Copyright © 2024 Sophos Ltd

Configuring Web
Protection on Sophos
Firewall

Sophos Firewall
Version: 20.0v1

[Additional Information]

Sophos Firewall
FW4010: Configuring Web Protection on Sophos Firewall

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Configuring Web Protection on Sophos Firewall - 1

Copyright
Copyright ©
© 2024
2023 Sophos
Sophos Ltd
Ltd

Configuring Web Protection on Sophos Firewall

In this chapter you will learn how
to create policies for web
protection and TLS decryption
and configure global settings for
protection and an explicit proxy.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall provides web protection as a
transparent or explicit proxy

DURATION 24 minutes

In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.

Configuring Web Protection on Sophos Firewall - 2

Copyright © 2024 Sophos Ltd

Web Policies
Web Protection Policies Policy Rules

▪ Include options to control end users’ web browsing
▪ SafeSearch prevents potentially inappropriate
images, videos, and text from appearing in search
results
▪ YouTube restrictions also restrict search results
▪ Time quotas can allow limited access to restricted
websites
▪ Define the type of usage to restrict
▪ Specify content filters to restrict web content that
contains any terms in the lists
▪ Define the action to take when the firewall
encounters traffic that matches the rule criteria

Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, that allow access to restricted websites, such as online shopping, for a limited period.

Policies include rules, which are used to:

• Define the type of usage to restrict. This can include user activities, categories, URL groups, file
types, and dynamic categories.
• Specify content filters to restrict web content that contains any terms in the lists.
• Define the action to take when the firewall encounters HTTP traffic that matches the rule criteria.

Configuring Web Protection on Sophos Firewall - 3

Copyright © 2024 Sophos Ltd

Creating and Editing Web Policies

This shows an example of a web policy. It has an ordered list of rules and a default action, in this case
allow, that determines the behaviour if the traffic does not match any of the rules.

Configuring Web Protection on Sophos Firewall - 4

Copyright © 2024 Sophos Ltd

Creating and Editing Web Policies

Dynamic Categories

User Activities
Categories

URL Groups

Users &
Groups File Types Constraints

Content Filter Action Status

Each web policy rule applies to either specific users and groups, or anybody.

You define the activities, or types of web traffic that are going to be controlled by the rule, and you can
optionally also apply a keyword content filter to the traffic.

Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.

You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.

Finally, you can enable and disable individual rules. This is especially useful when creating new rules
and testing.

Configuring Web Protection on Sophos Firewall - 5

Copyright © 2024 Sophos Ltd

Web Policies

Below the web policy rules are further options, some of which require the web proxy to be enforced.
These are indicated with a notice. If these options are selected and used with the DPI engine, they will
not be enforced.

The available options are:

• Enforce SafeSearch in common search engines. This is done by modifying the request to enable the
features in the search engine and requires decrypting the web traffic.
• Enforce YouTube restrictions, which is done in the same ways as enforcing SafeSearch.
• Configure how much quota time users have per day.

Configuring Web Protection on Sophos Firewall - 6

Copyright © 2024 Sophos Ltd

Advanced Settings

Advanced settings allow you to:

• Include this policy in logs and reports.
• Prevent the downloading of files greater than the size specified.
• Add X-Forwarded-For header to pass on the IP address of the original HTTP request.
• Allow users to sign into Google Apps, such as Gmail and Drive, only with the domains specified.
• Apply Microsoft Azure AD tenant restrictions.

Again, a notice indicates which settings require the web proxy to be enforced.

Configuring Web Protection on Sophos Firewall - 7

Copyright © 2024 Sophos Ltd

User Activities
User activities are a group of web categories, URL groups, and file types

Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.

User Activities are a way of grouping web categories, URL groups and file types into a single object to
simplify management.

Configuring Web Protection on Sophos Firewall - 8

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Categories

Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.

You can also create custom web categories based on either local lists of domains and keywords or an
external URL database.

[Additional Information]
External URL databases can be from either a HTTP or FTP server. The database should be in one of the
following formats:
• .tar
• .ga
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.

