Generate passcodes manually
If a user has no access to passcodes (for example, if the authenticator is temporarily unavailable), you can generate them manually.
Keep track of currently signed-in local and remote users, current IPv4, IPv6, IPsec, SSL, and wireless connections.
Reports provide a unified view of network activity for the purpose of analyzing traffic and threats and complying with regulatory bodies. For example, you can view a report that includes all web server protection activities taken by the firewall, such as blocked web server requests and identified viruses.
This menu allows checking the health of your device in a single shot. Information can be used for troubleshooting and diagnosing problems found in your device.
Firewall rules implement control over users, applications, and network objects in an organization. Using the firewall rule, you can create blanket or specialized traffic transit rules based on the requirement. The rule table enables centralized management of firewall rules.
With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and other spoofing attacks. Using policies, you can define rules that specify an action to take when traffic matches signature criteria. You can specify protection on a zone-specific basis and limit traffic to trusted MAC addresses or IP–MAC pairs. You can also create rules to bypass DoS inspection.
Web protection keeps your company safe from attacks that result from web browsing and helps you increase productivity. You can define browsing restrictions with categories, URL groups, and file types. By adding these restrictions to policies, you can block websites or display a warning message to users. For example, you can block access to social networking sites and executable files. General settings let you specify scanning engines and other types of protection. Exceptions let you override protection as required for your business needs.
Application protection helps keep your company safe from attacks and malware that result from application traffic exploits. You can also apply bandwidth restrictions and restrict traffic from applications that lower productivity. Application filters allow you to control traffic by category or on an individual basis. With synchronized application control, you can restrict traffic on endpoints that are managed with Sophos Central. Managing cloud application traffic is also supported.
Wireless protection lets you define wireless networks and control access to them. The firewall supports the latest security and encryption, including rogue access point scanning and WPA2. Wireless protection allows you to configure and manage access points, wireless networks, and clients. You can also add and manage mesh networks and hotspots.
With email protection, you can manage email routing and relay and protect domains and mail servers. You can specify SMTP/S, POP/S, and IMAP/S policies with spam and malware checks, data protection, and email encryption.
You can protect web servers against Layer 7 (application) vulnerability exploits. These attacks include cookie, URL, and form manipulation. Use these settings to define web servers, protection policies, and authentication policies for use in Web Application Firewall (WAF) rules. General settings allow you to protect web servers against slow HTTP attacks.
Advanced threat protection allows you to monitor all traffic on your network for threats and take appropriate action, for example, drop the packets. You can also view Sandstorm activity and the results of any file analysis. Use these results to determine the level of risk posed to your network by releasing these files.
By synchronizing with Sophos Central, you can use Security Heartbeat to enable devices on your network to share health information. Synchronized Application Control lets you detect and manage applications in your network. Additionally, you can manage your XG Firewall devices centrally through Sophos Central.
Security Heartbeat is a feature that allows endpoints and firewalls to communicate their health status with each other. Find the details on how it works, what different health statuses there are, and what they mean.
A Virtual Private Network (VPN) is a tunnel that carries private network traffic from one endpoint to another over a public network such as the internet. VPN allows users to transfer data as if their devices were directly connected to a private network. You can use a VPN to provide secure connections from individual hosts to an internal network and between networks. VPNs are commonly used to secure communication between off-site employees and an internal network and from a branch office to the company headquarters.
Network objects let you enhance security and optimize performance for devices behind the firewall. You can use these settings to configure physical ports, create virtual networks, and support Remote Ethernet Devices. Zones allow you to group interfaces and apply firewall rules to all member devices. Network redundancy and availability are provided by failover and load balancing. Other settings allow you to provide secure wireless broadband service to mobile devices and to configure advanced support for IPv6 device provisioning and traffic tunnelling.
This section provides options to configure both static and dynamic routes.
You can set up authentication using an internal user database or third-party authentication service. To authenticate themselves, users must have access to an authentication client. However, they can bypass the client if you add them as clientless users. The firewall also supports two-factor authentication, transparent authentication, and guest user access through a captive portal.
External servers authenticate users who are attempting to access the firewall and associated services. Use these settings to define servers and manage access to them.
