Connecting Sites with Sophos

Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3005: Connecting Sites with Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Connecting Sites with Sophos Firewall - 1

 Connecting Sites with Sophos Firewall
In this chapter you will learn RECOMMENDED KNOWLEDGE AND EXPERIENCE
about the different methods ✓ Sophos Firewall zones and interfaces
Sophos Firewall offers for ✓ Protocols used for VPN access
connecting sites.

DURATION

5 minutes

In this chapter you will learn about the different methods Sophos Firewall offers for connecting
sites.

Connecting Sites with Sophos Firewall - 2

 Site-to-Site Connections
Sophos Firewall

Site-to-site VPN

Sophos Firewall

Remote Ethernet Device

Remote Ethernet Device

Sophos Firewall includes two main ways to connect sites; site-to-site VPNs, and Remote Ethernet
Devices, or REDs. How you choose to connect your sites will depend on the requirements of the
site.

For example, a small site that routes all traffic back to the head office might be a good fit for a RED,
saving on the need for a full Sophos Firewall on-site. Whereas a large site that needs a Sophos
Firewall for web filtering and web server protection could be connected using a site-to-site VPN
without the need for additional hardware.

Connecting Sites with Sophos Firewall - 3

 Site-to-Site Connections

Site-to-Site VPN Remote Ethernet Device (RED)

✓ Connection between two Sophos ✓ Connection between a Sophos

Firewalls Firewall and a small hardware device

✓ Connection can be made to third- ✓ Plug and play with no technical

party firewalls expertise required onsite

✓ Sophos Firewall can provide security ✓ Can transparently extend the

filtering at the remote site network between sites

If we look at a high-level comparison of the two connectivity options, there are a few key
differences.

Site-to-site VPNs can be used to create an encrypted tunnel between two Sophos Firewalls, or
between a Sophos Firewall and another device that supports compatible protocols. Having a
Sophos Firewall at the remote site also allows you to provide the same level of security filtering on-
site without sending all traffic back over the VPN.

Remote Ethernet Devices are small hardware devices that are connected in branch offices that can
transparently extend the network between sites with a layer-2 connection. REDs are plug-and-play,
and don’t require any technical expertise to connect at the remote site.

The RED tunnel technology can also be used to establish connections between Sophos Firewalls
without using additional hardware; this can be used as an alternative to the other supported site-
to-site VPN options.

Connecting Sites with Sophos Firewall - 4

 Site-to-Site VPNs
SSL IPsec
✓ Simple configuration ✓ Can be more secure if configured correctly
✓ Effective site-to-site connectivity ✓ Flexible routing options
✓ Supports failover groups
✓ Compatibility with third-party devices

• HTTPS (TLS) • UDP port 500

• Port 8443 (can be changed) • IP protocols 50 & 51
• Digital certificates for authentication • Pre-shared key, RSA key, or digital certificates
for authentication
• Tunnel mode for site-to-site connections

For site-to-site VPN connections, Sophos Firewall supports two protocols, SSL and IPsec.

SSL site-to-site VPNs are simple to configure, providing a quick and effective way to connect branch
offices.

IPsec on the other hand, can be more secure if configured correctly, provides more flexible routing
options and supports failover groups. IPsec can also be used to connect with third-party devices
but can be more complex to setup.

Connecting Sites with Sophos Firewall - 5

 VPN Zone

All VPNs that are created are automatically added to the VPN zone. This is a special zone that has
no physical interfaces; all VPN connections, whether they are site-to-site or remote access are
always in this zone, but you cannot add or remove any other types of interface.

While you cannot edit interface membership for this zone, you can manage the device access
options.

RED connections are not included in the VPN zone and can be configured to be in any zone,
providing flexible alternative if you need to create a custom zone.

Connecting Sites with Sophos Firewall - 6

 Chapter Review

Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet
Devices (REDs)

Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to setup,
and IPsec, which is more configurable and flexible

All VPN connections are automatically added to the VPN zone, which is a special zone
with no physical interfaces that cannot be edited

Here are the three main things you learned in this chapter.

Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices, or
REDs.

Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to setup, and IPsec,
which is more configurable and flexible.

All VPN connections are automatically added to the VPN zone, which is a special zone with no
physical interfaces that cannot be edited.

Connecting Sites with Sophos Firewall - 11

Connecting Sites with Sophos Firewall - 12
 Configuring SSL Site-to-Site
VPNs on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3010: Configuring SSL Site-to-Site VPNs on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 1

 Configuring SSL Site-to-Site VPNs on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to create an SSL site-to-site VPN ✓ Methods offered by Sophos Firewall for connecting
between two Sophos Firewalls. sites

DURATION

5 minutes

In this chapter you will learn how to create an SSL site-to-site VPN between two Sophos Firewalls.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 2

 SSL Site-to-Site VPN

Client initiates
connection with server

Branch Office Sophos Firewall Head Office Sophos Firewall

Client for SSL VPN Server for SSL VPN

Site with dynamic public IP address Site with static public IP address

SSL site-to-site VPNs are implemented using a client-server configuration where each end of the
tunnel has a distinct role. The client side will always initiate the connection to the server, and the
server will always respond to client requests. This is different from IPsec where normally either end
can initiate a connection.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 3

 Device access is configured in:
Device Access for SSL VPN SYSTEM > Administration > Device access

Before creating any VPNs, first ensure that SSL VPN is enabled for the zones in which you want to
use it. This will be the zones where the VPN will connect to the Sophos Firewall from. For site-to-
site VPNs this will most likely be the WAN zone.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 4

 SSL VPNs are configured in:
SSL VPN Global Settings CONFIGURE > Site-to-Site VPN > SSL VPN

SSL site-to-site VPNs are configured in CONFIGURE > Site-to-Site VPN > SSL VPN.

In the top-left of the page is a link to the SSL VPN global settings; you should check and configure
these before you start creating VPNs.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 5

 SSL VPN Global Settings

SSL VPN settings apply to both site-to-site and remote access VPNs

It is important to note that these settings apply to both site-to-site and remote access SSL VPNs, so
this should be considered when making changes.

Sophos Firewall uses port 8443 by default; if you are going to change this port you should do so
before you begin creating any VPNs.

Here, you can configure the network settings for SSL VPNs, including, the subnet for IP leases, DNS
servers, and the domain name.

You can also customize the cryptographic settings for the connection and choose whether to
compress the traffic.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 6

 Creating an SSL VPN
1 Configure server

The configuration of SSL site-to-site VPNs is done in three steps, the first is to create the server side
of the connection. On the firewall that will be acting as the SSL VPN server, click Add in the ‘Server’
section.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 7

 Creating an SSL VPN
1 Configure server

The server connection is configured with a name and the local and remote networks. You can also
optionally set a static IP address for the client rather than an IP address from the address pool.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 8

 Creating an SSL VPN
2 Download configuration

Next, download the configuration file from the server connection. You can choose to encrypt the
connection file so that it requires a password to import.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 9

 Creating an SSL VPN
3 Upload on client

On the client Sophos Firewall, click Add in the ‘Client’ section.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 10

 Creating an SSL VPN
3 Upload on client

Here, you will give the connection a name and upload the configuration file. If necessary, you can
override the hostname for the server Sophos Firewall, this can be a static or dynamic DNS name or
an IP address. You can also optionally define a HTTP proxy server.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 11

 Creating an SSL VPN
SERVER

CLIENT

Here you can see a connected SSL site-to-site VPN. Sophos Firewall will automatically create the
required routes and firewall rules so that traffic can flow between the networks defined in the
connection.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 12

 Simulation: Create an SSL Site-to-Site VPN

In this simulation you will create an

SSL site-to-site VPN between two
Sophos Firewalls.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/SslVpnS2s/1/start.html

In this simulation you will create an SSL site-to-site VPN between two Sophos Firewalls.

Getting Started with Firewall and NT Rules on Sophos Firewall - 13

 Chapter Review

SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs

You need to enable SSL VPNs for the zones you want to create them in

You configure the connection on the server Sophos Firewall then upload the
configuration file to the client Sophos Firewall

Here are the three main things you learned in this chapter.

SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs.

You need to enable SSL VPNs for the zones you want to create them in.

You configure the connection on the server Sophos Firewall then upload the configuration file to
the client Sophos Firewall.

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 18

Configuring SSL Site-to-Site VPNs on Sophos Firewall - 19
 Getting Started with IPsec
Site-to-Site VPNs on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3020: Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 1

 Getting Started with IPsec Site-to-Site VPNs on Sophos
Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to configure IPsec site-to-site ✓ Sophos Firewall zones and interfaces
VPN connections for simple ✓ Protocols used for VPN access
environments.

DURATION

11 minutes

In this chapter you will learn how to configure IPsec site-to-site VPN connections for simple
environments.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 2

 IPsec Site-to-Site VPNs
Route-based VPN Policy-based VPN
• VPN connection is • Local and remote networks
independent of routes for are defined as part of the
traffic VPN

• Routes can be modified • VPN must be edited to

without disconnecting VPN change networks and
requires disconnecting and
• Routes are created manually reconnecting

• Routes are created

automatically

Sophos Firewall supports two types of IPsec VPN; route-based and policy based.

With route-based VPNs you create a VPN connection between two firewalls, then separately
configure routing for the traffic you want to send over the connection.

With policy-based VPNs, you define the local and remote networks as part of the VPN connection
and routes will be created for these networks only.

The advantage of route-based VPNs is that you can make changes to the traffic being routed over
the connection without having to edit, and therefore disconnect and reconnect, the VPN.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 3

 IPsec VPN profiles are configured in:
IPsec VPN Profiles SYSTEM > Profiles > IPsec profiles

Security parameters used to establish and maintain the VPN connection

Both sides of the VPN must allow the same settings

There are several profiles provided out-of-the-box

IPsec VPNs require a matching set of algorithms and settings on both ends for a tunnel to be
successfully created. On the Sophos Firewall these are configured in IPsec profiles.

There are several preconfigured profiles that ship with the Sophos Firewall, but these can be
cloned and modified to meet your requirements. This may be necessary to meet compliance
criteria, or to create a VPN with a third-party device.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 4

 Route-Based VPN

xfrm tunnel interface

Sophos Firewall Sophos Firewall

172.16.16.0/24 172.20.77.0/24 192.168.16.0/24 192.168.2.0/24

When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall.
This can be configured like any other interface, except it is always in the VPN zone. You can create
routes, NAT rules, and firewall rules in the same way you would for any other traffic.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 5

 IPsec VPNs are configured in:
Creating the VPN Tunnel Interfaces CONFIGURE > Site-to-Site VPN > IPsec

Select the Tunnel interface

connection type

At least one side of the

connection must be configured to
initiate the connection

Select either:
• Preshared key
• Digital certificate
• RSA key

Let’s look at how you can configure this. We will look at the configuration for one side of the
tunnel; however, this will need to be done on both ends.

The first step is to create the tunnel interfaces. This is done by creating a new IPsec configuration;
select Tunnel interface for the connection type.

You will notice that when you select tunnel interface the IP version automatically changes to Dual,
as tunnel interfaces support both IPv4 and IPv6.

One side of the connection must be configured to initiate the connection. The other can be
configured to only respond.

In the ‘Encryption’ section, select the IPsec profile and type of authentication you want to use.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 6

 Creating the VPN Tunnel Interfaces

You do not need to specify the local and

remote networks for tunnel interfaces

In the ‘Gateway settings’ section, select the local interface that will be used to create the VPN
connection and enter the IP address of the firewall that will be on the other side.

When configuring the local and remote gateways you do not specify the local and remote networks
for tunnel interfaces; however, you must set the remote gateway address. Unlike IPsec VPNs, you
cannot use a wildcard for the remote gateway address even if the tunnel interface is configured to
respond only.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 7

 Configuring the Tunnel Interfaces

Tunnel interfaces are always in

the VPN zone

Once you have saved the IPsec connection you will see a new interface has been created for it. The
interface will be bound to the physical interface selected when you created the IPsec connection.

The interface itself is configured in the same way as any other interface; however, you cannot
configure the zone. Tunnel interfaces are always in the VPN zone.

You must ensure that the tunnel interfaces at each end of the tunnel are in the same subnet.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 8

 Routing for Route-Based VPNs
Configure routes to send the traffic over the tunnel
Supports static routes, SD-WAN policy routes, and dynamic routing

Once you have configured the tunnel interfaces you can create routes for the traffic to use the
VPN. Routing can be configured using static routes, SD-WAN policy routes, and dynamic routing.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 9

 Simulation: Create a Route-Based IPsec Site-to-Site VPN

In this simulation you will create a

route-based IPsec site-to-site VPN
between two Sophos Firewalls.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/IpsecVpnS2s/1/start.html

In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos
Firewalls.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 10

 Policy-Based IPsec VPN: IPsec VPN Wizard

Step-by-step guide for creating

IPsec VPNs

IPsec VPN policies are configured in:

CONFIGURE > VPN > IPsec Connections

Additional information about the

configuration shown on the left

We will now look at configuring policy-based VPNs.

There is a wizard that can be launched from the IPsec site-to-site VPN page, which can be used to
create a policy-based VPN. The wizard will walk through the steps necessary to create a VPN,
providing additional help and descriptions for each field on the left.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 11

 Policy-Based IPsec VPN 1

Let’s walk through the configuration created by the wizard.

In the ‘General settings’ you can choose between IPv4 or IPv6 and whether the Sophos Firewall
should only respond to VPN requests or try to initiate them.

When you are creating a new VPN you can also optionally choose to have the Sophos Firewall
automatically create firewall rules, although these will be fairly general and should be reviewed.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 12

 Policy-Based IPsec VPN 2

Copy this to the ‘Remote RSA Copy this from the ‘Local RSA
key’ field on the peer device key’ field on the peer device

In the ‘Encryption’ section you select the VPN profile, either one of the out-of-the-box profiles, or
one you have created yourself. Select the authentication type, which can be either a pre-shared
key, an RSA key, or a digital certificate.

Pre-shared keys are a passphrase that is entered on both devices. This is generally the weakest
authentication type, mostly because the key length is usually short in comparison to the other
options.

RSA keys are public private key pairs. The public key is copied from each device to the other device.
This provides good security, as the key length is much longer, and different keys are used for each
device. As a bonus, you do not need to create a passphrase, you can simply copy and paste the
keys.

Digital certificates are the most secure option, but take some additional effort to configure. They
provide similar public private key pairs to RSA keys, but are also signed by trusted certificate
authorities, and have the longest key lengths.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 13

 Policy-Based IPsec VPN 3

In the ‘Gateway settings’ you configure the interface the Sophos Firewall will use for the VPN and
where it will be connecting to. If the remote side has a dynamic IP address a wildcard can be used;
however, this also means the Sophos Firewall cannot initiate the connection as it does not know
where to connect to.

IPsec VPNs can also have an ID, which can be based on DNS, IP address, email address, or an X.509
certificate name.

Finally, you need to define which networks will be available over the VPN. That is, the local
networks that remote devices will be able to access, and the remote networks you expect to be
able to access over the VPN.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 14

 IPsec Acceleration

XGS Series Appliances Support IPsec Acceleration

Cipher and Authentication Combinations

SUPPORTED UNSUPPORTED

• AES-CBC 128/192/256-bit AES keys • DES, 3DES

with SHA-1, SHA-256, SHA-384, or • TwoFish
SHA-512 HMAC • MD5
• AES-GCM with 128/192/256-bit AES
key
• NULL cipher with 128-bit GMAC
authentication

Sophos XGS Series appliances support IPsec acceleration, which offloads the IPsec encryption and
decryption to the NPU.

This is both faster in terms of performance, but it is also offloading work from the CPU, freeing up
cycles to work on other security processing functions.

Here you can see that the most used ciphers and authentication combinations are supported, with
only DES, 3DES, TwoFish, and MD5 being unsupported.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 15

 IPsec Acceleration
console> system ipsec-acceleration disable

This will restart all IPsec tunnels and stop offloading IPsec VPN traffic
to the Xstream flow processor.

Turn off IPsec acceleration(Y/N)?

Y

console> system ipsec-acceleration enable

This will restart all IPsec tunnels and offload IPsec VPN traffic to the
Xstream flow processor.

Turn on IPsec acceleration(Y/N)?

Y

IPsec acceleration is configured on the Console using the system ipsec-acceleration command to
enable and disable the feature.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 16

 IPsec Acceleration
SOPHOS FIREWALL
Kernel does packet
encapsulation and adds
the ESP header
KERNEL

ESP + Request

The NPU detects the

encapsulated packet and
performs the encryption
NPU/Xstream Processor
Request ESP Request

With IPsec acceleration enabled, when a packet comes in the kernel will still perform the
encapsulation, but it will not encrypt the packet.

The NPU will detect the ESP header and perform the encryption on the packet.

The reverse will happen with the reply. The NPU will decrypt the packet and the kernel will remove
the encapsulation.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 17

 IPsec Acceleration with Firewall Acceleration (FastPath)
SOPHOS FIREWALL

KERNEL

NPU does packet

encapsulation and adds The NPU detects the
the ESP header encapsulated packet and
performs the encryption
NPU/Xstream Processor
Request ESP + Request ESP Request

If you also have firewall acceleration enabled, offloading to the FastPath, the NPU will do the
packet encapsulation and the encryption. This is the ideal scenario.