Configuring Web Protection on Sophos Firewall - 9

Copyright © 2024 Sophos Ltd

URL Groups

Local TLS exclusion list

Managed TLS exclusion

list (read only)

URL groups are used to create a match list of domains for which the default configuration should not
be applied. All subdomains for the entered domains will also be matched.

There are a couple of important default groups:

• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt traffic
for.
• Managed TLS exclusion list, which is a Sophos managed list of domains that are excluded from TLS
decryption. On this page you can see the domains that are included, although you cannot edit or
delete this group.

Configuring Web Protection on Sophos Firewall - 10

Copyright © 2024 Sophos Ltd

File Types

Sophos Firewall can manage access to files through the web policy and comes with several groups of
common file types defined by extension and MIME type.

You can also create custom file types, which can use an existing group as a template to import already
defined types.

Configuring Web Protection on Sophos Firewall - 11

Copyright © 2024 Sophos Ltd

Simulation: Create Custom Web Categories

In this simulation you will create a keyword filter, modify

the existing ‘unproductive browsing’ user activity, and
create user activity for controlling access to specific
categories of website.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebCategories/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/WebCategories/2/start.html

Configuring Web Protection on Sophos Firewall - 12

Copyright © 2024 Sophos Ltd

Content Filters

Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insights into students using keywords related to self-harm, bullying, radicalization or otherwise
inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and applied to any web
filtering policy as an added criteria with actions to log and monitor or block search results or websites
containing the keywords of interest.

Comprehensive reporting is provided to identify keyword matches and users that are searching or
consuming keyword content of interest, enabling proactive intervention before an at-risk user
becomes a real problem.

Keyword lists are plain text files with one term per line.

Configuring Web Protection on Sophos Firewall - 13

Copyright © 2024 Sophos Ltd

Simulation: Create a Web Content Filter

In this simulation you will create a custom content filter

that will be used to detect web pages that contain
common bullying terms.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/ContentFilter/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/ContentFilter/2/start.html

Configuring Web Protection on Sophos Firewall - 14

Copyright © 2024 Sophos Ltd

Applying Policies

Once you have created your web policy you can apply it in firewall rules.

Configuring Web Protection on Sophos Firewall - 15

Copyright © 2024 Sophos Ltd

Web Policies

If there are options that cannot be enforced, this will be indicated in the firewall rule with a warning
triangle. Hovering over the warning will provide additional information.

Configuring Web Protection on Sophos Firewall - 16

Copyright © 2024 Sophos Ltd

Simulation: Create a Customer Web Policy

In this simulation you will clone and customize a web

policy by adding additional rules. You will then test the
policy using two different users and the Policy Test tool.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicy/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/WebPolicy/2/start.html

Configuring Web Protection on Sophos Firewall - 17

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Web Protection
When any web filtering is enabled Sophos Firewall will:
Automatically block websites that are identified as containing child sexual abuse content by the
Internet Watch Foundation (IWF)
Hide the domain name in logs and reports
Not support any policy or exclusion to allow the sites

We minimize the availability of online sexual abuse content. Specifically:

▪ Child sexual abuse content hosted anywhere in the world
▪ Non-photographic child sexual abuse images hosted in the UK

When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.

No policy or exclusions can be configured to allow these sites, and the domain names will be hidden in
the logs and reports.

[Additional Information]
Find out more about the IWF at https://www.iwf.org.uk

Configuring Web Protection on Sophos Firewall - 18

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Protection Settings

There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• And the action to take for unscannable content and potentially unwanted applications.

[Additional Information]
Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use dual
engine scanning.
The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.
Then we must decide on how to handle content that cannot be scanned due to factors such as being
encrypted, or password protected. The safest option is to block this content, but it can be allowed if
required.
An option is available as part of web protection to block Potentially Unwanted Applications from being
downloaded. Specific applications can be allowed by adding them to the Authorized PUAs list; and this
is applied as part of the malware protection in firewall rules.

Configuring Web Protection on Sophos Firewall - 19

Copyright © 2024 Sophos Ltd

Protection Settings

The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.

