Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


| Decimal | DSCP | Description |
| 34 | AF41 | Class 4, Gold (AF41) |
| 36 | AF42 | Class 4, Silver (AF42) |
| 38 | AF43 | Class 4, Bronze (AF43) |
| 40 | CS5 | Class 5 (CS5) |
| 46 | EF | Expedited Forwarding (EF) |
| 48 | CS6 | Control (CS6) |
| 56 | CS7 | Control (CS7) |

Business Application Rule

A Business Application Rule is used to protect internally or publicly hosted business applications or servers, such as SalesForce or Sharepoint.

Using a Business Application Rule, the administrator can protect HTTP and non-HTTP web servers from unauthorized access over the Internet. You can also control access to a protected server or service through a Business Application Rule.

Several templates are available that cover the protection configuration for a variety of HTTP and non-HTTP web servers and applications. A list of these application templates appears on the Business Application Rule page.

Adding a Business Application Rule

Go to Protect > Firewall and select IPv4 using the filter switch. Now, click +Add Firewall Rule and select Business Application Rule. You can then select the Application Template from the list of available templates.

The application template allows you to choose the rule which suits the configuration of the required business application. Once you select the template, the configuration page opens with a few fields pre-populated. The pre-populated values eliminate the need to manually specify the configuration for securing your business application, but you may customize the settings according to your network setup or other requirements.

1. DNAT/Full NAT/Load Balancing rule: This template is used to protect non-web servers, like mail or other servers hosted inside the network (LAN or DMZ). Using this template, you can define the access rights of such servers for users who require access over the WAN or Internet. Additionally, you can use the following non-web application templates:

2. Email Server (SMTP): The Email Server (SMTP) rule is used to protect mail servers which are hosted internally in a network and require protection.

3. Email Clients (POP & IMAP): The Email Clients (POP and IMAP) rule is used to protect mail servers which are hosted publicly (WAN) and require protection.

Note: If you delete the Email Clients rule, the emails which are being processed by this rule will be queued but will not be delivered. We recommend following the steps below so that you do not lose all the emails processed by this rule:

1. Before deleting this rule, clone it by choosing the Clone Above option and change the Action to Drop. This cloned rule will hold all the incoming emails.

2. Go to Email > Mail Spool and check if the spool is empty.

3. Once the spool is empty, delete both firewall rules.

Application Protection Templates for common HTTP-based Applications

SF-OS offers several pre-configured templates to create a protection rule for commonly used HTTP-based applications. You can use a pre-configured template to create a rule for the web application that is close to your configuration, then modify it to fit your needs.

Pre-configured templates for common HTTP applications include:

| Protect | 64

1. Web Server Protection (WAF): Web Server Protection is used to protect HTTP or generic web application servers hosted in the network. This template is essentially a WAF implementation, but with the additional benefit of defining WAF objects, rules and exceptions from the same page.

2. Exchange Autodiscover

3. Exchange Outlook Anywhere

4. Exchange General

5. Microsoft Lync

6. Microsoft Remote Desktop Gateway 2008 and R2

7. Microsoft Remote Desktop Web 2008 and R2

8. Microsoft Sharepoint 2010 and 2013

Add Web Server Protection (WAF) Rule

This page allows you to control HTTP traffic flowing to and from a web application. Use this page to create a Web Server Protection (WAF) rule for traffic that uses the IPv4 protocol.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Enter the general rule details.

Application Template

Select Web Server Protection (WAF) to define an application filter policy for HTTP-based applications.

Rule Name

Enter a name for the rule.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom


Figure 42: About this Rule

4. Enter Hosted Server details.

Hosted Address

Select the interface of the hosted server to which the rule applies. It is the public IP address through which Internet users access the internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client's real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF), since the connection is made through the WAF. The client's real IP address is available in the HTTP header.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable or disable scanning of HTTPS traffic.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests. Thus, users entering the URL without “https://” will be redirected automatically to the hosted server.

Note: An HTTP request requires a host header if Redirect HTTP is enabled.

Domains

(if HTTPS is disabled): Enter the domains the web server is responsible for as FQDN, e.g. shop.example.com.

(if HTTPS is enabled): Depending on the HTTPS certificate you select, some domains may be preselected. You can edit or delete these domains or add new ones.


Figure 43: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, the web servers to which incoming requests are forwarded.

You can define that all URLs with a specific path, for example /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes in the most reasonable way: starting with the strictest, i.e. longest, paths and ending with the default path route, which is used only if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example because the default route was deleted), the request is denied.

Add New Path (available only if Path-specific routing is selected)

Click Add Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (not available if Path-specific routing is selected)

With this option, you select the web servers that are to be protected. Select a web server from the Web Server list. The selected web server is displayed on the right side of the table under Selected Web Server(s).

A new web server can be created on the Protect > Web Server > Web Servers page.


Figure 44: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select or add the allowed networks that should be able to connect to the hosted web server.

Blocked Client Networks

Select or add the networks that should be blocked from connecting to your hosted web server.

Authentication

Select a web app authentication profile or click Create new to create a new authentication profile. You can also create an authentication profile from the Protect > Web Server > Authentication Policies page. See Add Authentication Policy on page 242.

Figure 45: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 46: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server >

Protection Policies page. You can also choose to have None application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 47: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

Figure 48: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules will be restarted. Any underlying client connection using an HTTP-based business rule will be lost and has to be re-established.

The business application rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange Autodiscover

(Only available for IPv4 policy) This page describes how to configure a rule for Exchange Autodiscover.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Exchange Autodiscover to configure a policy for an Exchange Autodiscover environment.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 49: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client's real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF), since the connection is made through the WAF. The client's real IP address is available in the HTTP header.

Listening Port


Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select this option to enable or disable HTTPS traffic.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select this option to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 50: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, the web servers to which incoming requests are forwarded.

You can define that all URLs with a specific path, for example /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes in the most reasonable way: starting with the strictest, i.e. longest, paths and ending with the default path route, which is used only if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example because the default route was deleted), the request is denied.

Default: Enabled

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /autodiscover, /Autodiscover, /AutoDiscover

Web Server (not available if Path-specific routing is selected)

Web servers are the application servers to be protected. Select a web server from the list of web servers or enter a web server and click Create to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 51: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 52: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Default: /autodiscover/*,/Autodiscover/*

Figure 53: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server >

Protection Policies page. You can also choose to have None application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 54: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.


Figure 55: Advanced

9. Click Save.

Note: As soon as a new HTTP-based policy configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules will be restarted. Any underlying client connection using an HTTP-based business rule will be lost and has to be re-established.

The firewall rule for Microsoft Remote Desktop Gateway 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange Outlook Anywhere

(only available for IPv4 policy) This page describes how to configure a rule for Exchange Outlook Anywhere.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general policy details.

Application Template

Select Exchange Outlook Anywhere to configure rule for Exchange Outlook Anywhere.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 56: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client's real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF), since the connection is made through the WAF. The client's real IP address is available in the HTTP header.

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable or disable HTTPS traffic.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 57: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, the web servers to which incoming requests are forwarded.

You can define that all URLs with a specific path, for example /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes in the most reasonable way: starting with the strictest, i.e. longest, paths and ending with the default path route, which is used only if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example because the default route was deleted), the request is denied.

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /rpc, /RPC

Web Server (not available if Path-specific routing is selected)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 58: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 59: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Default: /rpc/*,/RPC/*.

Figure 60: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server >

Protection Policies page. You can also choose to have None application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose to have None intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 61: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or internal links on your web pages are always realized as relative links. It is recommended to use this option with Microsoft's Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may be corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.
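The Rewrite HTML and Rewrite cookies behaviour described above (the same text appears in the WAF, Exchange Autodiscover and Exchange Outlook Anywhere sections), as an added example that is not code from the guide or from SF-OS: absolute links and cookie Domain attributes are rewritten from the internal hostname to the hosted hostname, and the body rewrite is gated on the text/* or *xml* content types from the Note, so a binary with a correct content type is left untouched while a mislabelled one would be altered. The hostnames yourcompany.local and yourcompany.com come from the guide; the header and body samples are constructed.

```python
import fnmatch
import re
from typing import Dict, Tuple

# Content types the rewriter touches, as stated in the guide's Note.
REWRITE_TYPES = ("text/*", "*xml*")


def should_rewrite(content_type: str) -> bool:
    """True when the media type (parameters such as charset stripped) matches text/* or *xml*."""
    media = content_type.split(";", 1)[0].strip().lower()
    return any(fnmatch.fnmatchcase(media, pattern) for pattern in REWRITE_TYPES)


def rewrite_links(body: bytes, internal_host: str, hosted_host: str) -> bytes:
    """Replace the internal hostname in absolute http(s) links with the hosted one.

    The lookahead requires the hostname to end at a path, port, quote, space or
    tag boundary, so a longer name such as yourcompany.local.example is not touched.
    """
    pattern = re.compile(
        rb"(https?://)" + re.escape(internal_host.encode()) + rb"(?=[/:\"'\s>]|$)",
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + hosted_host.encode(), body)


def rewrite_cookie(set_cookie: str, internal_host: str, hosted_host: str) -> str:
    """Rewrite a Set-Cookie header whose Domain attribute names the internal host."""
    attrs = []
    for attr in (a.strip() for a in set_cookie.split(";")):
        name, _, value = attr.partition("=")
        if name.lower() == "domain" and value.lstrip(".").lower() == internal_host.lower():
            attr = f"{name}={hosted_host}"
        attrs.append(attr)
    return "; ".join(attrs)


def rewrite_response(headers: Dict[str, str], body: bytes,
                     internal_host: str, hosted_host: str) -> Tuple[Dict[str, str], bytes]:
    """Apply both rewrites to one response; the body is only rewritten for matching Content-Type."""
    out = dict(headers)
    if "Set-Cookie" in out:
        out["Set-Cookie"] = rewrite_cookie(out["Set-Cookie"], internal_host, hosted_host)
    if should_rewrite(out.get("Content-Type", "")):
        body = rewrite_links(body, internal_host, hosted_host)
    return out, body


if __name__ == "__main__":
    # Constructed responses: one HTML page and one PNG carrying the same byte sequence.
    html = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "sid=abc; Domain=yourcompany.local; Path=/"}
    png = {"Content-Type": "image/png"}
    print(rewrite_response(html, b'<a href="http://yourcompany.local/">', "yourcompany.local", "yourcompany.com"))
    print(rewrite_response(png, b"\x89PNG http://yourcompany.local/", "yourcompany.local", "yourcompany.com"))
```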

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.


Figure 62: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules will be restarted. Any underlying client connection using an HTTP-based business rule will be lost and has to be re-established.

The Exchange Outlook Anywhere rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Exchange General

(only available for IPv4 policy) This page describes how to configure a rule for Exchange General.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general policy details.

Application Template

Select Exchange General to configure a rule for Exchange General.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name for the rule.

Figure 63: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client's real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF), since the connection is made through the WAF. The client's real IP address is available in the HTTP header.
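The note above says the protected server only sees the WAF interface address and must take the client's real address from an HTTP header (the same note appears in the WAF, Exchange Autodiscover and Exchange Outlook Anywhere sections). The following added example, not code from the guide or from SF-OS, shows how a server behind the WAF should read that header for logging or access decisions: it assumes the header is X-Forwarded-For and that 203.0.113.10 is the WAF interface, and it believes the header only when the TCP peer is that interface, so a connection that bypassed the WAF cannot name an arbitrary client address.

```python
import ipaddress
from typing import Dict, Optional

# Assumed WAF interface address; only this peer may vouch for a client address.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}
FORWARDED_HEADER = "X-Forwarded-For"  # assumed header name, not taken from the guide


def real_client_ip(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Return the originating client address, or None when it cannot be determined.

    A forwarding header is only believed when the TCP peer is the WAF. A
    connection that reached the server some other way is attributed to the
    peer itself, so its headers cannot impersonate another client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Header names are case-insensitive.
    value = next((v for k, v in headers.items() if k.lower() == FORWARDED_HEADER.lower()), "")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    if not hops:
        return None  # the WAF forwarded the request but no client address arrived
    # The proxy appends the client it saw as the last element; anything to the
    # left was supplied by the client itself and is not trusted.
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:
        return None


def access_log_line(peer_ip: str, headers: Dict[str, str], method: str, path: str) -> str:
    """Format an access-log entry that records both the real client and the peer it came via."""
    client = real_client_ip(peer_ip, headers) or "unknown"
    return f"{client} (via {peer_ip}) {method} {path}"


if __name__ == "__main__":
    # Constructed requests: one through the WAF, one that bypassed it with a forged header.
    print(access_log_line("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}, "GET", "/owa/"))
    print(access_log_line("192.0.2.5", {"X-Forwarded-For": "198.51.100.7"}, "GET", "/owa/"))
```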

Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Select to enable or disable HTTPS traffic.

HTTPS Certificate (available only if HTTPS is selected)

Select the HTTPS certificate to be used.

Redirect HTTP (available only if HTTPS is selected)

Select to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 64: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, the web servers to which incoming requests are forwarded.

You can define that all URLs with a specific path, for example /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes in the most reasonable way: starting with the strictest, i.e. longest, paths and ending with the default path route, which is used only if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example because the default route was deleted), the request is denied.

Add New Path (available only if Path-specific routing is selected)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Default: /owa, /OWA, /ecp, /ECP, /oab, /OAB, /ews, /EWS, /oma, /OMA, /Microsoft-Server-ActiveSync
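The site path route selection described under Path-specific routing (the same text appears in the WAF, Exchange Autodiscover, Exchange Outlook Anywhere and Exchange General sections), as an added example that is not SF-OS code: the longest matching site path wins, the automatically created / route is used only when nothing more specific matches, list order does not matter, and a request matching no route is denied. The route table is constructed from the Exchange General default paths above, with invented backend names and one added nested path; treating a site path as a prefix that ends at a / boundary is this sample's assumption.

```python
from typing import Dict, Optional

# Constructed sample: the Exchange General defaults plus the automatic "/" route.
# Backend names are invented; "/owa/calendar" is added to show longest-path precedence.
EXCHANGE_ROUTES: Dict[str, str] = {
    "/": "cas-default",  # created automatically for each hosted web server
    "/owa": "cas-owa",
    "/OWA": "cas-owa",
    "/owa/calendar": "cas-calendar",
    "/ecp": "cas-admin",
    "/ECP": "cas-admin",
    "/oab": "cas-oab",
    "/OAB": "cas-oab",
    "/ews": "cas-ews",
    "/EWS": "cas-ews",
    "/oma": "cas-oma",
    "/OMA": "cas-oma",
    "/Microsoft-Server-ActiveSync": "cas-eas",
}


def _matches(site_path: str, request_path: str) -> bool:
    """Prefix match at a '/' boundary (this sample's rule), case sensitive.

    Case sensitivity is why the guide's defaults list both /owa and /OWA.
    """
    if site_path == "/":
        return True
    return request_path == site_path or request_path.startswith(site_path + "/")


def select_route(routes: Dict[str, str], request_target: str) -> Optional[str]:
    """Return the backend for a request target, or None when the request is denied."""
    request_path = request_target.split("?", 1)[0]  # the query string takes no part in routing
    best_path: Optional[str] = None
    best_backend: Optional[str] = None
    for site_path, backend in routes.items():
        site_path = site_path.rstrip("/") or "/"  # "/owa/" and "/owa" are the same route
        if _matches(site_path, request_path) and (best_path is None or len(site_path) > len(best_path)):
            best_path, best_backend = site_path, backend
    return best_backend


if __name__ == "__main__":
    for target in ("/owa/auth/logon.aspx", "/owa/calendar/view", "/Owa/", "/Microsoft-Server-ActiveSync?Cmd=Ping"):
        print(target, "->", select_route(EXCHANGE_ROUTES, target))
    without_default = {k: v for k, v in EXCHANGE_ROUTES.items() if k != "/"}
    print("/unknown without default route ->", select_route(without_default, "/unknown"))
```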

Web Servers (not available if Path-specific routing is selected)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 65: Protected Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 66: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Default: /owa/*, /OWA/*, /ews/*, /EWS/*, /ecp/*, /ECP/*, /oab/*, /OAB/*, /oma/*, /OMA/*, /Microsoft-Server-ActiveSync?*, /owa/ev.owa*

Figure 67: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 68: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links of the returned web pages so that the links stay valid. Example: One of your web server instances has the hostname yourcompany.local but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.


Figure 69: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The Exchange General rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Lync

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Lync.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Lync to define an application filter policy for HTTP-based applications.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 70: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header.

Listening Port


Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 71: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, to which web servers incoming requests are forwarded.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. You can also allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user stays on one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes from the most specific to the least specific: it starts with the strictest, i.e., longest, paths and ends with the default path route, which is only used if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Hosts are the web servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 72: Protected Application Server(s)

6. Specify Access Permission details (not available if Path-specific routing is selected).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 73: Access Permission

7. Specify path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 74: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 75: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links of the returned web pages so that the links stay valid. Example: One of your web server instances has the hostname yourcompany.local but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

Figure 76: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The Microsoft Lync rule has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Remote Desktop Gateway 2008 and R2

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Remote Desktop Gateway 2008 and R2 to configure a rule for Microsoft Remote Desktop Gateway 2008 and R2.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 77: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header.


Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 78: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, to which web servers incoming requests are forwarded.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. You can also allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user stays on one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes from the most specific to the least specific: it starts with the strictest, i.e., longest, paths and ends with the default path route, which is only used if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 79: Protected Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 80: Access Permission

7. Specify path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 81: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 82: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links of the returned web pages so that the links stay valid. Example: One of your web server instances has the hostname yourcompany.local but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

Figure 83: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The rule for Microsoft Remote Desktop Gateway 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Remote Desktop Web 2008 and R2

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft Remote Desktop Web 2008 and R2.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Remote Desktop Web 2008 and R2 to configure a rule for Microsoft Remote Desktop Web 2008 and R2.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 84: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header.

Listening Port


Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 85: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, to which web servers incoming requests are forwarded.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. You can also allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user stays on one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes from the most specific to the least specific: it starts with the strictest, i.e., longest, paths and ends with the default path route, which is only used if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly on this page or on the Protect > Web Server > Web Servers page.


Figure 86: Protected Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile on this page or on the Protect > Web Server > Authentication Policies page.

Figure 87: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify a new exception.

Add Exception

Figure 88: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also select None to apply no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also select None to apply no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also select None to apply no traffic shaping.


Figure 89: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML

Select this option to have the device rewrite links of the returned web pages so that the links stay valid. Example: One of your web server instances has the hostname yourcompany.local but the hosted web server's hostname on the device is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or SharePoint portal server.

Note: HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.
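
The Rewrite HTML and Rewrite cookies options above (and their repeats in the Exchange General, Lync and Remote Desktop Gateway templates earlier in this chapter) describe a content-type-gated rewrite. The following Python is an added illustration written for this guide, not Sophos code: it rewrites the internal hostname in absolute links only when the Content-Type is text/* or *xml*, recomputes Content-Length, rewrites the Domain attribute of Set-Cookie, and shows why a binary file mislabelled as text gets corrupted. The hostnames are the ones from the example in the text; the header handling, the regular expression and the cookie format are assumptions.

```python
import re
from fnmatch import fnmatch

# Constructed names taken from the example in the text: the internal instance and
# the hostname the hosted web server has on the device.
INTERNAL_HOST = "yourcompany.local"
PUBLIC_HOST = "yourcompany.com"


def is_rewritable_content_type(content_type: str) -> bool:
    """Only text/* and *xml* bodies are rewritten, as the note states; any other
    type (images, archives, binaries) is passed through untouched."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return fnmatch(mime, "text/*") or fnmatch(mime, "*xml*")


def rewrite_links(body: bytes, internal: str, public: str) -> bytes:
    """Replace the internal hostname in absolute http(s) URLs. Relative links carry
    no hostname and are left alone, which is why sites that use only relative
    links never need the option. The lookahead stops "yourcompany.localhost"
    from being treated as a match."""
    pattern = re.compile(
        rb"(https?://)" + re.escape(internal.encode()) + rb"(?![\w.-])",
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + public.encode(), body)


def rewrite_cookie(set_cookie: str, internal: str, public: str) -> str:
    """Rewrite the Domain attribute of one Set-Cookie header (the Rewrite cookies
    option) so the browser sends the cookie back to the public name."""
    parts = []
    for part in set_cookie.split(";"):
        part = part.strip()
        name, sep, value = part.partition("=")
        if sep and name.strip().lower() == "domain":
            bare = value.strip().lstrip(".")
            if bare.lower() == internal.lower():
                leading_dot = "." if value.strip().startswith(".") else ""
                part = f"{name.strip()}={leading_dot}{public}"
        parts.append(part)
    return "; ".join(parts)


def rewrite_response(headers: dict, body: bytes, internal: str = INTERNAL_HOST,
                     public: str = PUBLIC_HOST, rewrite_cookies: bool = True):
    """Apply the rewrite to one response. Header names are matched
    case-insensitively; Content-Length is recomputed when the body changes."""
    out = dict(headers)
    lookup = {k.lower(): k for k in out}
    ct_key = lookup.get("content-type")
    if ct_key and is_rewritable_content_type(out[ct_key]):
        body = rewrite_links(body, internal, public)
        cl_key = lookup.get("content-length")
        if cl_key:
            out[cl_key] = str(len(body))
    sc_key = lookup.get("set-cookie")
    if rewrite_cookies and sc_key:
        out[sc_key] = rewrite_cookie(out[sc_key], internal, public)
    return out, body


if __name__ == "__main__":
    # Constructed OWA-style page: the absolute link is rewritten, the relative one is not.
    page = b'<a href="http://yourcompany.local/owa/">OWA</a> <a href="/ecp/">settings</a>'
    hdrs, body = rewrite_response(
        {"Content-Type": "text/html; charset=utf-8", "Content-Length": str(len(page)),
         "Set-Cookie": "sid=abc; Domain=.yourcompany.local; Path=/; Secure; HttpOnly"},
        page,
    )
    print(body.decode(), hdrs["Content-Length"], hdrs["Set-Cookie"], sep="\n")
    # Constructed PNG header served with the wrong type: the bytes are altered.
    png = b"\x89PNG\r\n\x1a\n<http://yourcompany.local/>"
    print(rewrite_response({"Content-Type": "text/plain"}, png)[1] != png)  # True
```

The last print is the failure mode from the note: the same bytes served as image/png are left intact, so the fix on the web server side is a correct Content-Type, not disabling rewriting for the whole site.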

Pass Host Header

When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.
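
Two consequences of placing the WAF in front of the server are stated in this section: the Hosted Address note says the web server sees the WAF's interface address as the TCP peer and finds the real client address in an HTTP header, and Pass Host Header decides whether the server sees the client's Host value or the hosted name. The following Python is an added illustration of how a backend should consume both, written for this guide and not part of the Sophos product. It assumes the client address arrives in X-Forwarded-For (the page does not name the header) and uses constructed addresses and hostnames.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed values: the WAF's internal interface address, which the web server
# sees as the TCP peer, and the names the hosted web server answers for.
WAF_ADDRESSES = {ipaddress.ip_address("10.0.0.1")}
ALLOWED_HOSTS = {"yourcompany.com", "yourcompany.local"}
# Assumption: the WAF places the real client address in X-Forwarded-For.
FORWARDED_HEADER = "x-forwarded-for"


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log, rate-limit and audit on. The forwarded header is
    trusted only when the TCP peer is the WAF itself; a connection that bypasses
    the WAF, or a malformed value, falls back to the peer address."""
    peer = ipaddress.ip_address(peer_addr)
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get(FORWARDED_HEADER, "")
    if peer not in WAF_ADDRESSES or not forwarded:
        return str(peer)
    # The header may be a chain "client-supplied, address-seen-by-WAF". The last
    # entry is the one the WAF observed, so use that, not the first.
    candidate = forwarded.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)


def host_allowed(host_header, pass_host_header: bool,
                 hosted_name: str = "yourcompany.com") -> bool:
    """With Pass Host Header disabled the web server only ever sees the hosted
    name; with it enabled the server sees whatever the client sent and must
    validate it against its own allowed names."""
    host = host_header if pass_host_header else hosted_name
    if not host:
        return False
    try:
        # urlsplit strips a port, lowercases, and handles bracketed IPv6 literals.
        name = urlsplit("//" + host).hostname
    except ValueError:
        return False
    return name in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed requests: one via the WAF, one that reached the server directly.
    print(client_ip("10.0.0.1", {"X-Forwarded-For": "203.0.113.7"}))    # 203.0.113.7
    print(client_ip("192.0.2.50", {"X-Forwarded-For": "203.0.113.7"}))  # 192.0.2.50
    print(host_allowed("yourcompany.com:443", pass_host_header=True))   # True
    print(host_allowed("evil.example", pass_host_header=True))          # False
```

If several WAF interfaces or a second proxy layer exist, extend WAF_ADDRESSES rather than trusting the header from every peer.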

Figure 90: Advanced

9. Click Save.

Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules are restarted. Any client connection using an HTTP-based business rule is lost and has to be re-established.

The rule for Microsoft Remote Desktop Web 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Rule for Microsoft Sharepoint 2010 and 2013

(only available for IPv4 policy) This page describes how to configure a rule for Microsoft SharePoint 2010 and 2013.

1. Go to Protect > Firewall and select IPv4 using the filter switch.

2. Click +Add Firewall Rule and Business Application Rule.

3. Specify the general rule details.

Application Template

Select Microsoft Sharepoint 2010 and 2013 to configure a rule for Microsoft Sharepoint 2010 and 2013.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options:

• Top

• Bottom

Rule Name

Specify a name to identify the rule.

Figure 91: About This Rule

4. Specify Hosted Server details.

Hosted Address

Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.

Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the Web Application Firewall (WAF) since the connection is made through the WAF. The client’s real IP address is available in the HTTP header.


Listening Port

Enter a port number on which the hosted web server can be reached externally over the Internet.

Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

HTTPS

Click to enable or disable HTTPS traffic.

HTTPS Certificate (available if HTTPS is enabled)

Select the HTTPS certificate to be used.

Redirect HTTP (available if HTTPS is enabled)

Click to redirect HTTP requests.

Domains

Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.


Figure 92: Hosted Server

5. Specify Protected Server(s) details.

Path-specific routing

You can enable path-specific routing to define, by path, to which web servers incoming requests are forwarded.

You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. You can also allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user stays on one server during the shopping session. You can also configure the device to send all requests to one web server and use the others only as a backup.

For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes from the most specific to the least specific: it starts with the strictest, i.e., longest, paths and ends with the default path route, which is only used if no other, more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (for example, because the default route was deleted), the request is denied.
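
The site path route selection described above is the same for every HTTP-based template in this chapter (Exchange General, Microsoft Lync, Remote Desktop Gateway, Remote Desktop Web and SharePoint). The following Python is one added worked example of that selection logic, written for this guide and not taken from the Sophos product: the longest path wins regardless of list order, a deleted default route means the request is denied, a sticky session stays on one server, and a backup configuration uses the remaining servers only when the first is unavailable. The server names, the session identifier, and the rule that a route is a prefix match on a dot-segment-normalized path are assumptions.

```python
import posixpath
from dataclasses import dataclass
from itertools import count


@dataclass
class PathRoute:
    """One site path route: a URL path prefix and the real web servers behind it."""
    path: str                  # e.g. "/products/"; the automatic default route is "/"
    servers: list              # constructed server names; a deployment uses host objects
    sticky: bool = False       # bind each session to one server for its lifetime
    hot_standby: bool = False  # send everything to the first live server, rest are backup


def normalize_path(raw: str) -> str:
    """Drop query and fragment and collapse dot segments before matching, so that
    "/static/../cart" is routed as "/cart" and cannot be steered to the /static/
    servers by the client (an assumption about how matching should behave)."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it for prefix rules
    return norm


class SitePathRouter:
    def __init__(self, routes):
        # The configured order is irrelevant: the strictest (longest) path is tried
        # first and the default route "/" last, because it is the shortest.
        self.routes = sorted(routes, key=lambda r: len(r.path), reverse=True)
        self.down = set()                                  # servers currently unavailable
        self._sessions = {}                                # (route path, session id) -> server
        self._rr = {r.path: count() for r in self.routes}  # round-robin counters per route

    def match(self, url_path: str):
        path = normalize_path(url_path)
        for route in self.routes:
            if path.startswith(route.path):
                return route
        return None  # no route matched, not even "/": the request is denied

    def select(self, url_path: str, session_id=None):
        """Return the server that should receive the request, or None to deny it."""
        route = self.match(url_path)
        if route is None:
            return None
        live = [s for s in route.servers if s not in self.down]
        if not live:
            return None
        if route.hot_standby:
            return live[0]
        if route.sticky and session_id is not None:
            key = (route.path, session_id)
            server = self._sessions.get(key)
            if server is None or server in self.down:
                server = self._round_robin(route, live)
                self._sessions[key] = server
            return server
        return self._round_robin(route, live)

    def _round_robin(self, route, live):
        return live[next(self._rr[route.path]) % len(live)]


if __name__ == "__main__":
    # Constructed configuration: a shop with a sticky default route, a product
    # catalogue with one backup server, and a single static-content server.
    router = SitePathRouter([
        PathRoute("/", ["web1", "web2"], sticky=True),
        PathRoute("/products/", ["shop1", "shop2"], hot_standby=True),
        PathRoute("/static/", ["cdn1"]),
    ])
    print(router.select("/products/item?id=1"))         # shop1
    print(router.select("/static/../cart", "sess-A"))    # web1: normalized to /cart
    print(SitePathRouter([PathRoute("/static/", ["cdn1"])]).select("/cart"))  # None
```

The last call shows the denial the text warns about: with the default route removed, anything outside the remaining prefixes has nowhere to go.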

Add New Path (available if Path-specific routing is enabled)

Click Add New Path to define a new path.

Add Path

Note: Add New Path will only be active after at least one web server and one hosted web server have been created.

Web Server (available if Path-specific routing is disabled)

Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add New Item to add a web server.

A new web server can be created directly from this page or from the Protect > Web Server > Web Servers page.


Figure 93: Protected Application Server(s)

6. Specify Access Permission details (available if Path-specific routing is disabled).

Allowed Client Networks

Select the allowed host(s)/network(s).

Blocked Client Networks

Select the blocked host(s)/network(s).

Authentication

Select the web application authentication profile from the list of available profiles.

You can also create a new authentication profile from this page or from the Protect > Web Server > Authentication Policies page.

Figure 94: Access Permission

7. Add path Exceptions for the web servers.

Click Add New Exception to specify new exception.

Add Exception

Figure 95: Exceptions

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Protection

Select an application protection policy for the server or create a new one. A new application protection policy can be created directly from this page or from the Protect > Web Server > Protection Policies page. You can also choose None for no application protection.

Intrusion Prevention

Select an Intrusion Prevention policy for the rule or create a new one. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

You can also choose None for no intrusion prevention.

Traffic Shaping

The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

Select a traffic shaping policy for the rule or create a new one. A new traffic shaping policy can be created directly from this page or from the System > System Services > Traffic Shaping page. You can also choose to have None traffic shaping.


Figure 96: Policies for Business Applications

b) Specify Additional Options for the added server.

Disable Compression Support

By default, this check box is cleared and content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is selected, the WAF requests uncompressed data from the web servers of this hosted web server and sends it uncompressed to the client, regardless of the encoding the HTTP request asked for.

Rewrite HTML

Select this option to have the device rewrite links in the returned web pages so that the links stay valid. Example: one of your web server instances has the hostname yourcompany.local, but the hosted web server's hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless they are rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need to enable this option if yourcompany.com is configured on your web server or if internal links on your web pages are always relative links. It is recommended to use the option with Microsoft Outlook Web Access and/or SharePoint Portal Server.

Note: HTML rewriting affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting process.

Rewrite cookies (available only if Rewrite HTML is selected)

Select this option to have the device rewrite cookies of the returned web pages.

Pass Host Header

When you select this option, the Host header as sent by the client is preserved and forwarded with the web request to the web server. Whether passing the Host header is necessary in your environment depends on the configuration of your web server (for example, whether it selects a virtual host by name).

Figure 97: Advanced
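An added example, not Sophos code, of what the Rewrite HTML, Rewrite cookies and Pass Host Header options do in practice: absolute links to the internal hostname are rewritten only in responses whose Content-Type is text/* or contains "xml" (a binary response is passed through untouched, which is why a mislabelled binary would otherwise be corrupted), the Domain attribute of cookies is rewritten to the hosted hostname, and the Host header sent upstream is either the client's or the web server's own name. The hostnames are the ones from the text; the upstream Host value used when the header is not passed through is an assumption.

```python
# Added example (not Sophos code): link, cookie and Host header rewriting
# between the internal hostname and the hosted hostname. The Host value
# sent when Pass Host Header is off is an assumption.
import re


def rewrite_applies(content_type: str) -> bool:
    """HTML rewriting touches only text/* and *xml* content types."""
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime.startswith("text/") or "xml" in mime


def rewrite_html(body: bytes, content_type: str, internal: str, public: str) -> bytes:
    """Rewrite absolute links to the internal hostname, but only in text/xml bodies."""
    if not rewrite_applies(content_type):
        return body  # binary content is passed through unchanged
    host = re.escape(internal.encode())
    # Only whole hostnames: yourcompany.local but not yourcompany.localhost
    pattern = re.compile(rb"(https?://)" + host + rb"(?=[/:'\"\s>]|$)", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + public.encode(), body)


def rewrite_cookie_domain(set_cookie: str, internal: str, public: str) -> str:
    """Rewrite cookies: change a Domain attribute naming the internal host to the hosted host."""
    return re.sub(r"(?i)(;\s*domain=)" + re.escape(internal) + r"(?=;|$)",
                  lambda m: m.group(1) + public, set_cookie)


def upstream_host_header(client_host: str, web_server_name: str, pass_host_header: bool) -> str:
    """Pass Host Header keeps the client's value; otherwise the server's own name is used (assumed)."""
    return client_host if pass_host_header else web_server_name


if __name__ == "__main__":
    page = b'<a href="http://yourcompany.local/">Home</a>'
    print(rewrite_html(page, "text/html; charset=utf-8", "yourcompany.local", "yourcompany.com"))
    print(rewrite_cookie_domain("sid=abc; Domain=yourcompany.local; Path=/; HttpOnly",
                                "yourcompany.local", "yourcompany.com"))
```

The content-type gate is the important part: if your web server serves a download as text/html, the rewrite will run over its bytes, which is exactly the corruption the note warns about.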

9. Click Save.

Note: As soon as a new HTTP based rule configuration is created and saved, or an existing HTTP based rule configuration is altered and saved, all HTTP based business rules are restarted. Any client connection using an HTTP based business rule is lost and has to be re-established.

The rule for Microsoft Sharepoint 2010 and 2013 has been created and appears on the Firewall page when the IPv4 filter is set.

Add Path

(only available for HTTP based business application rules) This page describes how to define, per path, to which real web servers incoming requests are forwarded.

1. Enable path-specific routing and click Add New Path.

2. Specify the path details.

Path

Enter the path for which you want to create the site path route.

Example: /products/.

Web Server

Select the web servers which are to be used for the specified path.

Authentication

Select the web app authentication profile. Select Create new to create a new authentication profile.

You can also create an authentication profile from the Protect > Web Server > Authentication Policies page (see Add Authentication Policy on page 242).

Allowed Client Networks

Select or add the allowed networks that should be able to connect to the hosted web server.

Blocked Client Networks

Select or add the networks that should be blocked from reaching your hosted web server.

Sticky session cookie

Click the toggle switch to ensure that each session is bound to one web server. If enabled, a cookie is passed to the user's browser, which causes Sophos XG Firewall to route all requests from this browser to the same real web server. If the server is not available, the cookie will be updated, and the session will switch to another web server.

Hot-standby mode

Click the toggle switch if you want to send all requests to the first selected web server, and use the other web servers only as a backup. The backup servers are only used in case the main server fails.

As soon as the main server starts functioning, the sessions will switch back - unless you have selected the Sticky session cookie option.


Figure 98: Add New Path

3. Click Save.

Add Exception

(only available for HTTP based business application rules) This page describes how to specify path exceptions for the web servers.

1. Click Add New Exception.

2. Specify exception details.

Path

Specify the path which you want to exclude.

Operation

Select AND or OR to define how the Path and Source conditions are combined.

Source

Specify the source networks where the client request comes from and which are to be exempted from the selected check(s).


Skip these Checks

Cookie Signing

Click to skip cookie signing. Cookie signing protects a web server against manipulated cookies.

When the web server sets a cookie, a second cookie is added alongside it containing a hash built from the primary cookie's name, its value and a secret, where the secret is known only to the WAF. If a request cannot present a correct cookie pair, the cookie has been manipulated in some way and is dropped.

Static URL Hardening

Click to skip static URL hardening. Static URL hardening protects against URL rewriting. When a client requests a website, all static URLs of the website are signed, using a procedure similar to cookie signing. Additionally, the response from the web server is analyzed to determine which links can validly be requested next.

Form Hardening

Click to skip form hardening. Form hardening protects against web form rewriting: the WAF records the original structure of a web form and signs it, so if the structure of the form has changed when it is submitted, the request is rejected.
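The cookie signing and form hardening checks above, as an added example that is not Sophos code. A cookie is accepted only if its companion signature cookie carries a valid HMAC over name, value and a WAF-only secret; a form submission is accepted only if the hidden signature still matches the set of field names the WAF saw when it served the form. The secret, the `_sig` cookie suffix, the `_waf_form_sig` hidden field name and the use of HMAC-SHA256 are assumptions for the demonstration; the `accept_unhardened` flag mirrors the Accept unhardened form data option in the Advanced section of an exception.

```python
# Added example (not Sophos code): cookie signing and form hardening with
# HMAC-SHA256. Secret, cookie suffix and hidden-field name are assumptions.
import hashlib
import hmac

WAF_SECRET = b"assumed-waf-secret"   # known only to the WAF; generated, not hard-coded, in reality
FORM_FIELD = "_waf_form_sig"         # assumed name of the hidden signature field


def _sig(*parts: bytes) -> str:
    """HMAC over the parts, NUL-separated so that boundaries cannot be shifted."""
    return hmac.new(WAF_SECRET, b"\x00".join(parts), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str) -> dict:
    """Cookie pair the WAF sets: the original cookie plus its signature cookie."""
    return {name: value, name + "_sig": _sig(name.encode(), value.encode())}


def verify_cookies(cookies: dict) -> dict:
    """Return only the cookies whose signature cookie verifies; the rest are dropped."""
    accepted = {}
    for name, value in cookies.items():
        if name.endswith("_sig"):
            continue
        sig = cookies.get(name + "_sig")
        if sig is not None and hmac.compare_digest(sig, _sig(name.encode(), value.encode())):
            accepted[name] = value
    return accepted


def harden_form(action: str, field_names: list) -> str:
    """Signature of the form structure (action plus sorted field names) for the hidden field."""
    return _sig(action.encode(), *[f.encode() for f in sorted(field_names)])


def check_form(action: str, submitted: dict, accept_unhardened: bool = False) -> bool:
    """Accept a submission only if its structure still matches the signed one."""
    token = submitted.get(FORM_FIELD)
    if token is None:
        return accept_unhardened   # no signature at all: only allowed if explicitly accepted
    names = sorted(k for k in submitted if k != FORM_FIELD)
    return hmac.compare_digest(token, _sig(action.encode(), *[n.encode() for n in names]))


if __name__ == "__main__":
    pair = sign_cookie("session", "abc123")
    print(verify_cookies(pair))                       # {'session': 'abc123'}
    pair["session"] = "admin"                          # tampered value
    print(verify_cookies(pair))                       # {}
    token = harden_form("/login", ["user", "password"])
    print(check_form("/login", {"user": "a", "password": "b", FORM_FIELD: token}))
```

Note what form hardening does and does not check: an added field (a hidden `role=admin`, say) changes the structure and is rejected, but field values are free to change, which is the intended behaviour for a form.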

Anti-virus

Click to skip anti-virus scanning, which protects a web server against viruses.

Block clients with bad reputation

Based on GeoIP and RBL information you can block clients which have a bad reputation according to their classification.

Skip these categories

Protocol Violations

Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.

Protocol Anomalies

Searches for common usage patterns. Lack of such patterns often indicates malicious requests.

These patterns include, among other things, HTTP headers like 'Host' and 'User-Agent'.

Request Limits

Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.

HTTP Policy

Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.

Bad Robots

Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.

Generic Attacks

Searches for attempted command executions common to most attacks. After having breached a web server, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.

SQL Injection Attacks

Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.

XSS Attacks


Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code through input fields on a target web server, often via otherwise legitimate requests.

Tight Security

Performs tight security checks on requests, like checking for prohibited path traversal attempts.

Trojans

Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.

Outbound

Prevents web servers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.
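An added example, not Sophos code or its rule set, of what four of the categories above look like as concrete checks: Protocol Anomalies (missing Host or User-Agent), HTTP Policy (a browser-style method allow list), Request Limits (argument count and length) and Tight Security (path traversal, detected after double percent-decoding so that `..%2f` and the double-encoded `%252e%252e` are both seen). The method list, thresholds and finding names are assumptions; the requests are constructed for the demonstration.

```python
# Added example (not Sophos code): illustrative checks for the Protocol
# Anomalies, HTTP Policy, Request Limits and Tight Security categories.
# Method list, thresholds and finding names are assumptions.
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # HTTP Policy: the subset browsers normally use
MAX_ARGS = 50                               # Request Limits (assumed)
MAX_ARG_LEN = 1024                          # Request Limits (assumed)


def escapes_root(path: str) -> bool:
    """Tight Security: does the path climb above the document root?

    Decode twice so that "..%2f" and the double-encoded "%252e%252e"
    forms are both normalised to ".." before the depth is counted.
    """
    depth = 0
    for seg in unquote(unquote(path)).replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def inspect_request(method: str, target: str, headers: dict, body: str = "") -> list:
    """Return the list of findings for one request; an empty list means it passed."""
    findings = []
    if method not in ALLOWED_METHODS:
        findings.append("http_policy: method %s is not allowed" % method)
    names = {k.lower() for k in headers}
    if not {"host", "user-agent"} <= names:
        findings.append("protocol_anomaly: Host or User-Agent header missing")
    parts = urlsplit(target)
    args = parse_qsl(parts.query, keep_blank_values=True)
    if body:
        args += parse_qsl(body, keep_blank_values=True)
    if len(args) > MAX_ARGS or any(len(v) > MAX_ARG_LEN for _, v in args):
        findings.append("request_limits: too many or too long arguments")
    if escapes_root(parts.path):
        findings.append("tight_security: path traversal attempt")
    return findings


if __name__ == "__main__":
    browser = {"Host": "shop.example.com", "User-Agent": "Mozilla/5.0"}
    print(inspect_request("GET", "/index.html?q=hi", browser))                 # []
    print(inspect_request("GET", "/images/..%2f..%2fetc/passwd", browser))     # tight_security
    print(inspect_request("TRACE", "/", {"Host": "shop.example.com"}))         # http_policy, protocol_anomaly
```

An exception that skips Tight Security for a path should be scoped as narrowly as the Path and Source fields allow; the traversal check is cheap and catches the encoded variants that a naive string match for "../" misses.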

Advanced

Never change HTML during static URL hardening or form hardening

If selected, no data matching the defined exception settings will be modified by the WAF engine.

With this option, e.g. binary data wrongly served with a text/html content type by the web server will not be corrupted. On the other hand, web requests may be blocked because URL hardening, HTML rewriting or form hardening is active. These three features use an HTML parser and therefore depend to some extent on modifying web page content. To prevent undesired blocking, skip URL hardening and/or form hardening for the requests affected; you might need to do this in another or new exception to reflect dependencies between web servers and/or web pages.

Accept unhardened form data

Even with an exception for form hardening, form data may not be accepted if the form hardening signature is missing. With this option, unhardened form data is accepted anyway.


Figure 99: Add New Exception


3. Click Save.

Application Protection Templates for common non-HTTP Applications

SF-OS offers several pre-configured templates to create a protection rule for commonly used non-HTTP applications and services. Use the template that is closest to your configuration, then modify the rule to fit your needs.

Pre-defined templates include:

1. DNAT/Full NAT/Load Balancing

2. Mail Servers (SMTP)

Add DNAT/Full NAT/Load Balancing Rule

This page describes how to configure a DNAT/Full NAT/Load Balancing (Non-web) rule.

A DNAT/Full NAT/Load Balancing based rule is used to protect non-web servers, like mail or other servers hosted inside the network (LAN or DMZ). Using this rule, you can define access rights of such servers to users who require access over the WAN or Internet.

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select DNAT/Full NAT/Load Balancing to configure a rule for generic Non-Web based applications.

Description

Enter a description for the rule.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the rule.

Figure 100: About This Rule

4. Specify Source details.

Source Zones

Select a source zone or click Add New Item to define a new LAN or DMZ zone.

Allowed Client Networks

Select the allowed host(s) or add a new one by clicking Add New Item.

Blocked Client Networks

Select the blocked host(s)/network(s).

Figure 101: Source

5. Specify Destination & Service details.

Destination Host/Network

Select the destination host/network to apply rule. It is the public IP address through which users access an internal server/host over the Internet.

Available Options:

• IP Address - The specified IP address is mapped to a corresponding single mapped IP address or a range of IP addresses. If a single IP address is mapped to a range of IP addresses, the device uses a round robin algorithm to load balance the requests.

• IP Range (only available for IPv4) - The specified IP address range is mapped to a corresponding range of mapped IP addresses. The IP range defines the start and end of an address range; the start of the range must be lower than the end.

• Interface IP (only available for IPv4) - Select when any of the device port, alias or virtual LAN (VLAN) sub-interface is required to be mapped to the destination host or network.

Forward Type

Select the type of external port from the available options.

Available Options: Port, Port Range, Port List, Everything

When Everything is selected, all ports are forwarded. Select other options to enable custom port forwarding and specify port forwarding details.

Service Port(s) Forwarded (not available if Forward Type selected is Everything)

Specify the public port number for which you want to configure port forwarding.

Protocol (not available if Forward Type selected is Everything)

Select the protocol TCP or UDP to be used by forwarding packets.


Figure 102: Destination and Service

6. Specify Forward To details.

Protected Server(s)

From the available options, select the internal server(s) to which the forwarded traffic is sent.

Available options:

• IP Address - The external IP address is mapped to the specified IP address.

• IP Range - The external IP address range is mapped to the specified IP address range.

• IP List - The external IP address is mapped to the specified IP list.

• FQDN (only available for IPv4 virtual hosts) - The external IP address is mapped to the specified FQDN. The internal mapped server can be accessed by FQDN.

Mapped Port Type (available only if Change Destination Port(s) is selected)

Select the type of mapped port from the available options.

Available Options: Port, Port Range, Port List

Mapped Port (available only if Change Destination Port(s) is selected)

Specify the mapped port number on the destination network to which the public port number is mapped.

Protected Zone

Select the zone in which the protected server(s) reside.

Change Destination Port(s)

Select the check box to specify a different mapped port. Clear the check box to use the same Service Port(s) Forwarded as the mapped port.

Figure 103: Forward To

7. Specify Load balancing details.

Load Balancing (available only if the selected Protected Server is IP Range or IP List, or the selected Destination Host/Network is IP Address)

Select the method for load balancing from the available options.

Available Options:

• Round Robin - Requests are served sequentially: the first request is forwarded to the first server, the second to the second server, and so on. When a request is received, the device checks which server was assigned the last request and assigns the new request to the next available server. Use this method when equal distribution of traffic is required and there is no need for session persistence.

• First Alive - All incoming requests are served by the first server (the first IP address configured in the IP range). This server is considered the primary server and all others are backups. Only when the first server fails are requests forwarded to the next server in line. Use this method for failover scenarios.

• Random - Requests are forwarded to the servers randomly. Nevertheless, the device makes sure that all configured servers receive an equally distributed load, hence this method is also called uniform random distribution. Use this method when equal distribution of traffic is required and there is no need for session persistence or a fixed order of distribution.

• Sticky IP - Along with round robin distribution of traffic, the device forwards incoming traffic according to the source IP address. All traffic from a particular source is forwarded only to its mapped server, so all requests from a given source IP are sent to the same application server instance. Use this method when all requests or sessions must be processed by the same server, for example for banking or e-commerce websites.

Health Check (available only if Load Balancing is enabled)

Click to enable a health check for failover and specify the parameters based on the description shown below.

Port (available only if selected Health Check Method is TCP Probe)

Specify the port number on the server on which health is monitored.

Acceptable range: 1 to 65535

Interval

Specify the time interval in seconds after which the health will be monitored.

Acceptable range: 5 to 65535 seconds

Default: 60

Probe Method

Select the probe method to check the health of the server from the available options.

Available Options: ICMP, TCP

Timeout

Specify the time interval in seconds within which the server must respond.

Acceptable range: 1 to 10 seconds

Default: 2

Retries


Specify the number of tries to probe the health of the server, after which the server will be declared unreachable.

Acceptable range: 1 to 10

Default: 3


Figure 104: Load Balancing
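An added example, not Sophos code, of the four load balancing methods and the health check above: Round Robin cycles through the live servers, First Alive always returns the first configured server that is up, Random picks among the live ones, and Sticky IP assigns a source address by round robin on first sight and keeps it on that server until the server fails. The health check is modelled only as the retry counter that declares a server unreachable after `retries` consecutive failed probes; the Interval and Timeout values are stored but the probe scheduling itself is outside the example. Server addresses are constructed for the demonstration.

```python
# Added example (not Sophos code): load balancing methods and the
# health-check retry counter. Probe scheduling by interval/timeout is not
# modelled; the addresses are constructed for the demonstration.
import random


class Backend:
    def __init__(self, ip: str):
        self.ip = ip
        self.failures = 0    # consecutive failed probes
        self.alive = True


class HealthCheck:
    def __init__(self, interval: int = 60, timeout: int = 2, retries: int = 3):
        self.interval, self.timeout, self.retries = interval, timeout, retries

    def record(self, server: Backend, responded: bool) -> None:
        """Feed one probe result; `retries` failures in a row mark the server down."""
        if responded:
            server.failures = 0
            server.alive = True
        else:
            server.failures += 1
            if server.failures >= self.retries:
                server.alive = False


class LoadBalancer:
    def __init__(self, servers: list, method: str):
        self.servers = servers    # configured order; the first entry is the First Alive primary
        self.method = method      # round_robin | first_alive | random | sticky_ip
        self._next = 0            # round robin cursor
        self._sticky = {}         # source IP -> Backend

    def _alive(self) -> list:
        return [s for s in self.servers if s.alive]

    def _round_robin(self, alive: list) -> Backend:
        server = alive[self._next % len(alive)]
        self._next += 1
        return server

    def pick(self, src_ip: str):
        """Choose the backend for a new connection from src_ip, or None if all are down."""
        alive = self._alive()
        if not alive:
            return None
        if self.method == "round_robin":
            return self._round_robin(alive)
        if self.method == "first_alive":
            return alive[0]                      # primary while up, otherwise next in line
        if self.method == "random":
            return random.choice(alive)
        if self.method == "sticky_ip":
            bound = self._sticky.get(src_ip)
            if bound is None or not bound.alive:
                bound = self._round_robin(alive)  # new source, or its mapped server failed
                self._sticky[src_ip] = bound
            return bound
        raise ValueError("unknown method: " + self.method)


if __name__ == "__main__":
    servers = [Backend("10.0.0.1"), Backend("10.0.0.2"), Backend("10.0.0.3")]
    hc = HealthCheck(retries=3)
    for _ in range(3):
        hc.record(servers[0], responded=False)     # three misses: primary declared down
    print(LoadBalancer(servers, "first_alive").pick("203.0.113.5").ip)   # 10.0.0.2
```

Without a health check enabled there is no failure counter at all, so Round Robin keeps handing every Nth connection to a dead server; enable it whenever more than one protected server is configured.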

8. Specify Identity details.

Match known users

Matching the rule on user identity lets you check whether the specified user or user group from the selected zone is allowed to access the selected service.

Click to attach the user identity.

Enable check identity to apply the following policies per user.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available if Match known users is selected)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (available if Match known users is selected)

Click to enable/disable user traffic activity from data accounting.

By default, user’s network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this firewall rule will not be accounted towards data transfer for the user.

Figure 105: Identity

9. Specify Advanced settings details.

a) Specify Policies for Business Applications.

Intrusion Prevention

Select the required IPS policy. If Match rule based on user identity is enabled, the user's IPS policy is applied automatically, but will not be effective until the respective module is subscribed. A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy

Select the required traffic shaping policy. If Match rule based on user identity is enabled, the user's traffic shaping policy is applied automatically.

You need to select traffic shaping policy for the rule if Match known users is not selected.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.


Figure 106: Policies for Business Applications

b) Specify Security Heartbeat details (available only if IPv4 is selected).

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable the option to require the sending of heartbeats.

Block request to destination with no heartbeat (not available if Protected Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Figure 107: Synchronized Security

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable/disable to re-write the source address or specify a NAT policy.

Use Outbound Address (available only if Rewrite source address is enabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP): the IP address of the selected Protected Zone, as configured in Configure > Network > Interfaces, is displayed instead of (Interface Default IP).

Create Reflexive Rule

Enable to automatically create a reflexive firewall rule for the protected host.

A reflexive rule has the same policies as the rule configured for the hosted server, but instead of applying to traffic from the source zone to the destination zone, it applies to traffic from the destination zone to the source zone.

By default, the reflexive rule is not created.

Figure 108: Routing

10. Specify the logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 109: Log Traffic

11. Click Save.

The non-web based rule has been created and appears on the Firewall page when the appropriate filter is set.


Add Rule for Email Clients (POP and IMAP)

The Email Clients (POP and IMAP) rule is used to protect mail servers which are hosted publicly (WAN). This page describes how to configure a protection rule and control access to mail servers using the Email Clients application template.

Note:

If you delete the Email Clients rule, emails being processed by this rule are queued but not delivered.

We recommend the following steps so that you do not lose the emails processed by this rule:

1. Before deleting this rule, clone this rule by choosing Clone Above option and change the Action to Drop.

This cloned rule will hold all the incoming emails.

2. Go to Email > Mail Spool and check if spool is empty.

3. Once the spool is empty, delete both the firewall rules.

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select Email Clients (POP & IMAP) to define an application filter policy for POP and IMAP based email clients.

Description

Specify the rule description.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the rule.

Figure 110: About This Rule

4. Specify Source details.

Zone

Select the allowed source zone(s).

Networks

Select the allowed source network(s). A new network host can be created directly from this page or from the System > Hosts and Services > IP Host page.

Figure 111: Source

5. Specify Destination details.

Zone

Select the zone to which the rule applies.

Networks

Select the network(s) to be protected.

A new network host can be created directly from this page or from the System > Hosts and Services > IP Host page.


Figure 112: Destination

6. Specify Identity details.

Match rule based on user identity

Click to enable a rule based on the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. Captive portal page is displayed to the user where the user can login to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match rule based on user identity is enabled)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (only available if Match rule based on user identity is enabled)

Click to enable/disable user traffic activity from data accounting.

By default, user’s network traffic is considered in data accounting. Select to exclude certain traffic from user data accounting. The traffic allowed through this rule will not be accounted towards data transfer for the user.

Figure 113: Identity

7. Specify Malware Scanning details.

Scan IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS

Click to enable/disable scanning of IMAP/IMAPS/POP3/POP3S/SMTP/SMTPS traffic.

Figure 114: Malware Scanning

8. Specify Advanced settings.

a) Specify Policies for Business Applications.

Intrusion Prevention

Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping (Not available if Match rule based on user identity is selected)

Select a traffic shaping policy for the rule.

A traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.


Figure 115: Policies for Business Applications

b) Specify Security Heartbeat settings (available only if IPv4 is selected).

Minimum Source HB Permitted

Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable/disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (Not available if the only Destination Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this policy will not be granted to the user.

Note: You can use the option if you have selected multiple zones along with WAN.

Block request to destination with no heartbeat (Not available if the only Destination Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.

Based on that information, you can block requests to destinations not sending heartbeat.

Enable/disable the option to require the sending of heartbeats.

Note: You can use the option if you have selected multiple zones along with WAN.


Figure 116: Security Heartbeat

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable/disable to re-write the source address or specify a NAT policy.

Use Gateway Specific Default NAT Policy (only if Masquerading is selected)

Select to override the default NAT policy with a gateway specific policy.

Override default NAT policy for specific Gateway (only if Use Gateway Specific Default NAT Policy is selected)

Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.

Use Outbound Address (available only if Rewrite source address is enabled and Use Gateway Specific Default NAT Policy is disabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP)

• The IP address of the Destination Zone, as configured in Configure > Network > Interfaces, is displayed instead of (Interface Default IP) when a single Destination Zone is selected.

• (Interface Default IP) will be displayed when multiple Destination Zones are selected.

Primary Gateway

Select the primary gateway to route the request. You can create new gateway from this page itself or from Configure > Routing > Gateways.

Note: On deletion of the gateway, Primary Gateway displays WAN Link Load Balance for the WAN Destination Zone and None for other zones. In that case, the firewall rule does not make routing decisions.

Backup Gateway

Select the backup gateway to route the request. You can create new gateway from this page itself or from Configure > Routing > Gateways.

Note: On deletion of the gateway, Backup Gateway displays None.

Figure 117: Routing

9. Specify logging option for the user application traffic.

Log Firewall Traffic

Click to enable logging of permitted and denied traffic.

Figure 118: Log Traffic

Add Rule for Email Servers (SMTP)

This page describes how to configure a rule for email servers (SMTP).

1. Go to Protect > Firewall and select between IPv4 or IPv6 using the default filter.

2. Now, click +Add Firewall Rule and select Business Application Rule.

3. Specify the general rule details.

Application Template

Select Email Servers (SMTP) to configure a rule for SMTP based email applications.

Description

Specify the policy description.

Rule Position

Specify the position of the rule.

Available Options: Top, Bottom

Rule Name

Specify a name to identify the policy.

Figure 119: About This Rule

4. Specify Source details.

Source Zones

Click to select the source zone. Click Add New Item to define a new LAN or DMZ zone.

Allowed Client Networks

Select the allowed host(s) or add a new one by clicking Add New Item.

Blocked Client Networks


Select the blocked host(s)/network(s).

Figure 120: Source

5. Specify Destination & Service details.

Destination Host/Network

Select the destination host/network to which the rule applies. It is the public IP address through which users access the internal server/host over the Internet.

Available Options:

• IP Address - The specified IP address is mapped to a corresponding single mapped IP address or a range of IP addresses. If a single IP address is mapped to a range of IP addresses, the device uses a round robin algorithm to load balance the requests.

• IP Range - The specified IP address range is mapped to a corresponding range of mapped IP addresses. The IP range defines the start and end of an address range; the start of the range must be lower than the end.

• Interface IP (only available for IPv4) - Select when any of the device port, alias or virtual LAN (VLAN) sub-interface is required to be mapped to the destination host or network.

Forward Type

Select the type of external port from the available options.

Available Options: Port, Port Range, Port List, Everything

When Everything is selected, all ports are forwarded. Select other options to enable custom port forwarding and specify port forwarding details.

Service Port(s) Forwarded (not available if Forward Type selected is Everything)

Specify the public port number for which you want to configure port forwarding.

Protocol (not available if Forward Type selected is Everything)

Select the protocol TCP or UDP to be used by forwarded packets.


Figure 121: Destination and Service

6. Specify Forward To details.

Protected Server(s)

Select the option that describes where the email server is hosted.

Available Options:

IP Address – The external IP address is mapped to the specified IP address.

IP Range – The external IP address range is mapped to the specified IP address range.

IP List – The external IP address is mapped to the specified IP list.

FQDN (available only for IPv4 virtual hosts) – The external IP address is mapped to the specified FQDN. The internal mapped server can be accessed by FQDN.

Mapped Port Type (available only if Change Destination Port(s) is selected)

Select the type of mapped port from the available options.

Available Options: Port, Port Range, Port List

Mapped Port (available only if Change Destination Port(s) is selected)

Specify mapped port number on the destination network to which the public port number is mapped.

Protected Zone

Select the zone to which the email server rule applies.

Change Destination Port(s)

Select the check box to specify a different mapped port. Clear the check box to use the same Service Port(s) Forwarded as the mapped port.


Figure 122: Forward To

7. Specify Load balancing details.

Load Balancing (available only if the selected Protected Server is IP Range or IP List and the selected Destination Host/Network is IP Address)

Select the method for load balancing from the available options.

Available Options:

Round Robin – Requests are served sequentially: the first request is forwarded to the first server, the second request to the second server, and so on. When a request is received, the device checks which server was assigned the last request and assigns the new request to the next available server. This method can be used when equal distribution of traffic is required and there is no need for session persistence.

First Alive – All incoming requests are served by the first server (the first IP address configured in the IP range). This server is considered the primary server and all others are considered backups. Only when the first server fails are requests forwarded to the next server in line. This method is used for failover scenarios.

Random – Requests are forwarded to the servers randomly. The device nevertheless ensures that all configured servers receive an equally distributed load, so this method is also called uniform random distribution. It can be used when equal distribution of traffic is required and there is no need for session persistence or a particular order of distribution.

Sticky IP – Along with Round Robin distribution of traffic, the device forwards incoming traffic according to the source IP address. All traffic from a particular source is forwarded only to its mapped server, so all requests for a given source IP are sent to the same application server instance. This method is useful where all requests or sessions must be processed by the same server, for example banking websites or e-commerce websites.

Health Check (available only if Load Balancing is enabled)

Click to enable health check for failover and specify the parameters based on the description shown below.

Port (available only if selected health check method is TCP Probe)

Specify the port number on the server at which health is monitored.

Acceptable range: 1 to 65535

Interval

Specify the time interval in seconds after which the health will be monitored.

Acceptable range: 5 to 65535 seconds

Default: 60

Probe Method

Select the probe method to check the health of the server from the available options.

Available Options: ICMP, TCP

Timeout

Specify the time interval in seconds within which the server must respond.

Acceptable range: 1 to 10 seconds

Default: 2

Retries

Specify the number of probe attempts after which the server is declared unreachable.

Acceptable range: 1 to 10

Default: 3


Figure 123: Load Balancing
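The four distribution methods and the retry-based health check described above, as an added example written in Python for this page (it is not Sophos code and does not reflect the appliance's implementation): the server addresses, method names and probe results are constructed values.

```python
import random

# Constructed example (not Sophos code): simulates how a rule's Load Balancing
# method picks a protected server and how Retries declares a server unreachable.
class Balancer:
    def __init__(self, servers, method, retries=3):
        self.servers = list(servers)        # mapped IP range / IP list, in order
        self.method = method                # round_robin | first_alive | random | sticky_ip
        self.retries = retries              # failed probes before "unreachable"
        self.failures = {s: 0 for s in servers}
        self.unreachable = set()
        self.last = -1                      # index of the server assigned last
        self.sticky = {}                    # source IP -> server (Sticky IP only)

    def probe(self, server, ok):
        """Record one health-check result (the outcome of an ICMP or TCP probe)."""
        if ok:
            self.failures[server] = 0
            self.unreachable.discard(server)
        else:
            self.failures[server] += 1
            if self.failures[server] >= self.retries:
                self.unreachable.add(server)

    def alive(self):
        return [s for s in self.servers if s not in self.unreachable]

    def pick(self, src_ip, rng=random):
        """Return the server that should receive a request from src_ip, or None."""
        alive = self.alive()
        if not alive:
            return None
        if self.method == "first_alive":    # primary server, others are backups
            return alive[0]
        if self.method == "random":         # uniform random distribution
            return rng.choice(alive)
        if self.method == "sticky_ip" and self.sticky.get(src_ip) in alive:
            return self.sticky[src_ip]      # same source keeps its mapped server
        # Round robin: continue from the last assigned server, skipping dead ones
        for _ in range(len(self.servers)):
            self.last = (self.last + 1) % len(self.servers)
            chosen = self.servers[self.last]
            if chosen in alive:
                break
        if self.method == "sticky_ip":      # first contact from src_ip: map it
            self.sticky[src_ip] = chosen
        return chosen
```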

8. Specify Identity details.

Match known users

Match known users allows you to check whether the specified user/user group from the selected zone is allowed to access the selected service or not.

Click to attach the user identity.

Show Captive Portal to unknown users

Select the check box to accept traffic from unknown users. A captive portal page is displayed, where the user can log in to access the Internet.

Clear the check box to drop traffic from unknown users.

User or Groups (available only if Match known users is enabled)

Select the user(s) or group(s) from the list of available options.

Exclude this user activity from data accounting (available only if Match known users is enabled)

Click to exclude or include this user traffic in data accounting.

By default, a user's network traffic is counted in data accounting. Select this option to exclude the traffic allowed through this firewall rule from the user's data transfer accounting.

Figure 124: Identity

9. Specify Malware Scanning details.

Scan SMTP

Click to enable/disable scanning of SMTP traffic.

Scan SMTPS

Click to enable/disable scanning of SMTPS traffic.

Figure 125: Malware Scanning

10. Specify Advanced settings details.

a) Specify Polices for Business Applications.

Intrusion Prevention

Select the required IPS policy. If Match rule based on user identity is enabled, the user's IPS policy is applied automatically, but it will not take effect until the respective module is subscribed.

A new IPS policy can be created directly from this page or from the Protect > Intrusion Prevention > IPS Policies page.

Traffic Shaping Policy (not available if Match known users is selected)

Select the required traffic shaping policy. If Match rule based on user identity is enabled, the user's QoS policy is applied automatically.

A new traffic shaping policy can be created directly from this page or from the System > Profiles > Traffic Shaping page.

Figure 126: Policies for Business Applications

b) Specify Security Heartbeat settings (available only if IPv4 is selected).

Minimum Source HB Permitted


Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block clients with no heartbeat

Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.

Based on that information, you can restrict a source device's access to certain services and networks.

Enable or disable the option to require the sending of heartbeats.

Minimum Destination HB Permitted (not available if Protected Zone selected is WAN)

Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.

Block request to destination with no heartbeat (not available if Protected Zone selected is WAN)

Heartbeat-capable devices can be required to send information on their health status at defined intervals; this is called a heartbeat.

Based on that information, you can block requests to destinations that do not send a heartbeat.

Enable or disable the option to require the sending of heartbeats.


Figure 127: Security Heartbeat

c) Specify Routing details.

Rewrite source address (Masquerading)

Enable or disable rewriting of the source address, or specify a NAT policy.

Use Outbound Address (available only if Rewrite source address is enabled)

Select the NAT policy to be applied from the list of available NAT policies.

A new NAT policy can be created directly from this page or from the System > Profiles > Network Address Translation page.

The default NAT policy is Masquerade.

MASQ (Interface Default IP): The IP address of the selected Protected Zone, as configured in Configure > Network > Interfaces, is displayed instead of (Interface Default IP).

Create Reflexive Rule

Select ON to automatically create a reflexive firewall rule for the protected host.

The reflexive rule has the same policies as those configured for the hosted server but instead of source zone to destination zone, this rule is applicable on traffic from destination zone to source zone.