The opposite is true with IPsec acceleration and firewall acceleration both disabled, as the kernel
will do both the encapsulation and encryption.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 18

 Chapter Review
IPsec profiles contain the security parameters to establish and maintain the VPN. Both
sides of the VPN need to support the same settings

Route-based VPNs create an xfrm interface that is configured like any other interface.
Routes are created manually, separate to the connection

Policy-based VPNs define the networks, and routes are created automatically. The VPN
requires a reconnection if you edit the networks for the VPN

Firewall rules can be created automatically when you create a policy-based VPN but are
broad and should be edited

Here are the four main things you learned in this chapter.

IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of the
VPN need to support the same settings.

Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separate to the connection.

Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.

Firewall rules can be created automatically when you create a policy-based VPN but are broad and
should be edited.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 23

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 24
 Advanced IPsec Site-to-Site
Configuration on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3025: Advanced IPsec Site-to-Site Configuration on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 1

 Advanced IPsec Site-to-Site Configuration on Sophos
Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to make use of advanced IPsec ✓ Configuring IPsec site-to-site VPN connections for
features, and how to combine simple environments
IPsec VPN with SD-WAN profiles
and policy routes to select the
most optimal link.

DURATION

21 minutes

In this chapter you will learn how to make use of advanced IPsec features, and how to combine
IPsec VPN with SD-WAN profiles and policy routes to select the most optimal link.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 2

 IPsec VPN Connections
• Most popular VPN option
• Cross vendor compatible
• Different products have different
names for the same options

Vs.

IPsec VPNs are the most popular VPN option for connecting sites. One of the advantages of IPsec
VPNs is that there is good cross-vendor compatibility, so you can create connections between sites
that have different firewalls.

For IPsec VPNs to be established, both sides of the connection need to support the same set of
security parameters. While most vendors support the same or similar options, you may find that
they may go by different names.

On Sophos Firewall, these security parameters are configured in IPsec profiles.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 3

 Additional information in
IPsec Profiles the notes

• Security parameters used to establish and maintain VPN connection between two peers
• Both sides of the VPN must support the same settings
• Create and modify IPsec policies in: SYSTEM > Profiles > IPsec profiles

IPsec Profile When to Use

Default Profile Simple profile with a single algorithm
DefaultBranchOffice Branch office appliance to initiate VPN tunnel
DefaultHeadOffice Head office appliance to respond to VPN tunnel
DefaultL2TP L2TP remote user VPN tunnel
DefaultRemoteAccess IPsec remote user VPN tunnel
IKEv2 Profile using IKEv2
Microsoft Azure For creating a VPN to Azure

IPsec profiles describe the security parameters used for negotiating, establishing, and maintaining
a secure tunnel between two peers.

Before you set up your secure tunnels, to make their configuration faster and easier, you can create
VPN profiles that work on a global level. Rather than configuring the profile parameters for every
tunnel you create, you can configure general policies and then apply them to your secure tunnels.

When creating a profile, remember that both sides of the VPN connection must have the same
settings.

These are the several default IPsec VPN policies configured on the Sophos Firewall for different use
cases, and these can be cloned and edited as required to make them compatible with other
products, or to meet your company’s security requirements.

[Additional Information]
• Default profile – A simple profile that enforces a single strong algorithm
• DefaultBranchOffice - To be used when the appliance of a branch office within an organization
initiates the VPN tunnel
• DefaultHeadOffice - To be used when the appliance of the head office responds to the VPN
tunnel
• DefaultL2TP - To be used in L2TP remote user VPN tunnels
• DefaultRemoteAccess - To be used in IPsec remote user VPN tunnels
• IKEv2 – A profile that implements IKEv2
• Micorsoft Azure – A profile that can be used when creating a VPN to Azure

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 4

 IPsec Profile Configuration

Let’s look at the IPsec profile configuration.

Enter a name and description for the profile.

The option to ‘Re-key connection’ starts the negotiation process automatically before key expiry.
The re-keying process will start automatically at the re-key margin specified in the phase 1
configuration. The negotiation process can be initiated by both the local or remote peer. If this
option is not enabled, the tunnel will be disconnected at the end of the key life.

‘Key negotiation tries’ specifies the maximum number of key negotiation tries allowed. Set to ‘0’
for an unlimited number of tries.

The ‘Authentication mode’ is used for exchanging authentication information.

Main mode consists of 6 messages. The phase 1 parameters are exchanged in multiple rounds with
encrypted authentication making it more secure

The Aggressive mode consists of 3 messages. With Aggressive Mode, the tunnel can be established
faster than using Main mode, as fewer messages are exchanged during authentication, and no
cryptographic algorithm is used to encrypt the authentication information. Use Aggressive mode
when the remote peer has dynamic IP addresses.

Enable to pass data in a compressed format to increase throughput.

The version of IKE (v1 or v2) can be selected for higher security or compatibility.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 5

 Additional information in
IPsec Profile Configuration the notes

Options for when to create new keys

Diffie-Hellman Group

Define which combinations of

encryption and hashing algorithm
will be accepted

Phase 1 – Internet Key Exchange, or IKE.

Select the encryption and authentication algorithms that can be negotiated for phase 1.

Supported authentication algorithms include SHA512, SHA384, and SHA256. SHA1 and MD5 are
also supported, but not recommended.

Up to three combinations of encryption and authentication algorithms can be selected. The

remote peer must support at least one of the combinations for the VPN to be successfully
established.

The DH, or Diffie-Hellman, the Group specifies the key length used for encryption.

The remote peer must be configured to use the same group. If mismatched groups are specified on
each peer, negotiation fails.

Specify the ‘Key life’ in seconds. Key Life is the amount of time that will be allowed to pass before
the key expires. The default is 3600 seconds, which is 1 hour.

The ‘Re-key margin’ sets the time during the remaining Key Life when the negotiation process
should be started automatically, without interrupting the communication, before the key expiry.
For example, if Key Life is 8 hours and the Re-key Margin is 10 minutes, then the negotiation
process will automatically start after 7 hours 50 minutes usage of Key Life. The default is 120
seconds, which is 2 minutes.

The Randomize Re-Keying Margin by field can be used to randomize the time that the rekeying

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 6

negotiation starts relative to the re-key margin. For example, if Key Life is 8 hours, Re-
Key Margin is 10 minutes and Randomize Re-Keying time is 20%, then the Re-Key
Margin will be 8 to 12 minutes and negotiation process will start automatically 8
minutes before the key expiry and will try up to 2 minutes after key expiry. The
default is 0%.

[Additional Information]
Supported algorithms are:
• 3DES – Triple DES is a symmetric strong encryption algorithm that is compliant
with the OpenPGP standard. It is the application of DES standard where three keys
are used in succession to provide additional security
• AES – Advanced Encryption Standard offers the highest standard of security. The
effective key lengths that can be used with AES are 128, 192 and 256 Bits. This
security system supports several encryption algorithms
• Serpent – Serpent is a 128-bit block cipher i.e., data is encrypted and decrypted in
128-bit chunks, and a variable key length of 128, 192, or 256 bits. The Serpent
algorithm uses 32 rounds or iterations of the main algorithm. Serpent is faster than
DES and more secure than Triple DES
• BlowFish – BlowFish is a symmetric encryption algorithm that uses the same secret
key to both encrypt and decrypt messages. It is also a block cipher which divides a
message into fixed-length blocks during encryption and decryption. It has a 64-bit
block size and a key length of anywhere from 32 bits to 448 bits and uses 16
rounds of the main algorithm
• TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and
key sizes up to 256 bits

DH (Diffie-Hellman) Group specifies the key length used for encryption.

• DH Group 1 uses 768-bit encryption
• DH Group 2 uses 1024-bit encryption
• DH Group 5 uses 1536-bit encryption
• DH Group 14 uses 2048-bit encryption
• DH Group 15 uses 3072-bit encryption
• DH Group 16 uses 4096-bit encryption

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 6

 IPsec Profile Configuration
Define the key strength and lifetime for phase 2

Define which combinations of

encryption and hashing algorithm
will be accepted

Phase 2 – IPsec Internet Security Association and Key Management Protocol, or ISAKMP.

Select the encryption and authentication algorithms that can be negotiated for phase 2.

Up to three combinations of encryption and authentication algorithms can be selected. The

remote peer must support at least one of the combinations for the VPN to be successfully
established.

PFS Group (DH Group) specifies the Diffie-Hellman group which controls the key length used for
encryption. The default is to use the same as phase 1.

Specify the Key Life in seconds. As in Phase 1 the default is 3600 seconds.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 7

 IPsec Profile Configuration

How frequently to check peer and timeout

Action when dead peer detected

• Hold
• Re-initialize
• Disconnect

In the last section of the IPsec profile, you can enable and configure dead peer detection.

Here you define how frequently you want to check the peer and how long to wait for a response.

If a dead peer is detected you can choose to either hold, re-initialize the connection, or disconnect.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 8

 IPsec Connection Authentication
Passphrase that must match on both sides of the tunnel.
Most commonly used authentication type.

Copy the local RSA key to the ‘Remote

RSA key’ field of the other firewall.
These are the public keys for each
firewall.
Authenticate by exchanging certificates.
Requires either the certificate from the
other firewall, or certificate authority
certificate to validate it.

Sophos Firewall supports three modes for encrypting and authenticating IPsec VPNs; pre-shared
key, RSA key, and digital certificate.

Pre-shared key is the most used authentication type. You provide a passphrase, which must match
on both sides of the tunnel.

RSA key is a variation on this. Each firewall has a local and remote RSA key. You copy the local RSA
key of each firewall to the other firewall and paste it into the remote RSA key field. These are the
public keys of the key pair generated for each firewall.

The last option is digital certificate, where the authentication is done by exchanging certificates.
These can be either locally signed or issued by a certificate authority. Note that using a public
certificate authority is a security risk. You select the local certificate you want to use, and then
either a local copy of the opposing firewall’s certificate, or ‘External certificate’. If you select
‘External certificate’ you also need to select the certificate authority used to verify the certificate
presented by the other firewall.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 9

 Route-Based VPN
Network topology changes don’t require VPN policy updates

• Networks can be added/removed easily

• Support for both static and dynamic routing
• Simplifies VPN creation for larger/dynamic networks

Interoperates with other route-based VPN tunnels

Static Routes RIP BGP OSPF

SF to SF    
SF to Fortigate    
SF to Cisco n/a n/a  n/a

• Does not interoperate with policy-based VPNs

Route-based VPNs are generally the preferred choice for many next-gen firewalls and VPN
gateways because they don’t require VPN tunnel edits as networks change. As the routing supports
both static and dynamic routing, networks can be added and removed easily without the need to
edit the VPN policy, this particularly makes them a better choice for larger or dynamic networks.

Route-based VPNs can interoperate with other route-based VPN tunnels, however they cannot
interoperate with policy-based VPNs, so do not try to mix them!

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 10

 Route-Based VPN

While you do not have to define networks in route-based VPNs, you do have the option to do so.
Including traffic selectors will only permit traffic that matches the defined networks.

To configure traffic selectors in the route-based VPN you need to change the IP version from the
default of ‘Dual’, to either ‘IPv4’ or ‘IPv6’. When you specify traffic selectors, VPN routes are
automatically created, and you don’t need to assign an IP address to the tunnel.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 11

 Route-Based VPN Routing
Route-based VPNs support static routes, SD-WAN policy routes, and dynamic routing

Route-based VPNs support static routes, SD-WAN policy routes, and dynamic routing. In the
example shown here, BGP has been configured on either side of the route-based VPN.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 12

 IPsec as a Backup Connection Using SD-WAN
Site-to-site VPN over the Internet

MPLS link

London Office New York Office

A common scenario is to have a primary or dedicated link between offices and a VPN as a backup
connection.

In this diagram we have two sites connected by two links; an MPLS link defined and an IPsec route-
based site-to-site VPN.

By using SD-WAN policy routes and SD-WAN profiles, Sophos Firewall can switch between the
connections based on their availability and quality of service.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 13

 IPsec as a Backup Connection Using SD-WAN
1. Create gateways for the MPLS connection and IPsec route-based VPN

Let’s take a look at how you would configure this.

The first step is to create gateways for the MPLS connection and the IPsec route-based VPN. Health
checks should be enabled and correctly configured for these gateways.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 14

 IPsec as a Backup Connection Using SD-WAN
2. Configure an SD-WAN profile for the gateways

Create an SD-WAN profile for the gateways. Select the gateways with the preferred gateway at the
top of the list.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 15

 IPsec as a Backup Connection Using SD-WAN
2. Configure an SD-WAN profile for the gateways

Configure the quality of service settings for the gateway. This can be determined automatically
based on latency, jitter, and packet loss, or you can configure custom settings using a mix of all
three.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 16

 IPsec as a Backup Connection Using SD-WAN
2. Configure an SD-WAN profile for the gateways

Configure how Sophos Firewall should check the health of the connections; using PING or a TCP
connection to a target on the other side of the connection.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 17

 IPsec as a Backup Connection Using SD-WAN
3. Create an SD-WAN policy route that will route the traffic based on the SD-WAN profile

Finally, create an SD-WAN policy route that will match traffic destined for the other side of the
connection and that will route the traffic based on the current active gateway as determined by
the SD-WAN profile.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 18

 Route-Based VPN NATing

SNAT SNAT
172.20.77.0/24 -> 172.20.77.0/24 ->
172.20.81.0/24 172.20.82.0/24
Sophos Firewall A Sophos Firewall B

DNAT DNAT
172.20.81.0/24 -> 172.20.82.0/24 ->
172.20.77.0/24 172.20.77.0/24

Network 1 Network 2 Network 3 Network 4

172.16.16.0/24 172.20.77.0/24 192.168.16.0/24 172.20.77.0/24

One scenario you may encounter is where there are overlapping subnets on either side of the VPN.
This can happen during acquisitions and mergers.

Let’s look at an example. Here there are two identical subnets on each side of the route-based
VPN. For successful communication between these subnets, the Sophos Firewalls will have to
modify the traffic.

Sophos Firewall A will need to perform an SNAT on traffic coming from Network 2 that is going
over the VPN, so that Sophos Firewall B knows how to route the reply traffic.

To connect to a device in Network 2 from Network 3, you would need to use a subnet other than
172.20.77.0, otherwise Sophos Firewall B would not know to route it over the VPN.

In this example, Sophos Firewall A will DNAT requests to the 172.20.81.0 subnet to the 172.20.77.0
subnet.

Sophos Firewall B can do the same to manage traffic to and from Network 4. So, a total of four NAT
rules are required for this scenario.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 19

 Route-Based VPN NATing

When NATing for networks you must use IP range objects

Use one-to-one load balancing to DNAT the networks

Limit the scope of the NAT rules using the source and destination networks

Let’s look at what the configuration for this looks like on Sophos Firewall A.

As route-based VPNs use standard routing, you would need to configure NAT rules for the traffic
using the standard NAT rule table.

Here you can see the SNAT and DNAT rules required.

The first rule performs an SNAT for traffic coming from 172.20.77.0/24 and destined for Remote
Networks so that the source address is in the range 172.20.81.0/24.

The second rule performs a DNAT for traffic coming from Remote Networks to 172.20.81.0/24 so
that it maps back to the local 172.20.77.0/24 network.

When creating NATing for networks like this, you must use IP range objects, you cannot use
network objects.

When you are NATing to and from multiple sources to multiple destinations you can select the
one-to-one load balancing option.

To limit the scope of the NAT rules you can use the source and destination networks that are not
being NATed.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 20

 Policy-Based VPN NATing

Networks to present to
the VPN

Enable network NATing

NAT one or more local

networks to the VPN

The configuration for this scenario is different when you are using a policy-based VPN, as all the
configuration must be done in the VPN connection.

Here you can see what the configuration looks like on Sophos Firewall A. In the local and remote
subnets, you enter the NATed networks that will be used, these are what is presented to the VPN.

Enable the NAT option for the VPN.

For each for the networks that you present to the VPN you can select to NAT it to the real local
subnet.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 21

 IPsec VPN Failover
• Automatic backup connection for VPN traffic
• VPN connection needs to be re-established when one of the two WAN connections drops
Advantages:
• Lessens possibility of single point of failure
• Minimizes dependence on manual intervention to establish new connection
• Reduces failover time of VPN connection with redundant VPN tunnels and VPN monitoring
WAN link 1 WAN link 1

WAN link 2

London Office New York Office

VPN connection failover is a feature that enables you to provide an automatic backup connection
for VPN traffic, enabling ‘always on’ VPN connectivity for IPsec connections.

With VPN auto-failover configured, a VPN connection can be re-established when one of the two
WAN connections drops. A failover latency of a few seconds can be achieved by constantly
monitoring the link and instantaneously switching over in the event of a failure.

The advantages of using VPN failover are that:

• It reduces the possibility of a single point of failure by utilizing multiple WAN links
• It reduces downtime in the event of a failure by removing the need for manual intervention to
establish new connections
• It reduces the failover time of a VPN connection with redundant VPN tunnels and VPN
monitoring
• The firewall implements failover using a VPN connection group. A VPN group is a set of VPN
tunnel configurations. The Phase 1 and Phase 2 security parameters for each connection in a
group can be different or identical, except for the IP address of the remote gateway. The order
of connections in the group defines the fail-over priority of the connection
• When the primary connection fails, the subsequent active connection in the group takes over
without manual intervention and keeps traffic moving. The entire process is transparent to users

In this example the London office has two WAN links, and the New York office has one WAN link. A
failover group can be created with two VPN connections:

A primary connection between the New York office and WAN link 1 in London and a failover
connection between the New York office and WAN link 2 in London.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 22

For route-based VPNs, you can also use SD-WAN profiles and SD-WAN policy routes
to achieve this with the added benefit of being able to define quality settings for the
links.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 22

 Failover Groups

To create a VPN failover group, you need at least two IPsec connections that are configured to
initiate the connection. Select the connections you want to include in the failover group, then
configure the test conditions for when to failover the VPN. The checks can be either PING or TCP to
a specified port.

