Pen Test flag for <control-hostout-traffic>
One of my clients had a pen test done recently and it flagged this for a T45 cluster setup:
Unrestricted Firewall Outbound Traffic
Firewalls are typically designed to control inbound and outbound traffic for internal networks. However, the firewall itself should also be restricted from initiating arbitrary outbound connections.
In this case, outbound traffic control for the firewall is disabled. This allows the firewall device to initiate connections to any external destination without restriction.
This appears to be because they analysed the XML config file and found:
<control-hostout-traffic>0</control-hostout-traffic>
Does this mean I have to start with a From Firebox To Any Denied and then specifically allow the services that it needs? I'm worried that could go very wrong very quickly and lock me out. I know I could factory reset back to the last config but that's downtime.
Anyone else been down this path?
Thanks.
Comments
Sorry, that should have read:
<control-hostout-traffic>0</control-hostout-traffic>
in the XML.
You can enable this option - Traffic Generated by the Firebox
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html#FireboxGeneratedTraffic
This will create an "Any From Firebox" Policy at the top of your policies list.
You can change to manual order and place specific policies above this policy.
You can enable this option - Enable logging for traffic sent from this device
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html#FireboxGeneratedTraffic
This will allow you to see what traffic is generated by the firewall, so that you can define policies allowing such traffic and place them above the "Any From Firebox" policy.
When all desired "from firewall" policies have been added, you can add a general deny from the firewall to Any-external, just above the "Any From Firebox" policy.
Have logging on this policy and perhaps "Send email notification" so that you can find out if there is some outgoing traffic that you have missed.
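As a worked companion to the logging step described above (added here; not code from the thread or from WatchGuard): a Python sketch that reduces Firebox-generated traffic log lines which only matched the catch-all policy to the protocol/port/destination tuples that still need explicit "from Firebox" policies. The log line layout, the sample addresses and the interface labels `Firebox` / `0-External` are constructed assumptions for this example; only the policy name "Any From Firebox" comes from the reply.

```python
import re
from collections import Counter

# Constructed sample lines in the general shape of a traffic log entry
# (action, source interface, destination interface, protocol, src/dst IP,
# src/dst port, policy name in parentheses). The field layout is an
# assumption made for this example, not the documented Fireware format.
SAMPLE_LOG = """\
Allow Firebox 0-External udp 192.0.2.1 203.0.113.53 53 53 (Any From Firebox-00)
Allow Firebox 0-External udp 192.0.2.1 203.0.113.123 123 123 (Any From Firebox-00)
Allow Firebox 0-External tcp 192.0.2.1 203.0.113.10 44123 443 (Any From Firebox-00)
Allow Firebox 0-External tcp 192.0.2.1 198.51.100.7 44124 443 (Any From Firebox-00)
Allow Firebox 1-Trusted tcp 192.168.1.1 192.168.1.20 44125 8080 (Any From Firebox-00)
Allow 1-Trusted 0-External tcp 192.168.1.50 203.0.113.10 50000 443 (HTTPS-proxy-00)
"""

LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<src_if>\S+)\s+(?P<dst_if>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<dst_ip>\S+)\s+(?P<src_port>\d+)\s+(?P<dst_port>\d+)\s+"
    r"\((?P<policy>[^)]*)\)$"
)


def firebox_outbound_summary(log_text, catch_all="Any From Firebox", external_if="0-External"):
    """Count flows the firewall itself sent to the external interface that were
    only allowed by the catch-all policy. Anything counted here is traffic that
    a specific policy placed above the catch-all should cover before the
    general deny is added. Returns Counter[(proto, dst_ip, dst_port)] -> hits."""
    summary = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # constructed format only; skip anything that does not fit
        if m["src_if"] != "Firebox" or m["dst_if"] != external_if:
            continue  # not firewall-originated, or not leaving via external
        if not m["policy"].startswith(catch_all):
            continue  # already matched a specific policy
        summary[(m["proto"], m["dst_ip"], int(m["dst_port"]))] += 1
    return summary


def propose_policies(summary):
    """Group the catch-all hits by (proto, dst_port) -> set of destinations, which
    is roughly one candidate 'from Firebox' policy per key (e.g. udp/53 to the
    resolvers, udp/123 to the NTP servers, tcp/443 to the update hosts)."""
    proposals = {}
    for (proto, dst_ip, dst_port) in summary:
        proposals.setdefault((proto, dst_port), set()).add(dst_ip)
    return proposals
```

Run it over a real export of the "Any From Firebox" log entries collected for a few days and review each proposed group before turning it into a policy; a destination that appears once may be a one-off you want the final deny to block.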