Skip to content

Add a protection policy

  1. Go to Web server > Protection policies and select Add.
  2. Enter a name.
  3. Specify the protection settings for the policy.

    Name Description
    Pass Outlook anywhere Allows external Microsoft Outlook clients to bypass web server protection to access the Microsoft Exchange Server.
    Mode Select the action to take for HTTP requests:
    • Monitor: Sophos Firewall logs monitored requests.
    • Reject
    Cookie signing Protects from cookie tampering.

    Cookie signing mitigates attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built from the primary cookie's name and value and a secret known only to Sophos Firewall. If a request can't provide the correct cookie pair, the cookie is dropped.
    Static URL hardening Specify the URLs you want to serve. These URLs can be accessed without requiring a URL hardening signature.

    This isn't effective for dynamic URLs created by the endpoint device, for example using JavaScript.

    Static URL hardening prevents users from manually constructing deep links that lead to unauthorized access. When an endpoint device requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. In addition, the response from the web server is analyzed to determine links that are valid and can be safely requested going forward.

    When you turn on static URL hardening, the entries for URL paths become case-sensitive. For example, if you add the path /rule.html and users enter /Rule.html, Sophos Firewall reports that the signature can't be found.
    Form hardening Protects from web form rewriting.

    To prevent tampering with forms, Sophos Firewall saves the original structure of a web form and signs it. If the structure has changed when the form is submitted, Sophos Firewall rejects the request.
    Antivirus Protects web servers from viruses. If you turn on this setting, you can specify the following additional behaviors:
    • Mode: Select dual or single scan mode. If you want to apply single scan mode, select the scanning engine.
    • Direction: Select scanning for uploads, downloads, or both.
    • Block unscannable content: Turn on to block content that can't be scanned, for example, encrypted or corrupt files.
    • Limit scan size: Enter the file size. Sophos Firewall scans the requests up to the specified size. To scan every file, specify zero or leave this field blank.
      The scan size limit refers to the entire upload volume, not to a single file. For example, if you limit the scan size to 50 MB and make an upload containing files of 45, 5, and 10 MB, the last file won't be scanned and a virus in the last file won't be detected.
    Block clients with bad reputation Block clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information. Skipping remote lookups for clients with bad reputation may result in improved performance.

    For RBLs, Sophos Firewall uses Sophos Extensible List (SXL) and SORBS. For GeoIP, it uses Maxmind. Sophos Firewall blocks clients that belong to the A1 (anonymous proxies or VPN services) and A2 (satellite ISP) classifications.


    Static URL hardening and Form hardening affect all files with HTML and XML content. This protection may corrupt binary and other files if they are specified as HTML or XML. To make sure these files aren't affected, change your web server’s settings to deliver them with a different content type, for example application/octet-stream.

  4. Turn on Common threat filter and specify the settings. Depending on the results, a notice or a warning is shown in the live log or the request is blocked directly.

    Name Description
    Filter strength Level 1 (Most permissive): Use this for deployments related to many websites and applications, and for standard security requirements. It generates minimal false positives. It's the default setting.

    Level 2: Provides additional protection, such as from regexp-based SQL and XSS injection, and checks extra keywords for code injections. Use this for better security coverage and for deployments with higher security requirements. It generates additional false positives that you need to handle.

    Level 3: Turns on additional rules and keyword lists. It also sets additional limits on the use of special characters. Use this for higher security requirements and based on your experience in handling false positives.

    Level 4 (Most restrictive): Places additional restrictions on special characters. Use this for deployments with very high security requirements. It generates a high level of false positives. We recommend that you troubleshoot these before you make the site live.

    Level 1 isn't logged. Levels 2 and higher are logged to /log/reverseproxy.log.

    To check the reverse proxy log, sign in with the command line interface.
    Skip filter rules To correct the false positives, add the rule ID that you want to skip.

    To see the rule IDs, check the reverse proxy log using the command line interface.
    Application attacks Performs tight security checks on requests, such as attempts to traverse prohibited paths.

    Sophos Firewall also searches for attempted command executions common to most attacks. After breaching a web server, an attacker usually tries to run commands on the server to escalate their privileges or manipulate data stores. Checking for these post-breach execution attempts allows Sophos Firewall to detect attacks that may go unnoticed, for example, attackers targeting a vulnerable service after gaining legitimate access.
    SQL injection attacks Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.
    XSS attacks Checks for embedded script tags and code in request arguments.

    Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server.
    Protocol enforcement Enforces adherence to RFC standards for HTTP and HTTPS protocols. Violating these standards usually indicates malicious intent.

    Searches for common usage patterns. The absence of such patterns often indicates malicious requests. These patterns include HTTP headers, such as Host and User-Agent.

    Enforces reasonable limits on the number and range of request arguments. Overloading request arguments is a typical attack vector. Narrows the allowed usage of HTTP protocol. Web browsers typically use only a limited subset of the possible HTTP options. Disallowing the rarely used options prevents attacks that use these options.
    Scanner detection Checks for usage patterns characteristic of bots and crawlers. When you deny them access, possible vulnerabilities on your web servers are less likely to be discovered.
    Data leakage Prevents web servers from leaking information to the client. This includes error messages sent by servers, which attackers can use to gather sensitive information or detect specific vulnerabilities.


    Some types of data leakage are similar to application and SQL injection attacks. If you turned on Application attacks or SQL injection attacks, to ensure that Sophos Firewall protects your servers from attacks that you intend to block with these settings, we recommend that you turn on Data leakage.

  5. Click Save.