The Sophos Firewall can be configured to automatically failback to the original VPN connection
when it can be restored. You may want to do this if the secondary VPN is on a more expensive or
slower link.

Optionally, the Sophos Firewall can send a notification email when the VPN fails over.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 23

 IPsec Failover with Multiple WAN Links
• Use multiple links on each side for additional failover connections

WAN link 1 WAN link 1

WAN link 2 WAN link 2

London Office New York Office

If both sites have multiple WAN links, then you can add additional connections to the failover
group on each side of the IPsec VPN connection. This would allow for a complete failover solution
in case each side has lost an Internet connection.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 24

 Chapter Review

Route-based VPNs support routing using static routes, SD-WAN policy routes, and
dynamic routing. You can use SD-WAN profiles and SD-WAN policy routes with route-
based VPNs to select the best link for traffic

Where you have overlapping subnets on either side of the tunnel you need to use
NATing. For route-based VPNs you can create SNAT and DNAT rules using the normal
method. For policy-based VPNs you need to configure the NATing in the connection

You can create failover groups for IPsec VPNs. It would be more common to use these
with policy-based VPNs as you can use SD-WAN policy routes to manage connections for
route-based VPNs

Here are the three main things you learned in this chapter.

Route-based VPNs support routing using static routes, SD-WAN policy routes, and dynamic routing.
You can use SD-WAN profiles and SD-WAN policy routes with route-based VPNs to select the best
link for traffic.

Where you have overlapping subnets on either side of the tunnel you need to use NATing. For
route-based VPNs you can create SNAT and DNAT rules using the normal method. For policy-based
VPNs you need to configure the NATing in the connection.

You can create failover groups for IPsec VPNs. It would be more common to use these with policy-
based VPNs as you can use SD-WAN policy routes to manage connections for route-based VPNs.

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 31

Advanced IPsec Site-to-Site Configuration on Sophos Firewall - 32
 Getting Started with Remote
Ethernet Devices on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3035: Getting Started with Remote Ethernet Devices on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 1

 Getting Started with Remote Ethernet Devices on Sophos
Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to deploy a Remote Ethernet ✓ Sophos Firewall zones and interfaces
Device on Sophos Firewall. ✓ Protocols used for VPN access

DURATION

9 minutes

In this chapter you will learn how to deploy a Remote Ethernet Device on Sophos Firewall.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 2

 RED Overview
• Plug and play branch office connectivity
• No technical expertise required onsite
• Creates a layer-2 tunnel to Sophos Firewall

RED
Layer-2 Tunnel

Router TCP:3400
DHCP & DNS UDP:3410 Sophos Firewall
Server

Sophos Remote Ethernet Devices or RED provide a simple way to connect remote sites to a central
network securely, by creating a layer-2 tunnel. Installing the RED device on-site requires no
configuration or technical expertise. RED connections use a small hardware RED device at the
remote location and all configuration for that device is done locally at the Sophos Firewall.

At the remote location, the RED requires:

• A power connection
• A network connection
• A DHCP server to provide an IP address, DNS server and default gateway
• And ports 3400 TCP and 3410 UDP open on the firewall

Getting Started with Remote Ethernet Devices on Sophos Firewall - 3

 RED Deployment
RED Provisioning Service:
red.astaro.com
1. Configure RED device

Head Office
RED
7. Establish Layer-2 Tunnel
4. Receive Router
local IP Sophos Firewall
(DHCP)

3. Deploy RED device

Let’s look at how you deploy a RED.

You configure the RED on the Sophos Firewall. You need to provide the publicly resolvable
hostname the RED will connect to and the IP address and netmask of the RED interface that will be
created on the Sophos Firewall. You also enter the 15-character RED ID that is printed on a sticker
on the base of the RED. This is used to tie the configuration to the device.

The Sophos Firewall then sends the configuration to the cloud-based provisioning server.

Next, the RED is plugged in at the remote office and gets an IP address, DNS server and gateway
from the local DHCP server.

The RED connects to the provisioning server with its ID, and the provisioning server sends back the
configuration that the RED needs to connect to the Sophos Firewall at the central office. The
provisioning server is no longer used from this point forward.

Finally, the RED establishes a layer-2 tunnel to the Sophos Firewall using TCP port 3400 and UDP
port 3410.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 4

 RED Deployment Modes
Standard/Unified Standard/Split Transparent/Split

Default GW Default GW Default GW

DHCP Server DHCP Server DHCP Server DHCP Client

Traffic routed over RED tunnel

Traffic routed directly to the Internet

REDs can be deployed in three modes.

In Standard/Unified mode the remote network is managed by the Sophos Firewall, which serves
as the DHCP server and default gateway for all clients connecting through the RED. All traffic
generated on the remote network is sent through the RED to Sophos Firewall.

In Standard/Split mode the Sophos Firewall still manages the remote network, acting as the DHCP
server and default gateway. However, in this configuration only traffic to defined networks is sent
through the RED to Sophos Firewall, and all other traffic is sent directly to the Internet.

In Transparent/Split mode the Sophos Firewall doesn’t manage the remote network but is a
member of it. The Firewall gets its IP address from a DHCP server running on the remote network.
Only traffic to defined networks is sent through the RED to Sophos Firewall, and all other traffic is
sent directly to the Internet. As this mode of deployment does not require any re-addressing it is
an easy way to connect networks following an acquisition or similar.

In the case of Standard/Split and Transparent/Split deployment modes, the Sophos Firewall does
not provide any web filtering or other security to clients on the remote network.

Please note that you still need to create firewall rules for the computers connected to the remote
network to be able to interact with computers on the central office network.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 5

 Configuring RED in Different Deployment Modes

Standard/Unified Standard/Split Transparent/Split

Zone for the RED interface on the Sophos Firewall 
IP address for the RED interface on the Sophos Firewall Static Static DHCP
DHCP server for the remote network Optional Optional No
Split networks (Networks that are accessed through the  
RED from the remote site)
Split DNS server (DNS server for the split networks) 
Split domains (Domains that are accessed through the 
RED from the remote site)
MAC address filtering Optional
Tunnel compression Optional

The configuration required when deploying REDs in the different modes is slightly different and is
summarised in this table.

Both standard modes have similar configuration; you set IP address for the RED interface on
Sophos Firewall statically and can optionally provide DHCP for the remote side of the tunnel.
Where it differs is that for standard/split, you need to define for which networks traffic will be
routed over the RED tunnel, with all other traffic being routed onto the local Internet gateway.

The transparent mode is most different. In this case the RED interface on Sophos Firewall will get
its IP address settings from a DHCP on the remote side of the tunnel. As the Sophos Firewall is not
the default gateway for the network you need to supply more split settings. In addition to the split
networks, you configure a DNS server for those networks, and the split domains.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 6

 Simulation: Deploy a RED on Sophos Firewall

In this simulation you will deploy a

Remote Ethernet Device (RED) on
Sophos Firewall in standard/split
mode.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/DeployRED/1/start.html

In this simulation you will deploy a Remote Ethernet Device (RED) on Sophos Firewall in
standard/split mode.

Getting Started with Firewall and NT Rules on Sophos Firewall - 7

 Additional information in
SD-RED Models the notes

SD-RED 20 and SD-RED 60

There are two RED models, SD-RED 20 and SD-RED 60.

The SD-RED hardware provides the option for dual power supplies for redundancy, and an
expansion slot that can be used to add WiFi or 4G.

[Additional Information]
https://community.sophos.com/xg-firewall/f/recommended-reads/119318/substituting-xg-for-red-
devices-via-light-touch-deployment-from-sophos-central

Getting Started with Remote Ethernet Devices on Sophos Firewall - 8

 Additional information in
SD-RED Models the notes

SD-RED 20 SD-RED 60
PERFORMANCE
Maximum Throughput 250 Mbps 850 Mbps
CONNECTIVITY
LAN Interfaces 4 x 10/100/1000 Base-TX (1 GbE Copper)
WAN Interfaces 1 x 10/100/1000 Base-TX (shared 2 x 10/100/1000 Base-TX
with SFP) (WAN1 shared port with SFP)
SPF Interfaces 1x SFP Fiber (shared port with 1x SFP Fiber (shared port with
WAN) WAN1)
PoE Ports None 2 PoE Ports (total power 30W)
MODULARITY
Expansion Bays 1 (for use with optional Wi-Fi OR 4G/LTE Card)
REDUNDANCY
Swappable Components Optional 2nd power supply

Here you can see a table comparing the SD-RED 20 and 60.

The number of users that can be used with the RED models is unlimited, and the model selected is
driven by the maximum throughput and other features.

The SD-RED 20 is designed for smaller sites with a maximum throughput of 250 Mbps, while the
SD-RED 60 is ideal for larger sites reaching a throughput of up to 850 Mbps.

Both models have gigabit connections on both the internal and external interfaces and have
support for SFP fiber.

The SD-RED 60 adds dual WAN ports, as well as two power over ethernet ports and can supply a
total of up to 30 watts of power.

[Additional Information]
Datasheet: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-sd-red-ds.pdf

Optional Wi-Fi Module: 802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5) dual-band capable 2x2 MIMO 2
antennas

Optional 3G/4G LTE Module: MC7430/MC7455 Sierra Wireless Card

Getting Started with Remote Ethernet Devices on Sophos Firewall - 9

 Discontinued Supported RED Models

RED 15 RED 15 W RED 50

Maximum users Unrestricted Unrestricted Unrestricted

Maximum throughput 90 Mbit/s 90 Mbit/s 360 Mbit/s
LAN ports 4 x Gbit 4 x Gbit 4 X Gbit
WAN ports 1 x Gbit 1 X Gbit 2 x Gbit
USB ports 1 1 2
Hardware accelerated encryption ✓
Configure VLANs on LAN ports ✓
Data compression ✓ ✓ ✓
Built-in wireless access point ✓

There are three discontinued models of RED that are still supported, starting with the RED 15,
which is suitable for small sites. All three RED models feature gigabit connections and at least one
USB port that can be used to provide backup connectivity using UMTS.

The RED 15w has all the features of the RED 15 and includes a built-in wireless access point.

The RED 50, which is designed for larger sites and includes advanced features including:
• Two external ports that can be configured for load balancing or failover
• The ability to configure the internal ports in either switch mode or for VLANs
• And two USB ports

Getting Started with Remote Ethernet Devices on Sophos Firewall - 10

 Chapter Review

RED requires DHCP, DNS, ports TCP 3400 and UDP 3410

RED can be deployed in three modes; standard/unified, standard/split, and

transparent/split. Each deployment mode requires slightly different configuration

There are two RED models; SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or
4G module using the expansion bay

Here are the three main things you learned in this chapter.

RED requires DHCP, DNS, ports TCP 3400 and UDP 3410.

RED can be deployed in three modes; standard/unified, standard/split, and transparent/split. Each
deployment mode requires slightly different configuration.

There are two RED models; SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G
module using the expansion bay.

Getting Started with Remote Ethernet Devices on Sophos Firewall - 15

Getting Started with Remote Ethernet Devices on Sophos Firewall - 16
 Introducing Authentication on
Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]
Sophos Firewall
FW3505: Introducing Authentication on Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Introducing Authentication on Sophos Firewall - 1

 Introducing Authentication on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
authentication provides granular ✓ Navigating and Managing the Sophos Firewall using
controls to many of Sophos the WebAdmin
Firewall’s functions and can be
performed locally or using an
external server.

DURATION

7 minutes

In this chapter you will learn how authentication provides granular controls to many of Sophos
Firewall’s functions and can be performed locally or using an external server.

Introducing Authentication on Sophos Firewall - 2

 Authentication Overview

Network Web
Access Filtering

Application
Routing
Control

Leveraging the Sophos Firewall’s authentication capabilities provides the opportunity to control
access to network resources, filter websites, route traffic, control applications and more.

You can also get detailed reporting on user activity and identify high-risk users.

Introducing Authentication on Sophos Firewall - 3

 Local Authentication

Users can be created manually or imported using a CSV file

Choose between user and administrator

Users inherit policies from groups they are assigned to

Best suited to small organizations

Authentication can be done locally on the Sophos Firewall, although it is more commonly
configured to use external authentication sources.

You can add users to the Sophos Firewall manually or import via a CSV, and these can be either
users or administrators. The difference is that administrators have a profile associated to them that
controls their administrative access to the Sophos Firewall.

Users can be manually assigned to a group and will inherit policy settings that can be overridden
per-user.

Local authentication is best suited to smaller organizations that do not have an existing directory
service in place, or when guest users need access in authentication-enabled networks.

Introducing Authentication on Sophos Firewall - 4

 Authentication Servers

Supported authentication servers

• Active Directory
• eDirectory
• OpenLDAP
• RADIUS
• Apple Directory
• TACACS+ • Other standard LDAP directories
• LDAP/S
• Azure AD SSO (admin web console only)

Sophos Firewall can also be configured to authenticate with external servers such as:
• Active Directory
• Novell eDirectory
• RADIUS Server
• TACACS+
• LDAP / LDAPS

Using LDAP or LDAPS, Sophos Firewall can authenticate using OpenLDAP, Apple Directory or any
other standard LDAP directory.

Sophos Firewall can be configured to authenticate administrators to the web console using Azure
AD SSO. You cannot currently use this to authenticate users with the firewall.

Introducing Authentication on Sophos Firewall - 5

 Additional information in
Authentication Servers the notes

External
authentication server

SOPHOS FIREWALL AZURE AD DIRECTORY SERVICES

If you want to authenticate users with Sophos Firewall using Azure Active Directory as an external
Active Directory authentication server, you need to use the Azure AD Directory Services
functionality. You can find a guide on setting this up in the Sophos Community pages
recommended reads.

Note that Azure AD Directory Services is an additional charged service and is not included with
Azure AD.

[Additional Information]

Guide
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125872/sophos-xg-
firewall-integrate-xg-firewall-with-azure-ad

Azure AD Domain Services

https://azure.microsoft.com/en-gb/pricing/details/active-directory-ds/

Introducing Authentication on Sophos Firewall - 6

 Where can Authentication be Used?
Firewall Rules
Enable ‘Match known users’ to
control network access based on
TLS Decryption Rules user identity

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal Enable ‘Exclude this user activity

from data accounting’ if this traffic
WebAdmin should not count towards quotas

Within firewall rules you can enable the option to ‘Match known users’, and you can select the
users and groups that you want to match on. This makes the firewall rule a user rule instead of a
network rule.

If the Sophos Firewall is unable to match the user’s identity you can choose to enable the web
authentication, which can then further fall back to displaying the captive portal.

If the firewall rule is for business applications, such as Office 365, you can choose to exclude the
traffic from data accounting, which means that it will not count towards any quotas you have
configured.

Introducing Authentication on Sophos Firewall - 8

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules Select users and groups as part of the

source matching in TLS decryption rules
SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal

WebAdmin

TLS decryption rules can be matched on user identity. This allows you to customize decryption per-
user or group, allowing you to set specific decryption rules and standards for a department, for
example finance.

Introducing Authentication on Sophos Firewall - 9

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal

WebAdmin

SD-WAN policy routes allow you to select traffic based on various properties, including users and
groups, to determine which gateway it should be routed to.

Introducing Authentication on Sophos Firewall - 10

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

Remote Access VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal
Select the users and groups that can
WebAdmin connect to the VPN

Remote access VPNs allow you to control who can connect to and login to the network. First the
authentication source needs to be selected in the authentication services, and the users and
groups need to be selected in the VPN configuration.

Introducing Authentication on Sophos Firewall - 11

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules Apply web filtering rules to users and groups

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal

WebAdmin

Within web policies you can create rules that apply to specific users and groups. This allows you to
build a single policy of rules that you can then apply to web traffic.

Introducing Authentication on Sophos Firewall - 12

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks

Web Server Authentication

User Portal

WebAdmin

Wireless protection on Sophos Firewall supports WPA and WPA2 Enterprise security that can use a
RADIUS authentication server to control access to wireless networks.

Introducing Authentication on Sophos Firewall - 13

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks
Protect access to web resources
Web Server Authentication with user authentication

User Portal

WebAdmin

You can protect access to web servers by forcing users to authenticate before the connection even
reaches the destination server. This means that attackers cannot try to exploit the web server as
they don’t have access to it.

Introducing Authentication on Sophos Firewall - 14

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

VPNs

Web Policies Download authentication client and SPX plug-in

Wireless Networks Download VPN clients and configuration

Web Server Authentication

Manage email quarantine
User Portal
Review Internet usage
WebAdmin

The user portal allows users to manage their own quarantine, password and Internet usage, as well
as download VPN and authentication clients.

The User Portal is accessed using HTTPS to the IP address of the firewall. By default, the user portal
is only available to clients connecting from the LAN zone, but it can also be enabled for other
zones. Please note that the port for the user portal can be changed in SYSTEM > Administration >
Admin settings.

