Sophos Certified Engineer
ES80: Sophos Firewall
ENGINEER SIMULATION WORKBOOK
Version 19.0v2
June 2022

Contents

Introduction
Sophos Firewall Deployment
    Network Configuration Using the CLI
    Sophos Firewall Initial Setup Wizard
Getting Started with Sophos Firewall
    Create Definitions on Sophos Firewall
    Configure Zones and Interfaces on Sophos Firewall
    Configure a Static Route on Sophos Firewall
    Configure a DNS Request Route on Sophos Firewall
    Deploy Sophos Firewall Certificates
    Import CA Certificates on Sophos Firewall
Base Firewall
    Create a Firewall Rule
    Configure NAT Rules
    Create a DNAT Rule Using the Server Access Assistant
    Create a TLS inspection rule on Sophos Firewall
Network Protection
    Create an IPS Policy
    Enabling Advanced Threat Protection
    Getting Started with Security Heartbeat
Site-to-Site Connections
    Create an SSL Site-to-Site VPN
    Create a Route-Based IPsec Site-to-Site VPN
    Deploy a RED on Sophos Firewall
Authentication
    Add an Active Directory Authentication Server
    Configure Single Sign-On Using STAS on Sophos Firewall
    Configure User Policies
    Enable Multifactor Authentication
Web Protection
    Create Custom Web Categories on Sophos Firewall
    Create a Web Content Filter on Sophos Firewall
    Create a Custom Web Policy on Sophos Firewall
    Delegate Web Policy Overrides on Sophos Firewall
    Create a Surfing Quota for Guest Users on Sophos Firewall
Application Control
    Create an Application Filter
    User Synchronized App Control to Block an Application
    Categorize Cloud Applications on Sophos Firewall
    Create an Application Traffic Shaping Policy
Remote Access
    Configure an SSL Remote Access VPN
    Configure an IPsec Remote Access VPN
    Configure Clientless SSL VPN Access
Wireless Protection
    Deploying an Access Point
Logging and Reporting
    Run and Filter a Report
Central Firewall Management
    Manage Sophos Firewall in Sophos Central
    Central Firewall Reporting

© 2022 Sophos Limited. All rights reserved.
No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions, or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Introduction

These simulations accompany the course and form the practical part of the certification.

You should complete each section of the simulations when directed to do so in the training content.

If you need help or support at any point while completing the simulations, please contact us at globaltraining@sophos.com and one of the team will be able to assist you.

Sophos Firewall Deployment

Network Configuration Using the CLI
In this simulation you will use the CLI to change the IP address of the management port to be your LAN IP range.

Sophos Firewall Initial Setup Wizard
In this simulation you will configure Sophos Firewall using the initial setup wizard.

Getting Started with Sophos Firewall

Create Definitions on Sophos Firewall
In this simulation you create IP host, FQDN host, and service definitions on Sophos Firewall that can be used in firewall rules, VPNs, and other configuration.

Configure Zones and Interfaces on Sophos Firewall
In this simulation you will create zones for the Intranet and MPLS, and then configure the interfaces PortD and PortF for these zones respectively.

Configure a Static Route on Sophos Firewall
In this simulation you will create a simple static route on London Gateway 1 that will route traffic destined for the New York LAN subnet over the MPLS connection to New York Gateway.

Configure a DNS Request Route on Sophos Firewall
In this simulation you will configure DNS request routes on the Sophos Firewall.

Deploy Sophos Firewall Certificates
In this simulation you will deploy the Sophos Firewall certificate authorities using Active Directory Group Policy.

Import CA Certificates on Sophos Firewall
In this simulation you will import a CA certificate on Sophos Firewall. This can be required for the Sophos Firewall to validate certificates signed by authorities not included on Sophos Firewall by default, such as enterprise CAs.

Base Firewall

Create a Firewall Rule
In this simulation you will modify the default firewall rule to allow outbound traffic from additional zones, and then create firewall rules to allow traffic to and from the New York branch office over the MPLS.

Configure NAT Rules
In this simulation you will remove the linked NAT rule for the default firewall rule, unlink the NAT rule for email protection, and create a NAT rule for MPLS traffic.

