What is Sophos Firewall?

Sophos Firewall FW0505: What is Sophos Firewall?
Sophos Firewall Version: 19.0v1, April 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

In this chapter you will learn the key functions performed by Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Experience of Sophos Central and Intercept X
✓ Practical knowledge of networking, including subnets, routing, VLANs, and VPNs
✓ Experience configuring network security devices
✓ Knowledge of fundamental encryption and hashing algorithms and certificates

DURATION: 10 minutes

Sophos Firewall Use Cases
[Slide: Next-Gen Firewall (Visibility, Protection, and Response); All-in-One Protection (Consolidate, Simplify, & Save); School Protection (Affordable, Simple Compliance & Control); SD-WAN & Branch (Retail, Branch Office, ICS & SD-WAN); Endpoint Integration (Synchronized Security & Automated Response); Public Cloud (Protection for Azure and Hybrid Networks)]

Sophos Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core. It does not only protect wired networks: acting as a wireless controller for Sophos access points, it can also provide secure wireless networking.

Management is provided through a single cloud-based platform, Sophos Central, making day-to-day management of all your Sophos products (including Sophos Firewall) easy and scalable.

There are features purpose-built to help universities, higher education, K-12, and primary or secondary educational institutions overcome key challenges, for example powerful web filtering policies and built-in policies for child safety and compliance.

With Sophos Firewall and SD-RED you can connect sites across your geographically distributed network.

Sophos Firewall works together with Sophos Central and Intercept X in real time. When either Sophos Firewall or Intercept X identifies a threat, they work together to provide health and threat monitoring, lateral movement protection, synchronized application control and synchronized user ID.

Sophos Firewall can be deployed using preconfigured virtual machines in the public cloud, where it secures cloud servers against attack.

See It, Stop It, Secure It
• Expose hidden risks: superior visibility into risky activity, suspicious traffic, and advanced threats helps you regain control of your network.
• Stop unknown threats: powerful next-gen protection technologies like deep learning and intrusion prevention keep your organization secure.
• Isolate infected systems: automatic threat response instantly identifies and isolates compromised systems on your network and stops threats from spreading.

Sophos Firewall includes a comprehensive built-in reporting engine, which allows you to drill down into reports to find the information you need. It also provides comprehensive next-generation firewall protection that exposes hidden risks, blocks unknown threats, and automatically responds to incidents.

See It
The Control Center appears as soon as you sign in. It provides a single-screen snapshot of the state and health of the security system, with traffic-light style indicators that immediately draw attention to what matters most. At a glance you can see your top risks related to heartbeat, apps, payloads, users, threats, websites and attacks.

Stop It
[Slide: Next-Gen Firewall; Web Application Firewall; Intrusion Prevention System; Advanced Threat Protection; Application Visibility and Control; Synchronized Security; Web Protection & SSL Inspection; Deep Learning; Sandboxing; Email, DLP, Encryption; Wireless Protection; RED and VPN]

Sophos Firewall analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for sophisticated attacks using a full suite of protection technologies. These include:
• Powerful zero-day protection sandboxing
• Deep learning with artificial intelligence
• Top performing IPS
• Advanced threat and botnet protection
• Web protection with dual AV, JavaScript emulation, and SSL inspection
All benefit from over 30 years of threat intelligence data from SophosLabs.
Secure It
[Slide: ransomware attack chain: phishing email, infected host, malware server; Sophos Firewall, Sophos Central and Security Heartbeat™ sit between the infected host, the servers and the other devices]

Threats like Emotet, and targeted ransomware such as Matrix and SamSam, demonstrate the ways cybercriminals constantly change their tactics to stay effective and profitable. The next-gen advancements of Sophos Firewall and Intercept X, combined with the intelligence of Synchronized Security (which is covered in another chapter) and easy management of all products within Sophos Central, are essential for maintaining protection and responding quickly to any attack.

Xstream Architecture
The Xstream architecture has three parts:
• TLS 1.3 decryption: TLS inspection provides transparency into the encrypted traffic on the network.
• Deep packet inspection engine: deep packet threat protection is provided in a single engine for anti-virus, intrusion prevention, web protection, application control and TLS inspection.
• Xstream Network FastPath: the FastPath accelerates SaaS, SD-WAN and cloud traffic such as VoIP and video, and other trusted applications, either automatically or via defined policies. Flows that qualify are placed on the FastPath to optimize performance.

Zero Trust Overview
Zero Trust is a cybersecurity mindset based on the principle of "trust nothing, check everything".

Traditionally, cybersecurity has involved creating a security perimeter and trusting that everything inside that perimeter is secure. This is a vulnerable design: once an attacker or unauthorized user gains access to the network, they have easy access to everything inside it and can progressively search for the key data and assets that are ultimately the target of their attack.

Zero Trust is a relatively new and evolving approach to network design, but it is also part of a wider mindset based on trusting nothing and checking everything. With Zero Trust, no user is trusted, whether inside or outside the network.

The number of users who want to work remotely, using their own personal devices to access corporate data and resources over untrusted networks such as those in coffee shops, is increasing. The use of SaaS apps, cloud platforms and services leaves some data outside the corporate perimeter, and the use of public cloud platforms means that many of the devices or services that once ran inside the corporate perimeter now run outside it. The principle of Zero Trust is to secure every device as if it were connected directly to the Internet.

ZTNA and Firewalls
[Slide: Sophos Central managing SD-RED, SD-WAN, ZTNA, VPN, switches and APX access points across service edge access, core network access, AWS and Azure]

ZTNA is complementary to a firewall, just as VPN is complementary to a firewall. The firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats, and unauthorized access. ZTNA bolsters a firewall by adding granular controls and security for networked applications, in the cloud or on-premises.

Network Segmentation
On the firewall side, network segmentation, or even micro-segmentation around your users, devices, apps and networks, provides one of the key benefits of the Zero Trust strategy. Dynamic policies are at the center of Sophos Firewall, with multiple sources of data available to use in a policy: identity, time of day, network location, device health, network packet analysis, and more. These sources can be combined in different ways depending on the scenario. As a key example, Server Protection and Intercept X can be used to assign every device a health status; if a device is compromised, it can be automatically isolated.

Lateral Movement Protection
Lateral Movement Protection effectively provides an adaptive micro-segmentation solution. Each individual endpoint is effectively on its own segment, able to be isolated in response to an attack or threat regardless of the network topology. Sophos Firewall integrates the health of connected hosts into your firewall rules, enabling you to automatically limit access to sensitive network resources from any compromised system until it has been cleaned up. This is made possible by Synchronized Security, Sophos's cross-portfolio approach to analyzing system and network activity, adapting to scenarios through dynamic policy, and automating complex tasks such as isolating machines.

Chapter Review
Here are the three main things you learned in this chapter:
• Sophos Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core.
• The firewall can expose hidden risks and use next-gen protection technologies to stop unknown threats, while automatic threat response identifies and isolates compromised systems.
• Sophos Firewall supports ZTNA by providing network segmentation and lateral movement protection.
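The dynamic-policy and Lateral Movement Protection passages above describe two decisions: a firewall rule that combines zone, identity, time of day and device health, and an endpoint-side block that applies even when two hosts share a broadcast domain. The model below is an added example written for this page, not Sophos code: the rule fields, the ordinal health levels (GREEN, YELLOW, RED, NONE), the "minimum source health" check and the isolation list are simplifying assumptions about how such a policy behaves, and the hosts and rules are constructed.

```python
"""Health-aware firewall rules plus endpoint-side isolation (model).

Added illustration; not Sophos code. Rule fields, health levels and the
isolation list are assumptions; the inventory and rule base are constructed.
"""
from dataclasses import dataclass
from datetime import time

# Ordinal Security Heartbeat health levels; NONE = no agent / no heartbeat.
HEALTH_RANK = {"GREEN": 3, "YELLOW": 2, "RED": 1, "NONE": 0}


@dataclass
class Host:
    ip: str
    zone: str
    user: str
    health: str = "NONE"


@dataclass
class Rule:
    """One firewall rule; the first matching rule wins (top-down evaluation)."""
    name: str
    src_zone: str
    dst_zone: str
    action: str = "ALLOW"
    users: frozenset = frozenset()       # empty = any user
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    min_src_health: str = "NONE"         # minimum source health permitted


def rule_matches(rule: Rule, src: Host, dst_zone: str, now: time) -> bool:
    """Combine zone, identity, time of day and device health in one decision."""
    if rule.src_zone != src.zone or rule.dst_zone != dst_zone:
        return False
    if rule.users and src.user not in rule.users:
        return False
    if not (rule.start <= now <= rule.end):
        return False
    return HEALTH_RANK[src.health] >= HEALTH_RANK[rule.min_src_health]


def evaluate(rules, src: Host, dst_zone: str, now: time):
    """Return (action, rule name); an unmatched flow hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, src, dst_zone, now):
            return rule.action, rule.name
    return "DROP", "implicit-deny"


# Endpoint side: healthy hosts drop packets from RED peers themselves, which
# covers traffic on the same segment that never crosses the firewall.
def isolation_list(hosts) -> set:
    return {h.ip for h in hosts if h.health == "RED"}


def endpoint_accepts(peer_ip: str, isolated: set) -> bool:
    return peer_ip not in isolated


# Constructed inventory and rule base.
ALICE = Host("10.0.0.10", "LAN", "alice", "GREEN")
BOB = Host("10.0.0.20", "LAN", "bob", "RED")        # endpoint reported a threat
PRINTER = Host("10.0.0.30", "LAN", "-", "NONE")      # no agent installed

RULES = [
    # Sensitive app: named users, office hours, and at least YELLOW health.
    Rule("lan-to-finance-app", "LAN", "DMZ", users=frozenset({"alice", "bob"}),
         start=time(8, 0), end=time(18, 0), min_src_health="YELLOW"),
    # General Internet access stays open so a RED host can still be remediated.
    Rule("lan-to-internet", "LAN", "WAN", min_src_health="NONE"),
]

if __name__ == "__main__":
    for host in (ALICE, BOB, PRINTER):
        print(host.user, "-> DMZ:", evaluate(RULES, host, "DMZ", time(10, 0)))
        print(host.user, "-> WAN:", evaluate(RULES, host, "WAN", time(10, 0)))
    print("isolated:", isolation_list([ALICE, BOB, PRINTER]))
```

Bob's RED status removes his access to the finance application while leaving the Internet rule intact, which is the "limit access to sensitive resources until cleaned up" behaviour described above; the isolation list is what the healthy endpoints would enforce locally.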
Sophos Firewall Features and the Attack Kill Chain

Sophos Firewall FW0510: Sophos Firewall Features and the Attack Kill Chain
Sophos Firewall Version: 19.0v1, April 2022

In this chapter you will learn what security features Sophos Firewall uses to protect networks, and how they map onto the attack kill chain.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall with identity-based policies
✓ The use of next-gen protection technologies to stop unknown threats
✓ How automatic threat response identifies and isolates compromised systems

DURATION: 20 minutes

Firewall Features
Sophos Firewall is a full-featured firewall and security device that can be used in many different scenarios. It can be placed at the edge of the network or inline behind other security devices. It can be the sole point of security for a network, operating at the edge and providing multiple services, or it can augment an existing implementation by providing services that other devices lack.

Attack Kill Chain
This chapter uses the following kill chain. The same diagram is repeated on each of the following slides; it is shown once here.

PRE-BREACH
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling an exploit with a backdoor into a deliverable payload
• Delivery: delivering the weaponized bundle to the victim via email, web, ...
• Exploitation: leveraging a vulnerability or functionality to execute code on the victim's machine
• Installation: installing malware on the asset
POST-BREACH
• Command and Control: a command channel for remote manipulation of the victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal

We will now look at the protection features offered by Sophos Firewall. To do this, we show adversary tactics and techniques and how Sophos Firewall is able to stop complex attacks at each phase of an attack. By reviewing these techniques, you will get a better and more reliable understanding of Sophos's ability to stop the attacker's techniques at each phase.

Protecting Against the Delivery of Malware
The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Attackers usually start by passively researching and gathering information about the target organization, for example the email addresses of key players such as the CEO and company directors. During passive reconnaissance the attacker is not touching your network or systems, so there is nothing to detect. During active reconnaissance they may look for network ranges, IP addresses and domain names, using port scanners, or find information about the company being sold on the dark web. Weaponization is done on the attacker's own device, so again there is nothing for Sophos Firewall to detect.

Now we come to the Delivery stage. This stage is defined by the attacker being able to reach your estate through an attack vector, for example an email, and deliver malware to a specific target. This is sometimes referred to as delivering a weaponized bundle to a target.

Email Attacks (Delivery)
[Slide: phishing flow: the attacker sends an email to the victim; the victim clicks on the email and goes to the phishing website; the attacker collects the victim's credentials; the attacker uses the victim's credentials to access the legitimate website. Exploit kit flow: scans for vulnerabilities on the victim's computer; exploits the vulnerabilities to download the exploit's malicious code onto the system.]

Attackers may send emails to users asking them to click on a link or go to a website that is compromised. This is referred to as phishing. Typically, in a phishing scam, you and many of your colleagues receive an email that appears to come from a reputable organization; it will sometimes include attachments which, if opened, can infect a device. Attackers use social engineering tactics over social networks, email, applications, phone calls, text messages and in person to get people to reveal sensitive information.
Typically, the attack is designed for some of the following purposes:
• Phishing credit-card account numbers and passwords
• Hacking private e-mails and chat histories
• Hacking the websites of companies or organizations and damaging their reputation
• Computer virus hoaxes
• Convincing users to run malicious code

Many malware infections begin with a user visiting a specially crafted website that exploits one or more software vulnerabilities. This can be triggered by a user clicking a link in an email or simply browsing the Internet, and the infection happens silently. Genuine websites can also be compromised by attackers who place malicious advertisements on the site. In other cases, traffic to the website is redirected to the attacker's server; the redirected site is designed to look authentic and usually requests a username and password to log in.

[Additional Information] You can find out more about social engineering and how it can be prevented by watching the video on Sophos's Naked Security page: https://nakedsecurity.sophos.com/tag/social-engineering/

Web Protection (Delivery)
Policies allow you to configure filters that automatically block categorized websites; if a user visits a blocked website, they cannot reach it.

Sophos Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or malware:
• Web Filtering provides pre-defined filters that automatically block access to categorized websites, such as gambling or pornography.
• Live Protection provides real-time lookups to SophosLabs to check for threats and prevent them from infecting the device or network.
• Pharming Protection prevents users from being redirected to fake or compromised websites.
• Certificate validation checks website certificates to ensure legitimacy.
• File type filtering is based on MIME type, extension and active content type. This can be used, for example, to block macro-enabled documents.
• Enforcing SafeSearch, a feature of search engines such as Google that acts as an automated filter for pornography and potentially offensive content.

Web Protection is customizable. For example, restricting users' surfing quota and access time gives control over what users can access and when. If you want to stop users reaching websites that are not business essential, you can add a restriction to the web policy that blocks non-business sites such as social networking.

Email Encryption and Control (Delivery)
[Slide: mail from the cyber criminal passes through Sophos Firewall, which either delivers it to the email servers or quarantines it]

To protect against email attacks, Email Encryption and Control can be used. The email scanning engine scans all inbound email for malicious content, and you control what email can be received into your network:
• IP reputation lets you decide whether to accept, reject or drop email sent from known spam senders.
• File-type detection scans for and blocks specific file types. For example, you can block or quarantine any macro-enabled files from any sender.
The email scanning engine also detects phishing URLs within emails and blocks those emails accordingly.

As well as scanning inbound and outbound email for malicious content, email protection lets you encrypt email so that you can send sensitive data securely out of your network. It uses SPX encryption for one-way message encryption, with recipient self-registration for SPX password management. This encryption is simple and secure and does not require certificates or keys. It also allows attachments to be added to SPX secure replies, so that files can be exchanged securely in both directions. Email protection also uses the Data Loss Protection (DLP) engine, which automatically scans emails and attachments for sensitive data. This is also a key benefit at the last stage of the attack, which we cover later in the module.

Zero-Day Protection (Delivery)
[Slide: Sophos Firewall sends a hash to Sophos Zero-Day Protection; stages: suspect, determine behavior, control, report]

Sophos zero-day protection uses next-gen sandbox technology with integrated deep learning, giving your organization an extra layer of security against ransomware and targeted attacks. It integrates with your Sophos Firewall and is cloud-delivered, so no additional hardware is required. It is the best defense against the latest payload-based malware lurking in phishing attacks, spam, and file downloads.

Let's look at how Sophos zero-day protection tests for and identifies possible malware:
• Sophos Firewall pre-filters traffic using all the conventional security checks, including anti-malware signatures and known bad URLs, so only previously unseen suspicious files are submitted to Sophos. This keeps latency and end-user impact to a minimum.
• If the file is executable or has executable content, it is treated as suspicious.
• Sophos Firewall sends the file's hash to Sophos to determine whether it has been analyzed before. If it has, Sophos returns the threat intelligence to the firewall, which delivers the file to the user's device or blocks it depending on the verdict. Sophos Firewall keeps a local cache of file hashes and results in a local database to avoid unnecessary lookups.
• If the hash has not been seen before, a copy of the suspicious file is sent to Sophos. There the file is executed and its behavior is monitored. Once fully analyzed, Sophos passes the threat intelligence to Sophos Firewall, which determines whether the file is allowed or blocked.
• In either case, Sophos Firewall uses the detailed intelligence supplied by zero-day protection to create deep, forensic reports on each threat incident.

Deep Learning (Delivery)
[Slide: millions of samples (Windows EXE, documents with macros, PDFs with scripts); features of the files defined (vendor, size, printable strings, settings, metadata, imports, contextual bytes); features labelled; learned model (deep learning); a PE file enters the deep learning engine and is classified malicious or legitimate]

Among the layers of protection within the sandbox is deep learning, which protects against the latest unseen advanced threats such as ransomware, crypto mining, bots, worms, hacks, breaches and advanced persistent threats, without using signatures. Deep learning uses a set of algorithms that try to replicate the way a human brain solves a problem: by looking at the features of an object, it decides what that object is.

Applied to securing your network: the deep learning model is trained on millions of samples of known good and bad files. It is taught the features of these files (the size, compression settings, printable strings, vendor and so forth), which are then labelled, and from these it builds a learned model. When a file is tested, the engine evaluates portable executable (PE) files at the time of execution within the sandbox and predicts whether the file is malicious or legitimate based on the characteristics learnt from the training samples. The prediction is returned and the file is categorized as malicious or legitimate.
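The two file-handling passages above (file-type filtering of macro-enabled documents, and the zero-day protection flow of pre-filter, hash lookup, local cache, sandbox submission and incident report) share one pipeline, so one added example covers both. It is written for this page and is not Sophos code: the cloud service, its table of known hashes and its "detonation" (faked here by a marker string) are constructed stand-ins, the macro check is the common heuristic of looking for a vbaProject.bin part inside the OOXML zip container, and the sample files are built in memory.

```python
"""Model of the zero-day protection submission flow (added illustration,
not Sophos code). The cloud service and its verdicts are constructed."""
import hashlib
import io
import zipfile


def has_executable_content(data: bytes) -> bool:
    """PE images and OOXML files carrying a VBA project count as suspicious."""
    if data.startswith(b"MZ"):
        return True
    if data.startswith(b"PK"):            # OOXML (docm/xlsm/...) is a zip container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in archive.namelist())
        except zipfile.BadZipFile:
            return False
    return False


class CloudSandbox:
    """Stand-in for the cloud service: a table of already analysed hashes plus a
    detonation step. Detonation is faked by a marker string (assumption)."""

    def __init__(self, known: dict):
        self.known = dict(known)          # sha256 -> "clean" | "malicious"
        self.submissions = []             # hashes of files actually uploaded

    def lookup(self, digest: str):
        return self.known.get(digest)

    def detonate(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.submissions.append(digest)
        verdict = "malicious" if b"ENCRYPT_ALL_FILES" in data else "clean"
        self.known[digest] = verdict
        return verdict


class FirewallFileScanner:
    def __init__(self, cloud: CloudSandbox):
        self.cloud = cloud
        self.cache = {}                   # local hash database
        self.incidents = []               # per-threat report entries

    def scan(self, filename: str, data: bytes, user: str):
        """Return (action, source); source names the step that decided."""
        if not has_executable_content(data):
            return "deliver", "prefilter"   # conventional checks assumed passed
        digest = hashlib.sha256(data).hexdigest()
        if digest in self.cache:
            verdict, source = self.cache[digest], "local-cache"
        else:
            verdict, source = self.cloud.lookup(digest), "hash-lookup"
            if verdict is None:             # unseen: upload the file itself
                verdict, source = self.cloud.detonate(data), "sandbox"
            self.cache[digest] = verdict
        if verdict == "malicious":
            self.incidents.append({"file": filename, "sha256": digest,
                                   "user": user, "source": source})
            return "block", source
        return "deliver", source


def make_ooxml(with_macro: bool, macro_body: bytes = b"") -> bytes:
    """Constructed minimal OOXML-like zip; real documents carry more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", macro_body)
    return buf.getvalue()


# Constructed samples and a cloud that has already seen the updater.
DOCM_DROPPER = make_ooxml(True, b"Sub AutoOpen() ENCRYPT_ALL_FILES End Sub")
DOCX_PLAIN = make_ooxml(False)
PE_KNOWN_CLEAN = b"MZ" + b"\x90" * 64 + b"legit-updater"
CLOUD = CloudSandbox({hashlib.sha256(PE_KNOWN_CLEAN).hexdigest(): "clean"})
SCANNER = FirewallFileScanner(CLOUD)

if __name__ == "__main__":
    for name, blob, user in [("memo.docx", DOCX_PLAIN, "alice"),
                             ("setup.exe", PE_KNOWN_CLEAN, "alice"),
                             ("invoice.docm", DOCM_DROPPER, "alice"),
                             ("invoice.docm", DOCM_DROPPER, "bob")]:
        print(name, user, SCANNER.scan(name, blob, user))
    print("uploads:", len(CLOUD.submissions), "incidents:", SCANNER.incidents)
```

Only the first copy of the macro document is uploaded; the second user hitting the same file is blocked from the local cache, and both events land in the incident list that a forensic report would be built from.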
Application Control (Delivery)
Configure application rules to restrict access to specific applications.

Application Control works on several levels to help protect your network. The most obvious is reducing the attack surface by controlling which applications are allowed: for example, users cannot download infected files through peer-to-peer applications if you block them. Application Control can be used to block various types of application, including:
• Unwanted applications. Some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, tools for administering PCs remotely, and scanners that identify vulnerabilities in computer systems.
• Peer-to-peer (P2P) networking applications. P2P applications can contain vulnerabilities and can act as servers as well as clients, which makes them more exposed to remote exploits.
• High risk applications. Sophos categorizes all applications, so you can apply the high risk application control policy and it will block all (and any new) applications categorized as high risk. For example, proxy and web storage applications are often high risk.
• Very high risk applications. In the same way, the very high risk category lets you block all applications classified as very high risk, for example Tor proxies, SuperVPN and AppVPN.

Synchronized App Control (Delivery)
• Sophos Firewall sees application traffic that does not match a signature.
• Sophos Endpoint shares the application name, path and even category with Sophos Firewall for classification.
• The firewall automatically categorizes and controls the application where possible, or the administrator can manually set the category or policy to apply.

According to Sophos, on average 60% of application traffic goes unidentified. Static application signatures do not work for custom, obscure or evasive apps, or for any app using generic HTTP or HTTPS. Synchronized App Control on Sophos Firewall automatically identifies unknown applications, enabling you to block the apps you don't want and prioritize the ones you do. This means you can identify, and deal with, the unknown threats and unwanted apps running on your network that put the organization at risk and impact user productivity.

Protecting Against Exploits
Users continue to be the easiest target for attackers, but an army of trained, phishing-aware employees can provide you with a human firewall against these threats. Let's look at the next stage, exploitation, which is defined by leveraging a vulnerability to execute code on a victim's machine. An exploit is a method or tool used to abuse software bugs for nefarious purposes.

Web Server Protection (Exploitation)
[Slide: an attacker on the Internet sends XSS, SQL injection, protocol violations and generic attacks through Sophos Firewall towards the web servers]

By their very nature, web servers need to be accessible from the Internet, which makes them targets for attackers who may be trying to extract data or install malware to compromise other users visiting the website. Attacks take many forms, including cross-site scripting (XSS), protocol violations and anomalies, cookie tampering (which cookie signing defends against), SQL injection, and other generic attacks.

Sophos Firewall includes comprehensive Web Server Protection, bundled with preconfigured templates to make protecting commonly used web-facing servers such as Microsoft Exchange as easy as possible. Web Server Protection acts as a reverse proxy, protecting web servers on the internal network or DMZ from inbound traffic. It uses a web application firewall to filter traffic, harden forms, sign cookies, and scan for malware. It can also authenticate incoming connections with a username and password before they reach the web server.

Intrusion Prevention System (IPS) (Exploitation)
An Intrusion Prevention System (IPS) protects against vulnerabilities and exploit kits. IPS monitors network traffic as it passes through the firewall for malicious activity, logs the activity, attempts to block it to prevent infection, and then reports it. Note that Intrusion Prevention is not a replacement for applying software patches that fix bugs and security vulnerabilities: a signature blocks a known exploitation pattern, while the patch removes the vulnerability itself.
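Cookie signing, one of the Web Server Protection functions listed above, is worth seeing in code: the backend sets its cookie as usual, the reverse proxy appends an HMAC on the way out, and on the way back in it strips the tag and forwards only cookies whose tag verifies, so a client that edits a cookie never gets its edited value to the backend. This is an added example written for this page, not Sophos code; the header rewriting, the tag format and the constant key are assumptions, and the exchange is constructed.

```python
"""HMAC cookie signing as a reverse proxy / WAF performs it (added
illustration, not Sophos code; format and key handling are assumptions)."""
import base64
import hashlib
import hmac


def _mac(key: bytes, name: str, value: str) -> str:
    # Bind the cookie name into the MAC so a valid tag for one cookie cannot
    # be moved onto a different cookie of the same site.
    digest = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_cookie(key: bytes, name: str, value: str) -> str:
    return f"{value}.{_mac(key, name, value)}"


def verify_cookie(key: bytes, name: str, signed: str):
    """Return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(tag, _mac(key, name, value)):
        return None
    return value


def parse_cookie_header(header: str) -> dict:
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k.strip(): v for k, v in pairs}


def outbound_set_cookie(key: bytes, set_cookie: str) -> str:
    """Rewrite a backend Set-Cookie header so the client receives a signed value."""
    name_value, _, attrs = set_cookie.partition(";")
    name, _, value = name_value.strip().partition("=")
    return f"{name}={sign_cookie(key, name, value)}" + (f";{attrs}" if attrs else "")


def inbound_cookie_header(key: bytes, cookie_header: str):
    """Return (Cookie header for the backend, names dropped as tampered/unsigned)."""
    kept, dropped = [], []
    for name, signed in parse_cookie_header(cookie_header).items():
        value = verify_cookie(key, name, signed)
        if value is None:
            dropped.append(name)
        else:
            kept.append(f"{name}={value}")
    return "; ".join(kept), dropped


# Constructed key; a real proxy would generate it randomly and rotate it.
KEY = b"\x11" * 32

if __name__ == "__main__":
    out = outbound_set_cookie(KEY, "session=abc123; Path=/; HttpOnly; Secure")
    print("to client :", out)
    signed_session = out.split(";")[0].split("=", 1)[1]
    # The client returns the signed session cookie and adds a forged one.
    hdr, bad = inbound_cookie_header(KEY, f"session={signed_session}; role=admin")
    print("to backend:", hdr, "| dropped:", bad)
```

The forged `role=admin` cookie never reaches the backend, and the same happens to a session cookie whose value or tag has been altered. The key lives only on the proxy; the backend needs no change.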
Coupling exploit with backdoor into deliverable payload Delivering weaponized bundle to victim via email, web … Leveraging a vulnerability or functionality to execute code on victim’s machine Installing malware on the asset Reconnaissance Weaponization Delivery Exploitation Installation PRE-BREACH Command channel for remote manipulation of victim Command and Control With ‘hands on keyboard’ access, intruders accomplish their goal Behaviour POST-BREACH This attack phase is where the installed malware makes a connection to a Command-and-Control server. In a typical advanced persistent threat lifecycle, the communication with a Command-and-Control host is a repeated process. This allows malware to adapt as more knowledge is gained by the attacker. Some of the more complex malware like Emotet includes communication to remote servers for further instructions and or updates or to upload or download further files. Sophos Firewall Features and the Attack Kill Chain - 18 Advanced Threat Protection (ATP) Allows isolation of the device and threat clean up Command and Control Detects and blocks malicious outgoing traffic Internet Globally monitors all outgoing traffic Sophos Firewall Records an alert in the Control Centre of the Sophos Firewall Computers Advanced Threat Protection monitors global outgoing traffic. It blocks outgoing network traffic attempting to reach malicious servers. This prevents remote access trojans from reporting back to their malicious servers. If ATP detects a threat an alert will be recorded, and the number of detections will be shown in the control center. 
The administrator can then check the alert for additional information about the threat, such as:
• The affected device’s IP address
• The affected device’s hostname
• The threat and number of times the rule was triggered
• The user and offending process

This process allows the administrator to clean up the threat while the device is isolated, protecting the rest of the network from becoming infected.

Protecting Against Malicious Behavior

[Diagram: the attack kill chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Behaviour), with the Behaviour stage highlighted]

This stage of the attack varies depending upon the type of malware. For example, a ransomware attack will look to encrypt data and demand a ransom, whereas spyware tends to log the keystrokes of victims to gain access to passwords or intellectual property. Next, we’ll review some of the Sophos Firewall protection components that detect malicious threats.

Automatic Device Isolation

[Diagram: at the Behaviour stage, Sophos Firewall instantly informs all healthy endpoints and servers, linked by Security Heartbeat™, to ignore any traffic from a compromised device (the infected host)]

Server Protection and Intercept X can be used to assign every device a health status. In the event a device is compromised, it can be automatically isolated from other parts of the network at the firewall, and the other, healthy devices will also block network connections with it.
This limits the fallout of a breach, the spread of malware, or the lateral movement of an attacker, even on the same broadcast domain or network segment, where the firewall has no opportunity to block the traffic. We’re effectively pushing isolation enforcement out to the endpoints so they can help the firewall isolate any threats and keep the network secure. This will stop any threat or attacker attempting to move laterally.

Email Protection

[Slide: Email Protection, at the Behaviour stage]

Email protection stops data from being leaked outside of the organization by email. You can create data control lists from the content control list (CCL). CCLs are based on common financial and personally identifiable data types, for example, credit card or social security numbers, postal or email addresses. When Sophos Firewall finds a match for the specified information, it applies the action specified in the policy.

Summary

[Slide: Sophos Firewall protection features mapped onto the attack kill chain]
PRE-BREACH (Reconnaissance, Weaponization, Delivery, Exploitation)
• SYNCHRONIZED SECURITY: Heartbeat™ links your endpoints with Sophos Firewall; automatic device isolation; Synchronized App Control; identify infected systems; monitor network health
• WEB PROTECTION: prohibited website blocking
• EMAIL PROTECTION: inbound antivirus and anti-spam scanning (with SPF and DKIM); SPX Email Encryption
• INTRUSION PREVENTION: Local Security Authority (LSASS); Security Account Manager (SAM)
• ZERO-DAY PROTECTION WITH DEEP LEARNING: time of click URL protection
• NETWORK PROTECTION: stop unknown and sophisticated threats; advanced networking protection; automatically responds to incidents
• MALWARE SCANNING: on-board antivirus engines; zero-day protection
POST-BREACH (Installation, Command and Control, Behaviour)
• WEB SERVER PROTECTION: blocks known attack techniques; Active Adversary Mitigations; reverse proxy authentication
• ADVANCED THREAT PROTECTION: detect and block C&C traffic
• APPLICATION CONTROL: block undesired applications; proxies, hacking tools, sniffers; out of date browsers, office apps
• DATA LOSS PREVENTION: email

Digital security and physical security have many parallels. Think of a building and how it could be protected. If you were to build nothing but a giant wall, it may prove difficult to climb over, but eventually someone will find a way to get over it (or under it). Now consider a fortress: armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors. It may be possible to hop the wall, but you still have many additional hurdles ahead of you. Single layers are simple to build but are also simple to bypass. Our goal has always been to build fortresses, so that multiple security elements are present to detect movement across assets and for attacks to be detected and stopped.

Chapter Review

Here are the three main things you learned in this chapter.
• Sophos Firewall provides multiple layers of protection to detect and block attacks.
• The delivery and exploitation phases are both intended to get malicious code onto a device and have it executed.
• Once malware is running or an attacker is on a device, attacks can be detected based on behavior.

Sophos Firewall Deployment Options and Common Scenarios
Sophos Firewall Version: 19.5v1

[Additional Information]
Sophos Firewall FW1005: Sophos Firewall Deployment Options and Common Scenarios
November 2022
Version: 19.5v1

Sophos Firewall Deployment Options and Common Scenarios - 1

In this chapter you will learn what platforms can be used to deploy Sophos Firewall, and some of the common ways in which it is deployed.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall with identity-based policies
✓ The multiple layers of protection provided to detect and block attacks

DURATION
11 minutes

Deployment Options

[Slide: deployment options]
• Hardware: Sophos XGS and XG devices
• Software: Intel compatible hardware
• Virtual: Hyper-V, VMware, Citrix Hypervisor, KVM
• Cloud: Azure, AWS, Nutanix

Sophos Firewall can be deployed in four ways:
• As a hardware device. Sophos XGS and XG devices come pre-loaded and ready to go
• As software installed onto Intel compatible hardware
• As a virtual device running on the most common hypervisors, including VMware, Citrix Hypervisor, Microsoft Hyper-V and KVM
• And finally, in the cloud on Azure, Amazon Web Services, and in the Nutanix ecosystem

However you choose to deploy Sophos Firewall, it uses the same software and provides the same functionality regardless of form factor.

XGS Series Highlights

[Slide: XGS series highlights]
• Performance and protection: intelligent, efficient traffic handling frees up resources for intensive tasks
• Dual processor architecture: combines a multi-core CPU with a dedicated Xstream Flow Processor for hardware acceleration
• Port density and diversity: a wide range of built-in and add-on connectivity options provide flexibility

The XGS series of devices for Sophos Firewall provides excellent performance and protection. Intelligent and efficient traffic handling frees up resources for intensive tasks, such as TLS inspection. This is made possible by the dual processor architecture, which pairs a multi-core CPU with a dedicated Xstream Flow Processor for hardware acceleration. The XGS series includes a wide range of built-in and add-on connectivity options, providing the flexibility to adapt to most environments.

XGS Series Hardware Overview

[Slide: Network Processing Unit (NPU) with NPU memory; 64-bit CPU with memory; fixed network ports; PoE support; optional modules for network port expansion; fail-to-wire]

Each XGS Series unit contains both a 64-bit CPU with system memory and an Xstream Flow Processor, also known as a Network Processing Unit or NPU, with its own memory. In addition to the fixed network ports, which increase with the unit model, there are optional modules that provide flexible options for expanding the network port selection.
The XGS Series includes support for PoE, or Power over Ethernet, ports (802.3af and 802.3at) and fail-to-wire, which allows traffic to pass through the unit if power is lost. Fail-to-wire and PoE can be available both onboard and with additional modules, depending on the unit model.

XGS Series Models

[Slide: desktop models; 1U models (1.75 inches); 2U models (3 inches)]

XGS Series units come in five variants:
• Desktop models, with and without built-in wireless
• 1U server rack models, as short or long devices, with the lower range models being around 10cm less in depth
• And 2U server rack models

All of the 1U and 2U models come with rackmount wings, and either include rails or have rails as an option. For the desktop models, rackmount wings are optional.

[Additional Information]
https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-firewall-br.pdf

XGS Desktop Models

[Table: specifications of the XGS 87/87w, 107/107w, 116/116w, 126/126w and 136/136w desktop models: CPU (cores/threads), memory, storage, fixed ports, VDSL SFP modem, optional 3G/4G module, and power (single, or optional dual PSU)]

All the desktop models are available both with and without built-in wireless and come with a single power supply. All desktop models except the base XGS 87 have the option to plug in a second power supply. There is an optional user-replaceable 3G/4G LTE module available for desktop XGS Series units, except the 87 and 107.

XGS Wireless Models

[Table: wireless specifications of the XGS 87w, 107w, 116w, 126w and 136w: antennas, radios, standards (802.11a/b/g/n/ac dual band), and optional wireless module (n/a, or 2x2 MIMO 802.11n/ac dual band)]

The wireless desktop models all have a single 802.11a/b/g/n/ac dual band radio. As there is only a single radio, these can only broadcast on either 2.4GHz or 5GHz, not both simultaneously. The XGS 116w, 126w, and 136w also have the option for a second wireless module that is 802.11n/ac dual band. This addition allows the device to broadcast on both the 2.4GHz and 5GHz bands simultaneously and provide better coverage.

XGS 1U Models

[Table: specifications of the XGS 2100, 2300, 3100, 3300, 4300 and 4500 1U models: CPU (cores/threads) 2/4, 2/4, 4/4, 4/8, 6/12 and 8/16 respectively; memory from 8 GB to 32 GB; storage from 120 GB to 2 x 240 GB SW RAID; 10 or 12 fixed ports; 1 or 2 FlexiPort bays; power via an optional external PSU, or an optional hot swappable PSU]

The XGS Series 1U devices all include an Ethernet management port that allows you to connect to the WebAdmin on https://10.0.1.1:4444. All 1U devices have an optional external PSU that can be mounted on the back of the unit so as not to take up additional rack space, except the XGS 4500, which has an optional internal hot swappable PSU. 1U devices also include either 1 or 2 FlexiPort bays.

XGS 2U Models

                      XGS 5500          XGS 6500
CPU (Cores/Threads)   16/32             24/48
Memory                64 GB             80 GB
Storage               2 x 480 HW RAID   2 x 480 HW RAID
Fixed ports           16                20
FlexiPort bays        2                 2
NIC expansion bays    1                 2
Power                 2                 2

The largest XGS Series 2U units include hardware RAID storage, 2 FlexiPort bays and 2 internal hot swappable power supplies. These units also include 1 or 2 NIC expansion bays, which can be used to add a module that has 4 x 2.5 GbE ports and 12 x GbE ports.

FlexiPort Modules

[Slide: FlexiPort modules available for the 1U and 2U models]
• 4 port 10 GbE SFP+
• 4 port 2.5 GbE PoE (1U only)
• 8 port GbE SFP
• 4 port GbE copper (2 bypass pairs)
• 4 port GbE PoE & 4 port GbE
• 8 port GbE
• 2 port GbE fibre (LC) bypass & 4 port GbE SFP+

Here you can see the FlexiPort modules that are available for the 1U and 2U models, apart from the 4 port 2.5 GbE PoE, which is only available for the 1U models. There are three other FlexiPort modules available only for the 2U devices:
• 8 port 10 GbE SFP+
• 2 port 10 GbE fiber (LC) bypass & 4 port 10 GbE SFP+
• 2 port 40 GbE QSFP+

Additionally, there is a VDSL SFP for all models that allows you to connect a DSL modem via SFP. Please note that FlexiPort modules are not hot swappable and require the device to be powered off to install.

Breakout Interface Support

Sophos Firewall supports breakout cables for 40 gigabit interfaces, splitting them into 10 gigabit interfaces using DAC or fiber breakout cables.

Supported Virtualization Platforms

[Slide: Microsoft Hyper-V, VMware, Citrix Hypervisor, KVM, Nutanix Prism. Before installing, turn off guest additions and services, and stop automated backups and snapshots. Additional information in the notes]

It is important to install Sophos Firewall on one of the supported virtualization platforms and their tested versions shown in the online help. These platforms have been tested and are known to work with the Sophos Firewall Operating System (SFOS).

[Additional Information]
Sophos Firewall: Supported virtualization platforms: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/VirtualAndSoftwareAppliancesHelp/vs_VirtualSoftwareApplianceIntro/index.html

Gateway Mode

[Diagram: Sophos Firewall in gateway mode. Port B connects to the Internet (WAN zone), Port A to the LAN zone, and Port C to the DMZ zone]

Let’s take a minute to look at some of the most common ways Sophos Firewall is deployed. The most common scenario is where you are looking to replace an aging firewall and need to protect your internal network. Sophos Firewall is deployed to handle the core routing and to act as the first line of defense against network threats. This is shown here with Sophos Firewall in gateway mode.
Port A is configured for the LAN zone, Port B for the WAN, and Port C for the DMZ. Any network threats trying to reach either the LAN or the DMZ zone will be stopped by the firewall. This is the type of deployment we will be focusing on in this course.

Bridge Mode

[Diagram: an existing firewall connects the Internet (WAN zone) to Port B; Sophos Firewall bridges the LAN zone (Port A) and the DMZ zone (Port C), adding Synchronized Security, Intrusion Prevention and Advanced Threat Protection]

Another common type of deployment is where there is an existing firewall that handles the WAN connectivity and is not going to be replaced. This is often done to add protection capabilities not offered by the existing firewall. So that you do not need to change the IP address schema of the network, Sophos Firewall can be deployed in bridge mode, which is also known as transparent mode or inline mode. In this mode the clients on the network are unaware of the Sophos Firewall, and traffic passes through without the IP addresses being changed, while still allowing Sophos Firewall to scan for and protect against threats.

Web Application Firewall

[Diagram: an existing firewall connects the Internet (WAN zone) to Port B; Sophos Firewall, with the Web Application Firewall enabled, sits in front of the web server and app server in the DMZ zone (Port C), with the LAN zone on Port A, protecting against buffer overflows, SQL injection and privilege escalation]

Sophos Firewall may also be added to a network to protect web applications. There are often many components that make up a web application, including web servers, databases, file servers and so forth, but this means that there is also a wide range of attacks that can be launched at them. In the example here, the Sophos Firewall can protect the web application from common attacks, including buffer overflows and SQL injection.

Discover Mode

[Diagram: the existing firewall connects the Internet (WAN zone) to a switch serving the LAN and DMZ zones; Sophos Firewall has its management port and a discover mode enabled port (Ports A and D) connected to the switch, using port mirroring to produce a Security Audit Report]

The last type of deployment we will look at is generally used for evaluating the capabilities of Sophos Firewall without the need to make any changes to the network. In this example, the Sophos Firewall is connected to a port on the switch that has port mirroring enabled, so that a copy of all the traffic is sent to the Sophos Firewall. While the Sophos Firewall cannot influence the live traffic on the network, it can log and report on what it sees, and from this you can see the additional protection it could add to the network. This is called discover mode.

Chapter Review

Here are the three main things you learned in this chapter.
• Sophos Firewall can be deployed using XGS series and XG series hardware appliances, virtually on-premise and in the cloud, or using Intel compatible hardware.
• XGS series appliances have a 64-bit CPU and a separate network processing unit (NPU), both with their own memory. The XGS series has support for dual power supplies, PoE, fail-to-wire, and expansion with FlexiPort modules.
• Sophos Firewall can be deployed for use in various ways; the most common are the default gateway mode, as a transparent bridge, for web server protection, and in discover mode.
Deploying Sophos Firewall Using the Initial Setup Wizard
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1020: Deploying Sophos Firewall Using the Initial Setup Wizard
April 2022
Version: 19.0v1

Deploying Sophos Firewall Using the Initial Setup Wizard v1.0 - 1

In this chapter you will learn how to use the Initial Setup Wizard to configure Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall
✓ The multiple layers of protection provided to detect and block attacks

DURATION
10 minutes

Connecting Sophos Firewall to the Network

[Slide: 1/LAN is the default LAN port to connect to for initial configuration; 2/WAN is the default WAN port. A different port can be selected in the initial setup wizard]

To set up the Sophos Firewall you need to start by connecting power, and then connecting the LAN and WAN ports. On hardware XGS Series and XG Series firewalls the default LAN and WAN ports will be marked. On software and virtual Sophos Firewalls these will be the first and second network cards. You will have the option to modify these ports either during the initial setup or once the setup is complete.

Command Line Interface (CLI)

[Slide: SSH; console. Default credentials: username admin, password admin. These credentials are changed as part of the initial setup wizard. Additional information in the notes]

Although Sophos Firewall is managed through a web interface, it also has a command line interface (CLI) that is accessible through SSH, a console connection, or a monitor and keyboard physically connected to the device. You may want to use the CLI to change the IP address of the management port to be in your LAN IP range, so that you can connect to the WebAdmin to complete the initial setup wizard. To log in to the CLI, use the password of the built-in ‘admin’ user. The default admin password is ‘admin’; you change this as part of the initial setup wizard. In the slide notes you can find the parameters for a console connection.

[Additional Information]
Console connection parameters:
• Baud rate or speed: 38,400
• Data bits: 8
• Stop bits: 1
• Parity and flow control: None or 0

Simulation: Network Configuration Using the CLI

In this simulation you will use the CLI to change the IP address of the management port to be in your LAN IP range.
https://training.sophos.com/fw/simulation/CliConf/1/start.html

WebAdmin

[Slide: default IP address 172.16.16.16 (/24); port 4444; WebAdmin URL https://DeviceIP:4444]

Sophos Firewall is configured and managed through a web interface. By default, the device’s IP address will be 172.16.16.16, and the WebAdmin on a Sophos Firewall runs on port 4444. So, to connect to the WebAdmin interface on a brand-new device you would need to connect to https://172.16.16.16:4444. You will receive a certificate error when connecting to the Sophos Firewall, because it is using an untrusted self-signed certificate.

Initial Setup Wizard

[Slide: set a new admin password; update the firmware; agree to the licence. Optionally: restore a backup configuration; connect as a high-availability spare]

We will now walk through the initial setup of a Sophos Firewall. On the first page you set a new admin password and accept the terms and conditions. If you are configuring the firewall on behalf of someone else, they must accept the terms and conditions. By default, the Sophos Firewall will download and install the latest firmware as part of the initial setup; however, you can deselect this to postpone it until later. You also have the option to restore a configuration backup, or to connect the Sophos Firewall as an auxiliary device to a high-availability pair. Both of these options provide a different initial setup from the full one we are going to show here.

Initial Setup Wizard

[Slide: configure the Internet connection. This step is skipped if the WAN port is configured by DHCP]

The Sophos Firewall requires an Internet connection for registration and, if selected, to download the latest firmware. You can choose which port to configure the WAN connection on, then you need to specify the IP address, subnet, DNS server and gateway. When you save these settings the Sophos Firewall will test the connectivity, then allow you to continue with the initial setup. If the WAN port is connected to a network that provides DHCP, this step will be skipped.

Initial Setup Wizard

[Slide: enter a hostname; set the time zone]

You can enter a fully qualified hostname for your Sophos Firewall. This can be either the internal or external hostname for the firewall; however, in most scenarios we would recommend using the internal hostname. Optionally, you can modify the automatically selected time zone.

Initial Setup Wizard

[Slide: register the Sophos Firewall. Enter the serial number; this is prefilled on hardware devices. Optionally: start a trial; migrate a UTM license; defer registration]

The next step is to register the Sophos Firewall. If you have a serial number, you can enter it to register your firewall. On hardware XGS Series and XG Series devices this will be prefilled. You also have the option to migrate an existing UTM license, start a trial, or defer the registration for 30 days. Deferring the registration can be useful if you are preparing a Sophos Firewall prior to taking it onsite. It is worth noting that when registration is deferred there are several features that you are unable to use. To complete the registration, you need to log in with your Sophos ID, and then the Sophos Firewall will synchronize the license.
Initial Setup Wizard

[Slide: configure the LAN network. Select which ports to bridge together to create the LAN; select the gateway; configure the IP address; optionally enable DHCP]

You have the option to configure the local network configuration, which differs depending on whether you are deploying a hardware, virtual or software Sophos Firewall. We will start by looking at hardware devices. Here you can select which ports to use for the LAN. All ports selected will be used to create a single bridged LAN interface. You can select the gateway for the LAN network to be either the Sophos Firewall or an existing gateway, in which case the LAN will be bridged to the WAN. You can configure the IP address for the Sophos Firewall, and optionally enable DHCP. Please note that DHCP cannot be enabled if the Sophos Firewall is bridging the LAN and WAN.

Initial Setup Wizard

[Slide: configure the LAN network. Select the LAN port; select the gateway mode; configure the IP address; optionally enable DHCP]

For virtual and software devices the configuration is very similar, except that instead of selecting ports to create a LAN bridge interface you select a single LAN port.

Initial Setup Wizard

[Slide: enable protection in the default outbound firewall rule]

As part of the initial setup wizard, the Sophos Firewall will create a default firewall rule for outbound traffic. Here you have the option of enabling various security options for that firewall rule. The options are:
• Protect users from network threats, which will enable an IPS policy.
• Protect users from suspicious and malicious websites, which will enable a web policy.
• Scan files that were downloaded from the web for malware, which will enable malware scanning.
• Send suspicious files to Sophos Sandstorm, which will enable Sandstorm scanning. This requires ‘Protect users from suspicious and malicious websites’ to be enabled.

Initial Setup Wizard

[Slide: enter an email address and sender for notifications; optionally specify an internal mail server for notifications; optionally enable automatic backups and enter an encryption password]

The last piece of configuration is for notifications and backups. Here you configure the recipient and sender email addresses for notifications. You can optionally configure an internal email server to use to send these. You can also enable automatic backups; to use this you need to set an encryption password for the backup files.

Simulation: Sophos Firewall Initial Setup Wizard

In this simulation you will configure Sophos Firewall using the initial setup wizard.
https://training.sophos.com/fw/simulation/InitialSetup/1/start.html

Secure Storage Master Key

When you log in to the firewall for the first time after installing, you will be prompted to create a secure storage master key. The secure storage master key is used to provide additional protection for account and password details stored in the device and in configuration backups. Once you have set the master key you cannot recover it, which is why the configuration asks you to confirm that you have stored it in a password manager or another safe place. If you do lose the secure storage master key, you will not be able to restore backups or configurations created with that key.

Secure Storage Master Key

[Slide: additional information in the notes]

While the storage master key cannot be recovered, it can be reset.
This is done via the command line using the default super administrator account. Login to the console of the Sophos Firewall as admin and choose option 2 for System Configuration, then option 5 to Reset the secure storage master key. [Additional Information] https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/enus/webhelp/onlinehelp/nsg/sfos/cliGuide/concepts/ResetSSMK.html Deploying Sophos Firewall Using the Initial Setup Wizard v1.0 - 17 Chapter Review The CLI can be used to change the IP address of the management port so that you can connect to the WebAdmin to complete the initial setup wizard The Initial Setup Wizard provides a web interface to configure and register the firewall The secure storage master key is used to provide additional protection for account and password details stored in the device and in configuration backups Here are the three main things you learned in this chapter. The CLI can be used to change the IP address of the management port so that you can connect to the WebAdmin to complete the initial setup wizard. The Initial Setup Wizard provides a web interface to configure and register the firewall. The secure storage master key is used to provide additional protection for account and password details stored in the device and in configuration backups. Deploying Sophos Firewall Using the Initial Setup Wizard v1.0 - 22 Deploying Sophos Firewall Using the Initial Setup Wizard v1.0 - 23 Managing Device Access and Certificates on Sophos Firewall Sophos Firewall Version: 19.0v1 [Additional Information] Sophos Firewall FW1550: Managing Device Access and Certificates on Sophos Firewall April 2022 Version: 19.0v1 © 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. 
In this chapter you will learn how to control access to admin services and add a certificate to replace the default ‘ApplianceCertificate’.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION 10 minutes

Control Access to Local Services

• Local services are management services of Sophos Firewall
• Examples include the web admin and CLI consoles, and authentication services
• Firewall rules cannot be used to control access to local services
• Control access to the management services of Sophos Firewall from custom and default zones using the local service ACL (Access Control List)

Local services are management services specific to the internal functioning of Sophos Firewall, such as the web admin and CLI consoles, and authentication services. Firewall rules cannot be used to control traffic to these services. Instead, you control access to them from custom and default zones using the local service ACL (Access Control List).
Device Access

Device Access is configured in: SYSTEM > Administration > Device Access

The zones which are allowed access to admin services can be managed on the Device Access page under the heading Local service ACL. The example shows that only the LAN and WiFi zones are allowed access to admin services using HTTPS and SSH. This page gives an easy, graphical way to manage access to admin services, as well as authentication, network, and other services, from any zone on the Sophos Firewall.

Best Practices

Sophos does not recommend allowing access to the web admin console (HTTPS), CLI console (SSH), and the user portal from the WAN zone or over the SSL VPN port. Even though you can enable access to admin services from these zones, the WebAdmin will warn you that this is not a safe practice. If you must give access, best practices are provided in the Administrator Help.

[Additional Information]
Best practices: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/enus/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html

Local Service ACL Exception Rule

Local service ACL rules allow an administrator to quickly enable or disable access to a service for a specific zone. While this is a simple way to enable access to these services, it does not allow an administrator to securely grant access to services from untrusted zones. An administrator may also want to restrict access from specific IP addresses within a secure zone, for example to prevent guests from being able to see the User Portal login page. To allow only specific hosts and networks to access the services, scroll down to Local service ACL exception rule and click Add.
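To make the interaction between the zone ACL and exception rules concrete, the following is an added Python model written for this chapter; it is not Sophos code, and it simplifies how SFOS evaluates Device Access (it assumes exception rules are checked in order before the zone ACL and that each rule either accepts or drops). The zones, addresses and rules are constructed sample data. The audit helper flags any admin service opened to the whole WAN zone, which is the situation the best-practice slide warns about.

```python
import ipaddress

# Constructed sample of a Device Access configuration (not an export from a
# real firewall). Zone ACL: which local services each zone may reach.
LOCAL_SERVICE_ACL = {
    "LAN":  {"HTTPS", "SSH", "UserPortal"},
    "WiFi": {"HTTPS", "SSH"},
    "WAN":  set(),               # nothing opened to the Internet by zone
    "VPN":  {"UserPortal"},
}

# Exception rules, evaluated in order; the first rule whose source network and
# service match decides. Simplified model (assumption): a rule either accepts
# or drops, and if no rule matches the zone ACL decides.
EXCEPTION_RULES = [
    # Admin jump host on the Internet may reach WebAdmin and SSH
    {"sources": ["203.0.113.10/32"], "services": {"HTTPS", "SSH"}, "action": "accept"},
    # Guest subnet inside the LAN must not see the User Portal login page
    {"sources": ["10.0.50.0/24"], "services": {"UserPortal"}, "action": "drop"},
]

ADMIN_SERVICES = {"HTTPS", "SSH", "UserPortal"}


def service_allowed(zone, src_ip, service, acl=LOCAL_SERVICE_ACL, rules=EXCEPTION_RULES):
    """Decide whether a connection from src_ip in `zone` may reach a local service."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        in_scope = service in rule["services"] and any(
            addr in ipaddress.ip_network(net) for net in rule["sources"])
        if in_scope:
            return rule["action"] == "accept"
    return service in acl.get(zone, set())


def wan_exposed_admin_services(acl=LOCAL_SERVICE_ACL):
    """Audit helper: admin services opened to the entire WAN zone by the zone
    ACL, i.e. not narrowed to specific hosts by an exception rule."""
    return sorted(acl.get("WAN", set()) & ADMIN_SERVICES)


if __name__ == "__main__":
    print(service_allowed("WAN", "198.51.100.7", "HTTPS"))   # Internet host: False
    print(service_allowed("WAN", "203.0.113.10", "SSH"))     # jump host: True
    print(service_allowed("LAN", "10.0.50.33", "UserPortal"))  # guest: False
    print(wan_exposed_admin_services({"WAN": {"HTTPS", "SSH"}}))
```

Run the audit against your own zone ACL export: an empty list for the WAN zone means admin services are only reachable from the Internet through explicit exception rules, which is the posture the Administrator Help recommends.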
Local Service ACL Exceptions

In the example shown here, we are allowing access to the WebAdmin and SSH in the WAN zone, but only from the specified IP address.

Device Access for a Zone

We have looked at the built-in zones on the Sophos Firewall: LAN, WAN, VPN, DMZ, and WiFi. While you can choose to use only these zones, you also have the option of creating additional custom zones to further define your networks. When you create or edit a zone from Network > Zones, you can also configure which services it can access on the Sophos Firewall.

Certificates for Firewall Management

• Untrusted default ApplianceCertificate
• Trusted certificate when using Central Firewall Management

When you first connect to a Sophos Firewall’s WebAdmin console, you may notice that you get a certificate error. This does not mean that your connection is insecure, but rather that the certificate is untrusted by your machine. Sophos Firewall comes with a default certificate called ‘ApplianceCertificate’, which is used to provide HTTPS for the Admin Portal, User Portal and SSL VPNs. The common name on this certificate is the serial number of the appliance, and therefore you will almost certainly get a certificate error when you log in. If you use Sophos Central to connect to Firewall Management, the certificate provided by Sophos Central will be trusted.
Certificates

Options for adding a certificate to Sophos Firewall:
1. Upload: upload a certificate signed by a trusted CA
2. Self-Signed: create a self-signed certificate that will be signed by the ‘Default’ signing CA
3. CSR: create a certificate signing request that will be signed by a trusted CA

Certificates can be added to Sophos Firewall and then selected for use in place of the default ‘ApplianceCertificate’. There are three options for doing this:

1. Upload a certificate that has been signed by an external trusted certificate authority. This could be a third-party company such as GlobalSign, or an internal enterprise certificate authority. To upload a certificate, you need to provide the certificate, the private key, and the passphrase for decrypting the private key.
2. Generate a self-signed certificate. This will be generated and signed by the Sophos Firewall’s own ‘Default’ signing certificate authority.
3. Generate a CSR and download it along with the private key and passphrase. This is a signing request for a certificate that can be signed by either a third-party company or an internal enterprise certificate authority. Once you have the certificate you can then upload it to the Sophos Firewall.

Adding a Locally Signed Certificate

In this example, the option to Generate locally-signed certificate has been selected and the required information for the certificate has been entered. This must include the common name, which is included in the Distinguished name, and one or more Subject Alternative Names. SANs define the entities for which your certificate will be valid and can be DNS names or IP addresses.
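The three certificate options above all come down to the same objects: a private key, a CSR or certificate whose common name and Subject Alternative Names cover the names you will type into the browser, and, for upload, the certificate plus a passphrase-protected key. The following is an added Python example (not Sophos code; it assumes the third-party `cryptography` package is installed) that builds a CSR with DNS and IP SANs, self-signs it as a stand-in for the firewall’s ‘Default’ signing CA, and checks a hostname against the certificate the way a browser does. The hostnames, addresses and the serial-number-style common name are constructed sample values.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_csr(common_name, dns_names=(), ip_addrs=()):
    """Generate a private key and a CSR carrying the given CN and SAN entries.
    Returns (private_key, csr). The SAN extension is omitted if no names given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = x509.CertificateSigningRequestBuilder().subject_name(
        x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
    sans = [x509.DNSName(d) for d in dns_names] + \
           [x509.IPAddress(ip_address(i)) for i in ip_addrs]
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return key, builder.sign(key, hashes.SHA256())


def self_sign(key, csr, days=365):
    """Issue a certificate for the CSR signed by its own key. This stands in for
    the firewall's 'Default' signing CA; a real CA signs with the CA's key."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(csr.subject)
               .issuer_name(csr.subject)
               .public_key(csr.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + timedelta(days=days)))
    for ext in csr.extensions:            # carry the SAN over from the request
        builder = builder.add_extension(ext.value, ext.critical)
    return builder.sign(key, hashes.SHA256())


def cert_names(cert):
    """Return (common_name, [DNS SANs], [IP SANs]) for a certificate."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return cn, [], []
    return (cn,
            san.get_values_for_type(x509.DNSName),
            [str(i) for i in san.get_values_for_type(x509.IPAddress)])


def cert_matches_host(cert, host):
    """Mimic a browser's name check: the host typed into the address bar must
    appear in the SAN (exact DNS match, wildcards not handled here, or an IP
    entry). Browsers have ignored the CN for years, so a CN holding only the
    appliance serial number always yields a certificate error."""
    _, dns, ips = cert_names(cert)
    try:
        return str(ip_address(host)) in ips
    except ValueError:
        return host.lower() in (d.lower() for d in dns)


def export_for_upload(key, cert, passphrase):
    """PEM-encode the certificate and the passphrase-protected private key: the
    certificate, key and passphrase are what the firewall asks for on upload."""
    key_pem = key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase))
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


if __name__ == "__main__":
    k, csr = build_csr("fw.example.com", ["fw.example.com"], ["192.0.2.1"])
    cert = self_sign(k, csr)
    print(cert_names(cert), cert_matches_host(cert, "192.0.2.1"))
```

To exercise the CSR path instead, write `csr.public_bytes(serialization.Encoding.PEM)` to a file and hand it to your enterprise CA; the certificate it returns is uploaded with the key and passphrase produced by `export_for_upload`.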
Certificates

Certificates can be viewed in: SYSTEM > Certificates > Certificates

The new certificate is now listed alongside the ‘ApplianceCertificate’.

Select a Certificate

If you have created a new certificate or uploaded a public certificate to the firewall, it can be assigned for use by the WebAdmin and user portal. Admin and user settings, under Administration, lets you select another certificate from the drop-down list.

Verification Certificate Authorities

• Includes certificates for common trusted Internet root CAs
• Upload certificates for additional CAs

Sophos Firewall comes preconfigured with the certificates of common trusted Internet root certificate authorities; these are used to verify the certificates of devices the Sophos Firewall connects to. You can also upload additional CA certificates that you want to trust, such as an internal enterprise CA that signs the certificates for your internal servers.

Simulation: Import CA Certificates

In this simulation you will import CA certificates from an internal certificate authority to Sophos Firewall.
https://training.sophos.com/fw/simulation/ImportCACertificates/1/start.html

Signing Certificate Authorities

Two default signing CAs:
• Default: used for creating certificates
• SecurityAppliance_SSL_CA: used for HTTPS scanning and email TLS/SSL connections

Upload additional CAs:
• Provide the certificate and private key
• Can be selected for use in Web and Email protection

Sophos Firewall also acts as a certificate authority, and so comes with two signing CAs.
• The ‘Default’ signing CA is used for creating and signing certificates.
• The ‘SecurityAppliance_SSL_CA’ is used for creating the certificates used in HTTPS web scanning and securing TLS/SSL email connections.

You can upload additional signing CAs by providing the private key together with the CA certificate when you upload it. These CAs can then be selected for use in Web and Email Protection.

• The Email CAs can be separately selected for SMTPS and for IMAPS and POPS. This is done in EMAIL > General settings.
• The Web CA for HTTPS scanning can be selected in Web > Protection.

Simulation: Deploy Sophos Firewall CA Certificates

In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active Directory Group Policy.
https://training.sophos.com/fw/simulation/DeployCertificates/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.

• The zones which are allowed access to admin services can be managed on the Device Access page. Local service ACL exception rules restrict access by IP address or by network.
• Certificates can be added to Sophos Firewall and used in place of the default ‘ApplianceCertificate’, which generates a certificate error.
• Sophos Firewall acts as a certificate authority with two signing CAs. ‘Default’ creates and signs certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web scanning and securing TLS/SSL email connections.

Introduction to Routing and SD-WAN on Sophos Firewall
Sophos Firewall Version: 19.5v1
Sophos Firewall FW1525: Introduction to Routing and SD-WAN on Sophos Firewall
November 2022

In this chapter you will learn how to configure routing and SD-WAN on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION 20 minutes

Routing

• Default route
• Directly connected network
• Where do I send this to reach its destination?
When Sophos Firewall receives traffic, it needs to know where to send it so that it will reach its destination. If the traffic is destined for a network that Sophos Firewall is connected to, then it knows where to send it. Everything else is sent to the default route, which is normally the ISP, or Internet service provider.

Routing

• Gateway
• Indirectly connected network
• Where do I send this to reach its destination?

If traffic is destined for a network that is not directly connected to the Sophos Firewall, by default it will not know where to send it, and so it will be sent to the default route. In the example shown here, we would need to create a route on the Sophos Firewall so that it knows to send traffic destined for the indirectly connected network to the gateway for that network.

Types of Configurable Route

STATIC
• The simplest type of configurable route
• Traffic sent to a specific gateway based on destination only

SD-WAN
• Routing based on many attributes
• Can route to a specific gateway
• Gateway health monitoring
• Can select a gateway based on quality metrics or load balancing

DYNAMIC
• Routes are learned by communicating with other routing devices on the network

There are three types of configurable route you can create on Sophos Firewall:
• Static routes. These are the simplest type of route; they send traffic to a specific gateway based on the destination only.
• SD-WAN routes. These can route traffic based on more attributes, including the source, service, application, and user. They can route to a specific gateway or a backup gateway based on health monitoring; alternatively, you can use a profile to select a gateway based on quality metrics or load balancing.
• Dynamic routes.
These are routes that are learned by communicating with other routing devices on the network.

Static Routes

Static routes are configured in: CONFIGURE > Routing > Static routes

• Network that is not directly connected to the Sophos Firewall
• Gateway and interface to use to route the traffic

Let’s start by looking at an example of a static unicast route. These are created in CONFIGURE > Routing > Static routes. Enter the network and netmask of the destination traffic that will match this route; in this example, any traffic to 192.168.16.0/24 will match. Then enter the IP address of the gateway to send the traffic to, and select the port to send the traffic on.

Static Routes

• Administrative distance: compare distances between routing protocols
• Metric: route selection between static routes

For each static route you can also set the administrative distance and metric to set its relative priority. The administrative distance is used to compare distances between routing protocols; for example, the administrative distance for OSPF is the shortest distance learned for a route. The metric is used for route selection between static routes.

Simulation: Create a Static Route

In this simulation you will configure a static route on Sophos Firewall.
https://training.sophos.com/fw/simulation/StaticRoutes/1/start.html

Gateways

Gateways are configured in: CONFIGURE > Routing > Gateways

To configure SD-WAN routes you need to start by creating the gateway you will be sending the traffic to. This is done in CONFIGURE > Routing > Gateways.
On this page you can see all your gateways, both those that you have added here and the gateways configured for WAN interfaces.

Gateways

• Gateway details
• Gateway health monitoring

When you add a gateway, start by specifying the IP address, the interface it can be reached on, and optionally the zone it is in. Further down the page you can configure health monitoring for the gateway. This is filled in with the gateway IP address by default, but it can be customized to use a host reached through the gateway. You may need to do this if the gateway will not respond to PING or TCP requests from Sophos Firewall.

SD-WAN Routes

SD-WAN routes are configured in: CONFIGURE > Routing > SD-WAN routes

SD-WAN routes are configured in two sections: the ‘Traffic selector’, which defines what traffic the route matches, and the ‘Link selection settings’, which determine the gateway to use. SD-WAN routes provide a much wider range of traffic selection criteria. You can select the traffic you want to route based on:
• The interface it arrives at the Sophos Firewall on
• The source and destination networks
• The service
• DSCP marking
• User
• Application

SD-WAN Routes

In the ‘Link selection settings’ section you can choose between using an SD-WAN profile, which we will cover shortly, or a primary and backup gateway. The SD-WAN route will use the gateway health status to determine which of the gateways to use, preferring the primary gateway when it is available. If you always want the traffic to be routed via a specific gateway and no other, you can optionally enable Route only through specified gateways.
This means the routing will not fail over to an alternative gateway, even if the specified gateway is unavailable.

Routing Precedence (additional information in the notes)

Configurable route precedence:
• Health Check Routes
• Static Routes (directly connected networks, dynamic routing protocols, unicast routes)
• SD-WAN Routes
• VPN Routes (SSL VPN routes, IPsec VPN routes)
• Default Route (WAN Link Manager)

Routes are processed in order of precedence. By default, this is health check routes first, then static routes, SD-WAN routes, VPN routes, and finally the default route. Health check routes always take precedence, as routing traffic to check gateway health must be done independently of any routes configured. The default route is the gateway derived from the load balancing configuration across active gateways. The precedence of SD-WAN routes, VPN routes, and static routes can be modified on the command line; however, the precedence within static routes depends on the specificity of the route and the distance metric. The more specific the route, the higher the precedence, and the lower the distance, the higher the precedence.

[Additional Information]
Routing behaviour documentation: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/enus/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyBehavior/index.html

Routing Precedence (additional information in the notes)

console> system route_precedence show
Default routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes

console> system route_precedence set sdwan_policyroute vpn static

At the top of the SD-WAN routes page, the current route precedence is displayed. This can be checked and modified via the console using the system route_precedence command.

[Additional Information]
To access the console, connect using SSH and log in as admin. Choose option 4 for Console.
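The precedence rules above (categories walked in order, and within static routes the most specific prefix and then the lowest distance winning) are easy to get wrong when troubleshooting, so here is an added Python model of the lookup; it is not Sophos code and simplifies the real behaviour: SD-WAN routes are matched on destination only (real ones also match source, service, user and so on), health-check routes are left out, and the routing table, addresses and distance values are constructed. Changing the `precedence` argument mirrors the effect of the `system route_precedence set` command shown above.

```python
import ipaddress

# Constructed sample routing table (not exported from a firewall). Directly
# connected networks, dynamically learned routes and unicast routes all sit in
# the "static" category, as the course's precedence diagram groups them.
ROUTES = {
    "static": [
        {"net": "10.0.0.0/24",     "gw": None,       "iface": "Port1", "distance": 0,  "metric": 0},   # directly connected
        {"net": "192.168.16.0/24", "gw": "10.0.0.2", "iface": "Port1", "distance": 1,  "metric": 0},   # static unicast route
        {"net": "192.168.16.0/24", "gw": "10.0.0.3", "iface": "Port1", "distance": 1,  "metric": 10},  # same prefix, worse metric
        {"net": "192.168.0.0/16",  "gw": "10.0.0.4", "iface": "Port1", "distance": 1,  "metric": 0},   # less specific prefix
        {"net": "172.16.0.0/16",   "gw": "10.0.0.9", "iface": "Port1", "distance": 50, "metric": 0},   # learned dynamically (constructed distance)
        {"net": "172.16.0.0/16",   "gw": "10.0.0.8", "iface": "Port1", "distance": 1,  "metric": 0},   # admin-configured, lower distance wins
    ],
    # Simplification: SD-WAN routes here match on destination only.
    "sdwan":   [{"net": "192.168.16.0/24", "gw": "10.0.1.2", "iface": "Port2"}],
    "vpn":     [{"net": "10.99.0.0/16", "gw": "ipsec-branch", "iface": "xfrm1"}],
    "default": {"gw": "198.51.100.1", "iface": "Port2"},
}

# Order reported by 'system route_precedence show' on a default installation.
DEFAULT_PRECEDENCE = ("static", "sdwan", "vpn")


def best_static(dst, routes):
    """Longest prefix first, then lowest administrative distance, then lowest metric."""
    matches = [r for r in routes if dst in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["net"]).prefixlen,
                                       r["distance"], r["metric"]))


def lookup(dst_ip, table=ROUTES, precedence=DEFAULT_PRECEDENCE):
    """Return (category, next hop) for dst_ip, walking the categories in
    precedence order and falling through to the default route."""
    dst = ipaddress.ip_address(dst_ip)
    for category in precedence:
        if category == "static":
            route = best_static(dst, table["static"])
        else:
            route = next((r for r in table[category]
                          if dst in ipaddress.ip_network(r["net"])), None)
        if route is not None:
            return category, route["gw"] or "connected:" + route["iface"]
    return "default", table["default"]["gw"]


if __name__ == "__main__":
    print(lookup("192.168.16.5"))                                   # static route wins
    print(lookup("192.168.16.5", precedence=("sdwan", "vpn", "static")))  # after 'set sdwan_policyroute vpn static'
    print(lookup("8.8.8.8"))                                        # default route
```

The second call shows why the console command matters: with SD-WAN policy routes moved ahead of static routes, the same destination leaves through a different gateway.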
Multiple Internet Connections

Sophos Firewall supports environments with multiple WAN connections. When you add a WAN connection in Sophos Firewall you must specify a gateway; you can then use the WAN link manager to configure how the WAN connections are used.

WAN Link Manager

WAN link manager is configured in: CONFIGURE > Network > WAN link manager

The WAN link manager provides an immediate view of the status of your WAN gateways. Through this page you can access advanced settings for your WAN gateways to configure how they are used.

WAN Link Manager

• Gateway type: Active or Backup
• Failover and failback behaviour
• Rules for detecting failed active gateways

WAN gateways can be configured as either active or backup. Where there are multiple active gateways, Sophos Firewall will load balance traffic between them. Where a gateway has been configured as a backup, it will only be activated based on the configuration on this page: this can be manually, or if any, all, or a specific gateway fails. When a backup gateway is activated, it can inherit the weight of the gateway it is replacing, or you can manually set the weight that it will be given. You can configure how connections are handled when the active gateway comes back online, either gradually serving new connections to the active gateway or immediately switching all connections to it. If all connections are immediately switched to the active gateway when it comes back online, existing connections can be dropped and re-established. Further down the page you can define how Sophos Firewall tests whether the gateway has failed; this can use either PING or TCP connections to an IP address.
You can also add multiple test conditions so that a single test server being offline does not cause the gateway to fail over.

SD-WAN Profiles

• Traffic selection using SD-WAN routes
• Link selection based on SLA (for example, a link with 5ms latency versus one with 134ms latency)

SD-WAN profiles provide link management that allows you to define routing strategies across multiple gateways. Using SD-WAN profiles enables seamless and efficient routing and rerouting of traffic based on the performance and stability of the link, optimizing network performance and ensuring continuity. For example, if you have multiple ISP connections, you can use SD-WAN profiles and policy routing to ensure that business-critical applications always use the best link.

SD-WAN Profiles

• Load balancing using SD-WAN routes
• Link selection based on SLA

Alternatively, you can choose to load balance the traffic between multiple connections and use the SLA to determine which connections should be used.

SD-WAN Profiles

SD-WAN profiles are managed in CONFIGURE > Routing. Start by selecting the routing strategy, which can be either first available gateway or load balancing. When the load balancing mode is selected you can select the load balancing method used. You can use ‘Round-robin’, which distributes the connections to each gateway in turn. Alternatively, you can choose a session persistence type to use to route the traffic through the same gateway.
You can choose between:
• Source IP address
• Destination IP address
• Source and destination IP address
• Connection

SD-WAN Profiles

You can select up to 8 gateways; these can include custom gateways such as route-based VPN gateways.

SD-WAN Profiles

If you are using load balancing, you can choose to weight the distribution of traffic across the gateways. For example, you may want to do this if the connections are different speeds. By default, all gateways are given a weight of one.

SD-WAN Profiles

The default SLA (service level agreement) selects the gateway with the best quality link based on latency. You can change this to use jitter or packet loss instead for determining the quality of the link. For load balancing, the SLA can be used to select only the gateways that meet the minimum quality settings that you select.

SD-WAN Profiles

• Probe via Ping or TCP connection
• Configure one or two probe targets
• Customize the health check settings

SD-WAN profiles provide granular options for monitoring the health of the link. Note that when you have an SLA enabled for the profile, you cannot disable the health check. The health check can be done using either Ping or TCP, to either one or two probe targets. Where TCP is selected, the port must be entered for the probe targets. You may want to change the probe target, either because the gateway does not respond to PING, or to better test that the gateway is able to route through to the destination network. If you only test the gateway itself, you are testing the interface closest to the firewall; this does not test that the outbound interface is also operational.
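The profile settings covered in the last few slides (first available gateway versus load balancing, the SLA metric and thresholds, gateway weights, and session persistence) combine into one selection decision. The following is an added Python model of that decision, written for this chapter and not Sophos code; the probe results, weights and flows are constructed sample data, and the persistence hashing is an assumption about how sticky selection could be implemented, not a description of the SFOS algorithm. It also shows the failure mode the health check is there for: an unhealthy gateway or one outside the SLA never receives traffic.

```python
import hashlib

# Constructed probe results for three gateways (not real monitoring data).
GATEWAYS = {
    "ISP1": {"weight": 3, "healthy": True,  "latency_ms": 5,   "jitter_ms": 1,  "loss_pct": 0.0},
    "ISP2": {"weight": 1, "healthy": True,  "latency_ms": 134, "jitter_ms": 20, "loss_pct": 0.5},
    "LTE":  {"weight": 1, "healthy": False, "latency_ms": 60,  "jitter_ms": 5,  "loss_pct": 0.0},
}
# SLA thresholds: a gateway is eligible only if every listed metric is within its limit.
DEFAULT_SLA = {"latency_ms": 150}

# Constructed sample connections.
FLOWS = [
    {"conn": "c1", "src": "10.0.0.5", "dst": "203.0.113.20"},
    {"conn": "c2", "src": "10.0.0.5", "dst": "203.0.113.21"},
    {"conn": "c3", "src": "10.0.0.6", "dst": "203.0.113.20"},
    {"conn": "c4", "src": "10.0.0.7", "dst": "203.0.113.22"},
]


def meets_sla(gw, sla):
    """Health check passed and every SLA metric within its threshold."""
    return gw["healthy"] and all(gw[m] <= limit for m, limit in sla.items())


def first_available(gateways, sla=DEFAULT_SLA, metric="latency_ms"):
    """'First available gateway' strategy: among healthy, SLA-compliant gateways
    pick the best link by the chosen quality metric (latency by default;
    'jitter_ms' or 'loss_pct' are the alternatives the profile offers)."""
    eligible = {n: g for n, g in gateways.items() if meets_sla(g, sla)}
    return min(eligible, key=lambda n: eligible[n][metric]) if eligible else None


def weighted_pool(gateways, sla=DEFAULT_SLA):
    """Eligible gateways repeated by weight, so weights 3:1 give 3 slots vs 1."""
    return [name for name, gw in gateways.items() if meets_sla(gw, sla)
            for _ in range(gw["weight"])]


def persistence_key(flow, mode):
    """The session persistence types from the profile page."""
    return {"source_ip": flow["src"],
            "destination_ip": flow["dst"],
            "source_destination": flow["src"] + ">" + flow["dst"],
            "connection": flow["conn"]}[mode]


def load_balance(flows, gateways=GATEWAYS, sla=DEFAULT_SLA, mode="round_robin"):
    """Assign each flow to a gateway. Round-robin walks the weighted pool in
    turn; a persistence mode hashes its key so the same key always lands on the
    same gateway while the pool is unchanged (assumed implementation)."""
    pool = weighted_pool(gateways, sla)
    if not pool:
        return {}
    assignment = {}
    for i, flow in enumerate(flows):
        if mode == "round_robin":
            slot = i % len(pool)
        else:
            digest = hashlib.sha256(persistence_key(flow, mode).encode()).hexdigest()
            slot = int(digest, 16) % len(pool)
        assignment[flow["conn"]] = pool[slot]
    return assignment


if __name__ == "__main__":
    print(first_available(GATEWAYS))                 # ISP1: lowest latency within SLA
    print(load_balance(FLOWS))                       # 3:1 split between ISP1 and ISP2
    print(load_balance(FLOWS, mode="source_ip"))     # c1 and c2 share a gateway
```

Tightening the SLA (for example `sla={"latency_ms": 50}`) drops ISP2 from the pool, so all flows move to ISP1; that is the behaviour to expect in the SD-WAN performance graphs when a link degrades below the thresholds you configured.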
You can also refine the health checks by specifying the interval between checks, the response timeout, when to deactivate and activate gateways, and the sample size that is used for the SLA.

SD-WAN Profiles

From the SD-WAN profile page you can see immediately which gateway has been selected. You can also get the real-time status of the gateways by clicking the clipboard icon. The chart icon takes you to the SD-WAN monitoring graphs.

SD-WAN Profiles

The SD-WAN monitoring graphs can be found in MONITOR & ANALYZE > Diagnostics > SD-WAN performance. Here you can see the distribution of the connections and data across the gateways. This data can be reset if you are troubleshooting your SD-WAN profile configuration.

SD-WAN Profiles

Further down the page, the graphs provide current and historical data on latency, jitter, and packet loss for each of the gateways in the selected SD-WAN profile. The view can be changed to show graphs for Live, the last 24 and 48 hours, the last week, or the last month.

SD-WAN Profiles Demo

In these demos you will see how to configure an SD-WAN profile for multiple Internet connections.
FIRST AVAILABLE GATEWAY: https://training.sophos.com/fw/demo/SdWanProfile/1/play.html
LOAD BALANCING: https://training.sophos.com/fw/demo/SdWanLoadBalancing/1/play.html

Chapter Review

Here are the three main things you learned in this chapter.

• The default route precedence on Sophos Firewall is static routes, SD-WAN routes, VPN routes, and then the default route.
• Static routes are comprised of directly connected networks, dynamic routing protocols, and static unicast routes.
• The WAN link manager is used to manage Internet links. You can set links as active or backup, set the failover and failback configuration, and customize the health monitoring.
• The Gateways page is used to create health monitored gateways for use with SD-WAN routes and profiles.
• SD-WAN profiles provide link management that allows you to define routing strategies across multiple gateways, rerouting traffic based on the performance and stability of the link, optimizing network performance and ensuring continuity.

Navigating and Managing Sophos Firewall
Sophos Firewall Version: 19.5v1
Sophos Firewall FW1505: Navigating and Managing Sophos Firewall
November 2022
When you have completed this chapter, you will be familiar with the Sophos Firewall WebAdmin and understand how it uses objects as the building blocks for the configuration of rules and policies.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall configuration using the Initial Setup Wizard

DURATION 11 minutes

WebAdmin: Control Center

When you first log in to the WebAdmin you are presented with the Control Center, which provides a live view of what is happening on the Sophos Firewall and allows you to quickly identify anything that requires your attention. The Control Center is broken down into six main areas:
• System, which shows the health of the firewall and services. Each item can be clicked to get more detailed information.
• Traffic insight, which provides an at-a-glance overview of what is happening on the network and the traffic being processed.
• User and device insight, for the status of users and devices being protected by Sophos Firewall. This section includes the User Threat Quotient, which is a risk assessment of users based on their behaviour.
• Active firewall rules, which displays the usage of firewall rules by type. Below the graph you can see the state of firewall rules over the last 24 hours. Clicking these will take you to the firewall rules, filtered for the selected type of rule.
• Reports, which provides access to commonly used reports. These can either be opened by clicking on the name of the report or downloaded using the icon to the right of each. It shows when the report was last updated and the size of the file.
• Messages, which displays alerts or information for the administrator, including security warnings and new firmware updates. Messages are clickable to access the relevant configuration.

WebAdmin: Main Menu

Down the left-hand side is the main menu for navigating the Sophos Firewall. This is divided into four sections:

• MONITOR & ANALYZE provides access to information on the current activity on the Sophos Firewall, and to reports and diagnostic tools.
• PROTECT is for configuring the rules, policies and settings related to protection features.
• CONFIGURE is where you set up connectivity, routing, authentication and global settings.
• SYSTEM houses the device access settings, as well as the objects and profiles that are used within rules and policies.

WebAdmin: Tabbed Navigation

Each section that is accessible from the main menu is further broken down into tabs for accessing each area of configuration.
On some screens, additional, less frequently used tabs can be accessed using the ellipsis on the right-hand side of the tabs.

WebAdmin: Advanced Settings

In the Reports section there is an additional Show Reports settings option that allows you to access some of the less often used options. When the settings are accessed, the screen will flip to the additional options. You can identify when you are on this screen because the title bar at the top of the page will be yellow.

WebAdmin: Admin Drop-Down Menu

Found in the top-right is the admin menu. Here you can reboot, shut down, lock and log out of the Sophos Firewall. This menu also provides links to the support website, the Sophos Firewall licensing page, and web-based access to the console.

WebAdmin: Help

Found on every screen of the Sophos Firewall is a context-sensitive link to the online help. When clicked, it opens a separate window. This online version of the help is fully interactive and can be browsed by selecting the various menu items in the left-side menu. It can also be searched using keywords. When a search result is selected it will load the appropriate section within the help file.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html

WebAdmin: Log Viewer

Next to the help link is the Log viewer, which opens in a new window to provide access to all log files. In the Log viewer you can filter the logs and perform context-sensitive actions. Other chapters in the course will explore this in more detail.

How-to Guides

Clicking the How-to guides link in the WebAdmin takes you to the Sophos Community page.
This provides a link to a library of videos that demonstrate how to perform common tasks on Sophos Firewall.

Objects

• Objects are the building blocks for rules and policies
• Define hosts, networks, services, groups and profiles
• Can be created inline when configuring rules and policies

The Sophos Firewall uses objects as the building blocks for the configuration of rules and policies. By defining reusable objects once for things such as hosts, services and networks, you can speed up configuration and simplify future changes by having a single place to make a change.

Objects can be created and edited ahead of time, but they can also be created inline when configuring protection features. This means that you do not have to navigate away from what you are configuring to create an object, because you will have the option to create it where you need it.

There are two categories of object: hosts and services; and profiles. These can be found in the SYSTEM section on the Sophos Firewall.

Hosts

There are three types of host object on the Sophos Firewall: IP, MAC and FQDN.

IP host objects can represent a single IP address, a subnet, a range of IP addresses or a list of IP addresses, for either IPv4 or IPv6. The object has a name and then must be configured by IP version (IPv4 or IPv6) and a type. Note that the IP version and type cannot be modified after the object has been created. You then provide the data for the type of object you selected. Note that IP address lists are comma separated.
IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but not IP lists.

MAC host objects can be created for individual MAC addresses or MAC address lists. The MAC host object has a name and then must be configured for a specific type, either MAC address or MAC list. This cannot be changed once the object has been saved. MAC address lists are comma separated.

FQDN host objects are used to define fully qualified domain names. They can include a wildcard prefix to resolve sub-domains, for example *.sophos.com. FQDN host groups allow you to create a collection of FQDN host objects to further simplify the use of objects in rules and policies.

Services

Service objects can be created for:
• TCP and UDP, based on protocol, source port and destination port
• IP, based on protocol number
• ICMP and ICMPv6, based on the ICMP type and code

Each service object is for a single type, and can contain one or more definitions. You can also create groups of service objects.

Country Groups

Sophos Firewall maintains a geo-IP database that maps IP addresses to countries, and this is automatically updated with the pattern definitions. There are several predefined country groups that ship with Sophos Firewall, which can be edited. You can also create custom groups of countries.
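As an added example, not code from Sophos or this course, the following models the IP host, FQDN host and service objects described above and checks constructed addresses and connections against them; the object names, addresses, the "lo:hi" port-range syntax and the subdomain-only wildcard rule are assumptions.

```python
"""Added example, not Sophos code: a model of the IP host, FQDN host and
service objects described above, checked against constructed values.
Object names, addresses and the port-range syntax "lo:hi" are assumptions,
as is the rule that a "*." wildcard matches subdomains only."""
import ipaddress
from dataclasses import dataclass

PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}   # IANA protocol numbers


@dataclass(frozen=True)
class IPHost:
    """IP host object. As on the firewall, the IP version and type are fixed
    once the object exists (hence frozen) and IP lists are comma separated."""
    name: str
    version: int   # 4 or 6
    kind: str      # "ip", "network", "range" or "list"
    data: str      # e.g. "10.0.0.5", "10.0.0.0/24", "10.0.0.10-10.0.0.20"

    def __post_init__(self):
        if self.kind not in ("ip", "network", "range", "list"):
            raise ValueError(f"{self.name}: unknown IP host type {self.kind!r}")
        # Reject a mismatched IP version when the object is created, not later
        if any(a.version != self.version for a in self._parsed()):
            raise ValueError(f"{self.name}: data is not IPv{self.version}")

    def _parsed(self):
        if self.kind == "network":
            return [ipaddress.ip_network(self.data, strict=False)]
        sep = "," if self.kind == "list" else "-"
        return [ipaddress.ip_address(p.strip()) for p in self.data.split(sep)]

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        if addr.version != self.version:
            return False
        if self.kind == "network":
            return addr in self._parsed()[0]
        if self.kind == "range":
            start, end = self._parsed()
            return start <= addr <= end
        return addr in self._parsed()          # single "ip" or comma "list"


class IPHostGroup:
    """IP host groups accept IP, network and range objects, but not IP lists."""

    def __init__(self, name, members):
        lists = [m.name for m in members if m.kind == "list"]
        if lists:
            raise ValueError(f"{name}: IP list objects cannot be grouped: {lists}")
        self.name, self.members = name, tuple(members)

    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)


def fqdn_matches(fqdn_object, hostname):
    """FQDN host: exact name, or with a "*." prefix any subdomain of it."""
    pattern = fqdn_object.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])    # pattern[1:] keeps the dot: ".sophos.com"
    return host == pattern


@dataclass(frozen=True)
class Service:
    """Service object of one type with one or more definitions:
    tcp_udp: (protocol, source ports, destination ports) with ports "any",
    "443" or "lo:hi"; ip: (protocol number,); icmp: (type, code), code None
    meaning any code."""
    name: str
    kind: str            # "tcp_udp", "ip" or "icmp"
    definitions: tuple


def _port_ok(spec, port):
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def service_matches(service, pkt):
    """pkt: {"proto": number, "sport", "dport"} or {"proto", "type", "code"}."""
    if service.kind == "tcp_udp":
        return any(PROTO[proto] == pkt["proto"]
                   and _port_ok(src, pkt["sport"]) and _port_ok(dst, pkt["dport"])
                   for proto, src, dst in service.definitions)
    if service.kind == "ip":
        return any(number == pkt["proto"] for (number,) in service.definitions)
    return pkt["proto"] in (PROTO["icmp"], PROTO["icmpv6"]) and any(
        pkt["type"] == t and (c is None or pkt["code"] == c)
        for t, c in service.definitions)
```

Creating an IPHostGroup that contains an IP list object, or an IPv6 object with IPv4 data, raises a ValueError, mirroring what the WebAdmin refuses to save.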
Profiles

Profiles are a collection of settings that can be defined and used when configuring protection features. There are profiles for:

• Schedule, which defines a period of time, either recurring or one-off
• Access time, which defines an allow or deny action for a schedule
• Surfing quota, which defines either recurring or one-off restrictions for browsing time
• Network traffic quota, for upload and download bandwidth quota restrictions, either separate or combined
• Decryption, for controlling the decryption of TLS traffic
• IPsec, to specify the IKE (Internet Key Exchange) parameters for establishing tunnels between two firewalls
• Device access, which defines access roles for administrators logging into the WebAdmin

Firmware Updates

Sophos Firewall has two firmware slots, one for the current active firmware, and the other that can be updated with a new version. This means that if an issue is encountered with the running firmware, the previous version can be booted. Firmware can be downloaded automatically or uploaded manually. When there is a new firmware version you will be prompted to upgrade when you log in. As well as uploading new firmware, you can select which firmware version to boot, or choose to boot one of the firmware versions with the default factory settings.
Firmware updates require a valid support license. For devices that do not have a valid support license applied, a banner on the firmware page shows the number of free firmware updates that are left. Three free firmware updates are provided, and mandatory updates that are installed as part of the initial setup wizard are not counted towards this. Pattern updates are not affected.

Chapter Review

Here are the three main things you learned in this chapter.

The main menu is the primary navigation tool and is divided into four sections. Pages are further broken down into tabs for accessing each area of configuration.

Every page provides a link to context-sensitive help.

The Sophos Firewall uses two types of object, hosts and services, and profiles, as the building blocks for the configuration of rules and policies.

Getting Started with Traffic Shaping on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1565: Getting Started with Traffic Shaping on Sophos Firewall, April 2022, Version: 19.0v1
Getting Started with Traffic Shaping on Sophos Firewall - 1

Network Traffic Shaping on Sophos Firewall

In this chapter you will learn how to configure the global settings for traffic shaping, including default policy settings, and the different types of traffic shaping policy you can create.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION
8 minutes

Traffic Shaping

Using traffic shaping policies, you can manage bandwidth and prioritize network traffic to reduce the impact of heavy bandwidth usage. What are some example scenarios where traffic shaping can be deployed to help optimize and manage network performance?

Traffic shaping is primarily deployed to protect business continuity.
With the increasing move to using cloud services it is important to prioritize and guarantee bandwidth for these business-critical applications. Another approach is to limit the bandwidth of non-business-critical, bandwidth-heavy applications, such as streaming and downloads. Traffic shaping is also a great tool for controlling the amount of bandwidth used by guest networks, ensuring they do not impact more important business use.

Traffic Shaping Settings

Traffic shaping settings are configured in: CONFIGURE > System services > Traffic shaping settings

To start using traffic shaping you should first configure the general traffic shaping settings. It is important to specify the settings found on the CONFIGURE > System services > Traffic shaping settings tab. This includes the total WAN bandwidth available, which Sophos Firewall needs so it can allocate bandwidth effectively. The total available WAN bandwidth is the sum of the maximum bandwidth of all WAN links in KBps. To view bandwidth usage, click Show bandwidth usage at the bottom of the page.

The option Optimize for real-time (VoIP) gives priority to real-time traffic such as VoIP. If it is disabled, priority applies only to excess bandwidth, that is, the bandwidth remaining after guaranteed bandwidth has been allocated. If Optimize for real-time (VoIP) is enabled, real-time traffic (traffic matching a traffic shaping policy with priority 0), such as VoIP, is given precedence over all other traffic. Because priority is given to the real-time traffic, it is possible that some non-real-time traffic will not get its minimum guaranteed bandwidth.
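To make the precedence just described concrete, here is an added simplified model, not Sophos' scheduler or any code from this course, of how a configured total WAN bandwidth is divided between shaping policies with and without Optimize for real-time (VoIP); the policy names, bandwidth figures and the three-step allocation order are constructed assumptions.

```python
"""Added example, not Sophos code: a simplified model of how the traffic
shaping settings described in this chapter divide the total WAN bandwidth.
Policy names, bandwidth figures and the allocation order are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    guarantee: int   # minimum bandwidth in KBps
    limit: int       # maximum bandwidth in KBps
    priority: int    # 0 = real-time (VoIP); otherwise 1 (highest) to 7 (lowest)

    def __post_init__(self):
        if not 0 <= self.priority <= 7:
            raise ValueError(f"{self.name}: priority must be 0..7")
        if self.guarantee > self.limit:
            raise ValueError(f"{self.name}: guarantee cannot exceed limit")


def allocate(total_wan_kbps, policies, demand, optimize_real_time):
    """Return {policy name: KBps allocated} for the offered load in `demand`.

    Modelled order (an assumption, not Sophos' scheduler):
      1. with Optimize for real-time (VoIP) on, priority-0 policies are served
         first, up to their limit, before anyone else's guarantee;
      2. the remaining policies then receive their guarantee, highest
         priority first, from whatever bandwidth is left;
      3. excess bandwidth is handed out in priority order up to each limit.
    """
    alloc = {p.name: 0 for p in policies}
    remaining = total_wan_kbps

    def give(policy, wanted):
        nonlocal remaining
        amount = max(0, min(wanted, remaining))
        alloc[policy.name] += amount
        remaining -= amount

    by_priority = sorted(policies, key=lambda p: p.priority)
    real_time = [p for p in by_priority if p.priority == 0] if optimize_real_time else []

    for p in real_time:                                  # step 1
        give(p, min(demand.get(p.name, 0), p.limit))
    for p in by_priority:                                # step 2
        if p not in real_time:
            give(p, min(demand.get(p.name, 0), p.guarantee))
    for p in by_priority:                                # step 3
        give(p, min(demand.get(p.name, 0), p.limit) - alloc[p.name])
    return alloc


def starved_guarantees(policies, demand, alloc):
    """Names of policies that offered load but received less than their guarantee."""
    return [p.name for p in policies
            if alloc[p.name] < min(demand.get(p.name, 0), p.guarantee)]


# Constructed scenario: the policy limits add up to 14000 KBps, more than the
# configured total WAN bandwidth, which is the situation the chapter warns about.
POLICIES = [
    ShapingPolicy("VoIP", guarantee=2000, limit=4000, priority=0),
    ShapingPolicy("CRM", guarantee=3000, limit=6000, priority=1),
    ShapingPolicy("Streaming-480p", guarantee=0, limit=1000, priority=5),
    ShapingPolicy("Guest", guarantee=500, limit=3000, priority=7),
]
DEMAND = {"VoIP": 4000, "CRM": 6000, "Streaming-480p": 1000, "Guest": 3000}
TOTAL_WAN_KBPS = 6000

if __name__ == "__main__":
    for optimize in (True, False):
        result = allocate(TOTAL_WAN_KBPS, POLICIES, DEMAND, optimize)
        print(f"Optimize for real-time = {optimize}: {result}")
        print("  guarantees not met:", starved_guarantees(POLICIES, DEMAND, result))
```

With the option on, VoIP takes its full 4000 KBps first and the CRM and Guest guarantees cannot be met; with it off, every guarantee is honoured and VoIP only gets the leftover excess.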
Specifically, if the sum of the Limit (maximum allowed) of all traffic shaping policies (real-time and non-real-time) is greater than the total maximum limit, then the guaranteed bandwidth of the real-time policies will be fulfilled, but the non-real-time policies might not get their minimum guaranteed bandwidth.

The setting Enforce guaranteed bandwidth should only be enabled if you would like to apply the Default policy to all traffic that does not have an explicit traffic shaping policy applied to it. If this option is enabled, you should take the time to configure the Default policy as well.

With Enforce guaranteed bandwidth enabled, all Internet-bound traffic is handled by the traffic shaping policy applied to it. If there is no policy applied to the traffic, it will be handled by the default policy.

• Enable this setting if you want to enforce a bandwidth restriction on traffic to which a traffic shaping policy is not applied.
• Disable this setting if you do not want to enforce a bandwidth restriction on traffic to which a traffic shaping policy is not applied (the firewall will then shape only traffic to which a traffic shaping policy is applied).

If you have enabled Enforce guaranteed bandwidth you can configure the default policy to use for traffic that does not have a traffic shaping policy applied:
• Guarantee is the minimum bandwidth available to the user
• Limit is the maximum bandwidth available to the user
• Priority can be set from 1 (highest) to 7 (lowest), depending on the traffic that needs to be shaped

Traffic Shaping Policies

Traffic shaping policies are configured in CONFIGURE > System services > Traffic shaping. Traffic shaping policies can be applied to users, rules, web categories or applications, and can be used to either limit or guarantee bandwidth. You can choose to set bandwidth limits for upload and download either separately or combined.

The Priority field is used to set the traffic type to which bandwidth priority is to be allocated. By default, priority is assigned to real-time traffic. When priority is allocated to real-time traffic, the ability of non-real-time policies to receive their guaranteed bandwidth is determined by the bandwidth remaining in the total available bandwidth after real-time policies have been serviced.

Bandwidth usage can be configured as either individual or shared. Individual applies the policy to a single user, firewall rule, web category or application. Shared applies the policy to all the users, firewall rules, web categories or applications that have the policy assigned.

[Additional Information]
Rule type:
• Limit: the user cannot exceed the defined bandwidth limit
• Guarantee: the user is guaranteed the specified bandwidth and can draw on bandwidth up to the specified limit, if available. Allowing users to draw on additional bandwidth can ensure constant service levels during peak periods.

Traffic Shaping Policies Example

Let's look at an example policy.
Here we have a policy to limit the bandwidth of streaming media applications to 480p based on their web category, as determined by the firewall. We have set the association to Web categories and the Rule type to Limit. We then calculated the bandwidth needed for 480p video to be 1000 KB/s and set it as an individual limit, so each person viewing a video will have enough bandwidth to view the video at 480p. Finally, the Priority is set low. We have chosen a priority of 5 to make sure it is processed after any business-critical applications.

Applying Traffic Shaping - Web

Traffic shaping can also be applied to web categories under PROTECT > Web > Categories. By editing a category, you can select a traffic shaping policy to apply to that web category, independent of the firewall rule matched.

Chapter Review

Here are the three main things you learned in this chapter.

The total WAN bandwidth needs to be configured before using traffic shaping.

You can configure a default traffic shaping policy for all traffic that does not have a policy applied.

Traffic shaping policies can be created for users, rules, web categories, and applications.

Getting Started with Zones and Interfaces on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1515: Getting Started with Zones, Interfaces and Routing on Sophos Firewall, April 2022, Version: 19.0v1
Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 1

Getting Started with Zones and Interfaces on Sophos Firewall

In this chapter you will learn how to use the Sophos Firewall WebAdmin to configure network zones, interfaces and routing.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION
8 minutes

Interfaces and Zones

The firewall is shipped with physical and virtual interfaces. A physical interface is, for example, Port1, PortA, or eth0. A virtual interface is a logical representation of an interface, for example an alias that allows you to bind multiple IP addresses to a single physical interface. A zone is a grouping of interfaces.
When used with firewall rules, zones provide a convenient method of managing security and traffic for a group of interfaces.

Zones

[Diagram: LAN 1 and LAN 2 in the LAN zone, hosted servers in the DMZ zone, and the Internet in the WAN zone, all connected through Sophos Firewall]

We'll start by looking at zones. Sophos Firewall is a zone-based firewall, and it is important to understand what a zone is before we proceed to look at interfaces and routing. When we talk about zones on the Sophos Firewall, we mean a logical group of networks where traffic originates or is destined to. Each interface is associated with a single zone, which means that traffic can be managed between zones rather than by interface or network, simplifying the configuration. Interfaces and zones are not equivalent; multiple interfaces can be associated with a zone, and each zone can be made up of multiple networks.

Zones are created and managed in: CONFIGURE > Network > Zones

Sophos Firewall comes with five default zones:

• LAN, which is the most secure zone by default and is for your internal networks.
• WAN, which is used for external interfaces that provide Internet access.
• DMZ, which is for hosting publicly accessible servers.
• VPN, which is the only zone that does not have a physical port or interface assigned to it. When a VPN is established, either site-to-site or remote access, the connection is dynamically added to the zone and removed when disconnected.
• WiFi, which is for providing security for wireless networks.

Except for the VPN zone, the default zones can be customized.
Zones are managed and created in CONFIGURE > Network > Zones.

Creating Zones

Let's look at how you can create your own zones. When you create a custom zone, you can choose between two types of zone, LAN or DMZ, which is used to indicate the level of trust for the zone. You cannot create additional VPN or WAN type zones, as there can only be one of each of these. You then customize the zone to define which services the Sophos Firewall provides and which will be accessible from it. This is broken down into four categories:

• Admin services, for accessing and managing the Sophos Firewall.
• Authentication services, for user authentication.
• Network services, for PING and DNS.
• Other services, which controls access to things like the web proxy, wireless access point management, and the user portal.

Activity

Take a moment to test your knowledge and match the zone with its description.

Zones: WiFi, LAN, VPN, WAN, DMZ

Descriptions:
• This is the only zone that does not have a physical port or interface assigned to it
• This zone is for hosting publicly accessible servers
• This zone is for providing security for wireless networks
• This is the most secure zone by default and is for your internal networks
• This zone is used for external interfaces that provide Internet access

Network Interfaces

Now that you know how to create zones, we will look at network interfaces.
Configuring Interfaces

Interfaces are configured in: CONFIGURE > Network > Interfaces

By default, interfaces are named after their hardware device ID. However, you can give them a friendly name to make identifying them easier. To begin configuring the network settings, you must assign the interface to a zone. This will determine what IP configuration can be set, as only interfaces in the WAN zone are configured with a gateway. You can configure interfaces either statically or by DHCP. IPv4 configuration also supports configuration via PPPoE.

You can configure interfaces with IPv4 or IPv6 or both.

Interface Types

In addition to those used for configuring the network adapters in the Sophos Firewall, there are several other interface types that can be created. These are:

• BRIDGE: allows two or more interfaces to be used to create a transparent layer 2 or 3 bridged interface for seamless communication between interfaces
• ALIAS: an additional IP address added to an interface
• VLAN: a virtual LAN interface created on an existing Sophos Firewall interface, used when the Sophos Firewall needs to perform inter-VLAN routing or tagging
• LAG: a group of interfaces acting as a single connection, which can provide redundancy and increased speed between two devices
• RED: used to connect Sophos' Remote Ethernet Devices back to the Sophos Firewall

Bridge Interface

We'll look at two examples of these interfaces.
The first is a bridge interface, which bridges over physical interfaces, such as ports, or virtual interfaces, such as VLANs. In this example, two physical ports are assigned to the bridge interface. If Enable routing is selected, you must assign an IP address to the bridge interface.

Alias Interface

An alias interface is used to bind multiple IP addresses to a physical interface. In this example an alias is added to the GuestAP physical interface and can then be seen in the interfaces listing page.

Activity

Take a moment to test your knowledge and match the interface type with its description.

Interface types: Bridge, Alias, VLAN, LAG, RED

Descriptions:
• An additional IP address added to an interface
• Creates a transparent layer 2 or 3 interface for seamless communication
• Can provide redundancy and increased speed between two devices
• Connects Sophos' remote devices back to the Sophos Firewall
• Created on an existing interface and can be used to perform tagging

Interface Types

Additionally, you can create wireless interfaces and IPsec interfaces. These two interface types are created as part of configuring other functionality on Sophos Firewall, IPsec VPNs and wireless networks, using separate zone configuration.

• TUNNEL: tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN
• WiFi: a wireless network where traffic is routed back to the Sophos Firewall from the access point instead of directly onto the network the access point is connected to
WiFi interfaces are created when a wireless network routes traffic back to the Sophos Firewall using separate zone configuration, instead of to either the physical LAN the access point is connected to, or a VLAN.

Simulation: Create Zones and Interfaces

In this simulation you will configure zones and interfaces on Sophos Firewall.
https://training.sophos.com/fw/simulation/ZonesAndInterfaces/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.

A zone is a logical group of networks. Each firewall interface is associated with a single zone, meaning that traffic management can be simplified using zones instead of interfaces and networks.

Network interfaces are assigned to a zone, which determines what IP configuration can be set.

IPsec tunnel and wireless interface types are created as part of configuring other functionality on Sophos Firewall. These use separate zone configuration.

Configuring DNS and DHCP on Sophos Firewall
Sophos Firewall Version: 19.0v2

[Additional Information]
Sophos Firewall FW1545: Configuring DNS and DHCP on Sophos Firewall, June 2022, Version: 19.0v2
Configuring DNS and DHCP on Sophos Firewall

In this chapter you will learn how to configure the DNS and DHCP settings on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION: 5 minutes

DNS on Sophos Firewall

Sophos Firewall needs to be able to resolve hostnames and IP addresses. There are three ways to assign DNS servers to Sophos Firewall:
1. From your DHCP server
2. From PPPoE interface settings sent by your Internet provider
3. Manually, by assigning static server entries
DNS Settings

DNS is configured in CONFIGURE > Network > DNS.

During the initial setup you will have to set a DNS server; this can be modified in CONFIGURE > Network > DNS. Here you can set how Sophos Firewall obtains its DNS servers, and you can set up to three DNS servers statically for IPv4 and IPv6.

DNS Server

Sophos Firewall also acts as a DNS server, using its configured DNS servers to resolve and respond to requests. You can set how Sophos Firewall handles the preference between IPv4 and IPv6 lookups. You can also configure DNS records on the Sophos Firewall itself. These can include a reverse lookup from the IP address back to the hostname.

DNS Request Routes

If the Sophos Firewall is configured to use your ISP’s DNS servers, so that it can resolve hosts on the Internet, you can override this for specific domains and networks by configuring DNS request routes. A DNS request route defines what DNS server should be used to look up hosts in the selected domain; in the example, a route sets the DNS server to use for hosts in the sophos.local domain. Request routes can also be created for reverse lookups, to define what DNS server should be used to look up IP addresses in the selected network; in the example, a reverse route sets the DNS server to use for IP addresses in the network 172.16.16.0/24.

Simulation: Configure DNS Request Routes

In this simulation you will configure DNS request routes on Sophos Firewall.
https://training.sophos.com/fw/simulation/ConfigureDNS/1/start.html

Dynamic DNS

Dynamic DNS is configured in CONFIGURE > Network > Dynamic DNS.

If your ISP assigns your IP through DHCP, you can use a dynamic DNS provider to host a DNS record for this IP address and have the Sophos Firewall update the IP address associated with it. To configure dynamic DNS, you enter the hostname and select the WAN interface it should resolve to. You then need to select your provider and enter your login details.

DHCP Server

DHCP is configured in CONFIGURE > Network > DHCP.

Sophos Firewall can provide DHCP to any networks that are connected to it. Each DHCP server you configure on the Sophos Firewall can be either IPv4 or IPv6, is bound to an interface, and defines the range of IP addresses it will lease.

DHCP Relay

Sophos Firewall can also act as a DHCP relay, passing DHCP requests between clients and a DHCP server on another network. You configure the interface where the clients are located and the IP address of the DHCP server to relay requests to.

Chapter Review

Here are the three main things you learned in this chapter.
DNS servers can be assigned to Sophos Firewall using DHCP, from PPPoE interface settings, and manually.
DNS request routes define what DNS server should be used to look up hosts in the selected domain.
Sophos Firewall can provide DHCP to any networks that are connected to it. It can also pass requests to another DHCP server.

Getting Started with Firewall and NAT Rules on Sophos Firewall
Sophos Firewall Version: 19.0v2 [Additional Information]
Sophos Firewall FW2005: Getting Started with Firewall and NAT Rules on Sophos Firewall, June 2022, Version: 19.0v2
© 2022 Sophos Limited. All rights reserved.

Getting Started with Firewall and NAT Rules on Sophos Firewall

In this chapter you will learn how to create and manage firewall and NAT rules.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall with identity-based policies
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION: 17 minutes
Firewall Rules

To allow network traffic in and out of the network through a firewall you generally need two things: a firewall rule and a NAT rule. When you start configuring firewall and NAT rules on Sophos Firewall, there are three key things to remember:
• Rules are processed in order from top to bottom
• The first rule to match is used
• If there is no matching firewall rule, the traffic is dropped

The default drop rule cannot be edited and does not log traffic. If you want to log dropped traffic you need to create a drop firewall rule that will match all traffic and enable logging. This rule should be at the bottom of the rule-set.

For NAT rules, if there is no matching rule then no NATing will be applied to the traffic. Unlike with firewall rules, traffic is not blocked when no NAT rule is matched.

Creating Firewall Rules

Let’s start by looking at how to create a basic firewall rule. In this example we will create a rule that allows web traffic from computers on the network out to the Internet. To start, navigate to PROTECT > Rules and policies, then select Add firewall rule.

Creating Firewall Rules: Rule Properties

In the top section you configure the properties, including the rule position, group, action, and whether to log traffic for the rule. By default, Sophos Firewall will try to place the rule in the most appropriate group based on the configuration of source and destination zone and the type of firewall rule.
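The three processing rules above (top-to-bottom order, first match wins, unlogged default drop) and the fact that a missing NAT match does not block traffic are easy to get wrong when reading a long rule-set. The following is an added illustration written for this page; it is not Sophos code and does not reflect how the appliance stores rules. It models a rule-set as an ordered list, keeps the rule ID separate from the rule position, evaluates exclusions before the match criteria (as the chapter describes later), and shows the difference between the built-in default drop, which never logs, and an explicit logging drop rule at the bottom of the list. All zones, networks and rule contents are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Added illustration of first-match rule processing; not Sophos code.
# Zones, networks and rule contents are constructed for the example.

ANY = "Any"


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str          # named service, e.g. "HTTP", "HTTPS", "SSH"


@dataclass
class FirewallRule:
    rule_id: int          # unique reference; never changes when the rule is moved
    name: str
    action: str           # "Accept", "Drop" or "Reject"
    src_zones: Set[str]
    dst_zones: Set[str]
    services: Set[str]                                       # {ANY} or named services
    src_networks: List[str] = field(default_factory=list)    # CIDRs; empty list = any
    dst_networks: List[str] = field(default_factory=list)
    log: bool = False
    # Exclusions: traffic listed here is never matched by this rule
    excl_src_networks: List[str] = field(default_factory=list)
    excl_services: Set[str] = field(default_factory=set)


def in_any(ip: str, nets: List[str]) -> bool:
    """True if ip lies inside one of the CIDRs (nets must be non-empty)."""
    return any(ip_address(ip) in ip_network(n) for n in nets)


def zone_ok(zone: str, zones: Set[str]) -> bool:
    return ANY in zones or zone in zones


def rule_matches(rule: FirewallRule, pkt: Packet) -> bool:
    # Exclusions first: an excluded packet falls through to the next rule
    if rule.excl_src_networks and in_any(pkt.src_ip, rule.excl_src_networks):
        return False
    if pkt.service in rule.excl_services:
        return False
    return (zone_ok(pkt.src_zone, rule.src_zones)
            and zone_ok(pkt.dst_zone, rule.dst_zones)
            and (ANY in rule.services or pkt.service in rule.services)
            and (not rule.src_networks or in_any(pkt.src_ip, rule.src_networks))
            and (not rule.dst_networks or in_any(pkt.dst_ip, rule.dst_networks)))


def evaluate(ruleset: List[FirewallRule], pkt: Packet, log: List[str]) -> Tuple[str, Optional[int]]:
    """Walk the rule-set top to bottom; list index + 1 is the rule position.

    Returns (action, rule_id). rule_id is None when the built-in default drop
    applied: it cannot be edited and writes nothing to the log.
    """
    for position, rule in enumerate(ruleset, start=1):
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"pos={position} id={rule.rule_id} {rule.action} "
                           f"{pkt.src_ip}->{pkt.dst_ip}/{pkt.service}")
            return rule.action, rule.rule_id
    return "Drop", None


# Constructed rule-set. Note that position and ID differ (ID 7 sits at position 1).
RULESET = [
    FirewallRule(rule_id=7, name="LAN to WAN web", action="Accept",
                 src_zones={"LAN"}, dst_zones={"WAN"}, services={"HTTP", "HTTPS"},
                 src_networks=["192.168.1.0/24"],
                 excl_src_networks=["192.168.1.128/25"],   # guest half of the subnet
                 log=True),
    FirewallRule(rule_id=3, name="Log all drops", action="Drop",
                 src_zones={ANY}, dst_zones={ANY}, services={ANY}, log=True),
]


def demo(ruleset: List[FirewallRule]):
    """Evaluate three constructed packets and return (results, log lines)."""
    log: List[str] = []
    results = {
        "staff_web": evaluate(ruleset, Packet("LAN", "WAN", "192.168.1.10", "198.51.100.5", "HTTPS"), log),
        "guest_web": evaluate(ruleset, Packet("LAN", "WAN", "192.168.1.200", "198.51.100.5", "HTTPS"), log),
        "staff_ssh": evaluate(ruleset, Packet("LAN", "WAN", "192.168.1.10", "198.51.100.5", "SSH"), log),
    }
    return results, log


if __name__ == "__main__":
    for label, rs in (("with logging drop rule", RULESET), ("without it", RULESET[:1])):
        results, log = demo(rs)
        print(label, results, log, sep="\n  ")
```

Running `demo(RULESET)` accepts the staff client and drops both the guest client (excluded from rule ID 7) and the SSH attempt, with all three decisions logged by the rules that made them. Running `demo(RULESET[:1])`, without the explicit drop rule, gives the same verdicts but only one log line: the two drops came from the default rule, which is exactly the visibility gap the chapter warns about.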
Creating Firewall Rules: Matching Criteria

The matching criteria for the firewall rule cover source and destination zones and networks, services, and the ability to schedule when the rule will be active. You can also match on users and groups. For the moment we will focus on the configuration of a network firewall rule.

Creating Firewall Rules: Exclusions

You can exclude specific zones, networks and services from being matched by the firewall rule. This simplifies creating firewall rules where there are exceptions, as you can create a single generic rule and add exclusions, whereas it would take multiple rules if exclusions were not available.

Creating Firewall Rules: Linked NAT

You can create NAT rules that are linked to firewall rules. Here you only need to configure the source NAT, as all the sources, destinations and services will have the same matching criteria as the firewall rule. Linked NAT rules are primarily designed to ensure a smooth migration from earlier versions of Sophos Firewall where the NAT configuration was completed as part of the firewall rule. To get the full benefit of Sophos Firewall we would recommend not creating new linked NAT rules. We will cover creating NAT rules shortly.

Creating Firewall Rules: Security Features

At the end of the firewall rule, you can enable security features and select policies for web filtering, Security Heartbeat, IPS, application control and more.

Simulation: Create a Firewall Rule

In this simulation you will modify the default firewall rule to allow outbound traffic from additional zones, and then create firewall rules to allow traffic to and from the New York branch office over the MPLS.
https://training.sophos.com/fw/simulation/FirewallRule/1/start.html

Managing Firewall Rules

Now that you have seen how to create a firewall rule, let’s take a moment to look at how you can manage the firewall rules. You can see the key details such as source, destination and service for each of the firewall rules, and where a field is truncated, you can hover your mouse over it to see the full contents. On the right you can see which features have been enabled within the firewall rule, and if you hover over this you can see a full summary of the rule.

Managing Firewall Rules: Rule Position, ID and Icons

Screenshot callouts: rule ID, rule position, rule group, red octagon for drop/reject rules, grey for disabled rules, green for allow rules, web server protection firewall rule, network rule, user rule.

There are two numbers for each firewall rule. The first is the rule position, and this will be updated if you move a rule, which can be done by dragging and dropping. The second is the rule ID; this is the rule’s unique reference and will not change. The important thing to note is that the rule ID does not reflect the rule position; they can be, and usually will be, different.

You will notice that firewall rules use different icons: green icons for allow rules, red for drop or reject, and grey for disabled.
Each icon also shows what type of rule it is:
• Web server protection firewall rule, for protecting web servers
• Network rule, where traffic is matched only on network properties
• User rule, where the Sophos Firewall also matches on user identity

Managing Firewall Rules: Filters

Along the top of the Firewall rules tab are common filters that can be applied using the drop-down menus. You can also add more detailed filters based on any field in the firewall rule.

Managing Firewall Rules: Rule Menu

On the right-hand side of each rule is an ellipsis menu that provides additional controls, including:
• Resetting the data counter for the rule, which can be useful when troubleshooting
• Moving the rule to a specific position
• Cloning the rule
• Adding a new rule above or below it
• Adding the rule to a group or detaching it from a group
• Deleting, enabling or disabling the rule

Managing Firewall Rules: Rule Groups

When we looked at creating a firewall rule we said that Sophos Firewall will try to add the rule to the most appropriate group based on the configuration you select. To add a new group, use the option from the ellipsis menu. Here you can configure the matching criteria that will be used for assigning rules to groups automatically; the rule-type options shown are Any, User/network, Network, User and WAF.

NAT Rules

• You can create a linked NAT rule that matches on the same criteria as the firewall rule it is linked to
• We recommend configuring NAT rules independently using the NAT table
• NAT rules still require firewall rules to allow traffic

You can create linked NAT rules for source NATing from within the firewall rule configuration; however, this is primarily designed to support the migration of configuration from version 17.5.
We recommend configuring NAT rules independently using the NAT table to support more powerful and flexible configuration scenarios, including SNAT (source NAT) and DNAT (destination NAT) in a single rule. NAT rules still require a firewall rule to allow the traffic! You generally need far fewer NAT rules than firewall rules, so creating them separately allows you to simplify your configuration. In simple environments you may only need a single blanket outbound masquerading rule rather than having it configured individually in each firewall rule.

Managing NAT Rules

In the NAT tab you can manage the NAT rule-set, reorder the rules, and see how many connections each of the rules has translated. From the menu for each rule you can reset the usage counter and, in the case of linked NAT rules, unlink them from their associated firewall rule. When adding NAT rules you can either create a NAT rule or, for DNAT scenarios, use the server access assistant to create both the firewall rule and NAT rules. There is also a button at the top of the page linking to a video that explains NAT configuration in depth.

Configuring NAT Rules

Within the NAT rule, you configure the matching criteria on the original source, destination and service, and any translations that need to be made. This design allows you to configure the NATing of source, destination, service, and interface in a single rule. You can also match on the inbound and outbound interfaces. By enabling the option Override source translation for specific outbound interfaces, you can select different source NATs based on the outbound interface, all within a single rule.
At the bottom of the NAT rule, you can optionally choose to create a:
• Loopback policy: used when an internal user wants to access an internal server using its public hostname or IP address
• Reflexive policy: allows traffic to traverse the NAT in the opposite direction

In the Advanced section are the load-balancing settings for the NAT rule. These can only be configured when the destination is an IP range.

Masquerading SNAT Scenario

Let’s consider an example scenario with four interfaces (WAN: Port2, LAN: Port1, LAN: VLAN33, DMZ: Port6) where we want to perform a masquerading SNAT on all of the traffic going out on WAN Port2. We can create a single NAT rule for this.

Default SNAT Rule

Here you can see the default SNAT rule that satisfies the scenario. The rule matches on the outbound interface and applies the MASQ NAT policy to the source address. MASQ is the default masquerading policy and will change the source IP address to be the same as the interface the traffic is leaving through.

Simulation: Configure NAT Rules

In this simulation you will remove the linked NAT rule for the default firewall rule, unlink the NAT rule for email protection, and create a NAT rule for MPLS traffic.
https://training.sophos.com/fw/simulation/NatRule/1/start.html

DNAT Scenario

Another common use case is using destination NAT, or DNAT, to publish an application to the Internet. In the scenario diagram, a client connects through the Sophos Firewall to the IP address of #Port2 on port 80, and the server has IP address 172.30.30.50 in the DMZ zone.
To do this you will use a network firewall rule to allow the traffic and a NAT rule to perform the destination translation. If we look at an example, we might have a web-based application on an internal server in the DMZ that we want to publish on a public IP address assigned on the WAN port; this is #Port2. When the user connects to port 80 using the public IP address we want to change the destination to the internal server and send the traffic on.

Server Access Assistant (DNAT)

Let’s have a look at using the server access assistant to create a DNAT and firewall rule for this scenario. Start by selecting the internal server, or enter the IP address and an IP host object will be created for it. Choose the interface that users will connect to when accessing the internal server. Alternatively, you can enter the IP address that users will be connecting to, and an IP host object will be created for it.

Select the services you want to access on the internal server and the source networks allowed.

Review the summary of the configuration selected, then click Save and finish.

DNAT Firewall Rule

Here you can see the firewall rule created by the server access assistant. Note that the destination zone is the zone the internal server is in; this is the zone after NATing has taken place. The destination network is the interface on the Sophos Firewall that the user will connect to; this is the IP address before NATing has taken place. You can edit this firewall rule and enable additional protection such as IPS.
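The rule the assistant generates only makes sense once you see which packet attributes are taken before and which after translation. The following is an added illustration written for this page, not Sophos code: it models an ordered NAT table holding the default masquerading SNAT rule from the earlier scenario together with the DNAT, loopback and reflexive rules for the published server, and reports what the firewall rule is evaluated against, namely the post-NAT destination zone and the pre-NAT destination address. The interface table, the public address 203.0.113.10 (standing in for #Port2) and the client addresses are constructed; only the server address 172.30.30.50 and the interface and zone names come from the chapter.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Added illustration, not Sophos code. Topology is constructed:
# interface -> (zone, attached network, interface IP address)
INTERFACES: Dict[str, Tuple[str, str, str]] = {
    "Port1": ("LAN", "192.168.1.0/24", "192.168.1.1"),
    "Port2": ("WAN", "203.0.113.0/24", "203.0.113.10"),   # public side; 203.0.113.0/24 is documentation space
    "Port6": ("DMZ", "172.30.30.0/24", "172.30.30.1"),
}
PUBLIC_IP = INTERFACES["Port2"][2]   # stands in for "#Port2" in the course scenario
SERVER_IP = "172.30.30.50"           # the DMZ web server from the scenario


def iface_for(ip: str) -> str:
    """Interface whose attached network contains ip; anything else leaves via the WAN default route."""
    for name, (_, net, _) in INTERFACES.items():
        if ip_address(ip) in ip_network(net):
            return name
    return "Port2"


def zone_of(ip: str) -> str:
    return INTERFACES[iface_for(ip)][0]


@dataclass
class Conn:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    orig_src: Optional[str] = None      # CIDR; None = any
    orig_dst: Optional[str] = None
    orig_port: Optional[int] = None
    out_iface: Optional[str] = None     # matched on where the original destination is routed
    dnat_ip: Optional[str] = None
    dnat_port: Optional[int] = None
    snat: Optional[str] = None          # "MASQ" = IP of the outbound interface, or a fixed IP


def nat_matches(rule: NatRule, c: Conn) -> bool:
    return ((rule.orig_src is None or ip_address(c.src_ip) in ip_network(rule.orig_src))
            and (rule.orig_dst is None or ip_address(c.dst_ip) in ip_network(rule.orig_dst))
            and (rule.orig_port is None or c.dst_port == rule.orig_port)
            and (rule.out_iface is None or iface_for(c.dst_ip) == rule.out_iface))


def apply_nat(rules: List[NatRule], c: Conn) -> Tuple[Conn, Optional[str]]:
    """First matching NAT rule wins; with no match the traffic passes untranslated (it is not dropped)."""
    for rule in rules:
        if not nat_matches(rule, c):
            continue
        t = replace(c)
        if rule.dnat_ip:                       # destination translation first ...
            t.dst_ip = rule.dnat_ip
            t.dst_port = rule.dnat_port or c.dst_port
        if rule.snat:                          # ... then source translation on the resulting path
            out = iface_for(t.dst_ip)
            t.src_ip = INTERFACES[out][2] if rule.snat == "MASQ" else rule.snat
        return t, rule.name
    return c, None


def firewall_view(rules: List[NatRule], c: Conn) -> dict:
    """What a DNAT firewall rule must match on: post-NAT destination zone, pre-NAT destination address."""
    t, name = apply_nat(rules, c)
    return {"nat_rule": name, "src_zone": zone_of(c.src_ip), "dst_zone": zone_of(t.dst_ip),
            "dst_network": c.dst_ip, "translated": (t.src_ip, t.dst_ip, t.dst_port)}


# Constructed NAT table in the order the server access assistant creates its rules,
# followed by the default SNAT rule from the masquerading scenario.
NAT_TABLE = [
    NatRule("Loopback: LAN to public IP", orig_src="192.168.1.0/24", orig_dst=f"{PUBLIC_IP}/32",
            orig_port=80, dnat_ip=SERVER_IP, snat="MASQ"),
    NatRule("DNAT: publish web server", orig_dst=f"{PUBLIC_IP}/32", orig_port=80, dnat_ip=SERVER_IP),
    NatRule("Reflexive: server to Internet", orig_src=f"{SERVER_IP}/32", out_iface="Port2", snat=PUBLIC_IP),
    NatRule("Default SNAT (MASQ on Port2)", out_iface="Port2", snat="MASQ"),
]

if __name__ == "__main__":
    for c in (Conn("198.51.100.77", PUBLIC_IP, 80),     # Internet client to the published service
              Conn("192.168.1.10", PUBLIC_IP, 80),      # LAN user using the public address (loopback)
              Conn(SERVER_IP, "198.51.100.5", 443),     # server calling out (reflexive)
              Conn("192.168.1.10", SERVER_IP, 22)):     # LAN to DMZ directly: no NAT rule matches
        print(firewall_view(NAT_TABLE, c))
```

For the Internet client the firewall rule sees source zone WAN, destination zone DMZ (post-NAT) and destination network 203.0.113.10 (pre-NAT), which is the combination the assistant writes into the rule. Rule order matters in the same way as for firewall rules: the loopback rule must sit above the generic DNAT rule, otherwise LAN clients match the DNAT rule without source translation and the server's replies would go straight back to the client instead of through the firewall. The last connection shows that a packet matching no NAT rule is simply passed on untranslated.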
DNAT Rules

Here you can see the three NAT rules created by the server access assistant: the DNAT rule, the loopback rule and the reflexive rule. You can further modify the DNAT rule. For example, you may also want to translate the port.

Reflexive and Loopback Policies

Reflexive rules create an SNAT from internal sources, for example, from a protected server (app.sophostraining.xyz in the diagram) to the Internet. In our previous example it would effectively create a masquerading rule for traffic from the application server. Loopback rules are used when internal users use the public IP address or hostname to access a resource, and it performs an SNAT on the connection. These can only be created automatically when creating new NAT rules and not when editing.

Simulation: Create a DNAT Rule Using the Server Access Assistant

In this simulation you will publish a server using a DNAT rule created using the server access assistant.
https://training.sophos.com/fw/simulation/DnatRule/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.
Firewall and NAT rules are processed in order with the first rule to match being used.
If no firewall rule is matched the traffic will be dropped.
Firewall rules for DNAT traffic use the post-NAT zone and pre-NAT IP address.

Configuring TLS Decryption on Sophos Firewall
Sophos Firewall Version: 19.0v1 [Additional Information]
Sophos Firewall FW2030: Configuring TLS Decryption on Sophos Firewall, April 2022, Version: 19.0v1
© 2022 Sophos Limited. All rights reserved.

Configuring TLS Decryption on Sophos Firewall

In this chapter you will learn how to configure TLS decryption for traffic passing through Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Using the WebAdmin to configure rules and policies

DURATION: 8 minutes
TLS Inspection Rules

• TLS inspection engine that is port and application agnostic
• TLS policy is separate from firewall policies
• Decrypted packets are sent to IPS, application control, web filtering and antivirus

The TLS inspection engine in Sophos Firewall is port and application agnostic: it doesn’t know or care about what higher-level applications are being used. The TLS policy for the inspection engine is separate from firewall rules; this allows you to create and apply policies to traffic without the complexity of having to consider the ordering and matching of firewall rules. The TLS inspection engine sends decrypted packets to IPS, application control, web filtering and antivirus for checking.

SSL/TLS Inspection Rules

Here you can see a set of TLS inspection rules. The first excludes specific websites from being decrypted and uses two lists: a local list where you can add websites to exclude, and a list managed by Sophos of websites where we know SSL inspection causes problems. An example of when this may happen is where there is mutual authentication between the server and the client or application. These two lists of websites can be viewed in PROTECT > Web > URL Groups, and in the case of the Local TLS exclusion list you can edit it.

TLS Inspection Rules

Let’s take a look at how you would configure a rule. TLS inspection rules can be configured to:
• Decrypt matched traffic, when you want to scan the contents
• Not decrypt matched traffic, when it will cause problems with the site or application
• Deny the matched traffic

Each rule has a decryption profile that is a collection of certificate, protocol and cipher settings.
We will look at decryption profiles in more detail shortly. The matching criteria for TLS inspection rules are the same as for firewall rules, but with the addition of being able to match on categories of websites.

TLS Inspection Rules: Example Rule-Set

Here I have created three rules as an example, which do the following:
• Enforce strict decryption for users in finance
• Apply a more relaxed and compatible policy to specific domains that require it
• Decrypt all other internal-to-external traffic and block insecure SSL

Catch-all TLS Rule Example

As an example, we create a catch-all TLS inspection rule for traffic going to the WAN zone from the client networks. Start by giving the rule a descriptive name, set the rule position and select the action. Select a decryption profile that defines the re-signing CAs, acceptable ciphers and how to handle non-decryptable traffic. Configure the source and destination settings in the same way that you would for a firewall rule, in this case to select traffic from clients to the Internet. You can optionally further restrict the rule to apply to specific websites.

TLS Inspection Settings

From the top of the TLS inspection rules tab you can open the TLS inspection settings; these are generic engine-based settings that will apply globally to all rules. There are three sections:
• The certificate authorities to use for re-signing RSA and EC certificates
• How to handle non-decryptable traffic; this is either insecure traffic that is not supported by TLS decryption, or what to do if the Sophos Firewall reaches its connection limit. The connection limit is a fixed value based on the model of the Sophos Firewall
• TLS 1.3 compatibility.
TLS 1.3 is still fairly new and not widely adopted, so there is an option to either decrypt as TLS 1.3 or to downgrade to TLS 1.2.

Decryption Profiles

Decryption profiles are configured in SYSTEM > Profiles > Decryption profiles.

Decryption profiles are a collection of settings that are applied on a rule-by-rule basis. There are three default decryption profiles provided:
• Block insecure: this blocks known weak protocols and ciphers
• Maximum compatibility: this is the most relaxed profile and is focused on trying to ensure restrictions do not cause any unexpected problems
• Strict compliance: for people who need to meet stricter compliance standards such as PCI

You can also create your own custom decryption profiles, either from scratch or by cloning an existing profile. There are three main sections to the profile:
• Re-signing certificate authority, which can either use the CAs defined in the SSL/TLS settings, or they can be overridden
• Non-decryptable traffic, where you can specify a different set of actions from the SSL/TLS settings
• Enforcement rules, where you can block specific protocols, ciphers and certificate errors. These can be used to enforce security settings to meet compliance criteria

Simulation: Create a TLS Inspection Rule on Sophos Firewall

In this simulation you create a TLS inspection rule on Sophos Firewall that will decrypt all outbound traffic.
https://training.sophos.com/fw/simulation/TlsRule/1/start.html
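The pieces this chapter introduces (exclusion URL groups, ordered TLS inspection rules with decrypt / do-not-decrypt / deny actions, decryption profiles with non-decryptable handling and enforcement rules, and the global TLS 1.3 setting) combine into one decision per connection. The following is an added illustration written for this page, not Sophos code and not the real contents of the default profiles: it takes the three example rules from this chapter (strict for finance users, relaxed for named legacy domains, decrypt everything else) and walks a connection through exclusions, rule matching and the matched rule's profile. Hosts, zones, cipher names and all profile thresholds are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added illustration, not Sophos code. It models the decision flow this chapter describes:
# exclusion URL groups, then first-match TLS inspection rules, then the matched rule's
# decryption profile. Profile contents, hosts and zones are constructed.


@dataclass
class TlsConn:
    src_zone: str
    dst_zone: str
    group: str                      # user group, "" when no user is known
    host: str                       # server name from the ClientHello (SNI)
    category: str                   # web category assigned to the host
    version: str                    # "SSL3", "TLS1.0" ... "TLS1.3"
    cipher: str                     # negotiated cipher suite name
    key_bits: int                   # RSA key size of the server certificate
    cert_error: Optional[str] = None   # e.g. "expired", "self-signed"


@dataclass
class DecryptionProfile:
    name: str
    min_version: str
    blocked_ciphers: Set[str]       # substrings of cipher names treated as weak
    min_key_bits: int
    block_cert_errors: bool
    on_non_decryptable: str         # "allow" (pass undecrypted) or "drop"


@dataclass
class TlsRule:
    name: str
    action: str                     # "decrypt", "do_not_decrypt" or "deny"
    src_zones: Set[str]
    dst_zones: Set[str]
    profile: Optional[DecryptionProfile] = None
    groups: Set[str] = field(default_factory=set)      # empty = any user
    hosts: Set[str] = field(default_factory=set)       # empty = any website
    categories: Set[str] = field(default_factory=set)


VERSION_ORDER = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]
DECRYPTABLE = {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"}   # assumption: SSL3 counts as non-decryptable

# The two exclusion URL groups (contents constructed)
LOCAL_TLS_EXCLUSIONS = {"payroll.example.com"}        # mutual-TLS application that breaks when re-signed
SOPHOS_TLS_EXCLUSIONS = {"updates.vendor.example"}    # stand-in for the Sophos-managed list

# Constructed approximations of the three default profiles (not the real profile contents)
STRICT = DecryptionProfile("Strict compliance", "TLS1.2", {"RC4", "3DES", "NULL", "EXPORT"}, 2048, True, "drop")
BLOCK_INSECURE = DecryptionProfile("Block insecure", "TLS1.1", {"RC4", "NULL", "EXPORT"}, 1024, False, "drop")
COMPAT = DecryptionProfile("Maximum compatibility", "TLS1.0", set(), 1024, False, "allow")


def enforce(profile: DecryptionProfile, c: TlsConn) -> Tuple[str, str]:
    """Apply a profile's non-decryptable handling and enforcement rules to one connection."""
    if c.version not in DECRYPTABLE:
        if profile.on_non_decryptable == "allow":
            return "do_not_decrypt", f"non-decryptable {c.version} allowed"
        return "deny", f"non-decryptable {c.version} dropped"
    if VERSION_ORDER.index(c.version) < VERSION_ORDER.index(profile.min_version):
        return "deny", f"{c.version} below {profile.min_version}"
    if any(weak in c.cipher for weak in profile.blocked_ciphers):
        return "deny", f"cipher {c.cipher} blocked"
    if c.key_bits < profile.min_key_bits:
        return "deny", f"key size {c.key_bits} below {profile.min_key_bits}"
    if c.cert_error and profile.block_cert_errors:
        return "deny", f"certificate error: {c.cert_error}"
    return "decrypt", f"profile {profile.name}"


def decide(rules: List[TlsRule], c: TlsConn, tls13_downgrade: bool = False) -> Tuple[str, str]:
    """Exclusions win, then the first matching rule; no match leaves the traffic encrypted."""
    if c.host in LOCAL_TLS_EXCLUSIONS or c.host in SOPHOS_TLS_EXCLUSIONS:
        return "do_not_decrypt", "exclusion URL group"
    for rule in rules:
        if c.src_zone not in rule.src_zones or c.dst_zone not in rule.dst_zones:
            continue
        if rule.groups and c.group not in rule.groups:
            continue
        if rule.hosts and c.host not in rule.hosts:
            continue
        if rule.categories and c.category not in rule.categories:
            continue
        if rule.action != "decrypt":
            return rule.action, f"rule {rule.name}"
        action, why = enforce(rule.profile, c)
        if action == "decrypt" and c.version == "TLS1.3" and tls13_downgrade:
            why += ", downgraded to TLS1.2"     # global TLS 1.3 compatibility setting
        return action, why
    return "do_not_decrypt", "no matching TLS inspection rule"


# Constructed rule-set mirroring the three example rules in this chapter
RULES = [
    TlsRule("Finance strict", "decrypt", {"LAN"}, {"WAN"}, profile=STRICT, groups={"Finance"}),
    TlsRule("Legacy app relaxed", "decrypt", {"LAN"}, {"WAN"}, profile=COMPAT, hosts={"legacy.example.net"}),
    TlsRule("Decrypt all outbound", "decrypt", {"LAN"}, {"WAN"}, profile=BLOCK_INSECURE),
]
```

The exclusion check runs before any rule, which is why a host on the local or Sophos-managed list is never re-signed even though the catch-all rule would otherwise decrypt it. A finance user on a server with a 1024-bit key is denied by the strict profile, while the same server name listed in the relaxed rule is decrypted under Maximum compatibility; and traffic from a zone no rule covers is left encrypted rather than denied, so a missing TLS rule is a visibility gap, not a block.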
Chapter Review

Here are the four main things you learned in this chapter.
TLS inspection rules can match on source and destination zones and networks, users, services, and websites.
TLS inspection exclusions are managed using web URL groups. There are two URL groups by default, one locally managed and one Sophos managed.
TLS inspection settings are generic engine-based settings that will apply globally to all rules.
Decryption profiles contain the settings for which signing CAs to use, how to manage non-decryptable traffic, and which connections will be blocked based on errors, key size, and algorithms.

Getting Started with Intrusion Prevention on Sophos Firewall
Sophos Firewall Version: 19.0v1 [Additional Information]
Sophos Firewall SF2505: Getting Started with Intrusion Prevention on Sophos Firewall, April 2022, Version: 19.0v1
© 2022 Sophos Limited. All rights reserved.
Getting Started with Intrusion Prevention on Sophos Firewall

In this chapter you will learn how to enable and configure basic intrusion prevention settings on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Using the Sophos Firewall WebAdmin to configure policies

DURATION: 10 minutes

Intrusion Prevention Overview

Intrusion prevention on Sophos Firewall has three parts:
• Intrusion prevention system, or IPS, policies that are applied to firewall rules to protect against exploits and malformed traffic
• Spoof protection, which drops traffic that is trying to pretend to come from a different MAC or IP address to bypass protection
• Denial-of-service (DoS) protection, which drops traffic that is maliciously trying to prevent legitimate traffic from being able to access services

IPS Policies

IPS policies detect and block malicious and malformed traffic coming into the network (in the diagram, from an attacker on the Internet towards servers behind the Sophos Firewall) and malicious and malformed traffic coming from computers on the network (from a compromised computer).

Let’s start with IPS policies. IPS policies are a collection of rules to detect malicious and malformed data that can exploit computers and servers.
IPS policies are selected in firewall rules, so they can be used to protect against attacks on traffic coming into the network, and traffic coming from compromised computers on the network.

Enabling IPS

Before you can configure and use intrusion prevention you need to enable IPS protection. This will download the IPS signatures to the Sophos Firewall. Once the signatures have been downloaded, they will be kept up-to-date. If IPS is disabled via the switch, the IPS signatures will be removed after 30 days unless it is enabled again.

Out-of-the-Box IPS Policies

IPS policies are configured in: PROTECT > Intrusion prevention > IPS policies

Sophos Firewall comes with several predefined IPS policies, which can be found in PROTECT > Intrusion prevention > IPS policies. These policies cover most of the everyday scenarios that you would encounter on an average network. You can edit the included policies or create new ones to meet your security needs.

Creating IPS Policies

Maximum 15 characters
Optionally clone rules from an existing IPS policy

When you create a new IPS policy you give it a name, limited to fifteen characters, and a description. You can then optionally select to clone the rules from an existing policy. This can save a lot of time when building new policies. You have to save the policy at this point so that, if you have selected to clone rules, they can be added. You can then edit the policy.

Configuring IPS Policies

Drag and drop to order rules

The policy is made up of an ordered list of rules. Each rule contains one or more signatures and has an action. You can change the order of the rules within the policy by dragging and dropping them.
Creating IPS Policy Rules

Free-text filter
All filtered signatures or selected signatures only

When you add or edit a rule you can quickly and easily select the desired IPS patterns by category, severity, platform, and target type, with support for persistent smart filter lists that will automatically update as new patterns are added that match the selected criteria. For example, you can use the smart filter to select all signatures that relate to a specific application.

You can choose to include all the signatures returned by the filters or only selected signatures. Please note that if you choose only selected signatures the rule cannot update the included signatures automatically.

Sophos Firewall includes the Talos commercial IPS signature library from Cisco. We augment the Talos library with additional signatures as required to ensure optimal intrusion protection. Talos is a highly respected network security analysis group working around the clock to respond to the latest trends in hacking, intrusions, and malware… just like our own SophosLabs. So, this is a great partnership that bolsters our IPS protection and provides more granular IPS policy controls.

Creating IPS Policy Rules

Recommended action for the signature

At the bottom of the rule, you can select the action you want to take. One of these actions is ‘Recommended’. You will notice that each signature has a recommended action associated with it that can be used, or you can override this with the action applied to the rule.

Applying IPS Policies

Select an IPS policy for the firewall rule

Once you have created an IPS policy it needs to be selected in a firewall rule to be active. The firewall rule you select will determine what traffic is checked, and the IPS policy will determine the checks that are carried out.
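The ordered-rule evaluation, the difference between a smart filter and a fixed selected-signature list, and the ‘Recommended’ action described above, as an added worked example. This is a toy Python model written for this page, not code from the course or from Sophos Firewall: the signature ids, names, categories, severity scale and the action labels "drop", "allow" and "recommended" are constructed stand-ins, and the assumption that a signature matched by no rule gets no IPS action is mine.

```python
# Added example (not Sophos code): toy model of how an ordered IPS policy resolves
# the action for a signature. A smart filter is re-evaluated against the current
# signature library, so new signatures are picked up; a selected list is fixed.
# All signature ids, names, categories and action labels are constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Signature:
    sid: str
    name: str
    category: str
    severity: int          # constructed 1..5 scale
    platform: str
    recommended: str       # the signature's own recommended action ("drop" or "allow")


@dataclass
class Rule:
    name: str
    action: str                                     # "recommended", "drop" or "allow"
    smart_filter: Optional[Dict[str, Set]] = None   # attribute -> accepted values
    selected: FrozenSet[str] = frozenset()          # explicit signature ids

    def matches(self, sig: Signature) -> bool:
        if self.smart_filter is not None:
            return all(getattr(sig, attr) in accepted
                       for attr, accepted in self.smart_filter.items())
        return sig.sid in self.selected

    def action_for(self, sig: Signature) -> str:
        # "recommended" defers to the signature; anything else overrides it.
        return sig.recommended if self.action == "recommended" else self.action


@dataclass
class IpsPolicy:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def __post_init__(self):
        if len(self.name) > 15:        # name limit stated in the course text
            raise ValueError("IPS policy name is limited to 15 characters")

    def move_rule(self, rule_name: str, new_index: int) -> None:
        """Model drag-and-drop reordering: move the named rule to new_index."""
        rule = next(r for r in self.rules if r.name == rule_name)
        self.rules.remove(rule)
        self.rules.insert(new_index, rule)

    def evaluate(self, sig: Signature) -> Tuple[Optional[str], str]:
        """The first rule in order that contains the signature decides the action.
        Assumption: a signature matched by no rule gets no IPS action ("allow")."""
        for rule in self.rules:
            if rule.matches(sig):
                return rule.name, rule.action_for(sig)
        return None, "allow"


def demo_library() -> List[Signature]:
    # Constructed signatures standing in for library entries.
    return [
        Signature("SIG-1", "web cmd injection probe", "web_server", 5, "linux", "allow"),
        Signature("SIG-2", "db protocol anomaly", "database", 3, "any", "allow"),
        Signature("SIG-3", "noisy scanner", "recon", 2, "any", "allow"),
    ]


def demo_policy() -> IpsPolicy:
    return IpsPolicy("branch-web", [
        Rule("critical", "drop", smart_filter={"severity": {5}}),
        Rule("web-smart", "recommended", smart_filter={"category": {"web_server"}}),
        Rule("db-selected", "drop", selected=frozenset({"SIG-2"})),
    ])


def run_demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Evaluate the policy after two new (constructed) signatures are published."""
    library = demo_library()
    policy = demo_policy()
    library.append(Signature("SIG-4", "new web exploit", "web_server", 3, "windows", "drop"))
    library.append(Signature("SIG-5", "new db exploit", "database", 4, "any", "drop"))
    return {sig.sid: policy.evaluate(sig) for sig in library}


if __name__ == "__main__":
    for sid, (rule, action) in run_demo().items():
        print(f"{sid}: {action} (rule: {rule})")
```

The point to notice is SIG-4 versus SIG-5: the new web signature is caught by the smart-filter rule without anyone editing the policy, while the new database signature is not covered by the rule that only lists SIG-2. Moving the "critical" rule below "web-smart" changes SIG-1 from the override (drop) to its recommended action, which is what rule order is for.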
Simulation: Create an IPS Policy

In this simulation you will create an IPS policy and apply it to a firewall rule.

[Additional Information] https://training.sophos.com/fw/simulation/IpsPolicy/1/start.html

Spoof Protection

Drop packets that are not from a trusted MAC address
Drop if source IP does not match an entry on the firewall’s routing table
Drop packets if source IP and MAC do not match a trusted MAC address
If spoof protection is misconfigured, you can lock yourself out of the Sophos Firewall

In addition to the protection that can be configured in IPS policies, there are denial of service (DoS) and spoof protection services that can be enabled. We will start with spoof protection, which has three modes of protection that can be enabled per-zone.
• IP spoofing – packets will be dropped if the source IP address does not match an entry on the firewall’s routing table
• MAC filter – packets will be dropped if the source MAC address is not configured as a trusted MAC
• IP-MAC pair filter – packets will be dropped if the IP and MAC do not match any entry in the IP-MAC trusted list

The MAC filter cannot be enabled until at least one entry is added to the trusted MAC list.

In addition to these three modes, there is the option to restrict unknown IP on trusted MAC. With this option enabled, any traffic from an unknown IP address on a trusted MAC address is dropped.

Please note, if spoof protection is misconfigured you can lock yourself out of the Sophos Firewall!
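A toy Python model of the three spoof-protection modes and the restrict-unknown-IP option, added here as an illustration; it is not Sophos Firewall’s implementation. Two assumptions are marked in the code: the IP spoofing check is modelled as a reverse-path lookup (the route for the source address must point at the zone the packet arrived on), and the restrict-unknown-IP option only applies to trusted MACs that have an associated IP list. Zone names, routes and addresses are constructed.

```python
# Added example (not Sophos code): toy model of per-zone spoof protection.
# Assumptions: "IP spoofing" is a reverse-path check (the route for the source IP
# must point at the ingress zone); "restrict unknown IP on trusted MAC" applies only
# to trusted MACs that have an associated IP list. All addresses are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    zone: str        # zone the packet arrived on
    src_ip: str
    src_mac: str


@dataclass
class SpoofProtection:
    ip_spoofing_zones: Set[str] = field(default_factory=set)
    mac_filter_zones: Set[str] = field(default_factory=set)
    ip_mac_pair_zones: Set[str] = field(default_factory=set)
    restrict_unknown_ip_on_trusted_mac: bool = False
    routes: Dict[str, str] = field(default_factory=dict)               # network -> zone
    trusted_macs: Dict[str, Set[str]] = field(default_factory=dict)    # MAC -> associated IPs

    def __post_init__(self):
        # Course note: the MAC filter cannot be enabled with an empty trusted MAC list.
        if self.mac_filter_zones and not self.trusted_macs:
            raise ValueError("MAC filter needs at least one trusted MAC")
        self.trusted_macs = {m.lower(): set(ips) for m, ips in self.trusted_macs.items()}

    def _route_zone(self, ip: str) -> Optional[str]:
        """Longest-prefix match of ip against the routing table."""
        addr = ipaddress.ip_address(ip)
        best: Optional[Tuple[int, str]] = None
        for net, zone in self.routes.items():
            network = ipaddress.ip_network(net)
            if addr in network and (best is None or network.prefixlen > best[0]):
                best = (network.prefixlen, zone)
        return best[1] if best else None

    def check(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("accept", "") or ("drop", reason)."""
        mac = pkt.src_mac.lower()
        if pkt.zone in self.ip_spoofing_zones and self._route_zone(pkt.src_ip) != pkt.zone:
            return "drop", "ip-spoofing: source IP is not routed via this zone"
        if pkt.zone in self.mac_filter_zones and mac not in self.trusted_macs:
            return "drop", "mac-filter: source MAC is not trusted"
        if pkt.zone in self.ip_mac_pair_zones and pkt.src_ip not in self.trusted_macs.get(mac, set()):
            return "drop", "ip-mac-pair: IP/MAC pair is not in the trusted list"
        if self.restrict_unknown_ip_on_trusted_mac:
            known = self.trusted_macs.get(mac)
            if known and pkt.src_ip not in known:      # assumption: only MACs with an IP list
                return "drop", "unknown IP on trusted MAC"
        return "accept", ""


def demo_config(ip_mac_pair: bool = False) -> SpoofProtection:
    return SpoofProtection(
        ip_spoofing_zones={"LAN"},
        mac_filter_zones={"LAN"},
        ip_mac_pair_zones={"LAN"} if ip_mac_pair else set(),
        restrict_unknown_ip_on_trusted_mac=True,
        routes={"10.0.0.0/24": "LAN", "0.0.0.0/0": "WAN"},
        trusted_macs={
            "00:11:22:33:44:55": {"10.0.0.5"},   # static IP association
            "00:11:22:33:44:66": set(),          # association set to none
        },
    )


def demo_packets() -> List[Packet]:
    return [
        Packet("LAN", "10.0.0.5", "00:11:22:33:44:55"),     # legitimate host
        Packet("LAN", "203.0.113.7", "00:11:22:33:44:55"),  # spoofed public source IP
        Packet("LAN", "10.0.0.9", "aa:bb:cc:dd:ee:ff"),     # untrusted MAC
        Packet("LAN", "10.0.0.9", "00:11:22:33:44:55"),     # trusted MAC, unexpected IP
        Packet("LAN", "10.0.0.9", "00:11:22:33:44:66"),     # trusted MAC, no association
        Packet("WAN", "203.0.113.7", "de:ad:be:ef:00:01"),  # zone without spoof protection
    ]


def run_demo(ip_mac_pair: bool = False) -> List[str]:
    cfg = demo_config(ip_mac_pair)
    return [cfg.check(p)[0] for p in demo_packets()]


if __name__ == "__main__":
    cfg = demo_config()
    for p in demo_packets():
        print(p.zone, p.src_ip, p.src_mac, "->", cfg.check(p))
```

The fifth packet shows why the lock-out warning matters: with only the MAC filter and restrict-unknown-IP enabled, a trusted MAC with no IP association still passes, but as soon as the IP-MAC pair filter is switched on for the zone, that same host is dropped because it has no entry in the pair list. Run the model against the address you manage the firewall from before enabling a mode.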
Spoof Protection

If spoof protection is misconfigured, you can lock yourself out of the Sophos Firewall

In the spoof protection trusted MAC section, you can add MAC addresses that can be used with the MAC filter. MAC addresses can be associated to IP addresses; this can either be set to none, DHCP, or static. For static IP addresses you can enter multiple values.

Denial of Service (DoS) Protection

View dropped packet counters for each attack type

A denial of service (DoS) attack is a method that hackers use to prevent or deny legitimate users’ access to a service. DoS attacks are typically executed by sending many request packets to a targeted server, which floods the server’s resources, making the system unusable. Their goal is not to steal information, but to disable or deprive a device or network so that users no longer have access to the network services/resources.

All servers can handle traffic volume up to a maximum, beyond which they become disabled. Attackers send a very high volume of redundant traffic to a system so it cannot keep up with the bad traffic and allow permitted network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic.

Here we can see the configuration for a SYN flood attack. You can set the allowed packet rate per minute for each source and destination, as well as a burst rate for each source and destination in packets per second. When the burst rate is crossed, Sophos Firewall considers it as an attack and provides DoS attack protection by dropping all the excess packets from the source or destination. The firewall will continue to drop the packets until the attack subsides. Because the device applies threshold values per IP address, only traffic from the source or destination will be dropped.
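The per-IP SYN flood thresholds described above (an allowed packet rate per minute and a burst rate per second, applied to each source separately), as an added Python model that is not Sophos code. It assumes that packets over either threshold are dropped while packets within the allowance keep passing, and that a source is accepted again once its rate falls back under the thresholds; the addresses, timings and threshold values are constructed.

```python
# Added example (not Sophos code): toy per-source SYN flood limiter with the two
# thresholds the course describes, an allowed packet rate per minute and a burst
# rate per second. Excess packets over either threshold are dropped; once a
# source's rate falls back under the thresholds it is accepted again.
# Addresses and timings below are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class SynFloodGuard:
    def __init__(self, rate_per_minute: int, burst_per_second: int):
        self.rate_per_minute = rate_per_minute
        self.burst_per_second = burst_per_second
        # per source IP: timestamps of packets accepted in the last 60 seconds
        self._accepted: Dict[str, Deque[float]] = defaultdict(deque)
        # per source IP: dropped-packet counter (what the "DoS attacks" tab shows)
        self.dropped: Dict[str, int] = defaultdict(int)

    def process(self, src_ip: str, t: float) -> str:
        """Return "accept" or "drop" for a SYN from src_ip at time t (seconds)."""
        window = self._accepted[src_ip]
        while window and t - window[0] >= 60.0:       # slide the one-minute window
            window.popleft()
        in_last_second = sum(1 for ts in window if t - ts < 1.0)
        if in_last_second >= self.burst_per_second or len(window) >= self.rate_per_minute:
            self.dropped[src_ip] += 1                  # only this source is affected
            return "drop"
        window.append(t)
        return "accept"


def constructed_events() -> List[Tuple[str, float]]:
    """(source IP, timestamp) pairs: a burst, a normal client, and a slow sustained flood."""
    events: List[Tuple[str, float]] = []
    events += [("198.51.100.10", i * 0.02) for i in range(20)]   # 20 SYNs in 0.4 s
    events += [("192.0.2.20", 0.1), ("192.0.2.20", 0.2), ("192.0.2.20", 0.3)]
    events += [("198.51.100.30", i * 0.5) for i in range(120)]   # 2 per second for 60 s
    return events


def simulate(events: List[Tuple[str, float]], rate_per_minute: int = 100,
             burst_per_second: int = 5) -> Dict[str, Dict[str, int]]:
    """Run every event through one guard in time order; return per-source verdict counts."""
    guard = SynFloodGuard(rate_per_minute, burst_per_second)
    verdicts: Dict[str, Dict[str, int]] = {}
    for src_ip, t in sorted(events, key=lambda e: e[1]):
        verdicts.setdefault(src_ip, {"accept": 0, "drop": 0})[guard.process(src_ip, t)] += 1
    return verdicts


if __name__ == "__main__":
    for ip, counts in simulate(constructed_events()).items():
        print(ip, counts)
```

The third source never trips the burst threshold (two packets a second) but still exceeds the per-minute rate after its hundredth packet, which is why both thresholds exist; the normal client sharing the same second as the burst is untouched because the counters are per IP address.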
The rest of the network traffic will continue to be processed as normal. You can view the counters for dropped packets on the DoS attacks tab. Please note that DoS protection is applied globally to all traffic passing through the Sophos Firewall.

Chapter Review

Here are the three main things you learned in this chapter.
• Intrusion prevention on Sophos Firewall comprises IPS policies, spoof protection, and denial-of-service (DoS) protection.
• IPS policies are an ordered list of rules. Each rule contains one or more signatures, and signatures can be automatically selected for the rule using filters. Each rule also has an action.
• To use IPS policies, IPS must be enabled using the switch, and a policy must be applied to a firewall rule.

Enabling Advanced Threat Protection on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information] Sophos Central FW2525: Enabling Advanced Threat Protection on Sophos Firewall, April 2021, Version: 19.0v1
Enabling Advanced Threat Protection on Sophos Firewall

In this chapter you will learn how to enable advanced threat protection and review details of detections.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The role of Advanced Threat Protection (ATP) in the attack kill chain, blocking outgoing traffic to command and control servers

DURATION
5 minutes

Advanced Threat Protection (ATP) Overview

Detect compromised devices on your network
Block access to command-and-control servers
Uses data from all enabled services on Sophos Firewall

If you have a compromised device on your network, the Advanced Threat Protection, or ATP, on the Sophos Firewall can help to detect it when it tries to contact the Internet. ATP is a global configuration that monitors traffic and data from all enabled services on the Sophos Firewall, including DNS and web requests, to detect and block access to command-and-control servers.

Configuring Advanced Threat Protection

Log and drop
Log only
Exclusions

ATP is configured through a simple policy in PROTECT > Advanced protection. ATP is enabled using the toggle slider at the top of the page. The policy itself is a choice between either only logging detections, or logging and dropping the traffic.
ATP is applied globally, so if you need to exclude specific devices or networks this can be done here. You can also choose to exclude specific threats; however, we recommend only doing this under the guidance of Sophos support.

Configuring Advanced Threat Protection

At the bottom of the page is the ‘Advanced security settings’ section. Here you choose whether ATP inspects untrusted content (the default option) or all content. Inspect untrusted content inspects only traffic from untrusted sources or traffic going to untrusted destinations. This option gives the best performance. Inspect all content inspects all content to and from both trusted and untrusted sources and destinations. While the difference between these two options is minimal, in high-traffic environments it may become significant.

Advanced Threat Protection Alerts

There is a widget for ATP alerts on the Sophos Firewall Control center, which you can click to get additional information.

Advanced Threat Protection Alerts

After clicking the widget, you will see a page that shows the detections, including the IP address, hostname, and threat. You can further click through from this screen to the ATP report.

Advanced Threat Protection Report

You can access the ATP report in Reports > Network & threats. Here you can see where requests came from and where they were going to, which users made the requests, and what action was taken: log or log-and-drop.

Simulation: Enabling Advanced Threat Protection

In this simulation you will enable advanced threat protection, trigger a detection, and review the resulting information.
[Additional Information] https://training.sophos.com/fw/simulation/Atp/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.
• Advanced threat protection, or ATP, uses data from all enabled services on Sophos Firewall to detect compromised computers on the network connecting to command-and-control servers.
• ATP can be configured to either log, or log and drop, traffic to command-and-control servers.
• ATP can be configured to either inspect only content coming from untrusted sources or going to untrusted destinations, or to inspect all content.

Getting Started with Security Heartbeat on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information] Sophos Firewall FW2535: Getting Started with Security Heartbeat on Sophos Firewall, April 2022, Version: 19.0v1
Getting Started with Security Heartbeat on Sophos Firewall

In this chapter you will learn what Security Heartbeat is, and how to enable it to help protect your network.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The role of Security Heartbeat in the attack kill chain, automatically isolating devices that have been compromised

DURATION
10 minutes

Security Heartbeat

Intelligent communication between Sophos Central managed endpoints and Sophos Firewall
Regular heartbeat sent to Sophos Firewall with current status
Notification sent to Sophos Firewall when events occur
Sophos Firewall can request additional information from endpoints about processes accessing the network

Sophos Security Heartbeat provides intelligent communication between endpoints that are managed in Sophos Central and the Sophos Firewall so that they can coordinate their response to threats. The computer sends a small regular heartbeat to the Sophos Firewall to identify itself and show that it is still active and protected. When an event occurs, such as a malware detection, information about the event is shared with the Sophos Firewall.
The computer announces its health status to the Sophos Firewall, which can be either GREEN, YELLOW or RED. If the Sophos Firewall detects an advanced attack, it can request additional details from the endpoint such as the process name. The Sophos Firewall can use the heartbeat and health information from endpoints to control access to hosts and networks.

Security Heartbeat Status

GREEN – No risk – no action is required
• Endpoint Agent is running
• No active or inactive malware
• No PUAs detected

YELLOW – Medium risk – action may be required
• Endpoint Agent is running
• Inactive malware detected or PUA detected
• Endpoint Agent is out of date

RED – High risk – action is required
• Endpoint Agent may not be running/devices may not be protected
• Active malware or malware not cleaned up, malicious network traffic (e.g., to a known command and control network), or communication to a known bad host

Here you can see what each heartbeat status means. If a computer has a GREEN status, this means that the Endpoint Agent is running (so the computer is protected) and no active or inactive malware or PUAs (potentially unwanted applications) have been detected. If the computer has a YELLOW status, the Endpoint Agent is running so the computer is still protected, but inactive malware or a PUA has been detected. It can also indicate that the Endpoint Agent is out of date. When a computer has a RED status, it can indicate that the Endpoint Agent may not be running, so the computer may not be protected. Alternatively, it could mean that active malware has been detected or malware that has not been cleaned up, malicious network traffic has been detected, or communication to a known bad host.

How Security Heartbeat Works
[Slide: the computer must be managed by Sophos Central; the Sophos Firewall registers with Sophos Central and gets a list of managed computers; the computer establishes a two-way communication channel with the Sophos Firewall. Computers must be connected to the local network or to the Sophos Firewall via a VPN.]

Sophos Central brokers the trust between computers that it manages and Sophos Firewalls that are registered with it. Sophos Central will provide the certificates required for the computers and Sophos Firewall to be able to communicate. The computer will initiate a connection to the Sophos Firewall, and if it is a computer that is managed by the same Sophos Central account a two-way communication channel is established.

Please note that Security Heartbeat is only supported when computers are connected to the local network, or to the Sophos Firewall via a VPN. Security Heartbeat is not supported in the WAN zone.

How Security Heartbeat Works

[Slide: Internet, Sophos Firewall, computers, a laptop and servers; the paths the firewall protects are marked PROTECTED.]

Let’s look at what would happen if malware is detected on a computer with Security Heartbeat. When malware is detected on the computer, Security Heartbeat will send event information and its new health status to the Sophos Firewall. Sophos Firewall can then prevent the compromised computer from connecting to other computers or servers, protecting them from possible infection. Once the Sophos Endpoint Agent has cleaned up the malware, Security Heartbeat will send its updated health status to the Sophos Firewall, and the firewall can allow it to access hosts and networks as normal.

In this example Sophos Firewall can protect computers where the traffic must pass through the firewall, but what about where computers are connected via a switch?
Lateral Movement Protection

Sophos Firewall shares the MAC address of computers with a red health status

[Slide: Sophos Firewall connected to a switch, with Laptop A, Laptop B and Laptop C on the same switch; Laptop A and Laptop C are marked PROTECTED. Additional information in the notes.]

This is where lateral movement protection comes in. Let’s consider the same scenario, but this time look at the computers that are connected to the same section of network as the laptop that has detected malware. The computers on this section of the network can communicate with each other without the traffic passing through the Sophos Firewall.

In this scenario, when the Sophos Firewall receives a red health status for laptop B it shares the MAC address of laptop B with all of the endpoints it has a heartbeat with. The computers can use the MAC address to drop traffic from the computer with the RED health status. This is done by the Sophos Central software and has to be enabled in Sophos Central. Currently, only Windows endpoints will drop traffic from computers with a red health status.

It is important to note that because this relies on the other computers being able to see the MAC address of the computer with a red health status, this would not work if we replaced the switch with a router.

[Additional Information] Lateral movement protection is enabled and configured in Sophos Central in Global Settings > Reject Network Connections.

Red Health Status from Sophos Firewall Detection

1. Sophos Firewall detects a call home or an IPS rule is triggered
2. Sophos Firewall sends a message to the endpoint to change its health status to red
3. The endpoint reports back additional information (process information) to the Sophos Firewall

So far, we have only looked at the red health status being triggered by something being detected on the endpoint, but the Sophos Firewall can also inform the endpoint when it has detected something that requires the laptop to have a red health status. This can be either a call home to a command-and-control server or because the endpoint has triggered an IPS rule.

Registering with Sophos Central

SYSTEM > Sophos Central

To start using Security Heartbeat the Sophos Firewall needs to be registered with the same Sophos Central account that is used to manage the protection on the computers. Registration is completed in SYSTEM > Sophos Central. You can either register the firewall using a one-time password or the username and password of a Central admin.

Registering with Sophos Central

To create a one-time password in Sophos Central, navigate to the Firewall management section, then MANAGE > Firewalls. Click Add Firewall, then select join a firewall that is already configured. Enter the serial number of your firewall and click Next. Click Copy OTP code and finish. In Sophos Firewall, choose to register using a one-time password, then paste in the code and click Register.

Configuring Security Heartbeat

Register Sophos Firewall with Sophos Central
PROTECT > Central synchronization

Once enabled you can optionally configure which zones you want to detect missing heartbeats for. A missing heartbeat is a computer that has established a heartbeat in the past but is no longer sending a heartbeat. This could indicate that the protection software has been disabled.
Security Heartbeat Status

In the Control center you can see how many devices have established a heartbeat with the firewall and their current status.

Configuring Security Heartbeat

Select Security Heartbeat restrictions in firewall rules
• Source and destination-based rules
• Set the minimum health status
• Optionally require a heartbeat

With the Sophos Firewall registered with Sophos Central, endpoints will start to establish a heartbeat. There will be a short delay before this happens while they download the required certificates. For the Sophos Firewall to start controlling network access based on a computer’s heartbeat status you need to enable the restrictions in your firewall rules. Restrictions can be configured for either the source, destination or both, and are configured to set the minimum required health status: green, yellow or no restriction.

You can optionally require computers to have a heartbeat. This means that any device not running Sophos Central will not be able to meet the requirement. This can be used to block unknown devices on the network. Please note that destination restrictions cannot be applied to computers in the WAN zone.

Simulation: Getting Started with Security Heartbeat

In this simulation you will register Sophos Firewall with Sophos Central and enable Security Heartbeat in a firewall rule. You will trigger a RED health status and confirm the device is blocked.

[Additional Information] https://training.sophos.com/fw/simulation/Heartbeat/1/start.html
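The two enforcement points from the lateral movement slide and the firewall-rule restrictions above, as one added Python model that is not Sophos code: health-based allow/deny for traffic that passes through the firewall, and endpoint-side dropping by shared MAC address for traffic on a switched segment that never reaches the firewall, including why the MAC approach does not work across a router. Assumptions are marked in the code: a device without a heartbeat passes a minimum-health check unless "require heartbeat" is set, only Windows endpoints honour the shared MAC list, and a MAC is removed from the list when the device’s status recovers. All device names and addresses are constructed.

```python
# Added example (not Sophos code): toy model of Security Heartbeat enforcement at
# the firewall (minimum health / require heartbeat in a rule) and on the endpoints
# (dropping frames from a shared RED MAC address). Names and addresses are
# constructed; assumptions are marked inline.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

HEALTH_RANK = {"RED": 0, "YELLOW": 1, "GREEN": 2}


@dataclass
class Endpoint:
    name: str
    ip: str
    mac: str
    os: str                                   # "windows" or "other"
    health: str = "GREEN"
    blocked_macs: Set[str] = field(default_factory=set)

    def receive_frame(self, src_mac: str) -> str:
        """Endpoint-side lateral movement protection (assumption: Windows only)."""
        if self.os == "windows" and src_mac.lower() in self.blocked_macs:
            return "drop"
        return "accept"


@dataclass
class HeartbeatRestriction:
    minimum_health: Optional[str] = None      # "GREEN", "YELLOW" or None = no restriction
    require_heartbeat: bool = False


@dataclass
class FirewallRule:
    source: HeartbeatRestriction = field(default_factory=HeartbeatRestriction)
    destination: HeartbeatRestriction = field(default_factory=HeartbeatRestriction)
    destination_zone: str = "LAN"

    def __post_init__(self):
        # Course note: destination restrictions cannot be applied to the WAN zone.
        if self.destination_zone == "WAN" and (
                self.destination.minimum_health or self.destination.require_heartbeat):
            raise ValueError("destination heartbeat restrictions are not supported in WAN")


class Firewall:
    def __init__(self, lateral_movement_protection: bool = True):
        self.lateral_movement_protection = lateral_movement_protection  # Central setting
        self.heartbeats: Dict[str, Endpoint] = {}   # endpoint IP -> endpoint

    def heartbeat(self, ep: Endpoint, health: str) -> None:
        """Endpoint reports its health; on RED its MAC is shared with the others."""
        ep.health = health
        self.heartbeats[ep.ip] = ep
        for other in self.heartbeats.values():
            if other is ep:
                continue
            if health == "RED" and self.lateral_movement_protection:
                other.blocked_macs.add(ep.mac.lower())
            else:                                 # assumption: unblock on recovery
                other.blocked_macs.discard(ep.mac.lower())

    def _passes(self, ip: str, r: HeartbeatRestriction) -> bool:
        ep = self.heartbeats.get(ip)
        if ep is None:                            # no heartbeat from this address
            return not r.require_heartbeat        # assumption: blocked only if required
        if r.minimum_health is None:
            return True
        return HEALTH_RANK[ep.health] >= HEALTH_RANK[r.minimum_health]

    def allow(self, rule: FirewallRule, src_ip: str, dst_ip: str) -> bool:
        """Traffic through the firewall: both ends must meet the rule's restrictions."""
        return self._passes(src_ip, rule.source) and self._passes(dst_ip, rule.destination)


def run_demo() -> Dict[str, object]:
    fw = Firewall()
    a = Endpoint("laptop-a", "10.0.0.11", "00:11:22:00:00:0a", "windows")
    b = Endpoint("laptop-b", "10.0.0.12", "00:11:22:00:00:0b", "windows")
    c = Endpoint("laptop-c", "10.0.0.13", "00:11:22:00:00:0c", "other")
    for ep in (a, b, c):
        fw.heartbeat(ep, "GREEN")
    server = "10.0.1.50"                          # constructed server behind the firewall
    rule = FirewallRule(source=HeartbeatRestriction("YELLOW"))
    strict = FirewallRule(source=HeartbeatRestriction("GREEN", require_heartbeat=True))
    r: Dict[str, object] = {
        "b_to_server_when_green": fw.allow(rule, b.ip, server),
        "unknown_device_min_health_only": fw.allow(rule, "10.0.0.99", server),
        "unknown_device_require_heartbeat": fw.allow(strict, "10.0.0.99", server),
    }
    fw.heartbeat(b, "RED")                        # malware detected on laptop B
    r["b_to_server_when_red"] = fw.allow(rule, b.ip, server)
    r["switch_b_to_a"] = a.receive_frame(b.mac)   # same switch: A sees B's real MAC
    r["switch_b_to_c"] = c.receive_frame(b.mac)   # C is not Windows, so it does not drop
    r["router_b_to_a"] = a.receive_frame("00:11:22:ff:ff:01")  # router rewrites the MAC
    fw.heartbeat(b, "GREEN")                      # cleaned up
    r["b_to_server_after_cleanup"] = fw.allow(rule, b.ip, server)
    r["switch_b_to_a_after_cleanup"] = a.receive_frame(b.mac)
    return r
```

The "router_b_to_a" result is the slide’s caveat in code: once a router sits between the laptops, the frame laptop A receives carries the router’s source MAC, so the shared MAC list cannot match it and only a firewall on the path can enforce the RED status.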
Chapter Review

Here are the three main things you learned in this chapter.
• The Security Heartbeat is established between the Sophos Central managed endpoints and the firewall. Sophos Central brokers trust between the endpoints and firewall, so they must be registered to the same Sophos Central account.
• Sophos Firewall can block traffic from endpoints with a RED health status if it is passing through the firewall. To prevent lateral movement, the firewall will share the MAC addresses of devices with a RED health status with all other endpoints that it has a heartbeat with, so they can drop the traffic.
• Security Heartbeat must be configured in firewall rules to set a minimum health status for source and destination. Optionally, you can select to require a heartbeat.

Connecting Sites with Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information] Sophos Firewall FW3005: Connecting Sites with Sophos Firewall, April 2022, Version: 19.0v1
Connecting Sites with Sophos Firewall

In this chapter you will learn about the different methods Sophos Firewall offers for connecting sites.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION
5 minutes

Site-to-Site Connections

[Slide: a site-to-site VPN between two Sophos Firewalls, and a Remote Ethernet Device connected to a Sophos Firewall.]

Sophos Firewall includes two main ways to connect sites: site-to-site VPNs, and Remote Ethernet Devices, or REDs. How you choose to connect your sites will depend on the requirements of the site. For example, a small site that routes all traffic back to the head office might be a good fit for a RED, saving on the need for a full Sophos Firewall on-site. Whereas a large site that needs a Sophos Firewall for web filtering and web server protection could be connected using a site-to-site VPN without the need for additional hardware.
Site-to-Site Connections

Site-to-Site VPN
✓ Connection between two Sophos Firewalls
✓ Connection can be made to third-party firewalls
✓ Sophos Firewall can provide security filtering at the remote site

Remote Ethernet Device (RED)
✓ Connection between a Sophos Firewall and a small hardware device
✓ Plug and play with no technical expertise required onsite
✓ Can transparently extend the network between sites

If we look at a high-level comparison of the two connectivity options, there are a few key differences. Site-to-site VPNs can be used to create an encrypted tunnel between two Sophos Firewalls, or between a Sophos Firewall and another device that supports compatible protocols. Having a Sophos Firewall at the remote site also allows you to provide the same level of security filtering onsite without sending all traffic back over the VPN.

Remote Ethernet Devices are small hardware devices that are connected in branch offices that can transparently extend the network between sites with a layer-2 connection. REDs are plug-and-play, and don’t require any technical expertise to connect at the remote site. The RED tunnel technology can also be used to establish connections between Sophos Firewalls without using additional hardware; this can be used as an alternative to the other supported site-to-site VPN options.

Site-to-Site VPNs

SSL
✓ Simple configuration
✓ Effective site-to-site connectivity
• HTTPS (TLS)
• Port 8443 (can be changed)
• Digital certificates for authentication

IPsec
✓ Can be more secure if configured correctly
✓ Flexible routing options
✓ Supports failover groups
✓ Compatibility with third-party devices
• UDP port 500
• IP protocols 50 & 51
• Pre-shared key, RSA key, or digital certificates for authentication
• Tunnel mode for site-to-site connections

For site-to-site VPN connections, Sophos Firewall supports two protocols, SSL and IPsec.
SSL site-to-site VPNs are simple to configure and provide a quick, effective way to connect branch offices. IPsec can be more secure if configured correctly, provides more flexible routing options, and supports failover groups. IPsec can also be used to connect to third-party devices, but it can be more complex to set up. One practical consequence of the port list above: any filter between the two sites must permit UDP 500 and IP protocols 50 and 51 for IPsec (and UDP 4500 if either peer sits behind NAT and NAT traversal is used), whereas SSL needs only the single configured port, 8443 by default.

VPN Zone

Every VPN you create is automatically placed in the VPN zone. This is a special zone with no physical interfaces: all VPN connections, site-to-site and remote access, are always in this zone, and you cannot add or remove any other type of interface. While you cannot edit interface membership for this zone, you can manage its device access options. RED connections are not included in the VPN zone and can be placed in any zone, which gives you a flexible alternative if you need a custom zone for a remote site.

Chapter Review

• Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices (REDs)
• Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to set up, and IPsec, which is more configurable and flexible
• All VPN connections are automatically added to the VPN zone, a special zone with no physical interfaces whose membership cannot be edited
Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

Sophos Firewall FW3020: Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall
April 2022, Version: 19.0v1

In this chapter you will learn how to configure IPsec site-to-site VPN connections for simple environments.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION: 11 minutes
IPsec Site-to-Site VPNs

Route-based VPN
• The VPN connection is independent of the routes for traffic
• Routes can be modified without disconnecting the VPN
• Routes are created manually

Policy-based VPN
• Local and remote networks are defined as part of the VPN
• The VPN must be edited to change networks, which disconnects and reconnects it
• Routes are created automatically

Sophos Firewall supports two types of IPsec VPN: route-based and policy-based. With route-based VPNs you create a VPN connection between two firewalls, then separately configure routing for the traffic you want to send over it. With policy-based VPNs you define the local and remote networks as part of the VPN connection, and routes are created for those networks only. The advantage of route-based VPNs is that you can change which traffic is routed over the connection without editing, and therefore disconnecting and reconnecting, the VPN.

IPsec VPN Profiles

IPsec VPN profiles are configured in: SYSTEM > Profiles > IPsec profiles

• Security parameters used to establish and maintain the VPN connection
• Both sides of the VPN must allow the same settings
• Several profiles are provided out-of-the-box

An IPsec tunnel is only established if both ends agree on a matching set of algorithms and settings. On Sophos Firewall these are configured in IPsec profiles. Several preconfigured profiles ship with the firewall; these can be cloned and modified to meet your requirements, for example to satisfy compliance criteria or to interoperate with a third-party device.
Route-Based VPN

Figure: two Sophos Firewalls joined by an xfrm tunnel interface; the networks shown in the diagram are 172.16.16.0/24, 172.20.77.0/24, 192.168.16.0/24, and 192.168.2.0/24.

When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall. It can be configured like any other interface, except that it is always in the VPN zone. You create routes, NAT rules, and firewall rules for it in the same way as for any other traffic.

Creating the VPN Tunnel Interfaces

IPsec VPNs are configured in: CONFIGURE > Site-to-Site VPN > IPsec

• Select the Tunnel interface connection type
• At least one side of the connection must be configured to initiate the connection
• Select the authentication type: preshared key, digital certificate, or RSA key

We will look at the configuration for one side of the tunnel; the same needs to be done on both ends. The first step is to create the tunnel interface: create a new IPsec configuration and select Tunnel interface as the connection type. When you do so the IP version automatically changes to Dual, as tunnel interfaces support both IPv4 and IPv6. One side of the connection must be configured to initiate the connection; the other can be configured to only respond. In the 'Encryption' section, select the IPsec profile and the type of authentication you want to use.

You do not need to specify the local and remote networks for tunnel interfaces. In the 'Gateway settings' section, select the local interface that will be used to create the VPN connection and enter the IP address of the firewall on the other side.
For tunnel interfaces you do not specify local and remote networks, but you must set the remote gateway address. Unlike policy-based IPsec connections, you cannot use a wildcard for the remote gateway even when the tunnel interface is configured to respond only.

Configuring the Tunnel Interfaces

Tunnel interfaces are always in the VPN zone.

Once you have saved the IPsec connection, a new interface is created for it, bound to the physical interface selected when you created the connection. The interface is configured like any other, except that you cannot change its zone: tunnel interfaces are always in the VPN zone. The tunnel interfaces at each end must be in the same subnet, because the routes you add next use the far end's tunnel address as their next hop.

Routing for Route-Based VPNs

• Configure routes to send traffic over the tunnel
• Supports static routes, SD-WAN policy routes, and dynamic routing

Once the tunnel interfaces are up, create routes for the traffic that should use the VPN. Routing can be configured with static routes, SD-WAN policy routes, or dynamic routing.

Simulation: Create a Route-Based IPsec Site-to-Site VPN

In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos Firewalls.
https://training.sophos.com/fw/simulation/IpsecVpnS2s/1/start.html
Policy-Based IPsec VPN: IPsec VPN Wizard

IPsec VPN policies are configured in: CONFIGURE > Site-to-Site VPN > IPsec

• Step-by-step guide for creating IPsec VPNs
• Additional information about the configuration is shown on the left

We will now look at configuring policy-based VPNs. A wizard can be launched from the IPsec site-to-site VPN page to create a policy-based VPN. It walks through the steps necessary to create a VPN, with help and descriptions for each field on the left.

Policy-Based IPsec VPN (1): General settings

In the 'General settings' you choose between IPv4 and IPv6, and whether the Sophos Firewall should only respond to VPN requests or also try to initiate them. When creating a new VPN you can optionally have the Sophos Firewall create firewall rules automatically; these are fairly general and should be reviewed and tightened.

Policy-Based IPsec VPN (2): Encryption

RSA key authentication: copy the 'Local RSA key' shown on each device into the 'Remote RSA key' field on its peer.

In the 'Encryption' section you select the VPN profile, either one of the out-of-the-box profiles or one you have created yourself, and the authentication type: a pre-shared key, an RSA key, or a digital certificate. A pre-shared key is a passphrase entered on both devices. It is generally the weakest authentication type, because the secret is usually short compared with the other options and the same secret is held by both peers; if you must use one, generate a long random value rather than a memorable phrase. RSA keys are public/private key pairs; each device's public key is copied to the other device. This provides good security: the key is much longer, and each device has its own key pair.
As a bonus you do not need to create a passphrase; you simply copy and paste the keys. Digital certificates are the most secure option, but take some additional effort to configure. They use public/private key pairs like RSA keys, but the public key is bound to an identity by the signature of a trusted certificate authority, so the peer is validated through the CA rather than by exchanging raw keys, and a compromised device's certificate can be revoked.

Policy-Based IPsec VPN (3): Gateway settings and networks

In the 'Gateway settings' you configure the interface the Sophos Firewall will use for the VPN and the address it will connect to. If the remote side has a dynamic IP address a wildcard can be used; this also means the Sophos Firewall cannot initiate the connection, as it does not know where to connect to. IPsec VPNs can also carry an ID, based on a DNS name, IP address, email address, or X.509 certificate name. Finally, define which networks will be available over the VPN: the local networks that remote devices can access, and the remote networks you expect to reach over the VPN.

IPsec Acceleration

XGS Series appliances support IPsec acceleration.

Supported cipher and authentication combinations:
• AES-CBC with 128/192/256-bit keys and SHA-1, SHA-256, SHA-384, or SHA-512 HMAC
• AES-GCM with 128/192/256-bit keys
• NULL cipher with 128-bit GMAC authentication

Unsupported:
• DES, 3DES
• TwoFish
• MD5

Sophos XGS Series appliances support IPsec acceleration, which offloads IPsec encryption and decryption to the NPU. This is faster, and it also takes work off the CPU, freeing cycles for other security processing. The most commonly used cipher and authentication combinations are supported; only DES, 3DES, TwoFish, and MD5 are not. Check the IPsec profile used on an accelerated link against this list: a tunnel that negotiates one of the unsupported algorithms gains nothing from the offload.
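The two points above (both profiles must allow a common set of settings, and only some agreed combinations are offloaded on XGS) can be checked before a change window rather than discovered from a tunnel that will not come up. The following is an added example, not Sophos code and not the firewall's built-in profiles: it models IKE-style proposal selection between two profiles (first acceptable proposal in the initiator's preference order wins) and flags whether the agreed combination is on the acceleration list from the slide. Profile contents, algorithm labels and DH group numbers are constructed for illustration.

```python
"""Added example, not Sophos code: why both IPsec profiles must overlap, and
which agreed combinations an XGS appliance can offload.

An IPsec tunnel is only established if the initiator offers an encryption,
integrity and DH-group combination the responder also allows; the first such
combination in the initiator's preference order is used. The profiles below
are constructed sample values, and the algorithm names are illustrative
labels rather than a vendor API.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str   # "aes256", "aes256gcm", "3des", "null", ...
    integrity: str    # "sha256", "md5", ...; "none" for AEAD (GCM) ciphers
    dh_group: int     # IKE Diffie-Hellman group number


@dataclass
class IpsecProfile:
    name: str
    proposals: List[Proposal]   # preference order, most preferred first


def negotiate(initiator: IpsecProfile, responder: IpsecProfile) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also accepts, or None."""
    acceptable = set(responder.proposals)
    for proposal in initiator.proposals:
        if proposal in acceptable:
            return proposal
    return None


# XGS IPsec acceleration: supported and unsupported algorithms from the chapter.
ACCEL_CIPHERS = {"aes128", "aes192", "aes256", "aes128gcm", "aes192gcm", "aes256gcm", "null"}
ACCEL_HMACS = {"sha1", "sha256", "sha384", "sha512"}
NOT_ACCEL = {"des", "3des", "twofish", "md5"}


def offloadable(p: Proposal) -> bool:
    """True if the Xstream flow processor can take this combination off the CPU."""
    if p.encryption in NOT_ACCEL or p.integrity in NOT_ACCEL:
        return False
    if p.encryption.endswith("gcm") or p.encryption == "null":
        # AES-GCM carries its own authentication; NULL is paired with 128-bit GMAC.
        return p.encryption in ACCEL_CIPHERS
    return p.encryption in ACCEL_CIPHERS and p.integrity in ACCEL_HMACS


def check_pair(local: IpsecProfile, peer: IpsecProfile) -> Dict[str, object]:
    """Summarise a pairing: which proposal comes up (if any) and whether it is offloaded."""
    chosen = negotiate(local, peer)
    if chosen is None:
        return {"tunnel": None, "offload": False}
    return {"tunnel": f"{chosen.encryption}/{chosen.integrity}/dh{chosen.dh_group}",
            "offload": offloadable(chosen)}


# Constructed profiles: a strict local profile, a legacy peer, and a peer with nothing in common.
LOCAL = IpsecProfile("site-a-strict", [
    Proposal("aes256gcm", "none", 19),
    Proposal("aes256", "sha256", 14),
])
LEGACY_PEER = IpsecProfile("vendor-legacy", [
    Proposal("3des", "md5", 2),          # offered first, but LOCAL never accepts it
    Proposal("aes256", "sha256", 14),
])
MISMATCH_PEER = IpsecProfile("vendor-mismatch", [
    Proposal("aes128", "sha1", 5),
])

if __name__ == "__main__":
    for peer in (LEGACY_PEER, MISMATCH_PEER):
        print(f"{LOCAL.name} <-> {peer.name}: {check_pair(LOCAL, peer)}")
```

With the legacy peer the tunnel comes up on AES-256/SHA-256, whichever side initiates, because the weak 3DES/MD5 proposal is never in the intersection; with the mismatched peer no proposal is shared and the tunnel fails. The same structure works for checking a third-party device's documented proposal list against a cloned Sophos profile before the change is made.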
IPsec Acceleration: enabling and disabling

IPsec acceleration is enabled and disabled on the console with the system ipsec-acceleration command. Both directions restart all IPsec tunnels, so make the change in a maintenance window:

    console> system ipsec-acceleration disable
    This will restart all IPsec tunnels and stop offloading IPsec VPN traffic to the Xstream flow processor.
    Turn off IPsec acceleration(Y/N)? Y

    console> system ipsec-acceleration enable
    This will restart all IPsec tunnels and offload IPsec VPN traffic to the Xstream flow processor.
    Turn on IPsec acceleration(Y/N)? Y

IPsec Acceleration: packet flow

Figure: the kernel does the packet encapsulation and adds the ESP header; the NPU (Xstream flow processor) detects the encapsulated packet and performs the encryption.

With IPsec acceleration enabled, the kernel still performs the encapsulation when a packet comes in, but it does not encrypt the packet. The NPU detects the ESP header and encrypts the packet. The reverse happens for the reply: the NPU decrypts the packet and the kernel removes the encapsulation.

IPsec Acceleration with Firewall Acceleration (FastPath)

Figure: the NPU does both the packet encapsulation (adding the ESP header) and the encryption.

If firewall acceleration (offloading to the FastPath) is also enabled, the NPU does both the encapsulation and the encryption. This is the ideal scenario. With IPsec acceleration and firewall acceleration both disabled, the kernel does both the encapsulation and the encryption.
Chapter Review

• IPsec profiles contain the security parameters used to establish and maintain the VPN. Both sides of the VPN need to support the same settings
• Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are created manually, separately from the connection
• Policy-based VPNs define the networks, and routes are created automatically. The VPN must reconnect if you edit its networks
• Firewall rules can be created automatically when you create a policy-based VPN, but they are broad and should be edited

Configuring SSL Site-to-Site VPNs on Sophos Firewall

Sophos Firewall FW3010: Configuring SSL Site-to-Site VPNs on Sophos Firewall
April 2022, Version: 19.0v1
In this chapter you will learn how to create an SSL site-to-site VPN between two Sophos Firewalls.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Methods offered by Sophos Firewall for connecting sites

DURATION: 5 minutes

SSL Site-to-Site VPN

Figure: the branch office Sophos Firewall (client for SSL VPN, at a site with a dynamic public IP address) initiates the connection to the head office Sophos Firewall (server for SSL VPN, at a site with a static public IP address).

SSL site-to-site VPNs use a client-server configuration in which each end of the tunnel has a distinct role. The client side always initiates the connection to the server, and the server always responds to client requests. This differs from IPsec, where normally either end can initiate. The roles also decide placement: the end with a static public address (or a stable DNS name) is the server, and a site behind a dynamic address is the client.

Device Access for SSL VPN

Device access is configured in: SYSTEM > Administration > Device access

Before creating any VPNs, ensure that SSL VPN is enabled for the zones from which VPN clients will connect to the Sophos Firewall. For site-to-site VPNs on the server firewall this will most likely be the WAN zone.
SSL VPN Global Settings

SSL VPNs are configured in: CONFIGURE > Site-to-Site VPN > SSL VPN

In the top-left of the page is a link to the SSL VPN global settings; check and configure these before you start creating VPNs.

SSL VPN settings apply to both site-to-site and remote access VPNs.

These settings apply to both site-to-site and remote access SSL VPNs, so consider both when making changes. Sophos Firewall uses port 8443 by default; if you are going to change this port, do so before you create any VPNs, because the port is written into the configuration files that clients import. Here you configure the network settings for SSL VPNs: the subnet for IP leases, DNS servers, and the domain name. The lease subnet must not overlap any network that will be reachable over a tunnel. You can also customize the cryptographic settings for the connection and choose whether to compress the traffic.

Creating an SSL VPN

The configuration of an SSL site-to-site VPN is done in three steps.

1. Configure the server. On the firewall that will act as the SSL VPN server, click Add in the 'Server' section. The server connection is configured with a name and the local and remote networks. You can optionally set a static IP address for the client rather than one from the address pool.

2. Download the configuration. Download the configuration file from the server connection. You can choose to encrypt the file so that a password is required to import it; do this whenever the file will travel by email or a shared drive, since it contains what the client needs to authenticate to the server.
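Because the lease subnet in the global settings is shared by every SSL VPN on the firewall, and each server connection declares its own local and remote networks, overlapping prefixes are the most common reason a freshly connected SSL site-to-site tunnel passes no traffic. The following is an added example, not Sophos code: it runs the address-plan checks a practitioner would do by hand before step 1 and step 2 above. The lease subnet and site networks are constructed sample values, and the dictionary layout is an assumption of this example, not a firewall export format.

```python
"""Added example, not Sophos code: sanity checks on an SSL site-to-site plan.

The SSL VPN global settings define one lease subnet for every SSL VPN on the
firewall; each server connection names its local and remote networks. This
flags (1) any network that overlaps the lease subnet, (2) a local network that
overlaps a remote one in the same connection, and (3) a remote network claimed
by two different client sites, which leaves the server with ambiguous routes.
All addresses are constructed sample values.
"""
import ipaddress
from typing import Dict, Iterable, List


def _nets(cidrs: Iterable[str]):
    # strict=True rejects host bits set in a prefix, e.g. 172.16.16.1/24
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_ssl_vpn_plan(lease_subnet: str, connections: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    connections maps a server-connection name to {"local": [cidr, ...], "remote": [cidr, ...]}.
    """
    problems: List[str] = []
    lease = ipaddress.ip_network(lease_subnet, strict=True)
    claimed = []   # (connection name, remote network) pairs already seen

    for name, nets in connections.items():
        local, remote = _nets(nets["local"]), _nets(nets["remote"])

        for n in local + remote:
            if n.overlaps(lease):
                problems.append(f"{name}: {n} overlaps the SSL VPN lease subnet {lease}")

        for l in local:
            for r in remote:
                if l.overlaps(r):
                    problems.append(f"{name}: local {l} overlaps remote {r}")

        for r in remote:
            for other_name, o in claimed:
                if r.overlaps(o):
                    problems.append(f"{name}: remote {r} overlaps {o} already routed to {other_name}")
            claimed.append((name, r))

    return problems


# Constructed sample: one shared lease pool and two branch connections on the server firewall.
LEASE = "10.81.234.0/24"
GOOD_PLAN = {
    "branch-north": {"local": ["172.16.16.0/24"], "remote": ["172.20.77.0/24"]},
}
BAD_PLAN = {
    "branch-north": {"local": ["172.16.16.0/24"], "remote": ["172.20.77.0/24"]},
    "branch-south": {"local": ["172.16.16.0/24"],
                     "remote": ["10.81.234.0/25", "172.20.77.0/24"]},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_ssl_vpn_plan(LEASE, plan) or "ok")
```

The bad plan produces two findings: branch-south's first remote network sits inside the lease pool, and its second is the same prefix branch-north already owns. Run the check again after any change to the global settings, since changing the lease subnet there affects every connection at once.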
3. Upload on the client. On the client Sophos Firewall, click Add in the 'Client' section. Give the connection a name and upload the configuration file. If necessary you can override the hostname of the server Sophos Firewall; this can be a static or dynamic DNS name or an IP address. You can also optionally define an HTTP proxy server.

Once connected, the VPN is shown on both the server and the client. Sophos Firewall automatically creates the routes and firewall rules required for traffic to flow between the networks defined in the connection; review the generated rules before relying on them, as you would any automatically created rule.

Simulation: Create an SSL Site-to-Site VPN

In this simulation you will create an SSL site-to-site VPN between two Sophos Firewalls.
https://training.sophos.com/fw/simulation/SslVpnS2s/1/start.html

Chapter Review

• SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs
• You need to enable SSL VPN device access for the zones the connections will arrive from
• You configure the connection on the server Sophos Firewall, then upload the configuration file to the client Sophos Firewall
Getting Started with Remote Ethernet Devices on Sophos Firewall

Sophos Firewall FW3035: Getting Started with Remote Ethernet Devices on Sophos Firewall
April 2022, Version: 19.0v1

In this chapter you will learn how to deploy a Remote Ethernet Device on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION: 9 minutes
RED Overview

• Plug and play branch office connectivity
• No technical expertise required on-site
• Creates a layer-2 tunnel to Sophos Firewall (TCP 3400 and UDP 3410)

Sophos Remote Ethernet Devices (REDs) provide a simple way to connect remote sites securely to a central network by creating a layer-2 tunnel. Installing the RED on-site requires no configuration or technical expertise: a small hardware RED device sits at the remote location, and all configuration for that device is done centrally on the Sophos Firewall. At the remote location the RED requires:
• A power connection
• A network connection
• A DHCP server to provide an IP address, DNS server, and default gateway
• Ports 3400 TCP and 3410 UDP open on the local firewall; the RED initiates the tunnel toward the Sophos Firewall, so the remote site only needs outbound access on these ports

RED Deployment

RED provisioning service: red.astaro.com

1. Configure the RED on the Sophos Firewall. You provide the publicly resolvable hostname the RED will connect to, the IP address and netmask of the RED interface that will be created on the Sophos Firewall, and the 15-character RED ID printed on the sticker on the base of the RED, which ties the configuration to that device.
2. The Sophos Firewall sends the configuration to the cloud-based provisioning server.
3. The RED is plugged in at the remote office.
4. The RED obtains an IP address, DNS server, and gateway from the local DHCP server.
5. The RED connects to the provisioning server with its ID.
6. The provisioning server returns the configuration the RED needs to connect to the Sophos Firewall at the central office.
7. The RED establishes a layer-2 tunnel to the Sophos Firewall over TCP port 3400 and UDP port 3410. The provisioning server is not used again from this point.

RED Deployment Modes

Standard/Unified: the Sophos Firewall is the default gateway and DHCP server for the remote network; all traffic is routed over the RED tunnel.
Standard/Split: the Sophos Firewall is the default gateway and DHCP server; only traffic to defined networks is routed over the RED tunnel, and everything else goes directly to the Internet.
Transparent/Split: the remote network keeps its own default gateway and DHCP server, and the RED interface is a DHCP client on it; only traffic to defined networks is routed over the RED tunnel.

REDs can be deployed in three modes. In Standard/Unified mode the remote network is managed by the Sophos Firewall, which serves as the DHCP server and default gateway for all clients connecting through the RED. All traffic generated on the remote network is sent through the RED to the Sophos Firewall.

In Standard/Split mode the Sophos Firewall still manages the remote network, acting as the DHCP server and default gateway. However, only traffic to the defined networks is sent through the RED to the Sophos Firewall; all other traffic is sent directly to the Internet.

In Transparent/Split mode the Sophos Firewall does not manage the remote network but is a member of it: the RED interface on the Sophos Firewall gets its IP address from a DHCP server running on the remote network. Only traffic to the defined networks is sent through the RED to the Sophos Firewall, and all other traffic is sent directly to the Internet. As this mode requires no re-addressing, it is an easy way to connect networks following an acquisition or similar.

In the Standard/Split and Transparent/Split modes, the Sophos Firewall provides no web filtering or other security for the remote clients' Internet-bound traffic, because that traffic never reaches the firewall. Note also that in every mode you still need to create firewall rules before computers on the remote network can interact with computers on the central office network.
Configuring RED in Different Deployment Modes

Setting                                                    Standard/Unified   Standard/Split   Transparent/Split
Zone for the RED interface on the Sophos Firewall          Yes                Yes              Yes
IP address for the RED interface on the Sophos Firewall    Static             Static           DHCP
DHCP server for the remote network                         Optional           Optional         No
Split networks (networks reached through the RED)          -                  Yes              Yes
Split DNS server (DNS server for the split networks)       -                  -                Yes
Split domains (domains reached through the RED)            -                  -                Yes
MAC address filtering                                      Optional           Optional         Optional
Tunnel compression                                         Optional           Optional         Optional

The configuration required when deploying REDs differs slightly between the modes, as summarised in this table. Both standard modes have similar configuration: you set the IP address of the RED interface on the Sophos Firewall statically and can optionally provide DHCP for the remote side of the tunnel. Standard/Split additionally requires you to define the networks whose traffic is routed over the RED tunnel, with all other traffic routed to the local Internet gateway. The transparent mode is the most different. The RED interface on the Sophos Firewall gets its IP address settings from a DHCP server on the remote side of the tunnel, and because the Sophos Firewall is not the default gateway for that network you must supply more split settings: in addition to the split networks, a DNS server for those networks and the split domains.

Simulation: Deploy a RED on Sophos Firewall

In this simulation you will deploy a Remote Ethernet Device (RED) on Sophos Firewall in standard/split mode.
https://training.sophos.com/fw/simulation/DeployRED/1/start.html
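The deployment modes above and the settings table differ in two ways that matter operationally: which settings a mode needs, and whether a given client destination at the remote site ever reaches the Sophos Firewall (and therefore its firewall rules and web filtering). The following is an added example, not Sophos code, that encodes both as checkable logic. The mode strings, setting keys and sample values are constructed for illustration and are not the firewall's configuration schema.

```python
"""Added example, not Sophos code: RED deployment modes as decision logic.

Two things from the chapter are modelled: which settings a RED configuration
needs in each deployment mode (the table), and whether a packet from a client
at the remote site travels over the RED tunnel or straight out the local
Internet connection. Mode names, setting keys and sample values are
constructed for this example.
"""
import ipaddress
from typing import Dict, List

MODES = ("standard/unified", "standard/split", "transparent/split")

# Settings that must be present per mode, from the table. The remote-network
# DHCP server is optional in the standard modes and not offered in transparent mode.
REQUIRED = {
    "standard/unified":  {"zone", "red_interface_ip"},
    "standard/split":    {"zone", "red_interface_ip", "split_networks"},
    "transparent/split": {"zone", "split_networks", "split_dns", "split_domains"},
}


def validate_red_config(mode: str, cfg: Dict) -> List[str]:
    """Return the problems with a RED configuration for the given mode (empty list = ok)."""
    if mode not in MODES:
        return [f"unknown mode {mode!r}"]
    problems = [f"{mode} requires {key}" for key in sorted(REQUIRED[mode]) if not cfg.get(key)]
    if mode == "transparent/split":
        if cfg.get("red_interface_ip"):
            problems.append("transparent/split: the RED interface address comes from the "
                            "remote DHCP server, not a static value")
        if cfg.get("remote_dhcp"):
            problems.append("transparent/split: Sophos Firewall must not run DHCP for the remote network")
    return problems


def red_path(mode: str, dst: str, split_networks: List[str]) -> str:
    """Where a packet from a remote-site client to dst goes: 'tunnel' or 'local-internet'."""
    if mode == "standard/unified":
        return "tunnel"          # the firewall is the default gateway for everything
    ip = ipaddress.ip_address(dst)
    for cidr in split_networks:
        if ip in ipaddress.ip_network(cidr):
            return "tunnel"
    return "local-internet"      # never reaches the firewall: no firewall rules or web filtering apply


# Constructed sample: a standard/split branch that reaches only the head-office LAN over the RED.
SPLIT_CFG = {
    "zone": "LAN",
    "red_interface_ip": "10.10.10.1/24",
    "split_networks": ["172.16.16.0/24"],
    "remote_dhcp": True,
}

if __name__ == "__main__":
    print(validate_red_config("standard/split", SPLIT_CFG) or "standard/split config ok")
    print(validate_red_config("transparent/split", SPLIT_CFG))
    for dst in ("172.16.16.20", "8.8.8.8"):
        print(dst, "->", red_path("standard/split", dst, SPLIT_CFG["split_networks"]))
```

Reusing the standard/split configuration for transparent/split fails four ways: the split DNS server and split domains are missing, the static interface address must go, and the firewall must stop serving DHCP. The path function makes the last paragraph of the previous slide concrete: in either split mode, a client's traffic to 8.8.8.8 leaves through the branch's own Internet connection and is never seen by the Sophos Firewall.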
SD-RED Models

There are two RED models, SD-RED 20 and SD-RED 60. The SD-RED hardware offers an optional second power supply for redundancy, and an expansion slot that can take a Wi-Fi or 4G module.

[Additional Information] https://community.sophos.com/xg-firewall/f/recommended-reads/119318/substituting-xg-for-red-devices-via-light-touch-deployment-from-sophos-central

SD-RED 20 vs SD-RED 60

PERFORMANCE
• Maximum throughput: SD-RED 20, 250 Mbps; SD-RED 60, 850 Mbps

CONNECTIVITY
• LAN interfaces: both models 4 x 10/100/1000 Base-TX (1 GbE copper)
• WAN interfaces: SD-RED 20, 1 x 10/100/1000 Base-TX (shared with SFP); SD-RED 60, 2 x 10/100/1000 Base-TX (WAN1 shared port with SFP)
• SFP interfaces: SD-RED 20, 1 x SFP fiber (shared port with WAN); SD-RED 60, 1 x SFP fiber (shared port with WAN1)
• PoE ports: SD-RED 20, none; SD-RED 60, 2 PoE ports (total power 30 W)

MODULARITY
• Expansion bays: 1 (for use with the optional Wi-Fi or 4G/LTE card)

REDUNDANCY
• Swappable components: optional second power supply

This table compares the SD-RED 20 and 60. The number of users is unlimited on both models, so the choice is driven by maximum throughput and the other features. The SD-RED 20 is designed for smaller sites with a maximum throughput of 250 Mbps, while the SD-RED 60 is intended for larger sites and reaches up to 850 Mbps. Both models have gigabit connections on the internal and external interfaces and support SFP fiber. The SD-RED 60 adds dual WAN ports and two power-over-Ethernet ports that can supply a total of up to 30 watts.
[Additional Information]
Datasheet: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-sd-red-ds.pdf
Optional Wi-Fi module: 802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5), dual-band capable, 2x2 MIMO, 2 antennas
Optional 3G/4G LTE module: Sierra Wireless MC7430/MC7455 card

Discontinued but Supported RED Models

                                RED 15         RED 15w        RED 50
Maximum users                   Unrestricted   Unrestricted   Unrestricted
Maximum throughput              90 Mbit/s      90 Mbit/s      360 Mbit/s
LAN ports                       4 x Gbit       4 x Gbit       4 x Gbit
WAN ports                       1 x Gbit       1 x Gbit       2 x Gbit
USB ports                       1              1              2
Configure VLANs on LAN ports    -              -              ✓
Built-in wireless access point  -              ✓              -
Hardware accelerated encryption and data compression: also listed in the original table, per-model support not shown here.

There are three discontinued models of RED that are still supported, starting with the RED 15, which is suitable for small sites. All three feature gigabit connections and at least one USB port that can be used to provide backup connectivity over UMTS. The RED 15w has all the features of the RED 15 and adds a built-in wireless access point. The RED 50 is designed for larger sites and includes advanced features:
• Two external ports that can be configured for load balancing or failover
• The ability to configure the internal ports in either switch mode or for VLANs
• Two USB ports

Chapter Review

Here are the three main things you learned in this chapter.
• RED requires DHCP, DNS, and ports TCP 3400 and UDP 3410
• RED can be deployed in three modes: standard/unified, standard/split, and transparent/split. Each deployment mode requires slightly different configuration
• There are two RED models, SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G module using the expansion bay
Getting Started with Sophos Firewall Authentication

Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW3515: Getting Started with Sophos Firewall Authentication, April 2022, Version: 19.0v1

Getting Started with Sophos Firewall Authentication - 1

In this chapter you will learn the types of users and groups that can be configured for Sophos Firewall and the methods that can be used for authentication.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Authentication methods that are supported by Sophos Firewall

DURATION
30 minutes
Authentication Methods

Sophos Firewall supports five main methods for authenticating users. In order of precedence, these are:
• Hotspot
• Clientless Users
• Single Sign-On (SSO)
    • Synchronized User Identity
    • Sophos Transparent Authentication Suite (STAS)
    • SSO Client
    • VPN
    • RADIUS
    • Web Authentication (NTLM and Kerberos)
• Authentication Agent
• Captive Portal

This is the order in which authentication is checked for users. Throughout the rest of this chapter, we will look at some of the most common forms of authentication in more detail.

Activity: Put the authentication methods in order of precedence
• Captive Portal
• Authentication Agent
• Hotspot
• Clientless Users
• Clientless Single Sign-On

Hotspots

A hotspot is a portal that controls network access for devices connecting to the network. Hotspots are typically used to provide guest Internet access in public areas. When you add an interface to a hotspot, all devices connecting through that interface must authenticate through the hotspot. Hotspots support a full suite of protection features and authentication methods. You can redirect users to a captive portal or sign-in page where users must accept terms of usage or authenticate themselves using a generated password or voucher.

Types of User
• Clientless users: authenticated by IP address; locally authenticated.
• Guest users: temporary users authenticated with a system-generated username and password; locally authenticated.
• Users: authenticate with a username and password; can be locally or externally authenticated.

Sophos Firewall has three types of user.
Clientless users do not authenticate using a username and password, but instead are identified purely by their IP address. Clientless users are always authenticated locally by the Sophos Firewall. Guest users are given temporary network access, usually to access the Internet. They authenticate with a username and password that are generated by the Sophos Firewall and are always authenticated locally. Standard users authenticate with a username and password. They can be authenticated locally by the Sophos Firewall or using an external authentication server such as Active Directory.

Creating Clientless Users

Clientless users are managed in: CONFIGURE > Authentication > Clientless users

Typically, you would use clientless users to control network access for servers or devices such as printers and VoIP phones. Here you can see an example of two printers being added as clientless users. You give the devices a name, specify the IP address and select which group they will be a member of. You then use the group in the firewall rules to control the network access the devices have. Clientless users can also be added in bulk by specifying a range of IP addresses and selecting the group they will be a member of. You can edit the details for each IP address after adding them.

Creating Guest Users

Guest users are managed in: CONFIGURE > Authentication > Guest users

You can create guest users either individually, shown on the left, or in bulk, shown on the right. There are two main options when creating guest users:
1. How long the credentials will be valid for
2. Whether the time will start as soon as the user is added or when the user first logs in

Using the Print option, you can print the credentials for multiple selected users. This is useful if someone will be providing these to visitors when they ask for access to the guest Wi-Fi, for example.
Creating Guest Users

All guest users are created with the same settings, which can be managed in CONFIGURE > Authentication > Guest user settings. Here you can set the group that the user will be added to and the password complexity. Optionally you can also integrate Sophos Firewall with an SMS gateway to allow guest users to register for their own access details. This can save significant time where there are large volumes of guest users, such as in hotels and airports.

Creating Local Users

Local users are managed in: CONFIGURE > Authentication > Users

Local users can also be added to Sophos Firewall. The user types are:
• User: End users who are connecting to the internet from behind the firewall.
• Administrator: Users who have access to firewall objects and settings as defined in an administration profile.

Policies can also be assigned, such as for internet access and VPN. Those specified at the user level take precedence over those specified at the group level.

Synchronized User Identity

Sophos Firewall gets the user ID from endpoints that are on an Active Directory domain automatically. Synchronized User Identity leverages the presence of Sophos on the Windows endpoints to provide transparent user authentication with the firewall by sharing the user's identity through the Security Heartbeat connection. This makes authentication seamless, without having to deploy additional agents onto domain controllers. Synchronized User Identity is enabled by default for all Windows endpoints that establish a Security Heartbeat with the Sophos Firewall.
Synchronized User Identity
1. Add an Active Directory authentication server on Sophos Firewall
2. Import groups from Active Directory into the Sophos Firewall
3. Enable the Active Directory server in the firewall authentication methods
4. Computers with a Security Heartbeat™ will synchronize the user details

For Synchronized User Identity to work, you will need to have added an Active Directory authentication server on the Sophos Firewall and imported the groups using the wizard. The Active Directory authentication server must be enabled as an authentication source for the firewall in CONFIGURE > Authentication > Services. With this done, all Windows endpoints with a heartbeat to the Sophos Firewall will be authenticated transparently.

Disabling Synchronized User Identity

Sophos Firewall
===============
(C) Copyright 2000-2020 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
For End User License Agreement - http://www.sophos.com/en-us/legal/sophos-enduser-license-agreement.aspx
NOTE: If not explicitly approved by Sophos support, any modifications done through this option will void your support.

XG135_XN02_SFOS 18.0.0# touch /content/no_userid
XG135_XN02_SFOS 18.0.0# service access_server:restart -ds nosync
200 OK
XG135_XN02_SFOS 18.0.0#

Synchronized User Identity will work by default if the prerequisites are satisfied; however, if you want to disable it, this can be done via the console by creating the file /content/no_userid. Removing this file will re-enable Synchronized User ID; however, you do need to restart the authentication service for this change to take effect.
Groups

Groups are managed in: CONFIGURE > Authentication > Groups

Now that we've looked at the different types of users, we'll look at groups. There are two types of groups: normal and clientless, named for their respective user types. A group is a collection of users with common policies and can be used to assign access to resources. The user will automatically inherit all the policies added to the group. Examples of policies that can be applied to groups include:
• Surfing Quota
• Access Time
• Network Traffic
• Traffic Shaping

These are configured in SYSTEM > Profiles. By default, users will inherit their assigned group's policies. To adjust a group's assigned policies, select a policy from the list of available policies while editing or creating a new group. You can also create a new policy directly from the group page.

Group Import from Active Directory

When using Active Directory as an authentication server, users will be created on Sophos Firewall and assigned to a group when they first successfully log in. To use Active Directory groups, use the import wizard, and users will be assigned to their associated Active Directory group. Please note that Sophos Firewall groups cannot be nested, and if a user is a member of multiple groups, they will be added to the first one they match on Sophos Firewall.
Web Authentication

If user authentication is only required for web filtering, Sophos Firewall can use a proxy challenge to authenticate Active Directory users with NTLM or Kerberos. Let's start by looking at what happens when an unknown user tries to visit a web page. There are two scenarios:
1. For transparent web filtering, Sophos Firewall will redirect to a URL served by the firewall and send an HTTP_AUTH challenge so that the browser responds with the credentials.
2. In direct proxy mode, Sophos Firewall can respond with a PROXY_AUTH challenge so that the browser responds with the user credentials.

In both cases the user is recorded against the IP address for future transactions.

[Additional Information]
Kerberos is more secure and has lower overheads than NTLM:
• NTLM requires an additional response round-trip between Sophos Firewall and the browser
• NTLM requires a lookup between Sophos Firewall and the domain controller for every authentication event

To avoid clients seeing a popup for authentication, we recommend configuring Sophos Firewall as an explicit proxy in the browser using the internal hostname of the firewall that is in the domain. The default proxy port is 3128, but this can be changed in PROTECT > Web > General settings.
Web Authentication

To use Active Directory SSO (NTLM and Kerberos) it must be enabled per zone on the Device Access page. With this option enabled, if you have an authentication server configured, AD SSO will be tried before the captive portal is displayed, and the browser can respond with Kerberos or NTLM. The Web authentication tab combines the AD SSO configuration and the captive portal behaviour and appearance settings. The page is laid out to follow the authentication flow:
• Try to authenticate the user using NTLM and/or Kerberos.
• If authentication fails, display the captive portal with this configuration.

Web Authentication

In the firewall rules, the option 'Use web authentication for unknown users' will try to authenticate the user using NTLM or Kerberos based on the configuration you have selected, and then fall back to using the captive portal.

Captive Portal

The Captive portal is a browser interface that requires users behind the firewall to authenticate when attempting to access a website. After authenticating, the user proceeds to the address or the firewall redirects the user to a specified URL. This shows the default appearance of the Captive portal, which uses port 8090. With the current configuration, once the user has logged in, another browser tab will open. Closing the page showing the successful login will cause the user to be signed out.

Captive Portal Behavior

The behavior of the captive portal can be customized, for example changing when a user is signed out.
While there is an option to never sign out a user logged in through the captive portal, this is not recommended.

Captive Portal Appearance

As shown, it is also possible to customize the appearance and contents of the captive portal. For example, you can change the logo and custom button text. The new appearance can be previewed before the changes are applied.

Per Connection Authentication

Sophos Firewall can authenticate multiple different users coming from the same source IP address when their proxy settings are configured to use the Sophos Firewall as an explicit proxy. This is ideal for terminal servers, Windows remote desktop, or direct access systems. To use the multi-host client, you need to:
• Add an Active Directory authentication server
• Enable AD SSO (NTLM and Kerberos web authentication) for the zone where the multi-user server is located
• Create a firewall rule to match and allow the traffic from the multi-user server
• Add your multi-user servers in Authentication > Web authentication

Authentication Demo

In this demo you will see how to configure per connection authentication for multi-user servers.
https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7
Sophos Transparent Authentication Suite (STAS)
• Uses an agent installed onto domain controllers
• Requires one STAS installation serving each domain controller
• Provides SSO without a client on the endpoints
• Supports IPv4 only

How STAS works:
1. Lucy Fox logs into the domain from a computer with the IP address 10.1.1.1
2. The domain controller writes the login details to the event log with ID 4768
3. STAS notifies the Sophos Firewall of the login on port 6060
4. Sophos Firewall logs in Lucy Fox and maps traffic from 10.1.1.1 to the user

The Sophos Transparent Authentication Suite, or STAS, provides transparent SSO authentication for users without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory domain controller or a member server that monitors and stores authentication activity and sends authentication information to Sophos Firewall. There must be a STAS installation serving every domain controller to ensure that all logon events can be monitored. It is important to note that the STAS software only works with Microsoft Active Directory, and only works with IPv4. Please note that the SSO Client cannot be used when STAS is enabled on the Sophos Firewall.

Let's have a look at how STAS works. The user Lucy Fox logs into the domain on a computer that has the IP address 10.1.1.1. The domain controller writes the login details to the security event log with ID 4768. This includes the IP address of the computer and the name of the user that logged in. STAS monitors the event logs for login events. When a login event is detected, STAS records the details. As STAS is monitoring the event logs, you need to ensure that successful logon events are being audited in the Local Security Policy. STAS notifies Sophos Firewall of the login and supplies the details recorded from the event log; this is done on port 6060.
Sophos Firewall updates the live users, mapping the traffic from 10.1.1.1 to the user Lucy Fox.

Installing the STAS Software
• Download from the WebAdmin: CONFIGURE > Authentication > Client downloads
• One installation per domain controller
• Either on the domain controller or on a member server

To get started with STAS, download the software from the WebAdmin at CONFIGURE > Authentication > Client downloads and install it on all Active Directory domain controllers, or on a member server for each domain controller. During the installation you can choose to install just the Collector or the Agent component of STAS, or both. There may be benefits to installing individual components in larger and more complex environments. STAS also needs to be configured with a user that will be used to run the service. The user must have the right to log on as a service and must be able to monitor the Security event log.

[Additional Information]
The service account should be added to the Backup Operators and Event Log Readers groups in AD, and to the local Administrators group on endpoints (this can be done via a group policy and is required for WMI logoff detection to work). The account should also be granted 'Logon as a service' permission on the domain controller, and full NTFS permission on the STAS folder.

Configure the STAS Software

Once installed, the STAS software needs to be configured. On the 'General' tab, configure the domain that STAS will be monitoring login events for. On the 'STA Agent' tab, configure the networks for which logon events will be monitored. Here you can see we are monitoring logon events for the 172.16.16.0/24 network.
If a user logs in from another network, 10.1.1.0/24 for example, this login will not be forwarded to the Sophos Firewall. If STAS is being installed on a member server instead of a domain controller, you need to specify the IP address of the domain controller here.

Configure the STAS Software

The IP address of the Sophos Firewall needs to be added to the 'Sophos Appliances' section of STAS; if you have more than one firewall, add each of them. Workstation polling can be configured to use either WMI (this is the default option) or registry read access. This is used to determine the currently logged on user when a computer is not found in the live users table. STAS can also be configured to detect when users log off. This can be done using the same method as workstation polling (which is the default option) or PING.

Configure STAS on Sophos Firewall

STAS is configured in: CONFIGURE > Authentication > STAS

Once the STAS software is installed and configured, STAS needs to be enabled on the Sophos Firewall, which is done in CONFIGURE > Authentication > STAS. You can configure how long Sophos Firewall will try to probe for the identity, and whether access should be limited while it tries to confirm the user's identity. You can also optionally enable and configure user inactivity handling, by setting the inactivity timer and data transfer threshold.

Configure STAS on Sophos Firewall

For every server you installed STAS on, you must add the IP address as a collector on the Sophos Firewall. If you are installing the full STA suite for each domain controller, you should put each collector in its own group.
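As an added example (this is not Sophos code and not how STAS or Sophos Firewall is implemented), the following Python models the two halves of the flow just described: the STA Agent filter that forwards only event ID 4768 logons from IPv4 hosts inside a monitored network, and a live-users table on the firewall side that maps an IP address to a user and applies an inactivity timer and data transfer threshold. The same IP-to-user record is what the web authentication section means when it says the user is recorded against the IP address for future transactions. The event records, addresses, user names, the 300 second timer and the 1000 byte threshold are constructed values for the example.

```python
"""Added example (not Sophos code): STA Agent filtering and a live-users table."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of Security event log records as the agent would read
# them. Fields are simplified; this is not the real Windows event schema.
SAMPLE_EVENTS = [
    {"event_id": 4768, "user": "lucy.fox", "ip": "172.16.16.25"},
    {"event_id": 4768, "user": "bob.ross", "ip": "10.1.1.7"},      # outside the monitored network
    {"event_id": 4768, "user": "svc-backup", "ip": "fd00::25"},    # IPv6: STAS is IPv4 only
    {"event_id": 4624, "user": "lucy.fox", "ip": "172.16.16.25"},  # not the 4768 logon event
]

# Networks configured on the STA Agent tab (the page's 172.16.16.0/24 example).
MONITORED_NETWORKS = [ipaddress.ip_network("172.16.16.0/24")]


def agent_filter(events, networks=MONITORED_NETWORKS):
    """Keep only event ID 4768 logons from IPv4 hosts inside a monitored network.
    Returns the (user, ip) pairs the agent would forward to the collector."""
    forwarded = []
    for ev in events:
        if ev["event_id"] != 4768:
            continue
        try:
            addr = ipaddress.ip_address(ev["ip"])
        except ValueError:
            continue  # malformed address in the record: do not forward it
        if addr.version != 4 or not any(addr in net for net in networks):
            continue
        forwarded.append((ev["user"], str(addr)))
    return forwarded


@dataclass
class LiveEntry:
    user: str
    login_at: float
    traffic: list = field(default_factory=list)  # (timestamp, bytes) samples


class LiveUsers:
    """IP-to-user table with inactivity handling: a user whose traffic over the
    last `inactivity_timer` seconds stays below `data_threshold` bytes is
    signed out. Timestamps are plain seconds; any monotonic clock will do."""

    def __init__(self, inactivity_timer, data_threshold):
        self.inactivity_timer = inactivity_timer
        self.data_threshold = data_threshold
        self.table = {}  # ip -> LiveEntry

    def login(self, user, ip, now):
        # A new logon from the same IP replaces any earlier mapping.
        self.table[ip] = LiveEntry(user=user, login_at=now)

    def record_traffic(self, ip, nbytes, now):
        entry = self.table.get(ip)
        if entry is not None:
            entry.traffic.append((now, nbytes))

    def lookup(self, ip):
        """User whose policy applies to this IP, or None if it is not a live user."""
        entry = self.table.get(ip)
        return entry.user if entry else None

    def expire(self, now):
        """Sign out inactive users and return the IPs that were removed."""
        removed = []
        for ip, entry in list(self.table.items()):
            if now - entry.login_at < self.inactivity_timer:
                continue  # a fresh logon gets one full window before it is judged
            window_start = now - self.inactivity_timer
            recent = sum(b for ts, b in entry.traffic if ts > window_start)
            if recent < self.data_threshold:
                removed.append(ip)
                del self.table[ip]
        return removed


def demo():
    """Walk the page's flow: the agent filters logons, the firewall maps IPs."""
    live = LiveUsers(inactivity_timer=300, data_threshold=1000)
    for user, ip in agent_filter(SAMPLE_EVENTS):
        live.login(user, ip, now=0)
    live.record_traffic("172.16.16.25", 1500, now=100)
    return live


if __name__ == "__main__":
    live = demo()
    print("172.16.16.25 ->", live.lookup("172.16.16.25"))
    print("expired at t=500:", live.expire(now=500))
```

Only Lucy Fox's logon survives the agent filter: the 10.1.1.7 logon is outside the monitored network, the IPv6 record is unsupported, and event 4624 is not the 4768 event STAS keys on. Her entry stays live while the last 300 seconds contain at least 1000 bytes and is dropped once that window empties.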
Using collector groups is beyond the scope of this chapter.

Simulation: Configure Single Sign-On Using STAS on Sophos Firewall

In this simulation you will configure single sign-on using the Sophos Transparent Authentication Suite (STAS) on Sophos Firewall. You will then test your configuration.
https://training.sophos.com/fw/simulation/STAS/1/start.html

Authentication Agent
• Agent and certificate need to be installed
• The user sets their credentials
• The agent authenticates the user

Another method for authenticating with the Sophos Firewall is to use an agent on each endpoint. You can download agents for Windows, Mac and Linux, and then need to install the agent and certificate on the computer. The user sets the credentials for authentication, and then the agent will authenticate with the Sophos Firewall. The agent also shares MAC address telemetry with the Sophos Firewall, which allows MAC address restrictions to be used.

Chromebook Single Sign-On (SSO)
1. Deploy Extension: the Chrome extension needs to be pushed to devices from Google G Suite.
2. Active Directory Server: Sophos Firewall needs to be configured with an Active Directory server that is synchronized with G Suite, and Chromebook SSO enabled.
3. Chromebook Authentication: the Chromebook extension shares the user ID with Sophos Firewall.

Chromebooks are increasingly popular in education and some corporate environments, but they create a unique set of challenges for user identification with network firewalls. Sophos Firewall provides a Chromebook extension that shares Chromebook user IDs with the firewall to enable full user-based policy enforcement and reporting. Prerequisites include an on-premise Active Directory server synced to Google G Suite. The Chrome extension is pushed from the G Suite admin console, providing easy and seamless deployment that is transparent to users.

Chromebook Single Sign-On (SSO)

Chromebook SSO is configured in: CONFIGURE > Authentication > Services
• Domain: the domain name as registered with G Suite
• Port: the port number Chromebooks connect to from the LAN or Wi-Fi
• Certificate: the certificate used for communication with the Chromebooks. The certificate CN must match the zone/network where the Chromebook users are, for example: xg.sophostraining.xyz

Chromebook SSO must be enabled in CONFIGURE > Authentication > Services. To do this it is necessary to provide your domain that is registered with G Suite, and the certificate used to communicate with the Chromebooks. The common name must match the network where the Chromebook users are. A couple of things to remember:
• You will need to enable the Chromebook SSO service in device access for the zones where the devices are located.
• You will also need to create a firewall rule that allows the Chromebooks to access the Google API and Chrome Web Store.
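The G Suite side of this setup (covered next) takes a JSON configuration for the Sophos Chromebook User ID app, and the chapter's notes warn that each member must carry its setting under an uppercase "Value" key or the extension will not work. As an added example that is not Sophos code, the following Python checks such a file before it is uploaded: it reports a lowercase "value", a missing member, a wrongly typed or out-of-range port, and a non-positive idle interval. The expected member names and types are taken from the sample in the notes; the broken sample configuration is constructed for the example, and the good sample reuses the notes' own values.

```python
"""Added example (not Sophos code): pre-upload check of the Chromebook app JSON."""
import json

# Expected members and the type of each member's "Value", taken from the
# sample configuration in this chapter's notes.
EXPECTED = {
    "serverAddress": str,
    "serverPort": int,
    "logLevel": int,
    "logoutOnLockscreen": bool,
    "logoutOnIdle": bool,
    "idleInterval": int,
}


def _value(cfg, key):
    """Return cfg[key]["Value"] when that member exists, else None."""
    member = cfg.get(key)
    if isinstance(member, dict):
        return member.get("Value")
    return None


def validate_chromebook_config(text):
    """Return a list of problems; an empty list means the JSON is usable."""
    problems = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    for key, expected_type in EXPECTED.items():
        if key not in cfg:
            problems.append(f"missing key {key}")
            continue
        member = cfg[key]
        if not isinstance(member, dict):
            problems.append(f"{key}: must be an object with a 'Value' member")
            continue
        if "Value" not in member:
            if "value" in member:  # the mistake the notes warn about
                problems.append(f"{key}: key must be 'Value' (uppercase V), found 'value'")
            else:
                problems.append(f"{key}: missing 'Value' member")
            continue
        val = member["Value"]
        # bool is a subclass of int in Python, so true/false must not pass as an int.
        wrong_type = (not isinstance(val, expected_type)
                      or (expected_type is int and isinstance(val, bool)))
        if wrong_type:
            problems.append(f"{key}.Value: expected {expected_type.__name__}, "
                            f"got {type(val).__name__}")

    # Range checks, applied only where the value already has the right type.
    port = _value(cfg, "serverPort")
    if isinstance(port, int) and not isinstance(port, bool) and not 1 <= port <= 65535:
        problems.append("serverPort.Value: must be 1-65535")
    idle = _value(cfg, "idleInterval")
    if isinstance(idle, int) and not isinstance(idle, bool) and idle <= 0:
        problems.append("idleInterval.Value: must be a positive number of seconds")
    addr = _value(cfg, "serverAddress")
    if isinstance(addr, str) and not addr.strip():
        problems.append("serverAddress.Value: must not be empty")
    return problems


# Values from the sample configuration in the chapter notes.
GOOD_CONFIG = json.dumps({
    "serverAddress": {"Value": "10.8.19.132"},
    "serverPort": {"Value": 65123},
    "logLevel": {"Value": 2},
    "logoutOnLockscreen": {"Value": True},
    "logoutOnIdle": {"Value": True},
    "idleInterval": {"Value": 900},
})

# Constructed broken variant: lowercase "value", port given as a string,
# and idleInterval left out.
BAD_CONFIG = """{
  "serverAddress": { "value": "10.8.19.132" },
  "serverPort": { "Value": "65123" },
  "logLevel": { "Value": 2 },
  "logoutOnLockscreen": { "Value": true },
  "logoutOnIdle": { "Value": true }
}"""

if __name__ == "__main__":
    print("good:", validate_chromebook_config(GOOD_CONFIG))
    print("bad:", validate_chromebook_config(BAD_CONFIG))
```

Run it against the file you are about to upload; an empty list means every expected member is present, uses the uppercase "Value" key, and carries a value of the right type and range.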
G Suite Configuration
• Navigate to App Management
• Search for and open Sophos Chromebook User ID
• Upload the configuration (sample in the notes)

Only required where the Sophos Firewall uses a self-signed certificate:
• Navigate to Device Management > Networks
• Upload the CA certificate from the Sophos Firewall (select Use this certificate as an HTTPS certificate authority)

To configure the Chromebook app in G Suite, you need to navigate to App Management, and then search for and open the Sophos Chromebook User ID app. Here you will need to upload the configuration as a JSON file that includes the server address, port and log settings. If the Sophos Firewall is using a self-signed certificate, you will also need to upload the CA certificate in Device Management > Networks, selecting the option Use this certificate as an HTTPS certificate authority.

[Additional Information]
Example JSON configuration for the G Suite app. Note: the uppercase Value is important, otherwise it won't work.

{
  "serverAddress": { "Value": "10.8.19.132" },
  "serverPort": { "Value": 65123 },
  "logLevel": { "Value": 2 },
  "logoutOnLockscreen": { "Value": true },
  "logoutOnIdle": { "Value": true },
  "idleInterval": { "Value": 900 }
}

Simulation: Configuring User Policies

In this simulation you will configure firewall rules to match based on user identity on Sophos Firewall.
https://training.sophos.com/fw/simulation/UserPolicies/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.
• Sophos Firewall has three types of user. Clientless users are identified by their IP address. Guest users are given temporary network access. Standard users provide a username and password to authenticate locally or using an external server such as Active Directory.
• Synchronized User Identity provides transparent user authentication by sharing the user's identity through the Security Heartbeat connection. This is enabled by default for all Windows endpoints that establish a Security Heartbeat with the firewall.
• Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The Sophos Transparent Authentication Suite provides transparent SSO authentication for users without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory domain controller.

Introducing Authentication on Sophos Firewall

Sophos Firewall Version: 19.5v1

[Additional Information]
Sophos Firewall FW3505: Introducing Authentication on Sophos Firewall, November 2022, Version: 19.5v1

Introducing Authentication on Sophos Firewall - 1

In this chapter you will learn how authentication provides granular controls to many of Sophos Firewall's functions and can be performed locally or using an external server.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing the Sophos Firewall using the WebAdmin

DURATION
7 minutes

Authentication Overview

Leveraging the Sophos Firewall's authentication capabilities provides the opportunity to control access to network resources, filter websites, route traffic, control applications and more. You can also get detailed reporting on user activity and identify high-risk users.

Local Authentication
• Users can be created manually or imported using a CSV file
• Choose between user and administrator
• Users inherit policies from the groups they are assigned to
• Best suited to small organizations

Authentication can be done locally on the Sophos Firewall, although it is more commonly configured to use external authentication sources.
You can add users to the Sophos Firewall manually or import via a CSV, and these can be either users or administrators. The difference is that administrators have a profile associated to them that controls their administrative access to the Sophos Firewall. Users can be manually assigned to a group and will inherit policy settings that can be overridden per-user. Local authentication is best suited to smaller organizations that do not have an existing directory service in place, or when guest users need access in authentication-enabled networks. Introducing Authentication on Sophos Firewall - 4 Authentication Servers Supported authentication servers • Active Directory • eDirectory • OpenLDAP • RADIUS • Apple Directory • TACACS+ • Other standard LDAP directories • LDAP/S • Azure AD SSO (admin web console only) Sophos Firewall can also be configured to authenticate with external servers such as: • Active Directory • Novell eDirectory • RADIUS Server • TACACS+ • LDAP / LDAPS Using LDAP or LDAPS, Sophos Firewall can authenticate using OpenLDAP, Apple Directory or any other standard LDAP directory. Sophos Firewall can be configured to authenticate administrators to the web console using Azure AD SSO. You cannot currently use this to authenticate users with the firewall. Introducing Authentication on Sophos Firewall - 5 Additional information in the notes Authentication Servers External authentication server SOPHOS FIREWALL AZURE AD DIRECTORY SERVICES If you want to authenticate users with Sophos Firewall using Azure Active Directory as an external Active Directory authentication server, you need to use the Azure AD Directory Services functionality. You can find a guide on setting this up in the Sophos Community pages recommended reads. Note that Azure AD Directory Services is an additional charged service and is not included with Azure AD. 
[Additional Information]
Guide: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125872/sophos-xgfirewall-integrate-xg-firewall-with-azure-ad
Azure AD Domain Services: https://azure.microsoft.com/en-gb/pricing/details/active-directory-ds/

Where can Authentication be Used?

Authentication can be used in:
• Firewall Rules
• TLS Decryption Rules
• SD-WAN Policy Routes
• VPNs
• Web Policies
• Wireless Networks
• Web Server Authentication
• User Portal
• WebAdmin

Firewall Rules

Enable ‘Match known users’ to control network access based on user identity. Enable ‘Exclude this user activity from data accounting’ if this traffic should not count towards quotas.

Within firewall rules you can enable the option to ‘Match known users’, and select the users and groups that you want to match on. This makes the firewall rule a user rule instead of a network rule. If the Sophos Firewall is unable to match the user’s identity you can choose to enable web authentication, which can then further fall back to displaying the captive portal. If the firewall rule is for business applications, such as Office 365, you can choose to exclude the traffic from data accounting, which means that it will not count towards any quotas you have configured.

TLS Decryption Rules

Select users and groups as part of the source matching in TLS decryption rules.

TLS decryption rules can be matched on user identity. This allows you to customize decryption per user or group, for example setting specific decryption rules and standards for a department such as finance.
SD-WAN Policy Routes

SD-WAN policy routes allow you to select traffic based on various properties, including users and groups, to determine which gateway it should be routed to.

Remote Access VPNs

Select the users and groups that can connect to the VPN.

Remote access VPNs allow you to control who can connect to and log in to the network. First the authentication source needs to be selected in the authentication services, then the users and groups need to be selected in the VPN configuration.

Web Policies

Apply web filtering rules to users and groups.

Within web policies you can create rules that apply to specific users and groups. This allows you to build a single policy of rules that you can then apply to web traffic.

Wireless Networks

Wireless protection on Sophos Firewall supports WPA and WPA2 Enterprise security, which can use a RADIUS authentication server to control access to wireless networks.
Web Server Authentication

Protect access to web resources with user authentication.

You can protect access to web servers by forcing users to authenticate before the connection even reaches the destination server. This means that attackers cannot try to exploit the web server, as they do not have access to it.

User Portal

The user portal lets users:
• Download the authentication client and SPX plug-in
• Download VPN clients and configuration
• Manage their email quarantine
• Review their Internet usage

The user portal allows users to manage their own quarantine, password and Internet usage, as well as download VPN and authentication clients. The User Portal is accessed using HTTPS to the IP address of the firewall. By default, the user portal is only available to clients connecting from the LAN zone, but it can also be enabled for other zones. Please note that the port for the user portal can be changed in SYSTEM > Administration > Admin settings.

WebAdmin

Allow users to log in and manage the Sophos Firewall.

Users can be configured as either a user or an administrator. If they are an administrator, then they can log in to the WebAdmin and manage the Sophos Firewall based on the profile that is applied to their account.

Chapter Review

Here are the three main things you learned in this chapter:
• Sophos Firewall’s authentication capabilities provide the opportunity to control access to network resources, filter websites, route traffic, control applications and more. You can also get detailed reporting on user activity and identify high-risk users.
• Authentication can be done locally on the Sophos Firewall or, more commonly, configured to use external servers such as Active Directory, Novell eDirectory, RADIUS Server, TACACS+ and LDAP / LDAPS.
• You can add users to the Sophos Firewall manually or import them via a CSV file, and these can be either users or administrators.

Configuring Authentication Servers and Services on Sophos Firewall

Sophos Firewall FW3510: Configuring Authentication Servers and Services on Sophos Firewall
April 2022
Version: 19.0v1
Configuring Authentication Servers and Services

In this chapter you will learn how external authentication servers can be added in Sophos Firewall and configured for service authentication.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Authentication methods that are supported by Sophos Firewall
✓ How authentication can be used to provide granular controls to Sophos Firewall’s functions

DURATION: 16 minutes

Authentication Servers

Sophos Firewall can be configured to authenticate using external servers. This is beneficial if the organization already has a directory service in place, as it allows the organization to leverage the user information it already has. Sophos Firewall supports directory services such as:
• Active Directory
• Novell eDirectory
• RADIUS Server
• TACACS+
• LDAP / LDAPS

Add a Server

To add an authentication server, navigate to CONFIGURE > Authentication > Servers and click Add.
• Enter a name.
• Select a server type (LDAP server, Active Directory server, RADIUS server, TACACS+ server or eDirectory server) and specify the settings.
• Click Test connection to validate the user credentials and check the connection to the server.
Use the link in the student notes to find out more about authentication servers and how to add them. We will look at two examples in this chapter.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/enus/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/index.html

Active Directory Server

One or more search queries are required.

To use Synchronized User Identity, an Active Directory authentication server must be configured on the Sophos Firewall, so we will use adding an Active Directory server as our first example. In addition to the settings that configure the connectivity to the server, one or more search queries are required to define where the users are located. Once configured, the firewall can use the server to query user and resource information on the Windows domain network.

The Test connection button allows the firewall to perform a sample query against the AD server. In this example, Test connection shows that there is connectivity with the AD server.

Group Import from Active Directory

When using Active Directory as an authentication server, users are created on Sophos Firewall and assigned to a group when they first successfully log in. To use Active Directory groups, run the import wizard before the users log in, and they will be assigned to their associated Active Directory group. Please note that Sophos Firewall groups cannot be nested.

Import Group Wizard: Base DN for the Import

Select the Base DN from which groups will be imported. The Base DN is the starting point for the search in the Active Directory domain. The list is populated from the ‘Search Queries’ configured for the server.
Import Group Wizard: Select the Groups to Import

The organizational units below SOPHOS.LOCAL are listed. One or more OUs can be selected, and the groups they contain are shown in the selected groups pane.

Import Group Wizard: Select Policies to Attach to the Groups

Common policies, such as ‘Surfing quota’ and ‘Access time’, can be selected and attached to the groups.

Imported Groups

On completion of the wizard the imported groups are shown in Sophos Firewall. When a user logs in they are automatically added to the firewall group that matches their Active Directory group. Please note that if a user is a member of multiple groups, they will be added to the first one they match in the group order on Sophos Firewall. The groups can be reordered as required.

Service Authentication

Authentication services are configured in CONFIGURE > Authentication > Services. By default, authentication for services is Local. Once authentication servers have been added, these can be enabled for:
• Firewall
• User portal
• VPN
• Administrator
• SSL VPN

In the example, an Active Directory server named DC has been added for Firewall authentication.

Enabled authentication servers are processed from top to bottom and can be reordered by dragging and dropping the servers in the list. In the example, the Active Directory server is now the primary authentication method. To simplify the configuration for services, you can optionally choose to set a service to be the same as the firewall authentication, so that it mirrors those settings and any changes you make to them.
Simulation: Add an Active Directory Authentication Server

In this simulation you add an Active Directory authentication server to Sophos Firewall and import groups.

[Additional Information]
https://training.sophos.com/fw/simulation/AddAdServer/1/start.html

RADIUS Authentication Server

For our second example we will look at RADIUS (Remote Authentication Dial In User Service). This is a protocol that allows network devices, such as routers, to authenticate users against a database, and it is used with Sophos Firewall wireless protection. Passwords are encrypted using the RADIUS shared secret. RADIUS also supports accounting, which is commonly used for billing and statistical purposes.

RADIUS Accounting

• Real-time data collection
• Data can be collected and stored at a central location
• Third-party products can be used to analyze accounting data

RADIUS accounting can be configured on the Sophos Firewall so that it sends accounting start and stop messages to a RADIUS server. This allows the RADIUS server to track network usage for auditing and billing purposes.
There are three main advantages to RADIUS accounting:
• Real-time data collection
• Accounting data can be collected and stored at a central location
• Third-party products can be used to analyze RADIUS accounting data to provide charge-back, performance, and exception reports

RADIUS Accounting Flow

[Diagram: a computer (10.1.1.1) signs in to the domain controller; the Sophos Firewall sends an Accounting Start Request to the RADIUS server; when the user logs off, the Sophos Firewall sends an Accounting Stop Request.]

Let’s look at how RADIUS accounting works. When a user logs into the network and communicates with the Sophos Firewall, the firewall sends an accounting start request packet to a configured RADIUS server along with the user’s login time. The RADIUS server then begins collecting accounting information for that user. When the user logs out from the domain, the Sophos Firewall sends an accounting stop request along with the user’s logout time. At this point, the RADIUS server stops recording accounting information for that user. If the Sophos Firewall reboots or is shut down, the accounting stop message is not sent.

Clients that are supported for RADIUS accounting are: Windows client, HTTP client, Linux client, Android, iOS, iOS HTTP client, Android HTTP client and API client.

RADIUS accounting can be very useful when working with third-party wireless controllers, as it provides a mechanism for logged-on users’ details to be passed to the Sophos Firewall, allowing single sign-on and accurate reporting.
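The Start/Stop exchange described above, as an added example that is not Sophos code: it builds RFC 2866 Accounting-Request packets with the MD5 Request Authenticator keyed by the shared secret, shows the server-side verification that drops packets from anyone who does not hold the secret, and pairs a Start with its Stop (or reports the session as still open when no Stop ever arrives, the reboot case the text mentions). The shared secret, the NAS address 10.1.1.254 and the session id are constructed values; 10.1.1.1 is the client from the diagram.

```python
import hashlib
import hmac
import socket
import struct
from typing import Dict, List, Optional

# RADIUS packet code (RFC 2866) and the attribute types used here (RFC 2865/2866/2869).
ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS = 1, 4, 8
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME, EVENT_TIMESTAMP = 40, 44, 46, 55
ACCT_START, ACCT_STOP = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, header included) Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def build_accounting_request(secret: bytes, identifier: int, status: int, user: str,
                             session_id: str, client_ip: str, nas_ip: str,
                             event_time: int, session_time: Optional[int] = None) -> bytes:
    """Build the Accounting-Request the firewall (the NAS) sends at login (Start) or logoff (Stop)."""
    attrs = (_attr(ACCT_STATUS_TYPE, struct.pack(">I", status))
             + _attr(USER_NAME, user.encode())
             + _attr(ACCT_SESSION_ID, session_id.encode())
             + _attr(FRAMED_IP_ADDRESS, socket.inet_aton(client_ip))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(EVENT_TIMESTAMP, struct.pack(">I", event_time)))  # login or logout time
    if status == ACCT_STOP and session_time is not None:
        attrs += _attr(ACCT_SESSION_TIME, struct.pack(">I", session_time))  # seconds of service
    header = struct.pack(">BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 s3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    # The secret itself is never transmitted; it only keys this integrity check.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a request whose authenticator does not match the shared secret is dropped."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Dict[int, List[bytes]]:
    """Walk the TLV attribute list; the same type may legitimately appear more than once."""
    attrs: Dict[int, List[bytes]] = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def session_report(start: bytes, stop: Optional[bytes]) -> Dict[str, object]:
    """Pair a Start with its Stop as an accounting backend would.

    A missing Stop (the firewall rebooted or was shut down) leaves the session open,
    which is exactly the gap an auditor or billing job has to notice."""
    s = parse_attributes(start)
    login = struct.unpack(">I", s[EVENT_TIMESTAMP][0])[0]
    report: Dict[str, object] = {"user": s[USER_NAME][0].decode(), "session": s[ACCT_SESSION_ID][0].decode(),
                                 "ip": socket.inet_ntoa(s[FRAMED_IP_ADDRESS][0]), "login": login}
    if stop is None:
        report.update({"logout": None, "duration": None, "open": True})
        return report
    e = parse_attributes(stop)
    if s[ACCT_SESSION_ID] != e[ACCT_SESSION_ID]:
        raise ValueError("Start/Stop session ids differ")
    logout = struct.unpack(">I", e[EVENT_TIMESTAMP][0])[0]
    report.update({"logout": logout, "duration": logout - login, "open": False})
    return report


if __name__ == "__main__":
    # Constructed sample values: secret, NAS (firewall) address, session id and timestamps.
    SECRET = b"example-shared-secret"
    start = build_accounting_request(SECRET, 1, ACCT_START, "alice", "sess-0001",
                                     "10.1.1.1", "10.1.1.254", 1650000000)
    stop = build_accounting_request(SECRET, 2, ACCT_STOP, "alice", "sess-0001",
                                    "10.1.1.1", "10.1.1.254", 1650003600, session_time=3600)
    print(verify_accounting_request(start, SECRET), verify_accounting_request(stop, SECRET))
    print(session_report(start, stop))
    print(session_report(start, None))  # what the server is left with after a firewall reboot
```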
Configuration

Fields on the RADIUS server form: server type, name for the server, IP address of the server, communication port, Enable Accounting, accounting port, shared secret and group name attribute.

To configure RADIUS with accounting, first configure the external RADIUS server in the Sophos Firewall: select RADIUS as the server type, give the server a name, and enter the IP address of the server and the port that will be used to communicate with the RADIUS server for authentication requests. A shared secret to secure the authentication requests and the group name attribute must also be entered. These steps configure a basic RADIUS server.

To enable RADIUS accounting, select the Enable Accounting checkbox and enter the port that corresponds with the accounting port configured on the RADIUS server. The RADIUS server should then be added to the Authentication server list for the required services.

Secure LDAP (LDAPS)

• SSL/TLS over port 636
• STARTTLS over port 389

As well as Active Directory, Sophos Firewall also supports native LDAP servers for authentication. Traditional LDAP works in plain text.
With Secure LDAP (also known as LDAPS), the communication can be encrypted via two techniques:
• SSL/TLS over port 636
• STARTTLS, which works over the standard LDAP port of 389

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/enus/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigureLDAP/index.html

Secure LDAP

CONFIGURE > Authentication > Servers > Add

STARTTLS
• Attempts to negotiate an encrypted connection
• Falls back to plain text using the plaintext port

SSL/TLS
• Enforces an encrypted connection

STARTTLS uses the plaintext port and will attempt to negotiate an encrypted connection. If this fails, it falls back to using plain text, so the bind credentials may cross the network unencrypted. SSL/TLS enforces the use of an encrypted connection.

Secure LDAP (LDAPS) Requirements

A client certificate is used to establish a secure connection. This shows an example of a certificate that has been issued to Sophos Firewall by the organization’s Active Directory CA. A requirement of the certificate is that the Enhanced Key Usage extension needs to include the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as an OID).

Secure LDAP: Method One, Certificate Signed by the Enterprise CA

[Diagram: the Sophos Firewall generates a key pair and SF-CSR; the CA server returns CA-CERT and SF-CERT; the LDAP server holds CA-CERT and LDAP-CERT.]

There are two methods that can be used to configure secure LDAP. The first is to sign a certificate for the Sophos Firewall using your trusted enterprise CA. To obtain a certificate signed by the enterprise CA:
1. Create a certificate signing request (SF-CSR) on the Sophos Firewall and request a certificate from the enterprise CA.
2. Import the CA certificate (CA-CERT) and the SF-CERT server certificate from the enterprise CA on the Sophos Firewall.
3. Select the SF-CERT certificate as the client certificate for the secure LDAP server.
4. The Sophos Firewall and LDAP server can now communicate securely.

This works because the LDAP server already trusts the enterprise CA that has signed the certificate for the Sophos Firewall. By importing the CA certificate on the Sophos Firewall, it can also validate and trust the certificate used by the LDAP server.

Create a CSR

Certificates > Add > Generate certificate signing request (CSR)

This shows an example of a certificate signing request created on Sophos Firewall.

Download or Copy the CSR

The CSR can be downloaded as a file or copied to the clipboard and then sent to the CA.

[Additional Information]
If you are using a Microsoft CA, you cannot sign a certificate without a template. The link below provides guidance if you see an error stating that the request contains no certificate template information.
https://www.vxav.fr/2020-02-18-how-to-sign-a-certificate-with-no-template-information-on-amicrosoft-ca/

Secure LDAP: Method Two, Certificate Signed by Sophos Firewall

[Diagram: the Sophos Firewall’s internal CA (SF-CA-CERT) issues SF-CERT; CA-CERT from the enterprise CA is imported on the Sophos Firewall; SF-CA-CERT is imported on the LDAP server, which holds CA-CERT and LDAP-CERT.]

The second method that can be used to configure secure LDAP is a certificate signed by the Sophos Firewall’s internal CA.
1. Create a certificate on the Sophos Firewall signed by the internal CA.
2. Import the CA certificate from the enterprise CA into the Sophos Firewall.
3. Import the certificate of the Sophos Firewall internal CA into the LDAP server.
4. Select the certificate created in the first step as the client certificate for the LDAP server on Sophos Firewall.
5. The Sophos Firewall and LDAP server can now communicate securely.

This works because the LDAP server now has the CA certificate of the Sophos Firewall to validate the certificate. By importing the CA certificate on the Sophos Firewall, it can also validate and trust the certificate used by the LDAP server.

Secure LDAP: Validate Server Certificate

In the example, the LDAP server has been configured with a client certificate. You can also choose whether the Sophos Firewall will validate the LDAP server’s certificate. If you have imported the CA certificate as recommended in both approaches described, then this should succeed if selected.

Chapter Review

Here are the three main things you learned in this chapter:
• Sophos Firewall can be configured to authenticate using external servers. To use Synchronized User Identity an Active Directory authentication server must be configured.
• Groups can be imported from Active Directory. When a user logs in they will be automatically added to the firewall group that matches their Active Directory group.
• By default, authentication for Services is Local. Once authentication servers have been added these can be enabled for services such as Firewall and User portal.
Configuring Azure AD SSO on Sophos Firewall

Sophos Firewall FW3511: Configuring Azure AD SSO on Sophos Firewall
November 2022
Version: 19.5v1

In this chapter you will learn how to configure Azure AD SSO to authenticate administrators on Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Add authentication servers and select them to authenticate users for firewall services
✓ Administering Azure AD

DURATION: 10 minutes

Azure AD SSO for Web Console Login

• Single username and password for administrators
• Dynamically manage administrators using roles and groups
• Uses OpenID Connect and OAuth 2.0
• Works with the Azure AD free tier

Sophos Firewall allows you to configure Azure AD single sign-on for administrators to log in to the web console. Using Azure AD for the administrator login allows administrators to have a single username and password for all the systems they need to access, and provides a single place where you can manage administrators’ access. The Azure AD capabilities utilized for this integration are part of the free tier of Azure AD, and our implementation takes advantage of OpenID Connect and OAuth 2.0 for optimal security.

Configuration Process

The configuration process can be broken down into eight steps, most of which are completed in Azure.
• Start by creating an app registration in Azure; this provides the basis for Sophos Firewall to communicate with Azure
• In the app registration, create a client secret that Sophos Firewall will use to authenticate
• Add an app role to the app registration; this will be used to manage access
• Add API permissions to the app registration; these are the permissions required for Sophos Firewall to authenticate the users
• Assign users to the app role
• On Sophos Firewall, add an Azure AD SSO authentication server
• Select the Azure AD SSO authentication server as an authentication source for administrators
• Add a redirect URI to the app registration on Azure so that users are redirected back to Sophos Firewall once they have authenticated

Create an App Registration on Azure

Let’s look at each of these steps in a little more detail. The configuration is done in Azure AD, and you start by creating a new app registration. Give the app registration a name and select the redirect URI type as ‘Web’. You will add the redirect URI later.

Create a New Client Secret for the App Registration

Once you navigate away from this page you can no longer copy the secret!

So that the Sophos Firewall can authenticate, you will need to create a new client secret. When you create the secret you can only copy the value once; as soon as you navigate away from the page you lose the ability to copy it. When you create the client secret you can choose how long it is valid for. We would recommend rotating the secret periodically for security.

Add an App Role to the App Registration

Create an app role in the app registration. This role will be used to assign a role on Sophos Firewall. You can create multiple roles that will determine the role the administrator logging in will get on Sophos Firewall. You can only assign one role to a user.
Add API Permissions to the App Registration

You will need to add permissions to the app registration so that Sophos Firewall can retrieve the information required as part of the login process. In addition to the default User.Read permission, add the User.Read.All and Group.Read.All Microsoft Graph permissions as Delegated permissions. Once you have added the permissions, use the Grant admin consent button. If you do not do this step, administrators will have an additional step to grant the permissions when logging in.

Assign Users to the App Role

Assign administrators to the app role so they are assigned the correct permissions when they authenticate.

Add an Azure AD SSO Authentication Server on Sophos Firewall

The next step is to configure Sophos Firewall. You need to add an Azure AD SSO authentication server and configure it with the details from the app registration you created in Azure. You will need to enter the ‘Application (client) ID’ and ‘Directory (tenant) ID’ from the Overview page of the app registration. You also need to enter the client secret you created. On this page you will find the ‘Web admin console URL’, which will need to be added as the redirect URI in Azure.

Further down the page you select the fallback user group. This is the group that will be assigned to the user if they do not match any other group. You also create a mapping between the app role you created in Azure and the roles on Sophos Firewall. Enter the value from the role you created in Azure and select the Sophos Firewall role.
Enable the Authentication Server for Administrator Logins

Once the authentication server has been created, you need to select it as an authentication method for Sophos Firewall administrators.

Add a Redirect URI to the App Registration on Azure

Back in Azure, you need to add the redirect URI from the Azure AD SSO authentication server on Sophos Firewall to the app registration.

Web Console Login with SSO Enabled

When SSO is configured on Sophos Firewall the login screen changes to give administrators the choice between using SSO or local credentials to log in. If they choose SSO they are redirected to the Azure login screen.

Simulation: Sophos Firewall Admin Azure SSO for Web Console

In this simulation you will configure single sign-on for administrators using Azure AD. Please complete this simulation. Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/AzureADAdminSSO/1/start.html

Chapter Review

Here are the three main things you learned in this chapter:
• Sophos Firewall allows you to configure Azure AD single sign-on for administrators to log in to the web console using the capabilities included in the free tier of Azure AD.
• You need to configure an app registration with a client secret, app role, API permissions, and redirect URI in Azure AD.
• On Sophos Firewall you need to add an authentication server using the app registration details from Azure. This page will provide the redirect URI to use in the app registration.
Enabling Multifactor Authentication on Sophos Firewall
Sophos Firewall FW3545: Enabling Multifactor Authentication on Sophos Firewall, April 2022, Version: 19.0v1

Enabling Multifactor Authentication on Sophos Firewall - 1
Enabling Multifactor Authentication on Sophos Firewall
In this chapter you will learn how to configure multi-factor authentication on Sophos Firewall and how this changes the way in which users authenticate.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring authentication and users on Sophos Firewall
DURATION 9 minutes

Enabling Multifactor Authentication on Sophos Firewall - 2
Multi-factor Authentication
Multi-factor authentication means that two pieces of information are required to log in:
• something you know, your password, and
• something you have, your token.
Sophos Firewall supports multi-factor authentication using one-time passwords. There are different types of one-time password. You can use either software tokens, such as the Sophos Authenticator App or the Sophos Intercept X App, which are available for Android and iOS, or hardware tokens, provided they conform to RFC 6238. Please note that RSA tokens are not supported.

Enabling Multifactor Authentication on Sophos Firewall - 3
One-Time Passwords
[Diagram: the user's token on the left and Sophos Firewall on the right, each holding the same key and reading the same synchronized time, and each running the token algorithm to produce the same sequence of six-digit codes.]
Let's look at how one-time passwords work. The user has a token that contains a key and gets the time from a synchronized clock. These are processed using the algorithm described in RFC 6238 (time-based one-time passwords) to produce the token code. Sophos Firewall needs to hold the same key and be synchronized to the same clock so that when it calculates the token code it arrives at the same number. To allow for variations in the time between the token and Sophos Firewall, it will by default accept the previous and next token code as valid.
This is the passcode offset step, and it can be changed in the settings.

Enabling Multifactor Authentication on Sophos Firewall - 4
Configuration
One-time passwords are configured in CONFIGURE > Authentication > Multi-factor Authentication. On this page you can optionally select which users need to use OTP, create software tokens for users, choose where Sophos Firewall will require OTP, and set the OTP timestep settings.
Multi-factor authentication is not enabled by default and must be turned on. This can be done for either all users or a selected set of users and groups. You can choose to have Sophos Firewall automatically generate a token secret (key) when users try to authenticate and do not yet have one. Secrets generated by Sophos Firewall can be used with software tokens; hardware tokens need to be added manually. Sophos Firewall can use multi-factor authentication to improve the security of the WebAdmin, the User Portal (including the Clientless VPN Portal), and SSL and IPsec remote access VPNs. You can also configure the global token settings. For example, if you are using a hardware token with a 60-second timestep you can configure that here, and you can set the passcode offset steps discussed on the previous slide.

Enabling Multifactor Authentication on Sophos Firewall - 5
Adding Tokens Manually
To add a token, you specify the secret, which is a 32-to-120-character hex string, and select which user to assign the token to. Optionally, the global timestep can be overridden for the token, which may be necessary if you are using a mixture of tokens.

Enabling Multifactor Authentication on Sophos Firewall - 6
Adding Tokens Automatically
Now let's look at how tokens can be automatically generated for users. Once a token is in use, the password the user enters becomes <User_Password><Generated_Password>, that is, their password with the current token code appended.
When a user logs in to the User Portal for the first time after one-time passwords have been enabled, Sophos Firewall generates and displays the information they need to configure a software token. In most cases this can be done automatically by scanning the QR code with an app such as the Sophos Authenticator App. Once the token is configured, the user clicks Proceed to login. The user is then presented with the User Portal login again; this time they log in with their password and append their current token code.

Enabling Multifactor Authentication on Sophos Firewall - 7
Sophos Authenticator App
This shows an example of the generated passcode in the Sophos Authenticator App, where the token is labelled training-user@C01001CP99YB30E.

Enabling Multifactor Authentication on Sophos Firewall - 8
Additional Token Settings
Here we can see a token for training-user that we will use to consider two scenarios. In the first scenario, the user has their token, but the login is failing. This can happen if the clocks of the token and Sophos Firewall are out of sync. To resolve this, you can enter the passcode the token is currently showing into the firewall, and it will compensate for the time difference.

Enabling Multifactor Authentication on Sophos Firewall - 9
Additional Token Settings
In the second scenario, the user is on the road but has dropped and broken the mobile phone that has the Sophos Authenticator App on it. They need to access the SSL VPN, but it is secured using OTP. If this happens, you can add additional codes to the token (for example, generate 10 one-time codes). These are a set of single-use codes that are automatically removed after they are used. They have to be sent to the user in some fashion, preferably through a secure channel, after they have been created, and they persist until they are used or an administrator removes them.
Enabling Multifactor Authentication on Sophos Firewall - 10
Simulation: Enable Multifactor Authentication
In this simulation you will enable multi-factor authentication on Sophos Firewall. You will then test your configuration.
[Additional Information] https://training.sophos.com/fw/simulation/MFA/1/start.html

Enabling Multifactor Authentication on Sophos Firewall - 11
Chapter Review
Sophos Firewall supports multi-factor authentication using one-time passwords. These can be either software tokens, such as the Sophos Authenticator, or hardware tokens if they conform to RFC 6238. Tokens can be automatically generated, so when a user logs in to the User Portal after one-time passwords have been enabled, the prompt to configure a software token is displayed; typically this is done by scanning the QR code with an app. Additional codes can be added to a user's token if the user does not have access to the OTP app. These are a set of single-use codes that are automatically removed after they are used.
Configuring Web Protection on Sophos Firewall
Sophos Firewall 4010: Configuring Web Protection on Sophos Firewall, November 2022, Version: 19.5v1

Configuring Web protection on Sophos Firewall- 1
Configuring Web Protection on Sophos Firewall
In this chapter you will learn how to create policies for web protection and TLS decryption and configure global settings for protection and an explicit proxy.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall provides web protection as a transparent or explicit proxy
DURATION 24 minutes
Configuring Web protection on Sophos Firewall- 2
Web Policies
Web policies can be used to control end users' web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos and text from appearing in Google, Yahoo and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting YouTube search results.
• Time quotas, which allow access to restricted websites, such as online shopping, for a limited period.
Policies include rules, which are used to:
• Define the type of usage to restrict. This can include user activities, categories, URL groups, file types and dynamic categories.
• Specify content filters to restrict web content that contains any terms in the keyword lists.
• Define the action to take when the firewall encounters HTTP traffic that matches the rule criteria.

Configuring Web protection on Sophos Firewall- 3
Creating and Editing Web Policies
This shows an example of a web policy. It has an ordered list of rules and a default action, in this case allow, that determines the behaviour if the traffic does not match any of the rules.

Configuring Web protection on Sophos Firewall- 4
Creating and Editing Web Policies
A rule is made up of: Users & Groups; User Activities, Dynamic Categories, Categories, URL Groups and File Types; Content Filter; Constraints; Action; and Status. Each web policy rule applies either to specific users and groups, or to anybody.
You define the activities, or types of web traffic, that are controlled by the rule, and you can optionally also apply a keyword content filter to the traffic. Each rule has an action, allow, warn, quota or block, and this can be overridden. A separate action is applied to HTTPS traffic. You can set time constraints for the rule; if no time constraints are selected, the rule is active all the time. Finally, you can enable and disable individual rules, which is especially useful when creating and testing new rules.

Configuring Web protection on Sophos Firewall- 5
Web Policies
Below the web policy rules are further options, some of which require the web proxy to be enforced. These are indicated with a notice: if these options are selected and the policy is used with the DPI engine, they will not be enforced. The available options are:
• Enforce SafeSearch in common search engines. This is done by modifying the request to enable the feature in the search engine, and requires decrypting the web traffic.
• Enforce YouTube restrictions, which is done in the same way as enforcing SafeSearch.
• Configure how much quota time users have per day.

Configuring Web protection on Sophos Firewall- 6
Advanced Settings
Advanced settings allow you to:
• Include this policy in logs and reports.
• Prevent the downloading of files greater than the size specified.
• Add an X-Forwarded-For header to pass on the IP address of the original HTTP request.
• Allow users to sign in to Google Apps, such as Gmail and Drive, only with the domains specified.
• Apply Microsoft Azure AD tenant restrictions.
Again, a notice indicates which settings require the web proxy to be enforced.

Configuring Web protection on Sophos Firewall- 7
User Activities
Let's look at the types of traffic you can select to control in the web policy rules, starting with User Activities.
User Activities are a way of grouping web categories, URL groups and file types into a single object to simplify management.

Configuring Web protection on Sophos Firewall- 8
Categories
Web categories are what most people think of when they think of web filtering. Sophos Firewall comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping policies to. You can also create custom web categories based on either local lists of domains and keywords or an external URL database.
[Additional Information] External URL databases can be hosted on either an HTTP or an FTP server. The database should be in one of the following formats: .tar, .gz, .bz, .bz2 or .txt. The database is checked every two hours for updates.

Configuring Web protection on Sophos Firewall- 9
URL Groups
URL groups are used to create a match list of domains for which the default configuration should not be applied. All subdomains of the entered domains are also matched. There are a couple of important default groups:
• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt traffic for.
• Managed TLS exclusion list, which is a Sophos-managed, read-only list of domains that are excluded from TLS decryption. On this page you can see the domains that are included, although you cannot edit or delete this group.

Configuring Web protection on Sophos Firewall- 10
File Types
Sophos Firewall can manage access to files through the web policy and comes with several groups of common file types defined by extension and MIME type. You can also create custom file types, which can use an existing group as a template to import already defined types.
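The following is an added example, not Sophos code, that models how the ordered rules of a web policy from slides 2 to 5 are evaluated against a request: each rule is limited to users or groups (or applies to anybody), matches on its activities (categories, URL groups including their subdomains as described on slide 9, and file types), can additionally require a keyword content filter hit, carries a separate action for HTTPS traffic, may be time-constrained, and can be disabled, with the policy's default action applied when no rule matches. The rule names, categories, group names and hosts in the sample policy are constructed for the example; the page does not define them.

```python
"""Added example, not Sophos code: a first-match evaluator that models how a
web policy's ordered rules are applied to a request.

The rule names, categories, group names and hosts below are constructed for
the example; the page does not define them.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

ALLOW, WARN, QUOTA, BLOCK = "allow", "warn", "quota", "block"


@dataclass
class Request:
    user: str
    groups: frozenset
    category: str
    host: str
    file_ext: str = ""
    https: bool = False
    page_text: str = ""   # empty unless the traffic was decrypted


@dataclass
class Rule:
    name: str
    action: str
    https_action: Optional[str] = None        # None: same as `action`
    users: frozenset = frozenset()            # users or groups; empty: anybody
    categories: frozenset = frozenset()
    url_groups: frozenset = frozenset()       # domains; subdomains match too
    file_types: frozenset = frozenset()       # extensions
    keywords: frozenset = frozenset()         # content filter; empty: not used
    start: Optional[time] = None              # None: active all the time
    end: Optional[time] = None
    enabled: bool = True

    def applies_to(self, r: Request) -> bool:
        return not self.users or r.user in self.users or bool(self.users & r.groups)

    def activity_matches(self, r: Request) -> bool:
        # A URL group entry matches the domain itself and any subdomain, but
        # not an unrelated domain that merely ends with the same text.
        in_url_group = any(r.host == d or r.host.endswith("." + d) for d in self.url_groups)
        in_file_types = r.file_ext != "" and r.file_ext in self.file_types
        return r.category in self.categories or in_url_group or in_file_types

    def content_matches(self, r: Request) -> bool:
        # A keyword rule can only fire on text the firewall can see, which for
        # HTTPS means the connection has to be decrypted.
        text = r.page_text.lower()
        return not self.keywords or any(k in text for k in self.keywords)

    def active_at(self, when: datetime) -> bool:
        return self.start is None or self.start <= when.time() <= self.end

    def matches(self, r: Request, when: datetime) -> bool:
        return (self.enabled and self.applies_to(r) and self.activity_matches(r)
                and self.content_matches(r) and self.active_at(when))

    def action_for(self, r: Request) -> str:
        return self.https_action if (r.https and self.https_action) else self.action


def evaluate(rules, default_action: str, r: Request, when: datetime):
    """Return (rule name, action) for the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(r, when):
            return rule.name, rule.action_for(r)
    return "default", default_action


# Constructed sample policy, top to bottom as it would appear in the web policy.
STUDENTS = frozenset({"Students"})
POLICY = [
    Rule("Bullying terms", BLOCK, categories=frozenset({"Chat", "Social Networking"}),
         keywords=frozenset({"loser", "nobody likes you"})),
    Rule("Social media in lessons", BLOCK, https_action=WARN, users=STUDENTS,
         categories=frozenset({"Social Networking"}), start=time(8, 30), end=time(15, 30)),
    Rule("Shopping quota", QUOTA, categories=frozenset({"Shopping"}),
         url_groups=frozenset({"shop.example"})),
    Rule("Executables", BLOCK, file_types=frozenset({"exe", "msi"})),
]
DEFAULT_ACTION = ALLOW

LESSON = datetime(2023, 3, 1, 10, 0)
EVENING = datetime(2023, 3, 1, 18, 0)

if __name__ == "__main__":
    req = Request("alice", STUDENTS, "Social Networking", "social.example")
    print(evaluate(POLICY, DEFAULT_ACTION, req, LESSON))   # ('Social media in lessons', 'block')
```

Two behaviours worth testing in a policy of your own are visible here: the same student request gets "block" over HTTP but the rule's separate HTTPS action over HTTPS, and the keyword rule never fires on an undecrypted HTTPS page because there is no page text for the filter to inspect.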
Configuring Web protection on Sophos Firewall- 11
Simulation: Create Custom Web Categories on Sophos Firewall
In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user activity, and create a user activity for controlling access to specific categories of website.
[Additional Information] https://training.sophos.com/fw/simulation/WebCategories/1/start.html

Configuring Web protection on Sophos Firewall- 12
Content Filters
Web policies include the option to log, monitor and enforce policies related to keyword lists. This feature is particularly important in educational environments to ensure online child safety and to provide insight into students using keywords related to self-harm, bullying, radicalization or otherwise inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and applied to any web filtering policy as an additional criterion, with actions to log and monitor, or to block search results or websites containing the keywords of interest. Comprehensive reporting is provided to identify keyword matches and the users that are searching for or consuming keyword content of interest, enabling proactive intervention before an at-risk user becomes a real problem. Keyword lists are plain text files with one term per line.

Configuring Web protection on Sophos Firewall- 13
Simulation: Create a Web Content Filter on Sophos Firewall
In this simulation you will create a custom content filter that will be used to detect web pages that contain common bullying terms.
[Additional Information] https://training.sophos.com/fw/simulation/ContentFilter/1/start.html

Configuring Web protection on Sophos Firewall- 14
Applying Policies
Once you have created your web policy you can apply it in firewall rules.

Configuring Web protection on Sophos Firewall- 15
Web Policies
If there are options that cannot be enforced, this is indicated in the firewall rule with a warning triangle. Hovering over the warning provides additional information.

Configuring Web protection on Sophos Firewall- 16
Simulation: Create a Custom Web Policy on Sophos Firewall
In this simulation you will clone and customize a web policy by adding additional rules. You will then test the policy using two different users and the Policy Test tool.
[Additional Information] https://training.sophos.com/fw/simulation/WebPolicy/1/start.html

Configuring Web protection on Sophos Firewall- 17
Web Protection
When any web filtering is enabled, Sophos Firewall will:
• Automatically block websites that are identified as containing child sexual abuse content by the Internet Watch Foundation (IWF).
• Hide the domain name in logs and reports.
• Not support any policy or exception to allow the sites.
The IWF describes its remit as minimising the availability of online sexual abuse content.
Specifically:
• Child sexual abuse content hosted anywhere in the world.
• Non-photographic child sexual abuse images hosted in the UK.
No policy or exception can be configured to allow these sites, and the domain names are hidden in the logs and reports.
[Additional Information] Find out more about the IWF at https://www.iwf.org.uk

Configuring Web protection on Sophos Firewall- 18
Protection Settings
There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• The action to take for unscannable content and potentially unwanted applications.
[Additional Information] Zero-day protection requires the Sophos scan engine; this means that you need to either select Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use dual engine scanning. The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more cautious approach. You must then decide how to handle content that cannot be scanned, for example because it is encrypted or password protected. The safest option is to block this content, but it can be allowed if required. Web protection also includes an option to block Potentially Unwanted Applications from being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs list; this is applied as part of the malware protection in firewall rules.

Configuring Web protection on Sophos Firewall- 19
Protection Settings
The HTTPS decryption and scanning settings on this page allow you to change the signing CA and modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS decryption rules.
Configuring Web protection on Sophos Firewall- 20
Zero-Day Protection
The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection settings. Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos decide where to send files for analysis based on which will give the best performance. You may need to configure this to remain compliant with data protection laws. You can also choose to exclude certain types of file from zero-day protection using the predefined file type options. Zero-day protection scanning is enabled in the Web filtering section of firewall rules.

Configuring Web protection on Sophos Firewall- 21
Advanced Settings
On the General settings tab there are also some advanced settings where you can enable web caching and caching of Sophos endpoint updates. You can also configure some web proxy settings:
• The port that clients should use to configure Sophos Firewall as an explicit proxy.
• The ports that can be connected to.
• The minimum TLS version.

Configuring Web protection on Sophos Firewall- 22
Web Proxy Content Caching
Sophos Firewall can be configured to cache web content, which can save bandwidth for sites with limited or slower Internet access; however, the web proxy is required in order to enforce this.

Configuring Web protection on Sophos Firewall- 23
User Notifications
In the User notifications tab, you can modify the images and text shown on the warn and block pages. The text can include variables to display the category detected and to link to suggesting a different category. You can preview what the message will look like to users using the link.

Configuring Web protection on Sophos Firewall- 24
Policy Overrides
Web policy override settings allow authorized users to override blocked sites on user devices, temporarily allowing access.
You define which users (for example, teachers in an education setting) have the option to authorize policy overrides. Those users can then create their own override codes in the Sophos Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you can see a full list of all override codes created and disable or delete them, as well as defining sites or categories that can never be overridden. There is also a report providing full historical insight into web override use.

Configuring Web protection on Sophos Firewall- 25
Policy Overrides
Override code rules can be broad, allowing any traffic or whole categories, or narrow, allowing only individual sites or domains, and can also be limited by time and day. To avoid abuse, codes can easily be changed or cancelled.

Configuring Web protection on Sophos Firewall- 26
Policy Overrides
Codes can be shared with end users, who enter them directly into the block page to allow access to a blocked site.

Configuring Web protection on Sophos Firewall- 27
Simulation: Delegate Web Policy Overrides on Sophos Firewall
In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web policy override and use the access code generated to allow John Smith to access a site that is currently blocked.
[Additional Information] https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html

Configuring Web protection on Sophos Firewall- 28
Exceptions
The exceptions found within web protection on Sophos Firewall can be used to bypass certain security checks or actions for any sites that match the criteria specified in the exception. There are a few predefined exceptions already in Sophos Firewall, and more can be created at the administrator's discretion. It is important to note that exceptions apply to all web protection policies, no matter where they are applied in Sophos Firewall.

Configuring Web protection on Sophos Firewall- 29
Exceptions
Exceptions can be matched on any combination of:
• URL patterns, which can be either simple strings or regular expressions.
• Website categories.
• Source IP addresses.
• Destination IP addresses. Please note that many websites have multiple IP addresses, and all of them would need to be listed.
Where multiple matching criteria are used, the traffic must match all of the criteria for the exception to apply. You then select which checks the exception will bypass.

Configuring Web protection on Sophos Firewall- 30
Chapter Review
Web policy rules can apply to specific users and groups, or to anyone.
They define the activities or types of web traffic and have an action to allow, warn, apply a quota or block. A separate action can be applied to HTTPS traffic. The web filtering policy is selected in the security features of the firewall rule, which provides an option to use the web proxy or the DPI engine; some policy options can only be enforced by the web proxy. Web policy overrides allow authorized users to override blocked sites on user devices, temporarily allowing access.

Sophos Firewall Web Protection Quotas and Traffic Shaping
Sophos Firewall FW4035: Sophos Firewall Web Protection Quotas and Traffic Shaping, April 2022, Version: 19.0v1

Sophos Firewall Web Protection Quotas and Traffic Shaping - 1
Sophos Firewall Web Protection Quotas and Traffic Shaping
In this chapter you will learn how to use web policy rule quotas, surfing quotas and traffic shaping to control web access.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Web Protection on Sophos Firewall
✓ Configuring traffic shaping settings
DURATION 7 minutes

Sophos Firewall Web Protection Quotas and Traffic Shaping - 2
Quotas and Traffic Shaping
Sophos Firewall can control web access in three ways:
• Using the quota action in web policy rules (category and time-based).
• Applying surfing quotas to groups of users (time-based).
• Applying traffic shaping policies (bandwidth-based).

Sophos Firewall Web Protection Quotas and Traffic Shaping - 3
Web Policy Rule Quotas
In the web policy you can set rules to apply a quota action. Choose which activities should have a quota restriction; the quota applies to all activities in that rule.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 4
Web Policy Rule Quotas
Further down in the policy you configure how much quota time users have per day. All quota activities share the same pool of quota time. When a user accesses an activity with a quota, they are asked how much quota time to use now. This prevents quota time being exhausted by websites updating in the background.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 5
Surfing Quotas
Surfing quotas are applied to users and groups and are another way to control the amount of time spent on the Internet. Unlike web policy rule quotas, surfing quotas apply to all Internet traffic.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 6
Surfing Quotas
Surfing quotas define an amount of surfing time, which can either be a single amount of time or cyclic, where the surfing time is reset on a schedule.
Surfing quotas can also have a validity period, which can be useful for guest users. The validity period defines how long the quota is active for.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 7
Simulation: Create a Surfing Quota for Guest Users on Sophos Firewall
In this simulation you will configure a surfing quota for guest users and apply it to the ‘Guest Group’. You will create a guest user and test your quota policy.
[Additional Information] https://training.sophos.com/fw/simulation/SurfingQuota/1/start.html

Sophos Firewall Web Protection Quotas and Traffic Shaping - 8
Traffic Shaping
Traffic shaping does not limit the amount of time or data; instead it can either limit or guarantee how much bandwidth will be available.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 9
Traffic Shaping
Sophos Firewall supports traffic shaping for several types of policy. In this context, the traffic shaping policy is applied to web categories, but it can also be applied to users and groups, firewall rules and applications.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 10
Traffic Shaping
The example shows a new web category that has been created for www.example.com and has the traffic shaping policy applied.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 11
Chapter Review
Using web policies, you can include rules to apply a quota action to all activities within the rule. When a user accesses an activity with a quota, they are asked how much time to use. Surfing quotas are applied to users and groups. Unlike web policy rule quotas, surfing quotas apply to all Internet traffic. Traffic shaping does not limit the amount of time or data.
Instead, it can either limit or guarantee how much bandwidth will be available. As well as web categories, it can be applied to users and groups, firewall rules and applications.

Getting Started with Remote Access VPNs on Sophos Firewall
Sophos Firewall Version: 19.0v1
Sophos Firewall FW5005: Getting Started with Remote Access VPNs on Sophos Firewall
April 2022
Getting Started with Remote Access VPNs on Sophos Firewall - 1

Configuring SSL Remote Access VPNs on Sophos Firewall
In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Protocols used for VPN access
✓ Authentication servers, users and groups

DURATION
20 minutes

Remote Access VPNs
• IPsec: establish remote access IPsec VPNs using the Sophos Connect client or third-party clients
• SSL: establish remote access SSL VPNs using the Sophos Connect client, legacy SSL VPN client, or OpenVPN clients
• Clientless SSL: provide access to internal services and resources using a browser
• L2TP over IPsec: compatible with the VPN client built into Windows
• PPTP: support for legacy PPTP connections (not recommended)

Sophos Firewall supports a range of common protocols for remote access VPNs. The most used are IPsec and SSL, so in this chapter we will focus on these two, but it is useful to remember that Sophos Firewall also supports L2TP over IPsec, which is compatible with the Windows built-in VPN client, and PPTP, although we do not recommend you use it as it is less secure.
SSL and IPsec VPNs
SSL Remote Access VPN:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with OpenVPN clients on all platforms
• Support for multi-factor authentication
• Supports Synchronized Security
• Split tunnelling and tunnel all
• Guided configuration wizard

IPsec Remote Access VPN:
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with third-party IPsec VPN clients
• Support for multi-factor authentication
• Supports Synchronized Security
• Split tunnelling and tunnel all

Sophos Firewall’s SSL remote access VPN is based on OpenVPN, a full-featured VPN solution. The encrypted tunnels between remote devices and the Sophos Firewall use both SSL certificates and username and password to authenticate the connection, and you can also enable multi-factor authentication for additional security. The IPsec remote access VPN can be authenticated using a pre-shared key or digital certificate, with users then authenticating with their username and password, and optionally multi-factor authentication. As a standard IPsec VPN, it is compatible with third-party VPN clients. For both the SSL and IPsec remote access VPNs we provide the Sophos Connect VPN client for Windows and Mac OS X devices. For SSL remote access VPNs, we still support the legacy Sophos SSL VPN Client; however, we recommend upgrading to Sophos Connect when possible.
[Additional Information] https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/enus/webhelp/onlinehelp/nsg/sfos/concepts/VPNSophosConnectClient.html

SSL VPN Assistant
Sophos Firewall has a wizard to streamline and simplify the configuration of everything required for remote access SSL VPNs.
The assistant includes:
• Selecting the users and groups the policy will apply to
• Configuring the authentication servers
• Selecting the resources users will be able to access
• Choosing between split tunneling or tunnel all
• Selecting which zones can access the user portal to download the client and configuration
• Selecting which zones users can establish an SSL VPN from

As part of the assistant, a firewall rule will be created to control access to internal resources from the VPN.

Demo: SSL VPN Assistant
In this demo you will see how to use the SSL VPN assistant to quickly configure remote access for users.
[Additional Information] https://training.sophos.com/fw/demo/SslVpnAssistant/1/play.html

In this short demo we will look at the SSL VPN assistant, which brings together the configuration of the VPN profile, creation of a firewall rule, as well as several global settings, to make setting up SSL VPNs quick and easy. The SSL VPN assistant is launched from the Remote access VPN section on the SSL VPN tab. The first screen here gives you an overview of some of the global SSL VPN settings. These can be configured using the SSL VPN global settings link here. Give the VPN a name, then select the users and groups that can use this connection. I will select the Training group here. Next, you can customize the authentication servers for SSL VPNs. I will remove local authentication. This setting is global for SSL VPNs, and if you need to update it you will find it in Authentication > Services. Select the resources you want users to be able to access through the VPN. This will be used to configure a firewall rule.
Choose whether the VPN will be the default gateway for all traffic, or whether you will be using split tunnelling. Select which zones can access the user portal, where users can download the SSL VPN client and configuration files. Note that this is a global setting that can be found in Administration > Device access. Finally, select which zones users can establish SSL VPNs from. This is also a global setting in device access. Review the configuration, then click Finish. In addition to creating the SSL VPN configuration you can see here, the assistant also created a firewall rule to limit the scope of access for VPN users to the resources selected.

Security Heartbeat over SSL VPN
Split tunnel or tunnel all option. To enable using the Security Heartbeat over the SSL VPN, you need to add the built-in ‘SecurityHeartbeat_over_VPN’ host object. This contains the public IP address used for Security Heartbeat and will ensure it is routed over the VPN to Sophos Firewall.

SSL VPN Settings
By default, Sophos Firewall hosts the SSL VPN on port 8443; however, this can be changed to a different available port in the SSL VPN settings. Note that the SSL VPN can share port 443 with other services on Sophos Firewall, such as the user portal and web application firewall rules. You can modify the SSL certificate for the connection and override the hostname used in the configuration files. You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that connect. In addition to this, there are several advanced connection settings such as the algorithms, key size, key lifetime and compression options.
The SSL VPN settings are global for both remote access and site-to-site SSL VPNs; if you make changes here you may need to update any SSL site-to-site VPNs you have configured.

SSL VPN Client
• Recommended VPN client for Windows and Mac OS X (Sophos Connect)
• Legacy SSL VPN client for Windows
• Configuration for all platforms

Once an SSL VPN profile has been created for a user, they can download an SSL VPN client from their User Portal. For Windows and Mac OS X we recommend using the Sophos Connect client. There is also a legacy SSL VPN Client for Windows, and a configuration download for all platforms.

Sophos Connect Client and Legacy SSL VPN Client
If the legacy SSL VPN client is not installed in the default location, the Sophos Connect installer will not detect it. The legacy SSL VPN client and Sophos Connect client cannot be installed on the same computer as they will conflict with each other. To prevent this, the Sophos Connect installer checks for the legacy client in the default installation path and displays an error if it is found. If the legacy SSL VPN client has been installed to a non-default location, the Sophos Connect installer will not detect it. This may render both VPN clients inoperable due to the conflict.
[Additional Information] The default installation path of the legacy SSL VPN client is: C:\Program Files (x86)\Sophos\Sophos SSL VPN

Simulation: Configure an SSL Remote Access VPN
In this simulation you will configure an SSL remote access VPN using the assistant.
You will then review the configuration created and test your VPN using the Sophos Connect client.
[Additional Information] https://training.sophos.com/fw/simulation/SslUserVpn/1/start.html

IPsec VPN Configuration
Quick links to IPsec profile, Sophos Connect client download, and logs. At the top of the tab for the IPsec remote access VPN are quick links that provide access to IPsec profiles, the Sophos Connect client download, and logs.

IPsec VPN Profiles
IPsec profiles contain the security configuration for the IPsec connection, such as the encryption algorithms that will be supported. Sophos Firewall provides a default profile for remote access; however, you can clone this and create your own to meet your security requirements.

IPsec VPN Configuration
Select the IPsec profile; pre-shared keys or digital certificate; select the users and groups that can connect. To configure the IPsec remote access VPN, start by enabling it and selecting which interface it will listen for connections on. Select the IPsec profile. The VPN can be authenticated by either pre-shared keys or with a digital certificate. Select the users and groups that will be able to authenticate to use the VPN.

IPsec VPN Configuration
IP range to use for the VPN; DNS servers. You need to configure the IP range that will be used for clients that connect, and optionally you can also assign DNS servers.

IPsec VPN Configuration
The advanced configuration can be found at the bottom of the page and allows you to configure split tunneling, two-factor authentication, Security Heartbeat, and other connection settings.
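The caveat earlier in this chapter, that the Sophos Connect installer only looks for the legacy SSL VPN client in its default path, matters most when Sophos Connect is rolled out to many endpoints that will import SSL or IPsec configurations. The following pre-flight check is an added example, not Sophos code: it reads the Windows Uninstall registry keys (both the 64-bit and WOW6432Node views) instead of probing a single path, so a legacy client installed somewhere else is reported before the MSI is pushed. The default path is the one given in the notes; the DisplayName text it matches on, the verdict strings and the function names are assumptions.

```python
import sys
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

try:
    import winreg  # Windows only; the classification logic below runs anywhere.
except ImportError:
    winreg = None

# Default installation path of the legacy SSL VPN client, as given in the notes.
LEGACY_DEFAULT_PATH = r"C:\Program Files (x86)\Sophos\Sophos SSL VPN"
# Assumed: the legacy client's Uninstall entry has a DisplayName containing this text.
LEGACY_NAME_MARKER = "sophos ssl vpn"

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


@dataclass
class InstalledProduct:
    display_name: str
    install_location: str  # InstallLocation value; some installers leave it empty


def _same_path(a: str, b: str) -> bool:
    # PureWindowsPath compares case-insensitively and normalises separators.
    return PureWindowsPath(a.rstrip("\\/")) == PureWindowsPath(b.rstrip("\\/"))


def assess_legacy_client(products: Iterable[InstalledProduct]) -> str:
    """Classify an endpoint ahead of a Sophos Connect rollout (verdict names are assumed).

    "no-legacy"         nothing to remove first
    "legacy-default"    legacy client at the default path; the installer detects it and errors
    "legacy-nondefault" legacy client elsewhere; the installer would not detect it, so both
                        clients could end up installed and conflicting
    "legacy-unknown"    legacy client present but no InstallLocation recorded; verify by hand
    """
    for p in products:
        if LEGACY_NAME_MARKER not in p.display_name.lower():
            continue
        if not p.install_location.strip():
            return "legacy-unknown"
        if _same_path(p.install_location, LEGACY_DEFAULT_PATH):
            return "legacy-default"
        return "legacy-nondefault"
    return "no-legacy"


def _read_value(key, name: str) -> str:
    try:
        value, _ = winreg.QueryValueEx(key, name)
    except OSError:
        return ""
    return str(value)


def read_installed_products() -> List[InstalledProduct]:
    """Enumerate installed products from both the 64-bit and 32-bit Uninstall views."""
    if winreg is None:
        return []
    found: List[InstalledProduct] = []
    for sub in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, name) as key:
                        display = _read_value(key, "DisplayName")
                        location = _read_value(key, "InstallLocation")
                except OSError:
                    continue
                if display:
                    found.append(InstalledProduct(display, location))
    return found


def main() -> None:
    verdict = assess_legacy_client(read_installed_products())
    print(f"legacy SSL VPN client check: {verdict}")
    # A non-zero exit lets a deployment script stop before pushing the Sophos Connect MSI.
    sys.exit(0 if verdict == "no-legacy" else 1)


if __name__ == "__main__":
    main()
```

Run on each Windows endpoint before deployment; anything other than "no-legacy" means the legacy client should be removed first, and "legacy-nondefault" is exactly the case the installer's own check would miss.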
IPsec VPN Configuration
Download configuration files. Using the buttons at the bottom of the page you can export the configuration for the VPN.

IPsec VPN Configuration
Only the .scx contains the advanced settings. When you export the configuration from the web admin you will download an archive with two files:
• .scx – includes the advanced settings
• .tbg – only contains the basic configuration and tunnels all traffic back to the Sophos Firewall

IPsec VPN Client
The Sophos Connect client can also be downloaded from the user portal; however, the configuration for the IPsec VPN needs to be provided by the admin.

Sophos Connect Client
Import the configuration file for either IPsec or SSL. To use the Sophos Connect client you need to import a configuration file. This can be either for the IPsec or SSL VPN.

Sophos Connect Client
Connect, login, connection details. You can then connect to the VPN. When the Sophos Connect Client contacts the firewall, you will be prompted to authenticate. Once connected, the details will be shown.

Simulation: Configure an IPsec Remote Access VPN
In this simulation you will configure an IPsec remote access VPN. You will then test your VPN using the Sophos Connect client.
[Additional Information] https://training.sophos.com/fw/simulation/IpsecUserVpn/1/start.html

Deploying Sophos Connect
Knowledgebase Article KB-000040793: How to Deploy Sophos Connect via Group Policy Object (GPO)
1 Deploy the Sophos Connect MSI via a GPO script
2 Push the configuration as a file in the Windows Settings GPO

The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires two elements to be configured. First, you need to add the Sophos Connect MSI via a GPO (Group Policy Object) script. Secondly, you need to configure a Windows Settings file to push the configuration to the endpoints.
[Additional Information] Details on how to do this are covered in knowledgebase article KB-000040793. https://support.sophos.com/support/s/article/KB-000040793

Chapter Review
Here are the main things you learned in this chapter.
• The VPN assistant streamlines the configuration of everything required for remote access SSL VPNs.
• The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These settings are global and apply to site-to-site SSL VPNs.
• The Sophos Connect client supports both IPsec and SSL remote access VPNs and can be downloaded from both the web admin and user portal.
• The SSL VPN configuration is downloaded in the user portal, whereas the IPsec VPN configuration is downloaded in the web admin.

Configuring Clientless Access on Sophos Firewall
Sophos Firewall Version: 19.0v1
Sophos Firewall FW5020: Configuring Clientless Access on Sophos Firewall
April 2022

Configuring Clientless Access on Sophos Firewall - 1

Configuring Clientless Access on Sophos Firewall
In this chapter you will learn how to create and manage bookmarks for clientless SSL VPN access.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Remote Access VPNs on Sophos Firewall

DURATION
8 minutes

Clientless Access Portal
Clientless SSL VPN connections can be found in the user portal and can be used to provide access to internal resources without the need for a VPN client to be installed.
They are in the VPN section and will appear below any IPsec and SSL VPNs that have been enabled for the user. This form of remote access is most useful for providing IT staff with access to internal systems without exposing them directly to the Internet. For example, providing access to TELNET, SSH, and RDP, so that IT staff can securely administer key pieces of infrastructure remotely. Other examples include providing a user with RDP access to a specific machine, often for accounting or finance, or access to timesheets, client tracking, web-based ticketing systems and so forth.

Configuration
1 Define the internal resources as bookmarks
2 Assign bookmarks to users and groups

Configuration for Clientless SSL VPN is done in two parts:
• First you create bookmarks, which define the internal resources to be accessed
• Then you create policies to assign the bookmarks to users and groups

Bookmarks
Protocols: RDP, TELNET, SSH, FTP/FTPS, SMB, VNC
When you create the bookmarks, start by selecting the protocol in the ‘Type’ field; this will change the remaining fields that need to be completed. Bookmarks can be created for: RDP, TELNET, SSH, FTP, SMB, and VNC. You can choose to enable automatic login for the bookmark, where you can provide a username and password that will be used to connect to the resource. This will not be the username and password for the person using the bookmark in the user portal. It is important to note that each bookmark represents a session to a resource, so if you wanted to give five people access to a resource, you would create a bookmark for each. You can enable session sharing, which means that two users can use the bookmark at the same time, but there will still only be a single session.
Bookmark Groups
You can also create bookmark groups, which can then be used to assign multiple bookmarks in a policy.

Clientless Access
Once the bookmarks have been created, and optionally added to bookmark groups, they need to be assigned to a specific user or group using a policy. This simple policy has just three settings:
• A name for the policy
• The users and groups the policy applies to (individual users and user groups)
• The bookmarks that can be used (individual bookmarks and bookmark groups)

Simulation: Configure Clientless SSL VPN Access
In this simulation you will configure bookmarks and policies for clientless SSL VPN access. You will then log in to the user portal to test your configuration.
[Additional Information] https://training.sophos.com/fw/simulation/ClientlessVpn/1/start.html

Chapter Review
Here are the main things you learned in this chapter.
• Clientless SSL VPN provides access to internal resources through bookmarks in the VPN section of the user portal.
• Bookmarks can be created for: RDP, TELNET, SSH, FTP, SMB, and VNC. Each bookmark is a single session for that resource.
• Policies assign bookmarks to users and groups.

Sophos Firewall Web Protection Overview
Sophos Firewall Version: 19.0v1
Sophos Firewall 4005: Sophos Firewall Web Protection Overview
April 2022

Sophos Firewall Web Protection Overview - 1

Sophos Firewall Web Protection Overview
In this chapter you will learn how Sophos Firewall can provide web protection as a transparent or explicit proxy.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks

DURATION
10 minutes
Web Protection Overview
Protection:
• Scan for malware with two antivirus engines
• Sophos zero-day protection: cloud-based sandbox scanning
• Scan for potentially unwanted applications
Control:
• Allow, warn, block and quota access to web content
• Apply rules to users and groups
• Control content based on categories, file types, URLs and content
• Surfing quotas

Web Protection on Sophos Firewall can be used to defend against malware and to control user behaviour. Sophos Firewall can scan for malicious content using two antivirus engines, Sophos and Avira, and if additional checking is required, it can leverage zero-day protection, a Sophos cloud-based sandbox solution. In addition to malicious content, you can also choose to block potentially unwanted applications from being downloaded onto your network. You can improve your network security by blocking access to risky websites and applying controls to users’ browsing behaviour. Sophos Firewall comes with several predefined policies to get started that can be further customized to meet your needs.

Web Protection Overview
Transparent or explicit. Web filtering on Sophos Firewall can be done either transparently, intercepting traffic as it passes, or as an explicit proxy, where clients are configured to use the Sophos Firewall as their web proxy.

DPI vs. Web Proxy Filtering
DPI:
✓ Port agnostic protocol detection
✓ Support for FastPath
✓ Decrypts TLS 1.3 traffic
✓ Offloads traffic trusted by SophosLabs
Web Proxy Filtering:
✓ Enforce SafeSearch
✓ Apply YouTube restrictions
✓ Explicit proxy mode

The DPI (Deep Packet Inspection) engine can perform web filtering for improved performance; however, you can still choose to use the legacy web proxy. Let’s take a look at some of the differences between DPI and web proxy filtering.
DPI implements proxy-less filtering handled by the IPS (Intrusion Prevention System) engine. It provides port agnostic protocol detection and supports the partial or full offload of traffic flows to the network FastPath. It can decrypt and scan TLS 1.3 traffic and offloads the traffic trusted by SophosLabs. In comparison, you may want to use web proxy filtering to enforce SafeSearch or YouTube restrictions, or because your clients are configured to use the Sophos Firewall as an explicit proxy. Let’s take a closer look at how the traffic is processed in each of these scenarios.

Firewall Rule > Security Features
The Security Features section of the Firewall Rules provides settings to choose between the DPI Engine and Web Proxy for each individual rule.

DPI Filtering
[Diagram labels: sophos.com on port 80, sophos.com on port 8080, sophos.com on port 443; Firewall; Web Proxy (Decrypt HTTPS, Web Policy, Content Scan); DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS); FastPath]
Using the configuration shown here, all the traffic will be handled by the faster DPI engine for IPS and proxy-less web filtering and SSL decryption on any port for HTTP and HTTPS, using port agnostic protocol identification. In this configuration the SSL/TLS inspection rules are used to manage the decryption of secure web traffic. Using the DPI engine allows the Sophos Firewall to offload safe traffic to the FastPath. This is done for traffic that the Sophos Firewall qualifies as being safe, or that matches identities for SophosLabs trusted traffic.
Web Proxy Filtering
[Diagram labels: sophos.com on port 80, sophos.com on port 8080, sophos.com on port 443; Firewall; Web Proxy (Decrypt HTTPS, Web Policy, Content Scan); DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS); FastPath]
If you enable the web proxy, then HTTP and HTTPS traffic on ports 80 and 443 will be processed by the web proxy for decryption, web policy and content scanning, before being handed to the DPI engine for application control and IPS. HTTP or HTTPS traffic on other ports will still be handled by the DPI engine. The web proxy is also used in explicit proxy configurations. When the web proxy is being used, none of the traffic can be offloaded to the FastPath.

Deploying Sophos Firewall for Web Protection
Gateway or mixed mode deployments
[Diagram labels: LAN Zone, WAN Zone, Internet, Sophos Firewall, Filter web traffic]
If the Sophos Firewall is the network gateway or will be replacing an existing gateway, then web filtering can simply be enabled for the traffic passing through it. This deployment scenario is ideal as all traffic must pass through the Sophos Firewall before being allowed out to the Internet. As such, all traffic entering the network must also pass through the Sophos Firewall before reaching clients. By implementing in this fashion, all web traffic can be scanned, decrypted, sent to zero-day protection if needed, and controlled so that users cannot violate company policy, and hackers cannot pass unseen. In this deployment scenario, the Sophos Firewall can be used as both a transparent and explicit proxy.

Deploying Sophos Firewall for Web Protection
Bridge mode deployments
[Diagram labels: Sophos Firewall, Firewall, Transparently filter web traffic, Internet, Other networks such as DMZ will not be filtered]
In scenarios where the Sophos Firewall will not be the primary network gateway there are two deployment options.
The first is to add Sophos Firewall to the network in bridge mode, allowing it to transparently filter the web traffic. This is a good solution if the existing edge device will not be replaced. Similarly to the previous solution, anyone behind the Sophos Firewall will not be able to bypass the filter and will have their traffic inspected. The only exception would be if there were another network, such as a DMZ hosting public servers, behind the edge firewall.

Deploying Sophos Firewall for Web Protection
Explicit proxy deployments
[Diagram labels: Switch, Firewall, Configure clients to use Sophos Firewall as web proxy, Internet, Allow web traffic from Sophos Firewall only, Sophos Firewall]
The other option is for the Sophos Firewall to be on the network but not in the direct flow of traffic, and to have the clients configured to use it as an explicit proxy. In this configuration, the Sophos Firewall doesn’t have any control over traffic that is sent directly to the default gateway, and so it is important that the edge device is configured to only allow web traffic from allowed devices, including the Sophos Firewall.

Transparent vs. Explicit Proxy
Transparent:
• Typically deployed at the gateway
• Does not require client configuration
• Client (operating system/browser/application) is unaware the traffic is being filtered
• Users cannot circumvent the filtering
Explicit:
• Requires client (operating system/browser/application) to be configured with the proxy details
• Firewall must be configured to only allow web traffic from the proxy to prevent users from circumventing it

The key differences between transparent and explicit proxy web filtering are: In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and the proxy service is configured to intercept traffic for a specified port. The client (e.g., browser, desktop application etc.)
is unaware that traffic is being processed by a proxy. For example, a transparent HTTP proxy is configured to intercept all traffic on port 80/443. This provides a standard enterprise configuration where all clients routed to the Internet will be filtered and protected, no matter what the end users do or change on their machines. An added benefit is a reduction in client-proxy configuration troubleshooting. Transparent proxies also handle mobile and guest devices without any additional configuration. In an explicit proxy configuration, the client is explicitly configured to use a proxy server, meaning the client knows that all requests will go through a proxy. The client is given the hostname, IP address, and port number of the proxy service. When a user makes a request, the client connects to the proxy service and sends the request. The disadvantage of the explicit proxy is that each client must be properly configured to use the proxy.

Chapter Review
Here are the three main things you learned in this chapter.
• DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic protocol detection and supports the partial or full offload of traffic flows to the network FastPath. It can decrypt and scan TLS 1.3 traffic.
When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be processed by the web proxy for decryption, web policy and content scanning before being handed to the DPI engine for application control and IPS.

If Sophos Firewall is the network gateway, then web filtering can be enabled for the traffic passing through it. When Sophos Firewall is not the primary network gateway it can operate in bridge mode, allowing it to transparently filter the web traffic, or be configured as an explicit proxy.

Getting Started with Application Control on Sophos Firewall

Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW4505: Getting Started with Application Control on Sophos Firewall
April 2022
Version: 19.0v1

Getting Started with Application Control on Sophos Firewall - 1

In this chapter you will learn how to configure application control filters and apply them to firewall rules.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks
✓ Configuring firewall rules

DURATION 15 minutes

Application Control Overview

(Slide: application types such as cloud storage, peer-to-peer, video streaming and social media; Sophos Firewall protects against risky applications, blocks or limits unproductive applications, and guarantees bandwidth for business applications.)

Many applications and tools used for day-to-day business are provided through cloud-based services, so ensuring good Internet connectivity for employees is vital. Alongside these business applications is every other type of application and service that can be imagined, many of which are unproductive or can expose users and the company network to risks. Sophos Firewall can protect against risky applications, block or limit access to unproductive applications, and at the same time guarantee that business applications have the bandwidth they need.

Application List

Applications can be found in: PROTECT > Applications > Application list

Sophos Firewall comes with definitions for thousands of known applications, which you can filter and view the details of in PROTECT > Applications > Application list.

Live Connections

Current connections can be monitored in: MONITOR & MANAGE > Current activities > Live connections

The Live connections page lists all of the current applications making connections through the Sophos Firewall. You can use the link in the ‘Total’ column to get more detailed information about all of the connections for that application.
The live connections can be shown by application, username or source IP address, and the page can optionally be set to refresh automatically to give a real-time view.

Application Filters

Application filters can be found in: PROTECT > Applications > Application filter

Application filters are sets of rules that can allow or deny access to applications. Unlike web policies, application filter rules are not applied to users and groups, so the application filter will apply to all users for the firewall rule it is used in.

Creating Application Filters

Application filters are created in two stages. First you create the application filter. Here you can optionally select an existing application filter as a template. You save the application filter and, if you selected a template, the rules will be copied over to the new filter.

You can now open the application filter and start adding rules, or edit rules if you selected a template. Please note that the rules are processed in order, and you can rearrange them by dragging and dropping.

Application Filter Rules

For each application filter rule, you select which applications it will apply to, set whether the action for those applications is allow or deny, and optionally select a schedule for when the rule will be active. Selecting the applications in the rule is done by filtering the applications using the criteria provided or using a free-text smart filter. When new applications are added that match the filters, they will automatically be included in the rule.
You can optionally choose to select individual applications rather than all applications included in the filtered results; in this case, newly added applications will not automatically be added to the rule.

Below the selected applications, you can choose whether this rule is to allow or deny them. You can also select when this rule is active based on a schedule.

Apply an Application Filter

Once you have configured your application filter, it needs to be selected in a firewall rule in the ‘Other security features’ section.

Simulation: Create an Application Filter

In this simulation you will create a custom application filter, apply it to a firewall rule, then test the results.
LAUNCH SIMULATION: https://training.sophos.com/fw/simulation/AppFilter/1/start.html

Synchronized App Control

(Slide: Sophos Firewall does not recognize some traffic from a managed endpoint and asks what application it is from; the answer, obtained via Sophos Central, is that it is Custom Business Application, and it is allowed.)

Synchronized app control can identify, classify and control previously unknown applications active on the network. It uses the Security Heartbeat to obtain information from the endpoint about applications that don’t have signatures or are using generic HTTP or HTTPS connections. This solves a significant problem that affects signature-based app control on all firewalls today, where many applications are classified as “unknown”, “unclassified”, “generic HTTP” or “SSL”.
Synchronized app control is not supported in active-active high availability deployments.

Managing Synchronized App Control

Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central. In the Control center there is a synchronized application control widget that provides an at-a-glance indication of new applications that have been identified.

Categorizing Identified Applications

Identified applications are managed in: PROTECT > Applications > Synchronized Application Control

Where possible, Sophos Firewall will automatically classify identified applications, and they will be controlled based on the current application filters you have in place. Through the menu for the application you can customize the classification.

Here you can see that OneDrive has been assigned to the application category ‘Storage and Backup’. If you were blocking this category but wanted to allow OneDrive, you could choose to move it to another category such as ‘General Business’.

Synchronized Application Control

You can configure clean-up of the synchronized application control database to remove obsolete applications that are no longer in use; this is done in PROTECT > Central synchronization. You can choose how long to retain applications in the database, from 1 month to 12 months (1, 3, 6, 9 or 12 months). Sophos Firewall will then run a daily check for applications older than the threshold and remove them in batches of 100 every 5 minutes. Applications are also deleted from application filter policies if they were added individually. The time applications are retained for is counted from when they were last detected by synchronized application control.
If the application is frequently used, then the last detection date will always be updated, and the application will not be purged. This feature is designed to only purge applications that are no longer in use, and therefore no longer being detected by synchronized application control.

Simulation: Use Synchronized App Control to Block an Application

In this simulation you will reclassify an application detected by synchronized application control, then test that it is blocked.
LAUNCH SIMULATION: https://training.sophos.com/fw/simulation/SyncAppControl/1/start.html

Application Routing

Routing > SD-WAN Routing > Add

Applications can be added as a traffic selector for SD-WAN policy routes. To use this functionality you need to create an application object. An application object is a list of applications selected using the same filtering criteria and options as for application filter rules. In the example here, we have selected remote access applications that have been detected by synchronized application control.

Cloud Applications

(Slide: OneDrive is sanctioned, Dropbox is unsanctioned. Identify cloud applications being used, classify cloud applications, apply traffic shaping rules, block using application control.)

Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to identify risky behavior by providing insights into what cloud services are being used.
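Returning to the application filter rules and the synchronized app control clean-up described earlier in this chapter: the Python below is an added model written for this page (it is not Sophos Firewall code and not part of the course). It shows ordered rules whose membership is either a live filter (new matching applications join automatically) or an individual selection (they do not), rule schedules, and the purge of applications by last-detected date in batches, which also drops individually selected applications from rules. The application names, dates and the 30-day month are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass
class App:
    name: str
    category: str
    risk: int                          # risk level as used in the application list filters
    last_seen: Optional[date] = None   # set for apps discovered by synchronized app control


@dataclass
class FilterRule:
    """One rule of an application filter: allow or deny a set of applications."""
    action: str                                          # "allow" or "deny"
    criteria: Optional[Callable[[App], bool]] = None     # live filter: new matches join automatically
    apps: set = field(default_factory=set)               # individual selection: fixed membership
    active: Callable[[date], bool] = lambda day: True    # schedule; always active unless given

    def matches(self, app: App, today: date) -> bool:
        if not self.active(today):
            return False
        if self.criteria is not None:
            return self.criteria(app)
        return app.name in self.apps


def evaluate(rules: list, app: App, today: date, default: str = "allow") -> str:
    """Rules are processed in order; the first matching rule decides the action."""
    for rule in rules:
        if rule.matches(app, today):
            return rule.action
    return default


def purge_stale(apps: list, rules: list, today: date, retain_months: int, batch: int = 100) -> list:
    """Daily clean-up: drop synchronized apps not detected within the retention period.
    Apps are removed in batches (the firewall spaces its batches 5 minutes apart; here
    they are just returned), and any rule that selected them individually loses them.
    Apps without a last_seen date were not discovered by synchronized app control and stay."""
    cutoff = today - timedelta(days=30 * retain_months)   # assumption: a month is 30 days
    stale = [a for a in apps if a.last_seen is not None and a.last_seen < cutoff]
    batches = [stale[i:i + batch] for i in range(0, len(stale), batch)]
    for group in batches:
        for app in group:
            apps.remove(app)
            for rule in rules:
                rule.apps.discard(app.name)
    return batches


def demo() -> dict:
    """Constructed walk-through; returns the filter decisions and the purge outcome."""
    today = date(2022, 4, 1)                              # a Friday
    weekdays = lambda day: day.weekday() < 5
    rules = [
        FilterRule("allow", apps={"Custom Business App", "OldTool"}),         # picked individually
        FilterRule("deny", criteria=lambda a: a.category == "P2P"),           # smart filter on category
        FilterRule("deny", criteria=lambda a: a.risk >= 4, active=weekdays),  # scheduled rule
    ]
    apps = [
        App("Custom Business App", "General Business", 1, last_seen=date(2022, 3, 30)),
        App("OldTool", "General Business", 2, last_seen=date(2021, 9, 1)),
        App("NewSharer", "P2P", 3),                 # signature added after the filter was built
        App("FileBox", "Storage and Backup", 4),
    ]
    by_name = {a.name: a for a in apps}
    decisions = {
        "Custom Business App": evaluate(rules, by_name["Custom Business App"], today),
        "NewSharer": evaluate(rules, by_name["NewSharer"], today),           # caught by live filter
        "FileBox weekday": evaluate(rules, by_name["FileBox"], today),
        "FileBox weekend": evaluate(rules, by_name["FileBox"], today + timedelta(days=1)),
    }
    purged = purge_stale(apps, rules, today, retain_months=6)
    return {
        "decisions": decisions,
        "purged": [a.name for group in purged for a in group],
        "rule0_apps": rules[0].apps,
        "remaining": [a.name for a in apps],
    }
```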
You can then take appropriate action by educating users or implementing application control or traffic shaping policies to control or eliminate potentially risky or unwanted behavior. For example, if your company has a corporate Microsoft 365 subscription and uses OneDrive for file storage, and one user is consistently uploading data to Dropbox, that could be a red flag that needs further investigation or policy enforcement. This practice of using unsanctioned cloud services is called “Shadow IT”, a term you’ll often hear in association with CASB.

Cloud Applications in the Control Center

In the Control center there is a widget that provides a visual summary of cloud application usage by classification. This can be New, Sanctioned, Unsanctioned, or Tolerated. The statistics show the number of cloud applications, and the amount of data in and out. Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can get more detailed information.

Cloud Applications

Cloud applications can be found in: PROTECT > Applications > Cloud applications

Here you can see all the cloud applications that have been detected and filter them by classification and category; they can be sorted either by volume of data or by number of users. You can expand each application to see which users have been using it, and how much data they have transferred.

Classifying and Traffic Shaping

For each detected application you can select a classification and a traffic shaping policy. By selecting a classification for the applications, you can then use this to customize reports to show, for example, use of unsanctioned applications on your network. Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.
Simulation: Categorize Cloud Applications on Sophos Firewall

In this simulation you will review the cloud applications detected by Sophos Firewall and classify them.
LAUNCH SIMULATION: https://training.sophos.com/fw/simulation/CloudApplications/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.

Application filters are an ordered list of rules that allow or deny applications based on filter criteria. Application filters need to be applied in a firewall rule.

Synchronized application control can detect unknown applications using Security Heartbeat. Discovered applications are automatically classified and allowed or blocked based on your application filters. You can also reclassify applications.

Sophos Firewall can detect cloud applications; these can be classified to report on use of unsanctioned applications on the network.
Application Traffic Shaping on Sophos Firewall

Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW4515: Application Traffic Shaping on Sophos Firewall
April 2022
Version: 19.0v1

Application Traffic Shaping on Sophos Firewall - 1

In this chapter you will learn how to configure and apply a traffic shaping policy for applications.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Application Control on Sophos Firewall
✓ Configuring traffic shaping settings

DURATION 10 minutes

Traffic Shaping Default

Applications can be found in: PROTECT > Applications > Traffic shaping default

You can create and apply traffic shaping policies based on applications. Here you can see the applications grouped by their category. You can apply traffic shaping policies to a category of applications.
You can also apply policies to individual applications, which will take precedence over any category-level traffic shaping policy.

When you choose to edit an application, you can select a compatible traffic shaping policy that will override any other applied QoS policies for that application. From here, you can also edit or even create new traffic shaping policies for the application.

Traffic Shaping Policies

Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

Traffic shaping policies can either be configured to limit the amount of bandwidth they can use, perhaps to prevent video streaming impacting business, or to guarantee an amount of bandwidth in the case of business-critical applications. As we mentioned in the previous slide, there are several pre-defined traffic shaping policies that ship with the Sophos Firewall. As can be seen, they can be associated with standard firewall rules, applied to users, target web categories, or applied to an application.

When you add a new traffic shaping policy, it is important to select the correct policy association. This will determine where the policy can be applied in the Sophos Firewall. For example, a user policy cannot be applied to an application, and vice versa.

The rule type determines if we are going to limit or guarantee bandwidth for the selected traffic.
Selecting the Limit option is often used when you want to prevent users, applications, or other connections from using too much bandwidth and affecting critical business communications. For example, a limit rule can be created for streaming media to prevent services such as YouTube from consuming too much data.

A Guarantee rule is used when you want to ensure that an application or type of traffic has enough bandwidth to function properly, even at the expense of other services. If you have a business-critical application or system, such as VoIP, you want to ensure that it has the necessary amount of bandwidth to function uninterrupted no matter what. Using the VoIP example, if the bandwidth for calls were suddenly reduced, it could cause stuttering during calls or even disconnects. Imagine how that would look if you were on the line with a customer.

The next settings can be used to determine how much bandwidth to allocate. The upload and download bandwidth can be controlled independently if desired. The amount of bandwidth can be set, and the bandwidth can be controlled per individual (per user, application, connection, etc.) or shared between them. A priority can also be configured for the rule, which will determine which traffic gets processed first if there are multiple priorities of traffic in the queue. The highest priority traffic, defined by the lowest number, will always be processed first.

Traffic Shaping Policies Example

Here is an example showing a guarantee rule for a critical business application. In this example, the rule is created with an application policy association and set as type guarantee. Then the priority is set to 1, which is business critical.
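The limit/guarantee, individual/shared and priority semantics described above, as an added model written for this page. It is an illustration, not Sophos Firewall's scheduler; the link capacity, the two policies, the users and their demands are all constructed, and the VoIP policy mirrors the per-user guarantee rule of the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    rule_type: str                    # "limit" or "guarantee"
    priority: int                     # 1 = business critical; the lower the number, the sooner it is served
    guarantee_kbps: int = 0           # reserved bandwidth; only used when rule_type == "guarantee"
    limit_kbps: Optional[int] = None  # ceiling; None means no ceiling
    shared: bool = False              # False: per individual (user/app/connection); True: one shared pool


@dataclass
class Flow:
    ident: str                        # unique name of the individual flow, e.g. "alice-voip"
    policy: Optional[ShapingPolicy]   # None = traffic that no shaping policy applies to
    demand_kbps: int                  # what the flow would consume if unconstrained


def allocate(flows: list, link_kbps: int) -> dict:
    """Model of the shaper for one direction of a link; returns {flow.ident: kbps}.
    1) group flows into instances (one per individual, or one pool when shared);
    2) reserve guarantees in priority order, even at the expense of other traffic;
    3) hand out the leftover capacity in priority order up to each instance's limit;
    4) split each instance's share over its flows in proportion to their demand."""
    instances: dict = {}
    for f in flows:
        p = f.policy
        if p is None:                   # unshaped traffic: served last, no reservation, no ceiling
            key, prio, guar, cap = ("unshaped", f.ident), 99, 0, None
        else:
            key = (p.name,) if p.shared else (p.name, f.ident)
            prio = p.priority
            guar = p.guarantee_kbps if p.rule_type == "guarantee" else 0
            cap = p.limit_kbps
        inst = instances.setdefault(key, {"prio": prio, "guar": guar, "cap": cap, "flows": [], "alloc": 0})
        inst["flows"].append(f)
    for inst in instances.values():
        inst["demand"] = sum(f.demand_kbps for f in inst["flows"])
    order = sorted(instances.values(), key=lambda i: i["prio"])   # lowest number first
    remaining = link_kbps
    for inst in order:                  # guarantees come off the top
        give = min(inst["demand"], inst["guar"], remaining)
        inst["alloc"] += give
        remaining -= give
    for inst in order:                  # then best effort, capped by the instance's limit
        ceiling = inst["demand"] if inst["cap"] is None else min(inst["demand"], inst["cap"])
        give = max(0, min(ceiling - inst["alloc"], remaining))
        inst["alloc"] += give
        remaining -= give
    result = {}
    for inst in order:
        for f in inst["flows"]:
            result[f.ident] = inst["alloc"] * f.demand_kbps // inst["demand"] if inst["demand"] else 0
    return result


# Constructed policies: a per-user VoIP guarantee (priority 1, 500 kbps guaranteed, 1000 kbps cap)
# and a streaming limit of 2000 kbps (priority 6), either shared by all streamers or per user.
VOIP = ShapingPolicy("VoIP guarantee", "guarantee", priority=1, guarantee_kbps=500, limit_kbps=1000)


def scenario(link_kbps: int, streaming_shared: bool = True) -> dict:
    """Five constructed flows competing for one link."""
    streaming = ShapingPolicy("Streaming limit", "limit", priority=6, limit_kbps=2000,
                              shared=streaming_shared)
    flows = [
        Flow("alice-voip", VOIP, 800),
        Flow("bob-voip", VOIP, 400),
        Flow("carol-video", streaming, 3000),
        Flow("dave-video", streaming, 3000),
        Flow("erin-web", None, 9000),
    ]
    return allocate(flows, link_kbps)
```

On a congested 1000 kbps link the model leaves the two VoIP users with 600 and 400 kbps and everything else with nothing, which is the "even at the expense of other services" behaviour of a guarantee rule.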
We want to ensure that any traffic matching this rule is processed before almost all other traffic. Finally, we set our guarantee and limit numbers. As this is an individual rule, and not a shared rule, the bandwidth numbers are set to the minimum and maximum bandwidth needed per user of the application. This does require a good understanding of the application’s data needs. After saving the policy, it would need to be applied to the application or application group.

Applying Traffic Shaping

To enable application traffic shaping, select Apply application-based traffic shaping policy in the firewall rule where you have applied the application filter.

Simulation: Create an Application Traffic Shaping Policy

In this simulation you will configure and apply a traffic shaping policy for applications.
LAUNCH SIMULATION: https://training.sophos.com/fw/simulation/AppTrafficShaping/1/start.html

Chapter Review

Here are the three main things you learned in this chapter.
You can apply traffic shaping policies to categories of applications as well as individual applications. Traffic shaping policies applied to individual applications will take precedence over traffic shaping policies applied to the category.

Traffic shaping policies can be created to either limit the amount of bandwidth available to an application or guarantee bandwidth, even at the expense of other services.

The upload and download bandwidth can be controlled independently and can either be individual to the policy association (user, firewall rule, web category, application) or shared between them.

Introduction to Wireless Protection on Sophos Firewall

Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW5505: Introduction to Wireless Protection on Sophos Firewall
April 2022
Version: 19.0v1
Introduction to Wireless Protection on Sophos Firewall - 1

In this chapter you will learn the three modes of operation that can be used for wireless networks, the range of access points supported, and which appliances have built-in wireless.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Wireless network communication
✓ Sophos Firewall deployment options

DURATION 9 minutes

Wireless Overview

(Slide: a company laptop connected to the company wireless network and a guest laptop connected to the guest network through Sophos access points; internal computers and servers on the wired network; a further access point in a remote office connected through a RED; Sophos Firewall in front of the Internet.)

With Sophos Firewall you can deploy and manage wireless access points, giving you the same control and security features for wireless devices as for those that are physically connected to the network. Sophos access points can be used to broadcast multiple wireless networks to keep traffic separated, for example for corporate and guest networks. You are not limited to managing wireless networks in the local office; you can deploy access points in remote offices that are connected to the Sophos Firewall with a RED.

Client Traffic Modes: Bridge to AP LAN

Sophos Firewall supports three different modes of operation for wireless networks; let’s take a look at these client traffic modes, starting with Bridge to AP LAN.
The Bridge to AP LAN configuration is used when traffic needs to be routed to the network that the access point is directly connected to. With Bridge to AP LAN, the traffic is never sent to the Sophos Firewall by the access point; instead, it simply takes the traffic and drops it right onto the LAN that it is connected to. The Sophos Firewall is only used for management of the AP and to collect logging information from the access point.

Client Traffic Modes: Bridge to VLAN

(Slide: the access point sends tagged traffic for VLAN X and guest VLAN Z over a trunk port on a managed switch; management traffic to Sophos Firewall uses VLAN Y.)

Next is Bridge to VLAN. In a Bridge to VLAN configuration, wireless traffic is tagged by the access point, allowing upstream switches, or the Sophos Firewall, to identify that the traffic is associated with a specific VLAN. This allows the wireless network to extend that VLAN wirelessly. The access point must be connected to a trunk or hybrid port on the switch so that the VLAN tags can be read and the traffic routed correctly. Again, the Sophos Firewall still communicates with the access point for management and to collect logging, but it may not necessarily be involved in routing the traffic.

Please note that to broadcast a bridge to VLAN wireless network, the access point must be configured to use a VLAN for management traffic. The bridge to VLAN options only become available once you have set a VLAN for management.

Client Traffic Modes: Separate Zone

(Slide: wireless client traffic is carried to Sophos Firewall in a VXLAN tunnel; firewall rules then decide whether it may reach the local network (VLAN X) or the Internet, and block it otherwise.)

Lastly, we have the Separate Zone configuration.
Separate zone allows an administrator to segment the wireless traffic without using a VLAN, which is often very useful in smaller environments that may not use managed switches or have a complex network environment but still want to secure wireless traffic, for example for guest access. With a separate zone configuration, all traffic is fed into a VXLAN tunnel by a wireless interface on the Sophos Firewall. From there, the Sophos Firewall will treat it like any other traffic coming in through an interface. By default, the interface is called wlan<NUMBER>. This traffic must then be routed to any allowed networks, either internally or externally, and rules need to be created to allow this traffic.

When configuring a separate zone, you may also need to:
• Create a DHCP server for the wireless network on that interface
• Enable DNS for the zone
• Create firewall and NAT rules that include web protection, IPS policies, and any other security modules to protect the users

Access Point Models

APX series access points: APX 120, APX 320, APX 530, APX 740
Legacy AP series access points: AP 15, AP 55, AP 100, AP 100X
Legacy AP series access points are end of sale and are not supported on XGS series appliances.

Sophos Firewall supports Sophos’ APX series access points, which include support for 802.11ac Wave 2, as well as the legacy AP series access points. Please note that the AP series access points are now end of sale and are not supported on XGS series appliances.

Access Point Model Naming

(Slide: naming scheme, using APX 320 as the example: APX = next-gen access point; 3 = range or model series; 2 = MIMO capabilities, where 2 = 2x2, 3 = 3x3, 4 = 4x4; 0 = product generation.)

To help you understand the range of APX access points, let’s take a look at their naming scheme. The APX part of the model name is made up of AP for access point followed by the X. This denotes that this model is next-gen.
Any legacy models are referred to as the AP series. The first number in the naming sequence refers to the range or model series; in this example we use 3. The second number denotes the MIMO capabilities of the model; in this example this is 2, for 2x2. The last number is the product generation number; in this example this is 0. This gives you the full name of the model, in this example APX 320.

Access Point Models – APX Series

Model: APX 120 | APX 320 | APX 530 | APX 740
Deployment: Indoor; desktop, wall or ceiling mount (all four models)
Maximum throughput: 300 Mbps + 867 Mbps | 300 Mbps + 867 Mbps | 450 Mbps + 1.3 Gbps | 450 Mbps + 1.7 Gbps
Multiple SSIDs: 8 per radio (16 in total), all four models
LAN interfaces: 1x 12V DC-in, 1x RJ45 10/100/1000 Ethernet w/PoE | 1x RJ45 connector console serial port, 1x RJ45 10/100/1000 Ethernet w/PoE | 1x RJ45 connector console serial port, 1x RJ45 10/100/1000 Ethernet port, 1x RJ45 10/100/1000 Ethernet w/PoE | 1x RJ45 connector console serial port, 1x RJ45 10/100/1000 Ethernet port, 1x RJ45 10/100/1000 Ethernet w/PoE
Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2, all four models
Power over Ethernet: 802.3af | 802.3af | 802.3at | 802.3at
Number of radios: 1x 2.4 GHz single band, 1x 5 GHz single band | 1x 2.4 GHz/5 GHz dual-band, 1x 5 GHz single band, 1x Bluetooth low energy (BLE) | 1x 2.4 GHz single band, 1x 5 GHz single band, 1x Bluetooth low energy (BLE) | 1x 2.4 GHz single band, 1x 5 GHz single band, 1x Bluetooth low energy (BLE)
MIMO capabilities: 2x2 | 2x2 | 3x3 | 4x4

The APX series of access point models support the WLAN standard 802.11ac Wave 2.0, and all four models are optimized for both wall and ceiling mount and are for indoor use.
Please note that the outdoor APX 320X is not supported on Sophos Firewall and requires Sophos Central. The list above gives a more technical comparison of these models.

Deployment Guide
• Basic connectivity: approximately 1 to 15 clients per access point; small companies with a mix of mobile devices; APX 120
• Mixed browsing: approximately 7 to 25 clients (2.4 GHz), up to 30 (5 GHz); schools and small offices with unmanaged endpoints and mobile devices; APX 320
• High speed connectivity: approximately 7 to 25 clients; medium size offices with BYOD and corporate-owned (COD) mobile devices; APX 530
• Video conferencing / high speed connectivity: approximately 7 to 35+ clients; large offices and medium enterprise with managed endpoints; APX 740

Now that you know the available access point models, you need to determine which model is best for your environment. We will focus on the APX range. First, let's split the activities wireless is used for into the following categories:
• Basic connectivity
• Mixed browsing
• High speed connectivity
• Video conferencing

We can then assign an approximate number of clients to each category:
• Basic connectivity: between 1 and 15 clients per access point is the recommended use
• Mixed browsing: between 7 and 25 clients per access point, and up to 30 clients in dual 5 GHz
• High speed connectivity: between 7 and 25 clients per access point
• Video conferencing: 7 to 35+ clients per access point

Let's apply this to some example deployments.
• Small companies that require basic coverage using a mixture of mobile devices: basic connectivity is recommended
• Environments such as schools and small offices using entry level endpoints and unmanaged mobile devices: mixed browsing is recommended
• Medium size offices using a mixture of BYOD and corporate-owned mobile devices such as iPads: high speed connectivity is recommended
• Large offices and medium enterprise companies using managed endpoints made up of laptops and mobile devices: video conferencing/high speed is recommended

Built-In Wireless Deployment
• XGS 87w: retail/SOHO, desktop
• XGS 107w: small office, desktop
• XGS 116w: small office, desktop
• XGS 126w: small branch office, desktop
• XGS 136w: growing branch office, desktop
Common to all models: 8 SSIDs per radio; 802.11a/b/g/n/ac on 2.4 GHz/5 GHz; one radio, with a second Wi-Fi module available as an option on the larger models. MIMO capabilities: 2x2:2 on the XGS 87w, 107w and 116w; 3x3:3 on the XGS 126w and 136w.

In addition to the APX and AP access points, the desktop models of Sophos Firewall are available with a built-in wireless access point that has a single radio operating on either 2.4 GHz or 5 GHz. The built-in wireless differs from external access points in that it does not connect through a network interface; instead it appears as a local device. The coverage of the built-in wireless can be extended by connecting external Sophos access points to the network.

Chapter Review
Here are the main things you learned in this chapter.
• Sophos Firewall can manage wireless network traffic using three client traffic modes: bridge to AP LAN, bridge to VLAN, and separate zone.
• Sophos Firewall supports the APX series and legacy AP series access points.
• The desktop models of XGS have an internal wireless variant that includes a single radio.
• Larger desktop models include an option to add a second wireless radio module.

Deploying Wireless Protection on Sophos Firewall
Sophos Firewall FW5510: Deploying Wireless Protection on Sophos Firewall, April 2022, Version: 19.0v1

In this chapter you will learn how to deploy access points and configure wireless networks.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Modes of operation that can be used for Sophos Firewall wireless networks
✓ Supported access points
✓ Sophos Firewall appliances that have built-in wireless
DURATION 8 minutes

Wireless Networks
Wireless networks are the configuration that access points use to allow clients to connect. They define the security and authentication requirements for devices that want to access the network, as well as network parameters such as IP range and gateway.

Creating Wireless Networks
Wireless networks are configured in PROTECT > Wireless > Wireless networks. The main elements are:
• The SSID, the visible network name that devices connect to
• The security mode: No encryption, WEP Open, WPA Personal/Enterprise, or WPA2 Personal/Enterprise (recommended). We recommend WPA2, either with a passphrase (Personal) or with a RADIUS server authenticating users (Enterprise). Avoid No encryption and WEP: WEP is cryptographically broken, and neither option protects client traffic over the air.
• The client traffic mode: Bridge to AP LAN (the same network as the access point), Bridge to VLAN (a specific VLAN), or Separate Zone (directly back to the Sophos Firewall)

The separate zone configuration creates a wireless interface on the Sophos Firewall. The traffic for the wireless network is then tunneled back to that interface on the Sophos Firewall using VXLAN.
Advanced Settings
There are also several advanced settings that allow you to control options such as which bands the network is broadcast on, when the network is available, and whether clients can see each other on the network.

[Additional Information]
Fast BSS (Basic Service Set) Transition, 802.11r, allows the key negotiation and the request for wireless resources to happen concurrently, enabling fast and secure handoffs between access points so that wireless devices keep seamless connectivity as they move around. It is supported on WPA2 Personal and Enterprise networks only, and the clients must also support 802.11r. To enable Fast Transition, use the option in the advanced settings of the wireless network configuration. Access points announce support for both WPA-PSK/Enterprise and FT-PSK/Enterprise, so clients that are not capable of Fast Transition can still roam normally.

Access Point Discovery
Before we jump into deploying access points, it is useful to understand how the discovery process works:
1. When an access point is connected to the network, it needs a DHCP server to provide it with an IP address, DNS server and gateway.
2. The access point sends a discovery packet to 1.2.3.4, which we refer to as the magic IP. This is a valid Internet address, so the packet is routed to the default gateway.
3. If the Sophos Firewall is the default gateway, or on the route to the Internet, it intercepts and responds to the discovery packet, beginning the registration process.
DHCP can be used to override the magic IP if the Sophos Firewall is not the default gateway.
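The following is an added worked example for this page, not Sophos code and not the access point firmware. It models the discovery rule just described: the access point contacts the magic IP 1.2.3.4 unless its DHCP lease carried option 234 (0xEA, wireless-security-magic-ip, which the notes below document), and whichever target is chosen, the first packet goes to the default gateway unless the target is on the AP's own subnet. The DHCP option bytes, addresses and function names are constructed for the example.

```python
"""Where does a Sophos access point send its first control packet?

Added worked example; not Sophos code. The DHCP option bytes below are
constructed for the example, not captured traffic.
"""
import ipaddress

MAGIC_IP = "1.2.3.4"            # default discovery target
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_MAGIC_IP = 234              # 0xEA, wireless-security-magic-ip
OPT_END = 255
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options area (cookie + TLVs) into {code: raw value}.

    Skips padding, stops at the end option, and refuses truncated TLVs so a
    malformed offer cannot make the parser read past the buffer.
    """
    if not payload.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = len(DHCP_MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


def controller_target(options: dict) -> str:
    """IP the AP opens its control connection to: option 234 if present, else 1.2.3.4."""
    raw = options.get(OPT_MAGIC_IP)
    if raw is None:
        return MAGIC_IP
    if len(raw) != 4:
        raise ValueError("option 234 must carry exactly one IPv4 address")
    return str(ipaddress.IPv4Address(raw))


def first_hop(options: dict, ap_ip: str) -> str:
    """Where the first packet physically goes.

    1.2.3.4 (or an off-subnet override) is not on the AP's subnet, so it is
    handed to the default gateway from option 3. That is why the firewall
    must be the gateway, or in the path to the Internet, for default
    discovery to work.
    """
    target = ipaddress.IPv4Address(controller_target(options))
    mask = str(ipaddress.IPv4Address(options[OPT_SUBNET_MASK]))
    subnet = ipaddress.IPv4Network((ap_ip, mask), strict=False)
    if target in subnet:
        return str(target)
    return str(ipaddress.IPv4Address(options[OPT_ROUTER]))


def parameter_request_list(codes) -> bytes:
    """Option 55 as the AP's DHCPDISCOVER carries it, asking for code 234
    alongside the usual subnet mask and router."""
    return bytes([OPT_PARAM_REQUEST, len(codes)]) + bytes(codes)


def constructed_offer(override_ip=None) -> bytes:
    """Constructed DHCPOFFER options: a /24, gateway 192.168.10.1, plus
    option 234 when the DHCP server is told to point APs at a firewall
    that is not the gateway."""
    body = bytes([OPT_MSG_TYPE, 1, 2])                      # DHCPOFFER
    body += bytes([OPT_SUBNET_MASK, 4]) + ipaddress.IPv4Address("255.255.255.0").packed
    body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address("192.168.10.1").packed
    if override_ip:
        body += bytes([OPT_MAGIC_IP, 4]) + ipaddress.IPv4Address(override_ip).packed
    return DHCP_MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    ap = "192.168.10.77"
    for override in (None, "192.168.50.2", "192.168.10.5"):
        opts = parse_dhcp_options(constructed_offer(override))
        print("override=%s target=%s first_hop=%s"
              % (override, controller_target(opts), first_hop(opts, ap)))
```

Run as a script it prints the three cases: no override (target 1.2.3.4 via the gateway), an off-subnet override (still via the gateway, so the route to that firewall must exist), and an on-subnet override (reached directly). The parser deliberately rejects truncated TLVs rather than silently ignoring them, which is the behaviour you want from anything that consumes DHCP from an untrusted segment.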
If the Sophos Firewall is not the default gateway or on the route to the Internet, you need to configure a special DHCP option with the IP address of the Sophos Firewall so the access point can find it. There is additional information in the notes regarding this.

[Additional Information]
If the Sophos Firewall is not in the path to the Internet, for example it is not the default gateway for the network, a special DHCP option is required to select the target Sophos Firewall:

    { OPTION_IP , 0xEA }, /* wireless-security-magic-ip */

By default, the Sophos Firewall configures and passes this option if it is the DHCP server for the network. When a Sophos AP is connected to the network, it uses DHCP request broadcasts. Acting as a DHCP client, the AP includes a Parameter Request List in its DHCP Discover message that requests certain parameters from the DHCP server. If the DHCP server provides the special parameter, option code 234 (0xEA), wireless-security-magic-ip, that address is used as the IP address to connect to when starting the control connection. For more information see KB-000034799: https://support.sophos.com/support/s/article/KB-000034799

Deployment
1. Connect the access point to the network
2. Navigate to PROTECT > Wireless > Access points
3. Accept the pending access point
4. Assign wireless networks to broadcast

Once you have connected an access point to the network and the discovery process has taken place, navigate to PROTECT > Wireless > Access points in the WebAdmin. In the pending access points section you will see any access points that have been discovered. You need to accept an access point before it will be managed by the Sophos Firewall; acceptance is the step that keeps an unexpected device that goes through the discovery process from being managed, so check each pending entry against your inventory before accepting it. Please note that the access point may go offline after being accepted.
This is normal, as it may perform a firmware upgrade directly after being accepted in order to match the firmware of the firewall. This normally takes between 5 and 10 minutes.

Access Points
When working with built-in wireless on a Sophos Firewall, there is no need to accept the built-in access point. It is a local device that is always active when the wireless protection feature is enabled on the device. It is named LocalWifi0, and the name cannot be modified.

Broadcasting Wireless Networks
When you accept an access point you can select which wireless networks it will broadcast. Alternatively, you can assign the access point to an access point group and use the group to manage which wireless networks the member access points broadcast. Sophos access points can broadcast up to 8 wireless networks per radio. Almost all access point models have 2 radios and so can broadcast up to 16 networks. However, in most scenarios you will want to broadcast each wireless network on both 2.4 GHz and 5 GHz, so in practice you can use up to 8 networks per access point.

DNS and DHCP
Remember, for the Sophos Firewall to respond to DNS requests from devices connected to the wireless network, DNS must be enabled for the zone that network is in. This is done in SYSTEM > Administration > Device access. When creating a wireless network where there is no DHCP server, which is usually the case for guest networks or where you have used a separate zone configuration, you will most likely want to create a DHCP server on the Sophos Firewall.

Simulation: Deploying an Access Point
In this simulation you will deploy an access point on Sophos Firewall.
LAUNCH SIMULATION: https://training.sophos.com/fw/simulation/DeployAp/1/start.html

Chapter Review
Here are the main things you learned in this chapter.
• Access points send discovery packets to 1.2.3.4 which, as an Internet-routable address, are sent to the default gateway, assumed to be the Sophos Firewall. This can be overridden by DHCP if the Sophos Firewall is not the default gateway.
• Access points appear as pending in the WebAdmin until they are accepted by an administrator.
• Wireless networks define security and authentication requirements as well as network parameters.
• Wireless networks need to be assigned to access points before they are broadcast.

Creating Hotspots on Sophos Firewall
Sophos Firewall FW5530: Creating Hotspots on Sophos Firewall, April 2022, Version: 19.0v1
In this chapter you will learn the three types of hotspot that you can create on Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Deploying wireless networks on Sophos Firewall
DURATION 8 minutes

Types of Hotspot
Hotspots can provide a number of functions depending on how they are configured. There are three hotspot types:
• Terms of use acceptance, where users have to agree to a set of terms before getting access through the hotspot
• Password of the day, where users must enter a password that is generated daily
• Voucher, where each user has their own voucher for access, which can be used to limit access time or data allowance

Hotspots are accessed after the device is connected to the network and do not replace the security mode selected for wireless networks: on an open guest SSID, the hotspot controls who gets through the firewall but does nothing to protect client traffic over the air. Hotspots are deployed to interfaces on the Sophos Firewall, whether that is a physical port or the wireless interface of a separate zone. This means hotspots are not limited to wireless networks or Sophos access points. Until they are authenticated, users can only reach the hotspot itself and the resources defined in the walled garden hotspot settings. Once authenticated, network access is controlled by firewall rules.
Creating Hotspots
To configure a hotspot, start by selecting which interfaces it will apply to; this can be any interface that is not in the WAN zone. You can also select the policies to apply to traffic coming from the hotspot. You will see where these are used later.

When users access the hotspot using HTTP you can choose to redirect them to HTTPS, so that passwords and voucher codes are not sent in the clear. You then select the hotspot type, each of which has its own associated configuration. For voucher and password hotspots you need to select administrative users. These are the users that can manage the vouchers and password for the hotspot in the user portal; they do not have to be administrators on the firewall.

If you are using a password of the day or voucher hotspot you can still enable terms of use that must be accepted. You can optionally redirect users to a specific URL after they have authenticated with the hotspot, and you can customize the look of the hotspot.

Firewall and NAT
When you save the hotspot, a firewall rule and a linked NAT rule are created. The policies you selected when creating the hotspot are applied in the firewall rule.

Voucher Definitions
For voucher-based hotspots you can define different vouchers. All vouchers must have a validity period, and can also include time and data quotas.

Creating Vouchers
Vouchers are created for hotspots in the user portal by the administrative users selected in the hotspot configuration.
To generate vouchers, select the hotspot, the voucher definition, and the number of vouchers to create. You can optionally print the vouchers with a QR code; this generates a PDF you can print. Once vouchers have been created you can view and manage them at the bottom of the page.

Managing Passwords
Similarly, when using a password of the day, the password is managed through the user portal by the selected administrative users. Here you can view the current password for a hotspot and generate a new one.

Hotspot Settings
There are some hotspot-specific settings where you can:
• Delete expired vouchers from the database after a given time period
• Select a certificate for the hotspot to use for authentication, the certificate presented when users are redirected to HTTPS

Further down on the hotspot settings page you can configure a walled garden. This is the set of resources that devices can access without authenticating to the hotspot; keep it to what the sign-in flow genuinely needs, since anything listed here is reachable by unauthenticated clients. At the bottom of the page you can download sign-in page templates and voucher templates and change them to suit your branding and security requirements. For the voucher template, PDF version 1.5 and later is supported.

Chapter Review
Here are the main things you learned in this chapter.
• There are three types of hotspot: terms of acceptance, voucher, and password of the day.
• Terms can optionally be enabled for voucher and password hotspots.
• Voucher-based hotspots require voucher definitions that specify the validity period and can optionally also have time and data quotas.
• Vouchers and passwords can be managed in the user portal by the administrative users selected in the hotspot configuration.

Managing Logs and Notifications on Sophos Firewall
Sophos Firewall FW8015: Managing Logs and Notifications on Sophos Firewall, April 2022, Version: 19.0v1
In this chapter you will learn how to configure logs and notifications, and how to access logs on Sophos Firewall.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing Sophos Firewall using the WebAdmin
DURATION 7 minutes

Logging
Sophos Firewall provides access to real-time logs in the WebAdmin through the log viewer, so you can easily monitor the impact of changes and troubleshoot issues. Log data can also be sent to up to 5 external syslog servers, and there is granular control over which events are logged.

Log Viewer
Available at the top right of every page, the Log viewer link opens a new window with the live log view for Sophos Firewall. In the default column view the log viewer displays a single log, and you can use the drop-down menu to select which log is displayed. You can customize which columns are displayed, selecting up to 20, with time, log component and action being mandatory.

You can apply structured filters to the logs and perform free text searches; in both cases the matching terms are highlighted. At any time you can export the data to a CSV file. By hovering your mouse over a log entry you can see more detailed information.
By clicking on data in the logs you get context-sensitive actions. You will always have the option to filter using the data, either as a structured filter or a free text search, and in many cases you can also edit rules and policies or create new configuration. The example here includes the option to create an objectionable custom URL category containing this data, because the request was allowed. If it had been blocked, the option would have been to create an acceptable custom URL category.

You can switch to the detailed unified log view using the buttons at the top. This view has the same searching and filtering options as the standard view but can aggregate the logs from multiple modules. By default, when you switch to this view all the logs are shown; use the drop-down menu to select which modules to view. When you click the links for firewall rules and policies, the parent WebAdmin window automatically navigates to that location, making it quicker to review the relevant configuration for a log entry.

Syslog
Syslog servers are configured in CONFIGURE > System services > Log settings. In addition to the local real-time logs, Sophos Firewall can send logs to up to 5 external syslog servers, usually on UDP port 514, although the port can be customized. Plain UDP syslog is neither acknowledged nor encrypted, so the path to the syslog server should be a trusted network. In the syslog server configuration you select the syslog facility that the firewall's messages are tagged with; the receiving server uses the facility to route and store them:
• DAEMON, the facility for system daemons, used for messages from services running on the firewall
• KERNEL, the kernel log facility
• LOCAL0 to LOCAL7, the eight locally defined facilities, useful when you want the receiving server to file the firewall's logs separately from other sources
• USER, the generic user-level message facility
You also select the minimum severity of the events you want to log.
The firewall logs all events at the selected severity and above, so if you select CRITICAL it also logs ALERT and EMERGENCY events. There are two logging formats:
• Central Reporting Format, a standard syslog format, which is used when logging to Sophos Central
• Device Standard Format, a proprietary format, which is used when logging to iView

Log Configuration
You can enable and disable specific event types within each module, or the entire module, and this can be done independently for local logging, Sophos Central and each syslog server.

Firewall Log Suppression
Repeated entries in the firewall log can be suppressed to make the log less noisy and easier to read. Only consecutive, identical events are suppressed, and firewall log entries have a field showing how many occurrences of that entry there have been. The count stands in for the individual records, so keep this in mind when the log is used as evidence.

Retrieving Log Files
There may be times when files need to be copied to or from the Sophos Firewall, for example to copy log files off the device in order to retain them for an extended period. You can do this from the advanced shell using either ftpput or scp:

    ftpput -u <username> -p <password> <host IP> <remote file name> <local file name>
    scp <local file name> <username>@<host>:/path/to/remote/file

Prefer scp: FTP sends both the credentials and the log data in the clear.
[Additional Information]
To use FTP, use the following commands in the advanced shell:
• Get file: ftpget -u <username> -p <password> <host IP> <local file name> <remote file name>
• Put file: ftpput -u <username> -p <password> <host IP> <remote file name> <local file name>
To use SCP, use the following command in the advanced shell:
• scp <local file name> <username>@<host>:/path/to/remote/file

Notifications
Sophos Firewall can send notifications by email, SNMP or both. There are two steps to configuring this:
1. Configure the notification method, email or SNMP
2. Select which notifications you want to send via email and SNMP

Email (SYSTEM > Administration > Notification settings)
• Configure email server settings
• Set email addresses
• Select the management interface address
SNMP (SYSTEM > Administration > SNMP)
• Enable the SNMP agent
• Create SNMPv3 users and traps
• Create SNMPv1 and v2c communities and traps
Notification list (CONFIGURE > System services > Notification list)
• Enable and disable email and SNMP notifications globally
• Select which notifications to send for email and SNMP

Email
During the initial setup you configure some basic settings for email alerts so that you receive notifications for new firmware and when the status of gateways changes. You can further modify the email settings in SYSTEM > Administration > Notification settings, including an optional email server to use for sending notifications and the interface that administrators receiving the notifications will use to access the Sophos Firewall.

SNMP
SNMP is configured in SYSTEM > Administration > SNMP. Here you enable and configure the SNMP agent on Sophos Firewall and create SNMPv3 users and traps, and communities and traps for SNMPv1 and v2c. Prefer SNMPv3 with authentication and privacy: v1 and v2c community strings travel in plaintext and are the only credential.
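Returning to the syslog facility and severity selection described above, here is an added worked example of the rule "the chosen level and everything more severe" applied on the receiving side. It is not Sophos code and does not reproduce the firewall's own log formats: it decodes the standard syslog PRI header (facility * 8 + severity, RFC 5424, lower severity numbers being more severe), filters constructed sample lines by facility and threshold, and counts lines per severity so you can see what a given threshold would keep. The severity names are the RFC 5424 keywords, and the sample lines are constructed for the example.

```python
"""Filter syslog lines by facility and minimum severity.

Added worked example; not Sophos code. Sample lines are constructed.
"""
import re
from collections import Counter

# RFC 5424 severity keywords; 0 is most severe.
SEVERITY = {"EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
            "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7}
# Facility numbers the firewall's syslog page lets you choose from.
FACILITY = {0: "KERNEL", 1: "USER", 3: "DAEMON"}
FACILITY.update({16 + n: "LOCAL%d" % n for n in range(8)})

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(line: str):
    """Return (facility name, severity number, remainder) for one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITY.get(facility, "FACILITY%d" % facility), severity, m.group(2)


def selected(line: str, facility: str, minimum: str) -> bool:
    """True if the line carries the chosen facility and is at the chosen
    severity or more severe, the same rule the firewall applies when it
    decides which events to forward."""
    fac, sev, _ = decode_pri(line)
    return fac == facility and sev <= SEVERITY[minimum]


def filter_lines(lines, facility: str, minimum: str):
    return [line for line in lines if selected(line, facility, minimum)]


def severity_histogram(lines) -> Counter:
    """Lines per severity number, useful when choosing a threshold that
    keeps what matters without flooding the syslog server."""
    return Counter(decode_pri(line)[1] for line in lines)


# Constructed sample lines. DAEMON is facility 3, so its PRI values are 24..31;
# KERNEL is facility 0 and LOCAL0 is facility 16 (PRI 128..135).
SAMPLE_LINES = [
    "<24>Apr 12 10:00:01 sfw01 constructed: daemon emergency",
    "<26>Apr 12 10:00:02 sfw01 constructed: daemon critical",
    "<27>Apr 12 10:00:03 sfw01 constructed: daemon error",
    "<30>Apr 12 10:00:04 sfw01 constructed: daemon informational",
    "<3>Apr 12 10:00:05 sfw01 constructed: kernel error",
    "<133>Apr 12 10:00:06 sfw01 constructed: local0 notice",
]

if __name__ == "__main__":
    print("DAEMON at CRITICAL and above:")
    for line in filter_lines(SAMPLE_LINES, "DAEMON", "CRITICAL"):
        print("  " + line)
    print("severity histogram:", dict(severity_histogram(SAMPLE_LINES)))
```

With the sample lines, selecting DAEMON at CRITICAL keeps the emergency and critical lines only; dropping the threshold to ERROR adds the error line. Lines from other facilities are ignored regardless of severity, which is why the facility you pick on the firewall has to match what the receiving server expects.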
Notification list
Once email and SNMP are configured, go to CONFIGURE > System services > Notification list. Here you can globally enable and disable notifications for email and SNMP, and separately control which notifications are sent via each channel.

Chapter Review
Here are the main things you learned in this chapter.
• Access the log viewer using the link in the top right of every page of the WebAdmin. Here you can select which logs to view, filter the logs, customize the columns, and click on fields to access and modify policies.
• You can select which events Sophos Firewall logs, and optionally suppress identical consecutive firewall events.
• Sophos Firewall supports up to five external syslog servers to tie into your existing reporting systems.
• You can enable email and SNMP notifications from Sophos Firewall, and select which events to send independently for each protocol.
Running and Customizing Reports on Sophos Firewall
Sophos Firewall FW8005: Running and Customizing Reports on Sophos Firewall, April 2022, Version: 19.0v1

In this chapter you will learn to run, customize, and schedule reports.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
We recommend that you have the knowledge up to and including the previous modules.
DURATION 7 minutes
Reporting

Built-in Reporting
• Preconfigured dashboards for traffic, security, executive reports and user threat quotient (UTQ)
• Preconfigured and custom reports
• Compliance-focused reports for common standards including HIPAA and PCI
• Export or schedule reports to be sent via email

Central Firewall Reporting
• Last 7 days of data available in Sophos Central
• Access to reports and logs

Sophos Firewall has built-in reporting, which provides a comprehensive view of what is happening on your network. There are preconfigured dashboards and reports that you can refine and drill down into to get the exact information you are looking for. Reports can also be exported or scheduled to be sent via email. In addition to the built-in reporting, Sophos Firewall can send report and log data to Sophos Central. Please note that built-in reporting is not available on the XG86 and XG86w models.

Reports
Here you can see an example report that has a filter applied. Filters can be quickly added by clicking on the fields of the charts, and you can add multiple filters to build the report you need.

Bookmarks
Once you have the report showing the data you want, you can create a bookmark to save the report so you can quickly access it again in the future. When you add the bookmark, you can select a bookmark group; these are used to organize and access bookmarks. Once the first bookmark has been created, a new tab called Bookmarks is added. By clicking the Bookmarks tab, you can see all your bookmarked reports.
Application Risk Meter
• Risk factor based on analysis of traffic
• Displayed on all application reports

Sophos Firewall has a couple of powerful reporting tools to help you identify risky applications and users. In the Applications & web reports tab, in the User app risks & usage reports, you will see the application risk meter, which provides a risk assessment based on an analysis of traffic flowing through the network. The score can indicate whether you need to tighten your security or investigate the actions of users. The risk meter ranges from 1 (lowest risk) to 5 (highest risk).

User Threat Quotient
• Identify risky or malicious users
• Based on web usage

Sophos Firewall also calculates a metric called User Threat Quotient (UTQ). The UTQ is based on a user's web usage data and is intended to help you quickly identify users who are risky or malicious, or who perform naïve actions such as responding to spear phishing attempts. This can minimize the effort required to identify users who need to be educated on how to work securely, and provides clear visibility into the risks posed by your organization's users.

Compliance Reports
Regulatory compliance has become a priority for many organizations, normally requiring considerable effort, time and cost to retrieve and store logs and reports from multiple devices. Correlating the vast number of logs and reports to complete the compliance picture is a complicated and time-consuming task. Sophos Firewall reporting is compliance-ready, making it easy for you to view and manage compliance-based reports.
It provides reports based on criteria for compliance standards such as:
• HIPAA (Health Insurance Portability and Accountability Act)
• GLBA (Gramm-Leach-Bliley Act)
• SOX (Sarbanes-Oxley)
• PCI (Payment Card Industry)
• FISMA (Federal Information Security Management Act)
• And several more

Custom Reports
On the Custom tab you can configure customized reports for web, email, FTP, users and web servers. Depending on which report you select, you can change options including the report type, the fields to search, and the specific data to search for. You may want to use this additional control to further investigate the actions of a user identified as risky by the UTQ.

Report Scheduling
In the report settings section you can control various options, including scheduling reports, data retention and managing your bookmarks. Report settings are accessed using the button in the top-right above the tabs in the Reports section; this toggles between report settings and reports. You can schedule reports to be sent via email for any of the included reports, or for any bookmarks that you create. Please note that emailed reports contain a maximum of 50 records.

Data Management
Over time Sophos Firewall will store a lot of data, so it is important to configure the retention period so that old data is purged. If your device is running low on disk space, it is also possible to perform a manual purge from specific report modules, or from all report modules, for a specific date period. This is done in Reports > Report settings > Manual purge.

Simulation: Run and Filter a Report
In this simulation you will run a report and filter it to customize the view. You will then create a bookmark for the report and schedule an executive report to be sent by email.
Simulation: https://training.sophos.com/fw/simulation/RunReports/1/start.html

Zero-Day Protection Reports
Threat intelligence reports for files that have been referred to zero-day protection are accessed from MONITOR & ANALYZE > Zero-day protection > Downloads and attachments. Here you can check the status of files that are being checked by Sandstorm, manually release a file, or view the detailed report. Sandstorm activity is grouped by file. You can expand a file to see the events related to it, including the user, IP address and source, which can be a website or an email. An example report can be viewed at https://training.sophos.com/fw/activity/ThreatReport/1/ThreatReport.html

Chapter Review
Here are the main things you learned in this chapter.
• Sophos Firewall includes many built-in reports, including for compliance. You can quickly filter these reports by selecting fields in the charts. Once you have customized the report you can create a bookmark, and optionally schedule it to be sent via email.
• Sophos Firewall includes metrics such as the application risk meter and user threat quotient (UTQ) to help you identify risks on the network.
• Threat intelligence reports for files that have been referred to zero-day protection are accessed from MONITOR & ANALYZE > Zero-day protection > Downloads and attachments.

Managing Sophos Firewall in Sophos Central
Sophos Firewall FW8505: Managing Sophos Firewall in Sophos Central, April 2022, Version: 19.0v1

In this chapter you will learn how to manage Sophos Firewalls in Sophos Central, including creating and managing groups, VPN orchestration, and managing backups and firmware updates.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing Sophos Firewall using the WebAdmin
✓ Using Sophos Central as a cloud management solution

DURATION 10 minutes

Central Firewall Management Overview
• Remotely access the WebAdmin of managed Sophos Firewalls
• Manage the configuration of groups of Sophos Firewalls
• No additional license required for basic management

You can enable management of Sophos Firewall in Sophos Central. This allows you to access the WebAdmin from anywhere without needing to enable access from external networks. If you have multiple Sophos Firewalls, you can also create groups and centrally manage their configuration. This functionality is included with your Sophos Firewall, so no additional Sophos Central license is required.

Enabling Central Management on Sophos Firewall (SYSTEM > Sophos Central)
To start managing a Sophos Firewall in Sophos Central, the Sophos Firewall needs to be registered with Sophos Central and the option Manage from Sophos Central must be enabled in Sophos Central services. This can be found in SYSTEM > Sophos Central.

Accepting Management in Central (Firewall Management > MANAGE > Firewalls)
Once you have enabled Central management on Sophos Firewall, you need to log in to Sophos Central and accept the management services in Firewall Management > MANAGE > Firewalls.

Managing a Single Firewall
You can now add a label to the Sophos Firewall to help you identify it and manage your firewall.
By selecting Manage Firewall you are logged into the WebAdmin of the Sophos Firewall as the admin user. This provides real-time access to the WebAdmin from anywhere without having to enable access on the WAN zone. The only way you can tell it is not the local WebAdmin is the URL and the option to go back to firewall management in Sophos Central.

Firewall Groups
Firewalls can also be grouped to simplify management. Here you can see a firewall that has not yet been added to a group in the 'Ungrouped' section, and a firewall in the 'UK Firewalls' group.

Creating Groups
Sophos Firewalls are not assigned to a group by default, so you can either edit an existing group to add them or create a new group. When you create a new firewall group in Sophos Central, you can choose to import an existing configuration from a managed firewall or use the Sophos default configuration for that group.

Centrally Managed Sophos Firewall
Once a Sophos Firewall has been added to a group and synchronized, a banner message is displayed warning you that local changes to the configuration may result in a conflict.

Managing Group Policies
To manage the configuration, select Manage Policy from the menu for the group. You can create and configure a group before you start adding Sophos Firewalls to it. The configuration looks the same as in the WebAdmin.
When creating new firewall rules, note that local rules on the Sophos Firewall are only overwritten when a rule with the same name is created in Sophos Central. Rules created locally on the Sophos Firewall do not appear here and are not managed or removed, so take care that a centrally created rule does not unintentionally share a name with a local one.

Dynamic Objects
You can create dynamic objects in Central Firewall Management to make it possible to create configurations that work across devices where there is variation in how they are set up. You can create dynamic objects for zones and interfaces. In the example here, we are creating a dynamic zone called Development. By default this maps to a zone called Development, but this is overridden for lon-gw1.sophos.www, where it maps to a zone called Dev. Here is an example where the dynamic zone object is being used in a firewall rule in Central Firewall Management. By clicking Usage References, you can see which groups are using the dynamic object, and where in the policy configuration.

VPN Orchestration
(Diagram: Sophos Central pushes configuration to each Sophos Firewall; the VPN connection is established between the firewalls.)
• Firewalls require a license with Central Orchestration
• Firewalls must be v18.5 MR1 or later
• You need at least two firewalls
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups

You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection groups. Before you create your connection groups, you need to know the following:
• You must choose firewalls with a Central Orchestration license that are running Sophos Firewall 18.5 MR1 or later.
• To create a connection group, you need to choose at least two firewalls.
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups.

SD-WAN Connection Groups (1/7)
Creating an SD-WAN connection group involves broadly three steps:
• Select the firewalls
• Define the resources that should be accessible over the VPNs
• Select the local networks that will take part in the VPN orchestration
To get started creating a new connection group, enter a name for the group and select the firewalls you want to use. You need to select at least two firewalls.

SD-WAN Connection Groups (2/7)
Next, you add your resources. You can add multiple resources, and you can also edit any resources that you added earlier. For each resource you want to add:
• Select the firewall with the resource that you want to share across the group
• Enter the IP address or network range of the resource you want to share
• Choose the service type and ports. Resources can be TCP, UDP, IP, or ICMP

SD-WAN Connection Groups (3/7)
You can optionally turn on 'Automatically create firewall rules'. When you do this, there are additional options that allow you to limit access to authenticated users and to enable and configure Synchronized Security.

SD-WAN Connection Groups (4/7)
For each of the firewalls in the group, you need to select the local networks that will be allowed to access the shared resources in the group. If there are any conflicts they will be highlighted on this page and must be resolved before you can proceed.

SD-WAN Connection Groups (5/7)
To resolve issues, you can enable or disable subnets, attach NAT addresses to existing subnets, and attach custom networks to the firewall. You can also:
• Choose a WAN link
• Choose a backup gateway
• Change the XFRM interface IP addresses
• Override a gateway address
For example, you can fix a name conflict by renaming, fix a subnet conflict by choosing NAT, or override the gateway address to fix a conflict.

SD-WAN Connection Groups (6/7)
Here you can see that the SD-WAN connection group has been created and the firewalls configured.

SD-WAN Connection Groups (7/7)
If you log in to one of the firewalls you can see the VPN connection that has been created.

Task Queue
When you make a change to the configuration, a new task is created, and you can see which Sophos Firewalls it is being applied to and track its progress. By clicking on the status link for a gateway you can see the JSON for the configuration changes that are being made on the firewall.

Schedule Firmware
Firmware updates can be applied to groups of firewalls. All firewalls in the group that need a firmware update are displayed in the list, and you can select the ones to be updated. Updates can either be applied immediately or based on a schedule.

Backups
You can schedule firewalls to save backups to Sophos Central daily, weekly, or monthly. Note that backups take place at 8am. You also need to add the firewalls you want the backup schedule to apply to. Sophos Central stores the five most recent backups for each device. If you want to keep one backup permanently, you can pin it. You can only have one pinned backup per device, and if there is already a pinned backup it will be replaced. You can also manually start a backup for the selected firewall immediately by clicking Generate Backup.
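The subnet and name conflicts that the SD-WAN connection group wizard highlights (steps 4 and 5 above) are cheap to find before you start clicking through the wizard. The following Python is an added example, not code from the Sophos course or from Sophos Central: given a constructed inventory of each firewall's local networks, it reports every pair of overlapping networks on different firewalls, every network name that means different ranges on different firewalls, and proposes a non-overlapping NAT address of the same size from a pool for each overlapping site, which is the "attach NAT addresses to existing subnets" fix. What Sophos Central itself checks, the inventory, and the 100.64.0.0/16 pool are all assumptions made for the example.

```python
"""Pre-check local networks before creating an SD-WAN connection group.

Added example, not code from the Sophos course or from Sophos Central.
It assumes you have listed, per firewall, the local networks you intend to
select in the group, and it treats two overlapping networks on different
firewalls as a subnet conflict and one network name defined with different
ranges on different firewalls as a name conflict. The site inventory and
the NAT pool are constructed for illustration.
"""
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed inventory: firewall label -> {network name: CIDR}.
SITES: Dict[str, Dict[str, str]] = {
    "lon-gw1": {"LAN": "10.1.20.0/24", "Servers": "10.1.30.0/24"},
    "man-gw1": {"LAN": "10.1.20.0/24", "Guests": "172.16.5.0/24"},
    "edi-gw1": {"Servers": "10.1.30.128/25", "LAN": "192.168.10.0/24"},
}

# (firewall_a, network_a, firewall_b, network_b)
Conflict = Tuple[str, str, str, str]


def find_subnet_conflicts(sites: Dict[str, Dict[str, str]]) -> List[Conflict]:
    """Every pair of networks on different firewalls that overlap. Both
    would be advertised across the same VPN mesh, so traffic could not be
    routed to the right site."""
    parsed = [(fw, name, ip_network(cidr))
              for fw, nets in sites.items() for name, cidr in nets.items()]
    conflicts: List[Conflict] = []
    for i, (fw_a, name_a, net_a) in enumerate(parsed):
        for fw_b, name_b, net_b in parsed[i + 1:]:
            if fw_a != fw_b and net_a.overlaps(net_b):
                conflicts.append((fw_a, name_a, fw_b, name_b))
    return conflicts


def find_name_conflicts(sites: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Network names that mean different ranges on different firewalls;
    the fix is to rename one of them."""
    by_name: Dict[str, Dict[str, str]] = {}
    for fw, nets in sites.items():
        for name, cidr in nets.items():
            by_name.setdefault(name, {})[fw] = cidr
    return {name: sorted(fws) for name, fws in by_name.items()
            if len(set(fws.values())) > 1}


def propose_nat(conflicts: List[Conflict], sites: Dict[str, Dict[str, str]],
                pool: str = "100.64.0.0/16") -> Dict[Tuple[str, str], str]:
    """For the second firewall of each overlapping pair, pick an unused
    block of the same size from the NAT pool. Attaching that address to
    the existing subnet lets the site take part without renumbering.
    Assumes the pool is otherwise unused in the organisation."""
    pool_net = ip_network(pool)
    used = [ip_network(c) for nets in sites.values() for c in nets.values()]
    plan: Dict[Tuple[str, str], str] = {}
    for _, _, fw_b, name_b in conflicts:
        key = (fw_b, name_b)
        if key in plan:
            continue  # already given a NAT address by an earlier pair
        real = ip_network(sites[fw_b][name_b])
        for candidate in pool_net.subnets(new_prefix=real.prefixlen):
            if not any(candidate.overlaps(u) for u in used):
                plan[key] = str(candidate)
                used.append(candidate)
                break
        else:
            raise ValueError(f"NAT pool {pool} exhausted for {key}")
    return plan


if __name__ == "__main__":
    conflicts = find_subnet_conflicts(SITES)
    for fw_a, net_a, fw_b, net_b in conflicts:
        print(f"subnet conflict: {fw_a}/{net_a} overlaps {fw_b}/{net_b}")
    for name, fws in find_name_conflicts(SITES).items():
        print(f"name conflict: '{name}' differs across {', '.join(fws)}")
    for (fw, name), nat in propose_nat(conflicts, SITES).items():
        print(f"attach NAT {nat} to {fw}/{name}")
```

Note that overlap, not equality, is the test: the /25 at edi-gw1 sits inside the /24 at lon-gw1 and would be just as unroutable across the mesh as an identical range. The NAT proposal records every block it hands out in the same used list as the real networks, so two conflicting sites never receive overlapping translations either.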
Simulation: Manage Sophos Firewall in Sophos Central
In this simulation you will add a Sophos Firewall to Sophos Central, assign it to a group, and push configuration changes to the firewall, including using VPN orchestration.
https://training.sophos.com/fw/simulation/CentralManagement/1/start.html

Zero-Touch Deployment
• Create Configuration: use the setup wizard in Sophos Central
• Send Configuration: optionally, email the configuration to another location
• Create USB: copy the configuration to a USB drive
• Boot Sophos with USB: plug the USB drive into the Sophos Firewall and start it up

Zero-touch deployment enables even a non-technical person to connect and configure a remote Sophos Firewall and get it connected into Sophos Central. An administrator can add the new firewall in Central and step through the initial setup wizard before the Sophos device is installed. They can then download the configuration or email it to another location, so it can be copied to a USB stick. The stick is then plugged into the Sophos Firewall device when it is first powered on, setting its initial configuration, after which it can be fully managed from Sophos Central. For power users, the config file can be edited and customized further. Zero-touch configuration files can only be created for unregistered hardware serial numbers.
Chapter Review
Here are the three main things you learned in this chapter.
• All licenses include Central Management for Sophos Firewall, including real-time remote access to the WebAdmin, scheduling of firmware updates and backups, and firewall configuration management using groups.
• You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection groups. This requires Central Orchestration as part of the license.
• Zero-touch deployment enables even a non-technical person to connect and configure a remote Sophos Firewall and get it connected into Sophos Central. Zero-touch configuration files can only be created for unregistered hardware serial numbers.

Firewall Reporting in Sophos Central
Sophos Firewall FW8510: Firewall Reporting in Sophos Central, April 2022, Version: 19.0v1

In this chapter you will learn how to enable Sophos Firewall reporting in Sophos Central, and how to run reports.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing Sophos Firewall using the WebAdmin
✓ Using Sophos Central as a cloud management solution

DURATION 6 minutes

Central Firewall Reporting Overview
• Dashboards and reports available in Central
• View and filter logs from the Sophos Firewall
• Last 7 days of data available in Central
• Central Firewall Reporting Advanced license for more storage and features

Central Firewall Reporting provides access to dashboards and reports in Sophos Central for each of your Sophos Firewalls. You can also view and filter logs. The last 7 days of data is available in Sophos Central, updated on a first in, first out (FIFO) basis, which means the oldest data is always replaced with the most current data. You can increase the amount of reporting data that can be stored, and for how long, using Central Firewall Reporting Advanced licenses. These licenses also unlock additional reporting features. We will start by looking at the free firewall reporting.
Enabling Central Firewall Reporting (SYSTEM > Sophos Central)
To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos Central and the option Send logs and reports to Sophos Central must be enabled in Sophos Central services. This can be found in SYSTEM > Sophos Central. Once enabled, data should start appearing in Sophos Central within around 10 to 15 minutes.

Managing Central Firewall Reporting
Enabling Central reporting creates a syslog server for uploading the data to Central in CONFIGURE > System services > Log settings. Here you can also customize the data that is uploaded to Central in the Log settings section.

Report Hub
In the Report Hub, you first need to select the firewall, either by label or by serial number if you have not added a label. Firewalls are organized into groups. You can click on the summary buttons in each section and the information below is updated to show more detail. Where available, a View Report link is also displayed to take you directly to the full report.

Report Generator
In the Report Generator you can access and customize the prebuilt reports. By clicking on the data in the chart or the links in the table below, you can apply filters to the report. You can also manually enter filters: when you click in the 'Query' field you will see the fields that you can filter on.
You can customize the graphs in each report by selecting the type of chart (bar, horizontal bar, pie, line, or stacked area) and the fields that you want displayed. You can also select which columns you want to appear in the table.

Logs
In the 'Log Viewer & Search' report you will see the logs from the Sophos Firewall. Just as for the reports, you can click on the links to add filters, or add them manually. In the top-right you can select which columns are shown and switch between the column view and the log view.

Central Firewall Reporting (CFR) Advanced
To unlock more features in Central Firewall Reporting, you can add a CFR Advanced license to your Central account. Once applied it appears on the licensing page, which can be opened from the admin menu in the top-right. To get started with the new features, you first need to assign the licenses to the firewalls: click Manage next to the Central Firewall Reporting license. Licenses provide 100 GB of storage each. Use the plus and minus buttons next to each device to apply the licenses, then click Save.
Central Firewall Reporting Advanced enhancements: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/new-enhancements-to-central-firewall-reporting
Once you have applied licenses to a device, you have additional options to manage the license, including associating it with a replacement device, reclaiming the license, and deleting the data. With CFR Advanced licenses you can report on multiple firewalls in a single report; you can do this from the group's menu, or by selecting multiple firewalls that have CFR Advanced licenses directly on the Report Hub and Report Generator pages. Firewalls that do not have CFR Advanced licenses can only be selected for reporting on their own.

CFR Advanced licenses also unlock the ability to create report templates, and optionally configure automatic scheduled exports as PDF, CSV or HTML. The exports can be sent via email notification, either as a link or as an attachment. In the Report Generator you will notice that the Saved Templates, Scheduled Exports and Queue tabs are unlocked. From the Saved Templates tab you can edit the settings of your template and launch it. The Scheduled Exports tab stores your exported reports and makes them available for download for 90 days. The Queue tab is for reports that take a long time to generate.

Simulation: Central Firewall Reporting
In this simulation you will run reports for Sophos Firewall in Sophos Central.
https://training.sophos.com/fw/simulation/CentralReporting/1/start.html
Chapter Review
Here are the main things you learned in this chapter.
• Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos Central. You can filter logs and reports from Sophos Firewall and create customized reports.
• To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos Central and the option 'Send logs and reports to Sophos Central' must be enabled. You can customize the data that is uploaded in the log settings.
• Each CFR Advanced license includes 100 GB of data storage, and enables reporting on multiple firewalls, saving templates, and scheduling reports.

How To Find Help from Sophos
Sophos Firewall FW9915: How to Find Help from Sophos, April 2022, Version: 19.0v1

Once you have completed this chapter, you will be able to find help for your Sophos products, and you will understand how you can keep up with the latest news and alerts from Sophos.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
There is no recommended knowledge or experience prior to completing this chapter.

DURATION 8 minutes

How to Find Help (sophos.com/support)
Should you need support for an issue, navigate to sophos.com/support to access documentation, downloads, training and support packages. The overview page gives you quick access to the support portal, to chat with our support agents, or to engage with Sophos via Twitter. Clicking Go to Support Portal redirects you to the support portal. There are four primary places where you can find additional information and support for Sophos products.

Documentation (https://www.sophos.com/support/documentation)
Documentation, including product user guides, release notes, pocket guides, and other useful information.
Knowledge Base Articles
https://support.sophos.com
Knowledge base, for technical documents on specific configurations and issues.

Sophos Community
https://community.sophos.com
Sophos Community. You can reach our dedicated community staff for help, as well as participate in discussions and receive assistance. This is a forum that allows you to raise questions, share knowledge and discuss your experiences with our products.

[Additional Information]
Twitter Support: https://twitter.com/sophossupport
Reddit: https://www.reddit.com/r/sophos/
Spiceworks: https://community.spiceworks.com/security/sophos

SophosLabs
https://sophos.com/labs
Provides the latest information about security threats. SophosLabs provides an inside look into our reports, real-time data and our threat reports.

Threat Information
https://sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware.aspx
SophosLabs keeps a library of all known threats. You can search for a threat and view important information such as a threat’s characteristics or how it spreads. The threat library also includes suggested instructions on how to remove a threat.

[Additional Information]
https://sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware.aspx

Sophos Technical Videos
https://techvids.sophos.com
Sophos provides a series of technical videos that cover configuration tasks, self-help, remediation and how-to videos for common issues. All videos are categorized by product, which allows you to find the video you need.
Sophos Support
https://support.sophos.com
If you have a critical case, raise it using the support portal and follow up with Sophos Support using your case number. Select to raise either a Customer Care case or a Technical Support case.

Support cases are opened through the support portal at sophos.com/support. You need to log in with your Sophos ID; if you don’t have one you can create one.

From the support portal you can create a Customer Care case for issues such as:
• Access and Support Portal issues
• Licensing and Ordering
• Updating Contacts
• Multifactor Authentication Resets

Or you can create a Technical Support case. Sophos Technical Support provides comprehensive support through highly trained technical support representatives:
• 24x7 Multi-channel Support
• Advanced Hardware replacement for appliances
• Automatic software downloads and updates

For critical cases, first create a case through the support portal, then, once you have received the automated case number, follow up with a call to technical support.

[Additional Information]
TechVids – How to use the Sophos Support Portal to raise a support case: https://techvids.sophos.com/watch/yBi5NcvMQTBNWVyunmm4u1

Sophos Support
If you do need to raise a support case, it is important to be specific and provide all the information you have about the issue. This enables our support team to assist you as quickly as possible.
When raising a support case, you should include:
• Any error messages displayed
• Details of all symptoms experienced
• Detailed steps of how to reproduce the issue
• Any troubleshooting steps you have taken to resolve the issue
• Supporting log files and the output of any commands run

Sophos Alerts and News
SMS Notification Service, RSS Feed, Sophos News, Twitter, NakedSecurity
We want to make sure you are aware of everything we are doing with our products, from tips to updates and improvements. You can keep up to date with the latest alerts and news by visiting our blog sites for the Sophos Community, Sophos News and NakedSecurity. You can also subscribe to our Central status page for email and SMS alerts, follow Sophos on Twitter, and subscribe to our RSS feed. If a high-profile incident happens, we publish advisory banners on our support and community pages linking to applicable documentation, knowledge base articles and additional information.

[Additional Information]
Further information about how to contact your support team, get alerted and be informed can be found in knowledge base article KB-000038559.
https://support.sophos.com/support/s/article/KB000038559

Sophos News
news.sophos.com
Sophos News publishes the latest news about Sophos and our products, and the latest information for reporters who want to write about Sophos.

SMS Notification Service
sms.sophos.com
Each alert contains the product name, a brief description of the issue, and a link to get more information. The Sophos SMS Notification Service is a free-of-charge service that provides proactive SMS alerting for Sophos products and services. You are prompted immediately in the event an issue arises, so you will know exactly what is going on, what the impact is, and how to fix it.
You can sign up for the service and select the products for which you would like to receive alerts. You will then receive instant notifications on technical issues or product updates. The SMS message will contain the product name and a link to a knowledge base article on our support pages where you can find more detail.

[Additional Information]
Sign up for SMS Alerts: https://sms.sophos.com
FAQ: https://sophos.com/medialibrary/pdfs/support/sophos-sms-faq.pdf

Really Simple Syndication (RSS) Feeds
http://sophos.com/company/rss-feeds
Really Simple Syndication is a format for delivering regularly changing web content. We syndicate content such as our latest news, product advisories and virus alerts as RSS feeds that you can load into your news reader.

[Additional Information]
RSS feeds: http://sophos.com/company/rss-feeds

Twitter
http://twitter.com/sophossupport
At Sophos, we use Twitter to help educate and connect with partners, customers and interested prospects. Sending alerts via social media allows channel followers and Twitter users searching for #sophos to find the latest information. Follow us to hear about community solutions, news articles, the latest product releases and hot issues.

[Additional Information]
Twitter support: http://twitter.com/sophossupport

NakedSecurity
http://nakedsecurity.sophos.com
NakedSecurity is Sophos’ award-winning threat newsroom, giving you news, opinions, advice and research on cyber security issues and the latest threats.
[Additional Information]
http://nakedsecurity.sophos.com

Chapter Review
Here are the main things you learned in this chapter:

Help can be found by navigating to sophos.com/support.

Contact Sophos support via the support portal, live chat and Twitter.

Stay up to date with Sophos news and alerts by joining the Sophos Community and signing up for news alerts using SMS or RSS.