Introducing Authentication on Sophos Firewall - 15

 Where can Authentication be Used?
Firewall Rules

TLS Decryption Rules

SD-WAN Policy Routes

VPNs

Web Policies

Wireless Networks
Allow users to login and manage
the Sophos Firewall
Web Server Authentication

User Portal

WebAdmin

Users can be configured as either a user or administrator. If they are an administrator, then they
can login to the WebAdmin and manage the Sophos Firewall based on the profile that is applied to
their account.

Introducing Authentication on Sophos Firewall - 16

 Chapter Review

Sophos Firewall’s authentication capabilities provide the opportunity to control access

to network resources, filter websites, route traffic, control applications and more. You
can also get detailed reporting on user activity and identify high-risk users

Authentication can be done locally on the Sophos Firewall or more commonly

configured to use external servers such as Active Directory, Novell eDirectory, RADIUS
Server, TACACS+, LDAP / LDAPS

You can add users to the Sophos Firewall manually or import via a CSV, and these can be
either users or administrators

Here are the three main things you learned in this chapter.

Sophos Firewall’s authentication capabilities provide the opportunity to control access to network
resources, filter websites, route traffic, control applications and more. You can also get detailed
reporting on user activity and identify high-risk users

Authentication can be done locally on the Sophos Firewall or more commonly configured to use
external servers.

You can add users to the Sophos Firewall manually or import via a CSV, and these can be either
users or administrators.

Introducing Authentication on Sophos Firewall - 21

Introducing Authentication on Sophos Firewall - 22
 Configuring Authentication
Servers and Services on
Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3510: Configuring Authentication Servers and Services on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring Authentication Servers and Services on Sophos Firewall - 1

 Configuring Authentication Servers and Services
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
external authentication servers ✓ Authentication methods that are supported by
can be added in Sophos Firewall Sophos Firewall
and configured for service ✓ How authentication can be used to provide
granular controls to Sophos Firewall’s functions
authentication.

DURATION

16 minutes

When you have completed this chapter, you will know how external authentication servers can be
added in Sophos Firewall and configured for service authentication.

Configuring Authentication Servers and Services on Sophos Firewall - 2

 Authentication Servers

Sophos Firewall can be configured to authenticate using external servers. This is beneficial if the
organization already has a directory service in place. This will allow an organization to leverage the
user information they already have. Sophos Firewall supports directory services such as:
• Active Directory
• Novell eDirectory
• RADIUS Server
• TACACS+
• and LDAP / LDAPS

Configuring Authentication Servers and Services on Sophos Firewall - 3

 Additional information in
Add a Server the notes

Go to CONFIGURE > Authentication > Servers and click Add

Enter a name

Select a server type and specify settings

• LDAP server
• Active Directory server
• RADIUS server
• TACACS+ server
• eDirectory server

Click Test connection to validate credentials and check the connection

To add an authentication server, navigate to CONFIGURE > Authentication > Servers and click Add.

• Enter a name.
• Select a server type and specify the settings.
• Click Test connection to validate the user credentials and check the connection to the server.

Use the link in the student notes to find out more about authentication servers and how to add
them. We will look at two examples in this chapter.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-
us/webhelp/onlinehelp/AdministratorHelp/Authentication/Servers/index.html

Configuring Authentication Servers and Services on Sophos Firewall - 4

 Active Directory Server

One or more search

queries are required

To use Synchronized User Identity, an Active Directory authentication server must be configured on
the Sophos Firewall, so we will use adding an Active Directory server as our first example.

In addition to the settings that configure the connectivity to the server, one or more search queries
are required to define where the users are located.

Once configured, the firewall can use the server to query user and resource information on the
Windows domain network.

Configuring Authentication Servers and Services on Sophos Firewall - 5

 Active Directory Server

The Test Connection button will allow the firewall to perform a sample query against the AD
server. In this example, test connection shows that there is connectivity with the AD server.

Configuring Authentication Servers and Services on Sophos Firewall - 6

 Group Import from Active Directory

When using Active Directory as an authentication server, users will be created on Sophos Firewall
and assigned to a group when they first successfully login.

To use Active Directory groups, use the import wizard before the user's login and they will be
assigned to their associated Active Directory group.

Please note that Sophos Firewall groups cannot be nested.

Configuring Authentication Servers and Services on Sophos Firewall - 7

 Import Group Wizard

Base DN for the import

Select the Base DN from which groups will be imported. The Base DN is the starting point for the
search in the Active Directory domain. The list is populated from the ‘Search Queries’ configured
for the server.

Configuring Authentication Servers and Services on Sophos Firewall - 8

 Import Group Wizard

Select the groups to

import

The organizational units below SOPHOS.LOCAL are listed. One or more OUs can be selected and
the groups they contain will be shown in the selected groups pane.

Configuring Authentication Servers and Services on Sophos Firewall - 9

 Import Group Wizard

Select policies to attach

to the groups

Common policies, such as ‘Surfing quota’ and ‘Access time’ can be selected and attached to the
groups.

Configuring Authentication Servers and Services on Sophos Firewall - 10

 Imported Groups

On completion of the wizard the imported groups are now shown in Sophos Firewall.

When a user logs in they will be automatically added to the firewall group that matches their
Active Directory group.

Please note that if a user is a member of multiple groups, they will be added to the first one they
match on Sophos Firewall.

The groups can be reordered as required.

Configuring Authentication Servers and Services on Sophos Firewall - 11

 Authentication services are configured in:
Service Authentication CONFIGURE > Authentication > Services

By default, authentication for Services is Local. Once authentication servers have been added these
can be enabled for:
• Firewall
• User portal
• VPN
• Administrator
• and SSL VPN

In the example, an Active Directory server named DC has been added for Firewall authentication.

Configuring Authentication Servers and Services on Sophos Firewall - 12

 Service Authentication

Enabled authentication servers are processed from top to bottom and can be reordered by
dragging and dropping the servers in the list. In the example, the Active Directory server is now the
primary authentication method.

To simplify the configuration for services, you can optionally choose to set it to be the same as the
firewall authentication so that it will mirror those settings and any changes you make to it.

Configuring Authentication Servers and Services on Sophos Firewall - 13

 Simulation: Add an Active Directory Authentication Server

In this simulation you add an Active

Directory authentication server to
Sophos Firewall and import groups.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/AddAdServer/1/start.html

In this simulation you add an Active Directory authentication server to Sophos Firewall and import
groups.

[Additional Information]

https://training.sophos.com/fw/simulation/AddAdServer/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 14

 RADIUS Authentication Server

For our second example we will look at RADIUS (Remote Authentication Dial In User Service). This
is a protocol that allows network devices, such as routers to authenticate users against a database
and it is used with Sophos Firewall wireless protection. Passwords are encrypted using the RADIUS
shared secret.

RADIUS also supports accounting, which is commonly used for billing and statistical purposes.

Configuring Authentication Servers and Services on Sophos Firewall - 15

 RADIUS Accounting

Real-time data collection

Data can be collected and stored at a central location

3rd party products can be used to analyze accounting data

RADIUS accounting can be configured on the Sophos Firewall so that it can send accounting start
and stop messages to a RADIUS server. This allows the radius server to track network usage for
auditing and billing purposes. There are three main advantages to radius authentication:

• Real-time data collection

• Accounting data can be collected and stored at a central location
• Third-party products can be used to analyze RADIUS accounting data to provide charge-back,
performance, and exception reports

Configuring Authentication Servers and Services on Sophos Firewall - 16

 RADIUS Accounting
User signs into the
domain

Sophos Firewall

Internet
Computer User performs a log off
10.1.1.1 operation
The Sophos Firewall
sends an Accounting
The Sophos Firewall Stop Request
sends an Accounting
Start Request
Domain Controller RADIUS Server

Let's look at how radius accounting works.

When a user logs into the network and communicates with the Sophos Firewall, the firewall sends
an accounting start request packet to a configured RADIUS server along with the user's login time.
The RADIUS server will then begin collecting accounting information for that user.

When the user logs out from the domain, the Sophos Firewall will send an accounting stop request
along with the user's logout time. At this point, the RADIUS server stops recording accounting
information for that user. If the Sophos Firewall reboots or is shut down, the accounting stop
message is not sent.

Clients that are supported for RADIUS accounting are: Windows client, HTTP client, Linux client,
Android, iOS, iOS HTTP client, Android HTTP client, API client.

RADIUS accounting can be very useful when working with third party wireless controllers, as it
provides a mechanism for logged on user’s details to be passed to the Sophos Firewall, allowing
single sign-on and accurate reporting.

Configuring Authentication Servers and Services on Sophos Firewall - 17

 Configuration

Select Radius server type

Name for server
IP address of server
Communication port

Enable Radius accounting

Radius accounting port

Shared secret group name

To configure RADIUS with accounting, first configure the external RADIUS server in the Sophos
Firewall by selecting RADIUS as the server type, giving the server a name and entering the IP
address to contact the server and the port that will be used to communicate with the RADIUS
server for authentication requests. Also, a shared secret to secure the authentication requests and
the group name attribute must be entered. These steps will configure a basic RADIUS server.

To enable RADIUS accounting, first select the Enable Accounting checkbox.

Enter the port that corresponds with the accounting port selected on the RADIUS server.

The RADIUS server should then be added to the Authentication server list for the required services.

Configuring Authentication Servers and Services on Sophos Firewall - 18

 Additional information in
Secure LDAP (LDAPS) the notes

SSL/TLS over port 636

STARTTLS over port 389

As well as Active Directory, Sophos Firewall also supports native LDAP servers for authentication.

Traditional LDAP works on plain text. With Secure LDAP (also known as LDAPS), the communication
can be encrypted via two techniques:
• SSL/TLS over port 636
• STARTTLS which works over the standard LDAP port of 389

[Additional Information]

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-
us/webhelp/onlinehelp/AdministratorHelp/Authentication/HowToArticles/AuthenticationConfigur
eLDAP/index.html

Configuring Authentication Servers and Services on Sophos Firewall - 19

 Secure LDAP
CONFIGURE > Authentication > Servers > Add

STARTTLS SSL/TLS
• Attempts to negotiate an encrypted connection • Enforces an encrypted connection
• Falls back to plain text using the plaintext port

STARTTLS uses the plaintext port and will attempt to negotiate an encrypted connection. If this
fails, then it will fall back to using plain text.

SSL/TLS enforces the use of an encrypted connection.

Configuring Authentication Servers and Services on Sophos Firewall - 20

 Secure LDAP (LDAPS) Requirements

A client certificate is used to establish a secure connection.

This shows an example of a certificate that has been issued to Sophos Firewall by the
organization's Active Directory CA. A requirement of the certificate is that the Enhanced Key Usage
extension needs to include the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also
known as OID).

Configuring Authentication Servers and Services on Sophos Firewall - 21

 Public Key

Secure LDAP: Method One Private Key

Certificate signed by enterprise CA Import certificate and CA cert on Sophos Firewall

SF-CSR CA Server CA-CERT

1. Certificate Request

2. Import CA-CERT and SF-CERT

SF-CERT
Sophos
Firewall
4. Secure Communication LDAP Server CA-CERT

3. Select SF-CERT as the client certificate for the secure LDAP server
LDAP-CERT

There are two methods that can be used to configure secure LDAP. The first is to sign a certificate
for the Sophos Firewall using your trusted enterprise CA.

To obtain a certificate signed by the enterprise CA:

1. Create a certificate signing request (SF-CSR) on the Sophos Firewall and request a certificate
from the enterprise CA.
2. Import the CA certificate and SF-CERT server certificate on the Sophos Firewall from the
enterprise CA.
3. Select the SF-CERT certificate as the client certificate for the secure LDAP server.
4. The Sophos Firewall and LDAP server can now communicate securely.

This works because the LDAP server already trusts the enterprise CA server that has signed the
certificate for the Sophos Firewall.

By importing the CA certificate on the Sophos Firewall, it can also validate and trust the certificate
used by the LDAP server.

Configuring Authentication Servers and Services on Sophos Firewall - 22

 Certificates > Add > Generate certificate
Create a CSR signing request (CSR)

This shows an example of a certificate signing request created on Sophos Firewall.

Configuring Authentication Servers and Services on Sophos Firewall - 23

 Additional information in
Download or Copy the CSR the notes

Certificate
type CSR

The CSR can be downloaded as a file or copied to the clipboard and then sent to the CA.

[Additional Information]

If you are using a Microsoft CA, you cannot sign a certificate without a template. The links below
provides guidance if you see an error stating that the request contains no certificate template
information.

https://www.vxav.fr/2020-02-18-how-to-sign-a-certificate-with-no-template-information-on-a-
microsoft-ca/

Configuring Authentication Servers and Services on Sophos Firewall - 24

 Public Key

Secure LDAP: Method Two Private Key

Import CA cert on Sophos Firewall

Certificate signed by Sophos Firewall
Import Sophos Firewall CA cert on LDAP server

1. Generate a certificate CA Server CA-CERT

2. Import CA-CERT

Sophos
Firewall
SF-CA-CERT SF-CERT 3. Import SF-CA-CERT LDAP Server

5. Secure Communication
CA-CERT LDAP-CERT
4. Select SF-CA-CERT as the client certificate for the secure LDAP server

The second method that can be used to configure secure LDAP is a certificate signed by the Sophos
Firewall’s internal CA.

1. Create a certificate on the Sophos Firewall signed by the internal CA.

2. Import the CA certificate from the enterprise CA into the Sophos Firewall.
3. Import the certificate of the Sophos Firewall internal CA into the LDAP server.
4. Select the certificate created in the first step as the client certificate for the LDAP server on
Sophos Firewall.
5. The Sophos Firewall and LDAP server can now communicate securely.

This works because the LDAP server now has the CA certificate of the Sophos Firewall to validate
the certificate.

By importing the CA certificate on the Sophos Firewall, it can also validate and trust the certificate
used by the LDAP server.

Configuring Authentication Servers and Services on Sophos Firewall - 25

 Secure LDAP

Validate server
certificate

Client certificate

In the example, the LDAP server has been configured with a client certificate. You can also choose
whether the Sophos Firewall will validate the LDAP server's certificate. If you have imported the CA
certificate as recommended in both approaches described, then this should succeed if selected.

Configuring Authentication Servers and Services on Sophos Firewall - 26

 Chapter Review

Sophos Firewall can be configured to authenticate using external servers. To use

Synchronized User Identity an Active Directory authentication server must be
configured

Groups can be imported from Active Directory. When a user logs in they will be
automatically added to the firewall group that matches their Active Directory group

By default, authentication for Services is Local. Once authentication servers have been
added these can be enabled for services such as Firewall and User portal

Here are the three main things you learned in this chapter.

Sophos Firewall can be configured to authenticate using external servers. To use Synchronized User
Identity an Active Directory authentication server must be configured.

Groups can be imported from Active Directory. When a user logs in they will be automatically
added to the firewall group that matches their Active Directory group.

By default, authentication for Services is Local. Once authentication servers have been added these
can be enabled for services such as Firewall and User portal.

Configuring Authentication Servers and Services on Sophos Firewall - 31

Configuring Authentication Servers and Services on Sophos Firewall - 32
 Configuring Azure AD SSO on
Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]
Sophos Firewall
FW3511: Configuring Azure AD SSO on Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring Azure AD SSO on Sophos Firewall - 1

 Configuring Azure AD SSO on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to configure Azure AD SSO to ✓ Add authentication servers and select them to
authenticate administrators on authenticate users for firewall services
Sophos Firewall. ✓ Administering Azure AD

DURATION

10 minutes

In this chapter you will learn how to configure Azure AD SSO to authenticate administrators on
Sophos Firewall.

Configuring Azure AD SSO on Sophos Firewall - 2

 Azure AD SSO for Web Console Login

Sophos Firewall Azure AD

Single username and password for administrators

Dynamically manage administrators using roles and groups
Uses Open ID Connect and Oauth 2.0
Works with Azure AD free tier

Sophos Firewall allows you to configure Azure AD single sign-on for administrators to login to the
web console.

Using Azure AD for the administrator login, allows administrators to have a single username and
password for all the systems they need to access, and provides a single place where you can
manage administrator’s access.

The Azure AD capabilities utilized for this integration are part of the free tier of Azure AD, and our
implementation takes advantage of Open ID Connect and OAuth 2.0 for optimal security.

Configuring Azure AD SSO on Sophos Firewall - 3

 Configuration Process

Create a new client Add API permissions

Create an app Add an app role to
secret in the app to the app
registration in Azure the app registration
registration registration

Select the
authentication server
Add a redirect URI to Add an Azure AD SSO
as an authentication Assign users to the
the app registration authentication server
source for app role
on Azure on Sophos Firewall
administrators on
Sophos Firewall

The configuration process can be broken down in to eight steps, most of which are completed in
Azure.
• Start by creating an app registration in Azure, this will provide the basis for Sophos Firewall to
communicate with Azure
• In the App registration, create a client secret that Sophos Firewall will use to authenticate
• Add an app role to the app registration, this will be used to manage access
• Add API permissions to the app registration, these are the permissions required for Sophos
Firewall to authenticate the users
• Assign users to the app role
• On Sophos Firewall, add an Azure AD SSO authentication server
• Select the Azure AD SSO authentication service as an authentication source for administrators
• Add a redirect URI to the app registration on Azure so that users are redirected back to Sophos
Firewall once they have authenticated

Configuring Azure AD SSO on Sophos Firewall - 4

 Create an App Registration on Azure

Let’s look at each of these steps in a little more detail.

