FW4010 20.0v1 Configuring Web Protection On Sophos Firewall
Configuring Web Protection on Sophos Firewall
Sophos Firewall
Version: 20.0v1
[Additional Information]
Sophos Firewall
FW4010: Configuring Web Protection on Sophos Firewall
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 24 minutes
In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.
Web Policies
Web Protection Policies
▪ Include options to control end users’ web browsing
▪ SafeSearch prevents potentially inappropriate images, videos, and text from appearing in search results
▪ YouTube restrictions also restrict search results
▪ Time quotas can allow limited access to restricted websites
Policy Rules
▪ Define the type of usage to restrict
▪ Specify content filters to restrict web content that contains any terms in the lists
▪ Define the action to take when the firewall encounters traffic that matches the rule criteria
Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, which allow access to restricted websites, such as online shopping, for a limited period.
This shows an example of a web policy. It has an ordered list of rules and a default action, in this case
allow, that determines the behaviour if the traffic does not match any of the rules.
[Slide diagram: a web policy rule combines Users & Groups, User Activities (Categories, URL Groups, File Types) and Constraints]
Each web policy rule applies to either specific users and groups, or anybody.
You define the activities, or types of web traffic that are going to be controlled by the rule, and you can
optionally also apply a keyword content filter to the traffic.
Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.
You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.
Finally, you can enable and disable individual rules. This is especially useful when creating new rules
and testing.
Web Policies
Below the web policy rules are further options, some of which require the web proxy to be enforced.
These are indicated with a notice. If these options are selected and used with the DPI engine, they will
not be enforced.
Advanced Settings
Again, a notice indicates which settings require the web proxy to be enforced.
User Activities
User activities are a group of web categories, URL groups, and file types
Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.
User Activities are a way of grouping web categories, URL groups and file types into a single object to
simplify management.
Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.
You can also create custom web categories based on either local lists of domains and keywords or an
external URL database.
[Additional Information]
External URL databases can be hosted on either an HTTP or an FTP server. The database should be in one of the
following formats:
• .tar
• .gz
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.
URL Groups
URL groups are used to create a match list of domains for which the default configuration should not
be applied. All subdomains for the entered domains will also be matched.
File Types
Sophos Firewall can manage access to files through the web policy and comes with several groups of
common file types defined by extension and MIME type.
You can also create custom file types, which can use an existing group as a template to import already
defined types.
https://training.sophos.com/fw/simulation/WebCategories/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Content Filters
Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insights into students using keywords related to self-harm, bullying, radicalization or otherwise
inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and applied to any web
filtering policy as an added criterion, with actions to log and monitor, or to block search results or websites
containing the keywords of interest.
Comprehensive reporting is provided to identify keyword matches and users that are searching or
consuming keyword content of interest, enabling proactive intervention before an at-risk user
becomes a real problem.
Keyword lists are plain text files with one term per line.
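As an added example that is not part of the course or Sophos's own code, the following Python model implements the rule semantics described above: an ordered rule list with a default action, rules scoped to users and groups or to anybody, activities built from web categories, URL groups (the entered domain plus all its subdomains) and file types, an optional keyword content filter as an extra criterion, time constraints, and per-rule enable/disable. The group names, categories, domains, the hour-window form of the time constraint and the "any activity part matches" rule are constructed assumptions, not the firewall's internal behaviour.

```python
from dataclasses import dataclass

def domain_in_group(host, group):
    """URL-group match: the entered domain and all of its subdomains (not lookalike hosts)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in (g.lower() for g in group))

@dataclass
class Rule:
    action: str                          # allow, warn, quota or block
    users: frozenset = frozenset()       # users/groups the rule applies to; empty = anybody
    categories: frozenset = frozenset()  # web categories in the user activity
    url_group: frozenset = frozenset()   # URL group domains
    file_types: frozenset = frozenset()  # file types, by extension in this model
    keywords: frozenset = frozenset()    # content filter terms; empty = no filter
    hours: tuple = (0, 24)               # assumed hour-window time constraint; (0, 24) = always active
    enabled: bool = True

    def matches(self, req):
        if not self.enabled or not (self.hours[0] <= req["hour"] < self.hours[1]):
            return False
        if self.users and not (self.users & req["who"]):
            return False
        activity = (req["category"] in self.categories
                    or domain_in_group(req["host"], self.url_group)
                    or req["file_type"] in self.file_types)
        if not activity:
            return False
        # The keyword content filter is an extra criterion: a listed term must appear.
        return not self.keywords or any(k in req["text"].lower() for k in self.keywords)

def evaluate(rules, req, default="allow"):
    """Rules are checked in order; the first match decides, else the default action applies."""
    for rule in rules:
        if rule.matches(req):
            return rule.action
    return default

def request(host, category, who, hour, file_type="", text=""):
    return {"host": host, "category": category, "who": frozenset(who),
            "hour": hour, "file_type": file_type, "text": text}

# Constructed example policy; group names, categories and domains are placeholders.
RULES = [
    Rule("warn", url_group=frozenset({"example.com"})),                   # applies to anybody
    Rule("block", users=frozenset({"Students"}), categories=frozenset({"Search Engines"}),
         keywords=frozenset({"self-harm"})),
    Rule("quota", users=frozenset({"Students"}), categories=frozenset({"Shopping"}), hours=(12, 14)),
    Rule("block", categories=frozenset({"Shopping"}), enabled=False),     # disabled while testing
]
```

Evaluating the same request with a different default action shows why the default matters: a request that no rule matches is allowed here, but would be blocked under a deny-by-default policy.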
https://training.sophos.com/fw/simulation/ContentFilter/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Applying Policies
Once you have created your web policy you can apply it in firewall rules.
Web Policies
If there are options that cannot be enforced, this will be indicated in the firewall rule with a warning
triangle. Hovering over the warning will provide additional information.
https://training.sophos.com/fw/simulation/WebPolicy/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.
No policy or exclusions can be configured to allow these sites, and the domain names will be hidden in
the logs and reports.
[Additional Information]
Find out more about the IWF at https://www.iwf.org.uk
There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• The action to take for unscannable content and potentially unwanted applications.
[Additional Information]
Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use dual
engine scanning.
The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.
Then we must decide on how to handle content that cannot be scanned due to factors such as being
encrypted, or password protected. The safest option is to block this content, but it can be allowed if
required.
An option is available as part of web protection to block Potentially Unwanted Applications from being
downloaded. Specific applications can be allowed by adding them to the Authorized PUAs list, and this
is applied as part of the malware protection in firewall rules.
Protection Settings
The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.
Zero-Day Protection
The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.
Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may need
to configure this to remain compliant with data protection laws.
You can also choose to exclude certain types of file from zero-day protection using the predefined file
type options.
Zero-day protection scanning is enabled in the Web filtering section of firewall rules.
Advanced Settings
On the General settings tab there are also some advanced settings where you can enable web caching
and caching Sophos endpoint updates.
The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites with
limited or slower Internet access; however, the web proxy is required in order to enforce this.
User Notifications
In the User notifications tab, you can modify the images and text shown on the warn and block pages.
The text can include variables that display the detected category and a link for suggesting a different
category.
You can preview what the message will look like when users see it using the link.
Policy Overrides
Web policy overrides settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.
You define which users (for example this could be teachers in an education setting) have the option to
authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the web admin console
you can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight into
web override use.
Policy Overrides
Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.
Policy Overrides
Codes can be shared with end users, who enter them directly into the block page to allow access to a
blocked site.
https://training.sophos.com/fw/simulation/WebPolicyOverrides/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Exceptions
The exceptions found within the web protection in the Sophos Firewall can be used to bypass certain
security checks or actions for any sites that match criteria specified in the exception. There are a few
predefined exceptions already in Sophos Firewall and more can be created at the administrator's
discretion. It is important to note that exceptions apply to all web protection policies no matter where
they are applied in Sophos Firewall.
Exceptions
Please note that many websites have multiple IP addresses, and all of them would need to be listed.
Where multiple matching criteria are used, then the traffic must match all the criteria to match
successfully. You can then select which checks the exception will bypass.
Chapter Review
Here are the three main things you learned in this chapter.
Web policy rules can apply to specific users and groups, or anyone. They define the activities or types of
web traffic and have an action to allow, warn, apply quota, or block. A separate action can be applied to
HTTPS traffic.
The web filtering policy is selected in the security features of the firewall rule. It provides an option to
use the web proxy or the DPI engine. Some policy options can only be enforced by the web proxy.
Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.