XG Firewall help
  • Administrator help
    • Getting started

      Follow these recommendations if you are new to XG Firewall. You learn how to secure access to your XG Firewall, how to test and validate it, and finally how to go live once you feel comfortable.

    • Control center

      The control center provides a single-screen snapshot of the status and health of the security system.

    • Current activities

      Keep track of currently signed-in local and remote users and of current IPv4, IPv6, IPsec, SSL, and wireless connections.

    • Reports

      Reports provide a unified view of network activity for the purpose of analyzing traffic and threats and complying with regulatory bodies. For example, you can view a report that includes all web server protection activities taken by the firewall, such as blocked web server requests and identified viruses.

    • Diagnostics

      This menu lets you check the health of your device at a glance. You can use the information to troubleshoot and diagnose problems found on your device.

    • System graphs

      The System graphs page displays graphs of system-related activities for different time intervals.

    • URL category lookup

    • Packet capture

    • Connection list

    • Rules and policies

      Rules and policies enable traffic flow between zones and networks while enforcing security controls, address translation, and decryption and scanning.

    • Intrusion prevention

      With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and other spoofing attacks. Using policies, you can define rules that specify an action to take when traffic matches signature criteria. You can specify protection on a zone-specific basis and limit traffic to trusted MAC addresses or IP–MAC pairs. You can also create rules to bypass DoS inspection.

    • Web

      Web protection keeps your company safe from attacks that result from web browsing and helps you increase productivity. You can define browsing restrictions with categories, URL groups, and file types. By adding these restrictions to policies, you can block websites or display a warning message to users. For example, you can block access to social networking sites and executable files. General settings let you specify scanning engines and other types of protection. Exceptions let you override protection as required for your business needs.

    • Applications

      Application protection helps keep your company safe from attacks and malware that result from application traffic exploits. You can also apply bandwidth restrictions and restrict traffic from applications that lower productivity. Application filters allow you to control traffic by category or on an individual basis. With synchronized application control, you can restrict traffic on endpoints that are managed with Sophos Central. Managing cloud application traffic is also supported.

    • Wireless

      Wireless protection lets you define wireless networks and control access to them.

    • Email

      Manage email routing and protect domains and mail servers. You can configure SMTP/S, POP/S, and IMAP/S policies with spam and malware checks, data protection, and email encryption.

    • Web server

      You can protect web servers against Layer 7 (application) vulnerability exploits. These attacks include cookie, URL, and form manipulation. Use these settings to define web servers, protection policies, and authentication policies for use in Web Application Firewall (WAF) rules. General settings allow you to protect web servers against slow HTTP attacks.

    • Advanced threat

      Advanced threat protection allows you to monitor and analyze all traffic on your network for threats and take appropriate action, for example, drop the packets. You can also view Sandstorm activity and the results of any file analysis. Use these results to determine the level of risk posed to your network by releasing these files.

    • Central synchronization

      By synchronizing with Sophos Central, you can use Security Heartbeat to enable devices on your network to share health information. Synchronized Application Control lets you detect and manage applications in your network. Additionally, you can manage your XG Firewall devices centrally through Sophos Central.

    • VPN
    • Network

      Network objects let you enhance security and optimize performance for devices behind the firewall. You can use these settings to configure physical ports, create virtual networks, and support Remote Ethernet Devices. Zones allow you to group interfaces and apply firewall rules to all member devices. Network redundancy and availability are provided by failover and load balancing. Other settings allow you to provide secure wireless broadband service to mobile devices and to configure advanced support for IPv6 device provisioning and traffic tunnelling.

    • Routing

      A route provides a device with the information it needs to forward a packet to a specific destination. You can configure static and dynamic routes on XG Firewall.

    • Authentication

      You can set up authentication using an internal user database or third-party authentication service. To authenticate themselves, users must have access to an authentication client. However, they can bypass the client if you add them as clientless users. The firewall also supports two-factor authentication, transparent authentication, and guest user access through a captive portal.

      • How to articles
      • Servers

        External servers authenticate users who are attempting to access the firewall and associated services.

        • Add a server

          When you add an authentication server, you define an external server and provide settings for managing access to it.

        • LDAP server

          Lightweight Directory Access Protocol is a networking protocol for querying and modifying directory services based on the X.500 standard.

