Skip to content
Last update: 2022-03-11


Sophos Firewall uses interfaces to connect to your network. If you have a physical device, you have at least four physical interfaces in the form of network ports. If you have a virtual device, you need at least two physical network ports.

Sophos Firewall always has one default interface configured on initial start-up using the IP address If you used the initial setup assistant, then you may have changed this already and set up additional interfaces. For example, a WAN interface to access the internet.

Interfaces are assigned a zone. Zones are separated network segments that don't allow traffic to flow between them without a dedicated firewall rule in place.

The assigned zone determines the network permissions that are assigned to network traffic on that interface. The following zones are available:

Zone Description
LAN The LAN zone contains your main internal network where most of your client computers will reside and has the least restrictive default permissions.
WAN The WAN zone connects to the internet. An interface in this zone is normally assigned a public IP address. However, if you have deployed Sophos Firewall behind another router a private IP address may still be used. By default only those permissions required to allow traffic out to the internet are allowed on this zone.
DMZ The DMZ zone is a more restricted internal network zone normally used for hosts such as web servers. This lets you allow access to web services from the internet without allowing access to your main internal LAN network.
WiFi The Wi-Fi zone is like the LAN zone and is assigned to all wireless networks. It has many services enabled by default to allow connected endpoints access to the internet and other domain services. This is the interface to which you connect your access points.

Permissions for zone services are controlled by the device access settings in Administration > Device access.

Permissions for specific networks are controlled by Firewall rules, which are set up in Rules and policies > Firewall rules.

Back to top