How to roll out a firewall policy
Roll out a policy that allows you to monitor all traffic passing through your network. You will receive traffic reports in the Firewall Event Viewer. Use this information to set up a basic policy.
You should run a phased rollout of the Sophos Client Firewall across your network, that is, roll out Sophos Client Firewall to one group at a time. This will avoid flooding your network with traffic in the initial stages.
Caution: Do not deploy across your entire network until the configuration has been thoroughly checked and tested.
- Deploy Sophos Client Firewall to a test group of computers, which is representative of the various roles in your network.
- Configure a firewall policy to use the Allow by default mode to detect but not block common traffic, applications and processes, and assign the policy to the test group.
- Use the Firewall Event Viewer to view which traffic, applications, and processes are being used. The Event Viewer also allows you to easily create rules that allow or block reported traffic, applications, and processes. You can access the Event Viewer by clicking .
- Monitor firewall events and build up your policy for some time, for example, over a couple of weeks.
- Create rules from the Event Viewer. Right-click on an event to create a rule for it. For more information about creating firewall rules, see the Sophos Enterprise Console help.
- Check for any weaknesses in the policy (for example, giving too much access to some users).
- Where needs differ, subdivide the group and create extra policies and rules as needed.
- Review the rules created via the Event Viewer. An application may trigger multiple firewall events (different events for different actions performed by the application) but an application rule must cover all application actions. For example, an email client may trigger two different events when sending email and receiving email, but an application rule for that client must deal with both these actions.
- Split the rest of your network into manageable groups, representative of the various roles in your network, for example, sales workstations, IT administrator workstations, and so on.
- Once you are satisfied that you have covered everything, for example, when you are no longer getting many new firewall events for which there are no rules, create policies from your rules and assign them as required. If you have a significant number of computers on your network, we recommend that you deploy Sophos Client Firewall to one group at a time.
- Once you've tested the rules, change the policy mode to Block by default; otherwise, computers will remain insecure.
For more information on setting up firewall policy, see the Sophos Enterprise Console help.
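The two review checks in the steps above (an application rule must cover every action the application performs, and the policy is ready when few new events lack rules) can be scripted against exported event data. This is an added example, not part of the Sophos documentation; the event tuples, field layout and application names are constructed for illustration and do not represent a Sophos Enterprise Console export format.

```python
from collections import defaultdict

# Constructed sample events (hypothetical fields, not a Sophos export format):
# (day, computer, application, direction, protocol, remote_port)
EVENTS = [
    (1, "ws-01", "mailclient.exe", "out", "tcp", 587),   # sending mail
    (1, "ws-01", "mailclient.exe", "out", "tcp", 993),   # receiving mail
    (1, "ws-02", "browser.exe", "out", "tcp", 443),
    (2, "ws-02", "mailclient.exe", "out", "tcp", 993),
    (2, "ws-03", "updater.exe", "out", "tcp", 443),
    (3, "ws-01", "browser.exe", "out", "tcp", 443),
    (3, "ws-03", "mailclient.exe", "out", "tcp", 587),
]

# Draft rules (assumed): the mail rule was created from the "receive" event only.
DRAFT_RULES = {
    "mailclient.exe": {("out", "tcp", 993)},
    "browser.exe": {("out", "tcp", 443)},
}

def actions_per_application(events):
    """Collect every distinct action seen for each application."""
    seen = defaultdict(set)
    for _day, _host, app, direction, proto, port in events:
        seen[app].add((direction, proto, port))
    return dict(seen)

def rule_gaps(events, rules):
    """Return, per application, the observed actions that no rule covers."""
    gaps = {}
    for app, actions in actions_per_application(events).items():
        missing = actions - rules.get(app, set())
        if missing:
            gaps[app] = sorted(missing)
    return gaps

def new_gaps_per_day(events, rules):
    """Count first-seen uncovered (application, action) pairs per day."""
    counted, per_day = set(), defaultdict(int)
    for day, _host, app, direction, proto, port in sorted(events):
        key = (app, (direction, proto, port))
        if key[1] not in rules.get(app, set()) and key not in counted:
            counted.add(key)
            per_day[day] += 1
    return dict(per_day)

if __name__ == "__main__":
    print(rule_gaps(EVENTS, DRAFT_RULES))         # rules that need widening or creating
    print(new_gaps_per_day(EVENTS, DRAFT_RULES))  # days with no entry saw nothing new
```

A day that is absent from the second result produced no new uncovered events, which is the signal the steps above use for moving a group towards Block by default.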
Note: As an alternative to monitoring network traffic and creating rules using the Firewall Event Viewer, on a very small network or on single standalone computers running Windows 7 or earlier, you can install Sophos Client Firewall on a test computer and configure it in Interactive mode. Run as many applications used on your network as possible, including web browsers. Then import and edit the firewall configuration containing rules established by that process. For more information, see the Sophos Endpoint Security and Control help.