In this article we will discuss how to implement web protection in Sophos XG to block or allow websites through the Sophos XG firewall.
In this article my requirement is to block the Facebook website and allow the Twitter website in the same web policy. First we need to create a web policy.
Creating Web Policy:
Log in to the firewall, click on Web, and then create individual URL groups for Facebook and Twitter.
Click on Web >> URL groups and then add a URL group.
Facebook URL Group
Twitter URL Group
Now add these two URL groups to two different user activities. Click on Web >> User activities, add a user activity, and add the URL group to that user activity.
Facebook User Activity
Twitter User Activity
Now that we have created two different user activities for the two URL groups, we need to integrate these two user activities into a web policy. We need to allow the Twitter user activity and block the Facebook user activity.
Once you add this web policy, make sure to turn on the web policy rule by clicking on the enable option beside that rule, as shown in the above image. Now save the web policy which you have created.
We need to integrate the web policy with a firewall rule. Identify the specific firewall rule and add this new policy to it, as shown below.
As shown in the above image, we have added the test web policy to the firewall rule. If we do not enable the option "Scan HTTP and Decrypted HTTPS", the firewall might not block secured URLs, as the firewall cannot intercept the secure connections. For this scan HTTP option to work properly, we need to download the firewall's HTTPS certificate onto all clients in your network.
Installing HTTPS Certificate:
To identify which secure certificate is being used, click on Web and then click on General Settings.
It is using the securityappliance certificate. Click on Certificates >> Certificate Authorities, identify Securityappliance_SSl_CA, and then click on the download option as shown in the below image.
It will be downloaded in PEM format as shown in the below image.
Open Run on the Windows machine and type the command "certmgr.msc" as shown in the below image.
Then right-click on Trusted Root Certification Authorities and click on import certificate as shown in the below image.
Now click Next, select Local Machine, and then click Browse to locate the PEM file which we have downloaded to this machine, as shown in the image below.
Note: Make sure to select the All Files option as shown in the above image, otherwise the PEM file will not be listed for selection.
Now click Next, select the option to place the certificate in Trusted Root Certification Authorities, then click the Next button multiple times and click the Finish button in the final step.
Import will be successful.
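A scripted equivalent of the import steps above, for rolling the CA certificate out to many Windows clients (an added example, not part of the original article). The file path and the expected fingerprint are placeholders; the script assumes you have read the CA's SHA-256 fingerprint from the firewall through a separate trusted channel, and it must run from an elevated PowerShell prompt.

```powershell
# Added example: verify the downloaded firewall CA, then import it into LocalMachine\Root.
param(
    # Assumed path: wherever the PEM downloaded from the firewall was saved.
    [string]$PemPath = 'C:\Temp\SecurityAppliance_SSL_CA.pem',
    # Placeholder: SHA-256 fingerprint of the CA, obtained out of band from the firewall.
    [string]$ExpectedSha256 = '<SHA256-FINGERPRINT-FROM-FIREWALL>'
)
$ErrorActionPreference = 'Stop'

# Load the PEM file; the constructor accepts Base64 (PEM) and DER encodings.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemPath

# 1. Refuse a file whose fingerprint differs from the one read from the firewall.
#    A root CA trusted on every client can sign for any site, so this check matters.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()
if ($actual -ne $expected) {
    throw "Fingerprint mismatch. File has $actual, expected $expected."
}

# 2. Confirm it really is a CA certificate and has not expired.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Certificate '$($cert.Subject)' is not marked as a CA."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# 3. Add it to the machine-wide Trusted Root Certification Authorities store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open('ReadWrite')
try {
    $store.Add($cert)   # adding a certificate that is already present is harmless
    $found = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($found.Count -eq 0) { throw 'Import failed: certificate not found in store.' }
} finally {
    $store.Close()
}

# 4. Report what was trusted so the change can be logged.
[pscustomobject]@{
    Subject = $cert.Subject
    Sha256  = $actual
    Expires = $cert.NotAfter
    Store   = 'LocalMachine\Root'
}
```

With the placeholder fingerprint left in place the script stops at step 1 and imports nothing.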
Hope this article helps you