topic Re: Application Filter on Internal Traffic for 1570R in Spark Firewall (SMB)

Application Filter on Internal Traffic for 1570R

Schnell — Wed, 22 Jun 2022 08:59:31 GMT

Hi,

New here. Working on 1570R and SMB R80.20.30.

We would like to leverage some of this "OT intelligence" in the 1570R for tighter control of the traffic in an OT environment. For that I'm trying to make application filtering work between two hosts, but it looks like the functionality is locked to the "Outgoing access to the Internet" policy. To circumvent that I have tried making one the LAN interfaces an "Internet" interface, and the policy kicks in, but only in the outgoing direction. NAT is disabled.

How to use application filtering on internal traffic in general? Is that not possible?

Would it work with another model? I'm under the impression that 1570R is currently the only model you can buy that has "OT intelligence" regarding SCADA protocols etc.

Best regards

Schnell

Re: Application Filter on Internal Traffic for 1570R

G_W_Albrecht — Wed, 22 Jun 2022 11:08:03 GMT

sk102296: How to activate inspection on internal traffic on Quantum Spark appliances

Stateful Inspection - Perform deep packet inspection on LAN to LAN traffic

bool

false

Stateful Inspection - Perform deep packet inspection on traffic between LAN and DMZ networks

bool

false

Re: Application Filter on Internal Traffic for 1570R

G_W_Albrecht — Wed, 22 Jun 2022 12:18:23 GMT

See sk177203: Quantum IoT Controller [IoT Protect] Security Best Practices

Re: Application Filter on Internal Traffic for 1570R

Schnell — Wed, 22 Jun 2022 15:17:26 GMT

Thank you.

I have changed both to "true", rebooted and done some testing. It seems to be the same as before. I can still only choose applications in "Outgoing access to the Internet" policy, however that policy does not seem to apply for internal traffic.

In "Firewall" -> "Blade Control" I have tried enabling and editing the "Block other undesired applications". I used every version of Internet Explorer as a test. However when I do a HTTP request in IE on either host it simply just allows the traffic. It uses the "Any Any HTTP Allow" test rule which is currently first on the list in "Incoming, Internal and VPN traffic" policy.

In either case, a black list like "Block other undesired applications" was not the intended solution, we were looking for a white list functionality like it seems to be possible with "Outgoing access to the Internet" policy.

Am I missing something?