
Protection policies

Using policies, you can define protection from vulnerability exploits, such as cookie, URL, and form manipulation.

Policies also mitigate common threats, such as application and cross-site scripting (XSS) attacks.

Sophos Firewall provides default policies for some common web services, for example Exchange Autodiscover.

Migrated protection policies

SFOS 18.0 has implemented changes in the categories and settings of web server rules and protection policies based on the OWASP ModSecurity Core Rule Set 3.0.

Sophos Firewall has merged some protection categories into a single category, mapped filter rules to new rule IDs, and introduced filtering strength levels.


If you turned on a category before migration, the new category into which it's merged is turned on during migration. For example, if a pre-migration policy has Protocol violations turned on and Protocol anomalies turned off, the post-migration category Protocol enforcement, which contains both categories, is turned on.

| Pre-migration | Post-migration |
| --- | --- |
| Protocol violations, Protocol anomalies, Request limits, HTTP policy | Protocol enforcement |
| Generic attacks, Tight security | Application attacks |
| Bad robots | Scanner detection |
| Outbound | Data leakage |
| Rigid filtering | Filter strength with four levels of filtering. Rigid filtering setting migrates to Level 1 (Most permissive) setting. We recommend that you evaluate your protection policies and change the setting, if necessary. |
| Trojans | Removed the category. Anti-virus scanning protects from trojans. |
| Rule IDs in Skip filter rules | Rules have been mapped to new rule IDs. For skipped rules that map to a new rule ID, the new rule continues to be skipped after migration. Unmapped rules and rules that have been removed or merged into a new rule are removed from the skip rule list. |
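The following added example (not Sophos code) models the migration rules above so you can list what to review in a migrated policy: categories that are now effectively on because they were merged, the Level 1 filter strength, and skip-rule exceptions that were dropped. The policy dictionary layout, the `migrate_policy` helper, and the rule IDs are assumptions made for illustration; only the category names come from this page.

```python
# Added example: models the migration rules described on this page.
# Category names come from the page; the policy dict layout and the
# rule-ID map are assumptions made for illustration.
MERGES = {
    "Protocol enforcement": ["Protocol violations", "Protocol anomalies",
                             "Request limits", "HTTP policy"],
    "Application attacks": ["Generic attacks", "Tight security"],
    "Scanner detection": ["Bad robots"],
    "Data leakage": ["Outbound"],
}

def migrate_policy(old, rule_id_map):
    """Return (new_policy, review_notes) for one pre-migration policy."""
    cats = old.get("categories", {})
    new = {"categories": {}, "filter_strength": 1, "skip_rules": []}
    notes = []
    for target, sources in MERGES.items():
        enabled = any(cats.get(s, False) for s in sources)
        new["categories"][target] = enabled
        # Merged sources that were off are now effectively on: the
        # policy inspects more than before, so watch for new blocks.
        widened = [s for s in sources if enabled and not cats.get(s, False)]
        if widened:
            notes.append(f"{target}: now also covers {', '.join(widened)}")
    if cats.get("Trojans"):
        notes.append("Trojans: category removed; check anti-virus scanning")
    notes.append("Filter strength: Level 1 (Most permissive); evaluate")
    for rid in old.get("skip_rules", []):
        if rid in rule_id_map:
            new["skip_rules"].append(rule_id_map[rid])
        else:
            notes.append(f"skip rule {rid}: no mapping, exception dropped")
    return new, notes

if __name__ == "__main__":
    # Constructed sample policy and constructed placeholder rule IDs.
    sample = {
        "categories": {"Protocol violations": True, "Protocol anomalies": False,
                       "Bad robots": True, "Trojans": True},
        "skip_rules": ["OLD-A", "OLD-B"],
    }
    policy, notes = migrate_policy(sample, {"OLD-A": "NEW-A"})
    print(policy)
    for n in notes:
        print("REVIEW:", n)
```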