Configuring Web Protection on Sophos Firewall - 20

Copyright © 2024 Sophos Ltd

Zero-Day Protection

The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.

Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may need
to configure this to remain compliant with data protection laws.

You can also choose to exclude certain types of file from zero-day protection using the predefined file
type options.

Zero-day protection scanning is enabled in the Web filtering section of firewall rules.

Configuring Web Protection on Sophos Firewall - 21

Copyright © 2024 Sophos Ltd

Advanced Settings

On the General settings tab there are also some advanced settings where you can enable web caching
and caching Sophos endpoint updates.

You can also configure some web proxy settings:

• The port that clients should use to configure the Sophos Firewall as an explicit proxy.
• The ports that can be connected to.
• And the minimum TLS version.

Configuring Web Protection on Sophos Firewall - 22

Copyright © 2024 Sophos Ltd

Web Proxy Content Caching

The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites with
limited or slower Internet access; however, the web proxy is required in order to enforce this.

Configuring Web Protection on Sophos Firewall - 23

Copyright © 2024 Sophos Ltd

User Notifications

In the User notifications tab, you can modify the images and text shown on the warn and block pages.
The text can include variables to display the category detected, and to link to suggesting a different
category.

You can preview what the message will look like when users see it using the link.

Configuring Web Protection on Sophos Firewall - 24

Copyright © 2024 Sophos Ltd

Policy Overrides

Web policy overrides settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.

You define which users (for example this could be teachers in an education setting) have the option to
authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the web admin console
you can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight into
web override use.

Configuring Web Protection on Sophos Firewall - 25

Copyright © 2024 Sophos Ltd

Policy Overrides

Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.

Configuring Web Protection on Sophos Firewall - 26

Copyright © 2024 Sophos Ltd

Policy Overrides

Codes can be shared with end users, who enter them directly into the block page to allow access to a
blocked site.

Configuring Web Protection on Sophos Firewall - 27

Copyright © 2024 Sophos Ltd

Simulation: Delegate Web Policy Overrides

In this simulation you will enable web policy overrides for

Fred Rogers. You will then create a web policy override
and use the access code generated to allow John Smith to
access a site that is blocked.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicyOverrides/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/WebPolicyOverrides/2/start.html

Configuring Web Protection on Sophos Firewall - 28

Copyright © 2024 Sophos Ltd

Exceptions

The exceptions found within the web protection in the Sophos Firewall can be used to bypass certain
security checks or actions for any sites that match criteria specified in the exception. There are a few
predefined exceptions already in Sophos Firewall and more can be created at the administrator's
discretion. It is important to note that exceptions apply to all web protection policies no matter where
they are applied in Sophos Firewall.

Configuring Web Protection on Sophos Firewall - 29

Copyright © 2024 Sophos Ltd

Exceptions

Exceptions can be matched on any combination of:

• URL patterns, which can be either simple strings or regular expressions.
• Website categories.
• Source IP addresses.
• And destination IP addresses.

Please note that many websites have multiple IP addresses, and all of them would need to be listed.
Where multiple matching criteria are used, then the traffic must match all the criteria to match
successfully. You can then select which checks the exception will bypass.

Configuring Web Protection on Sophos Firewall - 30

Copyright © 2024 Sophos Ltd

Chapter Review

Web policy rules can apply to specific users and groups, or anyone. They define the activities or types of
web traffic and have an action to allow, warn, apply quota, or block. A separate action can be applied to
HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It provides an option to
use the web proxy or the DPI engine. Some policy options can only be enforced by the web proxy.

Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.

Here are the three main things you learned in this chapter.

Web policy rules can apply to specific users and groups, or anyone. They define the activities or types
of web traffic and have an action to allow, warn, apply quota or block. A separate action can be
applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It provides an option to
use the web proxy or the DPI engine. Some policy options can only be enforced by the web proxy.

Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.

Configuring Web Protection on Sophos Firewall - 36

Copyright © 2024 Sophos Ltd

Configuring Web Protection on Sophos Firewall - 37