Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Add a firewall rule

Create firewall rules to allow or disallow traffic flow between zones and networks and apply security policies and actions.

Create rules for IPv4 or IPv6 networks. Specify the matching criteria, such as source, destination, services, and users during a time period. Select the policies and the scanning action to apply. Select the action to enforce on Synchronized Security endpoints and servers.

  1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
  2. Rules are turned on by default. You can turn off a rule if you don't want to apply its matching criteria.
  3. Enter the general details.

    Name Description
    Rule name Enter a name.
    Rule position

    Specify the position of the rule in the rule table:

    • Top
    • Bottom
    Sophos Firewall evaluates rules from the top down until it finds a match. Once it finds a match, it doesn’t evaluate subsequent rules. You can change the rule sequence in the rule table.
    Rule group Select a rule group or create one. The firewall rule will belong to this group.

    If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.
    Action

    Select an action:

    • Accept: Allows traffic.
    • Drop: Drops traffic without notification. Currently, if you select Use web authentication for unknown users in the firewall rule, Sophos Firewall shows a block page rather than dropping web traffic silently. The behavior applies to traffic from all zones.
    • Reject: Drops traffic and sends an ICMP port unreachable message to the source for UDP and ICMP traffic. For TCP traffic, a TCP reset message is sent to the source.
    • Protect with web server protection: Select this and specify the web server protection details to control web application traffic.
    Preconfigured template

    If you’ve selected web server protection, select a template to apply:

    • None: Specify the web server protection details.
    • Exchange Autodiscover
    • Exchange Outlook Anywhere
    • Exchange General
    • Microsoft Lync
    • Microsoft Remote Desktop Gateway 2008 and R2
    • Microsoft Remote Desktop Web 2008 and R2
    • Microsoft Sharepoint 2010 and 2013
    Log firewall traffic

    To generate logs and report data that matches this rule, select this option.

    By default, logs are stored on the firewall.

    To add a syslog server and save logs on the server, select this option and go to System services > Log settings. See Log settings.

    To send logs to Sophos Central, you must select this option and go to the Sophos Central page and turn on Sophos Central services. See Sophos Central services overview.

    The firewall logs sessions if a connection is terminated due to a "Destroy" event. It doesn't log sessions if connections are terminated without a "Destroy" event, such as the loss of an internet connection.

    Note

    Review rule positions after a firewall rule is created automatically or manually to make sure the intended rule matches traffic criteria.

    Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and evaluated first. Later, if you manually create new firewall rules with Rule position set to Top, these rules are placed at the top of the rule table, changing rule positions. The policies and actions of the rule at the top will apply, which may lead to unplanned outcomes, such as failure in mail delivery or tunnels not being established, when matching criteria for the new and existing rules overlap.

  4. Select the source matching criteria.

    Name Description
    Source zones Select the zones from which traffic originates.
    Source networks and devices Select the source networks and devices or create new ones.
    During scheduled time Select a schedule or create one. Sophos Firewall matches the rule criteria during the time period and day of the week that you select.
  5. Enter the destination and service matching criteria.

    Name Description
    Destination zones Select the destination zones in which the traffic terminates.
    Destination networks Select the destination networks or create new ones.
    Services Select the services or create a new service. Services are a combination of protocols and ports.
  6. Specify the user identity criteria.

    Name Description
    Match known users Select to add user identity as a matching criterion.
    Use web authentication for unknown users Select to authenticate unknown users who try to access the web. These are users who’ve signed in to their endpoint devices, but have not been authenticated.

    To specify web authentication settings, go to Authentication > Web authentication. You can specify AD SSO (Kerberos and NTLM) or captive portal authentication.

    To turn on access to AD SSO and captive portal from the required zones, go to Administration > Device access.
    Users or groups Select the users and groups. The rule will then apply only to traffic originating from the specified users and groups.
    Exclude this user activity from data accounting Select to exclude the specified users’ traffic from data accounting.

    By default, Sophos Firewall adds traffic that matches the rule criteria to individual users’ data transfer.

    Use this if you don’t want to set a data usage limit on the specified users.
  7. Select Add exclusion to add exclusions to the rule. Sophos Firewall won’t match the specified criteria for the following objects:

    • Source zones
    • Source networks and devices
    • Destination zones
    • Destination networks
    • Services
  8. Select Create linked NAT rule if you want to enforce address translation for this rule’s source networks and devices.

    Linked NAT rules are source NAT rules and are listed in the NAT rule table. You can identify them by the firewall rule ID and name.

    You can change only the translated source and the outbound interface-specific source translation in a linked NAT rule. For the rest, Sophos Firewall applies the matching criteria of the firewall rule that it's linked to, including users and groups.

    Warning

    Linked NAT rules apply only to the traffic defined by the firewall rule to which they are linked. However, if the criteria of a NAT rule placed above the linked NAT rule matches the traffic, the former rule is applied. Sophos Firewall doesn’t evaluate subsequent rules once it finds a match.

  9. Select Web filtering to specify the settings.

    Select the web policy, malware and content scanning, and the filtering settings.

    Malware and content scanning: The settings specified in Web > General settings apply.

    Filtering: Select the settings to filter web traffic over common web ports. If you want to select web proxy filtering, you must first select a web policy or malware and content scanning for HTTP and decrypted HTTPS.

    Sophos Firewall identifies micro apps, such as Dropbox and Gmail attachment upload and download, based on their URLs. When you specify an application filter policy for these micro apps in the firewall rule and set the matching SSL/TLS inspection rule to decrypt, the DPI engine identifies micro apps based on the decrypted URL. This applies even if you set Web policy to None and turn off malware scanning and advanced threat protection. Sophos Firewall takes the action specified in the application filter policy.