Create a DNAT Rule Using the Server Access Assistant
In this simulation you will publish a server using a DNAT rule created using the server access assistant.

Create a TLS inspection rule on Sophos Firewall
In this simulation you will create a TLS inspection rule on Sophos Firewall that will decrypt all outbound traffic.

Network Protection

Create an IPS Policy
In this simulation you will create an IPS policy and apply it to a firewall rule.

Enabling Advanced Threat Protection
In this simulation you will enable advanced threat protection, trigger a detection, and review the resulting information.

Getting Started with Security Heartbeat
In this simulation you will register Sophos Firewall with Sophos Central and enable Security Heartbeat in a firewall rule. You will trigger a RED health status and confirm the device is blocked.

Site-to-Site Connections

Create an SSL Site-to-Site VPN
In this simulation you will create an SSL site-to-site VPN between two Sophos Firewalls.

Create a Route-Based IPsec Site-to-Site VPN
In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos Firewalls.

Deploy a RED on Sophos Firewall
In this simulation you will deploy a Remote Ethernet Device (RED) on Sophos Firewall in standard/split mode.

Authentication

Add an Active Directory Authentication Server
In this simulation you will add an Active Directory authentication server to Sophos Firewall and import groups.

Configure Single Sign-On Using STAS on Sophos Firewall
In this simulation you will configure single sign-on using the Sophos Transparent Authentication Suite on Sophos Firewall. You will then test your configuration.

Configure User Policies
In this simulation you will configure firewall rules to match based on user identity on Sophos Firewall.

Enable Multifactor Authentication
In this simulation you will enable multi-factor authentication on Sophos Firewall. You will then test your configuration.

Web Protection

Create Custom Web Categories on Sophos Firewall
In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user activity, and create user activity for controlling access to specific categories of website.

Create a Web Content Filter on Sophos Firewall
In this simulation you will create a custom content filter that will be used to detect web pages that contain common bullying terms.

Create a Custom Web Policy on Sophos Firewall
In this simulation you will clone and customize a web policy by adding additional rules.
You will then test the policy using two different users and the Policy Test tool.

Delegate Web Policy Overrides on Sophos Firewall
In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web policy override and use the access code generated to allow John Smith to access a site that is currently blocked.

Create a Surfing Quota for Guest Users on Sophos Firewall
In this simulation you will configure a surfing quota for guest users and apply it to the ‘Guest Group’. You will create a guest user and test your quota policy.

Application Control

Create an Application Filter
In this simulation you will create a custom application filter, apply it to a firewall rule, then test the results.

User Synchronized App Control to Block an Application
In this simulation you will reclassify an application detected by synchronized application control, then test that it is blocked.

Categorize Cloud Applications on Sophos Firewall
In this simulation you will review the cloud applications detected by Sophos Firewall and classify them.

Create an Application Traffic Shaping Policy
In this simulation you will configure and apply a traffic shaping policy for applications.

Remote Access

Configure an SSL Remote Access VPN
In this simulation you will configure an SSL remote access VPN using the assistant. You will then review the configuration created and test your VPN using the Sophos Connect client.

Configure an IPsec Remote Access VPN
In this simulation you will configure an IPsec remote access VPN. You will then test your VPN using the Sophos Connect client.

Configure Clientless SSL VPN Access
In this simulation you will configure bookmarks and policies for clientless SSL VPN access. You will then log in to the user portal to test your configuration.

Wireless Protection

Deploying an Access Point
In this simulation you will deploy an Access Point on Sophos Firewall.

Logging and Reporting

Run and Filter a Report
In this simulation you will run a report and filter it to customize the view. You will then create a bookmark for the report and schedule an executive report to be sent by email.

Central Firewall Management

Manage Sophos Firewall in Sophos Central
In this simulation you will add a Sophos Firewall to Sophos Central, assign it to a group, and push configuration changes to the firewall, including using VPN orchestration.

Central Firewall Reporting
In this simulation you will run reports for Sophos Firewall in Sophos Central.