How to roll out a firewall policy

Start by rolling out a policy that monitors, rather than blocks, the traffic passing through your network. The resulting traffic is reported in the Firewall Event Viewer. Use this information to set up a basic policy before you switch to blocking.

You should run a phased rollout of Sophos Client Firewall across your network, that is, roll out Sophos Client Firewall to one group at a time. This avoids flooding your network with firewall event traffic in the initial stages, and limits the effect of a badly formed rule to one group.

Caution Do not deploy across your entire network until the configuration has been thoroughly checked and tested.
  1. Deploy Sophos Client Firewall to a test group of computers, which is representative of the various roles in your network.
  2. Configure a firewall policy to use the Allow by default mode to detect but not block common traffic, applications and processes, and assign the policy to the test group.
    1. Create a new firewall policy. In Sophos Enterprise Console, in the Policies pane, right-click Firewall and select Create Policy. Give this policy a name, and then double-click it.
      The Firewall Policy wizard appears.
    2. Choose either to use the wizard, by clicking Next, or to configure the policy manually, by clicking Advanced firewall policy.
      • Using the wizard: click Next. Select Single location and click Next. Select Monitor, click Next twice, and then click Finish.
      • Using the Advanced firewall policy option: In the Firewall Policy dialog box, next to Primary location, click Configure. On the General tab, set the working mode to Allow by default. Click OK, and then OK again.
    3. Assign the new firewall policy to the test group.
  3. Use the Firewall Event Viewer to view which traffic, applications, and processes are being used. The Event Viewer also allows you to easily create rules that allow or block reported traffic, applications, and processes. You can access the Event Viewer by clicking Events > Firewall Events.
  4. Monitor firewall events and build up your policy for long enough to capture normal usage, for example, over a couple of weeks. Make sure the period includes infrequent but legitimate activity, such as scheduled backups or month-end processing, or the rules for it will be missing when you switch to blocking.
    1. Create rules from the Event Viewer. Right-click on an event to create a rule for it. For more information about creating firewall rules, see the Sophos Enterprise Console help.
    2. Check for any weaknesses in the policy (for example, rules that allow more traffic than a role needs, or that were created from a one-off event and allow too much).
    3. Where needs differ, subdivide the group and create extra policies and rules as needed.
  5. Review the rules created via the Event Viewer. An application may trigger multiple firewall events (different events for different actions performed by the application) but an application rule must cover all application actions. For example, an email client may trigger two different events when sending email and receiving email, but an application rule for that client must deal with both these actions.
  6. Split the rest of your network into manageable groups, representative of the various roles in your network, for example, sales workstations, IT administrator workstations, and so on.
  7. Once you are satisfied that you have covered everything, for example, when you are no longer getting many new firewall events for which there are no rules, create policies from your rules and assign them as required. If you have a significant number of computers on your network, we recommend that you deploy Sophos Client Firewall to one group at a time.
  8. Once you have tested the rules, change the working mode of each policy to Block by default. Until you do, any traffic that does not match a rule is still allowed, so the computers remain unprotected.
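The review in steps 5 and 7 amounts to checking every reported event against the rules built so far and listing the applications whose rules do not yet cover all of their actions. The following script, an added example that is not part of this page or of Sophos's own tooling, does that check over a constructed sample. It assumes the events have been exported from the Firewall Event Viewer to a CSV with the columns computer, application, direction, protocol and remote_port; that column layout and the rule representation are assumptions, and the sample data, paths and computer names are constructed.

```python
"""Coverage check of exported firewall events against the application rules
built so far (added example, not Sophos code).

Assumed input: a CSV export of the Firewall Event Viewer with the columns
computer, application, direction, protocol, remote_port. The column names
are an assumption; adjust them to match your export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical layout): a mail client that sends
# (587) and receives (993), a browser, and a remote-admin tool on IT-01.
SAMPLE_EXPORT = """computer,application,direction,protocol,remote_port
SALES-01,C:\\Program Files\\Mail\\mail.exe,Outbound,TCP,587
SALES-01,C:\\Program Files\\Mail\\mail.exe,Outbound,TCP,993
SALES-02,C:\\Program Files\\Mail\\mail.exe,Outbound,TCP,993
SALES-02,C:\\Program Files\\Browser\\browser.exe,Outbound,TCP,443
SALES-02,C:\\Program Files\\Browser\\browser.exe,Outbound,TCP,80
IT-01,C:\\Tools\\remote.exe,Inbound,TCP,3389
IT-01,C:\\Tools\\remote.exe,Outbound,TCP,3389
"""

# Rules created so far, as (direction, protocol, remote_port) patterns per
# application path; "*" matches any value. The mail rule was created from the
# "send" event only, so it does not yet cover receiving mail.
SAMPLE_RULES = {
    r"C:\Program Files\Mail\mail.exe": [("Outbound", "TCP", "587")],
    r"C:\Program Files\Browser\browser.exe": [("Outbound", "TCP", "*")],
}

FIELDS = ("direction", "protocol", "remote_port")


def parse_export(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def rule_matches(pattern, event):
    """True if every element of the pattern equals the event field or is "*"."""
    return all(p == "*" or p == event[f] for p, f in zip(pattern, FIELDS))


def uncovered_events(events, rules):
    """Map each application to the distinct (direction, protocol, port)
    tuples for which no rule matches. An application absent from the result
    is fully covered; one present needs its rule widened or a new rule."""
    gaps = defaultdict(set)
    for event in events:
        patterns = rules.get(event["application"], [])
        if not any(rule_matches(p, event) for p in patterns):
            gaps[event["application"]].add(tuple(event[f] for f in FIELDS))
    return dict(gaps)


def computers_with_gaps(events, rules):
    """Which computers generated uncovered events, and for which applications;
    useful when deciding whether a group should be split into separate policies."""
    gaps = uncovered_events(events, rules)
    affected = defaultdict(set)
    for event in events:
        key = tuple(event[f] for f in FIELDS)
        if key in gaps.get(event["application"], set()):
            affected[event["computer"]].add(event["application"])
    return dict(affected)


def coverage_ratio(events, rules):
    """Fraction of events already matched by a rule. When this stops rising
    between monitoring periods, the policy is ready for Block by default."""
    covered = sum(
        any(rule_matches(p, e) for p in rules.get(e["application"], []))
        for e in events
    )
    return covered / len(events) if events else 1.0


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for app, missing in sorted(uncovered_events(events, SAMPLE_RULES).items()):
        print(app)
        for direction, proto, port in sorted(missing):
            print(f"  no rule for {direction} {proto} port {port}")
    print("affected computers:", computers_with_gaps(events, SAMPLE_RULES))
    print(f"coverage: {coverage_ratio(events, SAMPLE_RULES):.0%}")
```

On the sample, the mail client is reported with one uncovered action (receiving on port 993) even though it already has a rule, which is exactly the case described in step 5, and remote.exe has no rule at all. Rerunning the check on each new export and watching the coverage ratio level off gives a concrete version of the "no longer getting many new events without rules" criterion in step 7.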

For more information on setting up firewall policy, see the Sophos Enterprise Console help.

Note As an alternative to monitoring network traffic and creating rules using the Firewall Event Viewer, on a very small network or on single standalone computers running Windows 7 or earlier, you can install Sophos Client Firewall on a test computer and configure it in Interactive mode. Run as many of the applications used on your network as possible, including web browsers, and answer the prompts. Then import and edit the firewall configuration containing the rules established by that process. For more information, see the Sophos Endpoint Security and Control help.