The configuration is done in Azure AD, and you start by creating a new app registration. Give the
app registration a name and select the redirect URI type as ‘Web’. You will add the redirect URI
later.

Configuring Azure AD SSO on Sophos Firewall - 5

 Create a New Client Secret for the App Registration

Once you navigate away from this

page you can no longer copy the
secret!

So the Sophos Firewall can authenticate you will need to create a new client secret. When you
create the secret you can only copy the value once. As soon as you navigate away from the page
you lose the ability to copy it.

When you create the client secret you can choose how long it is valid for. We would recommend
rotating the secret periodically for security.

Configuring Azure AD SSO on Sophos Firewall - 6

 Add an App Role to the App Registration

Create an app role in the app registration. This role will be used to assign a role on Sophos Firewall.
You can create multiple roles that will determine the role the administrator logging in will get on
Sophos Firewall.

You can only assign one role to a user.

Configuring Azure AD SSO on Sophos Firewall - 7

 Add API Permissions to the App Registration

You will need to add permissions to the app registration so that Sophos Firewall can retrieve the
information required as part of the login process.

In addition to the default User.Read permission, add User.Read.All and Group.Read.All Microsoft
Graph permissions as Delegated permissions.

Once you have added the permissions, use the Grant admin consent button. If you do not do this
step then administrators will have an additional step to grant the permissions when logging in.

Configuring Azure AD SSO on Sophos Firewall - 8

 Assign Users to the App Role

Assign administrators to the app role so they are assigned the correct permissions when they
authenticate.

Configuring Azure AD SSO on Sophos Firewall - 9

 Add an Azure AD SSO Authentication Server on Sophos
Firewall

App Registration

The next step is to configure Sophos Firewall.

You need to add an Azure AD SSO authentication server and configure it with the details from the
app registration you created in Azure.

You will need to enter the ‘Application (client) ID’ and ‘Directory (tenant) ID’ from the Overview
page of the app registration.

You also need to enter the client secret you created.

On this page you will find the ‘Web admin console URL’, which will need to be added as the
redirect URI in Azure.

Configuring Azure AD SSO on Sophos Firewall - 10

 Add an Azure AD SSO Authentication Server on Sophos
Firewall

Further down the page you select the fallback user group. This is the group that will be assigned to
the user if they do not match any other group.

You also create a mapping between the app role you created in Azure and the roles on Sophos
Firewall. Enter the value from the role you created in Azure and select the Sophos Firewall role.

Configuring Azure AD SSO on Sophos Firewall - 11

 Enable the Authentication Server for Administrator Logins

Once the authentication server has been created, you need to select it as an authentication
method for Sophos Firewall administrators.

Configuring Azure AD SSO on Sophos Firewall - 12

 Add a Redirect URL to the App Registration on Azure

Back in Azure, you need to add the redirect URI from the Azure AD SSO authentication server on
Sophos Firewall to the app registration.

Configuring Azure AD SSO on Sophos Firewall - 13

 Web Console Login with SSO Enabled

When SSO is configured on Sophos Firewall the login screen will change to give administrators the
choice between using SSO or local credentials to login. If they choose SSO they will be redirected
to the Azure login screen.

Configuring Azure AD SSO on Sophos Firewall - 14

 Simulation: Sophos Firewall Admin Azure SSO for Web
Console

In this simulation you will configure

single sign-on for administrators
using Azure AD.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/AzureADAdminSSO/1/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/AzureADAdminSSO/1/start.html

Configuring Azure AD SSO on Sophos Firewall - 15

 Chapter Review

Sophos Firewall allows you to configure Azure AD single sign-on for administrators to
login to the web console using the capabilities included in the free tier of Azure AD.

You need to configure an app registration with a client secret, app role, API permissions,
and redirect URI in Azure AD.

On Sophos Firewall you need to add an authentication server using the app registration
details from Azure. This page will provide the redirect URI to use in the app registration.

Here are the three main things you learned in this chapter.

Sophos Firewall allows you to configure Azure AD single sign-on for administrators to login to the
web console using the capabilities included in the free tier of Azure AD.

You need to configure an app registration with a client secret, app role, API permissions, and
redirect URI in Azure AD.

On Sophos Firewall you need to add an authentication server using the app registration details
from Azure. This page will provide the redirect URI to use in the app registration.

Configuring Azure AD SSO on Sophos Firewall - 20

Configuring Azure AD SSO on Sophos Firewall - 21
 Getting Started with Sophos
Firewall Authentication

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3515: Getting Started with Sophos Firewall Authentication

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Sophos Firewall Authentication - 1

 Getting Started with Sophos Firewall Authentication
In this chapter you will learn the RECOMMENDED KNOWLEDGE AND EXPERIENCE
types of users and groups that ✓ Authentication methods that are supported
can be configured for Sophos by Sophos Firewall
Firewall and the methods that
can be used for authentication.

DURATION

30 minutes

In this chapter you will learn the types of users and groups that can be configured for Sophos
Firewall and the methods that can be used for authentication.

Getting Started with Sophos Firewall Authentication - 2

 Authentication Methods
Hotspot
Clientless Users

Precedence Single Sign-On (SSO)

• Synchronized User Identity
• Sophos Transparent Authentication Suite (STAS)
• SSO Client
• VPN
• RADIUS
• Web Authentication (NTLM and Kerberos)

Authentication Agent
Captive Portal

Sophos Firewall supports five main methods for authenticating users, these are:
• Hotspot
• Clientless Users
• Single Sign-On (SSO)
• Authentication Agent
• Captive Portal

This is the order in which authentication is checked for users. Throughout the rest of this chapter,
we will look at some of the most common forms of authentication in more detail.

Getting Started with Sophos Firewall Authentication - 3

Activity
Put the authentication methods in order or precedence

Captive Portal

Authentication Agent

Hotspot

Clientless Users

Clientless Single Sign-On

Getting Started with Sophos Firewall Authentication - 4

 Hotspots

Hotspot type
selection

A hotspot is a portal that controls network access to devices connecting to the network. Hotspots
are typically used to provide guest Internet access in public areas. When you add an interface to a
hotspot, all devices connecting through that interface must authenticate through the hotspot.

Hotspots support a full suite of protection features and authentication methods. You can redirect
users to a captive portal or sign-in page where users must accept terms of usage or authenticate
themselves using a generated password or voucher.

Getting Started with Sophos Firewall Authentication - 6

 Types of User

Clientless Users
Authenticated by IP address
Locally authenticated

Guest Users Temporary users authenticated with a system generated

username and password
Locally authenticated

Users
Authenticate with a username and password
Can be locally or externally authenticated

Sophos Firewall has three types of user.

Clientless users do not authenticate using a username and password, but instead are identified
purely by their IP address. Clientless users are always authenticated locally by the Sophos Firewall.

Guest users are given temporary network access, usually to access the Internet. They authenticate
with a username and password that are generated by the Sophos Firewall and are always
authenticated locally.

Standard users authenticate with a username and password. They can be authenticated locally by
the Sophos Firewall or using an external authentication server such as Active Directory.

Getting Started with Sophos Firewall Authentication - 7

 Clientless users are managed in:
Creating Clientless Users CONFIGURE > Authentication > Clientless users

Typically, you would use clientless users to control network access for servers or devices such as
printers and VoIP phones.

Here you can see an example of two printers being added as a clientless users. You give the devices
a name, specify the IP address and select which group they will be a member of. You will use the
group in the firewall rules to then control the network access the devices have.

Clientless users can also be added in bulk by specifying a range of IP addresses and selecting the
group they will be a member of. You can edit the details for each IP address after adding them.

Getting Started with Sophos Firewall Authentication - 8

 Guest users are managed in:
Creating Guest Users CONFIGURE > Authentication > Guest users

You can create guest users either individually, shown on the left, or in bulk, shown on the right.

There are two main options when creating guest users:

1. How long the credentials will be valid for
2. And whether the time will start as soon as the user is added or when the user first logs in

Using the Print option, you can print the credentials for multiple selected users. This is useful if
someone will be providing these to visitors when they ask for access to the guest Wi-Fi, for
example.

Getting Started with Sophos Firewall Authentication - 9

 Creating Guest Users

All guest users are created with the same settings that can be managed in CONFIGURE >
Authentication > Guest user settings.

Here you can set the group that the user will be added to and the password complexity.

Optionally you can also integrate Sophos Firewall with an SMS gateway to allow guest users to
register for their own access details. This can save significant time where there are large volumes
of guest users such as in hotels and airports.

Getting Started with Sophos Firewall Authentication - 10

 Local users are managed in:
Creating Local Users CONFIGURE > Authentication > Users

Administration Profiles

Select policies to attach

to the user

Local users can also be added to Sophos Firewall. The user types are:

• User: End users who are connecting to the internet from behind the firewall.
• Administrator: Users who have access to firewall objects and settings as defined in an
administration profile.

Policies can also be assigned, such as for internet access and VPN. Those specified at the user level
take precedence over those specified at the group level.

Getting Started with Sophos Firewall Authentication - 11

 Synchronized User Identity
Sophos Firewall gets user ID from endpoints
that are on an Active Directory domain
automatically

Sophos Firewall
Sophos
Security Heartbeat™
Endpoints
Internet

Active Directory Server

Synchronized User Identity leverages the presence of Sophos on the Windows endpoints to
provide transparent user authentication with the firewall by sharing the user’s identity through the
Security Heartbeat connection. This makes authentication seamless, without having to deploy
additional agents onto domain controllers.

Synchronized User Identity is enabled by default for all Windows endpoints that establish a
Security Heartbeat with the Sophos Firewall.

Getting Started with Sophos Firewall Authentication - 12

 Synchronized User Identity

1 Add an Active Directory authentication server on Sophos Firewall

2 Import groups from Active Directory into the Sophos Firewall

3 Enable Active Directory server in Firewall authentication methods

4 Computers with a Security Heartbeat™ will synchronize the user details

For Synchronized User Identity to work, you will need to have added an Active Directory
authentication server on the Sophos Firewall and imported the groups using the wizard.

The Active Directory authentication server must be enabled as an authentication source for the
firewall in CONFIGURE > Authentication > Services.

With this done, all Windows endpoints with a heartbeat to the Sophos Firewall will be
authenticated transparently.

Getting Started with Sophos Firewall Authentication - 13

 Disabling Synchronized User Identity – add link
Sophos Firewall
===============
(C) Copyright 2000-2020 Sophos Limited and others. All rights reserved.
Sophos is a registered trademark of Sophos Limited and Sophos Group.
All other product and company names mentioned are trademarks or registered
trademarks of their respective owners.

For End User License Agreement - http://www.sophos.com/en-us/legal/sophos-end-

user-license-agreement.aspx

NOTE: If not explicitly approved by Sophos support, any modifications

done through this option will void your support.

XG135_XN02_SFOS 18.0.0# touch /content/no_userid

XG135_XN02_SFOS 18.0.0# service access_server:restart -ds nosync
200 OK
XG135_XN02_SFOS 18.0.0#

Synchronized User Identity will work by default if the prerequisites are satisfied, however if you
want to disable it this can be done via the console by creating the file /content/no_userid.

Removing this file will re-enable Synchronized User ID again, however, you do need to restart the
authentication service for this change to take effect.

Getting Started with Sophos Firewall Authentication - 14

 Groups are managed in:
Groups CONFIGURE > Authentication > Groups

Now that we’ve looked at the different types of users, we’ll look at groups. There are two types of
groups: normal and clientless, named for their respective user types.

A group is a collection of users with common policies and can be used to assign access to
resources. The user will automatically inherit all the policies added to the group.

Examples of policies that can be applied to groups include:

• Surfing Quota
• Access Time
• Network Traffic
• and Traffic Shaping
These are configured in SYSTEM > Profiles.

By default, users will inherit their assigned group’s policies. To adjust a group’s assigned policies,
select a policy from the list of available policies while editing or creating a new group. You can also
create a new policy directly from the group page.

Getting Started with Sophos Firewall Authentication - 15

 Group Import from Active Directory

When using Active Directory as an authentication server, users will be created on Sophos Firewall
and assigned to a group when they first successfully login. To use Active Directory groups, use the
import wizard, and users will be assigned to their associated Active Directory group.

Please note that Sophos Firewall groups cannot be nested, and if a user is a member of multiple
groups, they will be added to the first one they match on Sophos Firewall.

Getting Started with Sophos Firewall Authentication - 16

 Additional information in
Web Authentication the notes

Unknown user tries to visit a webpage

Transparent web filtering

Redirect to URL served by Sophos Firewall and User is

send an HTTP_AUTH challenge so the browser recorded
responds with the user credentials against the IP
address for
Direct proxy mode
future
Respond with a PROXY_AUTH challenge so the transactions
browser responds with the user credentials

If user authentication is only required for web filtering, Sophos Firewall can use a proxy challenge
to authenticate Active Directory users with NTLM or Kerberos.

Let’s start by looking at what happens when an unknown user tries to visit a web page. There are
two scenarios:
1. For transparent web filtering Sophos Firewall will redirect to a URL served by the firewall and
send a HTTP_AUTH challenge so that the browser responds with the credentials.
2. In the case of direct proxy mode, Sophos Firewall can respond with a PROXY_AUTH challenge
so that the browser responds with the user credentials.

In both cases the user is recorded against the IP address for future transactions.

[Additional Information]
Kerberos is more secure and has lower overheads than NTLM:
• NTLM requires an additional response round-trip between Sophos Firewall and the browser
• NTLM requires a lookup between Sophos Firewall and the challenge/domain controller for every
authentication event

To avoid clients seeing a popup for authentication we would recommend configuring Sophos
Firewall as an explicit proxy in the browser using the internal hostname of the firewall that is in the
domain. The default proxy port is 3128, but this can be changed in PROTECT > Web > General
settings.

Getting Started with Sophos Firewall Authentication - 17

 Web Authentication

Browser can now respond Enable AD SSO on the Device

with Kerberos or NTLM Access page

To use Active Directory SSO (NTLM and Kerberos) it must be enabled per-zone on the Device
Access page. With this option enabled, if you have an authentication server configured, AD SSO will
be tried before the captive portal is displayed.

The Web authentication tab combines the AD SSO configuration and captive portal behaviour
appearance settings. The page is laid out to follow the authentication flow:
• Try to authenticate the user using NTLM and/or Kerberos.
• If authentication fails then display the captive portal with this configuration.

Getting Started with Sophos Firewall Authentication - 18

 Web Authentication

Will try NTLM and Kerberos as per the web

authentication configuration and fall back to
the captive portal

In the firewall rules, the option to ‘Use web authentication for unknown users’ will try to
authenticate the user using NTLM or Kerberos based on the configuration you have selected, and
then fall back to using the captive portal.

Getting Started with Sophos Firewall Authentication - 19

 Captive Portal
Captive portal appearance

Port 8090 used for

Captive portal

The Captive portal is a browser interface that requires users behind the firewall to authenticate
when attempting to access a website. After authenticating, the user proceeds to the address or the
firewall redirects the user to a specified URL. This shows the default appearance of the Captive
portal, using port 8090.

With the current configuration, once the user has logged in, another browser tab will open. Closing
the page showing the successful login will cause the user to be signed out.

Getting Started with Sophos Firewall Authentication - 20

 Captive Portal Behavior

The behavior of captive portal can be customized. For example, changing when a user is signed
out.

While there is an option to never sign-out a user logged in through the captive portal, this is not
recommended.

Getting Started with Sophos Firewall Authentication - 21

 Captive Portal Appearance

As shown, it is also possible to customize the appearance and contents of the captive portal. For
example, you can change the logo and custom button text.

The new appearance can be previewed before the changes are applied.

Getting Started with Sophos Firewall Authentication - 22

 Per Connection Authentication

Add multi-user servers

Sophos Firewall can authenticate multiple different users coming from the same source IP address
when their proxy settings configured to use the Sophos Firewall as an explicit proxy. This is ideal for
terminal servers, Windows remote desktop, or direct access systems.

To use the multi-host client, you need to:

• Add an Active Directory authentication server
• Enable AD SSO (NTLM and Kerberos web authentication) for the zone where the multi-user
server is located
• Create a firewall rule to allow the traffic to match traffic from the multi-user server
• And add your multi-user servers in Authentication > Web authentication

Sophos XG Firewall v19.0 EAP 1 - 23

 Authentication Demo

In this demo you will see how to

configure per connection
authentication for multiuser
servers.

PLAY DEMO CONTINUE

https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7

In this demo you will see how to configure per connection authentication for multiuser servers.

[Additional Information]

https://techvids.sophos.com/watch/nPQbf634vyUSqHYCd8SDS7

Getting Started with Sophos Firewall Authentication - 24

 Sophos Transparent Authentication Suite (STAS)
• Uses an agent installed onto domain controllers
• Requires one STAS installation serving each domain controller
• Provides SSO without a client on the endpoints
• Supports IPv4 only

Lucy Fox logs into the Sophos Firewall logs in Lucy Fox and maps traffic
domain from a computer from 10.1.1.1 to the user
with the IP address
10.1.1.1

The domain controller

writes the login details to STAS notifies the Sophos
the event log with ID 4768 Firewall of the login on port
6060

The Sophos Transparent Authentication Suite, or STAS, provides transparent SSO authentication for
users without requiring a client on the endpoint. It employs an agent on the Microsoft Active
Directory domain controller or a member server that monitors and stores authentication activity
and sends authentication information to Sophos Firewall. There must be an STAS installation
serving all domain controllers to ensure that all logon events can be monitored. It is important to
note that the STAS software only works with Microsoft Active Directory, and only works with IPv4.

