Control center

The control center provides a single-screen snapshot of the status and health of the security system.

The control center appears as soon as you sign in.

System panel

The system panel displays the real-time state of the XG Firewall services, VPN connections, WAN links and performance, as well as the number of days the device has been up and running. Each status is shown as an icon, and colored icons differentiate the statuses. Click an icon to see detailed information about that item.

The icons and their meanings are as follows:

Performance

Normal: Load average is less than 2 units.

Warning: Load average is from 2 to 5 units.

Alert: Load average is more than 5 units.

Unknown

Click the icon to see the load average graph.

Load average is the average number of processes waiting to run on a CPU. Any number greater than the number of processor cores in the system indicates that, during the time period being measured (for example, 5 minutes), there was more work to do than the system was capable of doing.

Services

Normal: All the services are running.

Warning: One or more services have been stopped by the administrator. You can restart services from System services > Services.

Alert: One or more services are not running. You can restart services from System services > Services.

Unknown

On clicking the icon, the services that are stopped or dead are displayed.

Interfaces

Normal: All the WAN links are up.

Warning: 50% or fewer of the WAN links are down.

Alert: 50% or more of the WAN links are down.

Unknown

Click the icon to see details of the WAN links.

Note: Ports without an IP address assigned to them have a red status, for example ports assigned to VLAN interfaces.

VPN connections

Normal: All the VPN tunnels are up.

Warning: 50% or fewer of the VPN tunnels are down.

Alert: 50% or more of the VPN tunnels are down.

Unknown

Click the icon to see details of the VPN tunnels.
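As an added example (not part of the Sophos documentation or of the product's own code), the following Python script applies the System panel thresholds above to constructed inputs and returns the four icon statuses. The Service dataclass, the function names and the sample values are assumptions. The documentation lists exactly 50% of links or tunnels down under both Warning and Alert; the script assumes the stricter reading and reports Alert in that case. It also includes the per-core check from the note on load average, which is independent of the fixed 2/5 thresholds.

```python
"""Classify the System panel indicators of the XG Firewall control center.

Added example; this is not Sophos code. It applies the thresholds stated in the
control center documentation to constructed inputs. Where the documentation puts
exactly 50% of links or tunnels down in both Warning and Alert, this example
assumes the stricter reading and reports Alert.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

NORMAL, WARNING, ALERT, UNKNOWN = "Normal", "Warning", "Alert", "Unknown"


@dataclass
class Service:
    name: str
    running: bool
    stopped_by_admin: bool = False  # True: stopped deliberately; False: dead


def performance_status(load_average: Optional[float]) -> str:
    """Normal below 2, Warning from 2 to 5, Alert above 5, Unknown without a sample."""
    if load_average is None:
        return UNKNOWN
    if load_average < 2:
        return NORMAL
    if load_average <= 5:
        return WARNING
    return ALERT


def cpu_oversubscribed(load_average: float, cores: int) -> bool:
    """The note on load average: a value above the number of processor cores
    means there was more runnable work than the CPUs could execute during the
    sampled period, whatever the fixed Normal/Warning/Alert thresholds say."""
    return load_average > cores


def services_status(services: List[Service]) -> str:
    """Warning only if every non-running service was stopped by an administrator;
    Alert if any service is down for another reason (not running / dead)."""
    if not services:
        return UNKNOWN
    down = [s for s in services if not s.running]
    if not down:
        return NORMAL
    if all(s.stopped_by_admin for s in down):
        return WARNING
    return ALERT


def link_status(total: int, down: int) -> str:
    """Shared by the Interfaces (WAN links) and VPN connections (tunnels) icons."""
    if total <= 0 or down < 0 or down > total:
        return UNKNOWN
    if down == 0:
        return NORMAL
    if down / total < 0.5:
        return WARNING
    return ALERT  # assumption: exactly half down is treated as Alert


def system_panel(load_average: Optional[float], services: List[Service],
                 wan_total: int, wan_down: int,
                 vpn_total: int, vpn_down: int) -> Dict[str, str]:
    """One snapshot of the four status icons, keyed by panel name."""
    return {
        "Performance": performance_status(load_average),
        "Services": services_status(services),
        "Interfaces": link_status(wan_total, wan_down),
        "VPN connections": link_status(vpn_total, vpn_down),
    }


if __name__ == "__main__":
    # Constructed snapshot: 4-core device under moderate load, one service
    # stopped on purpose, one of two WAN links down, all three VPN tunnels up.
    sample = [Service("web-proxy", True), Service("ips", False, stopped_by_admin=True)]
    print(system_panel(3.2, sample, 2, 1, 3, 0))
    print("CPU oversubscribed:", cpu_oversubscribed(3.2, 4))
```

Run stand-alone, the snapshot reports Performance Warning (load 3.2), Services Warning (the only stopped service was stopped by the administrator), Interfaces Alert (half the WAN links down, under the stricter reading) and VPN connections Normal.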

RED

The widget displays the number of RED tunnels established and the total number of RED tunnels configured, in the form 4/8 (established/configured). Click the widget to view a list of RED tunnels.

Wireless APs

The widget displays the number of active access points (AP) and the total number of access points configured, in the form 2/3. Pending access points, if any, are displayed separately in brackets in red. Click the widget to be redirected to the Access points page.

Connected remote users

The widget displays the total number of users connected remotely through SSL VPN. Click the widget to be redirected to the Remote users page.

Live users

The widget displays the total number of live users. Click the widget to be redirected to the Live users page.

CPU

CPU graphs allow the administrator to monitor CPU usage by users and system components. Maximum and average CPU usage are also displayed when you click the widget.

X-axis – Hours/weeks/months/year (depending on the selected option)

Y-axis – Percentage of use

Click the widget to view details.

Memory

Memory graphs allow you to monitor the memory usage in percentage. The graphs display the memory used, free memory, and total memory available. In addition, the graphs show the maximum and average memory usage.

X-axis – selected

Y-axis – Percentage of use

Click the widget to view details.

Bandwidth

The graph displays the total data transfer through the WAN zone. In addition, it shows the maximum and average data transfer.

X-axis – Hours/days/months/year (depending on the option selected)

Y-axis – Total data transfer in Kbits/second

Click the widget to view details.

Sessions

The graph displays current sessions of Sophos XG Firewall. It also displays the maximum and average live connections.

Click the widget to view details.

Decryption capacity

Decrypted SSL/TLS connections as a percentage of your firewall's decryption capacity.

Decrypt sessions

Current number of decrypted SSL/TLS connections.

Decryption details are updated every five minutes.

High availability (HA)

Displays the configured HA mode:

A-A: Sophos XG Firewall is configured in active-active mode.

A-P (M): Sophos XG Firewall is configured in active-passive mode and is acting as the primary device.

A-P (S): Sophos XG Firewall is configured in active-passive mode and is acting as the auxiliary device.

Traffic insight panel

The section provides statistics about network traffic processed by your Sophos XG Firewall in the last 24 hours. The at-a-glance information helps you find out who is consuming the most bandwidth, spot unusual traffic patterns, and see the most-visited websites and applications.

The statistics are displayed as bar graphs:

  • Web activity: The graph shows data transfer by users over the last 24 hours, which helps in understanding the web surfing trend. It also displays the maximum and average amount of data transferred, in bytes, over the last 24 hours, which helps you spot unusual traffic patterns, if any. For example, a peak in the graph at a certain point in time means that the maximum amount of data was transferred during that period.
  • Allowed app categories: The graph displays the amount of data transferred, in bytes, for the top five application categories. This gives an administrator an at-a-glance view of the most-used applications in the last 24 hours, which in turn helps you identify which applications consume the most bandwidth. Clicking the bar of a specific application category in the graph redirects you to the filtered application report for that category.
  • Network attacks: The graph lists the top five hosts that were denied access to the network due to health reasons. Clicking the bar of a specific attack category in the graph redirects you to the filtered report for that category.
  • Allowed web categories: The graph displays the amount of data transferred, in bytes, for the top five web categories. This gives an administrator an at-a-glance view of the most-visited websites in the last 24 hours, which in turn helps you identify which websites consume the most bandwidth. Clicking the bar of a specific web category in the graph redirects you to the filtered report for that category.
  • Blocked app categories: The graph displays the top five denied application categories along with the number of hits per category. This shows an administrator which applications had the most failed access attempts. Clicking the bar of a specific application category in the graph redirects you to the filtered application report for that category.

User & device insights panel

Security Heartbeat

The Security Heartbeat widget provides the health status of all endpoint devices. An endpoint device is an internet-capable computer hardware device connected to Sophos XG Firewall via Sophos Central. The endpoint sends a heartbeat signal at regular intervals and also reports potential threats to Sophos XG Firewall.

If Security Heartbeat is not configured, a Configure button appears on the control center.

The health status of endpoint can be red, yellow, or green:
  • Red labeled “At risk” - Active malware detected.
  • Yellow labeled “Warning” - Inactive malware detected.
  • Green (no label) - No malware detected.
  • Red labeled “Missing” - Endpoints not sending health status information but causing network traffic.

When Security Heartbeat has been configured, each endpoint is classified into one of the four statuses. The Security Heartbeat widget shows the total number of endpoints for each status.

Select the widget to see all the endpoints, their user, hostname, IP address, and elapsed time since the status change. You can choose to display all or just certain endpoints based on their health status.

The detailed view doesn't show endpoint details if all connected endpoints have green status.

Threat intelligence

Shows details of files and incidents seen by Sophos Sandstorm. Sandstorm is a cloud-based service that provides enhanced protection against malware. You can configure the firewall to send suspicious downloads to Sandstorm for analysis. Sandstorm runs files to check for ransomware and other advanced threats. Because the analysis takes place in the cloud, your system is never exposed to potential threats.

Sandstorm requires a subscription. Click the link to start your free 30-day evaluation.

When Sandstorm is enabled, users will be prevented from downloading files that match the firewall criteria until the analysis is complete.

The Threat intelligence widget displays analysis results for web and email traffic. Click the widget to view Threat intelligence activity details.

The following details are shown in the widget:

Recent: New threat reports, from the last seven days, for files scanned by Sandstorm that are marked as malicious, suspicious, or PUA.

Incidents: A complete count of files seen by Sandstorm that are marked as malicious, suspicious, or PUA. The time period covered is limited only by the retention period for entries in the database.

Scanned: All traffic seen by Sandstorm, including files marked as clean. The time period covered is limited only by the retention period for entries in the database.

Click any of the above sections of the widget to be taken to the Threat intelligence page of XG Firewall.

ATP

The ATP (advanced threat protection) widget provides a snapshot of advanced threats detected in your network. ATP can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the respective traffic.

When the widget has been configured, it shows one of the following two statuses:

Normal: No threats detected.

Alert: Displays the number of blocked sources. Click it to see details such as the hostname or IP address of the source, the threat, and the count.

UTQ

The widget displays the user threat quotient (UTQ) status of the organization, aggregated over the last seven days. This gives you quick visibility of risky users, if any, who pose security threats to the organization's network.

Possible UTQ statuses (each shown as an icon):

  • There are no users with risky web surfing behavior or using infected hosts that are part of a botnet.
  • There are 13 users who account for 80% of the overall risk posed to the organization's network (the number 13 here is just an example). Click the icon to see the UTQ reports for the last seven days.

SSL/TLS connections

You can see the details of SSL/TLS connections, including decrypted traffic, traffic that isn't decrypted, and failed connections. You can see error types based on websites, users, and IP addresses. You can exclude websites from decryption. Decryption details are updated every five minutes.

If you don't see the connection and decryption details in the control center or the log viewer, make sure the following are turned on:
  • SSL/TLS inspection rules: Go to Rules and policies > SSL/TLS inspection rules and turn the SSL/TLS inspection switch on.
  • SSL/TLS engine: Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings. Under Advanced settings > SSL/TLS engine, select Enabled.

Percentage of traffic: SSL/TLS encrypted traffic as a percentage of total firewall traffic.

Percentage decrypted: Decrypted connections as a percentage of SSL/TLS connections.

Failed: Failed SSL/TLS connections. The counter is reset at midnight.

Select the widget to see the SSL/TLS sessions during the past 24 hours, firewall session details, and errors in the past seven days.

SSL/TLS sessions during the past 24 hours

The chart shows unencrypted traffic, decrypted traffic, and traffic that isn't decrypted. It doesn't include connections going through the web proxy. The chart is updated every five minutes. To see the traffic details, hover over the chart.

Firewall sessions

Select the time frame of the active firewall sessions. The live connection average is updated every 30 seconds. Averages for the other time frames are updated every five minutes. The graph for the 24-hour time frame matches the chart in Errors in the past 7 days.

To see the traffic details, hover over the graph.

Other traffic: Unencrypted traffic.

Undecrypted SSL/TLS: Number of connections not decrypted during the selected period. For details of exclusions from decryption, go to Rules and policies > SSL/TLS inspection rules and see the exclusion lists and decryption profiles.

Decrypted SSL/TLS: Number of decrypted connections during the selected period.

Decryption peak: Maximum number of decrypted connections in the past. Shown only when actual traffic is close to or above this level.

Decryption limit: Number of connections your XG Firewall can decrypt. Shown only when actual traffic is close to or above this level.

Errors in the past 7 days

The table lists SSL/TLS errors by the top websites and top users (users and IP addresses that initiated the connection). Use this to identify issues, such as websites that don't work well when SSL/TLS traffic is intercepted. Resolve the issues with policy changes.

Decryption details are updated every five minutes.

Top websites: Select to see the number of errors and users for each website. To see the details, select the website. To see the error logs, select the corresponding number under Errors.

Top users: Select to see the number of errors for each user. To see the details, select the username or IP address. To see the error logs, select the corresponding number under Errors.

Fix errors: Select to see the error type by websites and users.

Note: The data shown in this section doesn't include connections going through the web proxy.

The data only includes connection errors that can be resolved by changing an SSL/TLS inspection rule, or that suggest a missing CA or application trust issues on user devices. It doesn't include connections blocked by a web policy or other security policies.

SSL/TLS errors in the past 7 days

The pop-up window shows the error types by websites and users. You can hide or show the websites and users. To prevent errors, you can exclude the related websites from decryption.

  • Select Top websites or Top users.
  • For websites, select the website to see the error type and the affected users and IP addresses.
  • For users, select the user to see the error type and the affected websites.
  • To view the logs of an error type, website, or user, select the corresponding number under Errors. The action opens a pop-up window that only shows the relevant items. You can see the website details under the column Server name.
  • Hide a website or user:
    1. Go to the website or user.
    2. At the bottom of the pop-up window, select Hide from website error list or Hide from user error list.
  • Show a website or user:
    1. Select Show hidden under the search field.
    2. Go to the website or user.
    3. At the bottom of the pop-up window, select Unhide from website error list or Unhide from user error list.

      The default websites in the exclusion lists of SSL/TLS inspection rules remain hidden.

  • Exclude a website from decryption:
    1. Go to the website.
    2. At the bottom of the pop-up window, select Exclude from decryption. You can exclude domains and subdomains.

      Domains and subdomains are added to the URL group Local TLS exclusion list. To edit this list, go to Web > URL groups.

To view the exclusion lists, go to Rules and policies > SSL/TLS inspection rules.

Excluded websites won't show in this table after the seven-day time frame.

Active firewall rules

This widget shows the number of firewall rules by rule type and rule status. It shows the traffic (in bytes) that matched the firewall rules in the past 24 hours.

  • To see the data volume, hover over the chart.
  • To see the rules in the Firewall rule table, select a firewall rule status. The rule table sets a filter based on your selection.

All administrators, irrespective of their rights, can see the firewall rules.

Table 1. Rule type

WAF: Firewall rules for web server protection.

User: Firewall rules in which users or groups are selected.

Network: Firewall rules in which users are not selected.

Total: All three firewall rule types.

Table 2. Status

Unused: XG Firewall checks firewall rule usage at the end of every 12 hours. Rules whose criteria didn't match any traffic during that period are listed here. You may want to revise or delete unused firewall rules.

Disabled: Firewall rules that are configured but turned off.

Changed: A firewall rule remains in this list for 24 hours from the time you made changes to the rule.

New: A firewall rule remains in this list for 24 hours from the time of its creation.

Note: For short periods, a rule may belong to some or all of the above status lists at once, because of the default duration for which it remains in each list. See the following example:

Rule name: Test

Rule creation: 10 AM. The Test rule is listed under New until 10 AM the next day.

Rule change: 11 AM. The Test rule is listed under Changed until 11 AM the next day.

Usage check: If XG Firewall performs a usage check at 12 noon and the Test rule remains unused, the rule is listed under Unused until the next usage check.

Turned off: 1 PM. The Test rule is listed under Disabled. Turning a rule off counts as a change, so a disabled rule is listed under both Changed and Disabled.
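As an added example (not Sophos code and not part of this documentation), the following Python model replays the Test rule timeline above and reports which status lists the rule is in at several points in time. The FirewallRule class, its method names, the constructed calendar date and the assumption that a usage check also runs at midnight are all mine; the 24-hour New and Changed windows, the Disabled behaviour and the Unused-until-next-check rule come from the tables above.

```python
"""Which status lists of the Active firewall rules widget a rule belongs to.

Added example; this is not Sophos code. It models the list durations given in the
control center documentation: New for 24 hours after creation, Changed for 24
hours after the last change (turning a rule off counts as a change), Disabled
while the rule is off, and Unused from a usage check that saw no matching traffic
until the next usage check. The dates and the midnight check are constructed for
the replay of the documentation's "Test" rule example.
"""
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional

LIST_DURATION = timedelta(hours=24)   # New and Changed membership window


class FirewallRule:
    def __init__(self, name: str, created_at: datetime) -> None:
        self.name = name
        self.created_at = created_at
        self.last_changed_at: Optional[datetime] = None
        self.enabled = True
        self.unused = False              # result of the most recent usage check
        self.matched_since_check = False

    def modify(self, at: datetime) -> None:
        self.last_changed_at = at

    def disable(self, at: datetime) -> None:
        self.enabled = False
        self.modify(at)                  # a disabled rule is also in Changed

    def enable(self, at: datetime) -> None:
        self.enabled = True
        self.modify(at)

    def record_match(self) -> None:
        """Call when traffic matches the rule's criteria."""
        self.matched_since_check = True

    def usage_check(self) -> None:
        """Run by the firewall at the end of every 12-hour period."""
        self.unused = not self.matched_since_check
        self.matched_since_check = False

    def status_lists(self, now: datetime) -> FrozenSet[str]:
        """Every status list the rule appears in at time `now`."""
        lists = set()
        if now - self.created_at < LIST_DURATION:
            lists.add("New")
        if self.last_changed_at is not None and now - self.last_changed_at < LIST_DURATION:
            lists.add("Changed")
        if not self.enabled:
            lists.add("Disabled")
        if self.unused:
            lists.add("Unused")
        return frozenset(lists)


def replay_page_example() -> Dict[str, FrozenSet[str]]:
    """Replays the documentation's Test rule timeline; returns snapshots by label."""
    day1 = datetime(2024, 1, 1)          # constructed date

    def at(hours: int, minutes: int = 0) -> datetime:
        return day1 + timedelta(hours=hours, minutes=minutes)

    rule = FirewallRule("Test", created_at=at(10))   # created 10 AM
    snap: Dict[str, FrozenSet[str]] = {}
    snap["day1 10:30"] = rule.status_lists(at(10, 30))
    rule.modify(at(11))                              # changed 11 AM
    snap["day1 11:30"] = rule.status_lists(at(11, 30))
    rule.usage_check()                               # 12 noon, no traffic matched
    snap["day1 12:30"] = rule.status_lists(at(12, 30))
    rule.disable(at(13))                             # turned off 1 PM
    snap["day1 13:30"] = rule.status_lists(at(13, 30))
    rule.usage_check()                               # assumed midnight check, still unused
    snap["day2 10:30"] = rule.status_lists(at(34, 30))
    snap["day2 13:30"] = rule.status_lists(at(37, 30))
    return snap


if __name__ == "__main__":
    for label, lists in replay_page_example().items():
        print(f"{label}: {sorted(lists)}")
```

The replay shows the overlap the note describes: at 1:30 PM on the first day the rule is in all four lists, New drops out after 10 AM the next day, Changed after 1 PM (the disable time, not the 11 AM edit), and Unused persists only because each later usage check again saw no traffic.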

Reports panel

Not applicable to CR10iNG, CR10wiNG, CR15i, CR15wi, CR15iNG, CR15wiNG, CR15iNG-LE, CR15iNG-4P, CR15wiNG-4P, XG85 and XG85w models.

Depending on the subscribed modules, at most five critical reports from the following table are displayed:

Report name: Number/data displayed (Subscription module)

High risk applications: <number of> risky apps seen yesterday (Web Protection)

Objectionable websites: <number of> objectionable websites seen yesterday (Web Protection)

Web users: <data transfer> (in bytes) used by top 10 users yesterday (Web Protection)

Intrusion attacks: <number of> intrusion attacks yesterday (Network Protection)

Web server protection: <number of> web server attacks yesterday (Web Server Protection)

Email usage: <data transfer> (in bytes) used (Email Protection)

Email protection: <number of> spam mails yesterday (Email Protection)

Traffic dashboard: - (either Web Protection or Network Protection)

Security dashboard: - (either Web Protection or Network Protection)

Prevalent malware panel

Applicable to CR15iNG, CR15wiNG, CR15i and CR15wi models only.

Displays the top five malware identified by XG Firewall, along with the number of occurrences per malware.

Messages panel

The panel displays information which allows you to monitor and track the system events of the device. Each message displays the date and time that the event occurred.

The following alerts are displayed:
  1. The default password for the “admin” user has not been changed. We highly recommend you to change the password. – This alert is displayed when the default password for the super administrator has not been changed.
  2. The default web admin console password has not been changed.
  3. HTTPS, SSH based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.
  4. HTTP, Telnet-based management is allowed from the WAN. This is not a secure configuration. We recommend using a good password.
  5. Your XG Firewall is not registered.
  6. The modules have expired.

Symbolic representations are used for easier identification of messages. Separate icons indicate alert messages, warnings, and firmware download notifications.