Sophos Firewall
- Comprehensive network security device with a zone-based firewall and identity-based policies at
its core.
- Protects not only wired networks: its built-in wireless controller for Sophos access points can
also provide secure wireless networking.
- Protection is managed through a single cloud-based platform.
- Can expose hidden risks, stop unknown threats and isolate infected systems.
- Supports Zero Trust Network Access (ZTNA) by providing network segmentation and lateral
movement protection.
- Provides multiple layers of protection to detect and block attacks.
- The delivery and exploitation phases are both intended to get malicious code onto a device and
have it executed.
- Once malware is running or an attacker is on a device, attacks can be detected based on behavior.
Deployment
- Can be deployed on XGS series and XG series hardware appliances, virtually on-premise and in
the cloud, or on Intel-compatible hardware.
- XGS series appliances have 64-bit CPU and a separate network processing unit (NPU), both with
their own memory. The XGS series has support for dual power supplies, PoE, fail-to-wire, and
expansion with FlexiPort modules.
- Can be deployed in various ways; the most common are default gateway mode, transparent bridge,
web server protection, and discover mode.
- The CLI can be used to change the IP address of the management port so that you can connect to
the WebAdmin to complete the initial setup wizard.
- The initial Setup Wizard provides a web interface to configure and register the firewall.
- The secure storage master key is used to provide additional protection for account and password
details stored in the device and in configuration backups.
Firewall and NAT rules
- Firewall and NAT rules are processed in order with the first rule to match being used.
- If no firewall rule is matched the traffic will be dropped.
- Firewall rules for DNAT traffic are matched on the post-NAT zone and the pre-NAT IP address.
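The three points above (ordered first-match processing, the implicit drop when nothing matches, and matching DNAT traffic on the post-NAT zone but the pre-NAT address) are easy to get wrong when writing rules. The following added example is a small Python model of that evaluation, not Sophos code and not the firewall's configuration format; the zones, rule fields, addresses (RFC 5737 documentation ranges) and rule names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map: any address outside a configured zone is treated as WAN.
ZONES = {
    "LAN": ip_network("10.0.0.0/24"),
    "DMZ": ip_network("172.16.0.0/24"),
}


def zone_of(ip):
    """Zone that an address belongs to, or WAN if it is in no configured zone."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass
class Packet:
    src: str
    dst: str
    service: str


@dataclass
class NatRule:
    original_dst: str    # pre-NAT destination, matched against the incoming packet
    translated_dst: str  # internal host the packet is redirected to
    service: str


@dataclass
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_hosts: tuple     # networks to match; empty tuple means any destination
    service: str         # "any" matches every service
    action: str          # "accept" or "drop"


def apply_dnat(pkt, nat_rules):
    """NAT rules are also first-match: return the translated packet, or the original."""
    for rule in nat_rules:
        if pkt.dst == rule.original_dst and pkt.service == rule.service:
            return Packet(pkt.src, rule.translated_dst, pkt.service)
    return pkt


def evaluate(pkt, nat_rules, fw_rules):
    """Return (action, rule name). Rules are tried in order and the first match wins;
    if no rule matches, the packet is dropped. For DNAT traffic the destination zone
    is the post-NAT zone (where the translated host lives), while the destination
    host is matched on the pre-NAT address the client actually connected to."""
    translated = apply_dnat(pkt, nat_rules)
    src_zone = zone_of(ip_address(pkt.src))
    dst_zone = zone_of(ip_address(translated.dst))  # post-NAT zone
    match_ip = ip_address(pkt.dst)                   # pre-NAT address
    for rule in fw_rules:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.service not in ("any", pkt.service):
            continue
        if rule.dst_hosts and not any(match_ip in ip_network(n) for n in rule.dst_hosts):
            continue
        return rule.action, rule.name
    return "drop", "implicit-drop"


# Constructed rule sets: a published web server in the DMZ, one blocked external
# host, and a broad outbound rule that must come last or it shadows the block.
NAT_RULES = [NatRule("203.0.113.10", "172.16.0.5", "https")]
FW_RULES = [
    FirewallRule("publish-web", "WAN", "DMZ", ("203.0.113.10/32",), "https", "accept"),
    FirewallRule("block-risky-host", "LAN", "WAN", ("192.0.2.66/32",), "any", "drop"),
    FirewallRule("lan-to-internet", "LAN", "WAN", (), "any", "accept"),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "203.0.113.10", "https"),
                Packet("198.51.100.7", "203.0.113.10", "ssh"),
                Packet("10.0.0.5", "192.0.2.66", "https")):
        print(pkt, "->", evaluate(pkt, NAT_RULES, FW_RULES))
```

Two checks worth running against the model: reverse the rule list and the broad `lan-to-internet` rule accepts traffic to the blocked host before `block-risky-host` is ever reached; write `publish-web` against the internal address `172.16.0.5/32` instead of the public one and the published server becomes unreachable, because the host match is done on the pre-NAT address.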
Configuring TLS Decryption on Sophos Firewall
- TLS inspection rules can match on source and destination zones and networks, users, services and
websites.
- TLS inspection exclusions are managed using web URL groups. There are two URL groups by
default, one locally managed and one Sophos managed.
- TLS inspection settings are generic engine-based settings that will apply globally to all rules.
- Decryption profiles contain the settings for which signing CAs to use, how to handle non-
decryptable traffic, and which connections will be blocked based on certificate errors, key size
and algorithms.
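To make the interaction between exclusions, non-decryptable traffic and the blocking criteria concrete, here is an added example in Python. It is not Sophos code: the `Connection` and `DecryptionProfile` fields, the exclusion hostnames, the CA name and the order in which the checks are applied are all constructed to illustrate the settings described above.

```python
from dataclasses import dataclass


@dataclass
class Connection:
    host: str                 # destination website (SNI)
    tls_version: str
    key_type: str             # "rsa" or "ec"
    key_bits: int
    sig_hash: str             # hash used in the server certificate signature
    cert_errors: tuple = ()   # e.g. ("expired",), ("untrusted_ca",), ("name_mismatch",)
    decryptable: bool = True  # False for pinned apps, client-certificate auth, etc.


@dataclass
class DecryptionProfile:
    name: str
    signing_ca: str  # CA used to re-sign certificates for decrypted connections
    block_on_errors: frozenset = frozenset({"untrusted_ca", "expired", "name_mismatch"})
    blocked_versions: frozenset = frozenset({"SSLv3", "TLSv1.0", "TLSv1.1"})
    min_rsa_bits: int = 2048
    min_ec_bits: int = 256
    blocked_hashes: frozenset = frozenset({"md5", "sha1"})
    non_decryptable_action: str = "allow"  # pass through undecrypted, or "block"


# Constructed stand-in for the local and Sophos-managed exclusion URL groups.
EXCLUSIONS = frozenset({"bank.example", "update.example"})


def decide(conn, profile, exclusions=EXCLUSIONS):
    """Return (action, reason): 'allow' passes the connection through undecrypted,
    'block' rejects it, and 'decrypt' means it is intercepted and re-signed."""
    if conn.host in exclusions:
        return "allow", "host is in an exclusion URL group"
    if not conn.decryptable:
        return profile.non_decryptable_action, "non-decryptable traffic"
    errors = set(conn.cert_errors) & profile.block_on_errors
    if errors:
        return "block", "certificate error: " + ", ".join(sorted(errors))
    if conn.tls_version in profile.blocked_versions:
        return "block", f"protocol version {conn.tls_version}"
    minimum = profile.min_rsa_bits if conn.key_type == "rsa" else profile.min_ec_bits
    if conn.key_bits < minimum:
        return "block", f"{conn.key_type} key of {conn.key_bits} bits is below {minimum}"
    if conn.sig_hash.lower() in profile.blocked_hashes:
        return "block", f"signature hash {conn.sig_hash}"
    return "decrypt", f"re-signed with {profile.signing_ca}"


# Constructed profiles: defaults, and a stricter one that blocks what it cannot inspect.
PROFILE = DecryptionProfile("standard", "Example-TLS-Signing-CA")
STRICT = DecryptionProfile("strict", "Example-TLS-Signing-CA", non_decryptable_action="block")

if __name__ == "__main__":
    samples = [
        Connection("shop.example", "TLSv1.2", "rsa", 2048, "sha256"),
        Connection("bank.example", "TLSv1.2", "rsa", 2048, "sha256"),
        Connection("old.example", "TLSv1.2", "rsa", 1024, "sha1"),
        Connection("app.example", "TLSv1.3", "ec", 256, "sha256", decryptable=False),
    ]
    for conn in samples:
        print(conn.host, "->", decide(conn, PROFILE), "| strict:", decide(conn, STRICT))
```

The check order matters: an excluded host is never inspected, so it is not subject to the key-size or algorithm checks either, which is the trade-off being made when a site is added to the exclusion group.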
Intrusion Prevention on Sophos Firewall
- Intrusion Prevention on Sophos Firewall comprises IPS policies, spoof protection and denial-of-
service (DoS) protection.
- IPS policies are an ordered list of rules. Each rule contains one or more signatures, and signatures
can be automatically selected for the rule using filters. Each rule also has an action.
- To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to a
firewall rule.
Enabling Advanced Threat Protection on Sophos Firewall
- ATP uses data from all enabled services on Sophos Firewall to detect compromised computers on
the network connecting to command-and-control servers.
- ATP can be configured to either log or log and drop traffic to command-and-control servers.
- ATP can be configured to either inspect only content coming from untrusted sources or going to
untrusted destinations, or to inspect all content.
Security Heartbeat on Sophos Firewall
- The Security Heartbeat is established between the Sophos Central managed endpoints and the
firewall. Sophos Central brokers trust between the endpoints and firewall so they must be
registered to the same Sophos Central account.
- Traffic from endpoints with a RED health status can be blocked if it is passing through the
firewall. To prevent lateral movement, the firewall will share the MAC addresses of devices with
a RED health status with all other devices it has a heartbeat with.
- Security Heartbeat must be configured in firewall rules to set a minimum health status for source
and destination. Optionally, you can select to require a heartbeat.
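The two behaviours above, a per-rule minimum health for source and destination (with an optional requirement that a heartbeat exist at all) and the sharing of RED hosts' MAC addresses with other heartbeat endpoints, can be modelled in a few lines. This is an added Python example, not Sophos code; the heartbeat table, the rule dictionary keys and the MAC addresses (IANA documentation range) are constructed, and the treatment of hosts with no heartbeat follows the note's wording: only "require heartbeat" rejects them.

```python
from enum import IntEnum


class Health(IntEnum):
    """Ordered so that >= expresses 'at least this healthy'."""
    RED = 0
    YELLOW = 1
    GREEN = 2


# Constructed heartbeat table: IP -> (MAC, last reported health). Hosts absent from
# the table send no heartbeat (no agent, or not registered to the same Sophos Central
# account as the firewall).
HEARTBEATS = {
    "10.0.0.10": ("00:00:5e:00:53:10", Health.GREEN),
    "10.0.0.11": ("00:00:5e:00:53:11", Health.YELLOW),
    "10.0.0.12": ("00:00:5e:00:53:12", Health.RED),
}


def _host_ok(ip, minimum, required, heartbeats):
    entry = heartbeats.get(ip)
    if entry is None:
        # No heartbeat at all: the host is rejected only when the rule requires one.
        return not required
    return minimum is None or entry[1] >= minimum


def heartbeat_permits(src, dst, rule, heartbeats=HEARTBEATS):
    """Apply a firewall rule's heartbeat conditions to a source/destination pair.
    Rule keys (all optional, constructed for this example):
      min_src / min_dst         minimum Health for that side
      require_src / require_dst True to reject hosts that send no heartbeat"""
    return (_host_ok(src, rule.get("min_src"), rule.get("require_src", False), heartbeats)
            and _host_ok(dst, rule.get("min_dst"), rule.get("require_dst", False), heartbeats))


def macs_to_isolate(heartbeats=HEARTBEATS):
    """MAC addresses of RED hosts. The firewall hands this list to every other
    heartbeat-connected endpoint so they refuse traffic from those machines on the
    local segment too, not only when it crosses the firewall."""
    return sorted(mac for mac, health in heartbeats.values() if health == Health.RED)


if __name__ == "__main__":
    rule = {"min_src": Health.YELLOW, "min_dst": Health.GREEN, "require_src": True}
    for src in ("10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.99"):
        print(src, "->", "10.0.0.10", heartbeat_permits(src, "10.0.0.10", rule))
    print("isolate:", macs_to_isolate())
```

Note the edge case for `10.0.0.99`: with only a minimum health set it passes, because there is nothing to compare; adding `require_src` turns an unmanaged or silent host into a block, which is the setting to use on rules that guard sensitive destinations.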
Connecting Sites with Sophos Firewall
- Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices
(REDs).
- Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to set up, and
IPsec, which is more configurable and flexible.
- All VPN connections are automatically added to the VPN zone, which is a special zone with no
physical interfaces that cannot be edited.
Configuring SSL Site-to-Site VPNs on Sophos Firewall
- SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs.
- You need to enable SSL VPNs for the zones you want to create them in.
- You configure the connection on the server Sophos Firewall then upload the configuration file to
the client Sophos Firewall.
IPsec Site-to-Site VPNs on Sophos Firewall
- IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of
the VPN need to support the same settings.
- Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separately from the connection.
- Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.
- Firewall rules can be created automatically when you create a policy-based VPN but are broad
and should be edited.
Remote Ethernet Devices on Sophos Firewall
- RED requires DHCP, DNS, and the ports TCP 3400 and UDP 3410.
- RED can be deployed in three modes: standard/unified, standard/split and transparent/split. Each
deployment mode requires a slightly different configuration.
- There are two RED models: SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G
module using the expansion bay.
Authentication on Sophos Firewall
- Sophos Firewall’s authentication capabilities provide the opportunity to control access to network
resources, filter websites, route traffic, control applications and more. You can also get detailed
reporting on user activity and identify high-risk users.
- Authentication can be done locally on the Sophos Firewall or, more commonly, configured to use
external servers such as Active Directory, Novell eDirectory, RADIUS, TACACS+ and
LDAP/LDAPS.
- You can add users to the Sophos Firewall manually or import them via CSV; they can be either
users or administrators.
Authentication Servers and Services on Sophos Firewall
- Sophos Firewall can be configured to authenticate using external servers. To use Synchronized
User Identity an Active Directory authentication server must be configured.
- Groups can be imported from Active Directory. When a user logs in they will be automatically
added to the firewall group that matches their Active Directory group.
- By default, authentication for Services is Local. Once authentication servers have been added
these can be enabled for services such as Firewall and User portal.
Configuring Azure AD SSO on Sophos Firewall
- Sophos Firewall allows you to configure Azure AD single sign-on for administrators to log in to
the web console using capabilities included in the free tier of Azure AD.
- You need to configure an app registration with a client secret, app role, API permissions and
redirect URI in Azure AD.
- On Sophos Firewall you need to add an authentication server using the app registration details
from Azure. This page will provide the redirect URI to use in the app registration.