Please note that the SSO Client cannot be used when STAS is enabled on the Sophos Firewall.

Let’s have a look at how STAS works.

The user Lucy Fox logs into the domain on a computer that has the IP address 10.1.1.1.

The domain controller writes the login details to the security event log with ID 4768. This includes
the IP address of the computer and the name of the user that logged in.

STAS monitors the event logs for login events. When a login event is detected, the STAS records the
details. As STAS is monitoring the event logs, you need to ensure that successful logon events are
being audited in the Local Security Policy.

STAS notifies Sophos Firewall of the login and supplies the details recorded from the event log, this
is done on port 6060.

Sophos Firewall updates the live users, mapping the traffic from 10.1.1.1 to the user Lucy Fox.

Getting Started with Sophos Firewall Authentication - 25

 Additional information in
Installing the STAS Software the notes

• Download from the WebAdmin

• CONFIGURE > Authentication > Client downloads
• One installation per domain controller
• Either on domain controller or member server

Select Components Provide a user for the service

To get started with STAS, download the software from the WebAdmin at CONFIGURE >
Authentication > Client downloads and install it on all Active Directory domain controllers, or a
member server for each domain controller.

During the installation you can choose to install just the Collector or Agent component of STAS or
both. There may be benefits to installing individual components in larger and more complex
environments.

STAS also needs to be configured with a user that will be used to run the service. The user must
have the right to logon as a service and must be able to monitor the Security event log.

[Additional Information]

The service account should be added to the Backup Operators and Event Log Readers Groups in
AD, and the local Administrators groups on endpoints (this can be done via a group policy and is
required for WMI logoff detection to work). The account should also be granted ‘Logon as a
service’ permission on the domain controller, and full NTFS permission on the STAS folder.

Getting Started with Sophos Firewall Authentication - 26

 Configure the STAS Software

Required if
installed on a
member server

Once installed, the STAS software needs to be configured.

On the ‘General’ tab, configure the domain that STAS will be monitoring login events for.

On the ‘STA Agent’ tab, configure the networks for which logon events will be monitored. Here you
can see we are monitoring logon events for the 172.16.16.0/24 network. If a user logs in from
another network, 10.1.1.0/24 for example, this login will not be forwarded to the Sophos Firewall.

If STAS is being installed on a member server instead of a domain controller you need to specify
the IP address of the domain controller here.

Getting Started with Sophos Firewall Authentication - 27

 Configure the STAS Software

The IP address(es) of the

Sophos Firewall(s) to send
the login information to

Polling for the currently

logged on user can be
Optionally detect when done using WMI or
user's logoff via polling or registry read access
PING

The IP address of the Sophos Firewall needs to be added to the ‘Sophos Appliances’ section of
STAS.

Workstation polling can be configured to use either WMI (this is the default option) or registry read
access. This is used to determine the currently logged on user when a computer is not found in the
live users table.

STAS can also be configured to detect when user’s logoff. This can be done using the same method
as workstation polling (which is the default option) or PING.

Getting Started with Sophos Firewall Authentication - 28

 STAS is configured in:
Configure STAS on Sophos Firewall CONFIGURE > Authentication > STAS

Once the STAS software is installed and configured STAS needs to be enabled on the Sophos
Firewall, which is done in CONFIGURE > Authentication > STAS.

You can configure how long Sophos Firewall will try to probe for the identity, and whether access
should be limited while it tries to confirm the user’s identity.

You can also optionally enable and configure user inactivity handling, by setting the inactivity timer
and data transfer threshold.

Getting Started with Sophos Firewall Authentication - 29

 Configure STAS on Sophos Firewall

For every server you installed STAS on, you must add the IP address as a collector on the Sophos
Firewall.

If you are installing the full STA suite for each domain controller, you should put each collector in its
own group. Using collector groups is beyond the scope of this chapter.

Getting Started with Sophos Firewall Authentication - 30

 Simulation: Configure Single Sign-On Using STAS on Sophos
Firewall

In this simulation you will configure

single sign-on using the Sophos
Transparent Authentication Suite
(STAS) on Sophos Firewall. You will
then test your configuration.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/STAS/1/start.html

In this simulation you will configure single sign-on using the Sophos Transparent Authentication
Suite on Sophos Firewall. You will then test your configuration.

[Additional Information]

https://training.sophos.com/fw/simulation/STAS/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 31

 Authentication Agent
Agent and
The user sets
certificate need
their credentials
to be installed

The agent
authenticates
the user

Another method for authenticating with the Sophos Firewall is to use an agent on each endpoint.

You can download agents for Windows, Mac and Linux, and then need to install the agent and
certificate on the computer.

The user sets the credentials for authentication, and then the agent will authenticate with the
Sophos Firewall. The agent also shares the MAC address telemetry with the Sophos Firewall, which
allows MAC address restrictions to be used.

Getting Started with Sophos Firewall Authentication - 32

 Chromebook Single Sign-On (SSO)
1. Deploy Extension 2. Active Directory Server 3. Chromebook Authentication

The Chrome extension needs to be Sophos Firewall needs to be The Chromebook extension shares the
pushed to devices from Google G configured with an Active Directory user ID with Sophos Firewall
Suite server that is synchronized with G
Suite, and Chromebook SSO enabled

Sophos Firewall

Google G Suite

Active Directory Server Chromebook Devices

Chromebooks are increasingly popular in education and some corporate environments, but they
create a unique set of challenges for user identification with network firewalls.

Sophos Firewall provides a Chromebook extension that shares Chromebook user IDs with the
firewall to enable full user-based policy enforcement and reporting. Pre-requisites include an on-
premise Active Directory Server synced to Google G Suite. The Chrome extension is pushed from
the G Suite admin console providing easy and seamless deployment that is transparent to users.

Getting Started with Sophos Firewall Authentication - 33

 Chromebook SSO is configured in:
Chromebook Single Sign-On (SSO) CONFIGURE > Authentication > Services

The domain name as registered with G

Suite

The port number Chromebooks

connect to from the LAN or Wi-Fi

The certificate used for communication

with the Chromebooks.
The certificate CN must match the
zone/network where the Chromebook
users are, for example:
xg.sophostraining.xyz.

Chromebook SSO must be enabled in CONFIGURE > Authentication > Services. To do this it is
necessary to provide your domain that is registered with G Suite, and the certificate used to
communicate with the Chromebooks. The common name must match the network where the
Chromebook users are.

A couple of things to remember:

• You will need to enable the Chromebook SSO service in device access for the zones where the
devices are located.
• You will also need to create a firewall rule that allows the Chromebooks to access the Google
API and Chrome Web Store.

Getting Started with Sophos Firewall Authentication - 34

 Additional information in
G Suite Configuration the notes

Navigate to App Management

Search for and open Sophos Chromebook User ID

Upload the configuration (sample in the notes)

Only
required Navigate to Device Management > Networks
where the
Sophos
Firewall uses Upload the CA certificate from the Sophos Firewall
a self-signed (select Use this certificate as an HTTPS certificate authority)
certificate

To configure the Chromebook app in G Suite, you need to navigate to App Management, and then
search for and open the Sophos Chromebook User ID app.

Here you will need to upload the configuration as a JSON file that includes server address, port and
log settings.

If the Sophos Firewall is using a self-signed certificate, you will also need to upload the CA
certificate in Device Management > Networks, selecting the option, Use this certificate as an
HTTPS certificate authority.

[Additional Information]

Example JSON configuration of G Suite configuration

Note: the uppercase Value is important, otherwise it won't work.
{
"serverAddress": {
"Value": "10.8.19.132"
},
"serverPort": {
"Value": 65123
},
"logLevel": {
"Value": 2
},
"logoutOnLockscreen": {
"Value": true

Getting Started with Sophos Firewall Authentication - 35

},
"logoutOnIdle": {
"Value": true
},
"idleInterval": {
"Value": 900
}
{

Getting Started with Sophos Firewall Authentication - 35

 Simulation: Configuring User Policies

In this simulation you will configure

firewall rules to match based on
user identity on Sophos Firewall.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/UserPolicies/1/start.html

In this simulation you will configure firewall rules to match based on user identity on Sophos
Firewall.

[Additional Information]

https://training.sophos.com/fw/simulation/UserPolicies/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 36

 Chapter Review

Sophos Firewall has three types of user. Clientless users are identified by their IP
address. Guest users are given temporary network access. Standard users authenticate
locally or using an external server such as Active Directory

Synchronized User Identity provides transparent user authentication by sharing the

user’s identity through the Security Heartbeat connection.

Authentication agents for Windows, Mac and Linux can be installed locally on the
computer. The Sophos Transparent Authentication Suite provides transparent SSO using
an agent on the Microsoft Active Directory domain controller

Here are the three main things you learned in this chapter.

Sophos Firewall has three types of user. Clientless users are identified by their IP address. Guest
users are given temporary network access. And standard users provide a username and password
to authenticate locally or using an external server such as Active Directory.

Synchronized User Identity provides transparent user authentication by sharing the user’s identity
through the Security Heartbeat connection. This is enabled by default for all Windows endpoints
that establish a Security Heartbeat with the firewall.

Authentication agents for Windows, Mac and Linux can be installed locally on the computer. The
Sophos Transparent Authentication Suite provides transparent SSO authentication for users
without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory
domain controller.

Getting Started with Sophos Firewall Authentication - 45

Getting Started with Sophos Firewall Authentication - 46
 Advanced STAS Configuration
on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3535: Advanced STAS Configuration on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced STAS Configuration on Sophos Firewall - 1

 Advanced STAS Configuration on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to configure STAS for larger and ✓ Configuring Sophos Transparent Authentication
more complex environments that Suite
include multiple Active Directory
domain controllers.

DURATION

10 minutes

In this chapter you will learn how to configure STAS for larger and more complex environments
that include multiple Active Directory domain controllers.

Advanced STAS Configuration on Sophos Firewall - 2

 Sophos Transparent Authentication Suite (STAS)
Provides SSO without a client on each workstation
Makes it easier to enforce user-based policies

Installation Prerequisites
• The STAS agent can be installed on Active Directory Domain Controllers
• Every domain controller must by monitored by STAS
• It CAN be installed on a member server:
• One member server can serve one domain controller
• Required STAS version 2.5 or higher

STAS works with Microsoft Active Directory and IPv4 only

We’ll start by reviewing the purpose and functionality of the Sophos Transparent Authentication
Suite, or STAS.

The purpose of STAS is to provide reliable transparent SSO authentication for network users
without requiring a client on the endpoint. It employs an agent on the Microsoft Active Directory
domain controller that monitors and stores authentication activity and exchanges authentication
information with the Sophos Firewall, making user-based policy enforcement easy.

If you are unable to install STAS on a domain controller, you can alternatively install it on a member
server and configure it to serve that domain controller.

Every domain controller must have an installation of STAS monitoring its login events, whether that
is installed locally or on a member server, to ensure that all logins are captured. It is important to
note that the STAS software only works with Microsoft Active Directory, and only works with IPv4.

Advanced STAS Configuration on Sophos Firewall - 3

 How STAS Works
5. The Sophos Firewall updates the Live Users,
1. John Smith logs into mapping traffic from 10.1.1.1 to the user John
the domain on a Smith
computer with the IP
10.1.1.1 Computer
10.1.1.1

2. Domain Controller
writes the login details to Internet
the Security event log Sophos
with ID 4768 Domain Controller Firewall
(ID 672 on Windows 2003)
4. STAS notifies the Sophos
Firewall of the login on port
6060
Security Audit
STAS
Log
IP
3. STAS monitors the event log for logon events
UN

Let’s review how STAS works by using a fictitious user, John Smith.

The user John Smith logs into the domain on his computer that has the IP address 10.1.1.1.

The domain controller writes the login details to the Security event log with ID 4768. This includes
the IP address of the computer and the name of the user that logged in. The Live Users can be
found in MONITOR & ANALYZE > Current activities > Live users.

As STAS is monitoring the event logs, you need to ensure that successful logon events are being
audited in the Local Security Policy.

When STAS detects a login event it records the details and notifies Sophos Firewall of the login and
its details using port 6060.

The Sophos Firewall updates the Live Users, mapping the traffic from 10.1.1.1 to the user John
Smith.

Advanced STAS Configuration on Sophos Firewall - 4

 STAS with Multiple Domain Controllers
2. Domain Controller creates 3. STA Agent sends login
Security Audit Log event event to STA Collector

IP IP
UN UN

Security Sophos Firewall Security

STA Agent Audit Log Audit Log STA Agent

Domain Controller Domain Controller

Domain Controller
Computer: 10.1.1.1 4. STA Collector sends Computer: 10.1.1.2
login event to Sophos
1. User logs into domain STA Collector & Firewall
Agent

In larger or more complex environments that include multiple Active Directory domain controllers,
the agent and Collector roles can be divided onto multiple servers.

An agent would be installed and configured on each Active Directory domain controller, This way,
no matter which server a workstation logs into, a logon event entry will be created in the Windows
event log where an STA Agent exists.

The STA Agents forward a copy of the log events to a central Collector that will aggregate the log
information. The STA Collector will then pass the collected log information to the Sophos Firewall.

Advanced STAS Configuration on Sophos Firewall - 5

 Installation
Select Components

Download client installer from Web Admin

CONFIGURE > AUTHENTICATION > Client downloads

Install Collector on domain controllers or other

member servers

Install an agent for every domain controller

Whether installing just the agent or just the Collector, the same client installer is used.

Remember that the agent software needs to be installed for every domain controller in the
domain. This can either be on the domain controller or on a member server. This is important to
ensure that logon events are captured no matter which domain controller a user authenticates
against.

There only needs to be one Collector in the network; however, it is beneficial to have multiple
Collectors for redundancy, or to control traffic flow in larger routed networks.

Advanced STAS Configuration on Sophos Firewall - 6

 Permissions Required

Add the STAS service account to:

• Backup Operators and Event Log Readers groups in AD
• Local Administrators groups on endpoints

Give the STAS service account:

• ‘Logon as a service’ permission on the domain controller
• Full Control NTFS permissions on the STAS folder

The STAS service account should be added to the Backup Operators and Event Log Readers Groups
in AD, and the local Administrators groups on endpoints. This can be done via a group policy and is
required for WMI logoff detection to work.

The account should also be granted ‘Logon as a service’ permission on the domain controller, and
Full Control NTFS permission on the STAS folder.

Advanced STAS Configuration on Sophos Firewall - 7

 Collector Groups
• Collector groups are used to manage redundancy
• You can have up to 5 Collectors per group
• Sophos Firewall uses the first available Collector as the primary Collector

Sophos Firewall

Domain Controller Domain Controller

with STA Collector with STA Collector
and Agent and Agent

Primary Collector
Domain Controller Domain Controller
with STA Collector with STA Collector
and Agent and Agent

When you enable STAS on the Sophos Firewall and add multiple Collectors you must create a
Collector group. STAS Collector groups are used by the Sophos Firewall to provide redundancy and
control the flow of data in large and complex networks.

Each Collector group can have up to five Collectors, so if you have more than five domain
controllers with a full installation of the STAS software, you will either need to use multiple groups
or split the Collector and Agent roles.

For each Collector group, the Sophos Firewall will use the first available Collector in the list as the
primary Collector.

Advanced STAS Configuration on Sophos Firewall - 8

 Agents and Collectors
• ALL agents report to ALL Collectors
Agents are configured
• One group per region or location in larger deployments
with the IPs of all
Collectors
Only the primary Collector
responds to Agents

Domain Controller Domain Controller

with STA Collector & Agent with STA Collector & Agent
Sophos Firewall
Primary Collector IP 1
Collector IP 2
Collector IP 3
Collector IP 4

Domain Controller Domain Controller Domain Controller Domain Controller

with STA Agent with STA Agent with STA Agent with STA Agent

Agents should be configured with the IP addresses of all the Collectors in the group so that they
have an up-to-date user list in the case the primary Collector fails.

Given this behavior, it is sensible to create a Collector group for each region or location so that all
Agents at that location are reporting to local Collectors.

Advanced STAS Configuration on Sophos Firewall - 9

 Failover

• If the primary Collector fails, Sophos Firewall will use the next available Collector
• The new primary Collector will have the Live Users list from all agents

Primary Sophos
Firewall
Domain Controller Domain Controller
with STA Collector with STA Collector
and Agent LIVE USERS and Agent
John Smith 10.1.1.1
Jane Doe 10.1.1.2
Lisa Fox 10.1.1.3
Tom Jones 10.1.1.4

If the primary Collector fails, the Sophos Firewall uses the next available Collector.

The Collector will have an up-to-date Users list because the Agents will have been reporting to all
Collectors in the group.

Advanced STAS Configuration on Sophos Firewall - 10

 Primary Collector
• Performs log off detection
• Authenticates users that are not in the Live Users lists

2. Sophos Firewall asks the primary Collector who is logged

into 10.1.1.1

Port 6677
Sophos
Primary
Firewall
Domain Controller
Domain Controller
with STA Collector
with STA Collector
and Agent
and Agent
10.1.1.1
1. John Smith tries to
3. The primary Collector polls the
access the Internet
computer for the logged in user

As well as reporting logon events to the Sophos Firewall, the Sophos Firewall also uses the primary
Collector to poll computers for log off detection. The Sophos Firewall polls the Collector to check
whether the users in the Sophos Firewall list are still logged in.

