Flavors
This section provides information about different flavors available for XG Firewall.
Administrative access
This section provides information on how to access XG Firewall.
Keep track of currently signed-in local and remote users, current IPv4, IPv6, IPsec, SSL, and wireless connections.
Live users
Live users are users who are currently signed in to XG Firewall.
Live connections
Use the Live connections page to view a list of all currently active IPv4 connections.
Live connections IPv6
Use the Live connections IPv6 page to view a list of all currently active IPv6 connections.
IPsec connections
The page displays a list of all connected IPsec tunnels. You can filter the list by connection name, local server
name, local subnet, user name, remote server/host, or remote subnet.
Remote users
Use the Remote users page to view a list of active remote users.
Reports provide a unified view of network activity for the purpose of analyzing traffic and threats and complying with regulatory
bodies. For example, you can view a report that includes all web server protection activities taken by the firewall, such
as blocked web server requests and identified viruses.
Dashboards
View information about network traffic passing through the firewall and security threats.
Applications & web
View information about application and internet usage on your network.
Network & threats
View information about network usage and associated threats.
VPN
View information about remote users connecting to your network using IPsec VPN, SSL VPN, and clientless access.
Email
View information about email traffic on your network.
Compliance
View information about regulatory compliance.
Custom
Create reports that include only the criteria that you specify.
Bookmarks
Bookmarks allow you to access frequently used reports quickly. For example, you may need to refer to a report that identifies
intrusion attacks for a specified period to isolate a specific threat.
Report settings
Report settings let you specify configuration options for reports. For example, you can specify data to show in custom reports
and manage report schedules for all report groups. Other options let you specify data retention times and purge data.
This menu lets you check the health of your device at a glance. You can use the information to troubleshoot and diagnose
problems found on your device.
Tools
Using the Tools page, you can view statistics to diagnose connectivity and network problems and test network communication.
It assists in troubleshooting issues such as hangs, packet loss, connectivity failures, and discrepancies in the network.
System graphs
The System graphs page displays graphs of system-related activity for different time intervals.
Support access
Use the Support access page to allow a Sophos Support team member to temporarily access your firewall for troubleshooting
purposes.
Firewall rules implement control over users, applications, and network objects in an organization. Using the firewall
rule, you can create blanket or specialized traffic transit rules based on the requirement. The rule table enables
centralized management of firewall rules.
User/Network rule
A User/Network rule defines access rights and protection for network objects and hosts. In a nutshell, if you want
to control traffic by source, service, destination, or zone, use a network rule. Additionally, the administrator has
the option to attach a user identity to a rule in order to customize access for assorted hosts and servers. Such an identity-based
rule is considered a user rule.
Business application rule
A Business application rule protects internally or publicly hosted business applications or servers, such as Salesforce
and SharePoint.
With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and spoofing attacks. Using
policies, you can define rules that specify an action to take when traffic matches signature criteria. You can specify
protection on a zone-specific basis and limit traffic to trusted MAC addresses or IP–MAC pairs. You can also create
rules to bypass DoS inspection.
DoS attacks
DoS attack status allows you to see if traffic limits have been applied and the amount of data dropped after the limit
has been exceeded. The firewall applies the traffic limits specified in DoS settings and logs the corresponding events.
Data is available for the source and destination in real time.
IPS policies
With IPS policies, you can prevent network attacks using rules. The firewall enforces the actions specified in the rules
and logs the corresponding events. The set of default policies prevents network attacks for several common types of traffic.
You can create custom policies with rules that meet your traffic requirements.
Custom IPS signatures
With custom signatures, you can protect your network from vulnerabilities related to network objects such as servers,
protocols, and applications. You can create custom signatures and later add them to IPS policy rules.
DoS & spoof protection
To prevent spoofing attacks, you can restrict traffic to only that which matches recognized IP addresses, trusted MAC addresses,
and IP–MAC pairs. You can also set traffic limits and flags to prevent DoS attacks and create rules to bypass DoS inspection.
The firewall logs dropped traffic.
Web protection keeps your company safe from attacks that result from web browsing and helps you increase productivity.
You can define browsing restrictions with categories, URL groups, and file types. By adding these restrictions to policies,
you can block websites or display a warning message to users. For example, you can block access to social networking sites
and executable files. General settings let you specify scanning engines and other types of protection. Exceptions let
you override protection as required for your business needs.
Policies
With web policies, you can create rules to control end users’ web browsing activities. Policies take effect when you
add them to firewall rules. The default set of policies specifies some common restrictions. You can modify one of
the default policies to fit your requirements or create new policies.
User activities
User activities combine web categories, file types, and URL groups in one container. You can include user activities in
policies to control access to websites or files that match any of the criteria specified.
Categories
With web categories, you can organize and classify domains and keywords in a container. You can use categories within
policies to control access to websites.
URL groups
URL groups contain one or more domains that you can use in web policies to control access to websites.
Exceptions
With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless
of any policies in effect. For example, you can create an exception to skip HTTPS decryption for sites that contain confidential
data. The default set of exceptions allows software updates and other important functions for well-known websites without
being affected by web filtering.
General settings
The firewall scans HTTP(S) and FTP traffic for threats as specified by your firewall rules and for inappropriate web usage
when a web policy is selected for a rule. These settings apply only to traffic that matches firewall rules with these options
set. You can specify the type of scanning, maximum file size to be scanned, and additional checking. You can also create
policy overrides to allow end users to access otherwise blocked websites.
File types
A file type is a classification that is determined by file extension or MIME type. You can include file types in web and
email policies to control access to files. The default types contain some common criteria and you can create additional
types.
Surfing quotas
Surfing quotas let you control users' internet access through access settings. A quota specifies whether access is granted on
a cyclical (repeating) or non-cyclical (one-time) basis and how much access time is allowed. The default quotas cover
commonly used cases such as unlimited access and blocked access.
User notifications
The firewall displays a notification to users when a web policy is set to block access or warn before connecting.
Content filters
A content filter is a named list of terms. You can use content filters in policies to restrict access to websites
that contain any of the terms listed. The default set of filters includes terms that are blocked by many organizations.
Enhancing web protection
You may want to use scanning behavior that is stronger than the default. To do this, you select a scanning engine,
specify maximum file size, and enable other options.
Customizing web protection
Sometimes you may need to customize web protection settings for certain categories of traffic or certain domains. For example,
you may not want to decrypt HTTPS traffic for financial services websites because they contain sensitive financial data. You
also may want to skip malware scanning and Sandstorm analysis for sites that you know are low-risk. You can specify this behavior
using exceptions.
Controlling access to websites
Many organizations need to control access to certain categories, and often the access varies according to user group.
For example, you may wish to allow some users to access websites that are blocked by the default workplace policy.
Blocking content using a list of terms
You may want to block all users from accessing websites that contain terms that your company considers offensive.
To do this, you create a list of terms and apply it in a policy.
Application protection helps keep your company safe from attacks and malware that result from application traffic exploits.
You can also apply bandwidth restrictions and restrict traffic from applications that lower productivity. Application
filters allow you to control traffic by category or on an individual basis. With synchronized application control, you
can restrict traffic on endpoints that are managed with Sophos Central. Managing cloud application traffic is also supported.
Application filter
With application filter policies, you can control access to applications for users behind the firewall. Policies specify
access to application categories or individual applications using rules. The default set of policies includes some commonly
used restrictions. You can also create custom policies according to the requirements of your organization.
Synchronized Application Control
Synchronized Application Control monitors all applications on endpoints connected through Security Heartbeat. Detected
applications are displayed here. You can see newly detected applications, hide known applications, sort applications
into categories, and control their traffic through application filters. Synchronized Application Control supports
up to 10,000 apps.
Cloud applications
By analyzing cloud application traffic, you can mitigate the risks posed by cloud application usage. Options allow
you to classify traffic and apply a traffic shaping policy.
Application list
The application list contains many commonly used applications. You can sort applications according to their category,
risk, technology, characteristics, and classification.
Traffic shaping default
You can implement bandwidth restrictions using traffic shaping policies. You can apply default traffic shaping policies
to categories or individual applications.
Blocking high-risk applications
To guard their networks against malware, many organizations need to control access to applications that are considered
high risk. You can create policies to restrict traffic to all applications categorized as high risk. When the application
signature database is updated, new applications are automatically added to application filters and
firewall rules. For example, if a new signature is added for a high-risk application and there is already
an application filter that blocks all high-risk applications, the new application will be blocked.
Wireless protection lets you define wireless networks and control access to them. The firewall supports the latest
security and encryption, including rogue access point scanning and WPA2. Wireless protection allows you to configure and
manage access points, wireless networks, and clients. You can also add and manage mesh networks and hotspots.
Wireless settings
Use these settings to enable wireless protection, to set notification time-out, and to configure a RADIUS
server for enterprise authentication.
Wireless client list
The wireless client list displays all clients that are currently connected to a wireless network through
an access point. You can view clients by access point or SSID. Connection characteristics such as signal strength and frequency
are also displayed.
Wireless networks
A wireless network provides common connection settings for wireless clients. These settings include SSID,
security mode, and the method for handling client traffic.
Access points
A wireless access point (WAP) is a hardware device that allows Wi-Fi clients to connect to your wired
network. The firewall obtains configuration and status details from access points using AES-encrypted communication. Use
these settings to allow Sophos access points to connect to your network and to manage the access points on your
network.
Rogue AP scan
A rogue access point refers to any access point connected to your network without authorization. Attackers can use rogue access
points for traffic sniffing and other purposes such as man-in-the-middle attacks. You can mitigate these threats by scanning
the access points on your network and marking unauthorized access points as rogue access points.
Access point groups
With access point groups, you can assign wireless networks and specify VLAN tagging to a group of access
points. Groups provide a convenient method of managing wireless networks for several access points, rather than individually.
Mesh networks
A mesh network is a network topology in which each node relays data for the network, allowing the network
to extend over a large area. In a mesh network, access points can act as root or as mesh nodes. You can deploy a mesh
network as a wireless repeater or as a wireless bridge.
Hotspots
A hotspot is a network node that provides internet connectivity using a Wi-Fi device such as a wireless
router. Hotspots are typically used to provide guest access in public areas. When you add an interface to a hotspot, the
associated access points act as hotspots. Hotspots support a full suite of protection features and authentication
methods.
Hotspot settings
Use these settings to configure various hotspot settings such as deletion options and certificates to
use for HTTPS authentication.
Hotspot voucher definition
Hotspot voucher definitions specify network access. You can use voucher definitions to limit the validity period, time
quota, and data volume for users who have access to voucher-type hotspots.
Deploying a mesh network
We want to deploy a mesh network that contains one root access point and one mesh access point.
Deploying a wireless network as a separate zone
We want to create a wireless network for guests that allocates IP addresses from a defined range. We want to prevent
access by hosts that we know to be sources of malware.
Deploying a wireless network as a bridge to an access point LAN
We want wireless clients to use the same address range as an access point LAN.
Deploying a hotspot with a custom sign-in page
We want to create a hotspot with a customized sign-in page for the end-user.
Provide guest access using a hotspot voucher
We want to allow guests to access a wireless network using a voucher.
With email protection, you can manage email routing and relay and protect domains and mail servers. You can specify SMTP/S,
POP/S, and IMAP/S policies with spam and malware checks, data protection, and email encryption.
You can protect web servers against Layer 7 (application) vulnerability exploits. These attacks include cookie, URL, and
form manipulation. Use these settings to define web servers, protection policies, and authentication policies for use in
Web Application Firewall (WAF) rules. General settings allow you to protect web servers against slow HTTP attacks.
Web servers
Define the servers to be protected. Web servers specify a host, a type, and other connection settings. You can protect
plain text (HTTP) and encrypted (HTTPS) servers.
Protection policies
Using policies, you can define protection against vulnerability exploits such as cookie, URL, and form manipulation. Policies
also mitigate common threats such as protocol violations and cross-site scripting (XSS) attacks. The firewall provides
default policies for use with some common web services.
Authentication policies
Using authentication policies, you can provide basic or form-based reverse-proxy authentication for your web servers.
You can also use them to control access to the paths specified in firewall rules. The firewall supports basic HTTP
authentication as described in RFC 7617. Authentication policies specify an authentication method and users.
Authentication templates
Authentication templates define HTML forms for use in form-based authentication policies.
General settings
You can configure slow HTTP protection and set the TLS version.
Protecting a web server against attacks
You can protect a web server against attacks using a business application rule.
Advanced threat protection allows you to monitor all traffic on your network for threats and take appropriate action,
for example, drop the packets. You can also view Sandstorm activity and the results of any file analysis. Use these results
to determine the level of risk posed to your network by releasing these files.
Advanced threat protection
Advanced threat protection analyzes incoming and outgoing network traffic for threats. Using ATP, you can quickly detect
compromised clients in your network and log or drop the traffic from those devices.
Sandstorm activity
Activity records provide basic information such as the date and time on which files or email messages containing suspicious
attachments were sent to Sandstorm. They also indicate analysis and release status. Use the links provided to view report
details and release files or email messages.
Sandstorm settings
Use these settings to specify a data center and to exclude files from Sandstorm analysis.
Central synchronization
By synchronizing with Sophos Central, you can use Security Heartbeat to enable devices on your network to
share health information. Synchronized Application Control lets you detect and manage applications in your network.
Additionally, you can manage your XG Firewall devices centrally through Sophos Central.
Security Heartbeat
Security Heartbeat is a feature that allows endpoints and firewalls to communicate their health status with each other.
Find the details on how it works, what different health statuses there are, and what they mean.
A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint to another over a public
network such as the internet. VPN allows users to transfer data as if their devices were directly connected to a private network.
You can use a VPN to provide secure connections from individual hosts to an internal network and between networks. VPNs are
commonly used to secure communication between off-site employees and an internal network and from a branch office to the company
headquarters.
IPsec connections
Internet Protocol Security (IPsec) is a suite of protocols that support cryptographically secure communication at the
IP layer. With IPsec connections, you can provide secure access between two hosts, two sites, or remote users and a LAN.
The firewall supports IPsec as defined in RFC 4301. Use these settings to create and manage IPsec connections and to configure failover.
SSL VPN (remote access)
With remote access policies, you can provide access to network resources by individual hosts over the internet using point-to-point
encrypted tunnels. Remote access requires SSL certificates and a user name and password.
SSL VPN (site-to-site)
With a site-to-site SSL VPN, you can provide access between internal networks over the internet using point-to-point encrypted
tunnels. The tunnel endpoints act as either client or server. The client initiates the connection, and the server responds
to client requests. This contrasts with IPsec where both endpoints can initiate a connection. An SSL VPN can connect from
locations where IPsec encounters problems due to network address translation and firewall rules.
Sophos Connect client
Sophos Connect client is VPN software that runs on Microsoft Windows 7 SP2 and later, and Mac OS 10.12 and later.
It establishes highly secure, encrypted VPN tunnels for off-site employees.
L2TP (remote access)
The Layer Two Tunneling Protocol (L2TP) enables you to provide connections to your network through private tunnels over the
internet. The firewall supports L2TP as defined in RFC 3931.
Clientless access
Allow users to access services and areas on your network such as remote desktops and file shares using only a browser, and
without the need for additional plug-ins. Clientless access policies specify users (policy members) and bookmarks.
Bookmarks
Bookmarks specify a URL, a connection type, and security settings. Use bookmarks with clientless access policies to give
users access to your internal networks or services. For example, you may want to provide access to file shares or allow
remote desktop access. Users can access bookmarks through the VPN page in the user portal.
Bookmark groups
Bookmark groups allow you to combine bookmarks for easy reference. For example, you can create a group containing all of the
bookmarks for remote desktops so that you do not need to specify access on an individual basis.
PPTP (remote access)
Using the Point-to-Point Tunneling Protocol (PPTP), you can provide connections to your network through private tunnels
over the internet. The protocol itself does not describe encryption or authentication features. However, the firewall
supports several authentication options including Password Authentication Protocol (PAP), Challenge Handshake Authentication
Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAPv2). The firewall supports PPTP as
described in RFC 2637.
IPsec policies
Internet Protocol Security (IPsec) profiles specify a set of encryption and authentication settings for Internet Key
Exchange (IKE). You can use profiles when setting up IPsec or L2TP connections. The default set of profiles supports some
commonly used VPN deployment scenarios.
VPN settings
Define the settings required for remote access using SSL VPN and L2TP. These include protocols, server certificates, and
IP addresses for clients.
Configure IPsec remote access VPN with Sophos Connect client
You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.
Creating a remote access SSL VPN
We want to configure and deploy a connection to enable remote users to access a local network. The VPN establishes
an encrypted tunnel to provide secure access to company resources through TCP on port 443.
Creating a site-to-site SSL VPN
We want to establish secure, site-to-site VPN tunnels using an SSL connection. This VPN allows a branch office to connect
to the head office. Users in the branch office will be able to connect to the head office LAN.
Creating a site-to-site IPsec VPN
We want to create and deploy an IPsec VPN between the head office and a branch office. We use a preshared key for
authentication.
Network objects let you enhance security and optimize performance for devices behind the firewall. You can use these settings
to configure physical ports, create virtual networks, and support Remote Ethernet Devices. Zones allow you to group interfaces
and apply firewall rules to all member devices. Network redundancy and availability are provided by failover and load balancing.
Other settings allow you to provide secure wireless broadband service to mobile devices and to configure advanced support
for IPv6 device provisioning and traffic tunnelling.
Interfaces
The firewall is shipped with physical and virtual interfaces. A physical interface is a port, for example, Port1, PortA, or
eth0. A virtual interface is a logical representation of an interface that lets you extend your network using existing ports.
You can bind multiple IP addresses to a single physical interface using an alias. You can also create and configure
interfaces that support Remote Ethernet Devices.
Zones
A zone is a grouping of interfaces. Zones also specify the services that can be used to administer devices and authenticate
users. When used with firewall rules, zones provide a convenient method of managing security and traffic for a group of
interfaces.
WAN link manager
The WAN link manager allows you to configure gateways to support failover and load balancing.
DNS
You can obtain the address of a DNS server from a DHCP or PPPoE server, or you can specify static DNS servers. Other options
allow you to resolve requests for specific hosts using a specified IP address and to resolve requests for external domains
using DNS servers on your network.
DHCP
The firewall supports the Dynamic Host Configuration Protocol as defined in RFC 2131 (IPv4) and RFC 3315 (IPv6). You can
use DHCP servers to dynamically allocate unique IP addresses to devices on a network. Using a DHCP relay, you can provide
dynamic address allocation for clients that are not on the same subnet as the DHCP server. You can also view lease records.
IPv6 router advertisement
The firewall supports stateless address auto-configuration (SLAAC) for IPv6 devices. Using SLAAC, IPv6 devices automatically
create unique link-local addresses for IPv6 enabled interfaces, and clients use router advertisement messages to configure
their own IP address automatically.
Cellular WAN
Cellular WAN networks provide secure wireless broadband service to mobile devices.
IP tunnels
An IP tunnel is a mechanism that encapsulates one network protocol as a payload for another network protocol. Using a tunnel,
you can encapsulate an IPv6 packet into an IPv4 packet for communication between IPv6-enabled hosts/networks over an IPv4
network, or vice versa.
Neighbors (ARP–NDP)
The firewall uses the Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) to enable communication between
hosts residing on the same subnet. Using these protocols, the firewall creates IP/MAC mappings and stores them in neighbor
caches. Static mappings are also supported. The firewall uses cached entries to detect neighbor poisoning attempts.
Dynamic DNS
Dynamic DNS (DDNS) enables you to access the firewall when it is provisioned with a dynamic IP address.
Creating a site-to-site RED tunnel
Set up a site-to-site RED tunnel between two Sophos XG Firewall devices without deploying a RED device. In
this type of configuration, one device acts as the server and the other as the client.
Deploying a RED manually
To deploy RED devices manually, you need to download the provisioning file for the RED interface and save it to a
USB stick.
This section provides options to configure both static and dynamic routes.
You can set up authentication using an internal user database or third-party authentication service. To authenticate themselves,
users must have access to an authentication client. However, they can bypass the client if you add them as clientless users.
The firewall also supports two-factor authentication, transparent authentication, and guest user access through a captive
portal.
Servers
External servers authenticate users who are attempting to access the firewall and associated services.
Use these settings to define servers and manage access to them.
Services
Select the authentication servers for the firewall and other services such as VPN. You can also configure
global authentication settings, NTLM settings, web client settings, and RADIUS single sign-on settings. Web policy
actions let you specify where to direct unauthenticated users.
Groups
Groups contain policies and settings that you can manage as a single unit. With groups, you can simplify
policy management for users. For example, you may want to create a grouping of settings that specifies a surfing quota
and limits the access time for guest users.
Users
The firewall distinguishes between end users, who connect to the internet from behind the firewall, and
administrator users, who have access to firewall objects and settings.
One-time password
You can implement two-factor authentication using one-time passwords, also known as passcodes. Passcodes
are generated by Sophos Authenticator on a mobile device or tablet without the need for an internet connection. When users
log on, they must provide a password and a passcode.
Captive portal
The captive portal is a browser interface that requires users behind the firewall to authenticate when
attempting to access a website. After authenticating, the user proceeds to the address or the firewall redirects the user
to a specified URL. Use these settings to customize the appearance and contents of the captive portal. For example, you
can specify your company logo and custom button text.
Guest users
Guest users are users who do not have an account and want to connect to your network in order to access
the internet. You can add (register) guest users or allow them to register themselves through the guest
user portal. You can print credentials or send them through SMS. After authentication, the guest user is granted access
according to the selected policies or is redirected to the captive portal.
Clientless users
Clientless users are not required to authenticate using a client to access the internet. Instead, the
firewall authenticates these users by matching a user name to an IP address.
Guest user settings
Guest users are users who do not have an account and want to connect to your network in order to access
the internet. You can add (register) guest users or allow them to register themselves through the guest
user portal. Use these settings to enable guest users to register through the guest user registration page and to configure
guest user authentication settings and default group.
Client downloads
Use these settings to download the clients and components that support single sign-on, transparent authentication,
and email encryption.
STAS
Sophos Transparent Authentication Suite (STAS) enables users on a Windows domain to sign in to XG Firewall automatically
when signing in to Windows. This eliminates the need for multiple sign-ins and for SSO clients on each client device.
Configuring two-factor authentication
Two-factor authentication ensures that only users with trusted devices can log on. To provide two-factor authentication,
you configure the OTP service. Then, end-users scan tokens and obtain passcodes using Sophos Authenticator.
Deploying OTP tokens manually
In some cases, you may need to provide an OTP token to an end-user manually, even when the service is set to create
tokens automatically. These cases include, for example, when a user doesn’t have access to Sophos Authenticator. To
do this, you configure the OTP service and deploy a token manually. Then, the user obtains the token through
the captive portal.
Configuring Active Directory authentication
You can add existing Active Directory users to the firewall. To do this, you add an AD server, import groups, and
set the primary authentication method.
Configuring LDAP authentication
You can add existing LDAP users to the firewall. Adding the users to a dedicated group allows you to specify policies
for these users. You add a group, add an LDAP server, and set the primary authentication method.
Configuring RADIUS authentication
You can add existing RADIUS users to the firewall. To do this, you add a RADIUS server and set the primary authentication
method.
Configuring transparent authentication using STAS
Sophos Transparent Authentication Suite (STAS) provides clientless SSO. You can integrate STAS in an environment
with a single Active Directory server.
Configuring Chromebook single sign-on
Learn how to configure XG Firewall to sign in Chromebook users to XG Firewall at the time they sign in to
their Chromebook.
Use system services to configure the RED provisioning service, high availability, and global malware protection settings.
Other options let you view bandwidth usage and manage bandwidth to reduce the impact of heavy usage. Using log settings,
you can specify system activity to be logged and how to store logs. Data anonymization lets you encrypt identities in
logs and reports.
High availability
High availability refers to the hardware configuration and settings that allow the firewall to keep operating through a
power loss, disk failure, or similar event.
Traffic shaping settings
Use these settings to specify maximum bandwidth, traffic optimization, and bandwidth allocation for internet-bound traffic.
RED
A Remote Ethernet Device is a network appliance that provides a secure tunnel between a remote site and
the firewall. The RED provisioning service supports RED deployment and provides security options.
Malware protection
Specify global malware protection settings.
Log settings
The firewall provides extensive logging capabilities for traffic, system, and network protection functions. You can
use logs to analyze network activity to help identify security issues and reduce network abuse. You can store logs
locally or send them to syslog servers. The firewall supports syslog as defined in RFC 5424.
Notification List
You can send alerts to an administrator about system-generated events through email notifications and SNMP traps.
Data anonymization
Using data anonymization, you can encrypt identities in logs and reports. Identities include user names, IP addresses,
MAC addresses, and email addresses. When you enable data anonymization, you specify one or more administrators who are
authorized to de-anonymize the data. You can exclude specific identities from anonymization using exceptions.
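The properties that matter here are that the same identity always maps to the same placeholder (so reports still correlate activity), that only designated administrators can reverse the mapping, and that listed exceptions stay in clear. The following is an added example, not the firewall's own mechanism, implementing those properties with keyed pseudonymization (HMAC-SHA256 tags plus a mapping table held for the authorized administrators) rather than the encryption the page mentions. The log field names (user, src_ip, dst_ip, src_mac, email) and the sample lines are constructed for the example.

```python
"""Keyed pseudonymization of identities in key=value log lines, reversible only
for authorized administrators. Added example; field names and log lines are
constructed and the scheme is not the firewall's own."""
import hashlib
import hmac
import re
import secrets

IDENTITY_FIELDS = ("user", "src_ip", "dst_ip", "src_mac", "email")  # assumed field names
# field=value or field="value"; group 2 remembers whether the value was quoted
_FIELD = re.compile(r'\b(%s)=("?)([^"\s]+)\2' % "|".join(IDENTITY_FIELDS))
_PSEUDONYM = re.compile(r"anon-[0-9a-f]{12}")

# Constructed sample lines, not real firewall output.
LOG_LINES = [
    'log_id=010101600001 user="alice" src_ip=10.0.1.25 dst_ip=203.0.113.10 action=allow',
    'log_id=010101600001 user="alice" src_ip=10.0.1.25 dst_ip=10.0.1.1 action=allow',
    'log_id=010102600002 user="bob" src_ip=10.0.1.30 email="bob@example.com" action=deny',
]


class Anonymizer:
    def __init__(self, key: bytes, authorized_admins, exceptions=()):
        self.key = key                                  # secret; rotating it changes every pseudonym
        self.authorized_admins = set(authorized_admins)  # who may de-anonymize
        self.exceptions = set(exceptions)               # identities always reported in clear
        self.mapping = {}                               # pseudonym -> real identity

    def pseudonym(self, field: str, value: str) -> str:
        """Deterministic: the same identity gets the same pseudonym, so reports still
        group a user's activity. The key prevents guessing identities by hashing candidates."""
        tag = hmac.new(self.key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
        p = f"anon-{tag}"
        self.mapping[p] = value
        return p

    def anonymize(self, line: str) -> str:
        def repl(m):
            field, q, value = m.group(1), m.group(2), m.group(3)
            if value in self.exceptions:
                return m.group(0)
            return f"{field}={q}{self.pseudonym(field, value)}{q}"
        return _FIELD.sub(repl, line)

    def deanonymize(self, line: str, admin: str) -> str:
        """Only an authorized administrator gets the identities back; unknown pseudonyms are left as-is."""
        if admin not in self.authorized_admins:
            raise PermissionError(f"{admin} is not authorized to de-anonymize")
        return _PSEUDONYM.sub(lambda m: self.mapping.get(m.group(0), m.group(0)), line)


def anonymize_all(lines, anonymizer: Anonymizer):
    return [anonymizer.anonymize(line) for line in lines]


if __name__ == "__main__":
    a = Anonymizer(secrets.token_bytes(32), authorized_admins={"secadmin"}, exceptions={"10.0.1.1"})
    for out in anonymize_all(LOG_LINES, a):
        print(out)
    print(a.deanonymize(a.anonymize(LOG_LINES[2]), "secadmin"))
```

Keep the key and the mapping table out of the log store itself; whoever holds both can reverse every line, which is exactly the privilege the authorized-administrator list is meant to confine.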
Traffic shaping
Using traffic shaping policies, you can manage bandwidth and prioritize network traffic to reduce the impact of heavy
bandwidth usage. Policies specify an association type. For example, you can create policies that restrict bandwidth
for users or for applications. You can limit when a policy is in effect by specifying a schedule.
Services
View system service status and manage services.
Profiles allow you to control users’ internet access and administrators’ access to the firewall. You can define schedules,
access time, and quotas for surfing and data transfer. Network address translation allows you to specify public IP addresses
for internet access. You can specify levels of access to the firewall for administrators based on work roles.
Schedule
Schedules specify the duration for which rules and policies are in effect. You can create recurring and one-time schedules.
You can then apply these to firewall rules, web, application, traffic shaping, and access time policies, and trigger scans
for rogue access points. The firewall specifies some commonly used default schedules.
Access time
With access time, you can control internet access for users, groups, and guest users. You can allow or deny internet access
based on a scheduled time period. The firewall specifies some commonly used default policies.
Surfing quotas
Surfing quotas control how much time users may spend accessing the internet. Quotas apply on a cyclical
(repeating) or non-cyclical (one-time) basis and specify the access time allowed. The default quotas include
commonly used settings such as unlimited access and a quota that blocks access.
Network traffic quota
With network traffic quota policies, you can control data transfer by users and groups. You can specify quotas for total
data transfer or individually for upload and download. Quotas can be cyclic and non-cyclic. Cyclic policies can have quotas
for the cycle and for maximum traffic. The firewall specifies some commonly used default quotas.
Network address translation
With network address translation (NAT) policies, you can allow internal hosts to access the internet through the firewall's
public IP addresses. The firewall maps internal IP addresses to the public IP addresses.
Device access
With device access, you can create role-based access to the firewall for administrators. The default set of profiles specifies
privileges for a super administrator and for some common administrator roles. You can create custom profiles and specify
the privileges.
Hosts and services lets you define and manage system hosts and services.
IP host
The IP host page displays the list of all the dynamic hosts, default hosts and manually added hosts.
IP host group
The IP host group page displays the list of all the host groups.
MAC host
The device allows you to assign a hostname to one or more MAC addresses.
FQDN host
The FQDN host page displays the list of all the available FQDN hosts.
FQDN host group
FQDN host group allows you to add individual FQDN hosts to one or more host groups.
Services
The Services page displays the list of all the default and custom services.
Service group
The Service group page displays the list of all the default and custom service groups.
Administration allows you to manage device licenses and time, administrator access, centralized updates, network bandwidth
and device monitoring, and user notifications.
Device access
Device access allows you to limit administrator and user access to certain services from custom and default zones
(LAN, WAN, DMZ, VPN, Wi-Fi).
Admin settings
Admin settings lets you modify the admin port settings and sign-in parameters. Customize the sign-in parameters to restrict
local and remote user access for a specified duration.
Central management
Sophos Firewall Manager (SFM), Sophos Central Firewall Manager (CFM), or Sophos Central can centrally manage your Sophos
XG Firewall (device). Central management allows you to configure keep-alive requests and to enable configuration and
signature updates of the device through the firewall manager.
Time
You can set the time and date to the device’s clock or synchronize the device with a Network Time Protocol (NTP) server.
Notification settings
Configure a mail server and email settings to send and receive alert emails.
Netflow
Netflow allows you to add, update, or delete Netflow servers. The device exports Netflow records, which describe the source,
destination, and volume of traffic, to the Netflow server so you can monitor bandwidth usage and traffic flow. The records
help you identify the protocols, policies, interfaces, and users consuming the most bandwidth. Analysis tools such as
Open Source Data Analyzer and PRTG can generate reports from the Netflow records.
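What the collector actually receives is a UDP datagram of fixed-layout flow records, and "who is consuming the bandwidth" is a sum over those records. The following is an added example, not code from the page, from Sophos, or from any collector product: it decodes NetFlow version 5 packets (the version is an assumption; the page does not state which version the device exports), applies the header's sampling interval, and ranks sources by bytes. The sample flows are constructed, and the packet is built by the example's own encoder so it runs offline.

```python
"""Decode NetFlow v5 export packets and rank talkers by bytes. Added example;
the v5 layout is the standard one, the sample flows are constructed, and the
choice of v5 is an assumption about the exporter."""
import ipaddress
import socket
import struct
from collections import Counter

# v5 header: version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#            engine_type, engine_id, sampling_interval (24 bytes)
V5_HEADER = struct.Struct("!HHIIIIBBH")
# v5 record: src, dst, nexthop, input, output, dPkts, dOctets, first, last, srcport,
#            dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2 (48 bytes)
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # v5 exporters never put more than 30 records in one datagram

# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    {"src": "10.0.1.25", "dst": "203.0.113.10", "sport": 51234, "dport": 443, "proto": 6, "packets": 400, "bytes": 500000},
    {"src": "10.0.1.30", "dst": "203.0.113.10", "sport": 51235, "dport": 443, "proto": 6, "packets": 900, "bytes": 1200000},
    {"src": "10.0.1.25", "dst": "198.51.100.7", "sport": 40000, "dport": 53, "proto": 17, "packets": 2000, "bytes": 250000},
]


def build_v5(flows, unix_secs=1709633730, sampling_interval=0) -> bytes:
    """Encode flows as one v5 datagram (used here only to produce sample input)."""
    header = V5_HEADER.pack(5, len(flows), 0, unix_secs, 0, 0, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
                       1, 2, f["packets"], f["bytes"], 0, 0, f["sport"], f["dport"],
                       0, f.get("tcp_flags", 0), f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body


def decode_v5(packet: bytes) -> list:
    """Validate the header against the datagram length and return one dict per flow."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, unix_secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not fit the datagram")  # never trust count blindly
    # top two bits of sampling_interval are the mode; the low 14 bits are the 1-in-N interval
    scale = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport, _p1, flags, proto = rec[:14]
        flows.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts * scale, "bytes": octets * scale,  # scaled back up for sampled exports
            "exported_at": unix_secs, "sequence": seq,
        })
    return flows


def top_talkers(flows, n=5, key="src"):
    """Total bytes per source (or destination), largest first."""
    totals = Counter()
    for f in flows:
        totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for ip, total in top_talkers(decode_v5(build_v5(SAMPLE_FLOWS))):
        print(f"{ip:16} {total:>12} bytes")
```

NetFlow travels over UDP with no authentication, so a collector should bind to an interface the exporter can reach and filter on the exporter's source address; the length check above is what stops a malformed datagram from turning into an out-of-range read.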
Firmware
You can manage firmware versions and install hotfixes on XG Firewall.
Certificates lets you add certificates, certificate authorities, and certificate revocation lists.
Certificate revocation lists
Certificates are revoked when the private key or the CA has been compromised, or when the certificate is no longer valid
for its original purpose. CAs maintain a list of revoked certificates, which you can upload to the firewall.
The firewall provides extensive logging capabilities for traffic, system activities, and network protection. Logs let
you analyze network activity to identify security issues and reduce malicious use of your network. You can send
logs to a syslog server or view them through the log viewer.
Log ID
Logs are identified by log ID.
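The log settings and log ID descriptions above (syslog per RFC 5424, events identified by a log ID) are enough to build a collector-side parser. The following is an added example, not code from the page or from Sophos: it splits the RFC 5424 header (PRI, version, timestamp, hostname, app name, process ID, message ID, structured data) from the message, parses key=value pairs out of the message, groups events by log ID, and runs a small detection over them. The sample lines are constructed, and the field names in them (log_id, log_type, log_subtype, src_ip, user) are assumptions about the message format rather than the firewall's documented schema.

```python
"""Parse RFC 5424 syslog messages whose MSG part carries key=value firewall
events, index them by log ID, and run a simple detection. Added example with
constructed sample lines; field names are assumptions."""
import re
from collections import Counter, defaultdict

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)
# key=value pairs in the MSG part; values are "quoted" or bare tokens
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: one allowed connection and four denied inbound attempts.
# PRI 134 = facility 16 (local0) * 8 + severity 6 (info); 132 = local0 + warning.
SAMPLE_LINES = [
    '<134>1 2024-03-05T10:15:30Z xg-fw01 firewall - - - device="SFW" log_id=010101600001 log_type="Firewall" '
    'log_subtype="Allowed" src_ip=10.0.1.25 dst_ip=203.0.113.10 dst_port=443 user="alice"',
    '<132>1 2024-03-05T10:15:31Z xg-fw01 firewall - - - device="SFW" log_id=010102600002 log_type="Firewall" '
    'log_subtype="Denied" src_ip=198.51.100.7 dst_ip=10.0.1.25 dst_port=22',
    '<132>1 2024-03-05T10:15:32Z xg-fw01 firewall - - - device="SFW" log_id=010102600002 log_type="Firewall" '
    'log_subtype="Denied" src_ip=198.51.100.7 dst_ip=10.0.1.25 dst_port=23',
    '<132>1 2024-03-05T10:15:33Z xg-fw01 firewall - - - device="SFW" log_id=010102600002 log_type="Firewall" '
    'log_subtype="Denied" src_ip=198.51.100.7 dst_ip=10.0.1.25 dst_port=3389',
    '<132>1 2024-03-05T10:15:40Z xg-fw01 firewall - - - device="SFW" log_id=010102600002 log_type="Firewall" '
    'log_subtype="Denied" src_ip=192.0.2.9 dst_ip=10.0.1.25 dst_port=445',
]


def parse_syslog(line: str) -> dict:
    """Return the header fields plus a dict of key=value pairs. PRI = facility * 8 + severity."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        raise ValueError(f"PRI {pri} out of range")
    fields = {}
    for key, quoted, bare in _KV.findall(m.group("msg") or ""):
        fields[key] = bare if bare else quoted
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "timestamp": m.group("timestamp"),
        "hostname": m.group("hostname"),
        "app": None if m.group("app") == "-" else m.group("app"),
        "structured_data": None if m.group("sd") == "-" else m.group("sd"),
        "fields": fields,
    }


def index_by_log_id(lines) -> dict:
    """Group events by log ID so one kind of event can be followed across the log set."""
    by_id = defaultdict(list)
    for line in lines:
        ev = parse_syslog(line)
        by_id[ev["fields"].get("log_id", "unknown")].append(ev)
    return dict(by_id)


def noisy_denied_sources(lines, threshold=3) -> dict:
    """Sources with at least `threshold` denied events: a crude port-scan indicator."""
    counts = Counter()
    for line in lines:
        f = parse_syslog(line)["fields"]
        if f.get("log_subtype") == "Denied" and "src_ip" in f:
            counts[f["src_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for log_id, events in index_by_log_id(SAMPLE_LINES).items():
        print(log_id, len(events), "event(s)")
    print("noisy sources:", noisy_denied_sources(SAMPLE_LINES))
```

Parsing the header separately from the message matters because the PRI, hostname and timestamp are what a SIEM keys on, while the key=value body changes between log IDs; rejecting lines that fail the header match keeps a malformed or injected line from being silently counted as an event.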
Log viewer
Use the log viewer to display event information for modules such as system, email, web protection, and Sandstorm
activity.
Policy test
With the policy test tool, you can apply and troubleshoot firewall and web policies and view the resulting security
decisions. For example, you can create a web policy to block all social networking sites for specified users and test
the policy to see if it blocks the content only for the specified users. The results display the details of the action
taken by the firewall, including the relevant rules and content filters.