FW4505 20.0v1 Getting Started with Application Control on Sophos Firewall
Sophos Firewall
Version: 20.0v1
January 2024
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 15 minutes
In this chapter you will learn how to configure application control filters and apply them to firewall
rules.
Many applications and tools used for day-to-day business are provided through cloud-based services,
so ensuring good Internet connectivity to employees is vital.
Alongside these business applications are every other type of application and service that can be
imagined, many of which are unproductive or can expose users and the company network to risks.
Sophos Firewall can protect against risky applications and either block or limit access to unproductive
applications, and at the same time guarantee that business applications have the bandwidth they
need.
Application List
Applications can be found in: PROTECT > Applications > Application list
Sophos Firewall comes with definitions for thousands of known applications, which you can filter and
view the details of in PROTECT > Applications > Application list.
Live Connections
Current connections can be monitored in: MONITOR & MANAGE > Current Activities > Live connections
The Live connections page lists all of the current applications making connections through the Sophos
Firewall. You can use the link in the ‘Total’ column to get more detailed information about all of the
connections for that application.
The live connections can be shown by application, username or source IP address, and the page can
be optionally set up to automatically refresh to give a real-time view.
Application Filters
Application filters can be found in: PROTECT > Applications > Application filter
Application filters are sets of rules that can allow or deny access to applications. Unlike web policies,
application filter rules are not applied to users and groups, so the application filter will apply to all
users for the firewall rule it is used in.
First you create the application filter. Here you can optionally select an existing application filter as a
template.
You save the application filter and if you selected a template the rules will be copied over to the new
filter.
You can now open the application filter and start adding rules or edit rules if you selected a template.
Please note that the rules are processed in order, and you can rearrange them by dragging and
dropping.
For each application filter rule, you select which applications it will apply to, set whether the action for
those applications is allow or deny, and optionally select a schedule for when the rule will be active.
Selecting the applications in the rule is done by filtering the applications using the criteria provided or
using a free-text smart filter. When new applications are added that match the filters they will
automatically be included in the rule.
You can optionally choose to select individual applications rather than all applications included in the
filtered results. In this case, newly added applications will not automatically be added to the rule.
Below the selected applications, you can choose whether this rule is to allow or deny them. You can
also select when this rule is active based on a schedule.
Once you have configured your application filter, it needs to be selected in a firewall rule in the ‘Other
security features’ section.
https://training.sophos.com/fw/simulation/AppFilter/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
[Diagram: Sophos Central, managed device and Internet, showing the Security Heartbeat path used by synchronized app control]
Synchronized app control can identify, classify and control previously unknown applications active on
the network. It uses the Security Heartbeat to obtain information from the endpoint about
applications that don’t have signatures or are using generic HTTP or HTTPS connections. This solves a
significant problem that affects signature-based app control on all firewalls today, where many
applications are classified as “unknown”, “unclassified”, “generic HTTP” or “SSL”.
Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central.
In the Control center there is a synchronized application control widget that provides an at-a-glance
indication of new applications that have been identified.
Where possible, Sophos Firewall will automatically classify identified applications and they will be
controlled based on the current application filters you have in place.
Through the menu for the application, you can customize the classification.
Here you can see that OneDrive has been assigned to the application category ‘Storage and Backup’. If
you were blocking this category but wanted to allow OneDrive, you could choose to move it to
another category such as ‘General Business’.
Retention options: 1 month, 3 months, 6 months, 9 months, 12 months.
You can configure clean up of the synchronized application control database to remove obsolete
applications that are no longer in use; this is done in PROTECT > Central synchronization.
You can choose how long to retain applications in the database from 1 month to 12 months. Sophos
Firewall will then run a daily check for applications older than the threshold and remove them in
batches of 100 every 5 minutes. Applications are also deleted from application filter policies if they
were added individually.
The time applications are retained for is since they were last detected by synchronized application
control. If the application is frequently used, then the last detection date will always be updated, and
the application will not be purged. This feature is designed to only purge applications that are no
longer in use, and therefore no longer being detected by synchronized application control.
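The two behaviours described above, ordered application filter rules with filter-based versus individually selected applications, and the retention purge that also removes individually added applications from rules, modelled in Python. This is an added illustration, not Sophos code: Rule, evaluate, purge and demo are invented names, the database is constructed sample data, and retention is expressed in days here rather than the months offered by the firewall.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Rule:
    """'categories' models selection by filter criteria (new matching apps join
    automatically); 'apps' models individually selected apps (a static list)."""
    action: str                                   # "allow" or "deny"
    categories: frozenset = frozenset()
    apps: set = field(default_factory=set)
    def matches(self, name, category):
        return name in self.apps or category in self.categories

def evaluate(rules, name, category, default="allow"):
    """Rules are processed in order; the first match decides."""
    for rule in rules:
        if rule.matches(name, category):
            return rule.action
    return default

def purge(db, rules, now, retention_days, batch_size=100):
    """Daily clean-up: apps whose last detection is older than the threshold
    are dropped in batches, and also removed from rules where they were
    added individually (filter-based rules are untouched)."""
    cutoff = now - timedelta(days=retention_days)
    stale = sorted(n for n, (_, last_seen) in db.items() if last_seen < cutoff)
    batches = [stale[i:i + batch_size] for i in range(0, len(stale), batch_size)]
    for batch in batches:                         # one batch every 5 minutes
        for name in batch:
            del db[name]
            for rule in rules:
                rule.apps.discard(name)
    return batches

def demo(retention_days=90):
    now = datetime(2024, 1, 31)
    # Constructed sample database: name -> (category, last detected)
    db = {
        "OneDrive": ("Storage and Backup", now),
        "OldBackupTool": ("Storage and Backup", now - timedelta(days=200)),
        "NewStorageApp": ("Storage and Backup", now - timedelta(days=1)),
    }
    allow_picked = Rule("allow", apps={"OneDrive", "OldBackupTool"})
    deny_storage = Rule("deny", categories=frozenset({"Storage and Backup"}))
    rules = [allow_picked, deny_storage]          # exceptions first, then category deny
    before = {n: evaluate(rules, n, c) for n, (c, _) in db.items()}
    purged = purge(db, rules, now, retention_days)
    after = {n: evaluate(rules, n, c) for n, (c, _) in db.items()}
    reordered = evaluate(rules[::-1], "OneDrive", "Storage and Backup")
    return before, purged, after, sorted(allow_picked.apps), reordered
```

NewStorageApp is denied without any rule change because the deny rule selects by category, while OldBackupTool disappears from the hand-picked allow rule once it is purged, and swapping the rule order turns the OneDrive exception into a deny.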
https://training.sophos.com/fw/simulation/SyncAppControl/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Application Routing
To use this functionality, you need to create an application object. An application object is a list of
applications selected using the same filtering criteria and options as for application filter rules.
In the example here, we have selected remote access applications that have been detected by
synchronized application control.
Cloud Applications
[Diagram: OneDrive is sanctioned; Dropbox is unsanctioned. Workflow: Identify cloud applications being used > Classify cloud applications > Apply traffic shaping rules > Block using application control]
Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to
identify risky behavior by providing insights into what cloud services are being used. You can then take
appropriate action by educating users or implementing application control or traffic shaping policies to
control or eliminate potential risky or unwanted behavior.
For example, if your company has a corporate Microsoft 365 and uses OneDrive for file storage, and
one user is consistently uploading data to Dropbox, that could be a red flag that needs further
investigation or policy enforcement. This practice of using unsanctioned cloud services is called
“Shadow IT”, a term you’ll often hear in association with CASB.
In Control center there is a widget that provides a visual summary of cloud application usage by
classification. This can be New, Sanctioned, Unsanctioned, or Tolerated.
The statistics show the number of cloud applications, and the amount of data in and out.
Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can get
more detailed information.
Cloud Applications
Cloud applications can be found in: PROTECT > Applications > Cloud applications
Here you can see all the cloud applications that have been detected, filter them by classification
and category, and sort them by either volume of data or number of users.
You can expand each application to see which users have been using it, and how much data they have
transferred.
For each detected application you can select a classification and a traffic shaping policy.
By selecting a classification for the applications, you can then use this to customize reports to show,
for example, use of unsanctioned applications on your network.
Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.
https://training.sophos.com/fw/simulation/CloudApplications/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Chapter Review
Here are the three main things you learned in this chapter.
Application filters are an ordered list of rules that allow or deny applications based on filter criteria.
Application filters need to be applied in a firewall rule.
Synchronized application control can detect unknown applications using Security Heartbeat. Discovered
applications are automatically classified and allowed or blocked based on your application filters. You can
also reclassify applications.
Sophos Firewall can detect cloud applications; these can be classified to report on use of unsanctioned
applications on the network.