Select the DSCP Marking.

DSCP (DiffServ Code Point) classifies the flow of packets as they enter the local network depending upon QoS. A flow is defined by five elements: source IP address, destination IP address, source port, destination port and the transport protocol.

For available options, refer to DSCP Values.


Figure 33: NAT & Routing

9. Define logging option for the user application traffic.

Log Firewall Traffic

Select to enable logging of permitted and denied traffic.

Figure 34: Log Traffic

10. Click Save.
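The rule-matching behaviour described in steps 3 to 8 above (zones, networks and services; Accept, Drop or Reject; Match known users with the captive portal for unknown users; Minimum Source HB Permitted and Block clients with no heartbeat), modelled as an added Python example that is not code from the guide or from Sophos. The zone names, the sample rule set, the Red/Yellow/Green ranking of heartbeat health and the assumption that an unmet health criterion simply lets later rules decide are mine; only IPv4 addresses are used.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

HEALTH_RANK = {"Red": 0, "Yellow": 1, "Green": 2}  # higher rank satisfies a lower minimum

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str                     # e.g. "HTTP", "DNS"
    user: "str | None" = None        # None = unknown (unauthenticated) user
    src_health: "str | None" = None  # None = endpoint sends no heartbeat

@dataclass
class Rule:
    name: str
    action: str           # "Accept", "Drop" or "Reject"
    src_zones: set
    dst_zones: set
    src_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    services: set = field(default_factory=lambda: {"Any"})
    match_known_users: bool = False
    captive_portal_unknown: bool = False  # "Show captive portal to unknown users"
    min_src_hb: str = "No Restriction"    # "Green", "Yellow" or "No Restriction"
    block_no_heartbeat: bool = False      # "Block clients with no heartbeat"

def _in_any(ip, nets):
    return any(ip_address(ip) in ip_network(n) for n in nets)

def matches(rule, pkt):
    """Source, Destination and Services criteria of the rule (steps 4 and 5)."""
    return (pkt.src_zone in rule.src_zones and pkt.dst_zone in rule.dst_zones
            and _in_any(pkt.src_ip, rule.src_nets) and _in_any(pkt.dst_ip, rule.dst_nets)
            and ("Any" in rule.services or pkt.service in rule.services))

def decide(rule, pkt):
    """Verdict after identity (step 6) and heartbeat (step 8b) checks; None = not granted."""
    if rule.match_known_users and pkt.user is None:
        return "CaptivePortal" if rule.captive_portal_unknown else "Drop"
    if rule.action == "Accept":
        if pkt.src_health is None:
            return "Drop" if rule.block_no_heartbeat else "Accept"
        if HEALTH_RANK[pkt.src_health] < HEALTH_RANK.get(rule.min_src_hb, 0):
            return None  # assumption: an unmet health criterion lets later rules decide
    return rule.action   # Reject additionally sends "ICMP port unreachable" to the source

def evaluate(rules, pkt, default="Drop"):
    """Rules apply top to bottom; the first rule that matches and decides wins."""
    for rule in rules:
        if matches(rule, pkt):
            verdict = decide(rule, pkt)
            if verdict is not None:
                return rule.name, verdict
    return "default", default

# Constructed sample rule set (not from the guide), in the order it would sit in the list.
DEMO_RULES = [
    Rule("LAN-Users-Web", "Accept", {"LAN"}, {"WAN"}, src_nets=["192.168.1.0/24"],
         services={"HTTP", "HTTPS"}, match_known_users=True, captive_portal_unknown=True,
         min_src_hb="Yellow", block_no_heartbeat=True),
    Rule("LAN-DMZ-DNS", "Accept", {"LAN"}, {"DMZ"}, services={"DNS"}),
    Rule("LAN-Reject-Rest", "Reject", {"LAN"}, {"WAN", "DMZ"}),
]
```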

Add User / Network Rule (IPv6)

This page allows you to create firewall rules to control traffic that uses the IPv6 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.

1. Go to Protect > Firewall and select IPv6 using the filter switch.

2. Click +Add Firewall Rule and User / Network Rule.

3. Specify the policy introduction details.

Rule Name

Enter a name for the rule.

Description

Specify a description for the rule.

Rule Position

Specify the position of the rule from the available options.

Available Options:

Top, Bottom

Action

Specify an action for the rule traffic from the available options.

• Accept – Allow access

• Drop – Silently discard

• Reject – Deny access (“ICMP port unreachable” message is sent to the source)

When sending a response it might be possible that the response is sent using a different interface than the one on which the request was received. This may happen depending on the routing configuration done on the device.

For example: If the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and no specific route is defined, the device will send a response to these hosts using the default route. Hence, the response will be sent through the WAN port.


Figure 35: About This Rule

4. Specify Source details.

Source Zones

Select the source zones allowed to the user.

Source Networks and Devices

Select the source networks/devices allowed to the user.

A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.

During Scheduled Time

Select the schedule allowed to the user.

A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.

Figure 36: Source

5. Specify Destination and Services details.

Destination Zones

Select the destination zones allowed to the user.

Destination Networks

Select the destination networks allowed to the user.

A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.

Services

Select the service(s) allowed to the user.

A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.

Figure 37: Destination

6. Specify Identity details.

Match known users

Select to enable a rule based on the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (only available if Match known users is selected)

Select to exclude user traffic activity from data accounting.

By default, the user's network traffic is considered in data accounting. When this option is selected, the traffic allowed through this rule will not be accounted towards data transfer for the user.

Figure 38: Identity

7. Specify Malware Scanning details. (available only if Action for the traffic is Accept)

Scan HTTP

Enable HTTP traffic scanning.

Decrypt & Scan HTTPS

Enable HTTPS traffic decryption and scanning.

Detect zero-day threats with Sandstorm

Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).

8. Specify Advanced settings details (available only if Action for the traffic is Accept).

a) Specify policies for user applications.

Intrusion Prevention (IPS)

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

User's traffic shaping policy will be applied automatically if Match known users is selected.


You need to select traffic shaping policy for the rule if Match known users is not selected.

Web Policy

Select a web policy for the rule.

A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.

Apply Web Category based Traffic Shaping Policy

Click to restrict bandwidth for the URLs categorized under the Web category.

A three step configuration is required as follows:

1. Create a traffic shaping policy on the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.

2. Now, on this page assign the created policy to Web Policy.

3. Select Apply Web Category based Traffic Shaping Policy to apply the policy.

Application Control

Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.

Apply Application-based Traffic Shaping Policy

Click to restrict bandwidth for the applications categorized under the Application category.

A three step configuration is required as follows:

1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.

2. Now, on this page assign the created policy to Application Control.

3. Select Apply Application-based Traffic Shaping Policy to apply the policy.


Figure 39: User Applications

b) Specify Routing details.

Rewrite source address (Masquerading)

Disable if you do not want to re-write the source address or specify a NAT policy.

Default: Enabled

Use Gateway Specific Default NAT Policy (only if Masquerading is selected)

Click to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (only if Use Gateway Specific Default NAT Policy is selected)

Enable to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (only if Rewrite source address is selected)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.

Default: MASQ.

MASQ (Interface Default IP)

• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Specify the primary gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for WAN Destination Zone and None for other zones. In such case, the firewall rule will not make routing decisions.

Backup Gateway

Specify the backup gateway. This is applicable only if more than one gateway is defined.

Note: On deletion of the gateway, Backup Gateway will display None.

DSCP Marking

Select the DSCP Marking.

DSCP (DiffServ Code Point) classifies the flow of packets as they enter the local network depending upon QoS. A flow is defined by five elements: source IP address, destination IP address, source port, destination port and the transport protocol.

For available options, refer to DSCP Values.


Figure 40: NAT & Routing

9. Define logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 41: Log Traffic

10. Click Save.

DSCP Value

DiffServ Code Point (DSCP) uses 6 bits, thereby giving 2^6 = 64 different values (0 to 63). The following table describes the standard DSCP values. The remaining DSCP values can be customized as per the QoS requirement.

Decimal | DSCP    | Description
0       | Default | Best Effort
8       | CS1     | Class 1 (CS1)
10      | AF11    | Class 1, Gold (AF11)
12      | AF12    | Class 1, Silver (AF12)
14      | AF13    | Class 1, Bronze (AF13)
16      | CS2     | Class 2 (CS2)
18      | AF21    | Class 2, Gold (AF21)
20      | AF22    | Class 2, Silver (AF22)
22      | AF23    | Class 2, Bronze (AF23)
24      | CS3     | Class 3 (CS3)
26      | AF31    | Class 3, Gold (AF31)
28      | AF32    | Class 3, Silver (AF32)
30      | AF33    | Class 3, Bronze (AF33)
32      | CS4     | Class 4 (CS4)
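The naming scheme behind the table (CSx = 8x, AFxy = 8x + 2y, where x is the class and y the drop precedence) and where the 6-bit field sits in IPv4 and IPv6 headers, as an added Python example that is not code from the guide or from Sophos. It goes beyond the table by also decoding the standard CS5 to CS7, AF4x and EF (46) code points; the sample headers are constructed, not captured traffic.

```python
FIXED = {"Default": 0, "EF": 46}   # code points that do not follow the CS/AF formula

def dscp_value(name):
    """'CSx' -> 8x, 'AFxy' -> 8x + 2y (x = class, y = drop precedence), plus the fixed names."""
    if name in FIXED:
        return FIXED[name]
    if name.startswith("CS") and name[2:].isdigit() and 1 <= int(name[2:]) <= 7:
        return 8 * int(name[2:])
    if name.startswith("AF") and len(name) == 4 and name[2:].isdigit():
        cls, prec = int(name[2]), int(name[3])
        if 1 <= cls <= 4 and 1 <= prec <= 3:
            return 8 * cls + 2 * prec
    raise ValueError(f"unknown DSCP name: {name}")

def dscp_name(value):
    """Inverse of dscp_value over the 6-bit range; other values are custom (non-standard)."""
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field: 0..63")
    names = {v: k for k, v in FIXED.items()}
    if value in names:
        return names[value]
    cls, low = divmod(value, 8)
    if low == 0:
        return f"CS{cls}"
    if low in (2, 4, 6) and 1 <= cls <= 4:
        return f"AF{cls}{low // 2}"
    return f"custom({value})"

def table_description(value):
    """Description column of the table above, e.g. 26 -> 'Class 3, Gold (AF31)'."""
    name = dscp_name(value)
    if name.startswith("AF"):
        grade = ("Gold", "Silver", "Bronze")[int(name[3]) - 1]
        return f"Class {name[2]}, {grade} ({name})"
    if name.startswith("CS"):
        return f"Class {name[2]} ({name})"
    return "Best Effort" if name == "Default" else name

def dscp_from_ipv4_header(hdr):
    """DSCP is the top 6 bits of the IPv4 TOS byte (header byte 1); the low 2 bits are ECN."""
    return hdr[1] >> 2

def dscp_from_ipv6_header(hdr):
    """IPv6 Traffic Class is the 8 bits after the version nibble; DSCP is its top 6 bits."""
    traffic_class = ((hdr[0] & 0x0F) << 4) | (hdr[1] >> 4)
    return traffic_class >> 2

def ipv4_checksum(hdr):
    """RFC 791 ones'-complement sum over 16-bit words; 0 means the embedded checksum is valid."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mark_ipv4_header(hdr, value):
    """Copy of an IPv4 header with DSCP rewritten (ECN kept) and the header checksum recomputed."""
    out = bytearray(hdr)
    out[1] = (value << 2) | (out[1] & 0x03)
    out[10:12] = b"\x00\x00"
    out[10:12] = ipv4_checksum(out).to_bytes(2, "big")
    return bytes(out)

# Constructed sample headers (not captured traffic): a 20-byte IPv4 header marked AF21 with
# its checksum left zero, and the first 8 bytes of an IPv6 header marked AF31.
SAMPLE_IPV4 = bytes.fromhex("45480034000040004006" "0000" "c0a8010a" "cb007105")
SAMPLE_IPV6 = bytes.fromhex("6680000000141140")
```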