When a computer tries to access the network and they cannot be found in the Live Users list, the
Sophos Firewall asks the primary Collector who is logged into the computer.

The primary Collector polls the computer to find out who is logged in, adds them to its Live Users
list, and updates the Sophos Firewall.

This might occur if the computer has been disconnected from the network long enough for the
Collector to log the user out.

Advanced STAS Configuration on Sophos Firewall - 11

 Authentication Over VPNs Login request from user
STAS login details to firewall

Head Office Branch Office

Site-to-site VPN

Domain Controller Computer

With STA Suite Sophos Sophos
Firewall Firewall

Authentication information is not accepted from VPN zone

By default, the Sophos Firewall does not accept authentication information from Collectors that
are in the VPN zone.

If we consider this example, where a computer in a small branch office is authenticating using a
domain controller in the head office over a site-to-site VPN, that logon event needs to reach the
Sophos Firewall at the branch office.

The Collector in the head office can send the logon event to the local Sophos Firewall, but when it
tries to send it to the branch office Sophos Firewall over the site-to-site VPN it will fail because it is
coming from the VPN zone.

Advanced STAS Configuration on Sophos Firewall - 12

 Authentication Over VPNs
Enable Client authentication for the VPN zone
SYSTEM > Administration > Device Access

To make this scenario work you need to enable Client authentication for the VPN zone in SYSTEM >
Administration > Device Access.

The Sophos Firewall at the branch office will then accept the traffic from the Collector and be able
to authenticate the user.

The type of VPN you are using, (SSL or IPsec), will determine what source IP address will be used
for the response. If the IP address is unknown to the Collector, it will reject the response. To
correct this, you can use a local NAT policy to ensure the response comes from the correct IP
address.

Advanced STAS Configuration on Sophos Firewall - 13

 Subnet Filtering

Assign subnets to specific

Sophos Firewalls using subnet
filtering

If we consider our scenario further, we do not want users in the branch office to be authenticated
on the head office Sophos Firewall, they only need to be authenticated by the local Sophos
Firewall.

This can be achieved using the subnet-based filter. This allows you to configure a Sophos Firewall
for each of the subnets you are monitoring logons for. It is done when you add the IP addresses of
the Sophos Firewalls.

Advanced STAS Configuration on Sophos Firewall - 14

 Default STAS Ports
UDP 6060 UDP 6677 TCP 5566

From: STA Collector From: Sophos Firewall From: STA Agent

To: Sophos Firewall To: STA Collector To: STA Collector

This port cannot be This port can be configured This can be configured in
customized when the Collector group is the STA Agent and Collector
created

It must also be configured

in the STA Collector

This table shows the default ports that are used for communication between the STAS components
and where they can be customized.

Advanced STAS Configuration on Sophos Firewall - 15

 STAS Quarantine
• Traffic is dropped when authenticating users that are not in the Live Users list
• The timeout period of dropped traffic can be adjusted in the STAS Quarantine section
• Default limit it set to 2 minutes
• Should not be set to less than 45 seconds

In large environments, the process of having the Sophos Firewall use the Collector to poll a
computer to identify the logged in user, can take some time. While this is taking place the Sophos
Firewall will drop traffic from the computer.

By default, the timeout for this before the Captive Portal is displayed is two minutes, but this can
be modified by navigating to CONFIGURE > Authentication > STAS. In most environments the
identity probe time-out value should not be set lower than 45 seconds.

Additionally, you can select to restrict client traffic during the identity probe and enable user
inactivity settings.

Advanced STAS Configuration on Sophos Firewall - 16

 Additional information in
STAS Quarantine the notes

The timeout period can be adjusted from the console using the command:

system auth cta unauth-traffic drop-period <seconds>

The time out period can also be viewed and modified from the console using the commands
shown.

[Additional Information]

To modify the current configuration: system auth cta unauth-traffic drop-period <seconds>

To view the current configuration: system auth cta show

Advanced STAS Configuration on Sophos Firewall - 17

 Chapter Review

All Collectors should be configured with the IP addresses of all Sophos Firewalls

All agents should be configured with the IP addresses of all the Collectors

Collector groups provide redundancy with a maximum of FIVE Collectors in a

Collector group

Here are the three main things you learned in this chapter.

All the Collectors should be configured with the IP addresses of all the Sophos Firewalls so that all
the firewalls have all the logged in users.

All the Agents should be configured with the IP addresses of all the Collectors to provide
redundancy.

Collector groups provide redundancy, and you can have a maximum of five Collectors in a Collector
group.

Advanced STAS Configuration on Sophos Firewall - 22

Advanced STAS Configuration on Sophos Firewall - 23
 Enabling Multifactor
Authentication on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW3545: Enabling Multifactor Authentication on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Enabling Multifactor Authentication on Sophos Firewall - 1

 Enabling Multifactor Authentication on Sophos Firewall

In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to configure multi-factor ✓ Configuring authentication and users on Sophos
authentication on Sophos Firewall
Firewall and how this changes
the way in which users
authenticate.

DURATION

9 minutes

In this chapter you will learn how to configure multi-factor authentication on Sophos Firewall and
how this changes the way in which users authenticate.

Enabling Multifactor Authentication on Sophos Firewall - 2

 Multi-factor Authentication

Multi-factor authentication means that two pieces of information

are required to login:
• Something you know
• Something you have

Sophos Firewall supports multi-factor authentication using one-time passwords

One-time passwords can be software tokens or hardware tokens that conform to RFC
6238

Multi-factor authentication means that two pieces of information are required to login:
• something you know, your password, and
• something you have, your token

Sophos Firewall supports multi-factor authentication using one-time passwords.

There are different types of one-time password. You can use either software tokens, such as the
Sophos Authenticator App or Sophos Intercept X App that are available for Android and iOS, or
hardware tokens, if they conform to RFC 6238.

Please note that RSA tokens are not supported.

Enabling Multifactor Authentication on Sophos Firewall - 3

 One-Time Passwords
Time Time
456789

User 345678 Sophos Firewall

234567
123456
Key Key
567890
Token Algorithm Token Algorithm

678901

Let’s look at how one time passwords work. In this diagram we have the user with their token on
the left, and the Sophos Firewall on the right.

The user has a token that contains a key and gets the time from a synchronized clock. These are
processed using the algorithm described in RFC 6238 to produce the token code.

The Sophos Firewall needs to have the same key and be synchronized to the same clock so that
when it calculates the token code it comes out with the same number.

To allow for variations in the time between the token and the Sophos Firewall, it will accept the
previous and next token code as valid by default. This is the token offset step and can be changed
in the settings.

Enabling Multifactor Authentication on Sophos Firewall - 4

 One-time passwords are configured in:
CONFIGURE > Authentication > Multi-factor
Configuration Authentication

Optionally select which users

need to use OTP

Create software
tokens for users

Where Sophos Firewall

will require OTP

OTP timestamp settings

Multi-factor authentication is not enabled by default and must be turned on. This can be done for
either all users, or a selected set of users and groups.

You can choose to have the Sophos Firewall automatically generate a token secret (key) when
users try to authenticate, and they don’t have one. Sophos Firewall generated secrets can be used
with software tokens. Hardware tokens need to be added manually.

Sophos Firewall can use multi-factor authentication to improve the security of the WebAdmin,
User Portal (including the Clientless VPN Portal), and SSL and IPsec remote access VPNs.

You can configure the global token settings. For example, if you are using a hardware token with a
60 second timestep you can configure this here. You can also configure the passcode offset steps
which we discussed in the previous slide.

Enabling Multifactor Authentication on Sophos Firewall - 5

 Adding Tokens Manually

Optionally override the

global token timestep

To add a token, you simply need to specify the secret, which is a 32-to-120-character HEX string
and select which user to assign the token to.

Optionally, the global timestep can be overridden, which may be necessary if you are using a
mixture of tokens.

Enabling Multifactor Authentication on Sophos Firewall - 6

 Adding Tokens Automatically

The password becomes <User_Password><Generated_Password>

Now let’s look at how tokens can be automatically generated for users.

When a user logs into the User Portal for the first time after one-time passwords have been
enabled, the Sophos Firewall will generate and display the information they need to configure a
software token. In most cases this can be done automatically by scanning the QR code with an app,
such as the Sophos Authenticator App.

Once the token is configured, the user clicks Proceed to login.

The user will then be presented with the User Portal login again. This time they login with their
password and append their current token code.

Enabling Multifactor Authentication on Sophos Firewall - 7

 Sophos Authenticator App

training-user@C01001CP99YB30E

This shows an example of the generated password on the Sophos Authenticator App.

Enabling Multifactor Authentication on Sophos Firewall - 8

 Additional Token Settings

Here we can see a token for training-user that we will use to consider two scenarios.

In the first scenario, the user has their token, but the login is failing.

This might be caused if the time of the token and Sophos Firewall are out of sync. To resolve this,
you can enter the current passcode into the firewall, and it can compensate for the time
difference.

Enabling Multifactor Authentication on Sophos Firewall - 9

 Additional Token Settings

Generate 10 one-time codes

that can be used

In the second scenario, the user is on the road but has dropped and broken the mobile phone that
has the Sophos Authenticator app on it. They need to access the SSL VPN, but it is secured using
OTP.

If this happens, you can add additional codes to the token. These are a set of single use codes that
will automatically be removed after they are used. They would have to be sent to the user in some
fashion, preferably through a secure channel, after they have been created. These codes will
persist until they are used, or an administrator removes them.

Enabling Multifactor Authentication on Sophos Firewall - 10

 Simulation: Enable Multifactor Authentication

In this simulation you will enable

multi-factor authentication on
Sophos Firewall. You will then test
your configuration.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/MFA/1/start.html

In this simulation you will enable multi-factor authentication on Sophos Firewall. You will then test
your configuration.

[Additional Information]

https://training.sophos.com/fw/simulation/MFA/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 11

 Chapter Review

Sophos Firewall supports multi-factor authentication using one-time passwords. These

can be either software tokens, such as the Sophos Authenticator, or hardware tokens if
they conform to RFC 6238

Tokens can be automatically generated so when a user logs into the User Portal after
one-time passwords have been enabled, the prompt to configure a software token is
displayed. Typically, this is done by scanning the QR code with an app

Additional codes can be added to a user’s token if the user does not have access to the
OTP app. These are a set of single use codes that will automatically be removed after
they are used

Here are the three main things you learned in this chapter.

Sophos Firewall supports multi-factor authentication using one-time passwords. These can be
either software tokens, such as the Sophos Authenticator, or hardware tokens if they conform to
RFC 6238.

Tokens can be automatically generated so when a user logs into the User Portal after one-time
passwords have been enabled, the prompt to configure a software token is displayed. Typically, this
is done by scanning the QR code with an app.

Additional codes can be added to a user’s token if the user does not have access to the OTP app.
These are a set of single use codes that will automatically be removed after they are used.

Enabling Multifactor Authentication on Sophos Firewall - 16

Enabling Multifactor Authentication on Sophos Firewall - 17
 Sophos Firewall Web
Protection Overview

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
4005: Sophos Firewall Web Protection Overview

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall Web Protection Overview - 1

 Sophos Firewall Web Protection Overview
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
Sophos Firewall can provide web ✓ The multiple layers of protection provided by
protection as a transparent or Sophos Firewall to detect and block attacks
explicit proxy.

DURATION

10 minutes

In this chapter you will learn how Sophos Firewall can provide web protection as a transparent or
explicit proxy.

Sophos Firewall Web Protection Overview - 2

 Web Protection Overview

Protection Control

• Scan for malware with two antivirus • Allow, warn, block and quota access
engines to web content

• Sophos zero-day protection cloud- • Apply rules to users and groups

based sandbox scanning
• Control content based on categories,
• Scan for potentially unwanted file types, URLs and content
applications
• Surfing quotas

Web Protection on Sophos Firewall can be used to defend against malware and to control user
behaviour.

Sophos Firewall can scan for malicious content using two antivirus engines, Sophos and Avira, and
if additional checking is required, it can leverage zero-day protection, a Sophos cloud-based
sandbox solution. In addition to malicious content, you can also choose to block potentially
unwanted applications from being downloaded onto your network.

You can improve your network security by blocking access to risky websites and applying controls
to users’ browsing behaviour. Sophos Firewall comes with several predefined policies to get started
that can be further customized to meet your needs.

Sophos Firewall Web Protection Overview - 3

 Web Protection Overview

Transparent

Explicit

Web filtering on Sophos Firewall can be done either transparently, intercepting traffic as it passes,
or as an explicit proxy, where clients are configured to use the Sophos Firewall as their web proxy.

Sophos Firewall Web Protection Overview - 4

 DPI vs. Web Proxy Filtering
DPI Web Proxy Filtering

✓ Port agnostic protocol detection

✓ Support for FastPath ✓ Enforce SafeSearch
✓ Decrypts TLS 1.3 traffic ✓ Apply YouTube restrictions
✓ Offloads traffic trusted by ✓ Explicit proxy mode
SophosLabs

The DPI (Deep Packet Inspection) engine can perform web filtering for improved performance,
however you can still choose to use the legacy web proxy. Let’s take a look at some of the
differences between DPI and web proxy filtering.

DPI implements proxy-less filtering handled by the IPS (Intrusion Prevention System) engine. It
provides port agnostic protocol detection and supports the partial or full offload of traffic flows to
the network FastPath. It can decrypt and scan TLS 1.3 traffic and offloads the traffic trusted by
SophosLabs.

In comparison, you may want to use the web proxy filtering to enforce SafeSearch or YouTube
restrictions, or because your clients are configured to use the Sophos Firewall as an explicit proxy.

Let’s take a closer look at how the traffic is processed in each of these scenarios.

Sophos Firewall Web Protection Overview - 5

 Firewall Rule > Security Features

The Security Features section of the Firewall Rules provides settings to choose between the DPI
Engine and Web Proxy for each individual rule.

Sophos Firewall Web Protection Overview - 7

 DPI Filtering

Decrypt Web Content

sophos.com on port 80 HTTPS Policy Scan

sophos.com on port 443 Web Proxy

Firewall

sophos.com on port 8080

SSL/TLS Web Content App
IPS
Rules Policy Scan Control

DPI Engine

FastPath

Using the configuration shown here, all the traffic will be handled by the faster DPI engine for IPS
and proxy-less web filtering and SSL decryption on any port for HTTP and HTTPS using port
agnostic protocol identification.

In this configuration the SSL/TLS inspection rules are used to manage the decryption of secure web
traffic.

Using the DPI engine allows the Sophos Firewall to offload safe traffic to the FastPath. This is done
for traffic that the Sophos Firewall qualifies as being safe, or that matches identities for SophosLabs
trusted traffic.

Sophos Firewall Web Protection Overview - 8

 Web Proxy Filtering

Decrypt Web Content

sophos.com on port 80 HTTPS Policy Scan

sophos.com on port 443 Web Proxy

Firewall

sophos.com on port 8080

SSL/TLS Web Content App
IPS
Rules Policy Scan Control

DPI Engine

FastPath

If you enable the web proxy, then HTTP and HTTPS traffic on ports 80 and 443 will be processed by
the web proxy for decryption, web policy and content scanning, before being handed to the DPI
engine for application control and IPS.

HTTP or HTTPS traffic on other ports will still be handled by the DPI engine.

The web proxy is also used in explicit proxy configurations.

When the web proxy is being used none of the traffic can be offloaded to the FastPath.

Sophos Firewall Web Protection Overview - 9

 Deploying Sophos Firewall for Web Protection

Gateway or mixed mode deployments

LAN Zone WAN Zone

Internet
Sophos Firewall

Filter web traffic

If the Sophos Firewall is the network gateway or will be replacing an existing gateway, then web
filtering can simply be enabled for the traffic passing through it.

This deployment scenario is ideal as all traffic must pass through the Sophos Firewall before being
allowed out to the Internet. As such, all traffic entering the network must also pass through the
Sophos Firewall before reaching clients. By implementing in this fashion, all web traffic can be
scanned, decrypted, sent to zero-day protection if needed, and controlled so that users cannot
violate company policy, and hackers cannot pass unseen.

In this deployment scenario, the Sophos Firewall can be used as both a transparent and explicit
proxy.

Sophos Firewall Web Protection Overview - 10

 Deploying Sophos Firewall for Web Protection

Bridge mode deployments

Firewall Internet
Sophos Firewall

Transparently filter
web traffic Other networks such
as DMZ will not be
filtered

In scenarios where the Sophos Firewall will not be the primary network gateway there are two
deployment options.

The first is to add Sophos Firewall to the network in bridge mode, allowing it to transparently filter
the web traffic. This is a good solution if the existing edge device will not be replaced. Similarly, to
the previous solution, anyone behind the Sophos Firewall will not be able to bypass the filter and
will have their traffic inspected. The only exception would be if there were another network, such
as a DMZ hosting public servers, behind the edge firewall.

