Sophos Firewall

- Comprehensive network security device with a zone-based firewall and identity-based policies at
its core.
- Protects wired networks, and its wireless controller for Sophos access points also provides secure
wireless networking.
- Protection is given through a single cloud-based platform.
- Can expose hidden risks, stop unknown threats and isolate infected systems.
- Supports Zero Trust Network Access (ZTNA) by providing network segmentation and lateral
movement protection.
- Provides multiple layers of protection to detect and block attacks.
- The delivery and exploitation phases of an attack are both intended to get malicious code onto a device
and have it executed.
- Once malware is running or an attacker is on a device, attacks can be detected based on behavior.
Deployment
- Can be deployed using XGS series and XG series hardware appliances, virtually on-premises or in the
cloud, or on Intel-compatible hardware.
- XGS series appliances have a 64-bit CPU and a separate network processing unit (NPU), each with its
own memory. The XGS series supports dual power supplies, PoE, fail-to-wire, and expansion with
FlexiPort modules.
- Can be deployed in various ways; the most common are default gateway mode, transparent bridge,
web server protection, and discover mode.
- The CLI can be used to change the IP address of the management port so that you can connect to
the WebAdmin to complete the initial setup wizard.
- The initial Setup Wizard provides a web interface to configure and register the firewall.
- The secure storage master key is used to provide additional protection for account and password
details stored in the device and in configuration backups.
Firewall and NAT rules
- Firewall and NAT rules are processed in order with the first rule to match being used.
- If no firewall rule is matched the traffic will be dropped.
- Firewall rules of DNAT traffic use the post-NAT zone and pre-NAT IP address.
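As an added illustration (not Sophos code), the following Python model applies the three rules above: ordered first-match evaluation, an implicit drop when nothing matches, and a firewall lookup for DNAT traffic on the post-NAT zone and pre-NAT destination address. The zone names, addresses and rules are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src_zone: str
    dst_zone: str  # zone of the destination as seen before any NAT
    dst_ip: str    # pre-NAT destination IP
    dst_port: int

@dataclass
class DnatRule:
    orig_ip: str          # public (pre-NAT) destination
    orig_port: int
    translated_ip: str    # internal server the traffic is forwarded to
    translated_zone: str  # zone the server lives in (post-NAT zone)

@dataclass
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_net: str              # CIDR, matched against the PRE-NAT destination IP
    dst_port: Optional[int]   # None = any service
    action: str               # "accept" or "drop"

def first_dnat(pkt, dnat_rules):
    """DNAT rules are an ordered list; the first matching rule is used."""
    return next((r for r in dnat_rules
                 if pkt.dst_ip == r.orig_ip and pkt.dst_port == r.orig_port), None)

def evaluate(pkt, dnat_rules, fw_rules):
    """Return (action, matched rule name, IP the packet is forwarded to)."""
    nat = first_dnat(pkt, dnat_rules)
    # Firewall lookup for DNAT traffic uses the post-NAT zone but the pre-NAT IP.
    lookup_zone = nat.translated_zone if nat else pkt.dst_zone
    for rule in fw_rules:  # ordered list, first match wins
        if (rule.src_zone == pkt.src_zone and rule.dst_zone == lookup_zone
                and ip_address(pkt.dst_ip) in ip_network(rule.dst_net)
                and rule.dst_port in (None, pkt.dst_port)):
            return rule.action, rule.name, nat.translated_ip if nat else pkt.dst_ip
    return "drop", "implicit-drop", None  # no rule matched: traffic is dropped

# Constructed sample policy: publish a DMZ web server behind a public address.
DNAT = [DnatRule("203.0.113.10", 443, "10.0.1.20", "DMZ")]
RULES = [
    FirewallRule("publish-web", "WAN", "DMZ", "203.0.113.10/32", 443, "accept"),
    FirewallRule("lan-to-wan", "LAN", "WAN", "0.0.0.0/0", None, "accept"),
]
```

Note that "publish-web" is written with destination zone DMZ (post-NAT) and destination network 203.0.113.10 (pre-NAT); a rule written with destination zone WAN would never match the published traffic.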
Configuring TLS Decryption on Sophos Firewall
- TLS inspection rules can match on source and destination zones and networks, users, services and
websites.
- TLS inspection exclusions are managed using web URL groups. There are two URL groups by
default, one locally managed and one Sophos managed.
- TLS inspection settings are generic engine-based settings that will apply globally to all rules.
- Decryption profiles contain the settings for which signing CAs to use, how to handle non-decryptable
traffic, and which connections will be blocked based on errors, key size and algorithms.
Intrusion Prevention on Sophos Firewall
- Intrusion Prevention on Sophos Firewall comprises IPS policies, spoof protection and denial-of-service
(DoS) protection.
- IPS policies are an ordered list of rules. Each rule contains one or more signatures, and signatures
can be automatically selected for the rule using filters. Each rule also has an action.
- To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to a
firewall rule.
Enabling Advanced Threat Protection on Sophos Firewall
- ATP uses data from all enabled services on Sophos Firewall to detect compromised computers on
the network connecting to command-and-control servers.
- ATP can be configured to either log or log and drop traffic to command-and-control servers.
- ATP can be configured to either inspect only content coming from untrusted sources or going to
untrusted destinations, or to inspect all content.
Security Heartbeat on Sophos Firewall
- The Security Heartbeat is established between the Sophos Central managed endpoints and the
firewall. Sophos Central brokers trust between the endpoints and firewall so they must be
registered to the same Sophos Central account.
- Traffic from endpoints with a RED health status can be blocked if it is passing through the
firewall. To prevent lateral movement, the firewall will share the MAC addresses of devices with
a RED health status with all other devices it has a heartbeat with.
- Security Heartbeat must be configured in firewall rules to set a minimum health status for source
and destination. Optionally, you can select to require a heartbeat.
Connecting Sites with Sophos Firewall
- Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices
(REDs).
- Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to set up, and IPsec,
which is more configurable and flexible.
- All VPN connections are automatically added to the VPN zone, a special zone with no physical
interfaces that cannot be edited.
Configuring SSL Site-to-Site VPNs on Sophos Firewall
- SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs.
- You need to enable SSL VPNs for the zones you want to create them in.
- You configure the connection on the server Sophos Firewall then upload the configuration file to
the client Sophos Firewall.
IPsec Site-to-Site VPNs on Sophos Firewall
- IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of
the VPN need to support the same settings.
- Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separately from the connection.
- Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.
- Firewall rules can be created automatically when you create a policy-based VPN but are broad
and should be edited.
Remote Ethernet Devices on Sophos Firewall
- RED requires DHCP, DNS, and ports TCP 3400 and UDP 3410.
- RED can be deployed in three modes: standard/unified, standard/split and transparent/split. Each
deployment mode requires a slightly different configuration.
- There are two RED models: SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G
module using the expansion bay.
Authentication on Sophos Firewall
- Sophos Firewall’s authentication capabilities provide the opportunity to control access to network
resources, filter websites, route traffic, control applications and more. You can also get detailed
reporting on user activity and identify high-risk users.
- Authentication can be done locally on Sophos Firewall or, more commonly, configured to use
external servers such as Active Directory, Novell eDirectory, RADIUS, TACACS+ and LDAP/LDAPS.
- You can add users to the Sophos Firewall manually or import via CSV and these can be either
users or administrators.
Authentication Servers and Services on Sophos Firewall
- Sophos Firewall can be configured to authenticate using external servers. To use Synchronized
User Identity an Active Directory authentication server must be configured.
- Groups can be imported from Active Directory. When a user logs in they will be automatically
added to the firewall group that matches their Active Directory group.
- By default, authentication for Services is Local. Once authentication servers have been added
these can be enabled for services such as Firewall and User portal.
Configuring Azure AD SSO on Sophos Firewall
- Sophos Firewall allows you to configure Azure AD single sign-on for administrators to log in to the
web console using capabilities included in the free tier of Azure AD.
- You need to configure an app registration with a client secret, app role, API permissions and
redirect URI in Azure AD.
- On Sophos Firewall you need to add an authentication server using the app registration details
from Azure. This page will provide the redirect URI to use in the app registration.
Sophos Firewall Authentication
- Sophos Firewall has three types of users. Clientless users are identified by their IP address. Guest
users are given temporary network access. Standard users authenticate locally or using an external
server such as Active Directory.
- Synchronized User Identity provides transparent user authentication by sharing the user’s identity
through the Security Heartbeat connection.
- Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The
Sophos Transparent Authentication Suite provides transparent SSO using an agent on the
Microsoft Active Directory domain controller.
Enabling MFA on Sophos Firewall
- Sophos Firewall supports MFA using OTP. These can be either software tokens, such as Sophos
Authenticator, or hardware tokens if they conform to RFC 6238.
- Tokens can be automatically generated so when a user logs into the User Portal after OTP has
been enabled, the prompt to configure a software token is displayed. Typically, this is done by
scanning the QR code with an app.
- Additional codes can be added to a user’s token if the user does not have access to the OTP app.
These are a set of single use codes that will automatically be removed after they are used.
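Added example, not Sophos code: a minimal RFC 6238 TOTP verifier (HMAC-SHA1, 30-second step) together with the additional single-use codes described above, checked against the RFC's published reference secret. The UserToken class and the backup code values are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30  # RFC 6238 default time step in seconds

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the counter floor(T / STEP)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- window steps to tolerate token clock drift."""
    return any(hmac.compare_digest(totp(secret, now + i * STEP), code)
               for i in range(-window, window + 1))

class UserToken:
    """A user's OTP token plus additional single-use codes (stored hashed)."""
    def __init__(self, secret: bytes, additional_codes):
        self.secret = secret
        self._codes = {hashlib.sha256(c.encode()).hexdigest() for c in additional_codes}

    def remaining_codes(self) -> int:
        return len(self._codes)

    def authenticate(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        if verify_totp(self.secret, code, now):
            return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._codes:
            self._codes.remove(digest)  # single use: removed once consumed
            return True
        return False

# Constructed sample: the RFC 6238 reference secret and made-up additional codes.
RFC_SECRET = b"12345678901234567890"
demo = UserToken(RFC_SECRET, ["4821-9930", "7713-0042"])
```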
Sophos Firewall Web Protection
- DPI implements proxy-less filtering handled by the IPS engine. It provides port-agnostic protocol
detection and supports offload of traffic flows to the network FastPath. It can decrypt and scan
TLS 1.3 traffic.
- When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be processed by
the web proxy for decryption, web policy and content scanning before being handed to the DPI
engine for application control and IPS.
- If Sophos Firewall is the network gateway, web filtering can be enabled for the traffic passing
through it. When it is not the primary network gateway it can operate in bridge mode,
transparently filtering the web traffic, or be configured as an explicit proxy.
Configuring Web Protection on Sophos Firewall
- Web policy rules can apply to specific users and groups, or anyone. They define the activities or
types of web traffic and have an action to allow, warn, apply quota or block. A separate action can
be applied to HTTPS traffic.
- The web filtering policy is selected in the security features of the firewall rule. It provides an
option to use the web proxy or the DPI engine. Some policy options can only be enforced by the
web proxy.
- Web policy overrides allow authorized users to override blocked sites on user devices,
temporarily allowing access.
Sophos Firewall Web Protection Quotas and Traffic Shaping
- Using web policies, you can include rules to apply a quota action to all activities. When a user
accesses an activity with a quota, they are asked how much time to use.
- Surfing quotas are applied to users and groups. Unlike web policy rule quotas, surfing quotas
apply to all Internet traffic.
- Traffic shaping does not limit the amount of time or data. Instead, it can either limit or guarantee
how much bandwidth will be available. As well as web categories, it can be applied to users and
groups, firewall rules and applications.
Application Control on Sophos Firewall
- Application filters are an ordered list of rules that allow or deny applications based on filter
criteria. Application filters need to be applied in a firewall rule.
- Synchronized application control can detect unknown applications using Security Heartbeat.
Discovered applications are automatically classified and allowed or blocked based on your
application filters. You can also reclassify applications.
- Sophos Firewall can detect cloud applications; these can be classified to report on use of
unsanctioned applications on the network.
Remote Access VPNs on Sophos Firewall
- The VPN assistant streamlines the configuration of everything required for remote access SSL
VPNs.
- The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These
settings are global and apply to site-to-site SSL VPNs.
- The Sophos Connect client supports both IPsec and SSL VPNs and can be downloaded from both
the web admin and user portal. The SSL VPN configuration is downloaded in the user portal,
whereas the IPsec VPN configuration is downloaded in the web admin.
Configuring Clientless Access on Sophos Firewall
- Clientless SSL VPN provides access to internal resources through bookmarks in the VPN section of
the user portal.
- Bookmarks can be created for: RDP, TELNET, SSH, FTP, SMB and VNC. Each bookmark is a
single session for that resource.
- Policies assign bookmarks to users and groups.
Wireless Protection on Sophos Firewall
- Sophos Firewall can manage wireless network traffic using three client traffic modes: bridge to
AP LAN, bridge to VLAN and separate zone.
- Sophos Firewall supports the APX series and legacy AP series access points.
- The desktop models of XGS have an internal wireless variant that includes a single radio. Larger
desktop models include an option to add a second wireless radio module.
Deploying Wireless Protection on Sophos Firewall
- Access points send discovery packets to 1.2.3.4, which, being an Internet-routable address, are sent
to the default gateway, assumed to be Sophos Firewall. This can be overridden by DHCP if Sophos
Firewall is not the default gateway.
- Access points will appear as pending in the web admin until they are accepted by an
administrator.
- Wireless networks define security and authentication requirements as well as network parameters.
Wireless networks need to be assigned to access points to start broadcasting.
Creating Hotspots on Sophos Firewall
- There are three types of hotspots: terms of acceptance, voucher and password of the day. Terms
can optionally be enabled for voucher and password hotspots.
- Voucher-based hotspots require voucher definitions that specify the validity period and can
optionally also have time and data quotas.
- Vouchers and passwords can be managed in the user portal by the administrative users selected in
the hotspot configuration.
Running and Customizing Reports on Sophos Firewall
- Sophos Firewall includes many built-in reports, including for compliance. You can quickly filter
these reports by selecting fields in the charts. Once you have customized the report you can create
a bookmark, and optionally schedule it to be sent via email.
- Sophos Firewall includes metrics such as the application risk meter and user threat quotient
(UTQ) to help identify risks on the network.
- Threat intelligence reports for files that have been referred to zero-day protection are accessed
from Monitor & Analyze > Zero-day protection > Downloads and attachments.
Managing Logs and Notifications on Sophos Firewall
- Access the log viewer using the link in the top-right from every page of the WebAdmin. Here you
can select which logs to view, filter the logs, customize the columns, and click on fields to access
and modify policies.
- You can select which events Sophos Firewall will log, and optionally choose to suppress identical
firewall events. Sophos Firewall supports up to five external syslog servers to tie into your
existing reporting systems.
- You can enable email and SNMP notifications from Sophos Firewall, and you can select which
events to log independently for each protocol.
Managing Sophos Firewall in Sophos Central
- All licenses include Central Management for Sophos Firewall, including real-time remote access
to the web admin, scheduling of firmware updates and backups, firewall configuration
management using groups.
- You can configure VPN-orchestrated SD-WAN networks in Sophos Central using SD-WAN connection
groups. This requires Central Orchestration as part of the license.
- Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected into Sophos Central. Zero-touch configuration files can only
be created for unregistered hardware serial numbers.
Firewall Reporting in Sophos Central
- Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos
Central. You can filter logs and reports from Sophos Firewall and create customized reports.
- To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos
Central and the option Send logs and reports to Sophos Central must be enabled. You can
customize the data that is uploaded in the log settings.
- Each CFR Advanced license includes 100 GB of data storage and enables reporting on multiple
firewalls, saving templates and scheduling reports.
How to Find Help from Sophos
- Help can be found by navigating to sophos.com/support.
- Contact Sophos support via the support portal, live chat and Twitter.
- Stay up to date with Sophos news and alerts by joining the Sophos Community and signing up for
news alerts via SMS or RSS.