FW4505 20.0v1 Getting Started with Application Control on Sophos Firewall


Copyright © 2024 Sophos Ltd


[Additional Information]

Sophos Firewall
FW4505: Getting Started with Application Control on Sophos Firewall

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Getting Started with Application Control on Sophos Firewall - 1



Getting Started with Application Control on Sophos Firewall


RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Identify and understand the multiple layers of protection provided by Sophos Firewall to detect and block attacks
✓ How to configure firewall rules on Sophos Firewall

DURATION 15 minutes

In this chapter you will learn how to configure application control filters and apply them to firewall
rules.


Application Control Overview

Cloud Storage, Peer-to-Peer, Video Streaming, Social Media

Protect against risky applications
Guarantee bandwidth for business applications
Block or limit unproductive applications

Many applications and tools used for day-to-day business are provided through cloud-based services,
so ensuring good Internet connectivity to employees is vital.

Alongside these business applications are every other type of application and service that can be
imagined, many of which are unproductive or can expose users and the company network to risks.

Sophos Firewall can protect against risky applications and either block or limit access to unproductive
applications, and at the same time guarantee that business applications have the bandwidth they
need.


Application List
Applications can be found in: PROTECT > Applications > Application list

Sophos Firewall comes with definitions for thousands of known applications, which you can filter and
view the details of in PROTECT > Applications > Application list.


Live Connections
Current connections can be monitored in: MONITOR & MANAGE > Current Activities > Live connections

The Live connections page lists all of the current applications making connections through the Sophos
Firewall. You can use the link in the ‘Total’ column to get more detailed information about all of the
connections for that application.

The live connections can be shown by application, username or source IP address, and the page can
be optionally set up to automatically refresh to give a real-time view.


Application Filters
Application filters can be found in: PROTECT > Applications > Application filter

Application filters are sets of rules that can allow or deny access to applications. Unlike web policies,
application filter rules are not applied to users and groups, so the application filter will apply to all
users for the firewall rule it is used in.


Creating Application Filters

You can optionally select an existing application filter as a template

Application filters are created in two stages.

First you create the application filter. Here you can optionally select an existing application filter as a
template.

You save the application filter and, if you selected a template, the rules will be copied over to the new
filter.


Creating Application Filters

You can now add rules to your application filter

Drag and drop to reorder

You can now open the application filter and start adding rules or edit rules if you selected a template.

Please note that the rules are processed in order, and you can rearrange them by dragging and
dropping.


Application Filter Rules

For each application filter rule, you select which applications it will apply to, set whether the action for
those applications is allow or deny, and optionally select a schedule for when the rule will be active.

Selecting the applications in the rule is done by filtering the applications using the criteria provided or
using a free-text smart filter. When new applications are added that match the filters they will
automatically be included in the rule.

You can optionally choose to select individual applications rather than all applications included in the
filtered results; in this case, newly added applications will not automatically be added to the rule.


Application Filter Rules

Below the selected applications, you can choose whether this rule is to allow or deny them. You can
also select when this rule is active based on a schedule.
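
The rule ordering and the two ways of selecting applications described above, modelled in Python as an added example (not Sophos code and not part of the original training material). It assumes that the first matching rule decides and that unmatched applications get a default action; `Rule`, `evaluate`, the catalogue and the name `NewSyncTool` are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed catalogue: application name -> category (not the firewall's real list).
CATALOG = {"OneDrive": "Storage and Backup", "Dropbox": "Storage and Backup"}

@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    categories: frozenset = frozenset()   # filter criteria: membership is dynamic
    individual: frozenset = frozenset()   # hand-picked apps: membership is static

    def matches(self, app, catalog):
        if self.individual:               # individually selected applications
            return app in self.individual
        return catalog.get(app) in self.categories

def evaluate(rules, app, catalog, default="allow"):
    """Walk the rules top to bottom; the first match decides (assumed semantics)."""
    for rule in rules:
        if rule.matches(app, catalog):
            return rule.action
    return default                        # assumed default action of the filter

def demo():
    allow_onedrive = Rule("allow", individual=frozenset({"OneDrive"}))
    deny_storage = Rule("deny", categories=frozenset({"Storage and Backup"}))
    deny_picked = Rule("deny", individual=frozenset({"OneDrive", "Dropbox"}))
    catalog = dict(CATALOG)
    out = {
        # Exception above the category rule: OneDrive stays reachable.
        "ordered": evaluate([allow_onedrive, deny_storage], "OneDrive", catalog),
        # Same rules, dragged into the other order: the deny rule now wins.
        "swapped": evaluate([deny_storage, allow_onedrive], "OneDrive", catalog),
    }
    # A new application definition arrives later (hypothetical name).
    catalog["NewSyncTool"] = "Storage and Backup"
    out["new_app_criteria"] = evaluate([deny_storage], "NewSyncTool", catalog)
    out["new_app_individual"] = evaluate([deny_picked], "NewSyncTool", catalog)
    return out

if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The last case is the one to watch when auditing a filter: a deny rule built from individually selected applications does not cover an application that is defined later.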


Apply an Application Filter

Once you have configured your application filter, it needs to be selected in a firewall rule in the ‘Other
security features’ section.


Simulation: Create an Application Filter

In this simulation you will create a custom application filter, apply it to a firewall rule, then test the results.


https://training.sophos.com/fw/simulation/AppFilter/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.


Synchronized App Control

“I don’t recognize this traffic; what application is it from?”
“This is Custom Business Application, and it is allowed”

Diagram labels: Sophos Central managed device, Internet, Custom Business Application

Synchronized app control can identify, classify and control previously unknown applications active on
the network. It uses the Security Heartbeat to obtain information from the endpoint about
applications that don’t have signatures or are using generic HTTP or HTTPS connections. This solves a
significant problem that affects signature-based app control on all firewalls today, where many
applications are classified as “unknown”, “unclassified”, “generic HTTP” or “SSL”.

Synchronized app control is not supported in active-active high availability deployments.


Managing Synchronized App Control

Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central.

In the Control center there is a synchronized application control widget that provides an at-a-glance
indication of new applications that have been identified.


Categorizing Identified Applications


Identified applications are managed in: PROTECT > Applications > Synchronized Application Control

Where possible, Sophos Firewall will automatically classify identified applications and they will be
controlled based on the current application filters you have in place.

Through the menu for the application, you can customize the classification.


Categorizing Identified Applications

Here you can see that OneDrive has been assigned to the application category ‘Storage and Backup’. If
you were blocking this category but wanted to allow OneDrive, you could choose to move it to
another category such as ‘General Business’.


Synchronized Application Control

Retention period options: 1 month, 3 months, 6 months, 9 months, 12 months

You can configure cleanup of the synchronized application control database to remove obsolete
applications that are no longer in use; this is done in PROTECT > Central synchronization.

You can choose how long to retain applications in the database from 1 month to 12 months. Sophos
Firewall will then run a daily check for applications older than the threshold and remove them in
batches of 100 every 5 minutes. Applications are also deleted from application filter policies if they
were added individually.

The retention period is measured from when an application was last detected by synchronized application
control. If the application is frequently used, then the last detection date will always be updated, and
the application will not be purged. This feature is designed to only purge applications that are no
longer in use, and therefore no longer being detected by synchronized application control.
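
The cleanup behaviour described above, modelled in Python as an added example (not Sophos code and not part of the original training material). It shows which applications a given retention period would purge, how the removal is batched, and which individually added rule entries disappear as a result. Approximating a month as 30 days is an assumption, and the application and rule names are constructed.

```python
from datetime import date, timedelta

RETENTION_MONTHS = (1, 3, 6, 9, 12)       # retention choices listed on the page
BATCH_SIZE, BATCH_INTERVAL_MIN = 100, 5   # batches of 100 every 5 minutes

def stale_apps(last_detected, today, months, days_per_month=30):
    """Names whose last detection is older than the retention threshold."""
    if months not in RETENTION_MONTHS:
        raise ValueError(f"unsupported retention: {months} months")
    # Assumption: a month is approximated as 30 days for this model.
    cutoff = today - timedelta(days=months * days_per_month)
    return sorted(app for app, seen in last_detected.items() if seen < cutoff)

def purge_plan(stale):
    """(minutes after the daily check starts, batch) for each removal batch."""
    return [(i // BATCH_SIZE * BATCH_INTERVAL_MIN, stale[i:i + BATCH_SIZE])
            for i in range(0, len(stale), BATCH_SIZE)]

def rules_after_purge(individual_rules, stale):
    """Individually added applications are dropped from filter rules when purged."""
    gone = set(stale)
    return {name: [a for a in apps if a not in gone]
            for name, apps in individual_rules.items()}

def sample():
    """Constructed inventory: 250 idle apps plus one that is still in use."""
    today = date(2024, 1, 31)
    seen = {f"idle-app-{n:03d}": today - timedelta(days=200) for n in range(250)}
    seen["Custom Business Application"] = today - timedelta(days=1)
    rules = {"Allow business tools": ["Custom Business Application", "idle-app-007"]}
    return today, seen, rules

if __name__ == "__main__":
    today, seen, rules = sample()
    stale = stale_apps(seen, today, months=6)
    for offset, batch in purge_plan(stale):
        print(f"+{offset:>2} min: remove {len(batch)} applications")
    print(rules_after_purge(rules, stale))
```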


Simulation: Use Synchronized App Control to Block an App

In this simulation you will reclassify an application detected by synchronized application control, then test
that it is blocked.


https://training.sophos.com/fw/simulation/SyncAppControl/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.


Application Routing

Routing > SD-WAN Routing > Add

Applications can be added as a traffic selector for SD-WAN policy routes.

To use this functionality, you need to create an application object. An application object is a list of
applications selected using the same filtering criteria and options as for application filter rules.

In the example here, we have selected remote access applications that have been detected by
synchronized application control.


Cloud Applications

Identify cloud applications being used
Classify cloud applications
Apply traffic shaping rules
Block using application control

OneDrive is sanctioned
Dropbox is unsanctioned

Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to
identify risky behavior by providing insights into what cloud services are being used. You can then take
appropriate action by educating users or implementing application control or traffic shaping policies to
control or eliminate potential risky or unwanted behavior.

For example, if your company has a corporate Microsoft 365 and uses OneDrive for file storage, and
one user is consistently uploading data to Dropbox, that could be a red flag that needs further
investigation or policy enforcement. This practice of using unsanctioned cloud services is called
“Shadow IT”, a term you’ll often hear in association with CASB.


Cloud Applications in the Control Center

In Control center there is a widget that provides a visual summary of cloud application usage by
classification. This can be New, Sanctioned, Unsanctioned, or Tolerated.

The statistics show the number of cloud applications, and the amount of data in and out.

Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can get
more detailed information.


Cloud Applications
Cloud applications can be found in: PROTECT > Applications > Cloud applications

Here you can see all the cloud applications that have been detected, filter them by classification
and category, and sort them by either volume of data or number of users.

You can expand each application to see which users have been using it, and how much data they have
transferred.


Classifying and Traffic Shaping

For each detected application you can select a classification and a traffic shaping policy.

By selecting a classification for the applications, you can then use this to customize reports to show,
for example, use of unsanctioned applications on your network.

Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.


Simulation: Categorize Cloud Applications on Sophos Firewall

In this simulation you will review the cloud applications detected by Sophos Firewall and classify them.


https://training.sophos.com/fw/simulation/CloudApplications/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.


Chapter Review

Here are the three main things you learned in this chapter.

Application filters are an ordered list of rules that allow or deny applications based on filter criteria.
Application filters need to be applied in a firewall rule.

Synchronized application control can detect unknown applications using Security Heartbeat.
Discovered applications are automatically classified and allowed or blocked based on your application
filters. You can also reclassify applications.

Sophos Firewall can detect cloud applications; these can be classified to report on use of unsanctioned
applications on the network.
