Hi there, this is the XG Firewall Overview module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0
ET801 – XG Firewall Overview
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Module 1: XG Firewall Overview
About This Course
This course is designed for technical professionals who will be demonstrating XG Firewall. It provides an overview of the protection XG Firewall provides, including major capabilities and core configuration concepts.
Course Duration: this course will take around 3 days to complete.
Prerequisites
There are no prerequisites for this course; however, it is recommended that students have the following knowledge and experience:
• Practical knowledge of networking, including subnets, routing, VLANs, and VPNs
• Experience configuring network security devices
• Knowledge of fundamental encryption and hashing algorithms and certificates
Certification
To complete the Sophos Central Engineer certified course, you must complete and pass the online assessment that is available in the training portal.
You will have two and a half hours to complete the assessment, and can take four attempts to pass the assessment. The assessment may include questions on both theory and simulations.
You must complete and pass the online assessment if you wish to register for the XG Firewall Architect course.
Additional Information
When you see this icon you can find additional information in the notes of the student handout.
Glossary of Technical Terms
A glossary of technical terms used throughout the course can be found in knowledge base article 118500: https://sophos.com/kb/118500
Course Agenda
This course is split into 12 modules, with simulations interspersed throughout the course to allow for practice of the content discussed in the previous modules.
1. XG Firewall Overview
2. Getting Started with XG Firewall
3. Network Protection
4. Site-to-Site Connections
5. Authentication
6. Web Protection
7. Application Control
8. Email Protection
9. Remote Access
10. Wireless Protection
11. Logging and Reporting
12. Central Management
Reference Environment
This network diagram shows the environment that is used during the course and the simulations; you may find it useful for reference to provide additional context. This diagram can also be found in the simulation workbook.
Head Office: London
• LON-GW1.SOPHOS.WWW, WAN IP: 10.1.1.100 (/24)
• LON-DC.SOPHOS.LOCAL, IP: 172.16.16.10 (/24)
• LON-SRV2.SOPHOS.LOCAL, IP: 172.17.17.20 (/24)
• LON-CLIENT2.SOPHOS.LOCAL, IP: 172.17.17.22 (/24)
• LON-INTRANET.SOPHOS.LOCAL, IP: 172.25.25.40 (/24) and 172.25.25.41 (/24) (INTRANET zone)
• STORE.SOPHOS.DMZ, IP: 172.30.30.50 (/24) (DMZ zone)
Branch Office: New York
• NY-GW.SOPHOS.WWW, WAN IP: 10.2.2.200 (/24)
• NY-SRV.SOPHOS.LOCAL, IP: 192.168.16.30 (/24)
Other addresses in the diagram
• 10.1.1.250 (/24) and 10.2.2.250 (/24)
• MPLS: 10.100.100.65 (/29) and 10.100.100.70 (/29)
XG Firewalls have the x.x.x.16 address on internal networks.
Course Objectives
Once you have completed this course, you will be able to:
• Explain how XG Firewall protects against security threats
• Configure firewall rules, policies and user authentication
• Demonstrate threat protection and commonly used features
• Perform the initial setup of an XG Firewall and configure the required network settings
Training Feedback
Feedback on our courses is always welcome. Please email us at globaltraining@sophos.com with your comments.
XG Firewall Overview
• What is XG Firewall?
• Deployment Options
• Anatomy of Attack
• Zero Trust
This first module introduces the Sophos XG Firewall, including coverage of the deployment options available to you. We'll then guide you through the anatomy of an attack to introduce key security technologies in XG Firewall and how they protect against common threats. Lastly, we'll cover Zero Trust, explaining how this mindset helps prevent successful data breaches.
What is XG Firewall?
• Next-Gen Firewall: Visibility, Protection, and Response
• All-in-One Protection: Consolidate, Simplify, & Save
• School Protection: Affordable, Simple Compliance & Control
• SD-WAN & Branch: Retail, Branch Office, ICS & SD-WAN
• Endpoint Integration: Synchronized Security & Automated Response
• Public Cloud: Protection for Azure and Hybrid Networks
Sophos XG Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core.
XG Firewall does not only protect wired networks; acting as a wireless controller for Sophos access points, it can also provide secure wireless networking functionality.
Protection is provided through a single cloud-based platform, making day-to-day management of all your Sophos products (including XG Firewall) easy and scalable.
There are features purpose-built to help universities, higher education, K-12, and primary or secondary educational institutions overcome key challenges, for example powerful web filtering policies and built-in policies for child safety and compliance.
With XG Firewall and SD-RED you are able to connect sites across your geographically-distributed network.
XG Firewall works together with Sophos Central and Intercept X in real time. So when either XG Firewall or Intercept X identifies a threat, they work together to provide health and threat monitoring, lateral movement protection, as well as synchronized application control and synchronized user ID.
XG Firewall can be deployed using preconfigured virtual machines in the cloud, where cloud servers can be secured, protecting them against hacking attempts.
See it, Stop it, Secure it
XG Firewall includes a comprehensive built-in reporting engine, which allows you to easily drill down into reports to find the information you need.
It also provides comprehensive next-generation firewall protection that exposes hidden risks, blocks unknown threats, and automatically responds to incidents.
• See it: Expose Hidden Risks. Superior visibility into risky activity, suspicious traffic, and advanced threats helps you regain control of your network.
• Stop it: Stop Unknown Threats. Powerful next-gen protection technologies like deep learning and intrusion prevention keep your organization secure.
• Secure it: Isolate Infected Systems. Automatic threat response instantly identifies and isolates compromised systems on your network and stops threats from spreading.
See it
The control center appears as soon as you sign in. It provides a single-screen snapshot of the state and health of the security system, with traffic-light style indicators which immediately draw attention to what matters most.
At a glance, you can see your top risks related to heartbeat, apps, payloads, users, threats, websites and attacks.
Stop it
Protection technologies shown on the slide: Next-Gen Firewall, Intrusion Prevention System, Web Protection & SSL Inspection, Sandboxing, Advanced Threat Protection, Synchronized Security, Application Visibility and Control, Email, DLP, Encryption, Web Application Firewall, Wireless Protection, RED and VPN, Deep learning.
XG Firewall analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for sophisticated attacks by using a full suite of protection technologies. These include:
• Powerful Sandstorm sandboxing
• Deep learning with artificial intelligence
• Top performing IPS
• Advanced threat and botnet protection
• Web protection with dual AV, JavaScript emulation and SSL inspection
All benefiting from over 30 years of threat intelligence data from SophosLabs.
Secure it
Security Heartbeat™ (diagram: XG Firewall and Sophos Central; a phishing email arrives from the Internet, an infected host contacts a malware server, and a ransomware attack threatens servers and devices)
Recent threats like Emotet and targeted ransomware, such as Matrix and SamSam, demonstrate the ways cybercriminals are constantly changing their tactics to stay effective and profitable.
The next-gen advancements of XG Firewall and Intercept X, combined with the intelligence of Synchronized Security (which we'll come onto later in the course) and easy management of all products within Sophos Central, are essential for maintaining protection and responding quickly to any attack.
Deployment Options
Hardware, Software, Virtual, Cloud
The Sophos XG Firewall can be deployed in four ways:
• As a hardware device. Sophos XG devices come pre-loaded and ready to go
• As software installed onto Intel-compatible hardware
• As a virtual device running on the most common hypervisors, including VMware, Citrix, Microsoft Hyper-V and KVM
• And finally, XG Firewall can be deployed into the cloud on Azure and soon Amazon Web Services
However you choose to deploy XG Firewall, it uses the same software and provides the same functionality regardless of form factor.
Supported Virtualization Platforms
https://sophos.com/kb/132088
VMware
• ESXi 6.5.0
Hyper-V
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2008 R2
Xen
• Xenserver 7.3
KVM
• CentOS 7.4.1708
Before installing, turn off guest additions and services, and stop automated backups and snapshots.
It is important to install XG Firewall on one of the supported virtualization platforms and their tested versions shown in article 132088. These platforms have been tested and are known to work with the Sophos Firewall Operating System (SFOS).
Sophos XG Firewall: Supported virtualization platforms: https://sophos.com/kb/132088
Azure
• Deploy in minutes from Azure Marketplace
• Flexible Pricing – PAYG or BYOL
• Scalable
• Shared responsibility model
• Full XG Firewall
XG Firewall is available as a preconfigured virtual machine within the Azure Marketplace. You can use Azure Resource Manager templates to speed up deployment, or customize the configuration to meet the specific needs of your environment.
Sophos offers two pricing options for XG Firewall on Azure. You can choose between pay-as-you-go (PAYG) or bring-your-own-license (BYOL). PAYG allows you to pay only for what you use, so you do not have to guess about capacity. There is no minimum commitment and you can stop at any time. BYOL allows you to use your existing investment in XG Firewall. When you purchase a 1-, 2-, or 3-year XG Firewall license, you can use that license in conjunction with Azure.
The Azure cloud lets you scale as you need. There's no guessing about capacity, and you can use Azure Resource Manager templates to scale up and down based on user demand for applications.
With Azure's shared responsibility model, Azure secures the cloud and you are responsible for securing your applications and data. XG Firewall can help you with this, and in Azure you still get the full XG Firewall, the same product you can run on-premises.
Anatomy of Attack
We will now look at the protection features offered by Sophos XG Firewall. To do this, we will show adversary tactics and techniques and how Sophos XG Firewall is able to stop complex attacks at each phase of an attack.
By reviewing these techniques, you will get a better and more reliable understanding of Sophos' ability to stop the attacker's techniques at each of the phases.
Attack Kill Chain
PRE-BREACH
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to victim via email, web …
• Exploitation: leveraging a vulnerability or functionality to execute code on victim's machine
POST-BREACH
• Installation: installing malware on the asset
• Command and Control: command channel for remote manipulation of victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal
The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Hackers usually start by passively researching and gathering information about the target organization, for example, email addresses of key players in the organization such as CEOs and company directors. During passive reconnaissance the attacker is not touching your network or systems, so there is nothing to detect.
They may actively look for network ranges, IP addresses, and domain names, using port scanners or finding information about the company being sold on the dark web.
Weaponization is done on the attacker's device, so there is nothing to detect.
The Delivery stage of an attack is defined by the attacker being able to access your estate through an attack vector, for example an email, and deliver malware to a specific target. This is sometimes referred to as delivering a weaponized bundle to a target.
Protecting Against The Delivery of Malware
Attackers will send emails to users asking them to click on a link, or go to a website that is compromised. This is referred to as phishing. Typically in a phishing scam, you and many of your colleagues will receive an email that appears to come from a reputable organization and will sometimes include attachments which, if opened, can infect a device. Attackers will use social engineering tactics over social networks, emails, applications, phone calls, text messages and in person to get people to reveal sensitive information. Typically the attack is designed for some of the following purposes:
• Phishing credit-card account numbers and passwords
• Hacking private e-mails and chat histories
• Hacking websites of companies or organizations and destroying their reputation
• Computer virus hoaxes
• Convincing users to run malicious code
Many malware infections begin with a user visiting a specifically designed website that exploits one or more software vulnerabilities. This can be triggered by a user clicking on a link within an email or browsing the Internet. This type of infection will happen silently.
Genuine websites can be compromised by attackers who place malicious advertisements on the site. In other cases traffic to the website may be redirected to the attacker's server. The redirected site is designed to look authentic and usually requests a username and password to log in.
You can find out more about social engineering and how it can be prevented by watching the video on Sophos's Naked Security page: https://nakedsecurity.sophos.com/tag/social-engineering/
Email Attacks (Delivery)
• Infiltrate: the attacker sends an email to the victim
• The victim clicks on the email and goes to the phishing website
• Phishing Website: the attacker collects the victim's credentials
• Data Theft: the attacker uses the victim's credentials to access the legitimate website
Exploit Kit
• Scans for vulnerabilities on the victim's computer
• Exploits the vulnerabilities to download the exploit's malicious code onto the system
Web Protection
XG Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or malware.
• Web Filtering provides pre-defined filters that automatically block access to categorized websites, such as gambling or pornography
• Live Protection provides real-time lookups to SophosLabs to check for any threats and prevent them from infecting the device/network
• Pharming Protection prevents users from being redirected to fake or compromised websites
• Certificate validation validates website certificates to ensure legitimacy
• File type filtering is based on MIME type, extension and active content types. This can be used to block macro-enabled documents, for example
• SafeSearch enforcement. SafeSearch is a feature of Google Search that acts as an automated filter of pornography and potentially offensive content
The Web Protection feature is customizable; for example, restricting users' surfing quota and access time allows control over what users can have access to and when. If you wanted to restrict your users from being able to access websites that are not business essential, you can place a restriction in the web policy that blocks access to non-business sites, for example social networking sites.
Policies allow you to configure filters to automatically block categorized websites. If a user visits a blocked website they will not be able to get to the site.
Email Encryption and Control
To protect against email attacks on your network, Email Encryption and Control can be used.
The email scanning engine will scan all inbound emails for malicious content. You control what emails can be received into your network:
• IP Reputation is enabled, allowing you to determine whether you accept, reject or drop emails that are sent from known spam senders
• File-Type detection is configured to scan and block specific file types. For example, you can block or quarantine any macro-enabled files from being received from any sender
The email scanning engine will also detect phishing URLs within e-mails and block those emails accordingly. As well as scanning inbound and outbound emails for malicious content, the email protection allows you to encrypt emails so that you can send sensitive data securely out of your network.
It uses SPX encryption for one-way message encryption and recipient self-registration for SPX password management. This encryption is simple and secure and does not require certificates or keys. It also allows users to add attachments to SPX secure replies, so that your users can securely send files.
Email protection also uses our Data Loss Protection (DLP) engine, which automatically scans emails and attachments for sensitive data. This is also a key benefit at the last stage of the attack, which we'll talk about later in the module.
Diagram: a cyber criminal on the Internet sends mail through the XG Firewall, which quarantines suspect messages before they reach the email servers.
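The file-type filtering described under Web Protection (MIME type, extension and active content) and the macro-enabled attachment quarantine described here rest on the same check. The Python below is an added example, not Sophos code and not part of XG Firewall: it flags a macro-enabled Office document by its extension, by the presence of a vbaProject.bin part inside the OOXML ZIP container, and by a mismatch between the declared MIME type and the actual container format. The sample files, the classify_file and email_attachment_action functions and the rule names are all constructed for this example.

```python
import io
import os
import zipfile

# Constructed sample data (not from the page): Office Open XML files are ZIP
# containers; a macro-enabled document carries a vbaProject.bin part inside.
ZIP_MAGIC = b"PK\x03\x04"
OFFICE_MIME_PREFIX = "application/vnd.openxmlformats-officedocument"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def build_office_sample(with_macro: bool) -> bytes:
    """Build a minimal .docx-like container in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """Active-content check: does the OOXML container include a VBA project part?"""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_file(filename: str, declared_mime: str, data: bytes):
    """Hypothetical file-type filter: returns ('allow' | 'block', [reasons])."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    # 1. Extension rule: macro-enabled Office extensions are blocked outright.
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"extension {ext} is macro-enabled")
    # 2. Active-content rule: catches a .docx that is really a macro document.
    if has_vba_project(data):
        reasons.append("container includes vbaProject.bin")
    # 3. MIME rule: a declared Office type whose bytes are not a ZIP is a mismatch.
    if declared_mime.startswith(OFFICE_MIME_PREFIX) and not data.startswith(ZIP_MAGIC):
        reasons.append("declared Office MIME type but body is not an OOXML container")
    return ("block" if reasons else "allow"), reasons


def email_attachment_action(attachments):
    """Hypothetical mail policy: quarantine the message if any attachment is blocked.

    attachments is an iterable of (filename, declared_mime, data) tuples.
    """
    for filename, mime, data in attachments:
        if classify_file(filename, mime, data)[0] == "block":
            return "quarantine"
    return "deliver"


if __name__ == "__main__":
    docx_mime = OFFICE_MIME_PREFIX + ".wordprocessingml.document"
    print(classify_file("report.docx", docx_mime, build_office_sample(False)))
    print(classify_file("report.docx", docx_mime, build_office_sample(True)))
    print(email_attachment_action([("invoice.docm", docx_mime, build_office_sample(False))]))
```

The second rule is the one that matters in practice: a macro document renamed to .docx passes the extension check but is still caught by the vbaProject.bin part, which is why the slide lists active content as a separate criterion.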
Sandstorm
Sophos Sandstorm uses next-gen sandbox technology with integrated deep learning, giving your organization an extra layer of security against ransomware and targeted attacks. It integrates with your XG Firewall and is cloud-delivered, so there's no additional hardware required. It's the best defense against the latest payload-based malware lurking in phishing attacks, spam, and file downloads.
Let's take a look at how Sophos Sandstorm tests for and identifies possible malware.
The Sophos XG Firewall accurately pre-filters traffic using all of the conventional security checks, including anti-malware signatures, known bad URLs and so forth, so only previously unseen suspicious files are submitted to Sandstorm, ensuring minimal latency and end user impact.
If the file is executable or has executable content, the file is treated as suspicious. The XG Firewall sends the file hash to Sophos Sandstorm to determine if it has been previously analyzed.
If the file has been previously analyzed, Sophos Sandstorm passes the threat intelligence to the XG Firewall. Here, the file will be delivered to the user's device or blocked, depending on the information provided by Sophos Sandstorm.
The XG Firewall keeps a local cache of file hashes and the results in a local database to prevent unnecessary lookups.
Finally, the XG Firewall uses the detailed intelligence supplied by Sophos Sandstorm to create deep, forensic reports on each threat incident.
Diagram: the XG Firewall sends the HASH of a suspect file to Sophos Sandstorm, which determines its behavior and returns a control decision and a report.
If the hash has not been seen before, a copy of the suspicious file is sent to Sophos Sandstorm. Here, the file is executed and its behavior is monitored. Once fully analyzed, Sophos Sandstorm passes the threat intelligence to the XG Firewall, which will determine if the file is allowed or blocked.
As with previous threats, a report is created for the threat incident.
Deep Learning
Model trained to determine features of a file:
• Millions of samples learned: PE files such as Windows EXEs, documents with macros, PDFs with scripts
• Features of the files defined: vendor, size, printable settings, metadata, imports, contextual bytes
• Features of the files labelled
• The deep learning engine predicts: Malicious OR Legitimate
Amongst the layers of protection within our sandbox is something called deep learning, which protects against the latest unseen advanced threats like ransomware, cryptomining, bots, worms, hacks, breaches, and APTs without using signatures.
Deep learning uses a set of algorithms that try to replicate the way a human brain would solve a problem. By looking at the features of an object, it makes a decision as to what that object is.
Let's relate this to securing your network. The deep learning model is trained on millions of samples of known good and bad files, some examples shown here. It is taught the features (the size, compression setting, printable strings, vendor and so forth) of these files, which are then labelled. The model is then trained to determine the features of a file to create a learned model.
When a file is then tested with this model, deep learning evaluates portable executable (PE) files on a machine at the time of execution within the sandbox. The engine predicts if the file is malicious or legitimate based on the file characteristics, which have been learnt from the samples the model has been trained on. The prediction is returned and the file is categorized as malicious or legitimate.
Application Control
Application Control works on several levels to help protect your network; the most obvious of these is reducing the attack surface by controlling what applications are allowed. For example, users cannot download infected files through peer-to-peer applications if you are blocking them.
Application Control can be used to block:
• Unwanted applications
  • Some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, tools for administering PCs remotely, and scanners that identify vulnerabilities in computer systems
• Peer-to-peer networking applications
  • P2P applications can contain vulnerabilities. Peer-to-peer applications act as servers as well as clients, meaning that they can be more vulnerable to remote exploits
• High risk applications
  • Sophos categorizes all applications; this means that you can apply the high risk application control policy and it will block all (and any new) applications categorized as high risk
  • For example, proxy and web storage applications are often high risk
• Very high risk applications
  • In the same way as for the high risk category, the very high risk category allows you to block all applications classified as very high risk
  • An example of these applications would be TOR proxy, SuperVPN and AppVPN
Configure Application Rules to restrict access to specific applications.
Synchronized App Control
On average, 60% of application traffic is going unidentified. Static application signatures don't work for custom, obscure, evasive, or any apps using generic HTTP or HTTPS. Synchronized App Control on XG Firewall automatically identifies all unknown applications, enabling you to easily block the apps you don't want and prioritize the ones you do.
What this means is that you can now identify, and deal with, the unknown threats and unwanted apps that are running on your network, putting the organization at risk and impacting user productivity.
How it works:
• XG Firewall sees app traffic that does not match a signature
• Sophos Endpoint shares the app name, path and even category with XG Firewall for classification
• XG Firewall automatically categorizes and controls the app where possible, or the admin can manually set the category or policy to apply
Users continue to be the easiest target for attackers, but an army of trained, phishing-aware employees can provide you with a human firewall against these threats. Let's look at the next stage, Exploitation, which is defined by leveraging a vulnerability to execute code on a victim's machine. An exploit is basically a method or a tool used for abusing software bugs for nefarious purposes.
Protecting Against Exploits
By their very nature, web servers need to be accessible from the Internet, but this makes them 
targets for attackers who may be trying to extract data or install malware to compromise other 
users visiting the website.
Attacks can take many forms, including cross-site scripting (XSS), protocol violations and anomalies, cookie tampering, SQL injection, and other generic attacks.
Module 1: XG Firewall Overview - 38
Web Server Protection
(Diagram: an attacker on the Internet sends XSS, protocol violations, SQL injection and generic attacks through the firewall towards the web servers during the Exploitation stage.)
Sophos XG Firewall includes comprehensive Web Server Protection, which is bundled with 
preconfigured templates to make protecting commonly used web-facing servers like Microsoft 
Exchange as easy as possible. 
Web Server Protection acts as a reverse proxy protecting web servers on the internal network or 
DMZ from inbound traffic. Web Server Protection uses a web application firewall to filter traffic, 
harden forms, sign cookies, and scan for malware.
Web Server Protection can also authenticate incoming connections with a username and password 
before they even reach the web server.
Module 1: XG Firewall Overview - 39
Vulnerabilities and exploit kits can be protected against using an Intrusion Prevention System (IPS). IPS monitors network traffic for malicious activity as it passes through the XG Firewall. It logs the activity, attempts to block and prevent the infection, and then reports the activity.
Note that Intrusion Prevention is not designed to replace applying software patches to fix bugs and security vulnerabilities.
Module 1: XG Firewall Overview - 40
Intrusion Prevention System (IPS)
• Monitors network traffic for malicious activity
• Blocks and reports activities to prevent network infections
This attack phase is where the installed malware makes a connection to a Command and Control (C&C) server.
In a typical APT lifecycle, the communication with the Command and Control host is a repeated process. This allows the malware to adapt as the attacker gains more knowledge.
More complex malware, such as Emotet, includes communication with remote servers for further instructions and updates, or to upload and download further files.
Module 1: XG Firewall Overview - 41
Exploitation and Command and Control Connections
Advanced Threat Protection (ATP) monitors global outgoing traffic. It blocks outgoing network 
traffic attempting to contact command and control servers. This prevents remote access Trojans 
from reporting back to their malicious servers. 
If ATP detects a threat an alert will be recorded and the number of detections shown in the control 
center. The administrator can then check the alert for additional information about the threat such 
as:
• The affected device’s IP address
• The affected device’s hostname
• The threat and number of times the rule was triggered
• The user and offending process
This process allows the administrator to clean up the threat while the device is isolated, protecting 
the rest of the network from becoming infected. 
Module 1: XG Firewall Overview - 42
Advanced Threat Protection (ATP)
• Globally monitors all outgoing traffic
• Detects and blocks malicious outgoing traffic
• Records an alert in the Control Centre of the XG Firewall
• Allows isolation of the device and threat clean up
This stage of the attack anatomy varies depending upon the type of malware. For example, a ransomware attack will look to encrypt data and demand a ransom, whereas spyware tends to log the keystrokes of victims to gain access to passwords or intellectual property.
Next, we’ll review some of the protection components which form part of XG Firewall to detect 
malicious threats.
Module 1: XG Firewall Overview - 43
Protecting Against Malicious Behavior
Server Protection and Intercept X can be used to assign every device a health status. In the event a device is compromised, it can be automatically isolated from other parts of the network at the firewall, and network connections between it and other healthy devices can be blocked. This limits the fallout of a breach, the spread of malware, or the lateral movement of an attacker, even on the same broadcast domain or network segment where the firewall has no opportunity to block the traffic. We’re effectively pushing isolation enforcement out to the endpoints so they can help the firewall isolate any threats and keep the network secure. This will stop any threat or attacker attempting to move laterally.
Automatic Device Isolation
• Security Heartbeat™: XG Firewall instantly informs all healthy endpoints to ignore any traffic from a compromised device (the infected host).
Module 1: XG Firewall Overview - 44
Email Protection
Email protection stops data from being leaked outside of the organization by email. You can create 
data control lists from the content control list (CCL). CCLs are based on common financial and 
personally identifiable data types, for example, credit card or social security numbers, postal or 
email addresses. When XG Firewall finds a match for the specified information, it applies the action 
specified in the policy.
Module 1: XG Firewall Overview - 45
Digital security and physical security have many parallels. Think of a building and how it could be 
protected. If you were to build nothing but a giant wall, it may prove difficult to climb over but 
eventually someone will find a way to get over it (or under it).
Now consider a fortress. Armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors. 
It may be possible to hop the wall, but you still have many additional hurdles ahead of you.
Single layers are simple to build but are also simple to bypass. Our goal has always been to build 
fortresses so that multiple security elements are present to detect movement across assets and for 
attacks to be detected and stopped.
Module 1: XG Firewall Overview - 46
Summary
NETWORK PROTECTION: Stop unknown and sophisticated threats; advanced networking protection; automatically responds to incidents
PRE-BREACH: Reconnaissance, Weaponization, Delivery, Exploitation
POST-BREACH: Installation, Command and Control, Behaviour
ADVANCED THREAT PROTECTION: Detect and block C&C traffic
APPLICATION CONTROL: Block undesired applications (proxies, hacking tools, sniffers; out of date browsers and office apps)
MALWARE SCANNING: On-board antivirus engines; Sophos Sandstorm
DATA LOSS PREVENTION: Email
WEB PROTECTION: Prohibited website blocking
INTRUSION PREVENTION: Local Security Authority (LSASS); Security Account Manager (SAM)
EMAIL PROTECTION: Inbound antivirus and anti-spam scanning (with SPF and DKIM); SPX Email Encryption
SANDSTORM WITH DEEP LEARNING: Time of click URL Protection
WEB SERVER PROTECTION: Blocks known attack techniques; Active Adversary Mitigations; reverse proxy authentication
SYNCHRONIZED SECURITY: Heartbeat™ links your Sophos endpoints with XG Firewall; automatic device isolation; Synchronized App Control; identify infected systems; monitor network health
Zero Trust
Module 1: XG Firewall Overview - 47
Traditionally cybersecurity has involved creating a security perimeter and trusting that everything 
inside that perimeter is secure. This is a vulnerable design as once an attacker or unauthorized user 
gains access to a network, that individual has easy access to everything inside the network where 
they can progressively search for the key data and assets that are ultimately the target of their 
attack. 
The corporate network perimeter defensive line no longer exists. With increased attack 
sophistication and insider threats, organizations can’t guarantee that everything on the inside of 
their network can be trusted.
Zero Trust is a relatively new and evolving approach to network design but it's also part of a wider 
mind-set based on the principle of trusting nothing and checking everything. With zero trust, no 
user is trusted, whether inside or outside of the network.
Zero Trust Overview
Zero Trust is a cybersecurity mindset based on the principle of trust nothing, check everything.
Module 1: XG Firewall Overview - 48
The number of users who wish to work remotely, using their own personal devices to access corporate data and resources over untrusted networks such as those in coffee shops, is increasing.
The use of SaaS apps, cloud platforms and services leaves some data outside of the corporate perimeter. The use of public cloud platforms means many of the devices or services that once ran within the corporate perimeter are now run outside of it. Basically, secure every device you have as if it were connected directly to the Internet.
Zero Trust Overview
(Diagram: SaaS and remote users sit outside the trusted network.)
Module 1: XG Firewall Overview - 49
Network Segmentation
(Diagram: XG Firewall between the Internet and switched segments for devices, applications, users and servers, alongside Cloud Optix, Managed Threat Response, Phish Threat, Email, Wireless, Intercept X, Encryption and Mobile.)
On the firewall side, network segmentation or even micro-segmentation around your users, 
devices, apps, networks, and so on provides one of the key benefits of the Zero Trust strategy.
Dynamic policies are at the center of XG, with multiple sources of data available to leverage as part 
of a policy. Identity, time of day, network location, device health, network packet analysis – and 
more – all of these different sources of data can be used in different combinations depending on 
the scenario.
Segmenting your network into smaller and more granular subnets, and securing them through your firewall, helps to limit exposure in the event that one segment becomes compromised. In practice it works well, but in some cases it can add unwanted expense, infrastructure and management overhead, and impact performance.
It takes a lot of technologies to secure all the resources and assets you’ll have on a network. There 
is no one single vendor, product, or technology that will solve all your problems. But Sophos 
certainly has a huge range of technologies to help you secure multiple resources and assets at the 
same time. 
Server Protection and Intercept X can be used to assign every device a health status. In the event 
one is compromised, the devices can be automatically isolated, as well as blocking network 
connections between devices to limit the fallout of a breach or the spread of malware or lateral 
movement of an attacker.
Our Managed Threat Response (MTR) service can monitor all user activity across the estate and 
identify potentially compromised user credentials.
Module 1: XG Firewall Overview - 50
Sophos Mobile, our UEM solution, can be used to support BYOD or managing all kinds 
of mobiles, laptops, and desktops. Compliance policies can be put in place to ensure 
a strong baseline configuration and any drift will cause that device to have its access 
to resources revoked automatically.
Sophos Central has you covered for all of these. Our cloud-native cybersecurity platform orchestrates all of our technologies in a single console, providing you with oversight of all technologies in a single place and APIs to wire together any other third-party technologies you are using.
Lateral Movement Protection
(Diagram: XG Firewall between the Internet and the local area network; an infected host on the same switch as a healthy endpoint and an application server.)
As shown in our Anatomy of Attack topic, Lateral Movement Protection effectively provides an adaptive micro-segmentation solution. With Lateral Movement Protection, each individual endpoint is effectively on its own segment, able to be isolated in response to an attack or threat, regardless of the network topology.
XG Firewall uniquely integrates the health of connected hosts into your firewall rules, enabling you 
to automatically limit access to sensitive network resources from any compromised system until 
it’s cleaned up.
This is made possible by Synchronized Security which is our cross-portfolio approach to analyze 
system and network activity, adapt to scenarios through dynamic policy, and automate complex 
tasks like isolating machines and more.
Module 1: XG Firewall Overview - 51
Summary
• There is no ‘inside’ the network: Pretend you’re running your business from a coffee shop and all your devices are connected directly to the Internet.
• Trust nothing, verify everything: Assume attackers are on both the inside and the outside and persist at all times. No user or device should be automatically trusted.
• Security should adapt in real-time: Identify. Control. Analyze. Secure. Security policies should be dynamic and automatically change based on insight from as many sources of data as possible.
At its essence, there are a few major concepts for Zero Trust that you should keep in mind along your journey.
There is no “inside” the network. Pretend that you’re running your entire business from an 
untrusted location like a coffee shop and that all your devices are connected directly to the most 
dangerous of all networks - the public internet. By imagining this as the reality, we are forced to 
apply security in ways where we can’t rely on being behind a traditional corporate perimeter.
There will always be corporate “trusted” networks for administration and in-house systems but the 
goal is to keep ordinary users off of these networks, using app proxies and other technologies, 
drastically reducing the attack surface. 
Next, trust nothing, verify everything. Assume that there are attackers both on the inside of your 
networks and on the outside and they are there all the time, constantly trying to attack. No user or 
device should be automatically trusted. By imagining we’re under constant attack from every 
direction, we are pushed to build rock-solid authentication and authorization to the resources, 
layer the defenses, and constantly monitor and analyze everything happening across the estates.
Lastly, security should adapt in real-time. The security policies we put in place to achieve Zero Trust should be dynamic and automatically change based on insight from as many sources of data, from as many different technologies, as possible. A static policy like THIS USER on THIS DEVICE can access THIS THING won’t protect you if that device has been compromised while that user is on it. If your policy also took into account device health, such as the identification of malicious behaviors, your policy could use this to dynamically adapt to the situation with zero effort from an admin. Our Synchronized Security products can share the unique insights they each have with one another, which enables us to have adaptive, dynamic policies, taking advantage of all these insights so that a policy is never static and easily circumvented.
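The contrast between the static rule and the health-aware policy described above, as an added example (not Sophos code): a small Python policy evaluator in which the same user/device/resource rule is allowed by the static policy but isolated by the dynamic one once the endpoint reports poor health. The rule table, user and device names, the green/yellow/red health labels, the location names and the business hours are assumptions made for illustration.

```python
"""Static vs. dynamic (health-aware) access policy, illustrating the Zero Trust notes.

Constructed example: the rule table, user/device names, the green/yellow/red
health labels, location names and business hours are assumptions for illustration,
not the XG Firewall rule format.
"""
from dataclasses import dataclass

# Health states shared with the firewall by the endpoint (assumed labels).
GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: str
    resource: str
    device_health: str   # latest health state reported by the endpoint
    location: str        # network the request arrives from, e.g. "lan", "vpn", "guest"
    hour: int            # local hour of day, 0-23


# Static rule table: "THIS USER on THIS DEVICE can access THIS THING".
STATIC_RULES = {
    ("alice", "laptop-01", "finance-db"),
    ("bob", "desktop-07", "intranet"),
}

# Resources that additionally need a healthy device, a trusted network and business hours.
SENSITIVE = {"finance-db"}
TRUSTED_LOCATIONS = {"lan", "vpn"}
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59


def static_policy(req: AccessRequest) -> str:
    """Static policy: only identity, device and resource are consulted."""
    return "allow" if (req.user, req.device, req.resource) in STATIC_RULES else "deny"


def dynamic_policy(req: AccessRequest) -> str:
    """Same rule table, but the decision also depends on live context:
    device health, network location and time of day."""
    if static_policy(req) == "deny":
        return "deny"
    # A compromised device loses all access, whoever is logged on: the
    # 'isolate until it is cleaned up' behaviour the notes describe.
    if req.device_health == RED:
        return "isolate"
    if req.resource in SENSITIVE:
        if req.device_health != GREEN:
            return "deny"          # yellow: not healthy enough for sensitive data
        if req.location not in TRUSTED_LOCATIONS:
            return "deny"          # coffee-shop style network
        if req.hour not in BUSINESS_HOURS:
            return "deny"          # time of day is one more signal
    return "allow"


def peer_accepts_traffic(peer_health: str) -> bool:
    """Lateral Movement Protection: a healthy endpoint ignores traffic from a
    red (compromised) peer even on the same segment, where the firewall never
    sees the packets."""
    return peer_health != RED


if __name__ == "__main__":
    normal = AccessRequest("alice", "laptop-01", "finance-db", GREEN, "lan", 10)
    compromised = AccessRequest("alice", "laptop-01", "finance-db", RED, "lan", 10)
    print(static_policy(normal), dynamic_policy(normal))            # allow allow
    print(static_policy(compromised), dynamic_policy(compromised))  # allow isolate
```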
Much of this is just good security policy and best practices which you may already be 
doing. Additionally, if you’ve prepared for GDPR, you’ve done a lot of this work 
already.
Module 1: XG Firewall Overview - 52
Module Review
Now that you have completed this module, you should be able to:
• List the deployment options available for the XG Firewall
• Identify the features of the XG Firewall and how they protect against common threats
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Module 1: XG Firewall Overview - 53
Hi there, this is the Getting Started with XG Firewall module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall v18.0
ET801 – Getting Started with XG Firewall
July 2020
Version: 18.0v3
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall v18.0
Module 2: Getting Started with XG Firewall
Version: 18.0v3
Module 2: Getting Started with XG Firewall - 61
Getting Started with XG Firewall
Navigation and Management
• Navigating the WebAdmin
• Managing Objects
• Profiles
Interfaces and Routing
• Zones
• Interfaces
• Routing
DNS and DHCP
• Configuring DNS
• DHCP servers
• DHCP relay
Deployment and Setup
• Deployment options
• Console and WebAdmin
• Initial setup wizard
Device Access and Administration
• Device access
• Certificates
Common Deployment Scenarios
• Gateway, bridge and mixed mode
• Web server protection
In this module you will learn how to connect and configure an XG Firewall with the basic settings 
necessary to get up and running. You will begin to manage the XG Firewall with the WebAdmin and 
learn about the core concepts and objects ready to configure rules and policies in later modules.
Module 2: Getting Started with XG Firewall - 62
Common Deployment Scenarios
Module 2: Getting Started with XG Firewall - 64
Gateway Mode
(Diagram: Port A in the LAN zone, Port B in the WAN zone connected to the Internet, Port C in the DMZ zone.)
Let’s take a minute to look at some of the most common ways it is deployed. 
The most common scenario is where you are looking to replace an aging firewall and need to protect your internal network. The XG Firewall is deployed to handle the core routing and to act as the first line of defense against network threats.
This is shown here with the XG Firewall in gateway mode. Port A is configured for the LAN zone, 
Port B for the WAN, and Port C for the DMZ. Any network threats trying to go to either the LAN or 
the DMZ zone will be stopped by the XG Firewall. 
This is the type of deployment we will be focusing on in this course.
Module 2: Getting Started with XG Firewall - 65
Bridge Mode
(Diagram: an existing firewall in the WAN zone connects to the Internet; the XG Firewall bridges the LAN zone on Port A and the DMZ zone on Port C, adding Synchronized Security, Intrusion Prevention and Advanced Threat Protection.)
Another common type of deployment is where there is an existing firewall that handles the WAN 
connectivity that is not going to be replaced. This is often done to add additional protection 
capabilities not offered by the existing firewall.
So that you do not need to change the IP address schema of the network the XG Firewall can be 
deployed in bridge mode, which is also known as transparent mode or inline mode.
In this mode the clients on the network are unaware of the XG Firewall and traffic passes through without the IP addresses being changed, while still allowing the XG Firewall to scan for and protect against threats.
Module 2: Getting Started with XG Firewall - 66
Web Application Firewall
(Diagram: an existing firewall in the WAN zone connects to the Internet; the XG Firewall with Web Application Firewall sits between the LAN zone and a DMZ zone holding the web server, app server, file server and database, protecting against buffer overflows, privilege escalation and SQL injection.)
XG Firewall may also be added to a network to protect web applications. There are often many components that make up a web application, including web servers, databases, file servers and so forth, which means there is also a wide range of attacks that can be launched against them.
In the example here, the XG Firewall can protect the web application from common attacks 
including buffer overflows and SQL injection.
Module 2: Getting Started with XG Firewall - 67
Discover Mode
(Diagram: an existing firewall between the Internet and the LAN and DMZ zones; a switch with port mirroring sends a copy of the traffic to the discover mode enabled port on the XG Firewall, with Port A as the management port, producing a Security Audit Report.)
The last type of deployment we will look at is generally used for evaluating the capabilities of XG 
Firewall without the need to make any changes to the network. 
In this example, the XG Firewall is connected to a port on the switch that has port mirroring 
enabled, so that a copy of all the traffic is sent to the XG Firewall.
While the XG Firewall cannot influence the live traffic on the network, it can log and report on what it sees, and from this you can see the additional protection it could add to the network.
This is called discover mode.
Module 2: Getting Started with XG Firewall - 68
Deployment and Setup
Module 2: Getting Started with XG Firewall - 69
Connecting the XG Firewall to the Network
• 1/LAN: the default LAN port to connect to for initial configuration
• 2/WAN: the default WAN port
A different port can be selected in the initial setup wizard.
To set up the XG Firewall you need to start by connecting the power and then connecting the LAN and WAN ports.
On hardware XG Firewalls the default LAN and WAN ports will be marked. On software and virtual 
XG Firewalls these will be the first and second network cards.
You will have the option to modify these ports either during the initial setup or once the setup is 
complete.
Module 2: Getting Started with XG Firewall - 70
Command Line Interface (CLI)
Additional information in the notes
SSH Console
Default credentials:
• Username: admin
• Password: admin
These credentials are changed as part of the initial setup wizard.
Although the XG Firewall is managed through a web interface, it also has a command line interface 
(CLI) that is accessible through SSH, a console connection, or you could use a monitor and 
keyboard to physically connect to the terminal. 
You may want to use the CLI to change the IP address of the management port to be in your LAN IP 
range so that you can connect to the WebAdmin to complete the initial setup wizard.
To log in to the CLI use the password of the built-in ‘admin’ user. The default admin password is ‘admin’; you change this as part of the initial setup wizard.
In the slide notes you can find the parameters for a console connection.
Console connection parameters:
• baud rate or speed: 38,400
• Data bits: 8
• Stop Bits: 1
• Parity and Flow Control: None or 0
Module 2: Getting Started with XG Firewall - 71
WebAdmin
Default IP address: 172.16.16.16 (/24)
Port: 4444
WebAdmin URL: https://DeviceIP:4444
Sophos XG Firewall is configured and managed through a web interface. By default, the device’s IP 
address will be 172.16.16.16 and the WebAdmin on a Sophos XG firewall runs on port 4444. So to 
connect to the WebAdmin interface you would need to connect to HTTPS://172.16.16.16:4444 on 
a brand new device.
Note: you will receive a certificate error when connecting to the XG Firewall as it is using an 
untrusted self-signed certificate.
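Rather than clicking through the certificate error, a practitioner can record the self-signed certificate's fingerprint out of band and check it before entering the admin password. The following added Python example (not Sophos code) performs the TLS handshake against the default address and port above and reports the connection as trusted only if the presented certificate matches a pinned SHA-256 fingerprint; the fingerprint value is a placeholder you must obtain from the device yourself.

```python
"""Pin the WebAdmin's self-signed certificate by SHA-256 fingerprint.

Added example, not Sophos code. The address and port are the defaults from the
notes; the expected fingerprint is a placeholder that must be recorded from the
device out of band before it is trusted.
"""
import hashlib
import socket
import ssl

WEBADMIN_HOST = "172.16.16.16"   # default IP address from the notes
WEBADMIN_PORT = 4444             # default WebAdmin port from the notes


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated, upper-case form most tools show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pin_matches(der_cert: bytes, expected: str) -> bool:
    """Compare fingerprints leniently on format (case, colons) but strictly on value."""
    got = fingerprint(der_cert).replace(":", "")
    want = expected.replace(":", "").upper()
    return len(want) == 64 and got == want


def fetch_webadmin_cert(host: str = WEBADMIN_HOST, port: int = WEBADMIN_PORT,
                        timeout: float = 5.0) -> bytes:
    """Perform only the TLS handshake and return the server's leaf certificate (DER).

    CA verification is disabled because a self-signed certificate can never pass it;
    trust is decided by the caller through pin_matches() before any request is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def webadmin_is_trusted(expected_fingerprint: str, host: str = WEBADMIN_HOST,
                        port: int = WEBADMIN_PORT) -> bool:
    """True only when the live certificate matches the recorded fingerprint."""
    return pin_matches(fetch_webadmin_cert(host, port), expected_fingerprint)


if __name__ == "__main__":
    # Placeholder: replace with the fingerprint recorded from the device itself.
    EXPECTED = "<SHA256 FINGERPRINT RECORDED OUT OF BAND>"
    if webadmin_is_trusted(EXPECTED):
        print(f"https://{WEBADMIN_HOST}:{WEBADMIN_PORT} presented the expected certificate")
    else:
        print("certificate mismatch: do not enter the admin password on this connection")
```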
Module 2: Getting Started with XG Firewall - 72
Initial Setup Wizard
• Set a new admin password
• Update the firmware
• Agree to the licence
• Optionally: restore a backup configuration, or connect as a high-availability spare
We will now walk through the initial setup of an XG Firewall.
On the first page you set a new admin password and accept the terms and conditions. Note that if you are configuring this on behalf of someone else, they must accept the terms and conditions.
By default the XG Firewall will download and install the latest firmware as part of the initial setup, 
however you can deselect this to postpone it until later.
You also have the option to restore a configuration backup or connect the XG Firewall as an 
auxiliary device to a high-availability pair. Both of these options will provide a different initial setup 
to the full one we are going to show here.
Module 2: Getting Started with XG Firewall - 73
Initial Setup Wizard
• Configure the Internet connection (this step is skipped if the WAN port is configured by DHCP)
The XG Firewall requires an Internet connection for registration and, if selected, downloading the 
latest firmware.
You can choose which port to configure the WAN connection on, then you need to specify the IP 
address, subnet, DNS server and gateway. When you save these settings the XG Firewall will test 
the connectivity then allow you to continue with the initial setup.
Note that if the WAN port is connected to a network that provides DHCP this step will be skipped.
Module 2: Getting Started with XG Firewall - 74
Initial Setup Wizard
• Enter a hostname
• Set the time zone
You can enter a hostname for your XG Firewall and optionally modify the automatically selected 
time zone.
Module 2: Getting Started with XG Firewall - 75
Initial Setup Wizard
• Register the XG Firewall
• Enter the serial number; this is prefilled on hardware devices
• Optionally: start a trial, migrate a UTM license, or defer registration
The next step is to register the XG Firewall.
If you have a serial number you can enter it to register your firewall. On hardware XG Firewalls this 
will be prefilled.
You also have the option to migrate an existing UTM license, start a trial or defer the registration for 30 days.
Deferring the registration can be useful if you are preparing an XG Firewall prior to taking it onsite. 
Note that when registration is deferred there are a number of features that you are unable to use.
To complete the registration you need to log in with your Sophos ID, and then the XG Firewall will synchronize the license.
Module 2: Getting Started with XG Firewall - 76
Initial Setup Wizard
• Configure the LAN network
• Select which ports to bridge together to create the LAN
• Select the gateway
• Configure the IP address
• Optionally enable DHCP
You have the option to configure the local network configuration, which is different depending on whether you are deploying a hardware, virtual or software XG Firewall. We will start by looking at hardware devices.
Here you can select which ports to use for the LAN, and all ports selected will be used to create a 
single bridged LAN interface.
You can select the gateway for the LAN network to either be the XG Firewall, or an existing 
gateway, in which case the LAN will be bridged to the WAN.
You can configure the IP address for the XG Firewall, and optionally enable DHCP. Note that DHCP 
cannot be enabled if the XG Firewall is bridging the LAN and WAN.
Module 2: Getting Started with XG Firewall - 77
Initial Setup Wizard
• Configure the LAN network
• Select the LAN port
• Select the gateway mode
• Configure the IP address
• Optionally enable DHCP
For virtual and software devices the configuration is very similar, except instead of selecting ports 
to create a LAN bridge interface you select a single LAN port.
Module 2: Getting Started with XG Firewall - 78
Initial Setup Wizard
• Enable protection in the default outbound firewall rule
As part of the initial setup wizard the XG Firewall will create a default firewall rule for outbound 
traffic. Here you have the option of enabling various security options for that firewall rule.
• Protect users from network threats will enable an IPS policy
• Protect users from the suspicious and malicious websites will enable a web policy
• Scan files that were downloaded from the web for malware will enable malware scanning
• And Send suspicious files to Sophos Sandstorm will enable Sandstorm scanning. This requires 
‘Protect users from the suspicious and malicious websites’ to be enabled
Module 2: Getting Started with XG Firewall - 79
Initial Setup Wizard
• Enter an email address and sender for notifications
• Optionally specify an internal mail server for notifications
• Optionally enable automatic backups and enter an encryption password
The last piece of configuration is for notifications and backups.
Here you configure recipient and sender email addresses for notifications. You can optionally 
choose to configure an internal email server to use for sending these.
You can also enable automatic backups, and to use this you need to set an encryption password for 
the backup files.
Module 2: Getting Started with XG Firewall - 80
Navigation and Management
Module 2: Getting Started with XG Firewall - 81
WebAdmin: Control Center
When you first login to the WebAdmin you are presented with the Control Center, which provides a 
live view of what is happening on the XG Firewall allowing you to quickly identify anything that 
requires your attention.
The Control Center is broken down into six main areas:
• System
• Traffic insight
• User and device insight
• Active firewall rules
• Reports
• And Messages
System
Status icons for the XG Firewall’s health and services. Each item can be clicked to get more detailed 
information.
Traffic insight
Provides an at a glance overview of what is happening on the network and the traffic being 
processed.
User and device insight
Shows the status of users and devices being protected by XG Firewall. This section includes the 
User Threat quotient, which is a risk assessment of users based on their behaviour.
Active firewall rules
Displays the usage of firewall rules by type. Below the graph you can see the state of firewall rules over the last 24 hours. Clicking these will take you to the firewall rules, filtered for the selected type of rule.
Reports
Access to commonly used reports. These can either be opened by clicking on the 
name of the report or downloaded using the icon to the right of each. It shows when 
the report was last updated and the size of the file.
Messages
Alerts or information for the administrator including security warnings and new 
firmware updates. Messages are clickable to access the relevant configuration.
WebAdmin: Main Menu
Down the left-hand side is the main menu for navigating the XG Firewall. This is divided into four 
sections:
• MONITOR & ANALYZE, which provides access to information, including the current activity on the XG 
Firewall, reports and diagnostic tools.
• PROTECT, for configuring the rules, policies and settings related to protection features.
• CONFIGURE, where you set up connectivity, routing, authentication and global settings.
• SYSTEM, which houses the device access settings, as well as objects and profiles that are used 
within rules and policies.
WebAdmin: Tabbed Navigation
Each section that is accessible from the main menu is further broken down into tabs for accessing 
each area of configuration.
On some screens additional less frequently used tabs can be accessed using the ellipses on the 
right-hand side of the tabs.
WebAdmin: Advanced Settings
In the Reports and VPN sections there are additional Show Report Settings and Show VPN Settings 
options that allow you to access some of the less often used options related to reports and VPNs.
When the settings are accessed, the screen will flip to the additional options. You can identify 
when you are on this screen by the yellow title bar at the top of the page.
WebAdmin: Admin Drop-Down Menu
Found in the top-right is the admin menu. Here you can reboot, shutdown, lock and log out of the 
XG Firewall. This menu also provides links to the support website, the XG licensing page and 
web-based access to the console.
WebAdmin: Help
Found on every screen on the XG Firewall is a context-sensitive link to the online help file.
When clicked, it opens a separate window. This online version of the XG help is fully interactive and 
can be browsed by selecting the various menu items in the left side menu. It can also be searched 
by keyword, and when a search result is selected it will load the appropriate section within the 
help file.
http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/index.html
WebAdmin: Log Viewer
Next to the help link is the Log viewer, which opens in a new window to provide access to all of 
the log files. 
In the ‘Log viewer’ you can filter the logs and perform context sensitive actions. We will explore 
this in more detail throughout the course.
How-to Guides
The last item in the top-right is the how-to guides. This links you to a library of videos on our 
website that demonstrate how to perform common tasks on the XG Firewall.
Objects
• Objects are the building blocks for rules and policies
• Define hosts, networks, services, groups and profiles
• Can be created inline when configuring rules and policies
The XG Firewall uses objects as the building blocks for the configuration of rules and policies. By 
defining reusable objects once for things such as hosts, services and networks, it can speed up 
configuration, and simplify future changes by having a single place to make a change.
Objects can be created and edited ahead of time, but they can also be created inline when 
configuring protection features. This means that you do not have to navigate away from what you 
are configuring to create an object, you will have the option to create it where you need it.
There are two types of object – hosts and services, and profiles. These can be found in the SYSTEM
section on the XG Firewall.
IP Hosts
IP host objects can represent a single IP address, a subnet, a range of IP addresses or a list of IP 
addresses, for either IPv4 or IPv6.
The object has a name and then must be configured by IP version (IPv4 or IPv6) and a type. Note 
that the IP version and type cannot be modified after the object has been created.
You then provide the data for the type of object you selected. Note that IP address lists are comma 
separated.
IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but 
not IP lists.
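The constraints just described (fixed IP version and type, comma-separated lists, and groups that accept addresses, networks and ranges but not lists) can be captured in a small object model. The following is an added example written for these notes, not Sophos code; the object names and addresses in `build_demo_group` are constructed, and the model is a hypothetical reconstruction of the behaviour the notes describe.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of XG Firewall IP host objects and groups (added example, not Sophos code).
# It enforces the constraints in the notes: the IP version and host type are fixed once the
# object exists, IP lists are comma separated, and groups cannot contain IP lists.
HOST_TYPES = ("ip", "network", "range", "list")


@dataclass(frozen=True)  # frozen: version and host_type cannot be modified after creation
class IPHost:
    name: str
    version: int       # 4 or 6
    host_type: str     # one of HOST_TYPES
    value: str         # address data in the form the type expects

    def __post_init__(self):
        if self.version not in (4, 6):
            raise ValueError(f"{self.name}: IP version must be 4 or 6")
        if self.host_type not in HOST_TYPES:
            raise ValueError(f"{self.name}: unknown host type {self.host_type!r}")
        self.entries()  # parse eagerly so a bad address is rejected at creation time

    def entries(self):
        """Parse `value` into address objects of the declared IP version."""
        addr_cls = ipaddress.IPv4Address if self.version == 4 else ipaddress.IPv6Address
        net_cls = ipaddress.IPv4Network if self.version == 4 else ipaddress.IPv6Network
        if self.host_type == "ip":
            return [addr_cls(self.value.strip())]
        if self.host_type == "network":
            return [net_cls(self.value.strip(), strict=False)]
        if self.host_type == "range":
            start, end = (addr_cls(p.strip()) for p in self.value.split("-"))
            if end < start:
                raise ValueError(f"{self.name}: range end precedes start")
            return [(start, end)]
        # "list": comma separated addresses
        return [addr_cls(p.strip()) for p in self.value.split(",") if p.strip()]

    def contains(self, address: str) -> bool:
        """True if `address` is covered by this object; a different IP version never matches."""
        addr = ipaddress.ip_address(address)
        if addr.version != self.version:
            return False
        entries = self.entries()
        if self.host_type == "network":
            return addr in entries[0]
        if self.host_type == "range":
            start, end = entries[0]
            return start <= addr <= end
        return addr in entries


@dataclass
class IPHostGroup:
    name: str
    members: list = field(default_factory=list)

    def add(self, host: IPHost) -> None:
        # Groups may contain IP addresses, networks and ranges, but not IP lists.
        if host.host_type == "list":
            raise ValueError(f"{self.name}: IP list {host.name!r} cannot be a group member")
        self.members.append(host)

    def contains(self, address: str) -> bool:
        return any(m.contains(address) for m in self.members)


def build_demo_group() -> IPHostGroup:
    """Constructed sample objects (not from the course) for trying the model."""
    group = IPHostGroup("Internal-Servers")
    group.add(IPHost("Server1", 4, "ip", "172.16.16.10"))
    group.add(IPHost("LAN-Net", 4, "network", "172.16.16.0/24"))
    group.add(IPHost("DHCP-Pool", 4, "range", "172.16.20.100-172.16.20.150"))
    return group


if __name__ == "__main__":
    g = build_demo_group()
    print(g.contains("172.16.20.120"), g.contains("10.1.1.1"))
```

Because the dataclass is frozen, any attempt to change `version` or `host_type` after creation raises an error, which mirrors the WebAdmin behaviour of not letting you edit those fields; creating a new object is the only way to change them.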
MAC Hosts
MAC host objects can be created for individual MAC addresses or MAC address lists.
The MAC host object has a name and then must be configured for a specific type, MAC address or 
MAC list, this cannot be changed once the object has been saved.
MAC address lists are comma separated.
FQDN Hosts
FQDN hosts are used to define fully qualified domain names.
FQDN host objects can include a wildcard prefix to resolve sub-domains, for example, 
*.sophos.com.
FQDN host groups allow you to create a collection of FQDN host objects to further simplify using 
objects in rules and policies.
Services
Service objects can be created for:
• TCP and UDP based on protocol, source and destination port
• IP based on protocol number
• ICMP and ICMPv6 based on the ICMP type and code
Each service object is for a single type, and can contain one or more definitions.
You can also create groups of service objects.
Country Groups
The XG Firewall maintains a geo IP database that maps IP addresses to countries, and this is 
automatically updated with the pattern definitions.
There are a number of predefined country groups that ship with the XG Firewall, which can be 
edited. You can also create custom groups of countries.
Profiles
Profiles are a collection of settings that can be defined and used when configuring protection 
features. There are profiles for:
• Schedule, which defines a period of time, either recurring or one-off
• Access time, that defines an allow or deny action for a schedule
• Surfing quota, which defines either recurring or one-off restrictions for browsing time
• Network traffic quota, for upload and download bandwidth quota restrictions
• Decryption, for controlling the decryption of TLS traffic
• And Device access, which defines access roles for admins logging into the WebAdmin
Interfaces and Routing
Zones
[Diagram: the XG Firewall with interfaces LAN 1 and LAN 2 in the LAN Zone, a Hosted Servers Zone 
(DMZ), and the Internet in the WAN Zone]
The XG Firewall is a zone-based firewall, and it is important to understand what a zone is before we 
proceed to look at interfaces and routing.
When we talk about zones on the XG Firewall, we mean a logical group of networks where traffic 
originates or is destined to. 
Each interface is associated with a single zone, which means that traffic can be managed between 
zones rather than by interface or network, simplifying the configuration.
Note that interfaces and zones are not equivalent; multiple interfaces can be associated with a 
zone and each zone can be made up of multiple networks.
Zones
The XG Firewall comes with five default zones, these are:
• LAN – this is the most secure zone by default and is for your internal networks
• WAN – this zone is used for external interfaces that provide Internet access
• DMZ – this zone is for hosting publicly accessible servers
• VPN – this is the only zone that does not have a physical port or interface assigned to it. When a 
VPN is established, either site-to-site or remote access, the connection is dynamically added to 
the zone and removed when disconnected
• WiFi – this zone is for providing security for wireless networks
With the exception of the VPN zone, the default zones can be customized.
Zones are managed and created in CONFIGURE > Network > Zones.
Creating Zones
Let’s take a look at how you can create your own zones.
When you create a custom zone you can choose between two types of zone, LAN or DMZ, which is 
used to indicate the level of trust for the zone. You cannot create additional VPN or WAN type 
zones as there can only be one of each of these.
You then customize the zone to define which services the XG Firewall provides and will be 
accessible, this is broken down into four categories:
• Admin services, for accessing and managing the XG Firewall
• Authentication services, for user authentication
• Network services, for PING and DNS
• And Other services, which controls access to things like the web proxy, wireless access point 
management, user portal and so forth
Configuring Interfaces
Interfaces are configured in CONFIGURE > Network > Interfaces. Interfaces have to be assigned to a 
zone, can be given a friendly name, and can be configured for IPv4 or IPv6 or both.
Now that you know how to create zones we will look at configuring interfaces.
By default interfaces are named after their hardware device ID, however you can give them a 
friendly name to make identifying them easier.
To begin configuring the network settings you have to assign the interface to a zone, this will 
determine what IP configuration can be set, as only interfaces in the WAN zone are configured with 
a gateway.
You can configure interfaces with IPv4 or IPv6 or both, either statically or by DHCP. IPv4 
configuration also supports configuration via PPPoE.
Interface Types
As well as being able to configure the network adapters in the XG Firewall, there are a number of 
other interface types that can be created. These are:
• BRIDGE: allows two or more interfaces to be used to create a transparent layer 2 or layer 3 
bridged interface for seamless communication between interfaces
• ALIAS: an additional IP address added to an interface
• VLAN: a virtual LAN interface created on an existing XG interface, used when the XG Firewall 
needs to perform inter-VLAN routing or tagging
• LAG: a group of interfaces acting as a single connection, which can provide redundancy and 
increased speed between two devices
• RED: used to connect Sophos Remote Ethernet Devices back to the XG Firewall
• TUNNEL: tunnel interfaces are created using a type of IPsec VPN that allows standard routing to 
be used to send traffic over the VPN
• WIFI: a wireless network where traffic is routed back to the XG Firewall from the access point 
instead of directly onto the network the access point is connected to
Additionally, you can create wireless interfaces and IPsec interfaces. 
These two interface types are created as part of configuring other functionality on the XG Firewall, 
IPsec VPNs and wireless networks using separate zone configuration.
Tunnel interfaces are created using a type of IPsec VPN, that allows standard routing to be used to 
send traffic over the VPN.
WIFI interfaces are created when a wireless network routes traffic back to the XG Firewall using 
separate zone configuration instead of to either the physical LAN the access point is connected to 
or a VLAN.
These will be covered in more detail later in this course.
WAN Link Manager
The WAN link manager is configured in CONFIGURE > Network > WAN link manager.
• Gateway type: Active or Backup
• Failover and failback behaviour
• Rules for detecting failed active gateways
The WAN Link Manager provides an at a glance view of the status of your WAN gateways. If you 
have multiple gateways you can configure them to be either active or backup, and for backup 
gateways configure the failover rules and behaviour.
Routing
[Diagram: route precedence, which is configurable (see the additional information below). Route 
types shown: SD-WAN Policy Routes, Static Routes (Directly Connected Networks, Dynamic Routing 
Protocols, Unicast Routes), VPN Routes, and the Default Route (WAN Link Manager)]
One of the primary functions of a firewall is routing packets from one network to another. The XG 
Firewall supports multiple methods for building and dynamically controlling the routing, which fall 
into three main types of route: SD-WAN policy routes, VPN routes, and static routes, and these are 
processed in order.
Policy routes make decisions based on the properties of the traffic, such as source, destination and 
service.
VPN routes are created automatically when VPN connections are established with the XG Firewall.
Static routes define the gateway to use based on the destination network. This includes directly 
connected networks and routes added by dynamic routing protocols.
When no other routing rule has been matched the XG Firewall will send the packets on the default 
route, which is the gateway derived from the load balancing configuration across active gateways.
Note that the precedence of policy routes, VPN routes and static routes can be modified on the 
command line.
[Additional Information]
The command for modifying the route precedence is: system route_precedence
The precedence within static routes is dependent on the specificity of the route and the distance 
metric. The more specific the route the higher the precedence, and the lower the distance the 
higher the precedence.
Static Routes
Static routes are configured in CONFIGURE > Routing > Static routes.
Let’s take a look at an example of a static route.
If you have a network that is not directly connected to the XG Firewall, the XG Firewall would send 
traffic destined for it to the default gateway.
If the traffic needs to take a different route, you can use a static route. Here you define the 
network where the traffic is destined, and you define what IP address the traffic should be sent to 
and via which interface.
SD-WAN Policy Routes
SD-WAN policy routes are configured in CONFIGURE > Routing > SD-WAN policy routes.
SD-WAN policy routes are very similar, except they can select traffic for routing on a much wider 
set of properties, and you can define more advanced routing options.
You can select the traffic you want to route based on:
• The interface it arrives at the XG Firewall on
• The source and destination networks
• The service
• DSCP marking
• User
• And application
In the ‘Routing’ section you can define a primary and backup gateway for the traffic. If you always 
want the traffic to be routed via a specific gateway and no other, you can optionally enable 
‘Override gateway monitoring decision’. This means the routing will not fail over to an alternative 
gateway even if the selected gateway is unavailable.
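The route selection described in the Routing, Static Routes and SD-WAN Policy Routes sections (policy routes matched on traffic properties with a primary and backup gateway, VPN routes, static routes ordered by prefix length and then distance, the default route from the active WAN gateways, and a configurable order between the three route types) can be walked through in code. This is an added example written for these notes, not Sophos code; the gateway and interface names, the networks in `build_demo_router`, and the assumption that a policy route whose gateways are all down falls through to the next route type are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not Sophos code): a model of the route lookup described in the course notes.


@dataclass
class Gateway:
    name: str
    up: bool = True  # outcome of gateway monitoring


@dataclass
class PolicyRoute:
    """SD-WAN policy route: selects traffic on properties beyond the destination."""
    name: str
    primary: Gateway
    backup: Optional[Gateway] = None
    in_interface: Optional[str] = None
    source: Optional[str] = None       # CIDR
    destination: Optional[str] = None  # CIDR
    service: Optional[str] = None      # e.g. "udp/5060"
    dscp: Optional[int] = None
    user: Optional[str] = None
    application: Optional[str] = None
    override_gateway_monitoring: bool = False  # 'Override gateway monitoring decision'

    def matches(self, pkt: dict) -> bool:
        for key in ("in_interface", "service", "dscp", "user", "application"):
            want = getattr(self, key)
            if want is not None and pkt.get(key) != want:
                return False
        for key in ("source", "destination"):
            want = getattr(self, key)
            if want is not None and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        return True

    def select_gateway(self) -> Optional[Gateway]:
        # With the override enabled the primary is always used, even when monitoring says it is down.
        if self.primary.up or self.override_gateway_monitoring:
            return self.primary
        if self.backup is not None and self.backup.up:
            return self.backup
        return None  # assumption: fall through to the next route type


@dataclass
class StaticRoute:
    destination: str   # CIDR; directly connected and dynamically learned routes share this table
    gateway: Gateway
    interface: str
    distance: int = 0  # lower distance wins between equally specific routes


def longest_prefix(table: list, dst: str) -> Optional[StaticRoute]:
    """Most specific route first; among equally specific routes, the lowest distance."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r.destination)]
    if not hits:
        return None
    return max(hits, key=lambda r: (ipaddress.ip_network(r.destination).prefixlen, -r.distance))


@dataclass
class Router:
    policy_routes: list = field(default_factory=list)
    vpn_routes: list = field(default_factory=list)
    static_routes: list = field(default_factory=list)
    active_gateways: list = field(default_factory=list)  # default route candidates (WAN Link Manager)
    # Processing order; on the appliance it is changed with 'system route_precedence' on the CLI.
    precedence: tuple = ("sdwan", "vpn", "static")

    def lookup(self, pkt: dict):
        """Return (route type, gateway name), or None when nothing, not even a default, applies."""
        for kind in self.precedence:
            if kind == "sdwan":
                for r in self.policy_routes:
                    if r.matches(pkt) and (gw := r.select_gateway()):
                        return ("sdwan", gw.name)
            else:
                table = self.vpn_routes if kind == "vpn" else self.static_routes
                r = longest_prefix(table, pkt["destination"])
                if r:
                    return (kind, r.gateway.name)
        for gw in self.active_gateways:  # default route: first active gateway that is up
            if gw.up:
                return ("default", gw.name)
        return None


def build_demo_router() -> Router:
    """Constructed sample topology (not from the course)."""
    isp1, isp2, core = Gateway("ISP1"), Gateway("ISP2"), Gateway("Core-Switch")
    return Router(
        policy_routes=[PolicyRoute("VoIP-via-ISP2", primary=isp2, backup=isp1, service="udp/5060")],
        vpn_routes=[StaticRoute("10.99.0.0/16", Gateway("HQ-Tunnel"), "xfrm1")],
        static_routes=[
            StaticRoute("10.20.0.0/16", core, "Port2", distance=1),
            StaticRoute("10.20.5.0/24", Gateway("Lab-Router"), "Port3", distance=5),
        ],
        active_gateways=[isp1, isp2],
    )
```

Changing `precedence` to `("static", "sdwan", "vpn")` on the demo router makes a destination covered by a static route win over a policy route that also matches, which is the effect of `system route_precedence` on the appliance: the individual routes are unchanged, only the order in which the three tables are consulted.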
Gateways
You can configure the gateways you want to use with SD-WAN policy routes in CONFIGURE > 
Routing > Gateways. This page shows all of your gateways, including those configured on WAN 
interfaces.
DNS and DHCP
DNS Settings
DNS is configured in CONFIGURE > Network > DNS.
The XG Firewall needs to be able to resolve hostnames and IP addresses. During the initial setup 
you will have set a DNS server; this can be modified in CONFIGURE > Network > DNS.
Here you can set how the XG Firewall obtains its DNS servers and set up to three DNS servers 
statically for IPv4 and IPv6.
DNS Server
XG Firewall also acts as a DNS server using its configured DNS servers to resolve and respond to 
requests. You can set how the XG Firewall handles the preference between IPv4 and IPv6 lookups.
You can also configure DNS records on the XG Firewall itself. These can include a reverse lookup 
from the IP address back to the hostname.
DNS Request Routes
Example from the slide: set the DNS server to use to look up hosts in the sophos.local domain, and 
the DNS server to use to look up IP addresses in the network 172.16.16.0/24.
If the XG Firewall is configured to use your ISP's DNS servers so that it can resolve hosts on the 
Internet, you can override this for specific domains and networks by configuring DNS request 
routes.
A DNS request route defines what DNS server should be used to look up hosts in the selected 
domain. Request routes can also be created for reverse lookups to define what DNS server should 
be used to look up IP addresses in the selected network.
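The selection a request route performs, forward lookups routed by domain suffix and reverse lookups routed by the network the queried address belongs to, is shown below as an added example written for these notes, not Sophos code. The sophos.local domain and the 172.16.16.0/24 network are the ones on the slide; the server addresses and the IPv6 reverse route are constructed. The example goes a little beyond the slide by also handling ip6.arpa reverse names.

```python
import ipaddress

# Added example (not Sophos code): how a DNS request route decides which server answers a query.
FORWARD_ROUTES = {"sophos.local": "172.16.16.5"}             # domain -> DNS server (slide example)
REVERSE_ROUTES = {"172.16.16.0/24": "172.16.16.5",            # network -> DNS server (slide example)
                  "2001:db8::/32": "172.16.16.5"}             # constructed IPv6 route
DEFAULT_SERVERS = ["203.0.113.53"]                           # ISP resolvers (constructed)


def reverse_name_to_ip(qname: str):
    """Turn a PTR query name (in-addr.arpa / ip6.arpa) back into an address, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.ip_address(".".join(reversed(labels[:-2])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexdigits = "".join(reversed(labels[:-2]))
        return ipaddress.ip_address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    return None


def choose_dns_server(qname: str) -> str:
    """Pick the server for a query: reverse routes for PTR names, forward routes by domain
    suffix (most specific wins), otherwise the firewall's configured default servers."""
    name = qname.rstrip(".").lower()
    addr = reverse_name_to_ip(name)
    if addr is not None:
        hits = [(ipaddress.ip_network(n), s) for n, s in REVERSE_ROUTES.items()
                if addr in ipaddress.ip_network(n)]
        if hits:
            return max(hits, key=lambda h: h[0].prefixlen)[1]
        return DEFAULT_SERVERS[0]
    # A label boundary is required: "evilsophos.local" must not match "sophos.local".
    hits = [(d, s) for d, s in FORWARD_ROUTES.items() if name == d or name.endswith("." + d)]
    if hits:
        return max(hits, key=lambda h: len(h[0]))[1]
    return DEFAULT_SERVERS[0]


if __name__ == "__main__":
    for q in ("fileserver.sophos.local", "www.sophos.com", "10.16.16.172.in-addr.arpa"):
        print(q, "->", choose_dns_server(q))
```

The label-boundary check matters in practice: a suffix comparison without the leading dot would send queries for any name merely ending in the configured text to the internal server.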
Dynamic DNS
Dynamic DNS is configured in CONFIGURE > Network > Dynamic DNS.
If your ISP assigns your IP through DHCP you can use a dynamic DNS provider to host a DNS record 
for this IP address, and have the XG Firewall update the IP address associated with it.
To configure dynamic DNS you enter the hostname and select the WAN interface it should resolve 
to. You then need to select your provider and enter your login details.
The Sophos dynamic DNS provider is free. You will need to use the format 
<hostname>.myfirewall.co.
DHCP Server
DHCP is configured in CONFIGURE > Network > DHCP. Each DHCP server is assigned to an interface 
and defines the range of IP addresses it will lease.
The XG Firewall can provide DHCP to any networks that are connected to it. Each DHCP server you 
configure on the XG Firewall can be either IPv4 or IPv6, and is bound to an interface.
DHCP Relay
A DHCP relay is configured with the interface where the clients are located and the IP address of 
the DHCP server to relay requests to.
The XG Firewall can also act as a DHCP relay, passing DHCP requests between clients and the DHCP 
server.
Device Access and Administration
Device Access
Device Access is configured in SYSTEM > Administration > Device Access.
When you create a zone you can configure which services it can access on the XG Firewall, this can 
also be managed on the Device Access page for all zones.
Local Service ACL Exceptions
You may not always want to enable or disable a service for a whole zone, in which case you can 
create a local service ACL exception rule.
In the example shown here, we are allowing access to the WebAdmin and SSH in the WAN zone, 
but only from the public IP address of the head office.
SSH Public Key Authentication
• Authenticate SSH access using keys
• Supported algorithms: RSA, DSA, ECDSA
• Supported key lengths: 1024, 2048, 4096
• Logged in /log/sshd.log
The admin user can be authenticated using public key authentication for SSH access. This provides 
a mechanism that can be used to provide access without needing to share the admin password, 
and it can be used to provide access to multiple users by uploading their public keys.
The XG Firewall supports RSA, DSA and ECDSA keys of 1024, 2048 and 4096 bits in length.
Keys can be created using a tool such as PuTTY Key Generator on Windows, or ssh-keygen on Linux.
Here you can see a key that has been generated using PuTTY.
The public key displayed here is uploaded to the XG Firewall.
The private key is then saved for the user connecting to authenticate themselves.
When the SSH connection is authenticated using keys, the thumbprint of the key is logged with the 
IP address that the connection was initiated from.
Example log extract from /log/sshd.log:
[10269] Jul 20 09:20:45 Child connection from 172.16.16.10:49634
[10269] Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634
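Because the fingerprint and the source address are both logged, the log can be checked against the list of keys you deliberately uploaded. The following is an added example written for these notes, not Sophos code: it parses the 'Pubkey auth succeeded' lines and reports logins with a fingerprint that is not on the allow-list or from outside the networks you expect administrators to connect from. The first two sample lines are the ones from the course notes; the remaining lines, the allow-list and the admin network are constructed for the example.

```python
import ipaddress
import re

# Added example (not Sophos code): audit public-key SSH logins recorded in /log/sshd.log.
# The first two lines are from the course; the remaining lines are constructed.
SAMPLE_LOG = """\
[10269] Jul 20 09:20:45 Child connection from 172.16.16.10:49634
[10269] Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634
[10302] Jul 20 11:02:13 Child connection from 198.51.100.77:51020
[10302] Jul 20 11:02:13 Pubkey auth succeeded for 'admin' with key sha1!! 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33 from 198.51.100.77:51020
"""

# Fingerprints of keys that were deliberately uploaded to the firewall (constructed allow-list).
KNOWN_KEYS = {
    "cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05": "admin-laptop",
}
# Networks from which admin SSH access is expected (constructed).
ADMIN_NETWORKS = [ipaddress.ip_network("172.16.16.0/24")]

PUBKEY_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"Pubkey auth succeeded for '(?P<user>[^']+)' with key (?P<hash>\w+)!! "
    r"(?P<fingerprint>[0-9a-f]{2}(?::[0-9a-f]{2})+) from (?P<ip>[\d.]+):(?P<port>\d+)$"
)


def parse_pubkey_logins(text: str) -> list:
    """Return one dict per successful public-key login; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = PUBKEY_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["pid"], ev["port"] = int(ev["pid"]), int(ev["port"])
            events.append(ev)
    return events


def audit_logins(events: list, known_keys: dict, admin_networks: list) -> list:
    """Flag logins with an unknown key fingerprint or an unexpected source address."""
    findings = []
    for ev in events:
        reasons = []
        if ev["fingerprint"] not in known_keys:
            reasons.append("unknown key fingerprint")
        src = ipaddress.ip_address(ev["ip"])
        if not any(src in net for net in admin_networks):
            reasons.append("source outside admin networks")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                             "fingerprint": ev["fingerprint"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_logins(parse_pubkey_logins(SAMPLE_LOG), KNOWN_KEYS, ADMIN_NETWORKS):
        print(f["ts"], f["user"], f["ip"], f["fingerprint"], "; ".join(f["reasons"]))
```

The allow-list is keyed by the SHA-1 fingerprint in the same colon-separated form the log uses, so the value to record for each uploaded key is the one PuTTY Key Generator or ssh-keygen shows for it when you generate the key.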
Certificates
Default ApplianceCertificate: used for the Admin Portal, User Portal and SSL VPN.
Add a certificate to the XG Firewall:
• Upload: upload a certificate signed by a trusted CA
• Generate Self-Signed: create a self-signed certificate that will be signed by the ‘Default’ 
signing CA
• Generate CSR: create a certificate signing request that will be signed by a trusted CA
The XG Firewall comes with a default certificate called ‘ApplianceCertificate’, which is used to 
provide HTTPS for the Admin Portal, User Portal and SSL VPNs. The common name on this certificate 
is the serial number of the appliance, which means that you will almost certainly get a certificate 
error when you log in.
Certificates can be added to the XG Firewall, and can then be selected to be used in place of the 
default ‘ApplianceCertificate’. There are three options for doing this:
Upload a certificate that has been signed by an external trusted certificate authority. This could be 
a third party company such as GlobalSign or an internal enterprise certificate authority. To upload a 
certificate you need to provide the certificate, private key, and the passphrase for decrypting the 
private key.
Generate a self-signed certificate. This will be generated and signed by the XG Firewall’s own 
‘Default’ signing certificate authority.
The third option is to generate a CSR and download it along with the private key and passphrase. 
This is a signing request for a certificate that can be signed by either a third party company or an 
internal enterprise certificate authority. Once you have the certificate you can then upload it to the 
XG Firewall.
Certificate Authorities
Verification CA
• Includes certificates for common trusted Internet root CAs
• Upload certificates for additional CAs
Signing CA
• Two default signing CAs
▪ Default: used for creating certificates
▪ SecurityAppliance_SSL_CA: used for HTTPS scanning and email TLS/SSL connections
• Upload additional CAs by providing the certificate and private key
• Can be selected for use in Web and Email protection
• Downloadable CRL
The XG Firewall comes preconfigured with the certificates for common trusted Internet root 
certificate authorities; these are used to verify the certificates of devices the XG Firewall connects 
to. You can also upload additional CA certificates that you want to trust, such as an internal 
enterprise CA that signs the certificates for your internal servers.
The XG Firewall also acts as a certificate authority, and so comes with two signing CAs.
The ‘Default’ signing CA is used for signing server certificates.
The ‘SecurityAppliance_SSL_CA’ is used for creating the certificates used in HTTPS web scanning 
and securing TLS/SSL email connections.
You can upload additional signing CAs by providing the private key with the CA certificate when you 
upload it. These CAs can then be selected for use in Web and Email Protection.
The Email CAs can be separately selected for SMTPS and IMAPS & POPS. This is done in EMAIL > 
General settings.
The Web CA for HTTPS scanning can be selected in Web > Protection.
Module Review
Now that you have completed this module, you should be able to:
• Configure an XG Firewall using the initial setup wizard
• Navigate the WebAdmin and manage objects
• Configure networking including zones, interfaces and routing
• Configure DNS and DHCP on the XG Firewall
• Manage device access and certificates
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Module 2 Simulations
Complete the following simulation tasks for Module 2:
• Task 2.1: Use the initial setup wizard to configure XG Firewall
• Task 2.2: Create definitions
• Task 2.3: Configure DNS request routes
• Task 2.4: Import CA certificates
• Task 2.5: Configure zones and interfaces
• Task 2.6: Configure static routes
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the network protection module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET803 – Network Protection
July 2020
Version: 18.0v3
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 3: Network Protection
Version: 18.0v3
Module 3: Network Protection - 139
Network Protection
TLS Decryption
• Creating TLS inspections rules
• Configuring TLS inspection settings and 
decryption profiles
Web Server Protection
• Creating basic web application firewall 
rules
Intrusion Prevention
• Creating IPS policies
• Configuring spoof protection and 
denial of service (DoS) protection
Firewall Rules and NAT
• Creating and managing firewall and 
NAT rules
Security Heartbeat
• Enabling and configuring security 
heartbeat
Advanced Threat Protection
• Enabling and configuring ATP
• Viewing ATP alerts and reports
In this module you will learn how to create and configure the different rules and policies that can 
be used to protect your network.
Firewall Rules and NAT
Firewall Rules
In this section we will cover firewall and NAT rules, the two things that are generally required to 
allow network traffic through XG Firewall.
There are three key things to remember when configuring firewall and NAT rule sets:
• Rules are processed in order from top to bottom
• The first rule to match is used
• If there is no matching firewall rule the traffic is dropped and logged
For NAT rules, if there is no matching rule then no NAT is applied to the traffic. Unlike with 
firewall rules, traffic is not blocked when no NAT rule is matched.
Creating Firewall Rules
Rule Properties
Let’s start by taking a look at how to create a basic firewall rule. In this example we will create a 
rule that allows web traffic from computers on the network out to the Internet.
In the top section you configure the properties including the rule position, group, action and 
whether to log traffic for the rule.
By default XG Firewall will try to place the rule in the most appropriate group based on the 
configuration of source and destination zone, and the type of firewall rule.
Matching Criteria
The matching criteria for the firewall rule cover source and destination zones and networks, 
services, and the ability to schedule when the rule will be active.
You can also match on users and groups, but this will be covered in the authentication module; for 
the moment we will just consider a network firewall rule.
Exclusions
You can exclude specific zones, networks and services from being matched by the firewall rule. This 
simplifies creating firewall rules where there are exceptions.
Module 3: Network Protection - 146
Creating Firewall Rules
Linked NAT
You can create NAT rules that are linked to firewall rules. Here you only need to configure the 
source NAT as all of the sources, destinations and services will have the same matching criteria as 
the firewall rule.
Linked NAT rules are primarily designed to ensure a smooth migration from earlier versions of XG 
Firewall where the NAT configuration was done as part of the firewall rule. To get the full benefit of 
XG Firewall we would recommend not creating new linked NAT rules.
We will cover NAT configuration in more detail shortly.
Module 3: Network Protection - 147
Creating Firewall Rules
Security Features
At the end of the firewall rule you can enable security features and select policies for web filtering, 
Security Heartbeat, IPS, application control and more.
Module 3: Network Protection - 148
Managing Firewall Rules
Now that you have seen how to create a firewall rule, let’s take a moment to look at how you can 
manage the firewall rules.
You can see the key details such as source, destination and service for each of the firewall rules, 
and where a field is truncated you can hover your mouse over it to see the full contents. On the 
right you can see which features have been enabled within the firewall rule, and if you hover over 
this you can see a full summary of the rule.
Module 3: Network Protection - 149
Managing Firewall Rules
[Slide callouts: rule position and rule ID; rule group; green icon for allow rules, red octagon for drop/reject rules, grey for disabled rules; icon types: web server protection firewall rule, network rule, user rule]
There are two numbers for each firewall rule: the first is the rule position, and this will be updated 
if you move a rule, which can be done by dragging and dropping. Each rule also has an ID, which is 
its unique reference and will not change. The important thing to note is that the rule ID does not 
reflect the rule position; they can be, and usually will be, different.
You will notice that firewall rules use different icons, green icons for allow rules, red for drop or 
reject, and grey for disabled.
Each icon also shows what type of rule it is:
• Web server protection firewall rule, for protecting web servers
• Network rule, where traffic is matched only on network properties
• User rule, where the XG Firewall also matches on user identity
Module 3: Network Protection - 150
Managing Firewall Rules
Along the top of the Firewall rules tab are common filters that can be applied using the drop-down 
menus. You can also add more detailed filters based on any field in the firewall rule.
Module 3: Network Protection - 151
Managing Firewall Rules
On the right-hand side of each rule is an ellipsis menu that provides additional controls, including:
• Resetting the data counter for the rule, which can be useful when troubleshooting
• Moving the rule to a specific position
• Cloning the rule
• Adding a new rule above or below it
• Adding the rule to a group or detaching it from a group
• Deleting, enabling or disabling the rule
Module 3: Network Protection - 152
Managing Firewall Rules
[Slide: rule group matching criteria, with rule type options Any, User/network, Network, User and WAF]
When we looked at creating a firewall rule we said that XG Firewall will try to add the rule to the 
most appropriate group based on the configuration you select.
To add a new group use the option from the ellipsis menu. Here you can configure the matching 
criteria that will be used for assigning rules to groups automatically.
Module 3: Network Protection - 153
NAT Rules
• You can create a linked NAT rule that matches on the same criteria as the firewall rule it is linked to
• We recommend configuring NAT rules independently using the NAT table
• NAT rules still require firewall rules to allow traffic
As we mentioned earlier, you can create linked NAT rules for source NATing from within the firewall 
rule configuration, however, this is primarily designed to support the migration of configuration 
from version 17.5. We recommend configuring NAT rules independently using the NAT table to 
support more powerful and flexible configuration scenarios, including SNAT (source NAT) and DNAT 
(destination NAT) in a single rule.
Note that NAT rules still require a firewall rule to allow the traffic!
You generally need far fewer NAT rules than firewall rules, so creating them separately allows you 
to simplify your configuration. In simple environments you may only need a single blanket 
outbound masquerading rule rather than having it configured individually in each firewall rule.
Module 3: Network Protection - 154
Managing NAT Rules
Video on using NAT
In the NAT tab you can manage the NAT ruleset, reorder the rules and see how many connections 
each of the rules has translated.
From the menu for each rule you can reset the usage counter, and in the case of linked NAT rules, 
unlink them from their associated firewall rule.
When adding NAT rules you can either create a NAT rule, or for DNAT scenarios use the server 
access assistant to create both the firewall rule and NAT rules.
There is also a button at the top of the page to a video that explains NAT configuration in depth.
Module 3: Network Protection - 155
Configuring NAT Rules
[Slide: NAT rule form showing the matching criteria, the translations, and the option Override source translation for specific outbound interfaces]
Within the NAT rule, you configure the matching criteria on the original source, destination and 
service, and any translations that need to be made. This design allows you to configure the NATing
of source, destination, service, and interface in a single rule.
You can also match on the inbound and outbound interfaces.
By enabling the option Override source translation for specific outbound interfaces you can select 
different source NATs based on the outbound interface all within a single rule.
At the bottom of the NAT rule you can optionally choose to create a:
• Loopback policy: used when an internal user wants to access an internal server using its public 
hostname or IP address
• Reflexive policy: allows traffic to traverse the NAT in the opposite direction
In the Advanced section are the load-balancing settings for the NAT rule. This can only be 
configured when the destination is an IP range.
Module 3: Network Protection - 156
Masquerading SNAT Scenario
[Diagram: XG Firewall interfaces WAN: Port2, DMZ: Port6, LAN: Port1, LAN: VLAN33]
Let’s consider the scenario here where we want to perform a masquerading SNAT on all of the 
traffic going out on WAN Port2. We can create a single NAT rule for this.
Module 3: Network Protection - 157
Default SNAT Rule
[Slide: the default SNAT rule, showing its matching criteria and translation]
Here you can see the default SNAT rule that satisfies the scenario. The rule matches on the 
outbound interface and applies the MASQ NAT policy to the source address.
MASQ is the default masquerading policy and will change the source IP address to be the same as 
the interface the traffic is leaving through.
Module 3: Network Protection - 158
DNAT Scenario
[Diagram: Client connects to the IP address of #Port2 on port 80; XG Firewall translates the destination to the server at IP address 172.30.30.50 in zone DMZ]
Another common use case is using destination NAT (DNAT) to publish an application to the 
Internet. To do this you use a network firewall rule to allow the traffic and a NAT rule to 
perform the destination translation.
If we look at an example, we might have a web-based application on an internal server in the DMZ 
that we want to publish on a public IP address assigned on the WAN port, in this case #Port2.
When the user connects to port 80 using the public IP address we want to change the destination 
to the internal server.
Module 3: Network Protection - 159
Server Access Assistant (DNAT)
Let’s have a look at using the server access assistant to create a DNAT and firewall rule for this 
scenario.
Start by selecting the internal server, or enter the IP address and an IP host object will be created 
for it.
Choose the interface that users will connect to when accessing the internal server.
Alternatively you can enter the IP address that users will be connecting to and an IP host object will 
be created for it.
Module 3: Network Protection - 160
Server Access Assistant (DNAT)
Select the services you want to access on the internal server and the source networks allowed.
Module 3: Network Protection - 161
Server Access Assistant (DNAT)
Review the summary of the configuration selected then click Save and finish.
Module 3: Network Protection - 162
Firewall Rule
[Slide: the generated firewall rule, with callouts for the destination zone (zone of the internal server) and the destination network (interface on the XG Firewall)]
Here you can see the firewall rule created by the server access assistant. 
Note that the destination zone is the zone the internal server is in, and the destination network is 
the interface on the XG Firewall that the user will connect to.
You can edit this firewall rule and enable additional protection such as IPS.
Module 3: Network Protection - 163
DNAT Rules
Here you can see the three NAT rules created by the server access assistant, the DNAT rule, the 
loopback rule and the reflexive rule.
You can further modify the DNAT rule. For example, you may also want to translate the port.
Module 3: Network Protection - 164
[Diagram: Reflexive Policy: Application Server to the Internet via SNAT (Masquerade); Loopback Policy: Internal User to app.sophostraining.xyz, with SNAT applied before the connection reaches the Application Server]
Reflexive and Loopback Policies
Reflexive rules create an SNAT from internal sources, for example, from a protected server to the 
Internet. In our previous example it would effectively create a masquerading rule for traffic from 
the application server.
Loopback rules are used when internal users use the public IP address or hostname to access a 
resource, and it performs an SNAT on the connection.
Note that these can only be created automatically when creating new NAT rules and not when 
editing.
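The masquerading SNAT rule, the DNAT scenario (#Port2, port 80, server 172.30.30.50) and the loopback and reflexive policies above, worked through as one added Python model that is not Sophos code. A NAT rule matches on original source, destination, service and inbound/outbound interface and carries the SNAT and DNAT translations; the first matching rule is applied and no match leaves the connection unchanged. The interface addresses, the LAN network and the order of the three assistant-generated rules are assumptions; routing of the translated connection is taken as given through the `out_iface` field.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example, not Sophos code. Interface addresses are constructed from the
# documentation ranges; 172.30.30.50 and #Port2 come from the DNAT scenario.
IFACE_IP = {"Port1": "10.0.0.1", "Port2": "203.0.113.10", "Port6": "172.30.30.1"}
PUBLIC_IP = IFACE_IP["Port2"]      # public address of WAN #Port2
APP_SERVER = "172.30.30.50"        # application server in the DMZ
LAN_NETS = ["10.0.0.0/8"]          # assumed internal networks

@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    dst_port: int
    in_iface: str
    out_iface: str

@dataclass
class NatRule:
    name: str
    src_nets: List[str] = field(default_factory=list)      # empty list = any
    dst_ips: List[str] = field(default_factory=list)
    dst_ports: List[int] = field(default_factory=list)
    in_ifaces: List[str] = field(default_factory=list)
    out_ifaces: List[str] = field(default_factory=list)
    snat: Optional[str] = None        # "MASQ" = address of the outbound interface, else a fixed IP
    dnat: Optional[str] = None        # translated destination address
    dnat_port: Optional[int] = None   # translated destination port (service translation)

    def matches(self, c: Conn) -> bool:
        src_ok = not self.src_nets or any(ip_address(c.src_ip) in ip_network(n) for n in self.src_nets)
        return (src_ok
                and (not self.dst_ips or c.dst_ip in self.dst_ips)
                and (not self.dst_ports or c.dst_port in self.dst_ports)
                and (not self.in_ifaces or c.in_iface in self.in_ifaces)
                and (not self.out_ifaces or c.out_iface in self.out_ifaces))

def translate(rules: List[NatRule], c: Conn) -> Tuple[Optional[str], Conn]:
    """Apply the first matching NAT rule; no match leaves the connection untouched."""
    for r in rules:
        if r.matches(c):
            out = c
            if r.dnat:
                out = replace(out, dst_ip=r.dnat, dst_port=r.dnat_port or out.dst_port)
            if r.snat == "MASQ":
                out = replace(out, src_ip=IFACE_IP[out.out_iface])
            elif r.snat:
                out = replace(out, src_ip=r.snat)
            return r.name, out
    return None, c

# The three rules the server access assistant would produce (their order is assumed),
# followed by the single blanket outbound masquerading rule.
NAT_TABLE = [
    NatRule("DNAT app", dst_ips=[PUBLIC_IP], dst_ports=[80], in_ifaces=["Port2"], dnat=APP_SERVER),
    # loopback: internal users hitting the public IP; SNAT so the server replies via the firewall
    NatRule("Loopback app", src_nets=LAN_NETS, dst_ips=[PUBLIC_IP], dst_ports=[80],
            dnat=APP_SERVER, snat="MASQ"),
    # reflexive: the server's own outbound traffic is masqueraded on the WAN interface
    NatRule("Reflexive app", src_nets=[APP_SERVER + "/32"], out_ifaces=["Port2"], snat="MASQ"),
    NatRule("Default SNAT", out_ifaces=["Port2"], snat="MASQ"),
]

def demo() -> dict:
    """Constructed connections covering each rule plus one that no rule matches."""
    cases = {
        "internet_to_app": Conn("198.51.100.7", PUBLIC_IP, 80, "Port2", "Port6"),
        "lan_to_public_ip": Conn("10.0.0.5", PUBLIC_IP, 80, "Port1", "Port6"),
        "app_to_internet": Conn(APP_SERVER, "198.51.100.9", 443, "Port6", "Port2"),
        "lan_to_internet": Conn("10.0.0.5", "198.51.100.9", 443, "Port1", "Port2"),
        "lan_to_app_direct": Conn("10.0.0.5", APP_SERVER, 80, "Port1", "Port6"),
    }
    return {name: translate(NAT_TABLE, c) for name, c in cases.items()}

if __name__ == "__main__":
    for name, (rule, conn) in demo().items():
        print(f"{name:18} -> {rule}: {conn}")
```

The model keeps the firewall's own rule that NAT never permits traffic by itself; each of these connections would still need a matching firewall rule to be allowed, and the `lan_to_app_direct` case shows that traffic addressed to the server's real IP needs no translation at all.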
Module 3: Network Protection - 165
TLS Decryption
Module 3: Network Protection - 166
SSL/TLS Inspection Rules
• SSL inspection engine that is port and application agnostic
• SSL policy is separate from firewall policies
• Decrypted packets are sent to IPS, application control, web filtering and antivirus
The SSL inspection engine in XG Firewall is port and application agnostic, it doesn’t know or care 
about what higher level applications are being used. 
The SSL policy for the inspection engine is separate from firewall rules, this allows you to create 
and apply policies to traffic without the complexity of having to consider the ordering and 
matching of firewall rules.
The SSL inspection engine sends decrypted packets to IPS, application control, web filtering and 
antivirus for checking. 
Module 3: Network Protection - 167
SSL/TLS Inspection Rules
Here you can see a set of SSL/TLS inspection rules.
The first excludes specific websites from being decrypted and uses two lists, a local list where you 
can add websites to exclude, and a list managed by Sophos of websites where we know SSL 
inspection causes problems. An example of when this may happen is where there is mutual 
authentication by the server and the client or application. These two lists of websites can be 
viewed in PROTECT > Web > URL Groups, and in the case of the Local TLS exclusion list you can 
edit it. Note that the Sophos managed list is fixed in v18 but will be dynamic in the future.
Module 3: Network Protection - 168
SSL/TLS Inspection Rules
I have created the next three rules which do the following:
• Enforce strict decryption for users in finance or the board
• Apply a more relaxed and compatible policy to specific domains that require it
• Decrypt all other LAN to WAN traffic and block insecure SSL
Module 3: Network Protection - 169
SSL/TLS Inspection Settings
From the top of the SSL/TLS inspection rules tab you can open the SSL/TLS inspection settings; 
these are generic engine-based settings that will apply globally to all rules.
There are three sections:
• The certificate authorities to use for resigning RSA and EC certificates
• How to handle non-decryptable traffic, this is either insecure traffic that is not supported by 
SSL/TLS decryption, or what to do if the XG Firewall reaches its connection limit. The connection 
limit is a fixed value based on the model of the XG Firewall
• TLS 1.3 compatibility. TLS 1.3 is still fairly new and not widely adopted, so there is an option to 
either decrypt as TLS 1.3 or to downgrade to TLS 1.2
Module 3: Network Protection - 170
SSL/TLS Inspection Rules
[Slide callouts: actions Decrypt, Do not decrypt, Deny; decryption profile with certificate, protocol and cipher settings; match on categories and websites; match on synchronized security identified applications; matching criteria the same as firewall rules]
Let’s take a look at how you would configure a rule.
SSL/TLS inspection rules can be configured to:
• Decrypt matched traffic, when you want to scan the contents
• Not decrypt matched traffic, when it will cause problems with the site or application
• Deny the matched traffic
Each rule has a decryption profile that is a collection of certificate, protocol and cipher settings. We 
will look at decryption profiles in more detail shortly.
The matching criteria for SSL/TLS inspection rules is the same as for firewall rules, but with the 
addition of being able to match on categories of websites and synchronized security identified 
applications.
Module 3: Network Protection - 171
Decryption Profiles
Decryption profiles are configured in:
SYSTEM > Profiles > Decryption profiles
Decryption profiles are a collection of settings that are applied on a rule-by-rule basis.
There are three default decryption profiles provided:
• Maximum compatibility, this is the most relaxed profile and is focused on trying to ensure 
restrictions do not cause any unexpected problems
• Block insecure, this blocks known weak protocols and ciphers
• Strict compliance, which is for people that need to meet stricter compliance standards such as PCI
Module 3: Network Protection - 172
Decryption Profiles
You can also create your own custom decryption profiles, either from scratch or by cloning an 
existing profile.
There are three main sections to the profile:
• Re-signing certificate authority, which can either use the CAs defined in the SSL/TLS settings, or 
they can be overridden
• Non-decryptable traffic, where you can specify a different set of actions from the SSL/TLS 
settings
Module 3: Network Protection - 173
Decryption Profiles
• Enforcement rules, where you can block specific protocols, ciphers and certificate errors. These 
can be used to enforce security settings to meet compliance criteria
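How a rule action, a decryption profile's enforcement rules and its non-decryptable traffic setting combine, as an added Python example that is not Sophos code. The three built-in profile names are from the slides, but the protocol minimum, the weak-cipher markers, the certificate-error set and the non-decryptable action assigned to each are assumptions chosen to illustrate the idea; the handshakes are constructed.

```python
from dataclasses import dataclass, field, replace
from typing import Set, Tuple

# Added example, not Sophos code. Profile thresholds below are assumptions used
# to illustrate the three built-in profiles, not the product's actual settings.
TLS_VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")
CERT_ERRORS = {"expired", "untrusted_ca", "name_mismatch", "self_signed"}

@dataclass
class DecryptionProfile:
    name: str
    min_version: str                     # lowest protocol version the profile allows
    block_weak_ciphers: bool
    blocked_cert_errors: Set[str] = field(default_factory=set)
    nondecryptable_action: str = "allow"  # "allow" or "deny" traffic the engine cannot decrypt

PROFILES = {
    "Maximum compatibility": DecryptionProfile("Maximum compatibility", "SSLv3", False),
    "Block insecure": DecryptionProfile("Block insecure", "TLSv1.1", True, {"untrusted_ca"}),
    "Strict compliance": DecryptionProfile("Strict compliance", "TLSv1.2", True,
                                           set(CERT_ERRORS), "deny"),
}
# A custom profile cloned from a built-in one, as the slides describe.
PROFILES["Block insecure + cert errors"] = replace(
    PROFILES["Block insecure"], name="Block insecure + cert errors",
    blocked_cert_errors={"untrusted_ca", "expired"})

@dataclass(frozen=True)
class Handshake:
    """What the inspection engine learns from one TLS connection (constructed)."""
    version: str
    cipher: str
    cert_errors: frozenset = frozenset()
    decryptable: bool = True   # False e.g. for mutual (client certificate) authentication

def evaluate(rule_action: str, profile: DecryptionProfile, hs: Handshake) -> Tuple[str, str]:
    """rule_action is the SSL/TLS inspection rule action: decrypt, do_not_decrypt or deny."""
    if rule_action == "deny":
        return "deny", "rule action"
    if rule_action == "do_not_decrypt":
        return "allow", "rule excludes traffic from decryption"
    if not hs.decryptable:
        return profile.nondecryptable_action, "non-decryptable traffic"
    if TLS_VERSIONS.index(hs.version) < TLS_VERSIONS.index(profile.min_version):
        return "deny", f"{hs.version} is below the profile minimum {profile.min_version}"
    if profile.block_weak_ciphers and any(m in hs.cipher for m in WEAK_CIPHER_MARKERS):
        return "deny", f"weak cipher {hs.cipher}"
    bad = set(hs.cert_errors) & profile.blocked_cert_errors
    if bad:
        return "deny", "certificate error: " + ", ".join(sorted(bad))
    return "decrypt", "handshake meets the profile"

if __name__ == "__main__":
    good = Handshake("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")
    legacy = Handshake("TLSv1.0", "RC4-SHA")
    mtls = Handshake("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", decryptable=False)
    for name, prof in PROFILES.items():
        for hs in (good, legacy, mtls):
            print(f"{name:30} {hs.version:8} {hs.cipher:28} -> {evaluate('decrypt', prof, hs)}")
```

The order of the checks mirrors the slide: the rule's own action comes first, then the profile's handling of traffic that cannot be decrypted (the mutual-authentication case from the exclusion-list discussion), and only then the enforcement rules for protocol, cipher and certificate errors.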
Module 3: Network Protection - 174
Catch-all TLS Rule Example
In this example we create a catch-all TLS inspection rule for traffic going to the WAN zone from the 
client networks.
Start by giving the rule a descriptive name, set the rule position and select the action.
Select a decryption profile, that defines the resigning CAs, acceptable ciphers and how to handle 
non-decryptable traffic.
Configure the source and destination settings in the same way that you would for a firewall rule, in 
this case to select traffic from clients to the Internet.
You can optionally further restrict the rule to apply to specific applications and websites.
Module 3: Network Protection - 175
Web Server Protection
Module 3: Network Protection - 176
Web Server Protection
[Diagram: Client connects to the WAN address of the XG Firewall, which proxies the connection to the web server (IP address of web server, zone DMZ); protect against attacks and exploits, harden forms, sign cookies and scan for malware]
By their very nature, web servers need to be accessible from the Internet, but this makes them 
targets for attackers who may be trying to extract data or install malware to compromise other 
users visiting the website.
Web Server Protection acts as a reverse proxy protecting web servers on the internal network or 
DMZ from inbound traffic. Web Server Protection uses a web application firewall to filter traffic, 
harden forms, sign cookies and scan for malware.
Web Server Protection can also authenticate incoming connections with a username and password 
before they even reach the web server.
Module 3: Network Protection - 177
Configuration
[Slide callouts: define a web server to protect, either HTTP or HTTPS; control which security functions are enabled; optionally authenticate users before they reach the server]
Web server protection is made up of several parts:
• Web servers define a server to protect for either HTTP or HTTPS
• Protection policies control which security functions are enabled
• Optionally you can create authentication policies to authenticate users before they even reach 
the web server
• Web application firewall rule, which brings this configuration together
Module 3: Network Protection - 178
Web Application Firewall Rules
To create a web application firewall rule, start creating a firewall rule as normal, then in the ‘Action’ 
field select Protect with web server protection.
Module 3: Network Protection - 179
Web Application Firewall Rules
[Slide callouts: server to be protected; access control; protection options; exceptions and advanced options]
In the web application firewall rule you:
• Select the web server to protect
• Configure access control settings, this includes allowed and blocked clients and networks and 
optionally selecting an authentication policy
• Select the protection, IPS and traffic shaping policies
• Configure exceptions and enable advanced options for compatibility
Module 3: Network Protection - 180
Intrusion Prevention
Module 3: Network Protection - 181
Intrusion Prevention Overview
Intrusion prevention on XG Firewall has three parts:
• IPS policies that are applied to firewall rules to protect against exploits and malformed 
traffic
• DoS protection, which drops traffic that is maliciously trying to prevent legitimate traffic from 
being able to access services
• Spoof protection, which drops traffic that is trying to pretend to come from a different MAC or 
IP address to bypass protection
Module 3: Network Protection - 182
IPS Policies
IPS policies are configured in:
PROTECT > Intrusion prevention > IPS policies
Let’s start with IPS policies.
XG Firewall comes with a number of predefined IPS policies, which can be found in PROTECT > 
Intrusion prevention > IPS policies. These policies cover most of the everyday scenarios that you 
would encounter on an average network.
Module 3: Network Protection - 183
IPS Policies
Optionally clone rules from an existing IPS policy
Maximum 15 characters
When you create a new IPS policy you give it a name, limited to fifteen characters, and a 
description. You can then optionally select to clone the rules from an existing policy. You have to 
save the policy at this point so that if you have selected to clone rules they can be added. You can 
then edit the policy.
Module 3: Network Protection - 184
IPS Policies
Drag and drop to order rulesets
The policy is an ordered list of rulesets, with each line defining an action for one or more rules.
Module 3: Network Protection - 185
IPS Policies
Free-text filter
All filtered signatures or 
selected signatures only
Recommended action for the signature
When you add or edit a rule you can quickly and easily select the desired IPS patterns by category, 
severity, platform, and target type, with support for persistent smart filter lists that will 
automatically update as new patterns are added that match the selected criteria.
For example, you can use the smart filter to select all signatures that relate to a specific 
application.
You can choose to include all of the signatures returned by the filters or only selected signatures. 
Note that if you choose only selected signatures the rule cannot update the included signatures 
automatically.
At the bottom of the rule you can select the action you want to take. One of these actions is 
‘Recommended’. You will notice that each signature has a recommended action associated with it 
that can be used, or you can override this with the action applied to the rule.
The XG Firewall includes the Talos commercial IPS signature library from Cisco. We augment the 
Talos library with additional signatures as required to ensure optimal intrusion protection. 
For those wondering, Talos is a highly respected network security analysis group working around 
the clock to respond to the latest trends in hacking, intrusions, and malware… just like our own 
SophosLabs. So this is a great partnership that bolsters our IPS protection and also provides more 
granular IPS policy controls.
Module 3: Network Protection - 186
Spoof Protection
[Slide callouts: drop if source IP does not match an entry on the firewall's routing table; drop packets that are not from a trusted MAC address; drop packets if source IP and MAC do not match a trusted MAC address; if spoof protection is misconfigured you can lock yourself out of the XG Firewall]
In addition to the protection that can be configured in IPS policies, there are denial of service (DoS) 
and spoof protection services that can be enabled.
We will start with the spoof protection, which has three modes of protection that can be enabled 
per-zone:
• IP spoofing – packets will be dropped if the source IP address does not match an entry on the 
firewall's routing table
• MAC filter – packets will be dropped if the source MAC address is not configured as a trusted 
MAC
• IP-MAC pair filter – packets will be dropped if the IP and MAC do not match any entry in 
the IP-MAC trusted list
The MAC filter cannot be enabled until at least one entry is added to the trusted MAC list.
In addition to these three modes, there is the option to restrict unknown IP on Trusted MAC. With 
this option enabled, any traffic from an unknown IP address on a trusted MAC address is dropped.
Note that if spoof protection is misconfigured you can lock yourself out of the XG Firewall.
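The three spoof protection modes and the restrict-unknown-IP option, as an added Python model that is not Sophos code. The routing table, trusted MAC list and IP-MAC pairs are constructed, and the IP spoofing check is implemented as a reverse-path test (the source address must be reachable through the interface the packet arrived on), which is one reading of "matches an entry on the routing table" and is an assumption here.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not Sophos code. Routing table, trusted MACs and IP-MAC pairs are constructed.
ROUTING_TABLE = [("10.0.0.0/24", "Port1"), ("172.30.30.0/24", "Port6"), ("0.0.0.0/0", "Port2")]
TRUSTED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
TRUSTED_IP_MAC = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.6": "00:11:22:33:44:66"}

class SpoofProtection:
    """Spoof protection settings for one zone, applied to packets arriving on an interface."""

    def __init__(self, routing_table: List[Tuple[str, str]], trusted_macs: Iterable[str] = (),
                 trusted_ip_mac: Optional[Dict[str, str]] = None, *, ip_spoofing: bool = False,
                 mac_filter: bool = False, ip_mac_pair: bool = False,
                 restrict_unknown_ip: bool = False):
        self.routes = [(ip_network(n), iface) for n, iface in routing_table]
        self.trusted_macs = set(trusted_macs)
        self.trusted_ip_mac = dict(trusted_ip_mac or {})
        if mac_filter and not self.trusted_macs:   # same constraint the UI enforces
            raise ValueError("MAC filter needs at least one entry in the trusted MAC list")
        self.ip_spoofing, self.mac_filter = ip_spoofing, mac_filter
        self.ip_mac_pair, self.restrict_unknown_ip = ip_mac_pair, restrict_unknown_ip

    def route_interface(self, ip: str) -> Optional[str]:
        """Longest-prefix match: the interface the firewall would use to reach ip."""
        addr, best = ip_address(ip), None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def check(self, src_ip: str, src_mac: str, in_iface: str) -> Tuple[str, str]:
        # IP spoofing: the source must be reachable through the interface the packet
        # arrived on (reverse-path reading of "matches the routing table"; an assumption).
        if self.ip_spoofing and self.route_interface(src_ip) != in_iface:
            return "drop", f"ip-spoofing: {src_ip} is not routed via {in_iface}"
        if self.mac_filter and src_mac not in self.trusted_macs:
            return "drop", f"mac-filter: {src_mac} is not a trusted MAC"
        if self.ip_mac_pair and self.trusted_ip_mac.get(src_ip) != src_mac:
            return "drop", f"ip-mac-pair: {src_ip}/{src_mac} is not a trusted pair"
        if (self.restrict_unknown_ip and src_mac in self.trusted_macs
                and self.trusted_ip_mac.get(src_ip) != src_mac):
            return "drop", f"unknown IP {src_ip} on trusted MAC {src_mac}"
        return "accept", "passed spoof protection"

if __name__ == "__main__":
    lan = SpoofProtection(ROUTING_TABLE, TRUSTED_MACS, TRUSTED_IP_MAC, ip_spoofing=True,
                          mac_filter=True, ip_mac_pair=True, restrict_unknown_ip=True)
    for pkt in (("10.0.0.5", "00:11:22:33:44:55", "Port1"),     # known host, right interface
                ("8.8.8.8", "00:11:22:33:44:55", "Port1"),      # WAN source arriving on LAN
                ("10.0.0.7", "aa:bb:cc:dd:ee:ff", "Port1"),     # unknown MAC
                ("10.0.0.7", "00:11:22:33:44:55", "Port1")):    # trusted MAC, wrong IP
        print(pkt, "->", lan.check(*pkt))
```

The lock-out warning on the slide maps directly onto this model: enabling the MAC filter or IP-MAC pair filter on the zone you administer from, without first listing the MAC (and IP) of your management workstation, causes `check` to drop your own sessions. The `ValueError` only models the empty-list case.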
Module 3: Network Protection - 187
Denial of Service (DoS) Protection
DoS protection is applied globally to all traffic passing through the XG Firewall
A denial of service (DoS) attack is a method that hackers use to prevent or deny legitimate users’ 
access to a service. DoS attacks are typically executed by sending many request packets to a 
targeted server, which floods the server’s resources and makes the system unusable. The goal is not 
to steal information, but to disable or deprive a device or network so that users no longer have 
access to the network services or resources.
All servers can handle traffic volume up to a maximum, beyond which they become unusable. 
Attackers send a very high volume of redundant traffic to a system so that it cannot keep up with the 
bad traffic and still allow permitted network traffic. The best way to protect against a DoS attack is to 
identify and block such redundant traffic.
Here we can see the configuration for a SYN flood attack. You can set the allowed packet rate per 
minute for each source and destination, as well as a burst rate for each source and destination in 
packets per second. 
When the burst rate is crossed, Sophos XG Firewall considers it an attack and provides DoS attack 
protection by dropping all of the excess packets from the particular source or destination. 
The firewall will continue to drop the packets until the attack subsides. Because the device applies 
threshold values per IP address, only traffic from the particular source or destination will be 
dropped. The rest of the network traffic will continue to be processed as normal.
Note that DoS protection is applied globally to all traffic passing through the XG Firewall.
Module 3: Network Protection - 188
Security Heartbeat
Module 3: Network Protection - 189
Security Heartbeat
• Intelligent communication between Sophos Central managed endpoints and XG Firewall
• Regular heartbeat sent to XG Firewall with current status
• Notification sent to XG Firewall when events occur
• XG Firewall can request additional information from the endpoint about processes accessing the network
The Security Heartbeat provides intelligent communication between endpoints that are managed 
in Sophos Central and the XG Firewall so that they can coordinate their response to threats.
The computer sends a small regular heartbeat to the XG Firewall to identify itself and show that it 
is still active and protected.
When an event occurs, such as a malware detection, information about the event is shared with 
the XG Firewall.
The computer announces its health status to the XG Firewall, which can be either GREEN, YELLOW 
or RED.
If the XG Firewall detects an advanced attack, it can request additional details from the endpoint 
such as the process name.
The XG Firewall can use the heartbeat and health information from endpoints to control access to 
hosts and networks.
Module 3: Network Protection - 190
Security Heartbeat Status
GREEN – No risk – no action is required
• Endpoint Agent is running
• No active or inactive malware
• No PUAs detected
YELLOW – Medium risk – action may be required
• Endpoint Agent is running
• Inactive malware detected or PUA detected
• Endpoint Agent is out of date
RED – High risk – action is required
• Endpoint Agent may not be running/devices may not be protected
• Active malware or malware not cleaned up, malicious network traffic (e.g., to a known 
command and control network), or communication to a known bad host
Here you can see what each heartbeat status means.
If a computer has a GREEN status, this means that the Endpoint Agent is running (so the computer 
is protected) and no active or inactive malware or PUAs (Potentially Unwanted Applications) have 
been detected.
If the computer has a YELLOW status, the Endpoint Agent is running so the computer is still 
protected, but inactive malware or a PUA has been detected. It can also indicate that the Endpoint 
Agent is out of date.
When a computer has a RED status, it can indicate that the Endpoint Agent may not be running, so 
the computer may not be protected. Alternatively, it could mean that active malware has been 
detected or malware has not been cleaned up, that malicious network traffic has been detected, or 
that there has been communication to a known bad host.
Module 3: Network Protection - 191
How Security Heartbeat Works
[Diagram: Computer, XG Firewall and Sophos Central: the computer must be managed by Sophos Central; the XG Firewall registers with Sophos Central and gets a list of managed computers; the computer establishes a two-way communication channel with the XG Firewall]
Computers must be connected to the local network or to the XG Firewall via a VPN
Sophos Central brokers the trust between computers that it manages and XG Firewalls that are 
registered with it. Sophos Central will provide the certificates required to the computers and XG 
Firewall to be able to communicate.
The computer will initiate a connection to the XG Firewall, and if it is a computer that is managed 
by the same Sophos Central account a two-way communication channel is established.
Note that Security Heartbeat is only supported when computers are connected to the local 
network, or to the XG Firewall via a VPN. Security Heartbeat is not supported in the WAN zone.
Module 3: Network Protection - 192
How Security Heartbeat Works
[Diagram: Laptop, Computers and Servers (marked PROTECTED) behind the XG Firewall, with the Internet beyond it]
Let’s look at what would happen if malware is detected on a computer with Security Heartbeat.
When malware is detected on the computer, Security Heartbeat will send event information and its 
new health status to the XG Firewall.
The XG Firewall can then prevent the compromised computer from connecting to other computers 
or servers, protecting them from possible infection.
Once the Sophos Endpoint Agent has cleaned up the malware, Security Heartbeat will send its 
updated health status to the XG Firewall, and the XG Firewall can allow it to access hosts and 
networks as normal.
In this example XG Firewall can protect computers where the traffic has to pass through the XG 
Firewall, but what about where computers are connected via a switch?
Module 3: Network Protection - 193
Lateral Movement Protection
[Diagram: Laptop A, Laptop B and Laptop C connected to a Switch behind the XG Firewall, with PROTECTED markers; XG Firewall shares the MAC address of computers with a red health status; additional information in the notes]
This is where lateral movement protection comes in.
Let’s consider the same scenario, but this time look at the computers that are connected to the 
same section of network as the laptop that has detected malware. The computers on this section 
of the network can communicate with each other without the traffic passing through the XG 
Firewall.
In this scenario when the XG Firewall receives a red health status for laptop B it shares the MAC 
address of laptop B with all of the endpoints it has a heartbeat with.
The computers can use the MAC address to drop traffic from the computer with the RED health 
status. This is done by the Sophos Central software and has to be enabled in Sophos Central.
Currently, only Windows endpoints will drop traffic from computers with a red health status.
It is important to note that because this relies on the other computers being able to see the MAC 
address of the computer with a red health status, this would not work if we replaced the switch with a 
router.
[Additional Notes]
Lateral movement protection is enabled and configured in Sophos Central in Global Settings > 
Reject Network Connections.
Module 3: Network Protection - 194
Red Health Status from XG Firewall detection
[Diagram: XG Firewall and Laptop. 1. XG Firewall detects call home or IPS rule is triggered; 2. XG Firewall sends message to endpoint to change its health status to red; 3. Endpoint reports back additional information (red health status, process information) to the XG Firewall]
So far we have only looked at the red health status being triggered by something being detected 
on the endpoint, but the XG Firewall can also inform the endpoint when it has detected something 
that requires the laptop to have a red health status. This can be either a call home to a command 
and control server or because the endpoint has triggered an IPS rule.
Module 3: Network Protection - 195
Configuring Security Heartbeat
Register XG Firewall with Sophos Central
PROTECT > Central synchronization
To start using Security Heartbeat the XG Firewall needs to be registered with the same Sophos 
Central account that is used to manage the protection on the computers.
Once enabled you can optionally configure which zones you want to detect missing heartbeats for. 
A missing heartbeat is a computer that has established a heartbeat in the past but is no longer 
sending a heartbeat. This could indicate that the protection software has been disabled.
Configuring Security Heartbeat
Select Security Heartbeat restrictions in firewall rules
• Source and destination-based rules
• Set the minimum health status
• Optionally require a heartbeat
With the XG Firewall registered with Sophos Central, endpoints will start to establish a heartbeat. 
There will be a short delay before this happens while they download the required certificates.
For the XG Firewall to start controlling network access based on a computer’s heartbeat status you 
need to enable the restrictions in your firewall rules.
Restrictions can be configured for the source, the destination or both, and set the minimum 
required health status: green, yellow or no restriction.
You can optionally require computers to have a heartbeat. This means that any device not running 
Sophos Central will not be able to meet the requirement. This can be used to block unknown 
devices on the network.
Note that destination restrictions cannot be applied to computers in the WAN zone.
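To make the combination of these options concrete, here is an added Python model (not Sophos code and not part of the course) of how a rule's Security Heartbeat restrictions decide a flow. The rule fields follow the options just described: a restriction on source, destination or both, a minimum health status of green or yellow, and an optional requirement that the device has a heartbeat at all. It also skips the destination check for WAN destinations, where restrictions cannot be applied. The class and function names and the sample endpoints are this example's own.

```python
"""Added example (not Sophos code): how Security Heartbeat restrictions in a
firewall rule decide whether a flow is allowed. Names are this example's own.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Ordering of health states: a minimum of "yellow" is met by yellow or green,
# a minimum of "green" only by green. Red never meets a minimum.
HEALTH_RANK = {"red": 0, "yellow": 1, "green": 2}


@dataclass
class HeartbeatRestriction:
    """Security Heartbeat settings for one side (source or destination) of a rule."""
    minimum_health: Optional[str] = None  # "green", "yellow" or None for no restriction
    require_heartbeat: bool = False       # also block devices that send no heartbeat


@dataclass
class Endpoint:
    ip: str
    zone: str                       # e.g. "LAN", "DMZ", "WAN"
    health: Optional[str] = None    # None: no heartbeat (not managed by Sophos Central)


@dataclass
class FirewallRule:
    name: str
    source: HeartbeatRestriction = field(default_factory=HeartbeatRestriction)
    destination: HeartbeatRestriction = field(default_factory=HeartbeatRestriction)


def side_permits(restriction: HeartbeatRestriction, endpoint: Endpoint) -> bool:
    """Apply one side's restriction to one endpoint."""
    if endpoint.health is None:
        # A device with no heartbeat can never report a health status, so it
        # is only rejected when the rule explicitly requires a heartbeat.
        return not restriction.require_heartbeat
    if restriction.minimum_health is None:
        return True
    return HEALTH_RANK[endpoint.health] >= HEALTH_RANK[restriction.minimum_health]


def evaluate(rule: FirewallRule, src: Endpoint, dst: Endpoint) -> Tuple[bool, str]:
    """Return (allowed, reason) for a flow matched by this rule."""
    if not side_permits(rule.source, src):
        return False, f"{rule.name}: source {src.ip} fails heartbeat restriction"
    # Destination restrictions cannot be applied to hosts in the WAN zone, so
    # the destination side is only checked for non-WAN destinations.
    if dst.zone != "WAN" and not side_permits(rule.destination, dst):
        return False, f"{rule.name}: destination {dst.ip} fails heartbeat restriction"
    return True, f"{rule.name}: allowed"


# Constructed sample rules for the demonstration below.
LAN_TO_SERVERS = FirewallRule(
    "LAN to servers",
    source=HeartbeatRestriction(minimum_health="green", require_heartbeat=True),
    destination=HeartbeatRestriction(minimum_health="yellow"),
)
LAN_TO_WAN = FirewallRule(
    "LAN to WAN",
    source=HeartbeatRestriction(minimum_health="yellow"),
    destination=HeartbeatRestriction(minimum_health="green"),  # never applied: WAN destination
)

if __name__ == "__main__":
    laptop_green = Endpoint("10.0.0.10", "LAN", "green")
    laptop_red = Endpoint("10.0.0.11", "LAN", "red")
    printer = Endpoint("10.0.0.50", "LAN")            # unknown device, no heartbeat
    server = Endpoint("10.0.1.5", "DMZ", "yellow")
    internet = Endpoint("198.51.100.7", "WAN")
    for src, dst, rule in [
        (laptop_green, server, LAN_TO_SERVERS),
        (laptop_red, server, LAN_TO_SERVERS),
        (printer, server, LAN_TO_SERVERS),
        (laptop_green, internet, LAN_TO_WAN),
    ]:
        print(evaluate(rule, src, dst))
```

The "require heartbeat" case is the one that blocks the printer: it has no health to compare, so only that flag can reject it, which is exactly how the option blocks unknown devices.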
Advanced Threat Protection
Advanced Threat Protection (ATP) Overview
Detect compromised devices on your network
Block access to command and control servers
Uses data from all enabled services on XG Firewall
If you have a compromised device on your network the Advanced Threat Protection (ATP) on the 
XG Firewall can help to detect it when it tries to contact the Internet. ATP is a global configuration 
that monitors traffic and data from all enabled services on the XG Firewall, including DNS and web 
requests, to detect and block access to command and control servers.
Configuring Advanced Threat Protection
Log and drop
Log only
Exclusions
Inspect untrusted content
Inspect all content
ATP is configured through a simple policy in PROTECT > Advanced threat > Advanced threat 
protection.
You can choose to only log, or to log and drop traffic. ATP is applied globally, so if you need to 
exclude specific devices or networks this can be done here.
In the advanced settings you can choose whether ATP inspects untrusted content (the default option) 
or all content. Inspecting all content may have an impact on performance.
Advanced Threat Protection Alerts
Control Center
There is a widget for ATP alerts on the XG Firewall Control Center. Clicking this widget will display a 
card for ATP detections that summarizes the sources and threats detected. From here there is a 
shortcut to the full ATP report.
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Module Review
Now that you have completed this module, you should be able to:
Create and manage firewall and NAT rules
Create TLS inspection rules and profiles
Create basic web application firewall rules
Create IPS policies and configure spoof protection and denial of service (DoS) protection
Enable and configure Security Heartbeat and Advanced Threat Protection (ATP)
Module 3 Simulations
Complete the following simulation tasks for Module 3:
• Task 3.1: Configure logging
• Task 3.2: Create firewall rules
• Task 3.3: Install the SSL CA certificates
• Task 3.4: Install Sophos Central
• Task 3.5: Migrate linked NAT rules
• Task 3.6: Publish a server using DNAT
• Task 3.7: Protect a server using the web application firewall
• Task 3.8: Configure IPS policies
• Task 3.9: Enable Advanced Threat Protection
• Task 3.10: Enable denial-of-service and spoof protection
• Task 3.11: Configure Security Heartbeat
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the site-to-site connections module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET804 – Site-to-Site Connections
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Module 4: Site-to-Site Connections - 213
Sophos Certified Engineer
XG Firewall 18.0
Module 4: Site-to-Site Connections
Version: 18.0v2
In this module you will learn how to deploy and configure the three main branch connectivity 
options that the XG Firewall provides: SSL VPNs, IPsec VPNs and Remote Ethernet Devices.
Site-to-Site Connections
• Site-to-site options
• VPNs
• VPN zone
SSL VPN
• Overview
• Configuration
IPsec VPN
• IPsec VPN policy
• Wizard
• Configuration
Remote Ethernet Device (RED)
• Deployment
• Deployment modes
• Models
Site-to-Site Connections
XG Firewall provides branch office connectivity through common site-to-site VPNs or using our 
Remote Ethernet Devices (REDs).
Site-to-site VPNs can be used to create an encrypted tunnel between two XG Firewalls, or between 
the XG Firewall and another device that supports compatible protocols. 
Remote Ethernet Devices are small hardware devices that are connected in branch offices that can 
transparently extend the network between sites with a layer-2 connection. REDs are plug and play, 
and don’t require any technical expertise to connect on the remote site.
Site-to-Site Connections
Site-to-Site VPN
✓ Connection between two XG Firewalls
✓ Connection can be made to third-party firewalls
✓ More efficient use of bandwidth (depending on protocol)
Remote Ethernet Device (RED)
✓ Connection between an XG Firewall and a small hardware device
✓ Plug and play with no technical expertise required onsite
✓ Can transparently extend the network between sites
XG Firewall supports creating site-to-site VPNs over either SSL or IPsec.
SSL site-to-site VPNs are simple to configure, providing a quick and effective way to connect branch 
offices.
IPsec, on the other hand, is more bandwidth efficient and can be more secure if configured 
correctly. IPsec can also be used to connect with third-party devices, but can be more complex to 
set up.
Site-to-Site VPNs
SSL
• HTTPS (TLS)
• Port 8443 (can be changed)
• Digital certificates for authentication
✓ Simple configuration
✓ Effective site-to-site connectivity
IPsec
• UDP port 500
• IP protocols 50 & 51
• Pre-shared key, RSA key or digital certificates for authentication
• Tunnel mode for site-to-site connections
✓ Can be more secure if configured correctly
✓ More bandwidth efficient
✓ Supports failover groups
✓ Compatibility with third-party devices
VPN Zone
Site-to-site VPNs that are created are automatically added to the VPN zone. This is a special zone 
that has no physical interfaces and cannot be edited. All VPN connections, whether they are site-
to-site or remote access, are always in this zone.
RED connections can be configured to be in any zone.
SSL VPN
SSL site-to-site VPNs are implemented using a client/server configuration where each end of the 
tunnel has a distinct role. The client end will always initiate the connection to the server, and the 
server will always respond to client requests. This is different from IPsec where normally either end 
can initiate a connection.
SSL VPN
[Diagram: Head Office XG Firewall (server for SSL VPN) at a site with a static public IP address; Branch Office XG Firewall (client for SSL VPN) at a site with a dynamic public IP address. The client initiates the connection with the server.]
The configuration is done in three steps:
1. On the server create a connection by selecting the networks that will be local and remote to 
the server
2. Download the configuration file
3. On the client site, create a connection by uploading the configuration file
You will configure a site-to-site VPN as part of the labs for this module.
Creating an SSL VPN
SSL VPNs are configured in:
CONFIGURE > VPN > SSL VPN (site-to-site)
1. Configure server, 2. Download configuration, 3. Upload on client
IPsec VPN
IPsec VPNs require a matching set of algorithms and settings on both ends for a tunnel to be 
successfully created. On the XG Firewall these are configured in IPsec VPN policies.
There are a number of preconfigured policies that ship with the XG Firewall, but these can be 
cloned and modified to meet your requirements. This may be necessary to meet compliance 
criteria, or to create a VPN with a third-party device.
IPsec VPN Policies
Security parameters used to establish and maintain the VPN connection
Both sides of the VPN must allow the same settings
There are a number of policies provided out-of-the-box
IPsec VPN policies are configured in:
CONFIGURE > VPN > IPsec VPN policies
Once you have your policy configured you can create your VPN. To simplify this the XG Firewall 
includes an optional wizard that will walk you through the steps necessary to create the VPN, 
providing additional descriptions on the left.
IPsec VPN Wizard
Step-by-step guide for creating IPsec VPNs
IPsec VPNs are configured in:
CONFIGURE > VPN > IPsec Connections
Additional information about the configuration is shown on the left
Let’s take a look at the configuration of an existing VPN.
In the General settings you can choose between IPv4 or IPv6 and whether the XG Firewall should 
only respond to VPN requests or try to initiate them.
When you are creating a new VPN you can also optionally choose to have the XG Firewall 
automatically create firewall rules, although these will be fairly general and should be reviewed.
Creating an IPsec VPN (1)
In the Encryption section you select the VPN policy you have created and configure the 
authentication type, which can be either preshared key, RSA key or digital certificate.
Creating an IPsec VPN (2)
In the Gateway settings you configure the interface the XG Firewall will use for the VPN and where 
it will be connecting to. If the remote side has a dynamic IP address a wildcard can be used, 
however this also means the XG Firewall cannot initiate the connection as it does not know where 
to connect to.
IPsec VPNs require an ID, which can be based on DNS, IP address, email address, or an X.509 
certificate name.
Finally, you need to define which networks will be available over the VPN. That is, the local 
networks that remote devices will be able to access, and the remote networks you expect to be 
able to access over the VPN.
Creating an IPsec VPN (3)
You can create an IPsec tunnel between two XG Firewalls without defining the local and remote 
networks by creating tunnel interfaces. When you do this, the XG Firewalls establish the 
connection, but all of the networking (interface IP addresses, routing and so forth) is done 
using standard configuration.
Route-Based VPN
[Diagram: two XG Firewalls joined by an xfrm tunnel interface in 172.16.16.0/24, with the networks 172.20.77.0/24, 192.168.16.0/24 and 192.168.2.0/24 behind them.]
Let’s look at how you can configure this. We will look at the configuration for one side of the 
tunnel, however this will need to be done on both ends.
The first step is to create the tunnel interfaces. This is done by creating a new IPsec configuration, 
but instead of site-to-site, select Tunnel interface for the connection type.
You will notice that when you select tunnel interface the IP version automatically changes to Dual, 
as tunnel interfaces support both IPv4 and IPv6.
Creating the VPN Tunnel Interfaces
Select the Tunnel interface connection type
When configuring the local and remote gateways you do not specify the local and remote networks 
for tunnel interfaces, however, you must set the remote gateway address. Unlike IPsec VPNs, you 
cannot use a wildcard for the remote gateway address even if the tunnel interface is configured to 
respond only.
Creating the VPN Tunnel Interfaces
You cannot use a wildcard when creating tunnel interfaces
You do not specify the local and remote networks for tunnel interfaces
Once you have saved the IPsec connection you will see a new interface has been created for it. The 
interface will be bound to the physical interface selected when you created the IPsec connection.
The interface itself is configured in the same way as any other interface, however you cannot 
configure the zone. Tunnel interfaces are always in the VPN zone.
You must ensure that the tunnel interfaces at each end of the tunnel are in the same subnet.
Configuring the Tunnel Interfaces
Tunnel interfaces are always in the VPN zone
Routing can be configured using static routes, SD-WAN policy routes and dynamic routing.
Routing
Configure routes to send the traffic over the tunnel
Supports static routes, SD-WAN policy routes and dynamic routing
Remote Ethernet Device (RED)
Sophos Remote Ethernet Devices, or REDs, provide a simple way to connect remote sites to a central 
network securely by creating a layer-2 tunnel. Installing the RED device on-site requires no 
configuration or technical expertise. RED connections use a small hardware RED device at the 
remote location, and all configuration for that device is done on the XG Firewall.
At the remote location, the RED requires:
• A power connection
• A network connection
• A DHCP server to provide an IP address, DNS server and default gateway
• Port 3400 TCP
• Port 3410 UDP
Note: you can use legacy RED 10 devices, and these require UDP port 3400 instead of port 3410.
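The ports the three site-to-site options use are spread across the SSL/IPsec comparison earlier in this module and the RED requirements just listed. As an added example (not from the course or from Sophos), this Python snippet classifies flows seen at a head office gateway against those expected services, including the legacy RED 10 case, and reports anything else so that it stands out in a log review. The key=value log format, the sample lines and the function names are constructed for the example; the SSL VPN port is a parameter because the module notes it can be changed.

```python
"""Added example (not Sophos code): classify observed flows against the ports
used by XG Firewall site-to-site options (SSL VPN, IPsec, RED).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# IPsec data protocols carry no port; they are identified by IP protocol number.
IPSEC_PROTOCOLS = {"50": "IPsec ESP (protocol 50)", "51": "IPsec AH (protocol 51)"}


def classify(proto: str, dport: Optional[int], ssl_vpn_port: int = 8443) -> str:
    """Name the site-to-site service a flow belongs to, or 'unexpected'."""
    proto = proto.lower()
    if proto in IPSEC_PROTOCOLS:
        return IPSEC_PROTOCOLS[proto]
    if proto == "udp" and dport == 500:
        return "IPsec IKE (UDP 500)"
    if proto == "tcp" and dport == ssl_vpn_port:
        return "SSL VPN site-to-site (TCP %d)" % ssl_vpn_port
    if proto == "tcp" and dport == 3400:
        return "RED control (TCP 3400)"
    if proto == "udp" and dport == 3410:
        return "RED data (UDP 3410)"
    if proto == "udp" and dport == 3400:
        return "RED data, legacy RED 10 (UDP 3400)"
    return "unexpected"


LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn 'key=value key=value ...' into a dict (constructed log format)."""
    return dict(LINE_RE.findall(line))


def summarize(lines: List[str], ssl_vpn_port: int = 8443) -> Tuple[Counter, List[str]]:
    """Count flows per service and collect lines matching no expected service."""
    counts: Counter = Counter()
    unexpected: List[str] = []
    for line in lines:
        fields = parse_line(line)
        dport = int(fields["dport"]) if "dport" in fields else None
        label = classify(fields.get("proto", ""), dport, ssl_vpn_port)
        counts[label] += 1
        if label == "unexpected":
            unexpected.append(line)
    return counts, unexpected


# Constructed sample log: inbound flows seen on the head office WAN interface.
SAMPLE_LOG = [
    "ts=2020-07-01T10:00:01Z proto=udp src=203.0.113.20 dst=198.51.100.1 dport=500",
    "ts=2020-07-01T10:00:01Z proto=50 src=203.0.113.20 dst=198.51.100.1",
    "ts=2020-07-01T10:00:05Z proto=tcp src=203.0.113.30 dst=198.51.100.1 dport=8443",
    "ts=2020-07-01T10:00:09Z proto=tcp src=203.0.113.40 dst=198.51.100.1 dport=3400",
    "ts=2020-07-01T10:00:09Z proto=udp src=203.0.113.40 dst=198.51.100.1 dport=3410",
    "ts=2020-07-01T10:00:12Z proto=tcp src=203.0.113.50 dst=198.51.100.1 dport=22",
]

if __name__ == "__main__":
    counts, odd = summarize(SAMPLE_LOG)
    for label, n in counts.most_common():
        print(f"{n:3d}  {label}")
    print("unexpected:", odd)
```

If you have moved the SSL VPN off 8443, pass the new port to summarize(); a flow still arriving on 8443 is then correctly reported as unexpected rather than silently accepted as VPN traffic.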
RED Overview
• Plug and play branch office connectivity
• No technical expertise required onsite
• Creates a layer-2 tunnel to XG Firewall
Port Purpose
TCP:3400 Control: TLS authenticated with a mutual X.509 certificate check
UDP:3410 Data: Encapsulated traffic using AES-256 encryption and SHA1-HMAC authentication
Additional information in the notes
Let’s take a look at how you deploy a RED.
You configure the RED on the XG Firewall. You need to provide the publicly resolvable hostname 
the RED will connect to and the IP address and netmask of the RED interface that will be created 
on the XG Firewall. You also enter the 15 character RED ID that is printed on a sticker on the base 
of the RED. This is used to tie the configuration to the device.
The Sophos XG Firewall then sends the configuration to the cloud-based provisioning server.
Next, the RED is plugged in at the remote office and gets an IP address, DNS server and gateway 
from the local DHCP server.
The RED connects to the provisioning server with its ID, and the provisioning server sends back the 
configuration that the RED needs to connect to the Sophos XG Firewall at the central office. The 
provisioning server is no longer used from this point forward.
Finally, the RED establishes a layer-2 tunnel to the Sophos XG Firewall using TCP port 3400 and 
UDP port 3410.
RED Deployment
[Diagram: RED Provisioning Service (red.astaro.com), the Head Office XG Firewall behind a router, and the RED at the remote site. 1. Configure RED device. 3. Deploy RED device. 4. Receive local IP (DHCP). 7. Establish Layer-2 Tunnel.]
REDs can be deployed in three modes.
In Standard/Unified mode the remote network is managed by the XG Firewall, which serves as the 
DHCP server and default gateway for all clients connecting through the RED. All traffic generated 
on the remote network is sent through the RED to XG Firewall.
In Standard/Split mode the XG Firewall still manages the remote network, acting as the DHCP 
server and default gateway. However, in this configuration only traffic to defined networks is sent 
through the RED to XG Firewall, and all other traffic is sent directly to the Internet.
In Transparent/Split mode the XG Firewall doesn’t manage the remote network, but is a member 
of it. The Firewall gets its IP address from a DHCP server running on the remote network. Only 
traffic to defined networks is sent through the RED to XG Firewall, and all other traffic is sent 
directly to the Internet. As this mode of deployment does not require any re-addressing it is an 
easy way to connect networks following an acquisition or similar.
In the case of Standard/Split and Transparent/Split deployment modes, the XG Firewall does not 
provide any web filtering or other security to clients on the remote network.
Please note that you still need to create security policies, in order for the computers connected to 
the remote network to be able to interact with computers on the central office network.
RED Deployment Modes
[Diagram: Standard/Unified: XG Firewall is default gateway and DHCP server; all traffic routed over the RED tunnel. Standard/Split: XG Firewall is default gateway and DHCP server; traffic to defined networks routed over the RED tunnel, other traffic routed directly to the Internet. Transparent/Split: XG Firewall is a DHCP client on the remote network; traffic to defined networks routed over the RED tunnel, other traffic routed directly to the Internet.]
The configuration required when deploying REDs in the different modes is slightly different and is 
summarised in this table.
Configuring RED in Different Deployment Modes
Values are given for Standard/Unified, Standard/Split and Transparent/Split, in that order.
Zone for the RED interface on the XG Firewall
IP address for the RED interface on the XG Firewall: Static, Static, DHCP
DHCP server for the remote network: Optional, Optional, No
Split networks (networks that are accessed through the RED from the remote site)
Split DNS server (DNS server for the split networks)
Split domains (domains that are accessed through the RED from the remote site)
MAC address filtering: Optional
Tunnel compression: Optional
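Pulling the table and the notes on deployment modes together, here is an added Python check (not Sophos code) that validates a proposed RED configuration against the rules stated in this module: static versus DHCP addressing of the RED interface, whether the XG Firewall may act as DHCP server for the remote network, the need for defined split networks in the split modes, and the warning that remote clients' direct Internet traffic gets no web filtering or other security in those modes. Field names are the example's own, and treating the zone as required in every mode is an assumption the slide does not state.

```python
"""Added example (not Sophos code): a consistency check for a RED configuration
against the deployment mode rules given in this module. Field names are ours;
requiring a zone in every mode is an assumption of this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MODES = ("Standard/Unified", "Standard/Split", "Transparent/Split")


@dataclass
class RedConfig:
    mode: str
    zone: str = ""                       # zone for the RED interface on the XG Firewall
    interface_ip: str = ""               # "static" or "dhcp"
    dhcp_server: bool = False            # XG Firewall serves DHCP to the remote network
    split_networks: List[str] = field(default_factory=list)


Finding = Tuple[str, str]  # ("error" | "warning", message)


def validate(cfg: RedConfig) -> List[Finding]:
    """Return errors (mode rules broken) and warnings (security caveats)."""
    findings: List[Finding] = []
    if cfg.mode not in MODES:
        return [("error", f"unknown deployment mode {cfg.mode!r}")]
    if not cfg.zone:
        findings.append(("error", "RED interface needs a zone (assumed required in every mode)"))
    if cfg.mode == "Transparent/Split":
        # The XG Firewall is a member of the remote network, not its manager.
        if cfg.interface_ip != "dhcp":
            findings.append(("error", "Transparent/Split: the RED interface gets its IP address "
                                      "from the remote network's DHCP server"))
        if cfg.dhcp_server:
            findings.append(("error", "Transparent/Split: the XG Firewall must not act as DHCP "
                                      "server for the remote network"))
    elif cfg.interface_ip != "static":
        findings.append(("error", f"{cfg.mode}: the RED interface needs a static IP address"))
    if cfg.mode.endswith("/Split"):
        # Only traffic to defined networks is sent over the RED in split modes.
        if not cfg.split_networks:
            findings.append(("error", f"{cfg.mode}: define at least one split network to route over the RED"))
        findings.append(("warning", f"{cfg.mode}: remote clients' Internet traffic bypasses "
                                    "XG Firewall web filtering and other security"))
    elif cfg.split_networks:
        findings.append(("warning", "Standard/Unified: split networks are ignored, all traffic goes over the RED"))
    return findings


def errors(cfg: RedConfig) -> List[str]:
    """Just the hard failures, for a pass/fail decision."""
    return [msg for level, msg in validate(cfg) if level == "error"]


if __name__ == "__main__":
    # Constructed sample configurations, one per mode (the third is deliberately wrong).
    samples = [
        RedConfig("Standard/Unified", zone="LAN", interface_ip="static", dhcp_server=True),
        RedConfig("Standard/Split", zone="LAN", interface_ip="static", split_networks=["10.0.0.0/24"]),
        RedConfig("Transparent/Split", zone="LAN", interface_ip="static", dhcp_server=True,
                  split_networks=["10.0.0.0/24"]),
    ]
    for cfg in samples:
        print(cfg.mode)
        for level, msg in validate(cfg) or [("ok", "no findings")]:
            print(f"  [{level}] {msg}")
```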
There are three models of RED, starting with the RED 15, which is suitable for small sites. All REDs 
feature gigabit connections and at least one USB port that can be used to provide backup 
connectivity using UMTS.
The RED 15w has all the features of the RED 15 and also includes a built-in wireless access point.
The RED 50 is designed for larger sites and includes advanced features such as:
• Two WAN ports that can be configured for load balancing or failover
• The ability to configure the LAN ports in either switch mode or for VLANs
• Two USB ports
There is no limit on the number of users for any RED model; the model is selected based on the 
maximum throughput and other features.
Note: The legacy RED 10, which ceased sale on 1st November 2015, can still be used with Sophos XG 
Firewall.
RED Models
RED 15 / RED 15w / RED 50
Maximum users: Unrestricted / Unrestricted / Unrestricted
Maximum throughput: 90 Mbit/s / 90 Mbit/s / 360 Mbit/s
LAN ports: 4 x Gbit / 4 x Gbit / 4 x Gbit
WAN ports: 1 x Gbit / 1 x Gbit / 2 x Gbit
USB ports: 1 / 1 / 2
Hardware accelerated encryption: x / x / ✓
Configure VLANs on LAN ports: x / x / ✓
Data compression: ✓ / ✓ / ✓
Built-in wireless access point: x / ✓ / x
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Module Review
Now that you have completed this module, you should be able to:
Explain the site-to-site connectivity options that the XG Firewall supports
Configure an SSL site-to-site VPN
Configure an IPsec site-to-site VPN
Deploy a Remote Ethernet Device (RED)
Module 4 Simulations
Complete the following simulation tasks for Module 4:
• Task 4.1: Create an SSL Site-to-Site VPN
• Task 4.2: Create an IPsec Site-to-Site VPN
• Task 4.3: Deploy a Remote Ethernet Device (RED)
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the authentication module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET805 – Authentication
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 5: Authentication
Version: 18.0v2
Module 5: Authentication - 250
Authentication
Authentication Overview
• Local authentication
• Authentication servers
• Service authentication
Users and Groups
• Types of user
• Clientless and guest users
• Groups
Authentication Methods
• Synchronized User Identity
• Web authentication and STAS
• Agent and Chromebook authentication
Using Authentication
• Rules and policies
• VPN and routing
• User portal and WebAdmin
One-Time Passwords
• One-time passwords overview
• Configuration
• Tokens
XG Firewall is an identity-based firewall, which means it can apply identity to the traffic that is 
passing through it allowing for more granular control.
In this module you will learn how to configure the most common types of authentication available 
on XG Firewall and see where the user identity can then be used.
Authentication Overview
Authentication Overview
[Diagram: authentication feeds Network Access, Routing, Web Filtering and Application Control]
Leveraging the XG Firewall’s authentication capabilities provides the opportunity to control access 
to network resources, filter websites, route traffic, control applications and more. You can also get 
detailed reporting on user activity and identify high-risk users.
Local Authentication
Users can be created manually or imported using a CSV file
Choose between user and administrator
Users inherit policies from groups they are assigned to
Best suited to small organizations
Authentication can be done locally on the XG Firewall, although it is more commonly configured to 
use external authentication sources.
You can add users to the XG Firewall manually or import via a CSV, and these can be either users or 
administrators. The difference is that administrators have a profile associated to them that controls 
their administrative access to the XG Firewall.
Users can be manually assigned to a group, and will inherit policy settings that can be overridden 
per-user.
Local authentication is best suited to organizations that are small in size and do not have an 
existing directory service in place, or when guest users need access in authentication-enabled 
networks.
Authentication Servers
Supported authentication servers
• Active Directory
• eDirectory
• RADIUS
• TACACS+
• LDAP/S
• OpenLDAP
• Apple Directory
• Other standard LDAP directories
The Sophos XG Firewall can also be configured to authenticate with external servers such as:
• Active Directory
• Novell eDirectory
• LDAP / LDAPS
• RADIUS Server
• TACACS+
Using LDAP or LDAPS, Sophos XG Firewall can authenticate using OpenLDAP, Apple Directory or any 
other standard LDAP directory.
Service Authentication
Authentication services are configured in:
CONFIGURE > Authentication > Services
You need to enable authentication servers for each service on the XG Firewall; these are:
• Firewall
• User portal
• VPN
• Administrator
• SSL VPN
Enabled authentication servers are processed from top to bottom and can be reordered by 
dragging and dropping the servers in the list.
To simplify the configuration for a service, you can optionally choose to set it to be the same as the 
firewall authentication, so that it mirrors those settings and any changes you make to them.
Users and Groups
Types of User
Users: authenticate with a username and password; can be locally or externally authenticated
Clientless Users: authenticated by IP address; locally authenticated
Guest Users: temporary users authenticated with a system generated username and password; locally authenticated
The XG Firewall has three types of user:
Standard users that authenticate with a username and password. They can be authenticated locally 
by the XG Firewall or using an external authentication server such as Active Directory.
Clientless users do not authenticate using a username and password, but instead are identified 
purely by their IP address. Clientless users are always authenticated locally by the XG Firewall. 
Typically you would use clientless users to control network access for servers or devices such as 
printers and VoIP phones.
The final type of user is a guest user. These are users that are given temporary network access, 
usually to access the Internet. They authenticate with a username and password that are 
generated by the XG Firewall and are always authenticated locally.
Creating Clientless Users
Clientless users are managed in:
CONFIGURE > Authentication > Clientless users
Here you can see an example of two printers being added as clientless users. You give the devices 
a name, specify the IP address and select which group they will be a member of. You then use the 
group in firewall rules to control the network access the devices have.
Clientless users can also be added in bulk by specifying a range of IP addresses and selecting the 
group they will be a member of. You can edit the details for each IP address after adding them.
Creating Guest Users
Guest users are managed in:
CONFIGURE > Authentication > Guest users
You can create guest users either individually, shown on the left, or in bulk, shown on the right.
There are two main options when creating guest users:
1. How long the credentials will be valid for
2. Whether the validity period starts as soon as the user is added or when the user first logs in
Here you can see two guest users, the first created individually and the second in bulk. Using the 
Print option you can print the credentials for multiple selected users.
Creating Guest Users
Guest users settings are managed in:
CONFIGURE > Authentication > Guest user settings
All guest users are created with the same settings that can be managed in CONFIGURE > 
Authentication > Guest user settings.
Here you can set the group that the user will be added to and the password complexity.
Optionally you can also integrate the XG Firewall with an SMS gateway to allow guest users to 
register for their own access details. This can save significant time where there are large volumes 
of guest users such as in hotels and airports.
Groups
Groups are managed in:
CONFIGURE > Authentication > Groups
Now that we’ve looked at the different types of users, we’ll look at groups. There are two types of 
groups, normal and clientless, for their respective user types.
A group is a collection of users with common policies and can be used to assign access to 
resources. The user will automatically inherit all of the policies added to the group. 
Examples of policies that can be applied to groups include:
• Surfing Quota 
• Access Time
• Network Traffic
• Traffic Shaping
These are configured in SYSTEM > Profiles.
You should note that by default, users inherit their assigned group’s policies. To adjust a 
group’s assigned policies, select a policy from the list of available policies while editing or creating 
a group. You can also create a new policy directly from the group page. In the case of SSL 
VPN, if a user is not to have access to the SSL VPN, select ‘No Policy Applied’.
Group Import from Active Directory
When using Active Directory as an authentication server, users are created on the XG Firewall 
and assigned to a group when they first successfully log in. To use Active Directory groups, run the 
import wizard before users log in and they will be assigned to their associated Active Directory 
group.
Note: XG Firewall does not support nested groups, and if a user is a member of multiple groups 
they will be added to the first one they match. Users can only be a member of a single group.
Module 5: Authentication - 264
Authentication Methods
Module 5: Authentication - 265
Authentication Methods
Captive Portal
Authentication Agent
Hotspot
Clientless Users
Single Sign-On (SSO)
• Synchronized User Identity
• Sophos Transparent Authentication Suite (STAS)
• Sophos Authentication for Thin Clients (SATC)
• SSO Client
• VPN
• RADIUS
• Web Authentication (NTLM and Kerberos)
Precedence
The Sophos XG Firewall supports five main methods for authenticating users; these are:
• Hotspot
• Clientless Users
• Single Sign-On (SSO)
• Authentication Agent
• Captive Portal
This is the order in which authentication is checked for users. Throughout the rest of this section 
we will take a look at some of the most common forms of authentication in more detail.
Module 5: Authentication - 266
Synchronized User Identity
Diagram: Sophos Endpoints with a Security Heartbeat™ to the XG Firewall, an Active Directory Server and the Internet. XG gets the user ID from endpoints that are on an Active Directory domain automatically.
Let’s start by looking at Synchronized User Identity as it is enabled by default for all Windows 
endpoints that establish a Security Heartbeat with the XG Firewall.
Synchronized User Identity leverages the presence of Sophos on the Windows endpoints to 
simplify transparent user authentication with the firewall by sharing the user’s identity through the 
Security Heartbeat connection. This makes authentication seamless, without having to deploy 
additional agents onto domain controllers.
Note that for multi-user systems like terminal servers you should use SATC (Sophos Authentication 
for Thin Clients). This solution also doesn’t support non-managed devices or servers.
Module 5: Authentication - 269
Synchronized User Identity
1. Add an Active Directory authentication server on XG Firewall
2. Import groups from Active Directory into the XG Firewall
3. Enable Active Directory server in Firewall authentication methods
4. Computers with a Security Heartbeat™ will synchronize the user details
For Synchronized User Identity to work you will need to have added an Active Directory 
authentication server on the XG Firewall and imported the groups using the wizard.
The Active Directory authentication server must be enabled as an authentication source for the 
firewall in CONFIGURE > Authentication > Services.
With this done, all Windows endpoints with a heartbeat to the XG Firewall will be authenticated 
transparently.
Module 5: Authentication - 270
Disabling Synchronized User Identity
Sophos Firewall
===============
(C) Copyright 2000-2020 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.
For End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-
user-license-agreement.aspx
NOTE: If not explicitly approved by Sophos support, any modifications
done through this option will void your support.
XG135_XN02_SFOS 18.0.0# touch /content/no_userid
XG135_XN02_SFOS 18.0.0# service access_server:restart -ds nosync
200 OK
XG135_XN02_SFOS 18.0.0#
Synchronized User Identity will work by default if the prerequisites are satisfied. If you want to 
disable it, this can be done via the console by creating the file /content/no_userid, as shown in the 
console session above. Removing this file will re-enable Synchronized User Identity again; however, 
you do need to restart the authentication service for this change to take effect.
Module 5: Authentication - 271
Web Authentication
Diagram: an unknown user tries to visit a webpage. Transparent web filtering: redirect to a URL served by XG and send an HTTP_AUTH challenge so the browser responds with the user credentials. Direct proxy mode: respond with a PROXY_AUTH challenge so the browser responds with the user credentials. In both cases the user is recorded against the IP address for future transactions. Additional information in the notes.
If user authentication is only required for web filtering XG Firewall can use a proxy challenge to 
authenticate Active Directory users with NTLM or Kerberos.
Let’s start by looking at what happens when an unknown user tries to visit a web page. There are 
two scenarios:
1. For transparent web filtering the XG will redirect to a URL served by the XG and send an 
HTTP_AUTH challenge so that the browser responds with the credentials
2. In the case of direct proxy mode, the XG Firewall can respond with a PROXY_AUTH challenge so 
that the browser responds with the user credentials
In both cases the user is recorded against the IP address for future transactions.
Additional notes:
Kerberos is more secure and has lower overheads than NTLM:
• NTLM requires an additional response round-trip between XG and the browser
• NTLM requires a lookup between XG and the challenge/domain controller for every 
authentication event
To avoid clients seeing a popup for authentication we would recommend configuring XG Firewall as 
an explicit proxy in the browser using the internal hostname of the XG that is in the domain. The 
default proxy port is 3128, but this can be changed in PROTECT > Web > General settings.
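The challenge flow described on this slide, modelled in Python as an added example (this is not code from the course or from Sophos). The Kerberos/NTLM token exchange with the domain controller is replaced by a constructed lookup table, and the firewall hostname and port are assumptions; what the model shows is which challenge is sent in each mode (HTTP_AUTH via a firewall-served URL in transparent mode, PROXY_AUTH in direct proxy mode) and how the user is recorded against the client IP so later requests from that IP are not challenged again.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

TRANSPARENT = "transparent"   # web filtering intercepts traffic in passing
EXPLICIT = "explicit"         # browser is configured to use the firewall as its proxy

# Hypothetical internal hostname of the firewall in the domain (assumption: the
# course only says "a URL served by the XG"); the transparent challenge is served here.
XG_AUTH_HOST = "xg.corp.example"
XG_AUTH_URL = f"http://{XG_AUTH_HOST}:8090/auth"

# Constructed stand-in for validating the browser's Negotiate token against the
# domain controller. A real deployment never holds such a table.
FAKE_TOKEN_DIRECTORY = {"Negotiate dG9rZW4tZm9yLWx1Y3k=": "lucy.fox"}


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    user: Optional[str] = None   # identity the firewall attributes the request to


@dataclass
class WebAuthGateway:
    mode: str
    live_users: Dict[str, str] = field(default_factory=dict)  # client IP -> user

    def handle_request(self, client_ip: str, host: str,
                       auth_header: Optional[str] = None) -> Response:
        """Decide what the firewall does with one HTTP request from client_ip."""
        # Already recorded against this IP: pass through, no challenge.
        if client_ip in self.live_users:
            return Response(200, {}, user=self.live_users[client_ip])

        # The browser answered a challenge: validate, then record user against IP.
        if auth_header is not None:
            user = FAKE_TOKEN_DIRECTORY.get(auth_header)
            if user is None:
                return self._challenge()       # bad or replayed token: challenge again
            self.live_users[client_ip] = user
            return Response(200, {}, user=user)

        # Unknown user with no credentials. In transparent mode the challenge must
        # come from a firewall-served URL, so first redirect the browser there.
        if self.mode == TRANSPARENT and host != XG_AUTH_HOST:
            return Response(302, {"Location": XG_AUTH_URL})
        return self._challenge()

    def _challenge(self) -> Response:
        if self.mode == TRANSPARENT:
            # HTTP_AUTH challenge: the browser answers with Kerberos (via SPNEGO) or NTLM
            return Response(401, {"WWW-Authenticate": "Negotiate"})
        # PROXY_AUTH challenge in direct proxy mode
        return Response(407, {"Proxy-Authenticate": "Negotiate"})

    def forget(self, client_ip: str) -> None:
        """Drop a mapping, for example when the live-user entry expires."""
        self.live_users.pop(client_ip, None)


if __name__ == "__main__":
    gw = WebAuthGateway(TRANSPARENT)
    print(gw.handle_request("10.1.1.5", "www.example.com"))          # 302 to the firewall URL
    print(gw.handle_request("10.1.1.5", XG_AUTH_HOST))                # 401 Negotiate
    print(gw.handle_request("10.1.1.5", XG_AUTH_HOST,
                            "Negotiate dG9rZW4tZm9yLWx1Y3k="))        # 200, user recorded
    print(gw.handle_request("10.1.1.5", "www.example.com"))          # 200 as lucy.fox
```

The extra round trip that NTLM needs compared with Kerberos, which the notes above describe, is deliberately not modelled: the point here is the IP-to-user cache, which is also why a shared or NAT'd client address is the main thing to watch for with this method.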
Module 5: Authentication - 272
Web Authentication
Callouts: Browser can now respond with Kerberos or NTLM; Captive portal appearance; Enable AD SSO on the Device Access page
To use Active Directory SSO (NTLM and Kerberos) it must be enabled per-zone on the Device 
Access page. AD SSO has replaced NTLM as an authentication service on the Device Access page. 
With this option enabled, if you have an authentication server configured, AD SSO will be tried 
before the captive portal is displayed.
The Captive portal tab has been replaced with Web authentication and now combines the AD SSO 
configuration and captive portal behaviour and appearance settings. The page is laid out to better 
follow the authentication flow:
• Try to authenticate the user using NTLM and/or Kerberos
• If authentication fails then display the captive portal with this configuration
Module 5: Authentication - 273
Web Authentication
Callout: Will try NTLM and Kerberos as per the web authentication configuration and fall back to the captive portal
In the firewall rules, the option to ‘Use web authentication for unknown users’ will try to 
authenticate the user using NTLM or Kerberos based on the configuration you have selected, and 
then fall back to using the captive portal.
Module 5: Authentication - 274
Sophos Transparent Authentication Suite (STAS)
• Uses an agent installed onto domain controllers
• Requires one STAS installation serving each domain controller
• Provides SSO without a client on the endpoints
• Supports IPv4 only
Diagram: Lucy Fox logs into the domain from a computer with the IP address 10.1.1.1. The domain controller writes the login details to the event log with ID 4768. STAS notifies the XG Firewall of the login on port 6060. XG Firewall logs in Lucy Fox and maps traffic from 10.1.1.1 to the user.
The Sophos Transparent Authentication Suite, or STAS, provides transparent SSO authentication for 
users without requiring a client on the endpoint. It employs an agent on the Microsoft Active 
Directory domain controller or a member server that monitors and stores authentication activity 
and sends authentication information to XG Firewall. There must be a STAS installation serving all 
domain controllers to ensure that all logon events can be monitored. It is important to note that 
the STAS software only works with Microsoft Active Directory, and only works with IPv4.
Note: the SSO Client cannot be used when STAS is enabled on the XG Firewall.
Let’s have a look at how STAS works.
The user Lucy Fox logs into the domain on a computer that has the IP address 10.1.1.1. 
The domain controller writes the login details to the security event log with ID 4768; this includes 
the IP address of the computer and the name of the user that logged in. Note that in Windows 
2003 the event ID is 672.
STAS monitors the event logs for login events. When a login event is detected, STAS records the 
details. As STAS is monitoring the event logs, you need to ensure that successful logon events are 
being audited in the Local Security Policy.
STAS notifies XG Firewall of the login and supplies the details recorded from the event log; this is 
done on port 6060.
The XG Firewall updates the live users, mapping the traffic from 10.1.1.1 to the user Lucy Fox.
Module 5: Authentication - 275
Installing the STAS Software
Screenshots: Select Components; Provide a user for the service
• Download from the WebAdmin
• CONFIGURE > Authentication > Client downloads
• One installation per domain controller
• Either on domain controller or member server
Additional information in the notes
To get started with STAS, download the software from the WebAdmin at CONFIGURE > 
Authentication > Client downloads and install it on all Active Directory domain controllers, or a 
member server for each domain controller.
During the installation you can choose to install just the Collector or Agent component of STAS or 
both. There may be benefits to installing individual components in larger and more complex 
environments, however this course will focus on installing the suite of both components.
STAS also needs to be configured with a user that will be used to run the service. The user must 
have the right to logon as a service, and must be able to monitor the Security event log.
Additional notes:
The service account should be added to the Backup Operators and Event Log Readers Groups in 
AD, and the local Administrators groups on endpoints (this can be done via a group policy and is 
required for WMI logoff detection to work). The account should also be granted ‘Logon as a 
service’ permission on the domain controller, and full NTFS permission on the STAS folder.
Module 5: Authentication - 276
Configure the STAS Software
Callout: Required if installed on a member server
Once installed, the STAS software needs to be configured.
On the ‘General’ tab, configure the domain that STAS will be monitoring login events for.
On the ‘STA Agent’ tab, configure the networks for which logon events will be monitored. Here you 
can see we are monitoring logon events for the 172.16.16.0/24 network. If a user logs in from 
another network, 10.1.1.0/24 for example, this login will not be forwarded to the XG Firewall.
If STAS is being installed on a member server instead of a domain controller you need to specify 
the IP address of the domain controller here.
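As an added example (not part of the course and not the STAS software), the following Python mirrors what the earlier "how STAS works" walkthrough and the STA Agent network setting above describe: it reads logon events (ID 4768, or 672 on Windows 2003), keeps only clients inside the monitored networks, and builds the IP-to-user table that the firewall's live users end up reflecting. The event records are constructed. Two details worth knowing when you audit this yourself: Windows writes IPv4 clients in event 4768 as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`), and computer accounts (names ending in `$`) also request tickets, so they are skipped. The format STAS sends to the firewall on port 6060 is not described in the course, so the block stops at the mapping.

```python
import ipaddress

# Event IDs the course names: 4768 (Kerberos TGT requested) on current Windows,
# 672 on Windows 2003.
LOGON_EVENT_IDS = {4768, 672}

# Constructed sample of what a collector would read from the Security log.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "lucy.fox",   "IpAddress": "::ffff:172.16.16.25"},
    {"EventID": 4768, "TargetUserName": "bob.jones",  "IpAddress": "::ffff:10.1.1.1"},
    {"EventID": 4768, "TargetUserName": "PC01$",      "IpAddress": "::ffff:172.16.16.30"},
    {"EventID": 672,  "TargetUserName": "alice.wong", "IpAddress": "172.16.16.40"},
    {"EventID": 4768, "TargetUserName": "carol.ng",   "IpAddress": "2001:db8::10"},
    {"EventID": 4625, "TargetUserName": "mallory",    "IpAddress": "::ffff:172.16.16.50"},
    {"EventID": 4768, "TargetUserName": "dave.kim",   "IpAddress": "::ffff:172.16.16.25"},
]


def client_ipv4(raw):
    """Return the IPv4 address from a 4768 IpAddress field, or None.

    Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); STAS is
    IPv4-only, so native IPv6 clients and unparsable values yield None."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.version == 6:
        addr = addr.ipv4_mapped      # None for a native IPv6 client
    return addr


def collect_logons(events, monitored_networks):
    """Build {client IP: user} from logon events inside the monitored networks.

    monitored_networks is the list configured on the STA Agent tab, e.g.
    ["172.16.16.0/24"]; logons from other networks are not forwarded."""
    nets = [ipaddress.ip_network(n) for n in monitored_networks]
    live = {}
    for ev in events:
        if ev["EventID"] not in LOGON_EVENT_IDS:
            continue
        user = ev["TargetUserName"]
        if user.endswith("$"):       # computer account ticket request, not a user logon
            continue
        ip = client_ipv4(ev["IpAddress"])
        if ip is None or not any(ip in n for n in nets):
            continue
        # The newest logon seen from an IP wins, as the live-users table is updated.
        live[str(ip)] = user
    return live


if __name__ == "__main__":
    for ip, user in collect_logons(SAMPLE_EVENTS, ["172.16.16.0/24"]).items():
        print(f"{ip:<16} -> {user}")
```

Running it against the sample with only 172.16.16.0/24 monitored yields two mappings (172.16.16.25 to dave.kim, because his logon is the later one from that address, and 172.16.16.40 to alice.wong); bob.jones on 10.1.1.1 only appears once 10.1.1.0/24 is added to the monitored networks, which is exactly the case the slide describes.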
Module 5: Authentication - 277
Configure the STAS Software
Callouts:
• The IP address(es) of the XG Firewall(s) to send the login information to
• Polling for the currently logged on user can be done using WMI or registry read access
• Optionally detect when users logoff via polling or PING
The IP address of the XG Firewall needs to be added to the ‘Sophos Appliances’ section of STAS.
Workstation polling can be configured to use either WMI (this is the default option) or registry read 
access. This is used to determine the currently logged on user when a computer is not found in the 
live users table.
STAS can also be configured to detect when users logoff. This can be done using the same method 
as workstation polling (this is the default option) or PING.
Module 5: Authentication - 278
Configure STAS on XG Firewall
STAS is configured in:
CONFIGURE > Authentication > STAS
Once the STAS software is installed and configured, STAS needs to be enabled on the XG Firewall; 
this is done in CONFIGURE > Authentication > STAS.
Switch STAS on, then click Activate STAS.
You can configure how long XG Firewall will try to probe for the identity and whether access should 
be limited while it tries to confirm the user’s identity.
You can also optionally enable and configure user inactivity handling by setting the inactivity timer 
and data transfer threshold.
Module 5: Authentication - 279
Configure STAS on XG Firewall
For every server you installed STAS on, you must add the IP address as a collector on the XG 
Firewall.
If you are installing the full STA suite for each domain controller you should put each collector in its 
own group. Using collector groups is beyond the scope of this course.
Module 5: Authentication - 280
Authentication Agent
Callouts: Agent and certificate need to be installed; The agent authenticates the user; The user sets their credentials
Another method for authenticating with the XG Firewall is to use an agent on each endpoint. 
You can download agents for Windows, Mac and Linux, and need to install the agent and certificate 
on the computer. 
The user sets the credentials for authentication, and then the agent will authenticate with the XG 
Firewall. The agent also shares the MAC address telemetry with the XG Firewall which allows MAC 
address restrictions to be used.
Module 5: Authentication - 281
Chromebook Single Sign-On (SSO)
1. Deploy Extension: the Chrome extension needs to be pushed to devices from Google G Suite
2. Active Directory Server: XG Firewall needs to be configured with an Active Directory server that is synchronized with G Suite, and Chromebook SSO enabled
3. Chromebook Authentication: the Chromebook extension shares the user ID with XG Firewall
Diagram components: Active Directory Server, XG Firewall, Google G Suite, Chromebook Devices
Chromebooks are increasingly popular in education and some corporate environments, but they 
create a unique set of challenges for user identification with network firewalls. XG Firewall 
provides a Chromebook extension that shares Chromebook user IDs with the Firewall to enable full 
user-based policy enforcement and reporting. Pre-requisites include an on-premise Active 
Directory Server synced to Google G Suite. The Chrome extension is pushed from the G Suite 
admin console providing easy and seamless deployment that is transparent to users. 
Module 5: Authentication - 282
Chromebook Single Sign-On (SSO)
Chromebook SSO is configured in:
CONFIGURE > Authentication > Services
Callouts:
• The domain name as registered with G Suite
• The certificate used for communication with the Chromebooks
• The certificate CN must match the zone/network where the Chromebook users are, for xg.sophostraining.xyz.
• The port number Chromebooks connect to from the LAN or Wi-Fi
Chromebook SSO must be enabled in CONFIGURE > Authentication > Services by providing your 
domain that is registered with G Suite and the certificate used to communicate with the Chromebooks, 
where the common name matches the network where the Chromebook users are.
A couple of things to remember:
• You will need to enable the Chromebook SSO service in device access for the zones where the 
devices are located
• You will also need to create a firewall rule that allows the Chromebooks to access the Google 
API and Chrome Web Store
Module 5: Authentication - 283
G Suite Configuration
Navigate to App Management
Search for and open Sophos Chromebook User ID
Upload the configuration (sample in the notes)
Navigate to Device Management > Networks
Upload the CA certificate from the XG Firewall (select Use this certificate as an HTTPS certificate authority). Only required where the XG Firewall uses a self-signed certificate.
Additional information in the notes
To configure the Chromebook app in G Suite, you need to navigate to App Management, then 
search for and open the Sophos Chromebook User ID app.
Here you will need to upload the configuration as a JSON file that includes server address, port and 
log settings. You can find a sample JSON in the course notes.
If the XG Firewall is using a self-signed certificate, you will also need to upload the CA certificate in 
Device Management > Networks, selecting the option, Use this certificate as an HTTPS certificate 
authority.
Example JSON for the G Suite configuration
Note: the uppercase Value is important, otherwise it won't work.
{
  "serverAddress": {
    "Value": "10.8.19.132"
  },
  "serverPort": {
    "Value": 65123
  },
  "logLevel": {
    "Value": 2
  },
  "logoutOnLockscreen": {
    "Value": true
  },
  "logoutOnIdle": {
    "Value": true
  },
  "idleInterval": {
    "Value": 900
  }
}
Module 5: Authentication - 284
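Because the note above says the upload silently fails when `Value` is not capitalised, a pre-upload check is worth having. The following Python validator is an added example, not code from the course or from Sophos: it parses the JSON, checks that each setting is an object whose key is exactly `Value`, and type-checks the values against the sample. The set of six settings and their types are taken from the sample above; that all six are required is an assumption.

```python
import json

# Settings in the course's sample JSON and the type each Value must carry
# (assumption: all six are required; the course shows them but does not say so).
EXPECTED = {
    "serverAddress": str,
    "serverPort": int,
    "logLevel": int,
    "logoutOnLockscreen": bool,
    "logoutOnIdle": bool,
    "idleInterval": int,
}

# The course's sample, reproduced as a string (address and port are the sample's own).
SAMPLE_CONFIG = """{
  "serverAddress": {"Value": "10.8.19.132"},
  "serverPort": {"Value": 65123},
  "logLevel": {"Value": 2},
  "logoutOnLockscreen": {"Value": true},
  "logoutOnIdle": {"Value": true},
  "idleInterval": {"Value": 900}
}"""

# Constructed variant with the mistake the note warns about.
LOWERCASE_VALUE_CONFIG = SAMPLE_CONFIG.replace(
    '"serverAddress": {"Value"', '"serverAddress": {"value"', 1)


def validate_chromebook_config(text):
    """Return a list of problems; an empty list means the file is ready to upload."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} (line {e.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    problems = []
    for key, typ in EXPECTED.items():
        entry = cfg.get(key)
        if entry is None:
            problems.append(f"{key}: missing")
            continue
        if not isinstance(entry, dict):
            problems.append(f'{key}: must be an object containing "Value"')
            continue
        if "Value" not in entry:
            wrong = [k for k in entry if k.lower() == "value"]
            if wrong:
                problems.append(f'{key}: key "{wrong[0]}" must be spelled "Value" (case matters)')
            else:
                problems.append(f'{key}: missing "Value"')
            continue
        val = entry["Value"]
        # bool is a subclass of int in Python, so reject true/false where an int is expected
        if (typ is int and isinstance(val, bool)) or not isinstance(val, typ):
            problems.append(f"{key}: Value must be {typ.__name__}, got {type(val).__name__}")
            continue
        if key == "serverPort" and not 1 <= val <= 65535:
            problems.append("serverPort: out of range")
    for key in cfg:
        if key not in EXPECTED:
            problems.append(f"{key}: unknown setting (not in the course sample)")
    return problems


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_CONFIG), ("lowercase", LOWERCASE_VALUE_CONFIG)]:
        print(name, validate_chromebook_config(text) or "OK")
```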
Using Authentication
Module 5: Authentication - 285
Where can Authentication be Used?
Firewall Rules
TLS Decryption Rules
SD-WAN Policy Routes
VPNs
Web Policies
Wireless Networks
Web Server Authentication
User Portal
WebAdmin
Callouts: Enable ‘Match known users’ to control network access based on user identity; Enable ‘Exclude this user activity from data accounting’ if this traffic should not count towards quotas
Within firewall rules you can enable the option to ‘Match known users’, and you can then select 
the users and groups that you want to match on. This makes the firewall rule a user rule instead of 
a network rule.
If the XG Firewall is unable to match the user’s identity you can choose to enable the web 
authentication, which can then further fall back to displaying the captive portal.
If the firewall rule is for business applications, such as Office 365 or SalesForce, you can choose 
to exclude the traffic from data accounting, which means that it will not count towards any quotas 
you have configured.
Module 5: Authentication - 287
Where can Authentication be Used?
Callout: Select users and groups as part of the source matching in TLS decryption rules
TLS decryption rules can be matched on user identity. This allows you to customize decryption 
per-user or group, allowing you to set specific decryption rules and standards for a department, for 
example finance.
Module 5: Authentication - 288
Where can Authentication be Used?
SD-WAN policy routes allow you to select traffic based on various properties, including users and 
groups, to determine which gateway it should be routed to.
Module 5: Authentication - 289
Where can Authentication be Used?
Callout: Select the users and groups that can connect to the VPN
Remote access VPNs allow you to control who can connect to and login to the network. First the 
authentication source needs to be selected in the authentication services, and the users and 
groups need to be selected in the VPN configuration.
Module 5: Authentication - 290
Where can Authentication be Used?
Callout: Apply web filtering rules to users and groups
As you will see in the next module, within web policies you can create rules that apply to specific 
users and groups. This allows you to build a single policy of rules that you can then apply to web 
traffic.
Module 5: Authentication - 291
Where can Authentication be Used?
Wireless protection on XG Firewall supports WPA and WPA2 Enterprise security that can use a 
RADIUS authentication server to control access to wireless networks.
Module 5: Authentication - 292
Where can Authentication be Used?
Callout: Protect access to web resources with user authentication
You can protect access to web servers by forcing users to authenticate before the connection even 
reaches the destination server. This means that attackers cannot try to exploit the web server as 
they don’t have access to it.
Module 5: Authentication - 293
Where can Authentication be Used?
User Portal features:
• Download authentication client and SPX plug-in
• Download VPN clients and configuration
• Manage email quarantine
• Review Internet usage
The user portal allows users to manage their own quarantine, password and Internet usage, as well 
as download VPN and authentication clients.
The User Portal is accessed using HTTPS to the IP address of the firewall. By default the user portal 
is only available to clients connecting from the LAN zone, but it can also be enabled for other 
zones. Note that the port for the user portal can be changed in SYSTEM > Administration > Admin 
settings.
Module 5: Authentication - 294
Where can Authentication be Used?
Callout: Allow users to login and manage the XG Firewall
Users can be configured as either a user or administrator. If they are an administrator then they are 
able to login to the WebAdmin and manage the XG Firewall based on the profile that is applied to 
their account.
Module 5: Authentication - 295
One-Time Passwords
Module 5: Authentication - 296
One-Time Passwords
Diagram: the user’s token (left) and the XG Firewall (right) each hold the same key and read the same synchronized time; both feed the token algorithm, so the codes they produce (123456, 234567, 345678, 456789, 567890, 678901) match.
XG Firewall supports two factor authentication using one-time passwords. Two factor 
authentication means that you provide two pieces of information to login, something you know, 
your password, and something you have, your token.
There are different types of one-time password; the XG Firewall supports time-based one-time 
passwords. You can use either software tokens, such as the Sophos Authenticator App or Sophos 
Intercept X App that are available for Android and iOS, or hardware tokens, as long as they conform to RFC 6238.
Note that RSA tokens are not supported.
Let’s take a look at how the OTP authentication works. In this diagram we have the user with their 
token on the left, and the XG Firewall on the right.
The user has a token that contains a key and gets the time from a synchronized clock. These are 
processed using the algorithm described in RFC 6238 to produce the token code.
The XG Firewall needs to have the same key, and be synchronized to the same clock so that when it 
calculates the token code it comes out with the same number.
To allow for variations in the time between the token and the XG Firewall, it will accept the 
previous and next token code as valid by default. This is the token offset step, and can be changed 
in the settings.
Module 5: Authentication - 297
Configuration
Callouts: Optionally select which users need to use OTP; Create software tokens for users; Global token settings; Where XG Firewall will require OTP
One-time passwords are configured in:
CONFIGURE > Authentication > One-time passwords
One-time passwords are not enabled by default and have to be turned on, and this can be done for 
either all users, or a selected set of users and groups.
You can choose to have the XG Firewall automatically generate a token secret (key) when users try 
to authenticate and they don’t have one. XG generated secrets can be used with software tokens, 
hardware tokens need to be added manually.
The XG Firewall can use one-time passwords to improve the security of the WebAdmin, User Portal 
(including the Clientless VPN Portal), and SSL and IPsec remote access VPNs.
You can configure the global token settings. For example, if you are using a hardware token with a 
60 second timestep you can configure this here. You can also configure the passcode offset steps 
which we discussed in the previous slide.
Module 5: Authentication - 298
Adding Tokens Manually
Callout: Optionally override the global token timestep
To add a token, you simply need to specify the secret, which is a 32 – 120 character HEX string, and 
select which user to assign the token to.
Optionally, the global timestep can be overridden, which may be necessary if you are using a 
mixture of tokens.
Module 5: Authentication - 299
Adding Tokens Automatically
Now let’s take a look at how tokens can be automatically generated for users.
When a user logs into the User Portal for the first time after one-time passwords have been 
enabled, the XG Firewall will generate and display the information they need to configure a 
software token. In most cases this can be done automatically by scanning the QR code with an app, 
such as the Sophos Authenticator App.
Once the token is configured the user clicks Proceed to login.
The user will then be presented with the User Portal login again. This time they login with their 
password and append their current token code.
Module 5: Authentication - 300
Additional Token Settings
Here we can see a token for John Smith that we will use to consider two scenarios.
In the first scenario, John has his token but the login is failing.
This might be caused if the time of the token and XG Firewall are out of sync. To resolve this you 
can enter the current passcode into the XG Firewall and it can compensate for the time difference.
Module 5: Authentication - 301
Additional Token Settings
Callout: Generate 10 one-time codes that can be used
In the second scenario, John Smith is on the road but has dropped and broken his mobile phone 
that has the Sophos Authenticator app on it. He needs to access the SSL VPN, but it is secured 
using OTP.
If this happens, you can add additional codes to the token. These are a set of single use codes that 
will automatically be removed after they are used.
Module 5: Authentication - 302
Module Review
Now that you have completed this module, you should be able to:
• Explain the types of user on the XG Firewall and know when to use them
• List the supported authentication sources and enable them for services on the XG Firewall
• Create identity-based policies
• Configure authentication using Synchronized User Identity, NTLM and Kerberos and STAS
• Enable and configure one-time passwords
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Module 5: Authentication - 303
Module 5 Simulations
Complete the following simulation tasks for Module 5
• Task 5.1: Configure an Active Directory Authentication Server
• Task 5.2: Configure Single Sign-On Using STAS
• Task 5.3: User-Based Policies
• Task 5.4: One-Time Passwords
Use the Simulation Workbook to view details of each task and access the simulations
Module 5: Authentication - 311
Hi there, this is the web protection module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET806 – Web Protection
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 6: Web Protection
Version: 18.0v2
Module 6: Web Protection - 314
Web Protection
Web Policies
• Creating and editing
• Web activities
• Applying policies
Global Settings
• Protection settings
• Advanced settings
• User notifications
Quotas and Traffic Shaping
• Web policy rule quotas
• Surfing quotas
• Traffic shaping
Web Protection Overview
• Overview
• Transparent and explicit proxy
• DPI vs. web proxy filtering
Exceptions
• Policy overrides
• Exceptions
Web Protection and Application Control on the XG Firewall protects users from web-based 
malware, and other threats such as social engineering, as well as restricting access to unproductive 
websites.
In this module you will learn to configure custom activities and use this to create web policies that 
have different rules based on a user’s identity. 
Module 6: Web Protection - 315
Web Protection Overview
Module 6: Web Protection - 317
Web Protection Overview
Protection
• Scan for malware with two antivirus engines
• Sophos Sandstorm cloud-based sandbox scanning
• Scan for potentially unwanted applications
Control
• Allow, warn, block and quota access to web content
• Apply rules to users and groups
• Control content based on categories, file types, URLs and content
• Surfing quotas
Web Protection on the XG Firewall can be used to defend against malware and to control user 
behaviour.
XG Firewall can scan for malicious content using two antivirus engines, Sophos and Avira, and if 
additional checking is required can leverage Sophos Sandstorm, a cloud-based sandbox solution. In 
addition to malicious content, you can also choose to block potentially unwanted applications from 
being downloaded on your network.
You can improve your network security by blocking access to risky websites and applying controls 
to user’s browsing behaviour. XG Firewall comes with several predefined policies to get started that 
can be further customized to meet your needs.
Module 6: Web Protection - 318
Web Protection Overview
Diagram: Transparent vs. Explicit
Web filtering on XG Firewall can be done either transparently, intercepting traffic as it passes, or as 
an explicit proxy, where clients are configured to use the XG Firewall as their web proxy.
Module 6: Web Protection - 319
DPI vs. Web Proxy Filtering
Web Proxy Filtering
✓ Enforce SafeSearch *
✓ Apply YouTube restrictions
✓ Explicit proxy mode
DPI
✓ Port agnostic protocol detection
✓ Support for FastPath
✓ Decrypts TLS 1.3 traffic
✓ Offloads traffic trusted by SophosLabs
Additional information in the notes
In v18 of XG Firewall, the DPI engine can perform web filtering for improved performance, however 
the legacy web proxy is still supported. Let’s take a look at some of the differences between DPI 
and web proxy filtering.
DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic protocol 
detection and supports the partial or full offload of traffic flows to the network FastPath. It can 
decrypt and scan TLS 1.3 traffic and offloads the traffic trusted by SophosLabs. 
In comparison, you may want to use the web proxy filtering to enforce SafeSearch or YouTube 
restrictions, or because your clients are configured to use the XG Firewall as an explicit proxy. 
Note that there is an alternative method for enforcing SafeSearch using DNS. Details can be found 
in the handout notes.
https://support.opendns.com/hc/en-us/articles/227986807-How-to-Enforcing-Google-SafeSearch-YouTube-and-Bing
Let’s take a closer look at how the traffic is processed in each of these scenarios. 
DPI Filtering
[Diagram: DPI Filtering. Flows shown: sophos.com on port 80, sophos.com on port 443, sophos.com on port 8080. Firewall components shown: Web Proxy (Decrypt HTTPS, Web Policy, Content Scan); DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS); FastPath. In this configuration all three flows are handled by the DPI engine.]
With the DPI engine and separate SSL/TLS inspection rules the controls available in the Web 
Filtering section have changed.
Using the configuration shown here, all of the traffic is handled by the new, faster DPI engine, which performs IPS, proxy-less web filtering and SSL decryption for HTTP and HTTPS on any port, using port-agnostic protocol identification.
In this configuration the SSL/TLS inspection rules are used to manage the decryption of secure web 
traffic.
Using the DPI engine allows the XG Firewall to offload safe traffic to the FastPath. This is done for 
traffic that the XG Firewall qualifies as being safe, or that matches identities for SophosLabs trusted 
traffic.
Web Proxy Filtering
[Diagram: Web Proxy Filtering. Flows shown: sophos.com on port 80, sophos.com on port 443, sophos.com on port 8080. Firewall components shown: Web Proxy (Decrypt HTTPS, Web Policy, Content Scan); DPI Engine (SSL/TLS Rules, Web Policy, Content Scan, App Control, IPS); FastPath. The port 80 and 443 flows pass through the Web Proxy before reaching the DPI Engine; the port 8080 flow goes to the DPI Engine directly.]
If you enable the web proxy, then HTTP and HTTPS traffic on ports 80 and 443 will be processed by 
the legacy web proxy for decryption, web policy and content scanning before being handed to the 
DPI engine for application control and IPS.
HTTP or HTTPS traffic on other ports will still be handled by the DPI engine.
The legacy web proxy is also used in explicit proxy configurations.
When the web proxy is being used none of the traffic can be offloaded to the FastPath. This 
includes any traffic that matches identities for SophosLabs trusted traffic.
Web Policies
Creating and Editing Web Policies
The main part of each web policy is made up of an ordered list of rules and a default action, either 
allow or deny, that determines the behaviour if the traffic does not match any of the rules.
[Screenshot labels: Users & Groups; User Activities (Dynamic Categories, Categories, URL Groups, File Types); Content Filter; Action; Status; Constraints.]
Each web policy rule applies to either specific users and groups, or everyone.
You define the activities, or types of web traffic that are going to be controlled by the rule, and you 
can optionally also apply a keyword content filter to the traffic.
Each rule has an action, allow, warn, quota or block, and this can be overridden so there is a 
separate action applied to HTTPS traffic.
You can set time constraints for the rule. If no time constraints are selected then the rule will be 
active all of the time.
Finally, you can enable and disable individual rules – don’t forget to turn rules on when you create 
them!
Below the rules are some additional settings that allow you to:
• Enforce SafeSearch in common search engines. This is done by modifying the request to enable the feature in the search engine
• Enforce YouTube restrictions, which is done in the same way as enforcing SafeSearch
• Configure how much quota time users have per day. We will cover this in more detail later in the module
• Control advanced settings such as logging, file size limits and access to Google apps
User Activities
Let’s take a look at the types of traffic you can select to control in the web policy rules, starting 
with User Activities.
User Activities are a way of grouping web categories, URL groups and file types into a single object 
to simplify management.
Categories
Web categories are what most people think of when they think of web filtering. XG Firewall comes 
with over 90 predefined web categories, which you can reclassify and apply traffic shaping policies 
to.
You can also create custom web categories based on either local lists of domains and keywords or 
an external URL database.
[Additional Notes]
External URL databases can be downloaded from either an HTTP or an FTP server. The database should be in one of the following formats:
• .tar
• .gz
• .bz
• .bz2
• .txt
The database is checked for updates every two hours.
URL Groups
URL groups match on domains and all subdomains for the entered domains.
There are a couple of important default groups:
• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt 
traffic for
• Managed TLS exclusion list, which is a Sophos managed list of domains that are excluded from 
TLS decryption. On this page you can see the domains that are included, although you cannot 
edit this group
File Types
XG Firewall can manage access to files through the web policy, and comes with a number of groups 
of common file types defined by extension and MIME type.
You can also create custom file types, which can use an existing group as a template to import 
already defined types.
Content Filters
Web policies include the option to log, monitor and enforce policies related to keyword lists. This feature is particularly important in education environments to ensure online child safety and provide insight into students using keywords related to self-harm, bullying, radicalization or otherwise inappropriate content. Keyword libraries can be uploaded to XG Firewall and applied to any web filtering policy as an additional criterion, with actions to log and monitor, or to block search results or websites containing the keywords of interest.
Comprehensive reporting is provided to identify keyword matches and the users that are searching for or consuming keyword content of interest, enabling proactive intervention before an at-risk user becomes a real problem.
Keyword lists are plain text files with one term per line.
You will have an opportunity to experiment with this in the labs.
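To make the web policy model in this section concrete, here is an added example that evaluates a policy the way the slides describe it. It is not XG Firewall code or configuration: rules are tried in order and the first match decides, otherwise the default action applies; a rule is scoped to named users or everyone, matches User Activities built from URL groups (a domain and all of its subdomains) and file types (extension or MIME type), can require a keyword content filter hit (keyword lists are one term per line), can carry a separate action for HTTPS, and has an optional time constraint and an enabled flag. The class and field names, the sample keyword list and the `.test` domains are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit
import posixpath

ALLOW, WARN, QUOTA, BLOCK = "allow", "warn", "quota", "block"


@dataclass
class Activity:
    """A User Activity: URL groups plus file types (by extension or MIME type)."""
    domains: set[str] = field(default_factory=set)
    extensions: set[str] = field(default_factory=set)
    mime_types: set[str] = field(default_factory=set)

    def matches(self, url: str, mime: str | None) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # URL groups match the entered domain and every subdomain of it.
        if any(host == d or host.endswith("." + d) for d in self.domains):
            return True
        ext = posixpath.splitext(parts.path)[1].lower().lstrip(".")
        if ext and ext in self.extensions:
            return True
        return mime is not None and mime.lower() in self.mime_types


@dataclass
class Rule:
    name: str
    activities: list[Activity]
    action: str
    users: set[str] | None = None            # None means the rule applies to everyone
    https_action: str | None = None          # optional separate action for HTTPS traffic
    keywords: set[str] = field(default_factory=set)  # content filter terms; empty = not used
    hours: tuple[int, int] | None = None     # time constraint (start, end) hour; None = always
    enabled: bool = True

    def applies(self, user: str, url: str, mime: str | None, body: str, when: datetime) -> bool:
        if not self.enabled:
            return False
        if self.users is not None and user not in self.users:
            return False
        if self.hours and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        if not any(a.matches(url, mime) for a in self.activities):
            return False
        if self.keywords:  # the keyword filter is an extra criterion on top of the activity
            text = (url + " " + body).lower()
            if not any(k in text for k in self.keywords):
                return False
        return True


@dataclass
class WebPolicy:
    rules: list[Rule]
    default_action: str = ALLOW

    def decide(self, user: str, url: str, mime: str | None = None,
               body: str = "", when: datetime | None = None) -> tuple[str, str]:
        """Return (action, rule name); rules are ordered and the first match wins."""
        when = when or datetime.now()
        for rule in self.rules:
            if rule.applies(user, url, mime, body, when):
                if url.lower().startswith("https://") and rule.https_action:
                    return rule.https_action, rule.name
                return rule.action, rule.name
        return self.default_action, "default"


def load_keywords(text: str) -> set[str]:
    """Keyword lists are plain text files with one term per line."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


# Constructed sample policy and timestamps (not a real XG Firewall configuration).
CLASS_TIME = datetime(2020, 7, 1, 10, 0)
EVENING = datetime(2020, 7, 1, 18, 0)
KEYWORDS = load_keywords("self-harm\nbullying\n")
POLICY = WebPolicy(
    rules=[
        Rule("Draft block-all (disabled)", [Activity(domains={"test"})], BLOCK, enabled=False),
        Rule("Block executables for students",
             [Activity(extensions={"exe", "msi"}, mime_types={"application/x-msdownload"})],
             BLOCK, users={"student"}),
        Rule("Warn on social media in class hours",
             [Activity(domains={"social.example.test"})], WARN, hours=(9, 16)),
        Rule("Block risky searches", [Activity(domains={"search.example.test"})],
             BLOCK, keywords=KEYWORDS),
        Rule("Quota video, warn when encrypted",
             [Activity(domains={"video.example.test"})], QUOTA, https_action=WARN),
    ],
    default_action=ALLOW,
)
```

The disabled first rule would otherwise match every `.test` host, which is exactly the case the slide warns about: a rule that is created but never switched on has no effect, however broad it is.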
Applying Policies
Once you have created your web policy you can apply it in firewall rules.
Global Settings
Protection Settings
There are a number of protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning
• Scan mode
• The action to take for unscannable content and potentially unwanted applications
The HTTPS decryption and scanning settings on this page allow you to change the signing CA and modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS decryption rules.
[Additional Notes]
Sandstorm protection requires the Sophos scan engine; this means that you need to either select 
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection), or use 
dual engine scanning.
The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more 
cautious approach.
Then we must decide on how to handle content that cannot be scanned due to factors such as 
being encrypted or password protected. The safest option is to block this content but it can be 
allowed if required.
An option is available as part of web protection to block Potentially Unwanted Applications from being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs list. PUA blocking is applied as part of the malware protection in firewall rules.
Sophos Sandstorm
The global Sandstorm configuration is located in PROTECT > Advanced threat > Sandstorm 
settings.
Here you can specify whether an Asia Pacific, Europe or US Sandstorm datacenter will be used, or 
let Sandstorm decide where to send files for analysis based on which will give the best 
performance. You may need to configure this to remain compliant with data protection laws.
You can also choose to exclude certain types of file from Sandstorm using the predefined file type 
options.
Sandstorm scanning is enabled in the Web filtering section of firewall rules.
Advanced Settings
On the General settings tab there are also some advanced settings where you can enable web 
caching and caching Sophos endpoint updates.
You can also configure some web proxy settings:
• The port that clients should use when the XG Firewall is configured as their explicit proxy
• The destination ports that clients are allowed to connect to through the proxy
User Notifications
In the User notifications tab you can modify the images and text shown on the warn and block 
pages.
Quotas and Traffic Shaping
The XG Firewall can control web access in three ways:
• Using the quota action in web policy rules (category and time-based)
• Applying surfing quotas to groups of users (time-based)
• Applying traffic shaping policies (bandwidth-based)
Web Policy Rule Quotas
In the web policy you can set rules to a quota action. This applies to all activities in that rule.
Further down in the policy you can configure how much quota time users have per day. All quota activities share the same pool of quota time.
When a user accesses a quota activity they are asked how much quota time to use now. This prevents quota time being exhausted by websites updating in the background.
Surfing Quotas
Surfing quotas are applied to users and groups and are another way to control the amount of time 
spent on the Internet. Unlike web policy rule quotas, surfing quotas apply to all Internet traffic.
Surfing quotas define an amount of surfing time, which can either be a single amount of time or 
cyclic, where the surfing time is reset on a schedule.
Surfing quotas can also have a validity period, which could be useful to guest users.
You can optionally apply additional schedule restrictions to the surfing quota that limit Internet 
access to specific times of day or days of the week.
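The two time-based controls just described can be modelled side by side. The following is an added example, not XG Firewall code: `RuleQuotaPool` implements the web policy rule quota from the previous slide, one daily pool of minutes per user shared by every quota activity, spent in chunks the user chooses so that background refreshes cannot drain it; `SurfingQuota` implements a surfing quota that applies to all Internet traffic, either a single amount or cyclic with a reset schedule, with an optional validity period and allowed hours. The class names, the calendar-day refill of the rule quota pool, and all sample values are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


@dataclass
class RuleQuotaPool:
    """Web policy rule quota: one shared daily pool per user for all quota activities."""
    daily_minutes: int
    _used: dict[str, int] = field(default_factory=dict)
    _grant_until: dict[str, datetime] = field(default_factory=dict)
    _day: dict[str, date] = field(default_factory=dict)

    def _roll_day(self, user: str, now: datetime) -> None:
        # Assumption: the pool is refilled on the first request of each calendar day.
        if self._day.get(user) != now.date():
            self._day[user] = now.date()
            self._used[user] = 0
            self._grant_until.pop(user, None)

    def remaining(self, user: str, now: datetime) -> int:
        self._roll_day(user, now)
        return self.daily_minutes - self._used[user]

    def request(self, user: str, minutes: int, now: datetime) -> tuple[bool, int]:
        """The user opens a quota activity and chooses how many minutes to spend now.
        Returns (allowed, minutes left in the pool)."""
        self._roll_day(user, now)
        if now < self._grant_until.get(user, now):
            return True, self.remaining(user, now)      # an earlier grant is still running
        if minutes <= 0 or minutes > self.remaining(user, now):
            return False, self.remaining(user, now)
        self._used[user] += minutes                      # only the chosen amount is deducted
        self._grant_until[user] = now + timedelta(minutes=minutes)
        return True, self.remaining(user, now)


@dataclass
class SurfingQuota:
    """Surfing quota for a user or group: applies to all Internet traffic."""
    minutes: int                                  # allowance per cycle, or in total if not cyclic
    cycle: timedelta | None = None                # None = single amount; else reset every cycle
    valid_from: datetime | None = None            # optional validity period (e.g. for guests)
    valid_until: datetime | None = None
    allowed_hours: tuple[int, int] | None = None  # optional schedule restriction (start, end)
    _used: dict[str, int] = field(default_factory=dict)
    _cycle_start: dict[str, datetime] = field(default_factory=dict)

    def _roll_cycle(self, user: str, now: datetime) -> None:
        start = self._cycle_start.setdefault(user, now)
        if self.cycle and now - start >= self.cycle:
            # Move to the cycle that contains `now`; the allowance is reset.
            self._cycle_start[user] = start + ((now - start) // self.cycle) * self.cycle
            self._used[user] = 0

    def permitted(self, user: str, now: datetime) -> bool:
        if self.valid_from and now < self.valid_from:
            return False
        if self.valid_until and now >= self.valid_until:
            return False
        if self.allowed_hours and not (self.allowed_hours[0] <= now.hour < self.allowed_hours[1]):
            return False
        self._roll_cycle(user, now)
        return self._used.get(user, 0) < self.minutes

    def consume(self, user: str, minutes: int, now: datetime) -> int:
        """Account `minutes` of surfing time; returns minutes left in the current cycle."""
        self._roll_cycle(user, now)
        self._used[user] = self._used.get(user, 0) + minutes
        return max(self.minutes - self._used[user], 0)


# Constructed sample values for a quick run.
T0 = datetime(2020, 7, 1, 9, 0)


def at(hours: float = 0, days: int = 0) -> datetime:
    """Timestamp relative to T0 (helper for the examples)."""
    return T0 + timedelta(hours=hours, days=days)


GUEST_QUOTA = SurfingQuota(minutes=60, cycle=timedelta(days=1),
                           valid_from=datetime(2020, 7, 1), valid_until=datetime(2020, 7, 3),
                           allowed_hours=(8, 18))
```

The rule quota pool deliberately ignores which activity is being opened: the slide's point is that every quota activity draws from one pool, so keying usage by activity would be the wrong model. The surfing quota with a one-day cycle, a two-day validity window and daytime hours is the guest-user case the text mentions.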
Traffic Shaping
Traffic shaping does not limit the amount of time or data; instead it can either limit or guarantee how much bandwidth will be available. XG Firewall supports traffic shaping for several types of policy. In this context it is applied to web categories, but it can also be applied to users and groups, firewall rules and applications.
Exceptions
Policy Overrides
Web policy overrides allow authorized users to override blocked sites on user devices, temporarily 
allowing access. 
You define which users (for example this could be teachers in an education setting) have the option 
to authorize policy overrides. Those users can then create their own override codes in the XG 
Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you 
can see a full list of all override codes created and disable or delete them, as well as defining sites 
or categories that can never be overridden. There is also a report providing full historical insight 
into web override use.
Override code rules can be broad – allowing any traffic or whole categories – or more narrow – allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse, codes can easily be changed or cancelled.
Codes can be shared with end users, who enter them directly into the block page to allow access 
to a blocked site.
Exceptions
The exceptions found within the web protection in the Sophos XG Firewall can be used to bypass certain security checks or actions for any sites that match the criteria specified in the exception. There are a few predefined exceptions already in the XG Firewall and more can be created at the administrator's discretion. It is important to note that exceptions apply to all web protection policies, no matter where they are applied in the XG Firewall.
Exceptions can be matched on any combination of:
• URL patterns, which can be either simple strings or regular expressions
• Website categories
• Source IP addresses
• Destination IP addresses
Note that many websites have multiple IP addresses, and all of them would need to be listed.
Where multiple matching criteria are used, the traffic must match all of the criteria for the exception to apply.
You can then select which checks the exception will bypass.
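The matching semantics above (unset criteria are ignored, set criteria must all hold, URL patterns are either plain strings or regular expressions, and a site with several IP addresses needs every one of them listed) are shown in this added example. It is not XG Firewall code: the `WebException` fields, the names of the bypassed checks and the sample URLs and addresses are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress
import re


@dataclass
class WebException:
    """One exception: unset criteria are ignored, set criteria must all match (AND).
    Within a single criterion the listed values are alternatives (any one matches)."""
    name: str
    url_patterns: list[str] = field(default_factory=list)  # simple substrings or regexes
    regex: bool = False                                     # True: url_patterns are regexes
    categories: set[str] = field(default_factory=set)
    source_nets: list[str] = field(default_factory=list)   # IPs or CIDR ranges
    dest_nets: list[str] = field(default_factory=list)     # a site with several IPs needs them all
    skip_checks: set[str] = field(default_factory=set)     # checks the exception bypasses

    def _url_matches(self, url: str) -> bool:
        if not self.url_patterns:
            return True
        if self.regex:
            return any(re.search(p, url) for p in self.url_patterns)
        return any(p in url for p in self.url_patterns)

    @staticmethod
    def _ip_in(nets: list[str], ip: str) -> bool:
        if not nets:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

    def matches(self, url: str, category: str, src_ip: str, dst_ip: str) -> bool:
        return (self._url_matches(url)
                and (not self.categories or category in self.categories)
                and self._ip_in(self.source_nets, src_ip)
                and self._ip_in(self.dest_nets, dst_ip))


def bypassed_checks(exceptions: list[WebException], url: str, category: str,
                    src_ip: str, dst_ip: str) -> set[str]:
    """Union of the checks skipped by every exception that matches this request."""
    skipped: set[str] = set()
    for exc in exceptions:
        if exc.matches(url, category, src_ip, dst_ip):
            skipped |= exc.skip_checks
    return skipped


# Constructed sample exceptions; the check names are illustrative, not product identifiers.
EXCEPTIONS = [
    WebException("No decryption for update server",
                 url_patterns=[r"^https?://updates\.example\.test/"], regex=True,
                 skip_checks={"https_decrypt"}),
    WebException("Banking from finance subnet only",
                 categories={"Finance"}, source_nets=["10.10.5.0/24"],
                 skip_checks={"https_decrypt", "content_scan"}),
    WebException("Internal appliance by destination IP",
                 dest_nets=["192.0.2.10", "192.0.2.11"],   # list every address the site uses
                 skip_checks={"malware_scan"}),
    WebException("Simple string match on a download path",
                 url_patterns=["/downloads/agreed-software/"],
                 skip_checks={"file_type_policy"}),
]
```

Because exceptions apply to every web policy, the matching criteria are where the risk sits: an anchored regular expression such as `^https?://updates\.example\.test/` matches only that host, whereas the simple string `updates.example.test` would also match a host like `evil-updates.example.test`. Combining a URL or category criterion with a source subnet, as the second exception does, keeps the bypass narrow.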
Module Review
Now that you have completed this module, you should be able to:
• Create, edit and apply web policies
• Describe the different deployment and web filtering modes
• Apply quotas to web policy rules and users and configure traffic shaping policies
• Locate and configure global settings for protection and the explicit proxy
• Configure web policy overrides and exceptions
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Module 6 Simulations
Complete the following simulation tasks for Module 6:
• Task 6.1: Create a TLS inspection rule
• Task 6.2: Create custom web categories and user activities
• Task 6.3: Create a content filter
• Task 6.4: Create a custom web policy
• Task 6.5: Create web policy overrides
• Task 6.6: Create a surfing quota for guest users
▪ Task 6.1: Create Custom Web Categories and User Activities
▪ Task 6.2: Create a Content Filter
▪ Task 6.3: Create a Custom Web Policy
▪ Task 6.4: Create Web Policy Overrides
▪ Task 6.5: Create a Surfing Quota for Guest Users
Use the Simulation Workbook to view details of each task and access the simulations.
Sophos Certified Engineer
XG Firewall 18.0 ET807 – Application Control
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Module 7: Application Control
Module 7: Application Control - 360
Application Control
Application Filters
• Application filters
• Creating filters
• Filter rules
Synchronized App Control
• Managing Synchronized App Control
• Control Center widget
• Categorising identified apps
Cloud Applications
• Control Center widget
• Classifying and traffic shaping cloud applications
Application Control Overview
• Overview
• Application list
• Live connections
Traffic Shaping
• Policies
• Settings
• Applying traffic shaping
In this module you will learn how to identify applications on your network using the live 
connection viewer, Synchronized Application Control and cloud applications. You will learn how to 
create and apply application filters to control access to applications, and how to guarantee or limit 
bandwidth to applications.
Application Control Overview
[Diagram: a Computer behind the XG Firewall reaching Cloud Storage, Video Streaming, Peer-to-Peer and Social Media. Callouts: Block or limit unproductive applications; Protect against risky applications; Guarantee bandwidth for business applications.]
Many applications and tools used for day-to-day business are provided through cloud-based services, so ensuring good Internet connectivity for employees is vital.
Alongside these business applications are every other type of application and service that can be imagined, many of which are unproductive or can expose users and the company network to risks.
The XG Firewall can protect against risky applications and either block or limit access to 
unproductive applications, and at the same time guarantee that business applications have the 
bandwidth they need.
Application List
XG Firewall comes with definitions for thousands of known applications, which you can filter and 
view the details of in PROTECT > Applications > Application list.
Live Connections
Current connections can be monitored in MONITOR & MANAGE > Current activities > Live connections
The Live connections page lists all of the current applications making connections through the XG 
Firewall. You can use the link in the ‘Total connections’ column to get more detailed information 
about all of the connections for that application.
The live connections can be shown by application, username or source IP address, and the page 
can be optionally set up to automatically refresh to give a real-time view.
Application Filters
Application filters can be found in PROTECT > Applications > Application filter
Application filters are sets of rules that can allow or deny access to applications. Unlike web 
policies, application filter rules are not applied to users and groups, so the application filter will 
apply to all users for the firewall rule it is used in.
Creating Application Filters
Application filters are created in two stages.
First you create the application filter. Here you can optionally select an existing application filter as 
a template.
You save the application filter and if you selected a template the rules will be copied over to the 
new filter.
You can now open the application filter and start adding rules, or edit rules if you selected a 
template.
Note that the rules are processed in order, and you can rearrange them by dragging and dropping.
Application Filter Rules
For each application filter rule you select which applications it will apply to, set whether the action 
for those applications is allow or deny, and optionally select a schedule for when the rule will be 
active.
Selecting the applications in the rule is done by filtering the applications using the criteria 
provided, or using a free-text smart filter. When new applications are added that match the filters 
they will automatically be included in the rule.
You can optionally choose to select individual applications rather than all applications included in 
the filtered results, in this case newly added applications will not automatically be added to the 
rule.
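The difference between the two ways of selecting applications in a rule is easy to miss, so here it is as an added example (not XG Firewall code). A criteria-based rule is re-evaluated against the application list, so an application added in a later definition update is covered automatically if it fits the criteria or the smart filter; an individual-selection rule holds a fixed set of names and never grows. Rules are processed in order and the first rule that covers the application decides. The `App` fields, the risk scale, the `default` action when no rule matches, and the sample applications are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class App:
    """One entry in the application list (constructed fields)."""
    name: str
    category: str
    risk: int          # constructed scale: 1 (low) to 5 (very high)
    technology: str    # e.g. "Browser Based", "Client Server", "P2P"


@dataclass
class FilterRule:
    """An application filter rule: criteria-based (dynamic) or an individual selection."""
    name: str
    action: str                                   # "allow" or "deny"
    categories: set[str] = field(default_factory=set)
    min_risk: int | None = None
    technologies: set[str] = field(default_factory=set)
    smart_filter: str | None = None               # free text matched against the app name
    selected: set[str] | None = None              # individual selection: fixed set of names

    def covers(self, app: App) -> bool:
        if self.selected is not None:
            return app.name in self.selected      # static: later additions never join
        # Criteria rule: every set criterion must hold; unset criteria are ignored.
        if self.categories and app.category not in self.categories:
            return False
        if self.min_risk is not None and app.risk < self.min_risk:
            return False
        if self.technologies and app.technology not in self.technologies:
            return False
        if self.smart_filter and self.smart_filter.lower() not in app.name.lower():
            return False
        return True


def members(rule: FilterRule, apps: list[App]) -> set[str]:
    """Names of the applications the rule currently covers, given the application list."""
    return {app.name for app in apps if rule.covers(app)}


def decide(rules: list[FilterRule], app: App, default: str = "allow") -> tuple[str, str]:
    """Rules are processed in order; the first rule covering the app decides."""
    for rule in rules:
        if rule.covers(app):
            return rule.action, rule.name
    return default, "default"


# Constructed application list and filter (not real XG Firewall definitions).
APPS = [
    App("TorrentTool", "P2P", 5, "P2P"),
    App("CorpCRM", "Business", 1, "Browser Based"),
    App("VideoShare", "Streaming", 2, "Browser Based"),
]
RULES = [
    FilterRule("Allow approved business apps", "allow", selected={"CorpCRM"}),
    FilterRule("Deny P2P category", "deny", categories={"P2P"}),
    FilterRule("Deny high risk", "deny", min_risk=4),
    FilterRule("Deny anything named torrent", "deny", smart_filter="torrent"),
]
# Two applications that only appear after a later definition update:
NEW_APPS = [
    App("NewTorrentX", "File Transfer", 5, "Client Server"),
    App("CorpCRM Mobile", "Business", 1, "Browser Based"),
]
```

With the update applied, `NewTorrentX` is denied by the criteria rules without anyone editing the filter, while `CorpCRM Mobile` falls through to the default because the individual selection still lists only `CorpCRM`. That is the trade-off the slide describes: criteria rules track the application list, individual selections have to be maintained by hand.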
Synchronized App Control
[Diagram: a Sophos Central managed endpoint running a Custom Business Application, the XG Firewall and the Internet. The XG Firewall asks the endpoint: "I don't recognize this traffic, what application is it from?" The endpoint replies: "This is Custom Business Application and it is allowed".]
Synchronized App Control can identify, classify and control previously unknown applications active on the network. It uses the Security Heartbeat to obtain information from the endpoint about applications that don't have signatures, or are using generic HTTP or HTTPS connections. This solves a significant problem that affects signature-based app control on all firewalls today, where many applications are classified as "unknown", "unclassified", "generic HTTP" or "SSL".
Note: Synchronized App Control is not supported in active-active high availability deployments.
Managing Synchronized App Control
Synchronized Application Control is enabled when you register the XG Firewall with Sophos Central.
In the Control Center there is a Synchronized Application Control widget that provides an at-a-glance indication of the previously unidentified applications that have now been identified.
Categorizing Identified Applications
Identified applications are managed in:
PROTECT > Applications > Synchronized Application Control
Where possible, XG Firewall will automatically classify identified applications and they will be 
controlled based on the current application filters you have in place.
You can also manually recategorize identified applications if you disagree with the automatic 
classification, or if XG Firewall was unable to classify the application.
Cloud Applications
[Diagram: OneDrive and Dropbox traffic is identified; OneDrive is sanctioned, Dropbox is unsanctioned. Steps: Identify cloud applications being used; Classify cloud applications; Apply traffic shaping rules; Block using application control.]
The XG Firewall has a lite Cloud Access Security Broker (CASB) implementation, which helps to identify risky behavior by providing insight into which cloud services are being used. You can then take appropriate action by educating users or implementing application control or traffic shaping policies to control or eliminate potentially risky or unwanted behavior.
For example, if your company has a corporate Office 365 and uses OneDrive for file storage, and 
one user is consistently uploading data to Dropbox, that could be a red flag that needs further 
investigation or policy enforcement. This practice of using unsanctioned cloud services is called 
“Shadow IT”, a term you’ll often hear in association with CASB.
Cloud Applications in the Control Center
In Control Center there is a widget that provides a visual summary of cloud application usage by 
classification. This can be New, Sanctioned, Unsanctioned or Tolerated. 
The statistics show the number of cloud applications, and the amount of data in and out.
Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can 
get more detailed information.
Cloud Applications
Here you can see all of the cloud applications that have been detected. They can be filtered by classification and category, and sorted either by volume of data or number of users.
You can expand each application to see which users have been using it, and how much data they have transferred.
Classifying and Traffic Shaping
From this page you can also reclassify the application, or apply a traffic shaping policy.
Traffic Shaping
Traffic Shaping Default
Applications can be found in PROTECT > Applications > Application filter
You can create and apply traffic shaping policies based on applications.
Here you can see the applications grouped by their category. You can apply traffic shaping policies 
to a category of applications. You can also apply policies to individual applications, which will take 
precedence over any category level traffic shaping policy.
Traffic Shaping Policies
Traffic shaping policies are configured in CONFIGURE > System Services > Traffic shaping
Traffic shaping policies can either be configured to limit the amount of bandwidth they can use, 
perhaps to prevent video streaming impacting business, or to guarantee an amount of bandwidth 
in the case of business critical applications.
Traffic Shaping Settings
Traffic shaping settings are configured in CONFIGURE > System Services > Traffic shaping settings
For traffic shaping to work correctly you need to configure the settings. This includes the total 
WAN bandwidth available, which XG Firewall needs so it can allocate bandwidth effectively.
Applying Traffic Shaping
To enable the application traffic shaping, select Apply application-based traffic shaping policy in 
the firewall rule where you have applied the application filter.
Module Review
Now that you have completed this module, you should be able to:
• Create and apply application filters
• View the details of applications that are connecting through XG Firewall
• Classify and apply traffic shaping to cloud applications
• Categorize applications identified by Synchronized Application Control
• Create and apply traffic shaping policies to applications
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Module 7 Simulations
Complete the following simulation tasks for Module 7:
• Task 7.1: Create an application filter policy
• Task 7.2: Categorize applications using Synchronized Application Control
• Task 7.3: Detect and categorize cloud applications
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the Email Protection module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET808 – Email Protection
July 2020
Version: 18.0v2
Module 8: Email Protection
Module 8: Email Protection - 396
Email Protection
Email Policies
• SMTP route & scan
• IMAP and POP
• Legacy SMTP
Data Control and Encryption
• Data control
• Secure PDF Exchange (SPX)
Quarantine Management
• WebAdmin
• Digest emails
• User portal
Email Protection Configuration
• Email protection modes
• Protection configuration
• Smarthosts
DKIM
• Verification
• Keys
• Signing
Sophos XG Firewall provides comprehensive email protection for both server protocols, SMTP/S, and client protocols, POP3 and IMAP. In this module you will learn how to configure and manage email on the XG Firewall, and implement data protection and encryption features.
Email Protection Configuration
Email Protection Modes
MTA Mode
• Default mode
• XG Firewall is a full mail transfer agent (MTA)
• Explicit and transparent proxy
• Per-domain routing
• Mail spool
• Mail log
• Relay protection and authenticated relay
• Validation checks
• Sandstorm protection
• DKIM
Legacy Mode
• Used for XG86(w)
• XG Firewall acts as a transparent proxy
The SMTP deployment mode can be changed in PROTECT > Email > General settings.
Email Protection on the XG Firewall has two modes: the default MTA mode, where the XG Firewall is a full mail transfer agent (MTA), and a legacy mode, where the XG Firewall acts as a transparent proxy.
Note that XG86 and XG86w are only supported in legacy mode.
We will be focusing on MTA mode throughout the rest of this module.
Email Protection Configuration
1. Set the SMTP settings, including the hostname (PROTECT > Email > General settings)
2. Review TLS settings and configure as required (PROTECT > Email > General settings)
3. Configure host and user relay settings (PROTECT > Email > Relay settings)
4. Enable SMTP relay for the zones you want to accept email from (SYSTEM > Administration > Device access)
5. Optionally, configure the advanced SMTP settings (PROTECT > Email > General settings)
Let’s take a look at the process for configuring Email Protection.
Before you start creating policies you should configure the settings shown here:
• The SMTP settings, in particular the hostname that the XG Firewall uses when communicating 
with other email servers, but also in this section you can enable denial of service settings
• The XG Firewall will always try to use TLS when communicating with other email servers, but 
you can customize the settings based on your requirements
• You need to configure which servers and users are able to relay emails through the XG Firewall
• SMTP relay must be enabled for the zones you want to be able to accept email from
• Optionally you can configure the advanced SMTP settings, including whether to scan outbound 
email and validation of HELO arguments
You will complete these steps as part of the labs.
[Additional Notes]
PROTECT > Email > General settings
SMTP Settings
When operating in MTA mode, it is important that you configure the SMTP Hostname the XG 
Firewall uses to talk to other mail servers to a publicly resolvable hostname. If you do not do this 
some mail servers may reject the emails being sent by the XG Firewall.
Specify maximum file size (in KB) for scanning. Files exceeding this size received through SMTP/S 
will not be scanned. The default size is 1MB (1024KB). Specify 0 to use the default file size or 
configure the scanning restriction up to 50 MB (51200 KB).
Module 8: Email Protection - 401
The options for handling oversized emails are:
• Accept: All the oversized mails are forwarded to the recipient without scanning
• Reject: All the oversized mails are rejected and sender is notified
• Drop: All the oversized mails are dropped, without notifying the sender
With IP reputation enabled you can choose to reject emails that are being sent from 
known spam senders. By doing this during the message transmission, you can reduce 
the processing that Sophos XG Firewall is required to do.
To protect against SMTP denial of service attacks (DoS) you can limit the number of 
connections and the rate of emails being sent in total and by host.
PROTECT > Email > Relay settings
To be able to send emails out to external domains, you need to configure who can 
relay emails through the XG Firewall.
You can specify servers that can relay email to the Internet, such as an Exchange 
server, in the ‘Host Based Relay’ section. By default, the XG Firewall will block relaying 
from all hosts. In most scenarios the ‘Any’ option can be left in the block relay section 
and specific allowed hosts can be added to the allow relay section.
In the ‘Upstream Host’ section you can control which networks or hosts the XG 
Firewall will accept inbound email from. This may be your ISP or an external mail 
exchange.
Finally, users can be allowed to relay email if they authenticate with the XG Firewall.
SYSTEM > Administration > Device access
For the MTA to be able to accept incoming email connections, the ‘SMTP Relay’ 
service has to be enabled for each zone that the connection will originate from.
PROTECT > Email > General settings
Advanced SMTP Settings
Reject invalid HELO or missing RDNS: Select this option if you want to reject hosts 
that send invalid HELO/EHLO arguments or lack RDNS entries. 
Do strict RDNS checks: Select this option if you want to additionally reject email from 
hosts with invalid RDNS records. An RDNS record is invalid if the found hostname 
does not resolve back to the original IP address.
Scan Outgoing Mails: Enable this to scan all outgoing email traffic. Email is 
quarantined if found to be malware infected, or marked as Spam.
Out of these options only ‘Scan Outgoing Mails’ is enabled by default.
Smarthosts
Smarthosts can be used to improve the reliability of your email delivery with outbound relays, 
allowing you to route email via an alternate set of servers (a smart host), rather than directly to the 
recipient's server. This is well suited to more complex environments where email is not routed 
directly via the Sophos gateway.
Smarthosts can be enabled in PROTECT > Email > General settings. One or more smarthosts must 
be selected, and if required, the port can be modified and credentials for authenticating provided.
Module 8: Email Protection - 402
Email Policies
Module 8: Email Protection - 403
Email Policies
SMTP route & scan: server-to-server
POP and IMAP: client-to-server
There are two types of Email Protection policy on the XG Firewall:
• SMTP policies for server-to-server communication, in MTA mode this is SMTP route & scan
• IMAP and POP policies for clients downloading emails from mail servers
Module 8: Email Protection - 404
SMTP Route & Scan Policy
Let’s start with SMTP route & scan.
In MTA mode the policies are applied to domains, either the recipient or the sender. If the recipient 
is matched then it is considered inbound mail, if the sender is matched it is considered outbound 
mail, and if both sender and recipient match, the recipient takes precedence. You need to add one 
or more domains to the policy.
You can choose to route the email using either:
• A static host, where you select one or more mail servers
• DNS host, where you enter a DNS name to be resolved
• Or MX record, where the XG will perform an MX lookup on the recipient domain
You set the global action for the rule, in most cases this will be ‘Accept’, optionally with SPX 
encryption, but the policy can be defined to reject email.
Module 8: Email Protection - 405
SMTP Route & Scan Policy
Additional information 
in the notes
In the next section you configure the spam protection. 
Note that you need to enable each section of the policy that you want to configure.
In this section you can control which spam checks are used and define what action to take if the 
email is classified as spam or probable spam.
Recipient verification can be used to confirm whether the recipient email address is valid, and 
reject invalid email addresses to reduce processing.
[Additional Notes]
SPF is the Sender Policy Framework, which allows receiving mail servers to validate that the email 
has been sent from an authorized IP address using records published in the DNS for that sender's 
domain.
Enabling greylisting can help block more spam at the gateway, as most spam and viruses only 
attempt to deliver the message once. With greylisting enabled, the XG Firewall temporarily denies 
the first attempt to deliver an email, telling the sending mail server to try again. On the next 
attempt, the message is accepted and scanned as usual. If a mail server passes this test enough 
times it is added to the whitelist automatically, alternatively the admin can update whitelist 
records manually or use inbuilt presets for common senders.
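The greylisting behaviour described above, as an added example in Python (not XG Firewall code): a first delivery attempt for a new client/sender/recipient triplet is temporarily denied, the retry is accepted, and a server that retries correctly enough times is whitelisted automatically. The SMTP response strings, the pass threshold and the triplet TTL are assumptions, not XG Firewall defaults.

```python
from collections import defaultdict


class Greylist:
    """Greylisting decision for an inbound SMTP delivery attempt.

    A (client IP, envelope sender, envelope recipient) triplet is temporarily
    rejected the first time it is seen; a retry of the same triplet is accepted
    and handed on to spam and malware scanning. A sending server that retries
    correctly enough times is whitelisted automatically, and the admin can add
    whitelist entries by hand. Thresholds and TTL are assumptions.
    """

    TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
    ACCEPT = "250 OK"

    def __init__(self, passes_to_whitelist=3, triplet_ttl=36 * 3600):
        self.passes_to_whitelist = passes_to_whitelist
        self.triplet_ttl = triplet_ttl          # seconds a triplet is remembered
        self.triplets = {}                      # triplet -> (first_seen, passed)
        self.passes = defaultdict(int)          # client IP -> successful retries
        self.whitelist = set()                  # client IPs that skip greylisting

    def add_whitelist(self, client_ip):
        """Manual whitelist entry (the admin-maintained records mentioned above)."""
        self.whitelist.add(client_ip)

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP response to give at RCPT TO time; `now` is epoch seconds."""
        if client_ip in self.whitelist:
            return self.ACCEPT

        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.triplets.get(key)

        if entry is None or now - entry[0] > self.triplet_ttl:
            # First attempt (or a stale record): deny temporarily so that a
            # real MTA retries. Most spam tools never come back.
            self.triplets[key] = (now, False)
            return self.TEMP_FAIL

        first_seen, passed = entry
        if not passed:
            # The retry arrived: the triplet has passed; count it towards
            # automatic whitelisting of this sending server.
            self.triplets[key] = (first_seen, True)
            self.passes[client_ip] += 1
            if self.passes[client_ip] >= self.passes_to_whitelist:
                self.whitelist.add(client_ip)
        return self.ACCEPT


if __name__ == "__main__":
    # Constructed sample traffic using documentation IP ranges.
    g = Greylist(passes_to_whitelist=2)
    print(g.check("203.0.113.5", "a@example.org", "jsmith@sophostraining.xyz", 1000))
    print(g.check("203.0.113.5", "a@example.org", "jsmith@sophostraining.xyz", 1300))
```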
BATV, or Bounce Tag Validation, determines whether the bounce address specified in the received 
email is valid and can reject backscatter spam.
BATV cryptographically signs the envelope for an email, which serves as proof that the email really 
came from the original sender; it can reliably stop the receipt of virus warning messages and reject 
any spam with a blank sender address.
BATV also eliminates fake bounce and non-delivery report (NDR) messages sent by 
external (third-party) servers.
To configure BATV, first configure the secret in Email > General Settings > Advanced 
SMTP Settings. BATV can then be enabled in the Spam Protection section of the 
SMTP policy.
BATV replaces the envelope sender address. For example:
jsmith@sophostraining.xyz
Becomes:
prvs=<tag-value>=jsmith@sophostraining.xyz
PRVS stands for Simple Private Signature.
Email that is returned without this valid signature can be rejected.
Note that to work, bounced email must also have a null return address.
Please see the article below for more information about BATV:
https://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation
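The envelope rewriting described above, as an added example in Python (not XG Firewall code): the sender address is rewritten to the prvs= form, and a bounce (null return address) is only accepted if its recipient carries a valid, unexpired tag. The tag layout prvs=KDDDSSSSSS follows the BATV draft; the exact HMAC input, key number, validity window and the shared secret are assumptions for this example.

```python
import hashlib
import hmac
import time

# Constructed secret; on the firewall this is the BATV secret from Advanced SMTP Settings.
BATV_SECRET = b"constructed-example-secret"
KEY_NUMBER = 0          # K: which secret is in use, allows rotation (assumption)
VALIDITY_DAYS = 7       # how long a tag stays valid (assumption)


def _days(now=None):
    """Whole days since the Unix epoch (the tag stores this mod 1000)."""
    t = time.time() if now is None else now
    return int(t // 86400)


def _tag_hash(key_num, ddd, address, secret):
    """SSSSSS: first 6 hex digits of HMAC-SHA1 over key number, expiry day and address."""
    msg = f"{key_num}{ddd:03d}{address}".encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()[:6].upper()


def batv_sign(address, secret=BATV_SECRET, key_num=KEY_NUMBER, now=None):
    """jsmith@sophostraining.xyz -> prvs=KDDDSSSSSS=jsmith@sophostraining.xyz"""
    local, domain = address.rsplit("@", 1)
    ddd = (_days(now) + VALIDITY_DAYS) % 1000          # expiry day mod 1000
    tag = f"{key_num}{ddd:03d}{_tag_hash(key_num, ddd, address, secret)}"
    return f"prvs={tag}={local}@{domain}"


def batv_verify(signed, secret=BATV_SECRET, now=None):
    """Return (ok, original_address). ok is False when the address is unsigned,
    malformed, carries a wrong signature, or the tag has expired."""
    if not signed.startswith("prvs="):
        return False, signed
    parts = signed.split("=", 2)
    if len(parts) != 3:
        return False, signed
    tag, original = parts[1], parts[2]
    if len(tag) != 10 or not tag[:4].isdigit():
        return False, original
    key_num, ddd, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    expected = _tag_hash(key_num, ddd, original, secret)
    if not hmac.compare_digest(sig, expected):
        return False, original
    # DDD is a day counter mod 1000: the tag is live only if its expiry day
    # lies within the validity window ahead of today.
    remaining = (ddd - _days(now) % 1000) % 1000
    if remaining > VALIDITY_DAYS:
        return False, original
    return True, original


def should_accept_bounce(mail_from, rcpt_to, secret=BATV_SECRET, now=None):
    """Gateway policy for an incoming bounce: a message with a null MAIL FROM
    is accepted only when RCPT TO carries a tag we issued; anything else is
    backscatter. Non-bounce mail is not subject to BATV."""
    if mail_from != "<>":
        return True
    ok, _ = batv_verify(rcpt_to, secret, now)
    return ok


if __name__ == "__main__":
    signed = batv_sign("jsmith@sophostraining.xyz")
    print(signed)
    print(batv_verify(signed))
```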
The difference between the premium and standard RBL services is that with 
premium no false positives are expected, and with standard some false positives may 
be possible.
Then you can define the actions to take for spam and probable spam. The available 
actions are None, Warn, Quarantine and Drop.
The XG Firewall can verify if the recipient email address is valid by using an SMTP 
query to the recipient's mail server. If the email address is incorrect, the email will be 
rejected causing a bounce message to the sender. This reduces the load on XG 
Firewall as it does not have to process the email, and it provides senders, including 
customers and valued partners, with an instant response if they mistype your email 
address. 
If the email address is valid, the message is processed for spam and viruses as 
normal.
SMTP Route & Scan Policy
In the Malware Protection section you can choose between using a single antivirus engine or 
dual-engine scanning with both Sophos and Avira. Unlike with a real-time activity like web browsing, 
the small additional latency caused by dual anti-virus scanning is invisible to the end users; it 
does, however, increase the workload on the device.
When a virus is detected, you can choose to take no action, drop the message (default) or 
quarantine. You can also optionally enable a notification to the sender, and choose whether to 
quarantine unscannable content, such as encrypted attachments.
Sandstorm can only be used with Email Protection in MTA mode, and is enabled in the SMTP 
policy.
You can limit the size of files that are sent to Sandstorm for analysis. The default is 10MB, and this 
is the maximum value.
Module 8: Email Protection - 407
SMTP Route & Scan Policy
The File Protection section allows you to select the types of files you want to block from a pick list; 
this will automatically populate the MIME White List with file types. You can select file types from 
the MIME White List, and those file types will be allowed, all other file types in the list will be 
blocked.
You can also configure the policy to drop messages that exceed a specific size, measured in kilobytes.
Module 8: Email Protection - 408
SMTP Route & Scan Policy
The Data Protection section allows you to select a Data Control List and apply an action to 
matching emails. The available actions are Accept, Accept with SPX, which also allows you to select 
a template to use, and Drop. You can additionally choose to notify the sender.
We will look at this in more detail in the Data Protection and Encryption section of this module.
Module 8: Email Protection - 409
POP and IMAP Policies
Now that we have looked at an SMTP policy let’s take a look at how to configure policies for POP 
and IMAP.
POP and IMAP scanning has a single malware scanning policy that can be edited but cannot be 
deleted. This policy allows you to select single or dual anti-virus engines, or to disable malware 
scanning.
Module 8: Email Protection - 410
POP and IMAP Policies
Configure policies on sender and recipient
Properties of the message to match on for 
this policy
The action to take
The POP and IMAP content filtering policies are matched on the sender and recipient.
Messages can then be filtered based on:
• Whether the email is detected as spam/probable spam or part of a virus outbreak
• The source network or host of the email
• The message size
• Message headers
• Or no filtering can be applied, if you want to apply the action to all messages
The actions available for POP and IMAP are to either accept the message or add a prefix to the 
subject line.
Module 8: Email Protection - 411
Legacy SMTP Policies
Separate malware and spam policies
Configure on sender and recipient
We will now take a look at the differences when configuring email policies in legacy mode.
There are two main differences:
• The first is that the SMTP policies are split into separate malware and content scanning policies
• The second is that policies are configured based on the sender and recipient
The configuration of POP and IMAP rules is the same for both MTA and legacy mode.
Module 8: Email Protection - 412
Data Protection and Encryption
Module 8: Email Protection - 413
Data Control
Data control lists are configured in:
Protect > Email > Data Control List
The XG Firewall can help prevent confidential data being sent out by mistake by scanning the 
content for confidential and sensitive data. There are predefined content control lists (CCLs) 
created and maintained by SophosLabs that can be used to detect common types of data that need 
to be controlled. The CCLs can be filtered by type and by region making it easy to select the rules 
that are most relevant to you when creating your own policies.
Module 8: Email Protection - 414
Secure PDF Exchange (SPX)
What is Secure PDF Exchange (SPX)?
• Simple email encryption without the need to exchange keys or certificates
• The email is converted to PDF (with attachments) and encrypted
• Supports AES-128 and AES-256
• Content can be scanned before encryption
How are emails selected for encryption?
• Email matches a scanning rule with an action to use SPX
• Email has the X-Sophos-SPX-Encrypt x-header
• Added by the Sophos Outlook plugin when the user chooses to encrypt
CONFIGURE > Authentication > Client downloads
XG Firewall includes Sophos’ Secure PDF Exchange (SPX), which provides an easy way to send 
encrypted emails without the need to exchange keys or certificates with the recipient. The original 
email is converted to a PDF, along with any attachments, and is then encrypted with AES-128 or 
AES-256.
The XG Firewall will encrypt emails when either:
• The email matches a scanning rule with an action to use SPX
• Or it detects the x-header to encrypt. The x-header is added by the Sophos Outlook plugin when 
the user clicks the button to encrypt the email
Module 8: Email Protection - 415
SPX Templates
1. Encryption algorithm
2. How password is generated
3. Email templates
4. Reply portal
SPX templates are configured in:
Protect > Email > Encryption
The behaviour of SPX is defined in the SPX template. Here you:
• Set the encryption algorithm to use
• Choose how the password will be generated and any settings related to that method
• Customize email templates that the recipient will see
• Optionally enable the reply portal, which allows recipients to reply securely using a button in 
the PDF
Module 8: Email Protection - 416
SPX Passwords
Password specified by sender
• XG Firewall encrypts email with password provided
• Sender must provide password via another secure mode
Password generated by XG Firewall
• XG Firewall generates a password and encrypts the email
• XG Firewall sends the password to the sender
• Sender must provide password via another secure mode
Password specified by recipient
• XG Firewall sends an email to the recipient with a link to the registration portal
• Recipient creates a password in the registration portal
• XG Firewall encrypts the email with the password provided
There are three methods that can be used for generating the password.
1. Password specified by sender. The password must be provided in the subject line or the email 
will fail to send as it cannot be encrypted
2. System generated passwords. The XG Firewall will generate the password and send it to the 
sender to share with the recipient. System generated passwords can either be one-time for 
each email or stored and reused for every email that needs to be encrypted for that recipient
3. Password specified by recipient. The recipient receives a request to create a password in the 
registration portal that will be stored and used for that recipient
For the sender specified and system generated passwords, the sender is responsible for 
communicating the password to the recipient. This would usually be done via a separate channel 
of communication, for example by SMS or phone.
Module 8: Email Protection - 417
SPX Configuration
Used when x-header detected 
from Outlook plugin
Hostname to use for reply portal
How long the reply button in the 
PDF will work
With the SPX template created you can now configure SPX and start using it.
In the SPX configuration settings you can select the default template. This is the template that will 
be used when an email is encrypted because the user has requested it with the Outlook plugin, or 
when the x-header has been added in another way.
You can also configure the reply portal settings. These are:
• How long the reply URL will be active. Once the URL has expired the Reply button in the 
encrypted PDF will no longer work
• The hostname to use for the reply portal URL. If no hostname is selected here then the XG 
Firewall will default to using the LAN IP address
You can also restrict access to the reply portal to only a list of specific IP addresses and change the 
port.
Module 8: Email Protection - 418
Quarantine Management
Module 8: Email Protection - 419
Quarantine Management
WebAdmin
Quarantine digest email
User portal
There are three ways to manage quarantined emails on the XG Firewall:
1. By an administrator in the WebAdmin
2. By users using quarantine digest emails
3. And by users in the user portal
Module 8: Email Protection - 420
WebAdmin
Release emails that are 
not detected as viruses
Filter and search the 
quarantine
Download the email
In the WebAdmin you can filter and search the quarantine, and then either download the email to 
view it or choose to release it. Note that you cannot release emails that have been detected as 
containing a virus.
Module 8: Email Protection - 421
Digest Emails
In addition to administrators being able to manage the quarantine through the WebAdmin, there 
are two other methods which allow users to manage their own quarantined items: quarantine 
digest emails and the User Portal.
Let’s look at the quarantine digest emails first.
The quarantine digest email contains a list of newly quarantined emails that have been 
quarantined since the last digest. When enabled, the firewall can send the quarantine digest on the 
selected frequency, either every set number of hours, daily at a set time, or only on specific days at 
a set time.
For each email in the quarantine digest there is a link that can be used to release the email.
Note that the quarantine digest will be created in the language which is used within the 
WebAdmin.
Module 8: Email Protection - 422
User Portal
In the User Portal all emails quarantined for that user can be viewed. Users cannot release emails 
that are infected, as this would put the internal network at risk.
Quarantined emails can be filtered based on the reason they were sent to quarantine, and there 
are text filters for searching by sender and subject.
Module 8: Email Protection - 423
User Portal
Users can also manage a personal allow and block list of email addresses and domains. Allowed 
email will still be checked for malware, but will not be subject to spam checks.
Module 8: Email Protection - 424
DomainKeys Identified Mail (DKIM)
Module 8: Email Protection - 425
DomainKeys Identified Mail
• Authenticates email servers for a domain
• Outbound emails are signed with a cryptographic signature based on the email header using a private key
• The recipient can query DNS to retrieve the public key and verify the hashing and signature of the email to confirm it has not been tampered with in transit
DKIM, or DomainKeys Identified Mail, is used to authenticate email servers for a domain and 
detect forged sender addresses. Outbound emails are signed with a cryptographic signature based 
on the email header using an asymmetric key pair: the signature is created with the domain's private key.
The recipient can query DNS to get the public key for the domain and use it to verify the hash 
and signature of the email; this confirms that it was signed by the indicated domain and that the 
header has not been tampered with in transit.
Module 8: Email Protection - 426
DKIM Verification
DKIM verification for emails that are received can be enabled in Email > General Settings.
Module 8: Email Protection - 427
Keys
Generate a new key and export the public key stripping unwanted characters
This is the public key after stripping unwanted characters
To configure DKIM signing you first need to generate a private and public key pair.
Here you can see a private key being generated and the public key being exported.
The unwanted characters are then stripped from the public key. The private key will be used in the 
default format.
To create a 2048 bit private key: openssl genrsa -out dkim.key 2048
To extract the public key: openssl rsa -in dkim.key -out dkim.pub -pubout -outform PEM
To strip unwanted characters from the public key: grep -v -e "^-" dkim.pub | tr -d "\n" > dkim.pubkey
Module 8: Email Protection - 428
DKIM Signing
In the WebAdmin you need to upload the private key with a key selector that can be used to 
retrieve the associated public key from DNS. This is done in Email > General Settings.
Module 8: Email Protection - 429
DKIM Signing
Tip: You can include "t=y;" in the DNS record to indicate it is for testing and that recipients should ignore your DKIM signature.
Record type: TXT DNS record
Host: the selector (selector._domainkey)
Data: DKIM version, key algorithm, public key
Additional information 
in the notes
The last step is to create a DNS record containing the public key that receiving servers can use to 
verify the signature.
The DNS record is a text record.
The host is the selector followed by "._domainkey".
The data for the record contains the DKIM version, key algorithm and public key.
You can optionally set a flag to indicate that it is for testing and should be ignored.
For more information please refer to the following resources:
• RFC 4871 DomainKeys Identified Mail (DKIM)
• http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
• http://www.dkim.org
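The key preparation on the Keys slide and the DNS record described above, as an added example in Python (not XG Firewall code): the PEM public key is stripped the same way as the grep/tr pipeline, the TXT record is assembled with the v=, k=, optional t=y and p= tags, split into 255-byte strings as DNS requires, and parsed back the way a verifier would. The PEM input is a constructed stand-in for dkim.pub, not a real key, and the selector name is an assumption.

```python
import base64


def constructed_public_pem():
    """A constructed stand-in for dkim.pub as written by `openssl rsa -pubout`.
    The body is base64 of filler bytes, not real key material."""
    body = base64.b64encode(b"constructed DKIM sample key material " * 8).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def strip_pem(pem):
    """Same result as `grep -v -e "^-" dkim.pub | tr -d "\\n"`: drop the
    BEGIN/END lines and join the base64 body into one string."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-"))


def dkim_txt_record(selector, pubkey_b64, testing=False):
    """Build the host name and the TXT strings for the DKIM record.

    Tags: v= (DKIM version, must come first), k= (key algorithm), optional
    t=y (the testing flag from the slide) and p= (public key). One TXT
    character-string is limited to 255 bytes, so a 2048-bit key has to be
    split into several quoted strings that the resolver concatenates."""
    tags = ["v=DKIM1", "k=rsa"]
    if testing:
        tags.append("t=y")
    tags.append("p=" + pubkey_b64)
    value = "; ".join(tags)
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey", chunks


def zone_line(host, chunks):
    """Render the record as a BIND-style zone file line."""
    return f"{host} IN TXT " + " ".join(f'"{c}"' for c in chunks)


def parse_dkim_record(chunks):
    """What a verifier does after the DNS lookup: rejoin the strings, split the
    tag list and check that the key decodes as base64 before trying to use it."""
    tags = {}
    for part in "".join(chunks).split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            tags[name.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM version")
    if "p" not in tags:
        raise ValueError("record has no p= public key tag")
    base64.b64decode(tags["p"], validate=True)  # raises on a garbled key
    return tags


if __name__ == "__main__":
    key = strip_pem(constructed_public_pem())
    host, chunks = dkim_txt_record("sophos", key, testing=True)   # selector is an assumption
    print(zone_line(host, chunks))
    print(parse_dkim_record(chunks)["t"])
```

A leftover header line or newline in the pasted key is the usual cause of a record that looks right but fails verification; the parse step catches that before the record goes live.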
Module 8: Email Protection - 430
Module Review
Now that you have completed this module, you should be able to:
• Create email policies for SMTP, IMAP and POP
• Configure the global settings for email protection
• Manage the quarantine using the WebAdmin, email digests and the user portal
• Configure encryption using SPX and data control
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Module 8: Email Protection - 431
Module 8 Simulations
• Complete the following simulation tasks for Module 8
▪ Task 8.1: Enable and Configure Quarantine Digests
▪ Task 8.2: Configure an Email Protection policy
▪ Task 8.3: Configure Data Control and SPX Encryption
▪ Task 8.4: User Quarantine Management
Use the Simulation Workbook to view details of each 
task and access the simulations
Module 8: Email Protection - 439
Hi there, this is the Remote Access module for Sophos XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET809 – Remote Access
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 9: Remote Access
Version: 18.0v2
Module 9: Remote Access - 442
Remote Access
Sophos Connect
• Overview
• Configuration
• Deployment
Clientless Access Portal
• Clientless access portal
• Bookmarks
• Clientless access
SSL VPN
• Overview
• Configuration
• VPN client
Mobile Access
• Overview
• SSL VPN demo
In this module we will cover how to get started with both SSL VPNs and IPsec, using the Sophos 
Connect client. We will also take a look at how you can provide access to internal resources 
through the User Portal, and support for mobile devices.
Module 9: Remote Access - 443
SSL VPN
Module 9: Remote Access - 445
SSL VPN
SSL VPN client for Windows
Compatible with OpenVPN-based clients on Mac, Linux and mobile devices
One-time password support
Split tunneling and tunnel all
XG Firewall supports SSL remote access VPNs based on OpenVPN, a full-featured VPN solution. The 
encrypted tunnels between remote devices and the XG Firewall use both SSL certificates and 
username and password to authenticate the connection, and you can also enable one-time 
passwords for additional security.
We provide an SSL VPN client for Windows devices, and configuration files that can be used with 
compatible OpenVPN-based clients on Mac, Linux and mobile devices.
Module 9: Remote Access - 446
Configuration
You can create multiple remote access profiles for SSL VPN, which allows you to manage which 
network resources users are able to access.
Within each profile, you select which users and groups you want it to apply to.
Module 9: Remote Access - 447
Configuration
Split tunnel or tunnel all option
Allowed networks, IP ranges, or hosts
Automatically disconnect idle sessions
Don’t forget to create firewall rules to allow the traffic
You can choose whether you want to make the VPN the default gateway or not. If it is the default 
gateway, the connected device will send all traffic through the VPN to the XG Firewall, otherwise it 
will only send traffic for network resources it is permitted access to.
Define the network resources that the policy members will be able to access. This is done by 
adding networks, IP ranges, or hosts to the appropriate IPv4 or IPv6 list.
And finally, you can set the idle timeout setting so that users will be automatically disconnected if 
they are not actively using the VPN.
Note: you will need to create firewall rules to allow traffic between the clients in the VPN zone and 
the permitted resources.
Module 9: Remote Access - 448
SSL VPN Settings
By default XG Firewall uses port 8443
There are a number of important SSL VPN settings that can be configured. Note that these are 
global settings for both site-to-site and remote access SSL VPNs.
By default XG Firewall hosts the SSL VPN on port 8443, however this can be changed to a different 
available port here.
You can modify the SSL certificate for the connection and override the hostname used in the 
configuration files.
You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that 
connect.
In addition to this, there are a number of advanced connection settings such as the algorithms, key 
size, key lifetime and compression options.
Module 9: Remote Access - 449
SSL VPN Client
Download the SSL VPN client from the User Portal
• Client and configuration for Windows
• Configuration for other platforms
Once a profile has been created for a user there will be an SSL VPN section in their User Portal. 
Here they can download the SSL VPN client for Windows and configurations for all platforms.
Module 9: Remote Access - 450
Sophos Connect
Module 9: Remote Access - 451
Sophos Connect
IPsec VPN client for Windows and Mac
One-time password support
Split tunneling and tunnel all (default)
Synchronized Security
View online documentation
The Sophos Connect IPsec VPN client is freely available to XG Firewall customers for both Windows 
and Mac, and supports functionality including one-time passwords and split tunneling, as well as 
the Sophos Security Heartbeat™.
https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SCONVPNClientConfiguration.html
Module 9: Remote Access - 452
Configuration
Configure the users that can connect to the VPN
You can enable Sophos Connect on the dedicated tab in the VPN section, where you can configure 
a single connection profile and grant access to selected users. The VPN can be authenticated using 
a preshared key or digital certificates.
Module 9: Remote Access - 453
Configuration
IP range to use for the VPN
DNS servers
Installers for Windows and Mac
You need to configure the IP range that will be used for clients that connect, and optionally you can 
also assign DNS servers.
The Sophos Connect client and admin installers are also downloaded from this page, and the 
connection configuration can be exported using the button at the bottom.
The admin installer is required to edit advanced settings in the connection configuration, such as 
split tunneling.
Module 9: Remote Access - 454
Deploying Sophos Connect
1. Deploy the Sophos Connect MSI as a software installation package in GPO
2. Push the configuration as a file in the Windows Settings GPO
Knowledgebase Article 133555: How to Deploy Sophos Connect via Group Policy Object (GPO)
The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires 
two elements to be configured.
First, you need to add the Sophos Connect MSI as a software installation package in a Group Policy 
Object.
Secondly, you need to configure a Windows Settings file to push the configuration to the 
endpoints.
Details on how to do this are covered in knowledgebase article 133555. 
https://sophos.com/kb/133555
Module 9: Remote Access - 455
Clientless Access Portal
Module 9: Remote Access - 456
Clientless Access Portal
Clientless access bookmarks
The Clientless Access Portal is a part of the User Portal and can be used to provide access to 
internal resources without the need for a VPN client to be installed.
At the bottom of the page bookmarks will be displayed in the ‘Clientless access connections’ 
section as buttons that will launch the associated connection using a secure SSL tunnel.
Module 9: Remote Access - 457
Bookmarks
Clientless access is granted by creating a bookmark for each internal resource. It is important to 
note that each bookmark represents a session to a resource, so if you wanted to give five people 
access to a resource, you would create a bookmark for each. You can enable session sharing, which 
means that two users can use the bookmark at the same time, but there will still only be a single 
session.
Bookmarks can be created to internal resources using a range of protocols, which can be seen 
here.
You can also create bookmark groups, which can then be used to assign multiple bookmarks in 
Clientless Access policy.
Clientless Access
Once the bookmarks have been created, and optionally added to bookmark groups, they need to 
be assigned to a specific user or group using a Clientless Access policy. This simple policy just has 
the users and groups, the bookmarks, and an option to restrict web applications.
Enabling the option to Restrict Web Applications will suppress the secure web browsing that is 
enabled as part of the Clientless Access policy, so that users can only access URLs that bookmarks 
have been created for.
Mobile Access
Remote Access Mobile VPN
iOS Devices: IPsec; L2TP over IPsec; other protocols with 3rd party apps
Android Devices: IPsec; L2TP over IPsec; PPTP (not recommended); other protocols with 3rd party apps
Users can connect to the XG Firewall using any current smartphone or tablet. We’ll look at Apple 
iOS devices and Android devices as these are the most commonly used.
Apple iOS devices can connect to IPsec and L2TP over IPsec VPNs, and Android devices can 
connect to IPsec, L2TP over IPsec and PPTP VPNs. These are only the natively supported VPNs, 
however other protocols are supported through third party applications.
For example, OpenVPN compatible apps are available for both iOS and Android, and these can be 
used to create an SSL VPN with XG Firewall by installing the configuration package from the User 
Portal. Let’s take a look at how that works now.
Module Review
Now that you have completed this module, you should be able to:
• Configure an IPsec remote access VPN with Sophos Connect
• Configure remote access with an SSL VPN
• Provide remote access to mobile devices
• Configure clientless access via the User Portal
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Lab 9: Remote Access
Complete the following simulation tasks for Module 9:
• Task 9.1: Configure an SSL remote access VPN
• Task 9.2: Configure an IPsec remote access VPN with Sophos Connect
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the wireless protection module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET810 – Wireless Protection
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 10: Wireless Protection
Version: 18.0v2
Module 10: Wireless Protection - 474
Wireless Protection
Wireless Networks
Deployment
Wireless Overview
Hotspots
Wireless network solutions for use in businesses need to be able to provide a fast, reliable and 
uninterrupted signal for the entire office. In an office environment it is important that wireless 
networks provide strong security options and are able to be easily deployed and centrally 
managed.
In this module you will learn how to deploy and centrally manage Sophos access points on XG 
Firewall, and configure wireless networks and hotspots.
Wireless Overview
[Diagram: company laptops connected to the company wireless network and a guest laptop connected to the guest network through access points; internal computers and servers connected to the network; a remote access point connected through a RED; XG Firewall; Internet]
With XG Firewall you can deploy and manage wireless access points giving you the same control 
and security features that you have for wireless devices as those that are physically connected to 
the network.
Sophos access points can be used to broadcast multiple wireless networks to keep traffic 
separated, for example for corporate and guest networks.
You are not limited to managing wireless networks in the local office; you can also deploy access points in remote offices that are connected to the XG Firewall with a RED.
Access Point Models
APX series access points: APX 120, APX 320, APX 530, APX 740
Legacy AP series access points: AP 15, AP 55, AP 100, AP 100X
XG Firewall supports Sophos’ APX series access points, which include support for 802.11ac Wave 2, as well as the legacy AP series access points.
Note that the AP series access points are now end of sale.
To help you understand the range of APX access points let’s take a look at their naming scheme.
The APX part of the model name is made up of AP for access point followed by the X. This denotes that this model is next-gen. Any legacy models are referred to as the AP series.
The first number in the naming sequence refers to the range or model series; in this example we use 3.
The second number denotes the MIMO capabilities of the model; in this example this is 2 for 2x2.
The last number is the product generation number; in this example this is 0.
This gives you the full name of the model, in this example: APX 320.
Access Point Model Naming
Example: APX 3 2 0
• APX = next-gen access point
• 3 = range or model series
• 2 = MIMO capabilities (2 = 2x2, 3 = 3x3, 4 = 4x4)
• 0 = product generation
Access Point Models – APX Series
• APX 120: indoor, desktop, wall or ceiling mount; maximum throughput 867 Mbps + 300 Mbps; 8 SSIDs per radio (16 in total); LAN interfaces 1x 12V DC-in, 1x RJ45 10/100/1000 Ethernet w/PoE; Power over Ethernet 802.3af; radios 1x 2.4 GHz single band, 1x 5 GHz single band; MIMO 2x2
• APX 320: indoor; desktop, wall or ceiling mount; maximum throughput 300 Mbps + 867 Gbps; 8 SSIDs per radio (16 in total); LAN interfaces 1 x RJ45 connector console serial port, 1 x RJ45 10/100/1000 Ethernet w/PoE; Power over Ethernet 802.3af; radios 1 x 2.4 GHz/5 GHz dual-band, 1 x 5 GHz single band, 1 x Bluetooth low energy (BLE); MIMO 2x2
• APX 530: indoor; desktop, wall or ceiling mount; maximum throughput 450 Mbps + 1.3 Gbps; 8 SSIDs per radio (16 in total); LAN interfaces 1 x RJ45 connector console serial port, 1 x RJ45 10/100/1000 Ethernet port, 1 x RJ45 10/100/1000 Ethernet w/PoE; Power over Ethernet 802.3at; radios 1 x 2.4 GHz single band, 1 x 5 GHz single band, 1 x Bluetooth low energy (BLE); MIMO 3x3
• APX 740: indoor; desktop, wall or ceiling mount; maximum throughput 450 Mbps + 1.7 Gbps; 8 SSIDs per radio (16 in total); LAN interfaces 1 x RJ45 connector console serial port, 1 x RJ45 10/100/1000 Ethernet port, 1 x RJ45 10/100/1000 Ethernet w/PoE; Power over Ethernet 802.3at; radios 1 x 2.4 GHz single band, 1 x 5 GHz single band, 1 x Bluetooth low energy (BLE); MIMO 4x4
All four models support WLAN standards 802.11 a/b/g/n/ac Wave 2.
The APX series of Access Point models support WLAN Standard 802.11ac Wave 2.0, and all four 
models are optimized for both wall and ceiling mount and are for indoor use. 
This table provides a more technical comparison of these models. Click Continue when you are 
ready to proceed.
Now that you know the available access point models, you need to determine which model is best 
to use based on your environment. We will focus on the APX range for access points.
Firstly, let’s split the types of activities wireless is used for into the following categories:
• Basic connectivity
• Mixed browsing
• High speed connectivity
• Video conferencing 
Now, we can assign an approximate number of clients to those categories. 
• For basic connectivity between 1 – 15 clients per access point is the recommended use
• For mixed browsing between 7-25 clients per access point and up to 30 clients in dual 5 GHz
• For high speed connectivity between 7-25 clients per access point
• For video conferencing between 7-35+ clients per access point
So let’s apply this to example deployments. 
• For small companies that require basic coverage using a mixture of mobile devices – basic 
connectivity will be recommended
• For environments such as schools and small offices using entry level endpoints and unmanaged 
mobile devices – mixed browsing will be recommended
• For medium size offices using a mixture of BYOD and corporate owned mobile devices such as 
iPads – High speed connectivity will be recommended
• For large offices and medium enterprise companies using managed endpoints made up of laptops and mobile devices – video conferencing/high speed will be recommended
Deployment Guide
• Basic Connectivity: approximate number of clients 1-15; small companies; mix of mobile devices
• Mixed Browsing: approximate number of clients 7-25 (2.4 GHz), up to 30 (5 GHz); schools & small offices; unmanaged endpoints & mobile devices
• High Speed Connectivity: approximate number of clients 7-25; medium size offices; BYOD & COD mobile devices
• High Speed Connectivity / Video Conferencing: approximate number of clients 7-35+; large offices & medium enterprise; managed endpoints
The slide maps these categories onto the APX range, from the APX 120 up to the APX 740.
Built-In Wireless
• XG 86w: Retail/SOHO, desktop; wireless throughput up to 300 Mbps; 8 SSIDs; 4 GE copper ports; MIMO 2x2:2
• XG 106w: Small office, desktop; wireless throughput up to 450 Mbps; 8 SSIDs; 4 GE copper ports; MIMO 2x2:2
• XG 115w: Small office, desktop; wireless throughput up to 450 Mbps; 8 SSIDs; 4 GE copper ports; MIMO 2x2:2
• XG 125w: Small branch office, desktop; wireless throughput up to 1.3 Gbps; 8 SSIDs; 8 GE copper ports; MIMO 3x3:3
• XG 135w: Growing branch office, desktop; wireless throughput up to 1.3 Gbps; 8 SSIDs; 8 GE copper ports; MIMO 3x3:3
All models: supported WLAN standards 802.11a/b/g/n/ac, 2.4 GHz/5 GHz; 1 radio (2nd Wi-Fi module available)
In addition to the APX and AP access points, the desktop models of XG Firewall are available with a built-in wireless access point that supports either 2.4 GHz or 5 GHz with a single radio.
The built-in wireless differs from the external access points by not connecting through a network 
interface and instead appearing as a local device.
The coverage of the built-in wireless can be extended by connecting external Sophos access points 
to the network.
Wireless Networks
Configuration deployed to access points to allow clients to connect
Define security and authentication requirements
Define network parameters
Wireless networks are the configuration that access points use to allow clients to connect. They 
define the security and authentication requirements for devices that want to access the network 
as well as network parameters such as IP range and gateway.
Creating Wireless Networks
Wireless networks are configured in PROTECT > Wireless > Wireless networks
• Visible network name (SSID)
• Security mode: No encryption; WEP Open; WPA Personal/Enterprise; WPA2 Personal/Enterprise (recommended)
• Client traffic: Separate Zone; Bridge to AP LAN; Bridge to VLAN
• Configuration for separate zone wireless interface
Here you can see the main configuration for a wireless network. The main elements are:
• The SSID, which is the visible network name that devices will connect to
• The security mode, we recommend using WPA2 either with a passphrase or using a RADIUS 
server to authenticate users by selecting Enterprise
• How to route client traffic, either to the same network as the access point, a specific VLAN or 
directly back to the XG Firewall using a separate zone
Separate zone configuration is used to create a wireless interface on the XG Firewall. The traffic for 
the wireless network is then routed back to that interface on the XG Firewall using a VXLAN.
Advanced Settings
Additional information in the notes
There are also a number of advanced settings that allow you to control options such as which 
bands the network is broadcast on, when the network is available and whether clients can see 
each other on the network.
[Additional Notes]
Fast BSS (Basic Service Set) Transition allows the key negotiation and the request for wireless resources to happen concurrently, enabling fast and secure handoffs between base stations and seamless connectivity for wireless devices as they move around. This is supported on WPA2 Personal and Enterprise networks only, and the clients must also support 802.11r.
To enable Fast Transition, use the option in the advanced settings of the wireless network 
configuration.
Access points will announce support for both WPA-PSK/Enterprise and FT-PSK/Enterprise, so they 
can perform normal roaming for clients which are not capable of Fast Transition.
Security Modes: Bridge to AP LAN
[Diagram: wireless clients connect to the access point, which bridges their traffic through a switch onto the local network; only management traffic flows between the access point and the XG Firewall, which sits between the local network and the Internet]
Let’s take a more detailed look at the different security modes that are available in the XG 
Firewall’s wireless network configuration, starting with Bridge to AP LAN.
The Bridge to AP LAN configuration is used when traffic needs to be routed to the network that the access point is directly connected to. With Bridge to AP LAN, the traffic is never sent to the XG Firewall by the access point; instead, it simply takes the traffic and drops it right onto the LAN that it is connected to. The XG Firewall is only used for management of the AP and to collect logging information from the access point.
Security Modes: Bridge to VLAN
[Diagram: wireless clients connect to the access point, which sends tagged traffic over a trunk port to a managed switch: VLAN X traffic to the local network, VLAN Y management traffic, and VLAN Z guest traffic; the XG Firewall sits between the switch and the Internet]
Next is Bridge to VLAN.
In a Bridge to VLAN configuration, wireless traffic is tagged by the access point allowing upstream 
switches, or the XG Firewall, to identify that the traffic is associated to a specific VLAN. This allows 
the wireless network to extend that VLAN wirelessly.
The access point must be connected to a trunk or hybrid port on the switch so that it is able to 
read the VLAN tags and route the traffic correctly.
Again, the XG Firewall still communicates with the access point for management and to collect 
logging, but it may not necessarily be involved in routing the traffic.
Note that, to broadcast a Bridge to VLAN wireless network, the access point must be configured to use a VLAN for management traffic. The Bridge to VLAN options only become available once you have set a VLAN for management.
Security Modes: Separate Zone
[Diagram: wireless clients connect to the access point; their traffic is carried over a VXLAN tunnel through the managed switch to a wireless interface on the XG Firewall, alongside the management traffic; traffic towards the local network (VLAN X) is shown as blocked by a firewall rule, and the XG Firewall routes allowed traffic to the Internet]
Lastly we have the Separate Zone configuration.
Separate zone allows an administrator to segment the wireless traffic without using a VLAN, which 
is often very useful in smaller environments that may not use managed switches or have a complex 
network environment but still want to secure wireless traffic, for example, for guest access. With a 
separate zone configuration, all traffic is fed into a VXLAN tunnel by a wireless interface on the XG 
Firewall. From there the XG Firewall will treat it like any other traffic coming in through an 
interface. By default the interface is called wlan<NUMBER>. This traffic must then be routed to any 
allowed networks, either internally or externally and rules need to be created to allow this traffic.
When configuring a separate zone you may also need to:
• Create a DHCP server for the wireless network on that interface
• Enable DNS for the zone
• Create firewall and NAT rules that include Web protection, IPS policies, and any other security 
modules to protect the users
Deployment
Access Point Discovery
1. DHCP IP address and gateway
2. Connect to ‘magic IP’
3. Intercept and respond
Discovery packet is sent to 1.2.3.4 so it is sent to the default gateway
DHCP can be used to override the magic IP if the XG Firewall is not the default gateway
Knowledgebase article: https://sophos.com/kb/119131
Additional information in the notes
Before we jump into deploying access points it is useful to understand how the discovery process 
works.
When an access point is connected to the network it will need a DHCP server to provide it with an 
IP address, DNS server and gateway.
The access point will send a discovery packet to 1.2.3.4, which we refer to as the magic IP. This is a 
valid Internet address and so will be routed to the default gateway.
If the XG Firewall is the default gateway, or on the route to the Internet, it can intercept and 
respond to the discovery packet beginning the registration process.
If the XG Firewall is not the default gateway or on the route to the Internet you need to configure a 
special DHCP option with the IP address of the XG Firewall so the access point can find it. There is 
additional information in the notes regarding this.
[Additional Notes]
If the XG Firewall is not in the path to the Internet, for example, it is not the default gateway for the 
network, then a special DHCP option to select the target Sophos XG Firewall is required:
{ OPTION_IP , 0xEA }, /* wireless-security-magic-ip */ 
By default the XG Firewall will configure and pass this option if it is configured as a DHCP server for 
the network.
When a Sophos AP is connected to the network, the AP uses DHCP request broadcasts. The AP acting as a DHCP client uses a Parameter Request List in its DHCP Discover message which requests certain parameters from the DHCP server. If the DHCP server provides the special parameter, code 234, wireless-security-magic-ip, it will be used as the IP address to connect to when starting the control connection.
For more information see KBA 119131:
https://sophos.com/kb/119131
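As an added illustration (written for this page, not Sophos code), the following Python builds the options field of a DHCPOFFER with and without option 234 and shows which address an access point would then use for its control connection; the 192.0.2.x addresses are constructed placeholders, and the option layout follows the OPTION_IP definition quoted above.

```python
"""Worked example (not Sophos code): how DHCP option 234 steers AP discovery.

The access point normally sends its discovery packet to the magic IP 1.2.3.4,
so it reaches the default gateway. When the XG Firewall is not that gateway,
DHCP option 234 (0xEA, wireless-security-magic-ip) tells the AP where to
connect instead. All addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

MAGIC_IP = ipaddress.IPv4Address("1.2.3.4")   # discovery target from the page
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"        # RFC 2132 start-of-options marker
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE = 1, 3, 6, 53
OPT_MAGIC_IP = 0xEA                            # 234, wireless-security-magic-ip
DHCPOFFER = b"\x02"


def encode_option(code: int, payload: bytes) -> bytes:
    """Encode one type-length-value DHCP option."""
    if not 1 <= len(payload) <= 255:
        raise ValueError("DHCP option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def encode_ip_option(code: int, ip: str) -> bytes:
    """Encode an option whose value is a single IPv4 address (OPTION_IP)."""
    return encode_option(code, ipaddress.IPv4Address(ip).packed)


def build_offer_options(router: str, dns: str, magic_ip: Optional[str] = None) -> bytes:
    """Build the options field of a DHCPOFFER the way a DHCP server that knows
    about option 234 would (constructed sample, not captured traffic)."""
    parts = [
        DHCP_MAGIC_COOKIE,
        encode_option(OPT_MSG_TYPE, DHCPOFFER),
        encode_ip_option(OPT_SUBNET_MASK, "255.255.255.0"),
        encode_ip_option(OPT_ROUTER, router),
        encode_ip_option(OPT_DNS, dns),
    ]
    if magic_ip is not None:              # only the XG Firewall's address goes here
        parts.append(encode_ip_option(OPT_MAGIC_IP, magic_ip))
    parts.append(bytes([OPT_END]))
    return b"".join(parts)


def parse_options(data: bytes) -> Dict[int, bytes]:
    """Parse TLV options into {code: payload}.

    Repeated codes are concatenated (RFC 3396); a truncated option raises
    rather than being silently accepted with a guessed value."""
    if not data.startswith(DHCP_MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options: Dict[int, bytes] = {}
    i = len(DHCP_MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        payload = data[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: truncated payload")
        options[code] = options.get(code, b"") + payload
        i += 2 + length
    return options


@dataclass(frozen=True)
class DiscoveryTarget:
    controller: ipaddress.IPv4Address                 # where the discovery packet goes
    default_gateway: Optional[ipaddress.IPv4Address]  # router from option 3
    via_option_234: bool                              # True when option 234 was used


def discovery_target(options: Dict[int, bytes]) -> DiscoveryTarget:
    """Decide where the AP will open its control connection, as the page
    describes: a well-formed option 234 overrides the magic IP; otherwise
    1.2.3.4 is used and the packet is routed via the default gateway."""
    router = options.get(OPT_ROUTER)
    gateway = ipaddress.IPv4Address(router[:4]) if router and len(router) >= 4 else None
    raw = options.get(OPT_MAGIC_IP)
    if raw is not None and len(raw) == 4:        # OPTION_IP: exactly one IPv4 address
        return DiscoveryTarget(ipaddress.IPv4Address(raw), gateway, True)
    # Absent or malformed option 234: fall back to the magic IP. The XG Firewall
    # can then only intercept the packet if it is the gateway or on the route to
    # the Internet, which is exactly the situation option 234 exists to fix.
    return DiscoveryTarget(MAGIC_IP, gateway, False)


if __name__ == "__main__":
    offer = build_offer_options("192.0.2.1", "192.0.2.53", magic_ip="192.0.2.10")
    print(discovery_target(parse_options(offer)))
    print(discovery_target(parse_options(build_offer_options("192.0.2.1", "192.0.2.53"))))
```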
Deployment
1. Connect the access point to the network
2. Navigate to PROTECT > Wireless > Access points
3. Accept the pending access point
4. Assign wireless networks to broadcast
Once you have connected an access point to the network and the discovery process has taken 
place you need to navigate to PROTECT > Wireless > Access points in the WebAdmin.
In the pending access points section you will see any access points that have been discovered. You 
need to accept the access point before it will be managed by the XG Firewall.
Note that the access point may go offline after being accepted. This is normal as it may perform a 
firmware upgrade directly after being accepted, in order to match the firmware of the firewall. This 
normally takes between 5 – 10 minutes.
Access Points
External access point
Built-in wireless
When working with built-in wireless on an XG Firewall, there is no need to accept the built-in 
access point. It is a local device that is always active as long as the wireless protection feature is 
active on the device. It is named LocalWifi0 and the name cannot be modified.
Broadcasting Wireless Networks
Assign wireless networks to access points
Use access point groups to assign wireless networks
When you accept an access point you can select which wireless networks it will broadcast. Alternatively you can assign the access point to a group and use the group to manage which wireless networks the member access points will broadcast.
Sophos access points can broadcast up to 8 wireless networks per radio. Almost all access point models have 2 radios and so can broadcast up to 16 networks. However, in most scenarios you will want to broadcast the wireless networks on both 2.4 GHz and 5 GHz, so you will effectively use up to 8 networks per access point.
DNS and DHCP
Remember, for the XG Firewall to respond to DNS requests from devices connected to the wireless network, DNS has to be enabled for the zone that network is in. This is done in SYSTEM > Administration > Device access.
When creating a wireless network where there is no DHCP server, which is usually the case for guest networks or where you have used a separate zone configuration, you will most likely want to create a DHCP server on the XG Firewall.
Hotspots
Type of Hotspot
Terms of acceptance
Password of the day
Voucher
Hotspots can be used to provide a number of functions depending on how they are configured. There are three hotspot types:
• Terms of use acceptance, where users have to agree to a set of terms before getting access through the hotspot
• Password of the day, where users need to provide a password that is generated daily
• Voucher, where each user has their own voucher for access that can be used to limit access time or data allowance
Note that hotspots are accessed after the device is connected to the network and do not replace 
the security mode selected for wireless networks.
Hotspots are deployed to interfaces on the XG Firewall, whether that is a physical port or a 
wireless interface from a separate zone. This means that hotspots are not limited to being used 
with wireless networks or Sophos access points.
Creating Hotspots
Policies to apply to traffic from the hotspot
Any interface not in the WAN zone
To configure a hotspot, start by selecting which interfaces it will apply to; this can be any interface that is not in the WAN zone.
You can select policies to apply to the traffic coming from the hotspot. You will see where these 
are used later.
Creating Hotspots
Terms of acceptance / Password of the day / Voucher
Force HTTPS for authenticating with the hotspot
When users access the hotspot using HTTP you can choose to redirect to HTTPS.
You need to select the hotspot type, each of which will have some associated configuration.
Creating Hotspots
Terms can be enabled for password of the day and voucher hotspots
Customize the look of the hotspot
If you are using a password of the day or voucher hotspot you can still enable a terms of use that 
has to be accepted.
You can optionally redirect users to a specific URL after they have authenticated with the hotspot, 
and you can customize the look of the hotspot.
Firewall and NAT
When you save the hotspot a firewall rule and linked NAT rule will be created. In the firewall rule 
the policies that you selected when creating the hotspot will be applied.
Vouchers
For voucher-based hotspots you can define different vouchers. All vouchers have to have a validity 
period, but can also include time and data quotas.
Module 10 Simulations
Complete the following simulation tasks for Module 10:
• Task 10.1: Deploy a Wireless Access Point
Use the Simulation Workbook to view details of each task and access the simulations.
Module Review
Now that you have completed this module, you should be able to:
• List the access point models available and their features
• Configure wireless networks
• Deploy access points and assign wireless networks to them
• Create hotspots and list the different types available
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Hi there, this is the logging and reporting module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET811 – Logging and Reporting
July 2020
Version: 18.0v2
Sophos Certified Engineer
XG Firewall 18.0
Module 11: Logging and Reporting
Version: 18.0v2
Module 11: Logging and Reporting - 516
Logging and Reporting
Logging
• Log viewer
• Syslog
• Log configuration
Notifications
• Email settings
• SNMP configuration
• Notification list
Reporting
• Reports and bookmarks
• Application risk meter and UTQ
• Threat intelligence reports
In this module you will learn how to access, customize, and save reports. You will learn to use the 
log viewer, as well as manage log configuration and notification settings.
Reporting
Built-in Reporting
• Preconfigured dashboards for traffic, security, executive reports and user threat quotient (UTQ)
• Preconfigured and custom reports
• Compliance focused reports for common standards including HIPAA and PCI
• Export or schedule reports to be sent via email
Central Firewall Reporting
• Last 7 days of data available in Sophos Central
• Access to reports and logs
XG Firewall has built-in reporting, which provides a comprehensive view of what is happening on 
your network. There are preconfigured dashboards and reports that you can refine and drill down 
into in order to get the exact information you are looking for. Reports can also be exported or 
scheduled to be sent via email.
In addition to the built-in reporting the XG Firewall can send report and log data to Sophos Central. 
This will be covered in more detail in the next module.
Note that reporting is not available on the XG86 and XG86w.
Reports
Here you can see an example report that has a filter applied. Filters can be quickly added by 
clicking on the fields of the charts, and you can add multiple filters to build the report you need.
Bookmarks
Once you have the report showing the data you want you can create a bookmark to save the 
report so you can quickly access it again in the future.
Bookmarks
Bookmark group
When you add the bookmark you can select a bookmark group; these are used to organize and access bookmarks. Once the first bookmark has been created, a new tab will be created called Bookmarks. By clicking the Bookmarks tab, you can see all of your saved reports.
Application Risk Meter
• Risk factor based on analysis of traffic
• Displayed on all application reports
XG Firewall has a couple of powerful reporting tools to help you identify risky applications and 
users.
In the Applications & web reports tab in the User app risks & usage reports you will see the 
application risk meter, which provides a risk assessment based on an analysis of traffic flowing 
through the network. 
The score can identify whether you need to tighten your security or investigate the actions of 
users. The risk meter ranges from 1 being low risk and 5 being the highest risk.
User Threat Quotient
• Identify risky or malicious users
• Based on web usage
XG Firewall also calculates a metric called User Threat Quotient (UTQ). The UTQ is based on a 
user’s web usage data and is intended to help you quickly identify users that are risky or malicious 
or who perform naïve actions such as responding to spear phishing attempts. This can minimize 
the effort required to identify users that need to be educated on how to work securely, and 
provides clear visibility into the risks posed by your organization’s users.
Compliance Reports
Regulatory compliance has become a priority for many organizations, normally requiring 
overwhelming effort, time and cost in the form of retrieval and storage of logs and reports from 
multiple devices. Correlating the vast amount of logs and reports to complete the compliance 
picture is a complicated and time-consuming task.
XG Firewall reporting is compliance-ready, making it easy for you to view and manage compliance-
based reports. It provides reports based on criteria for compliance standards such as:
• HIPAA (Health Insurance Portability and Accountability Act)
• GLBA (Gramm-Leach-Bliley Act)
• SOX (Sarbanes-Oxley)
• PCI (Payment Card Industry)
• FISMA (Federal Information Security Management Act)
• And several more…
Custom Reports
On the Custom tab you can configure customized reports for web, email, FTP, users and web 
servers. Depending on which report you select you can change options including the report type, 
fields to search and specific data to search for.
You may want to use this additional control to further investigate the actions of a user identified as 
risky by the UTQ.
Report Settings
In the report settings section you can control various options including scheduling reports, data 
retention and managing your bookmarks.
Over time XG Firewall will store a lot of data, so it is important to configure the retention period to 
allow old data to be purged.
If your device is running low on disk space, it is also possible to perform a manual purge from 
specific report modules or all report modules for a specific date period. This is done in Reports > 
Reports settings > Manual purge.
Threat Intelligence Reports
Threat intelligence reports for files that have been referred to Sandstorm are accessed from 
PROTECT > Advanced threat > Threat intelligence.
Here you can check the status of files that are being checked by Sandstorm, manually release a file, 
or view the detailed report.
Sandstorm activity is grouped by file. You can expand the file to see the events related to it, 
including the user and IP address and source, which can be a website or email.
Click the button to review an example report, then click Continue when you are ready to proceed.
https://training.sophos.com/ET80/v18/ThreatReport.html
Logging
• Access to real-time logs using the log viewer
• Add up to 5 external syslog servers
• Manage which events are logged
XG Firewall provides access to real-time logs in the WebAdmin so you can easily monitor the 
impact of changes and troubleshoot issues. Log data can also be reported to external syslog 
servers, and there is granular control over which events are logged. 
Log Viewer
• Customize columns
• Select log
Available on the top right of every page, the Log viewer link opens a new window with the live log 
view for XG Firewall.
In the default column view the log viewer will display a single log, and you can use the drop-down 
menu to select which log is displayed.
You can customize which columns are displayed, selecting up to 20, with time, log component and 
action being mandatory.
You can apply structured filters to the logs and perform free text searches, in both cases the 
matching terms will be highlighted. At any time you can choose to export the data to a CSV file.
• Apply structured filters
• Free text search
• Export data to a CSV file
By hovering your mouse over the log entry you can also see more detailed information.
By clicking on data in the logs you will get context-sensitive actions. You will always have the option 
to filter using the data either as a structured filter or free text search, but in many cases you will 
also be able to edit rules and policies or create new configuration.
The example here includes the option to create an objectionable custom URL category including 
this data, because it was allowed. If it had been blocked the option would have been to create an 
acceptable custom URL category.
• Select multiple logs
• Switch between column and unified log view
You can switch to the detailed unified log view using the buttons at the top. This view has the same 
searching and filtering options as the standard view, but can aggregate the logs from multiple 
modules.
By default, when you switch to this view, all of the logs will be shown. You can use the drop-down 
menu to select which modules you want to view the logs for.
When you click the links for firewall rules and policies, the parent WebAdmin window will 
automatically navigate to that location, making it quicker and easier to review the relevant 
configuration for a log entry.
Syslog
Syslog servers are configured in:
CONFIGURE > System services > Log settings
In addition to the local real-time logs, XG Firewall can be configured to log to up to 5 external 
syslog servers, usually on UDP port 514, although this can be customized.
In the syslog server configuration you can select which facility you want to log for:
• DAEMON, which includes information from services running on the firewall
• KERNEL, for the kernel log
• LOCAL0 – LOCAL7, for information from a specific log level
• USER, for logging based on users who are connected to the server
You can also select the severity of the events you want to log. The firewall will log all events for the 
selected level and above. So if you select CRITICAL it will also log ALERT and EMERGENCY events.
There are two logging formats that can be selected:
• Central Reporting Format, which is a fairly standard syslog format and is used to log to Sophos 
Central
• Device Standard Format, which is a more proprietary format and is used when logging to iView
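The severity rule above (the selected level plus everything more severe) and the facility choices, worked through as an added example that is not part of the course or of Sophos code: a receiver-side decoder for the syslog PRI header using the RFC 5424 facility and severity numbers, run over constructed sample messages.

```python
"""Added example (not Sophos code): decode the syslog PRI header that an
external syslog server receives and apply the "selected severity and above"
rule. Facility and severity numbers follow RFC 5424 section 6.2.1."""
import re

# RFC 5424 facility codes for the facilities the course lists.
FACILITIES = {"KERNEL": 0, "USER": 1, "DAEMON": 3}
FACILITIES.update({f"LOCAL{i}": 16 + i for i in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}

# RFC 5424 severity codes: a LOWER number is MORE severe.
SEVERITIES = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7,
}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. DAEMON/CRITICAL -> 26."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(line):
    """Return (facility name, severity name) from a raw syslog line."""
    match = PRI_RE.match(line)
    if match is None:
        raise ValueError("syslog line has no <PRI> header")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    facility = FACILITY_NAMES.get(pri // 8, f"FACILITY{pri // 8}")
    return facility, SEVERITY_NAMES[pri % 8]


def passes_threshold(severity, selected):
    """True when the message is at the selected level or more severe.
    Selecting CRITICAL therefore also passes ALERT and EMERGENCY."""
    return SEVERITIES[severity] <= SEVERITIES[selected]


def filter_messages(lines, selected, facility=None):
    """Keep lines meeting the severity threshold (and facility, if given)."""
    kept = []
    for line in lines:
        fac, sev = decode_pri(line)
        if facility is not None and fac != facility:
            continue
        if passes_threshold(sev, selected):
            kept.append((fac, sev, line))
    return kept


# Constructed sample messages (not real XG Firewall output). The PRI is
# computed from facility and severity; the message body is a placeholder.
SAMPLE_LINES = [
    f"<{encode_pri('DAEMON', 'CRITICAL')}>sample: service stopped",
    f"<{encode_pri('KERNEL', 'ALERT')}>sample: kernel alert",
    f"<{encode_pri('USER', 'EMERGENCY')}>sample: user emergency",
    f"<{encode_pri('LOCAL0', 'ERROR')}>sample: error, below threshold",
]

if __name__ == "__main__":
    # With CRITICAL selected, the ERROR line is the only one dropped.
    for fac, sev, line in filter_messages(SAMPLE_LINES, "CRITICAL"):
        print(f"{fac:<8} {sev:<10} {line}")
```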
Log Configuration
You can enable and disable specific event types within each module or the entire module itself, 
and this can be done independently for local logging, Sophos Central and each syslog server.
Retrieving Log Files
Upload a file from XG Firewall using FTP or SCP
There may be a time when files need to be copied to or from the XG Firewall. For example, you 
may want to copy some log files off of the device in order to retain them for an extended period of 
time. You can do this using either ftpput or scp.
To use FTP, you can use the following commands in the advanced shell:
• Get file: ftpget -u <username> -p <password> <host ip> <local file name> <remote file name>
• Put file: ftpput -u <username> -p <password> <host ip> <remote file name> <local file name>
To use SCP, you can use the following command in the advanced shell:
• scp <local file name> <username>@<host>:/path/to/remote/file
Notifications
Email: SYSTEM > Administration > Notification settings
• Configure email server settings
• Set email addresses
• Select management interface address
SNMP: SYSTEM > Administration > SNMP
• Enable SNMP agent
• Create SNMPv3 users and traps
• Create SNMPv1 and v2c community and traps
Notification list: CONFIGURE > System settings > Notification list
• Enable and disable email and SNMP notifications globally
• Select which notifications to send for email and SNMP
XG Firewall can send notification by email, SNMP or both. There are two steps to configuring this:
1. Configure the notification method, email or SNMP
2. Select which notifications you want to send via email and SNMP
Email
• Optionally configure an email server to use for sending notifications
• Select which interface admins receiving the notifications will be using to access the XG Firewall
During the initial setup you configure some basic settings for email alerts so that you will receive 
notifications for new firmware and when the status of gateways change. You can further modify 
the email settings in SYSTEM > Administration > Notification settings. 
SNMP
• Enable and configure the SNMP agent
• Create SNMP traps
SNMP can be configured in SYSTEM > Administration > SNMP.
Here you enable and configure the SNMP agent on XG Firewall and create SNMPv3 users and traps 
and SNMP communities and traps for v1 and v2c.
Notification list
• Globally enable and disable notifications for email and SNMP
• Select which notifications to send for email and SNMP
Once email and SNMP are configured go to CONFIGURE > System services > Notification list.
You can globally enable and disable notifications for email and SNMP, and separately control which 
notifications are sent via each channel.
Module Review
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Now that you have completed this module, you should be able to:
• Use the log viewer to find information and configure log settings
• Customize reports and create bookmarks
• Configure email and SNMP notifications
Module 11 Simulations
Complete the following simulation tasks for Module 10:
• Task 11.1: Run, bookmark and schedule reports
• Task 11.2: Review threat intelligence reports
Use the Simulation Workbook to view details of each task and access the simulations.
Hi there, this is the Central Management module of XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0 ET812 – Central Management
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 12: Central Management
Version: 18.0v2
Module 12: Central Management - 556
In this module we will cover the XG Firewall management and reporting in Sophos Central.
Central Management
• Central Firewall Management
• Central Firewall Reporting
• Zero-Touch Deployment
• Backup Management
Central Firewall Management
Central Firewall Management Overview
• Remotely access the WebAdmin of managed XG Firewalls
• Manage configuration of groups of XG Firewalls
• No additional license required
You can enable management of XG Firewall in Sophos Central, which allows you to access the 
WebAdmin from anywhere without needing to enable access for the WAN zone.
If you have multiple XG Firewalls you can also create groups and centrally manage the 
configuration.
This powerful functionality will be included with your XG Firewall, so no additional Sophos Central 
license will be required.
Enabling Central Management on XG Firewall
PROTECT > Central Synchronization
To start managing an XG Firewall in Sophos Central, the XG Firewall needs to be registered with 
Sophos Central and the option Use Sophos Central management must be enabled in Sophos 
Central services. This can be found in PROTECT > Central Synchronization.
Accepting Management in Central
Firewall Management > Manage Firewalls > Firewalls
Once you have enabled Central management on XG Firewall you need to log in to Sophos Central 
and accept the management services in Firewall Management > Manage Firewalls > Firewalls.
Managing a Single Firewall
You can now rename the XG Firewall in Sophos Central to make it easier to identify, view device 
reports (this is covered in another part of this course), and manage your firewall.
• Real-time access to the WebAdmin of managed XG Firewalls
By selecting to Manage Firewall you are logged into the WebAdmin of the XG Firewall as the 
admin user. This provides real-time access to the WebAdmin from anywhere without having to 
enable access on the WAN zone. The only way that you can tell it is not the local WebAdmin is the 
URL and the option to go back to firewall management in Sophos Central.
Firewall Groups
The new functionality in this early access release is the group management of configuration.
Creating Groups
XG Firewalls are not assigned a group by default, so you can either edit an existing group to add 
them or create a new group.
Central Managed XG Firewall
Once an XG Firewall has been added to a group and synchronized, a banner message will be 
displayed warning you that local changes to configuration may result in a conflict.
Managing Group Policies
To manage the configuration select Manage Policy from the menu for the group. You can create 
and configure a group before you start adding the XG Firewalls to it.
• Local rules on XG Firewall are only overwritten when a rule with the same name is created in Sophos Central
Here you can see that the configuration looks exactly the same as in the WebAdmin.
When creating new firewall rules, note that local rules on the XG Firewall are only overwritten 
when a rule with the same name is created in Sophos Central. Rules created locally on the XG 
Firewall do not appear here and are not managed or removed.
Task Queue
When you make a change to the configuration a new task is created, and you can see which XG 
Firewalls it is being applied to and track the progress.
Central Firewall Reporting
Central Firewall Reporting Overview
• Dashboards and reports available in Central
• View and filter logs from the XG Firewall
• Last 7 days of data available in Central
Central Firewall Reporting provides access to dashboards and reports in Sophos Central for each of 
your XG Firewalls. You can also view and filter logs. The last 7 days of data is available in Sophos 
Central updated on a first in, first out (FIFO) basis. This means that the oldest data is always 
replaced with the most current data.
Enabling Central Firewall Reporting
PROTECT > Central Synchronization
To start using Central Firewall Reporting the XG Firewall needs to be registered with Sophos Central 
and the option Use Sophos Central reporting must be enabled in Sophos Central services. This can 
be found in PROTECT > Central synchronization.
Once enabled, data should start appearing in Sophos Central within around 10 – 15 minutes.
Managing Central Firewall Reporting
• Syslog server created for Central Firewall Reporting
• Manage the data uploaded to Central
Enabling Central reporting creates a syslog server for uploading the data to Central in CONFIGURE 
> System services > Log settings.
Here you can also customize the data that is uploaded to Central in the Log settings section.
Accessing Firewall Reports
In this early access release reports are accessed per XG Firewall using the menu. The ability to 
create consolidated reports will be added at a later date.
Report Dashboard
• Click the summary buttons to see more details below
When you access the report you will see a dashboard. You can click on the summary buttons and 
the information below will be updated to show more detail.
Reports
• Select report
In the Reports section you can access the prebuilt reports and any custom reports you have 
created. Note that custom reports are not available yet.
• Click links to apply filters
• Click data to apply filters
By clicking on the data in the chart or the links in the table below you can apply filters to the 
report.
• Manually enter filters
You can also manually enter filters. When you click in the ‘Filter Query’ field you will see the fields 
that you can select to filter on.
• Customize chart type: bar chart, horizontal bar chart, pie chart, line chart or stack-area chart
• Customize the fields for the chart
You can customize the graphs in each report by selecting the type of chart and the fields that you 
want displayed.
• Customize the columns in the table
You can also select which columns you want to appear in the table.
Logs
• Select columns
• Click links to apply filters
• Manually enter filters
In the ‘Log Viewer & Search’ report you will see the logs from the XG Firewall. Just like for the 
reports you can click on the links to add filters or you can add them manually. In the top-right you 
can select which columns are shown and switch between the column view and log view.
Zero-Touch Deployment
1. Create configuration: use the setup wizard in Sophos Central
2. Send configuration: optionally, email the configuration to another location
3. Create USB: copy the configuration to a USB drive
4. Boot XG with USB: plug the USB drive into the XG Firewall and start it up
Note: zero-touch configuration files can only be created for unregistered hardware serial numbers.
Zero-touch deployment enables even a non-technical person to connect and configure a remote 
XG Firewall and get it connected into Sophos Central. An administrator can add the new firewall in 
Central and step through the initial setup wizard before the XG device is installed. They can then 
download the configuration or email it to another location, so it can be copied to a USB stick. 
The stick is then plugged into the XG Firewall device when it is first fired up, setting its initial 
configuration, after which it can be fully managed from Sophos Central. For power users, the config 
file can be edited and customized further. 
Note that zero-touch configuration files can only be created for unregistered hardware serial 
numbers.
Backup Management
• Schedule daily, weekly or monthly configuration backups
• Select which devices to create the backups for
You can schedule configuration backups of your XG Firewalls in Central. Backups can be daily, 
weekly, or monthly, and you can select which devices the schedule applies to.
• Select the device you want to manage backups for
• Trigger a backup now
• Pin a backup as a stored backup
• Download a backup
Sophos Central will store the five most recent backups for each device. You can pin one backup for 
each device as a stored backup in addition to the most recent five.
If you download a backup you can choose a password for it to be encrypted with.
Enabling Backup Management
To make use of Sophos Central managed backups, the option Send configuration backups to 
Sophos Central must be enabled. This can be found in the Central services section of Central 
Synchronization.
Module Review
On completion of this module, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in 
this module.
Now that you have completed this module, you should be able to:
• View and filter XG Firewall reports and log in Sophos Central
• Manage the configuration of groups of XG Firewall in Sophos Central
• Create a zero-touch configuration file in Sophos Central
• Manage backup configuration files in Sophos Central
Module 11 Simulations
Complete the following simulation tasks for Module 11:
• Task 11.1: Manage an XG Firewall in Sophos Central
Use the Simulation Workbook to view details of each task and access the simulations.
Course Review
On completion of this course, you should now be able to perform the actions shown here. Please 
take a moment to review these.
If you feel confident that you have met these objectives, click Continue.
Now that you have completed this course, you should be able to:
• Perform the initial setup of an XG Firewall and configure the required network settings
• Configure firewall rules, policies and user authentication
• Demonstrate threat protection and commonly used features
• Explain how XG Firewall helps to protect against security threats
Next Steps
Now that you have completed this course, you should complete the assessment in the training 
portal.
You will have 2.5 hours to complete the assessment from when you launch it, and you have 4 
attempts to pass the assessment.
The assessment may include questions on the theory or simulations.
Training Feedback
Feedback on our courses is always welcome. Please email us at globaltraining@sophos.com with your comments.