Select the authentication servers for the firewall and other services such as VPN. You can also configure global authentication settings, NTLM settings, web client settings, and RADIUS single sign-on settings. Web policy actions let you specify where to direct unauthenticated users.
Groups contain policies and settings that you can manage as a single unit. With groups, you can simplify policy management for users. For example, you may want to create a grouping of settings that specifies a surfing quota and limits the access time for guest users.
The firewall distinguishes between end users, who connect to the internet from behind the firewall, and administrator users, who have access to firewall objects and settings.
You can implement two-factor authentication using one-time passwords, also known as passcodes. Passcodes are generated by Sophos Authenticator on a mobile device or tablet without the need for an internet connection. When users log on, they must provide a password and a passcode.
The captive portal is a browser interface that requires users behind the firewall to authenticate when attempting to access a website. After authenticating, the user proceeds to the address or the firewall redirects the user to a specified URL. Use these settings to customize the appearance and contents of the captive portal. For example, you can specify your company logo and custom button text.
Guest users are users who do not have an account and want to connect to your network in order to access the internet. You can add (register) guest users or allow them to register themselves through the guest user portal. You can print credentials or send them through SMS. After authentication, the guest user is granted access according to the selected policies or is redirected to the captive portal.
Clientless users are not required to authenticate using a client to access the internet. Instead, the firewall authenticates these users by matching a user name to an IP address.
Guest users are users who do not have an account and want to connect to your network in order to access the internet. You can add (register) guest users or allow them to register themselves through the guest user portal. Use these settings to enable guest users to register through the guest user registration page and to configure guest user authentication settings and default group.
Use these settings to download the clients and components that support single sign-on, transparent authentication, and email encryption.
Sophos Transparent Authentication Suite (STAS) enables users on a Windows domain to sign in to XG Firewall automatically when signing in to Windows. This eliminates the need for multiple sign-ins and for SSO clients on each client device.
Two-factor authentication ensures that only users with trusted devices can log on. To provide two-factor authentication, you configure the OTP service. Then, end-users scan tokens and obtain passcodes using Sophos Authenticator.
In some cases, you may need to provide an OTP token to an end-user manually, even when the service is set to create tokens automatically. These cases include, for example, when a user doesn’t have access to Sophos Authenticator. To do this, you configure the OTP service and deploy a token manually. Then, the user obtains the token through the captive portal.
You can add existing Active Directory users to the firewall. To do this, you add an AD server, import groups, and set the primary authentication method.
You can add existing LDAP users to the firewall. Adding the users to a dedicated group allows you to specify policies for these users. You add a group, add an LDAP server, and set the primary authentication method.
You can add existing RADIUS users to the firewall. To do this, you add a RADIUS server and set the primary authentication method.
Clientless SSO is provided by Sophos Transparent Authentication Suite (STAS). You can integrate STAS in an environment with a single Active Directory server.
Learn how to configure XG Firewall to sign in Chromebook users automatically when they sign in to their Chromebook.
Use system services to configure the RED provisioning service, high availability, and global malware protection settings. Other options let you view bandwidth usage and manage bandwidth to reduce the impact of heavy usage. Using log settings, you can specify system activity to be logged and how to store logs. Data anonymization lets you encrypt identities in logs and reports.
Profiles allow you to control users’ internet access and administrators’ access to the firewall. You can define schedules, access time, and quotas for surfing and data transfer. Network address translation allows you to specify public IP addresses for internet access. You can specify levels of access to the firewall for administrators based on work roles.
Hosts and services lets you define and manage system hosts and services.
Administration allows you to manage device licenses and time, administrator access, centralized updates, network bandwidth and device monitoring, and user notifications.
Certificates allows you to add certificates, certificate authorities, and certificate revocation lists.
The firewall provides extensive logging capabilities for traffic, system activities, and network protection. Logs include analyses of network activity that let you identify security issues and reduce malicious use of your network. You can send logs to a syslog server or view them through the log viewer.
With the policy test tool, you can apply and troubleshoot firewall and web policies and view the resulting security decisions. For example, you can create a web policy to block all social networking sites for specified users and test the policy to see if it blocks the content only for the specified users. The results display the details of the action taken by the firewall, including the relevant rules and content filters.
© 2020 Sophos Limited. All rights reserved.