EP3525 5.0v1 Getting Started With The Sophos Central Web Control Policy
[Additional Information]
April 2024
Version: 5.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 10 minutes
In this chapter you will learn how website access can be controlled using the web control policy.
Web Protection
▪ Blocks access to malicious websites
▪ Configured in the Threat Protection policy
▪ IP and domain exclusions can be applied
There are two types of protection for devices accessing Internet resources. These are web control and
web protection.
Web control can allow, warn, or block websites based on their category and is configured in the web
control policy whilst web protection blocks access to malicious websites. This setting is enabled by
default and can be found in the threat protection policy.
The web control policy is used to define which categories of websites can be accessed.
This allows you to control access to inappropriate websites and assists with compliance and liability
coverage for inappropriate web browsing.
WEBSITE CATEGORIES
bbc.co.uk = news
facebook.com = social
123bet.com = gambling
[Diagram labels: HTTP GET; WFP provides the Web Intelligence Service with the IP/URL being requested; SXL; <identity>.sophosxl.net]
Web control is one of several components that uses the Windows Filtering Platform (WFP) to integrate
with networking applications such as Internet browsers. Web control uses HTTP to contact the WFP;
the information provided is used to perform SXL lookups to determine the category of a website. Web
control utilizes Sophos Extensible List (SXL) lookups to provide the most up-to-date protection. The
main purpose of SXL is to extend the protection offered on the endpoint by providing access to a
wider amount of detection data and information when needed. It will allow lookups against live data
using a checksum.
This diagram shows this in action; firstly, a user attempts to open a web page, in this example using
the Chrome browser. WFP grabs the URL or IP address being requested. Finally, the Sophos Web
Intelligence service performs the SXL lookup which checks the website category.
[Additional Information]
A full list of SXL lookup types can be found in Knowledge base KB-000034570.
https://support.sophos.com/support/s/article/KB-000034570
The web control policy is split into sections: Additional security options, which is used to configure
access to advertisements, uncategorized sites, and risky downloads; the acceptable web usage
controls, which control the sites that users are allowed to visit; and the protect against data loss
section, which is used to configure data loss settings.
The policy settings are pre-configured; however, these can be changed to suit your requirements. To
change the options, select Let me specify from the drop-down menu in each section.
You can define the action to allow, warn, or block websites. Clicking the View more option will expand
each section so you can view the website categories in more detail.
▪ This setting enables the recording of any restricted website accessed by users
▪ It records any time a user proceeds past a warning message
The option to log web control events will record any time a user browses to a site that has been
blocked. It will also record any time a user browses to a site that has a warning control applied. This
allows you to review the users that visit blocked or warned websites, and more importantly when they
proceed past the warning message to access the site.
Web control settings DO NOT apply to websites you have excluded in General Settings.
We recommend creating website exclusions in a threat protection policy and applying them to specific users/devices.
When a web control policy is applied, all websites accessed will be checked to confirm the website
category. This is then compared to the policy settings which will then either allow or block access to
the site or warn the user about the site they are trying to access.
It is important to note that web control settings don't apply to websites you've excluded. When
creating an exclusion for a website, create a policy exclusion in a threat protection policy.
Website Management
Website management is used to extend and customize website filtering
Tag websites to put them in groups and use policies to control these website groups for
specific users
Override the Sophos category for a website. This changes the website’s category for all
users
You can use website management to control websites not in one of the Sophos categories and to tag
websites to put them in groups, which are like custom categories. You can then use policies to control
these websites for certain users. You can also use it to override the Sophos category for a site. This
changes that site’s category for all your users.
If you think Sophos has put a website in the wrong category, you can request that Sophos change the
category. We recommend that you submit a change request rather than overriding the category.
You can create a tag for a website and specify the action for that website tag in the web control policy.
This will allow access to the specific website whilst still blocking the category it belongs to.
In this example, we are going to allow access to vimeo.com whilst blocking access to other streaming
media category websites.
We start by adding the website to the website management list in Sophos Central. We add the website
along with the override category, in this example streaming media, and then give the website a new
tag, in this example ‘Allowed company media’. It can be helpful to include information about tags you
have created and categories you have overridden for troubleshooting policy issues in the future.
Please note that entries in the website list can be single URLs, full domains, IP addresses, CIDR ranges,
or even top-level domains. Managing websites using IP addresses only controls browser-based access.
It does not block other applications or interact with rules for a local firewall.
Next, set the action for the streaming media category to block in the web control policy.
In the ‘Control sites tagged in Website Management’ section, click Add New and select the ‘WEBSITE
TAG’ you created from the drop-down menu and select an ‘action’.
Once the policy has been applied to a protected device, when the user browses to a website
categorized as streaming media, the site is blocked.
When the user browses to vimeo.com, the site is allowed. It might be necessary to add multiple
website entries to allow the full functionality of the website.
In Sophos Central, locate the device and select the EVENTS tab. The block events will be displayed.
Add the URL as a new website entry. Ensure you use the same website tag you created for the initial
website, in this example Allowed Company Media.
Once the policy has been applied to protected devices, the website page will load successfully.
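The precedence described above (exclusion first, then website tag, then category) modelled as an added example; it is not Sophos code and not part of the original training material. The host names other than vimeo.com, the `default` action, subdomain matching for website-list entries, and host-only matching (URL path entries are not modelled) are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data modelling the page's example (not exported from Sophos Central).
SOPHOS_CATEGORY = {"vimeo.com": "streaming media", "bbc.co.uk": "news",
                   "media-cdn.example.test": "streaming media"}  # hypothetical CDN host
WEBSITE_LIST = [  # (entry, override category, tag) as added in Website Management
    ("vimeo.com", "streaming media", "Allowed company media"),
]
POLICY = {
    "categories": {"streaming media": "block", "news": "allow"},
    "tags": {"Allowed company media": "allow"},
    "default": "allow",  # assumed action for categories the policy does not list
}
EXCLUSIONS = ["intranet.example.test"]  # constructed exclusion entry


def entry_matches(entry, host):
    """True if an entry (domain, top-level domain, IP address or CIDR range) covers host."""
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # entry or host is a name, fall through to suffix matching
    entry = entry.lower().lstrip(".")
    return host == entry or host.endswith("." + entry)  # assumption: subdomains match


def decide(url):
    """Return (action, reason) for a URL under the modelled policy."""
    host = (urlsplit(url).hostname or "").lower()
    if any(entry_matches(e, host) for e in EXCLUSIONS):
        return "allow", "excluded: web control settings do not apply"
    category = next((c for h, c in SOPHOS_CATEGORY.items() if entry_matches(h, host)),
                    "uncategorized")
    for entry, override, tag in WEBSITE_LIST:
        if entry_matches(entry, host):
            if tag in POLICY["tags"]:
                return POLICY["tags"][tag], f"tag '{tag}'"
            category = override or category  # override replaces the Sophos category
    return POLICY["categories"].get(category, POLICY["default"]), f"category '{category}'"


if __name__ == "__main__":
    for u in ("https://vimeo.com/123", "https://media-cdn.example.test/seg1.ts",
              "https://bbc.co.uk/news", "https://intranet.example.test/"):
        print(u, decide(u))
```

The blocked `media-cdn.example.test` result corresponds to the block event you would find on the device's EVENTS tab; appending that host to `WEBSITE_LIST` with the same tag changes the decision to allow.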
All websites must be encrypted (HTTPS) to be secure. Sophos can only scan the
contents of a secure website if it can be decrypted first
With SSL/TLS decryption of HTTPS websites enabled, Sophos can intercept the
connection from the Internet browser and inspect the inbound and outbound traffic
which is monitored and protected
In modern web browsers, all sites must be HTTPS encrypted to be secure. It is only possible to scan
the contents of a secure website if it can be decrypted first. SSL/TLS decryption of HTTPS websites
enables the scanning of IPv6 and HTTPS websites.
This works by intercepting the connection from an Internet browser and inspecting both the inbound
and outbound traffic which is monitored and protected. HTTPS websites will not be scanned by
default; this feature must be enabled either in a threat protection policy or via General Settings >
SSL/TLS decryption of HTTPS Websites. When this setting is enabled, it will enable HTTPS decryption
for web protection as well as web control.
[Additional Information]
Further information about this setting can be found in the help here:
https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/GlobalSettings/DecryptHTTPS/index.html
Websites that fail to load and websites that require client certificates will need to be excluded from
HTTPS decryption. These websites and website categories can be excluded in the general setting.
You can add domain names, IP addresses, or IP address ranges to be excluded by clicking Add
Exclusion at the bottom right. Categories set to allow in the web control policy will also be added to
categories excluded from HTTPS decryption. By adding a website exclusion, all subdomains will also be
excluded from HTTPS decryption.
https://training.sophos.com/ce/simulation/TestWebControl/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Chapter Review
Here are the three main things you learned in this chapter.
Web control allows you to control access to inappropriate websites and assists with compliance and
liability coverage for inappropriate web browsing.
The web control base policy settings are pre-configured and can be changed to suit your requirements.
To change the options, select ‘Let me specify’ from the drop-down menu in each section.