EP3525 5.0v1 Getting Started With The Sophos Central Web Control Policy


Copyright © 2024 Sophos Ltd

Getting Started with the Sophos Central Web Control Policy

Sophos Central Endpoint Protection

Version: 5.0v1

[Additional Information]

EP3525: Getting Started with the Sophos Central Web Control Policy

April 2024

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Getting Started with the Sophos Central Web Control Policy - 1



Getting Started with the Web Control Policy


In this chapter you will learn how website access can be controlled using the web control policy.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to access and navigate Sophos Central
✓ How to protect and manage devices
✓ How to assign policies

DURATION 10 minutes


Web Control and Web Protection


Web Control
▪ Control website access based on website category
▪ Configured in the Web Control policy
▪ Specify an action for each website category (allow, warn, or block)
▪ Exceptions can be created via tags or category override

Web Protection
▪ Blocks access to malicious websites
▪ Configured in the Threat Protection policy
▪ IP and domain exclusions can be applied

There are two types of protection for devices accessing Internet resources. These are web control and
web protection.

Web control can allow, warn, or block websites based on their category and is configured in the web
control policy whilst web protection blocks access to malicious websites. This setting is enabled by
default and can be found in the threat protection policy.

This chapter focuses on web control.


Web Control Policy


Used to define which website categories can be accessed
Control access to inappropriate websites
Assists with compliance and liability coverage

The web control policy is used to define which categories of websites can be accessed.

This allows you to control access to inappropriate websites and assists with compliance and liability
coverage for inappropriate web browsing.

Web Control

[Diagram: HTTP GET → WFP → Sophos Web Intelligence Service → SXL lookup (<identity>.sophosxl.net) → Sophos Servers. WFP provides the Web Intelligence Service with the IP/URL being requested.]

WEBSITE CATEGORIES
bbc.co.uk = news
facebook.com = social
123bet.com = gambling

Web control is one of several components that use the Windows Filtering Platform (WFP) to integrate
with networking applications such as Internet browsers. Web control uses HTTP to contact the WFP,
and the information provided is used to perform SXL lookups to determine the category of a website.
Web control utilizes Sophos Extensible List (SXL) lookups to provide the most up-to-date protection.
The main purpose of SXL is to extend the protection offered on the endpoint by providing access to a
wider range of detection data and information when needed. It allows lookups against live data
using a checksum.

The diagram shows this in action. First, a user attempts to open a web page, in this example using
the Chrome browser. Next, WFP grabs the URL or IP address being requested. Finally, the Sophos Web
Intelligence service performs the SXL lookup, which checks the website category.

[Additional Information]
A full list of SXL lookup types can be found in Knowledge base KB-000034570.
https://support.sophos.com/support/s/article/KB-000034570


Web Control Policy

Configure access to advertisements, uncategorized sites and risky downloads

Control the sites users are allowed to visit

Configure data loss settings

The web control policy is split into sections. The Additional security options section is used to
configure access to advertisements, uncategorized sites, and risky downloads. The acceptable web
usage controls determine the sites that users are allowed to visit. Lastly, the protect against data
loss section is used to configure data loss settings.


Web Control Policy

Configure customized settings

Select from pre-configured settings

View more details about each section

The policy settings are pre-configured; however, these can be changed to suit your requirements. To
change the options, select Let me specify from the drop-down menu in each section.

You can define the action to allow, warn, or block websites. Clicking the View more option will expand
each section so you can view the website categories in more detail.


Web Control Policy

▪ This setting enables the recording of any restricted website accessed by users
▪ It records any time a user proceeds past a warning message

The option to log web control events will record any time a user browses to a site that has been
blocked. It will also record any time a user browses to a site that has a warning control applied. This
allows you to review the users that visit blocked or warned websites, and more importantly when they
proceed past the warning message to access the site.


Web Control Policy

Website category rules in the Web Control policy

Any website that is included in that category will be blocked based on the policy settings

Web control settings DO NOT apply to websites you have excluded in General Settings.
We recommend creating website exclusions in a threat protection policy and applying to specific users/devices.

When a web control policy is applied, all websites accessed will be checked to confirm the website
category. This is then compared to the policy settings which will then either allow or block access to
the site or warn the user about the site they are trying to access.

It is important to note that web control settings don't apply to websites you've excluded. When
creating an exclusion for a website, create a policy exclusion in a threat protection policy.


Website Management
Website management is used to extend and customize website filtering

General Settings > Website Management



Website Management

Control websites not in one of the Sophos categories

Tag websites to put them in groups and use policies to control these website groups for specific users

Override the Sophos category for a website. This changes the website’s category for all users

You can use website management to control websites that are not in one of the Sophos categories and
to tag websites to put them in groups, which are like custom categories. You can then use policies to
control these websites for certain users. You can also use it to override the Sophos category for a
site. This changes that site’s category for all your users.

If you think Sophos has put a website in the wrong category, you can request that Sophos change the
category. We recommend that you submit a change request rather than overriding the category.


Website Management

Specify the action for website tags in the Web Control policy

You can create a tag for a website and specify the action for that website tag in the web control policy.
This will allow access to the specific website whilst still blocking the category it belongs to.

Let’s look at how this works.


Website Management

Select the website override category

Enter a tag for the website

In this example, we are going to allow access to vimeo.com whilst blocking access to other streaming
media category websites.

We start by adding the website to the website management list in Sophos Central. We add the website
along with the override category, in this example streaming media, and then give the website a new
tag, in this example ‘Allowed company media’. It can be helpful to include information about tags you
have created and categories you have overridden for troubleshooting policy issues in the future.

Please note that entries in the website list can be single URLs, full domains, IP addresses, CIDR ranges,
or even top-level domains. Managing websites using IP addresses only controls browser-based access.
It does not block other applications or interact with rules for a local firewall.


Website Management

Block the ‘Streaming Media’ category in the web control policy

Next, set the action for the streaming media category to block in the web control policy.


Website Management

Add the website tag you created in General Settings and set the action to Allow

In the ‘Control sites tagged in Website Management’ section, click Add New and select the ‘WEBSITE
TAG’ you created from the drop-down menu and select an ‘action’.

In this example, we set the action to Allow.


Website Management

Streaming media website category is blocked

The tagged website is allowed

Once the policy has been applied to a protected device, when the user browses to a website
categorized as streaming media, the site is blocked.

When the user browses to vimeo.com, the site is allowed. It might be necessary to add multiple
website entries to allow the full functionality of the website.


Website Management

In Sophos Central, locate the device and select the EVENTS tab. The block events will be displayed.


Website Management

Select the website that is being blocked and copy it.


Add the URL as a new website entry. Ensure you use the same website tag you created for the initial
website, in this example Allowed Company Media.


Website Management

Once the policy has been applied to protected devices, the website page will load successfully.
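The tag walkthrough above, modelled as an added example (this is not Sophos code and not part of the original course): it shows why allowing vimeo.com alone can leave a page half-loaded until the blocked dependency is added under the same tag. Every host name other than vimeo.com, the category table, the subdomain matching and the default action for unlisted categories are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed category data standing in for the live category lookup.
CATEGORY = {
    "vimeo.com": "Streaming Media",
    "player.cdn.example": "Streaming Media",  # hypothetical host the page embeds
    "video.example": "Streaming Media",
    "bbc.co.uk": "News",
}
CATEGORY_ACTION = {"Streaming Media": "block", "News": "allow"}
TAG_ACTION = {"Allowed company media": "allow"}
PAGE_HOSTS = ["vimeo.com", "player.cdn.example"]  # constructed page dependencies


def entry_matches(entry, host):
    """Match a website-list entry (domain, TLD, IP or CIDR range) to a host."""
    try:
        return ip_address(host) in ip_network(entry, strict=False)
    except ValueError:
        pass  # not an IP/CIDR comparison, so compare as domain names
    # Assumption: a domain entry also covers its subdomains.
    return host == entry or host.endswith("." + entry)


def decide(host, website_list):
    """Return (action, reason); a matching tag rule beats the category rule."""
    for entry, tag in website_list:
        if tag in TAG_ACTION and entry_matches(entry, host):
            return TAG_ACTION[tag], f"tag '{tag}'"
    category = CATEGORY.get(host, "Uncategorized")
    # Assumption: categories without a configured action are allowed.
    return CATEGORY_ACTION.get(category, "allow"), f"category '{category}'"


def blocked_hosts(hosts, website_list):
    """Hosts a page needs that the policy still blocks."""
    return [h for h in hosts if decide(h, website_list)[0] == "block"]


if __name__ == "__main__":
    sites = [("vimeo.com", "Allowed company media")]
    print(blocked_hosts(PAGE_HOSTS, sites))   # CDN host shows up as a block event
    sites.append(("player.cdn.example", "Allowed company media"))
    print(blocked_hosts(PAGE_HOSTS, sites))   # nothing left blocked
    print(decide("video.example", sites))     # rest of the category stays blocked
```

Hosts returned by `blocked_hosts` correspond to the block events you would copy from the device's EVENTS tab and add as new website entries.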

SSL/TLS Decryption of HTTPS Websites

All websites must be encrypted (HTTPS) to be secure. Sophos can only scan the
contents of a secure website if it can be decrypted first

With SSL/TLS decryption of HTTPS websites enabled, Sophos can intercept the
connection from the Internet browser and inspect the inbound and outbound traffic
which is monitored and protected

SSL/TLS decryption of HTTPS websites is not enabled by default. Either enable it in a
threat protection policy or via General Settings

General Settings > SSL/TLS decryption of HTTPS websites

In modern web browsers, all sites must be HTTPS encrypted to be secure. It is only possible to scan
the contents of a secure website if it can be decrypted first. SSL/TLS decryption of HTTPS websites
enables the scanning of IPv6 and HTTPS websites.

This works by intercepting the connection from an Internet browser and inspecting both the inbound
and outbound traffic which is monitored and protected. HTTPS websites will not be scanned by
default; this feature must be enabled either in a threat protection policy or via General Settings >
SSL/TLS decryption of HTTPS Websites. When this setting is enabled, it will enable HTTPS decryption
for web protection as well as web control.

[Additional Information]
Further information about this setting can be found in the help here:
https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/GlobalSettings/DecryptHTTPS/index.html


HTTPS Website Exclusions

Websites that fail to load and websites that require client certificates will need to be excluded from HTTPS decryption

Websites that fail to load and websites that require client certificates will need to be excluded from
HTTPS decryption. These websites and website categories can be excluded in the general setting.

You can add domain names, IP addresses, or IP address ranges to be excluded by clicking Add
Exclusion at the bottom right. Categories set to allow in the web control policy will also be added to
categories excluded from HTTPS decryption. By adding a website exclusion, all subdomains will also be
excluded from HTTPS decryption.


Simulation: Configure and Test a Web Control Policy

In this simulation you will configure and test a web control policy.


https://training.sophos.com/ce/simulation/TestWebControl/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.


Chapter Review

Here are the three main things you learned in this chapter.

Web control allows you to control access to inappropriate websites and assists with compliance and
liability coverage for inappropriate web browsing.

The web control base policy settings are pre-configured and can be changed to suit your requirements.
To change the options, select ‘Let me specify’ from the drop-down menu in each section.

Web control settings do not apply to excluded websites.
