Creating Hotspots on Sophos

Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5530: Creating Hotspots on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Creating Hotspots on Sophos Firewall - 1

 Creating Hotspots on Sophos Firewall
In this chapter you will learn the RECOMMENDED KNOWLEDGE AND EXPERIENCE
three types of hotspot that you ✓ Deploying wireless networks on Sophos Firewall
can create on Sophos Firewall.

DURATION

8 minutes

In this chapter you will learn the three types of hotspot that you can create on Sophos Firewall.

Creating Hotspots on Sophos Firewall - 2

 Type of Hotspot

Terms of acceptance

Password of the day

Voucher

Hotspots can be used to provide a number of functions depending on how it is configured. There
are three hotspot types:
• Terms of use acceptance, where users have to agree to a set of terms before getting access
through the hotspot
• Password of the day, a password needs to be provided by users and it is generated daily
• Voucher, each user has their own voucher for access that can be used to limit access time or
data allowance

Hotspots are accessed after the device is connected to the network and do not replace the security
mode selected for wireless networks. They are deployed to interfaces on the Sophos Firewall,
whether that is a physical port or a wireless interface from a separate zone. This means that
hotspots are not limited to being used with wireless networks or Sophos access points.

Users can only access the hotspot to authenticate, and resources defined in the walled garden
hotspot settings until they are authenticated. Once authenticated, network access is controlled by
firewall rules.

Creating Hotspots on Sophos Firewall - 3

 Creating Hotspots

Any interface not in the

WAN zone

Policies to apply to traffic

from the hotspot

To configure a hotspot, start by selecting which interfaces it will apply to; this can be any interface
that is not in the WAN zone.

You can select policies to apply to the traffic coming from the hotspot. You will see where these
are used later.

Creating Hotspots on Sophos Firewall - 4

 Creating Hotspots

Force HTTPS for

authenticating with the
hotspot

Terms of acceptance
Password of the day
Voucher

When users access the hotspot using HTTP you can choose to redirect to HTTPS.

You need to select the hotspot type, each of which will have some associated configuration.

For voucher and password hotspots you need to select administrative users. These are users that
can manage the vouchers and password for the hotspot in the user portal. Note that these users
do not have to be administrators on the firewall.

Creating Hotspots on Sophos Firewall - 5

 Creating Hotspots

Terms can be enabled for

password of the day and
voucher hotspots

Customize the look of the

hotspot

If you are using a password of the day or voucher hotspot you can still enable a terms of use that
has to be accepted.

You can optionally redirect users to a specific URL after they have authenticated with the hotspot,
and you can customize the look of the hotspot.

Creating Hotspots on Sophos Firewall - 6

 Firewall and NAT

When you save the hotspot, a firewall rule and linked NAT rule will be created. In the firewall rule,
the policies that you selected when creating the hotspot will be applied.

Creating Hotspots on Sophos Firewall - 7

 Voucher Definitions

For voucher-based hotspots you can define different vouchers. All vouchers must have a validity
period but can also include time and data quotas.

Creating Hotspots on Sophos Firewall - 8

 Creating Vouchers

Vouchers are created for hotspots in the user portal by the administrative users selected in the
hotspot configuration.

To generate vouchers, select the hotspot, the voucher definition, and the number of vouchers to
create. You can optionally choose to print the vouchers with a QR code, and this will generate a
PDF you can print.

Creating Hotspots on Sophos Firewall - 9

 Creating Vouchers

Once vouchers have been created you can view and manage them at the bottom of the page.

Creating Hotspots on Sophos Firewall - 10

 Managing Passwords

Similarly, when using a password of the day, this can be managed through the user portal by the
selected administrative users. Here you can view the current password for a hotspot and generate
a new password.

Creating Hotspots on Sophos Firewall - 11

 Hotspot Settings

Automatically delete
expired vouchers

Select the certificate for

the hotspot

There are some hotspot specific settings where you can:

• Delete expired vouchers from the database after a given time period
• Select a certificate for the hotspot to use for authentication

Creating Hotspots on Sophos Firewall - 12

 Hotspot Settings

Limit access to internal

resources through the
hotspot

Download templates for

customizing the hotspot
and vouchers

Further down on the hotspot settings page you can configure a walled garden. This is the set of
resources that devices can access without authentication to the hotspot.

At the bottom of the page, you can download sign-in page templates and voucher templates and
change them to suit your branding and security requirements. For the voucher template we
support PDF version 1.5 and later.

Creating Hotspots on Sophos Firewall - 13

 Chapter Review

There are three types of hotspot: terms of acceptance, voucher, and password of the
day. Terms can optionally be enabled for voucher and password hotspots

Voucher-based hotspots require voucher definitions that specify the validity period and
can optionally also have time and data quotas

Vouchers and passwords can be managed in the user portal by the administrative users
selected in the hotspot configuration

Here are the main things you learned in this chapter.

There are three types of hotspot: terms of acceptance, voucher, and password of the day. Terms
can optionally be enabled for voucher and password hotspots.

Voucher-based hotspots require voucher definitions that specify the validity period and can
optionally also have time and data quotas.

Vouchers and passwords can be managed in the user portal by the administrative users selected in
the hotspot configuration.

Creating Hotspots on Sophos Firewall - 18

Creating Hotspots on Sophos Firewall - 19