        • Active Directory server

          Using Microsoft Active Directory, you can register the firewall as a Windows domain and create an object for it on the primary domain controller.

        • RADIUS server

          Remote Authentication Dial-In User Service is a protocol that allows network devices such as routers to authenticate users against a database.

        • TACACS+ server

          Terminal Access Controller Access Control System is a proprietary protocol offered by Cisco Systems. It provides detailed accounting information and administrative control over authentication and authorization processes.

        • eDirectory server

          Novell eDirectory is an X.500-compatible directory service for managing access to resources on multiple servers and devices on a network.

      • Services

        Select the authentication servers for the firewall and other services such as VPN. You can configure global authentication settings, as well as settings for Kerberos and NTLM, web client, and RADIUS single sign-on. Web policy actions let you specify where to direct unauthenticated users.

      • Groups

        Groups contain policies and settings that you can manage as a single unit. With groups, you can simplify policy management for users. For example, you may want to create a grouping of settings that specifies a surfing quota and limits the access time for guest users.

      • Users

        The firewall distinguishes between end users, who connect to the internet from behind the firewall, and administrator users, who have access to firewall objects and settings.

      • One-time password

        You can implement two-factor authentication using one-time passwords, also known as passcodes. Passcodes are generated by Sophos Authenticator or any third-party authenticator on a mobile device or tablet without the need for an internet connection. When users log on, they must provide a password and a passcode.

      • Web authentication

        You can use Active Directory SSO or the captive portal to authenticate users. Authenticated users then appear in logs and reports and can be used as matching criteria in firewall rules and web policies.

      • Guest users

        Guest users are users who do not have an account and want to connect to your network in order to access the internet. You can add (register) guest users or allow them to register themselves through the guest user portal. You can print credentials or send them through SMS. After authentication, the guest user is granted access according to the selected policies or is redirected to the captive portal.

      • Clientless users

        Clientless users are not required to authenticate using a client to access the internet. Instead, the firewall authenticates these users by matching a user name to an IP address.

      • Guest user settings

        Guest users are users who do not have an account and want to connect to your network in order to access the internet. You can add (register) guest users or allow them to register themselves through the guest user portal. Use these settings to enable guest users to register through the guest user registration page and to configure guest user authentication settings and default group.

      • Client downloads

        Use these settings to download the clients and components that support single sign-on, transparent authentication, and email encryption.

      • STAS

        Sophos Transparent Authentication Suite (STAS) enables users on a Windows domain to sign in to XG Firewall automatically when signing in to Windows. This eliminates the need for multiple sign-ins and for SSO clients on each client device.

      • Troubleshooting authentication

        How to investigate and resolve common authentication issues.

    • System services

      Use system services to configure the RED provisioning service, high availability, and global malware protection settings.

    • Profiles

      Profiles allow you to control users’ internet access and administrators’ access to the firewall. You can define schedules, access time, and quotas for surfing and data transfer. Network address translation allows you to specify public IP addresses for internet access. You can specify levels of access to the firewall for administrators based on work roles.

    • Hosts and services

      You can define and manage system hosts and services.

    • Administration

      Administration allows you to manage device licenses and time, administrator access, centralized updates, network bandwidth and device monitoring, and user notifications.

    • Backup and firmware

      You can manage the configuration, firmware versions, hotfixes, and pattern updates.

    • Certificates

      Certificates lets you add certificates, certificate authorities, and certificate revocation lists.

    • Logs

      Logs provide insight into network activity and system events that let you identify security issues and see which of the configured rules apply. You can send logs to a syslog server or view them through the log viewer. Using data anonymization, you can encrypt identities in logs and reports.

    • Open Source Software Attributions
  • User portal help
  • Command line help
  • Startup help
  • High availability startup guide
  • XG Firewall virtual and software appliances help
  • Support

    You can get help in various ways.

  • Open Source Software Attributions
  • Copyright notice

Servers

External servers authenticate users who are attempting to access the firewall and associated services.

Use these settings to define servers and manage access to them.

  • To import Active Directory user groups, click Import.
  • LDAP servers
  • Active Directory servers
  • RADIUS servers
  • TACACS servers
  • eDirectory servers
How to
  • Add a server

© Sophos Limited.