Sophos Firewall Web Protection Overview - 11

 Deploying Sophos Firewall for Web Protection

Explicit proxy deployments

Switch

Firewall Internet

Configure clients to use

Allow web traffic from
Sophos Firewall as web
Sophos Firewall only
proxy

Sophos Firewall

The other option is for the Sophos Firewall to be on the network but not in the direct flow of
traffic, and to have the clients configured to use it as an explicit proxy.

In this configuration, the Sophos Firewall doesn’t have any control over traffic that is sent directly
to the default gateway, and so it is important that the edge device is configured to only allow web
traffic from allowed devices, including the Sophos Firewall.

Sophos Firewall Web Protection Overview - 12

 Transparent vs. Explicit Proxy
Transparent Explicit

Typically deployed at the gateway

Requires client (operating
Does not require client configuration system/browser/application) to be
configured with the proxy details
Client (operating
system/browser/application) is unaware Firewall must be configured to only
the traffic is being filtered allow web traffic from the proxy to
prevent users from circumventing it
Users cannot circumvent the filtering

The key differences between transparent and explicit proxy web filtering are:

In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and
the proxy service is configured to intercept traffic for a specified port. The client (e.g., browser,
desktop application etc.) is unaware that traffic is being processed by a proxy. For example, a
transparent HTTP proxy is configured to intercept all traffic on port 80/443. This provides a
standard enterprise configuration where all clients routed to the Internet will be filtered and
protected, no matter what the end users do or change on their machines. An added benefit is a
reduction of client-proxy configuration troubleshooting. Transparent proxies also handle mobile
and guest devices without any additional configuration.

In an explicit proxy configuration, the client is explicitly configured to use a proxy server, meaning
the client knows that all requests will go through a proxy. The client is given the hostname, IP
address, and port number of the proxy service. When a user makes a request, the client connects
to the proxy service and sends the request. The disadvantage of the explicit proxy is that each
client must be properly configured to use the proxy.

Sophos Firewall Web Protection Overview - 13

 Chapter Review

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic
protocol detection and supports offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be
processed by the web proxy for decryption, web policy and content scanning before
being handed to the DPI engine for application control and IPS

If Sophos Firewall is the network gateway, web filtering can be enabled for the traffic
passing through it. When it is not the primary network gateway it can operate in bridge
mode, transparently filtering the web traffic, or be configured as an explicit proxy

Here are the three main things you learned in this chapter.

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic protocol
detection and supports the partial or full offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be processed by the
web proxy for decryption, web policy and content scanning before being handed to the DPI engine
for application control and IPS. Add Sophos Firewall to the network in bridge mode, allowing it to
transparently filter the web traffic.

If Sophos Firewall is the network gateway, then web filtering can be enabled for the traffic passing
through it. When Sophos Firewall is not the primary network gateway it can operate in bridge
mode, allowing it to transparently filter the web traffic, or be configured as an explicit proxy.

Sophos Firewall Web Protection Overview - 18

Sophos Firewall Web Protection Overview - 19
 Configuring Web Protection
on Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]

Sophos Firewall
4010: Configuring Web Protection on Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring Web protection on Sophos Firewall- 1

 Configuring Web Protection on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to create policies for web ✓ How Sophos Firewall provides web protection as a
protection and TLS transparent or explicit proxy
decryption and configure global
settings for protection and an
explicit proxy.

DURATION

24 minutes

In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.

Configuring Web protection on Sophos Firewall- 2

 Web Policies

Web Protection Policies Policy Rules

• Include options to control end users’ • Define the type of usage to restrict
web browsing
• SafeSearch prevents potentially • Specify content filters to restrict web
inappropriate images, videos, and content that contains any terms in
text from appearing search results the lists
• YouTube restrictions also restrict
search results • Define the action to take when the
• Time quotas can allow limited access firewall encounters traffic that
to restricted websites matches the rule criteria

Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, that allow access to restricted websites, such as online shopping, for a limited
period.

Policies include rules, which are used to:

• Define the type of usage to restrict. This can include user activities, categories, URL groups, file
types, and dynamic categories.
• Specify content filters to restrict web content that contains any terms in the lists.
• Define the action to take when the firewall encounters HTTP traffic that matches the rule
criteria.

Configuring Web protection on Sophos Firewall- 3

 Creating and Editing Web Policies

This shows an example of a web policy. It has an ordered list of rules and a default action, in this
case allow, that determines the behaviour if the traffic does not match any of the rules.

Configuring Web protection on Sophos Firewall- 4

 Creating and Editing Web Policies
Dynamic Categories

User Activities
Categories

URL Groups

Users &
Groups File Types Constraints

Content Filter Action Status

Each web policy rule applies to either specific users and groups, or anybody.

You define the activities, or types of web traffic that are going to be controlled by the rule, and you
can optionally also apply a keyword content filter to the traffic.

Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.

You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.

Finally, you can enable and disable individual rules. This is especially useful when creating new
rules and testing.

Configuring Web protection on Sophos Firewall- 5

 Web Policies

Below the web policy rules are further options, some of which require the web proxy to be
enforced. These are indicated with a notice. If these options are selected and used with the DPI
engine, they will not be enforced.

The available options are:

• Enforce SafeSearch in common search engines. This is done by modifying the request to enable
the features in the search engine and requires decrypting the web traffic.
• Enforce YouTube restrictions, which is done in the same ways as enforcing SafeSearch.
• Configure how much quota time users have per day.

Configuring Web protection on Sophos Firewall- 6

 Advanced Settings

Advanced settings allow you to:

• Include this policy in logs and reports.
• Prevent the downloading of files greater than the size specified.
• Add X-Forwarded-For header to pass on the IP address of the original HTTP request.
• Allow users to sign into Google Apps, such as Gmail and Drive, only with the domains specified.
• Apply Microsoft Azure AD tenant restrictions.

Again, a notice indicates which settings require the web proxy to be enforced.

Configuring Web protection on Sophos Firewall- 7

 User Activities

User activities are a group of web categories, URL groups and file types

Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.

User Activities are a way of grouping web categories, URL groups and file types into a single object
to simplify management.

Configuring Web protection on Sophos Firewall- 8

 Additional information in
the notes
Categories

Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.

You can also create custom web categories based on either local lists of domains and keywords or
an external URL database.

[Additional Information]

External URL databases can be from either a HTTP or FTP server. The database should be in one of
the following formats:
• .tar
• .ga
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.

Configuring Web protection on Sophos Firewall- 9

 URL Groups

Local TLS exclusion list

Managed TLS exclusion

list (read only)

URL groups are used to create a match list of domains for which the default configuration should
not be applied. All subdomains for the entered domains will also be matched.

There are a couple of important default groups:

• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt
traffic for.
• Managed TLS exclusion list, which is a Sophos managed list of domains that are excluded from
TLS decryption. On this page you can see the domains that are included, although you cannot
edit or delete this group.

Configuring Web protection on Sophos Firewall- 10

 File Types

Sophos Firewall can manage access to files through the web policy and comes with several groups
of common file types defined by extension and MIME type.

You can also create custom file types, which can use an existing group as a template to import
already defined types.

Configuring Web protection on Sophos Firewall- 11

 Simulation: Create Custom Web Categories on Sophos
Firewall
In this simulation you will create a
keyword filter, modify the existing
‘Unproductive Browsing’ user
activity, and create user activity for
controlling access to specific
categories of website.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebCategories/1/start.html

In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user
activity, and create user activity for controlling access to specific categories of website.

[Additional Information]

https://training.sophos.com/fw/simulation/WebCategories/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 12

 Content Filters

Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insights into students using keywords related to self-harm, bullying, radicalization or
otherwise inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and
applied to any web filtering policy as an added criteria with actions to log and monitor or block
search results or websites containing the keywords of interest.

Comprehensive reporting is provided to identify keyword matches and users that are searching or
consuming keyword content of interest, enabling proactive intervention before an at-risk user
becomes a real problem.

Keyword lists are plain text files with one term per line.

Configuring Web protection on Sophos Firewall- 13

 Simulation: Create a Web Content Filter on Sophos Firewall

In this simulation you will create a

custom content filter that will be
used to detect web pages that
contain common bullying terms.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/ContentFilter/1/start.html

In this simulation you will create a custom content filter that will be used to detect web pages that
contain common bullying terms.

[Additional Information]

https://training.sophos.com/fw/simulation/ContentFilter/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 14

 Applying Policies

Once you have created your web policy you can apply it in firewall rules.

Configuring Web protection on Sophos Firewall- 15

 Web Policies

If there are options that cannot be enforced, this will be indicated in the firewall rule with a
warning triangle. Hovering over the warning will provide additional information.

Configuring Web protection on Sophos Firewall- 16

 Simulation: Create a Custom Web Policy on Sophos Firewall

In this simulation you will clone and

customize a web policy by adding
additional rules. You will then test
the policy using two different users
and the Policy Test tool.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicy/1/start.html

In this simulation you will clone and customize a web policy by adding additional rules. You will
then test the policy using two different users and the Policy Test tool.

[Additional Information]

https://training.sophos.com/fw/simulation/WebPolicy/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 17

 Additional information in
Web Protection the notes

When any web filtering is enabled Sophos Firewall will:

• Automatically block websites that are identified as containing child sexual abuse content
by the Internet Watch Foundation (IWF)
• Hide the domain name in logs and reports
• Not support any policy or exclusion to allow the sites

We minimize the availability of online sexual abuse content.

Specifically:
• Child sexual abuse content hosted anywhere in the world
• Non-photographic child sexual abuse images hosted in the UK

When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.

No policy or exclusions can be configured to allow these sites, and the domain names will be
hidden in the logs and reports.

[Additional Information]

Find out more about the IWF at https://www.iwf.org.uk

Configuring Web protection on Sophos Firewall- 18

 Additional information in
Protection Settings the notes

There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• And the action to take for unscannable content and potentially unwanted applications.

[Additional Information]

Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use
dual engine scanning.

The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.

Then we must decide on how to handle content that cannot be scanned due to factors such as
being encrypted, or password protected. The safest option is to block this content, but it can be
allowed if required.

An option is available as part of web protection to block Potentially Unwanted Applications from
being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs
list; and this is applied as part of the malware protection in firewall rules.

Configuring Web protection on Sophos Firewall- 19

 Protection Settings

The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.

Configuring Web protection on Sophos Firewall- 20

 Zero-Day Protection

The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.

Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may
need to configure this to remain compliant with data protection laws.

You can also choose to exclude certain types of file from zero-day protection using the predefined
file type options.

Zero-day protection scanning is enabled in the Web filtering section of firewall rules.

Configuring Web protection on Sophos Firewall- 21

 Advanced Settings

On the General settings tab there are also some advanced settings where you can enable web
caching and caching Sophos endpoint updates.

You can also configure some web proxy settings:

• The port that clients should use to configure the Sophos Firewall as an explicit proxy.
• The ports that can be connected to.
• And the minimum TLS version.

Configuring Web protection on Sophos Firewall- 22

 Web Proxy Content Caching

The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites
with limited or slower Internet access; however, the web proxy is required in order to enforce this.

Configuring Web protection on Sophos Firewall- 23

 User Notifications

In the User notifications tab, you can modify the images and text shown on the warn and block
pages. The text can include variables to display the category detected, and to link to suggesting a
different category.

You can preview what the message will look like when users see it using the link.

Configuring Web protection on Sophos Firewall- 24

 Policy Overrides

Web policy overrides settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.

You define which users (for example this could be teachers in an education setting) have the option
to authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you
can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight
into web override use.

Configuring Web protection on Sophos Firewall- 25

 Policy Overrides

Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.

Configuring Web protection on Sophos Firewall- 26

 Policy Overrides

Codes can be shared with end users, who enter them directly into the block page to allow access
to a blocked site.

Configuring Web protection on Sophos Firewall- 27

 Simulation: Delegate Web Policy Overrides on Sophos Firewall
In this simulation you will enable
web policy overrides for Fred
Rogers. You will then create a web
policy override and use the access
code generated to allow John Smith
to access a site that is currently
blocked
LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html

In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web
policy override and use the access code generated to allow John Smith to access a site that is
currently blocked.

[Additional Information]

https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 28

 Exceptions

The exceptions found within the web protection in the Sophos Firewall can be used to bypass
certain security checks or actions for any sites that match criteria specified in the exception. There
are a few predefined exceptions already in Sophos Firewall and more can be created at the
administrator's discretion. It is important to note that exceptions apply to all web protection
policies no matter where they are applied in Sophos Firewall.

Configuring Web protection on Sophos Firewall- 29

 Exceptions

Exceptions can be matched on any combination of:

• URL patterns, which can be either simple strings or regular expressions.
• Website categories.
• Source IP addresses.
• And destination IP addresses.

Please note that many websites have multiple IP addresses, and all of them would need to be
listed. Where multiple matching criteria are used, then the traffic must match all the criteria to
match successfully. You can then select which checks the exception will bypass.

Configuring Web protection on Sophos Firewall- 30

 Chapter Review

Web policy rules can apply to specific users and groups, or anyone. They define the
activities or types of web traffic and have an action to allow, warn, apply quota or
block. A separate action can be applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It
provides an option to use the web proxy or the DPI engine. Some policy options can only
be enforced by the web proxy

Web policy overrides allow authorized users to override blocked sites on user devices,
temporarily allowing access

Here are the three main things you learned in this chapter.

Web policy rules can apply to specific users and groups, or anyone. They define the activities or
types of web traffic and have an action to allow, warn, apply quota or block. A separate action can
be applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It provides an option
to use the web proxy or the DPI engine. Some policy options can only be enforced by the web
proxy.

Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.

Configuring Web protection on Sophos Firewall- 35

Configuring Web protection on Sophos Firewall- 36
 Sophos Firewall Web
Protection Quotas and Traffic
Shaping

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW4035: Sophos Firewall Web Protection Quotas and Traffic Shaping

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 1

 Sophos Firewall Web Protection Quotas and Traffic
Shaping
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to use web policy rule quotas, ✓ Configuring Web Protection on Sophos Firewall
surfing quotas and traffic shaping ✓ Configuring traffic shaping settings
to control web access.

DURATION

7 minutes

In this chapter you will learn how to use web policy rule quotas, surfing quotas and traffic shaping
to control web access.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 2

 Quotas and Traffic Shaping

Web policy rule quotas (category and time-based)

Surfing quotas (time-based)

Traffic shaping (bandwidth-based)

Sophos Firewall can control web access in three ways:

• Using the quota action in web policy rules.

• Applying surfing quotas to groups of users.
• And applying traffic shaping policies.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 3

 Web Policy Rule Quotas

Choose which activities should have a

quota restriction

In the web policy you can set rules to apply a quota action. This will apply to all activities in that
rule.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 4

 Web Policy Rule Quotas
Configure how much quota
time users have per day

Further down in the policy you can configure how much quota time users have per day. All quota
activities share the same pool of quota time.

When a user accesses an activity with a quota, they are asked how much quota time to use now.
This is to prevent quota time being exhausted by websites updating in the background.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 5

 Surfing Quotas
Surfing quotas are applied to users and groups

Surfing quotas are applied to users and groups and are another way to control the amount of time
spent on the Internet. Unlike web policy rule quotas, surfing quotas apply to all Internet traffic.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 6

 Surfing Quotas
Surfing quotas are applied to users and groups

Surfing quotas define an amount of surfing time, which can either be a single amount of time or
cyclic, where the surfing time is reset on a schedule.

Surfing quotas can also have a validity period, which could be useful to guest users. The validity
period defines how long the quota is active for.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 7

 Simulation: Create a Surfing Quota for Guest Users on Sophos
Firewall

In this simulation you will configure

a surfing quota for guest users and
apply it to the ‘Guest Group’. You
will create a guest user and test
your quota policy.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/SurfingQuota/1/start.html

In this simulation you will configure a surfing quota for guest users and apply it to the ‘Guest
Group’. You will create a guest user and test your quota policy.

[Additional Information]
https://training.sophos.com/fw/simulation/SurfingQuota/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 8

 Traffic Shaping

Traffic shaping does not limit the amount of time or data, instead it can either limit or guarantee
how much bandwidth will be available.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 9

 Traffic Shaping

Sophos Firewall supports traffic shaping for several types of policy. In this context, the traffic
shaping would be applied to web categories, but can be applied to users and groups, firewall rules
and applications.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 10

 Traffic Shaping

Applying the traffic shaping

policy to the new category

The example shows a new web category that has been created for www.example.com and has the
traffic shaping policy applied.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 11

 Chapter Review

Using web policies, you can include rules to apply a quota action to all activities. When
a user accesses an activity with a quota, they are asked how much time to use

Surfing quotas are applied to users and groups. Unlike web policy rule quotas, surfing
quotas apply to all Internet traffic

Traffic shaping does not limit the amount of time or data. Instead, it can either limit or
guarantee how much bandwidth will be available. As well as web categories, it can be
applied to users and groups, firewall rules and applications

Here are the main things you learned in this chapter.

Using web policies, you can include rules to apply a quota action to all activities within the rule.
When a user accesses an activity with a quota, they are asked how much time to use.

Surfing quotas are applied to users and groups. Unlike web policy rule quotas, surfing quotas apply
to all Internet traffic.

Traffic shaping does not limit the amount of time or data. Instead, it can either limit or guarantee
how much bandwidth will be available. As well as web categories, it can be applied to users and
groups, firewall rules and applications.

Sophos Firewall Web Protection Quotas and Traffic Shaping - 14

Sophos Firewall Web Protection Quotas and Traffic Shaping - 15