    Sophos Firewall skips decryption, malware and content scanning, Zero-day protection analysis, and policy checks for the corresponding exceptions you specify in Web > Exceptions. Exceptions apply both to DPI and proxy modes. However, in DPI mode, web policies (including exceptions) only apply if one of the following is true:

    • A web policy is set.
    • Malware and content scanning is turned on.
    • ATP is turned on.

    If you set up web proxy filtering on bridge interfaces without an IP address, the traffic is dropped.

    Name Description
    Web policy Select a web policy or create one.
    Apply web category-based traffic shaping Select to apply the bandwidth settings specified for the web categories within the policy.
    Block QUIC protocol Blocks QUIC protocol by dropping outbound UDP packets to ports 80 and 443 for traffic that matches the rule's criteria. It's selected by default when you select a web policy or turn on scanning for HTTP and decrypted HTTPS.

    Chrome uses the protocol by default to establish sessions with Google services. QUIC traffic can't be scanned and bypasses web filtering.
    Scan HTTP and decrypted HTTPS Select to scan web traffic for malware.

    This option doesn't turn on HTTPS decryption. To ensure HTTPS traffic is decrypted for scanning, use SSL/TLS inspection rules in DPI mode or select Decrypt HTTPS during web proxy filtering.
    Use Zero-day protection If you selected scanning for HTTP and decrypted HTTPS, select to send files downloaded over HTTP or HTTPS for Zero-day protection analysis. Zero-day protection protects your network from zero-day (unknown and unpublished) threats.
    Scan FTP for malware Select to scan FTP traffic for malware.
    Use web proxy instead of DPI engine Select to use the web proxy to filter traffic only on ports 80 (HTTP) and 443 (HTTPS). The DPI engine continues to filter HTTP and SSL/TLS traffic on other ports. You require proxy mode to enforce SafeSearch and YouTube restrictions, to restrict sign-ins to Google Apps (example: Gmail, Drive) to certain domain accounts, to turn on pharming protection and web content caching, and to connect to a parent proxy.

    To use the DPI engine for web filtering, clear the check box. The DPI engine filters HTTP and SSL/TLS traffic on all ports. With this setting, Sophos Firewall uses direct mode. It applies SSL/TLS inspection rules to intercept, decrypt, and inspect encrypted traffic based on the rule-matching criteria and decryption profiles.

    To make sure that SSL/TLS inspection rules are turned on and to create SSL/TLS inspection rules, go to Rules and policies > SSL/TLS inspection rules.
    Decrypt HTTPS during web proxy filtering Turning on this option also decrypts HTTPS traffic in direct proxy mode.

    Tip

    You can create a firewall rule with web proxy filtering for pre-configured FQDN host groups to enforce SafeSearch, YouTube restrictions, and to restrict sign-ins to Google Workspace applications. To create this firewall rule, see the learning content linked to this page.

    Note

    You can use direct proxy mode even if you don't select Use web proxy instead of DPI engine. To use direct proxy mode, you must configure clients to use Sophos Firewall in their proxy settings. For information about using Sophos Firewall as a direct web proxy, go to Web proxy configuration in Web > General settings.

  10. Select Configure Synchronized Security Heartbeat to specify the Heartbeat settings. Specifying these controls allows you to protect endpoint devices and servers in your network through Sophos Firewall.

    Endpoint devices and services configured with Synchronized Security send a heartbeat, which provides information about their health status, to Sophos Firewall at pre-defined intervals.

    Name Description
    Minimum source HB permitted Select the minimum health status that a device from which traffic originates must maintain. If a device doesn’t send the minimum heartbeat, its user won’t receive the access defined in this rule.

    Green: Only endpoints sending this health status have access.

    Yellow: Only endpoints sending a green or yellow health status have access.

    No restriction: All endpoints have access, including those that aren’t sending a heartbeat or are sending a red status.
    Block clients with no heartbeat Select to block the devices that don’t send a heartbeat.
    Minimum destination HB permitted Select the minimum health status that a device receiving traffic must maintain. If a device doesn’t send the minimum heartbeat, its user won’t receive the access defined in this rule.

    Green: Only endpoints sending this health status have access.

    Yellow: Only endpoints sending a green or yellow health status have access.

    No restriction: All endpoints have access, including those that aren’t sending a heartbeat or are sending a red status.

    You can apply destination heartbeat control to devices in the internal network, not in the WAN zone.
    Block request to destination with no heartbeat Select to block the devices that don’t send a heartbeat.

    Note

    If you select Block clients with no heartbeat and add a web exception for policy checks under Web > Exceptions, web requests aren't blocked.

  11. Select the settings for the other security features. You can select or create new application control, IPS, and traffic shaping policies.

    Name Description
    Identify and control applications (App control) Select an application filter policy.
    Apply application-based traffic shaping policy Select to apply the bandwidth settings specified for the applications within the application category.
    Detect and prevent exploits (IPS) Select an IPS policy.
    Shape traffic Select a traffic shaping policy to apply a bandwidth guarantee or limit.

    If you’ve selected Match known users, the specified users’ traffic shaping policy is applied. In the absence of a user policy, the group policy is applied.
    DSCP marking

    Select the level of DSCP marking to mark packets for priority. For details, see DSCP value.

    • Expedited forwarding (EF): Priority queuing that ensures low delay and low packet loss. Suitable for real-time services.
    • Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort.
    • Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service.
  12. To scan email content, select the protocols IMAP, IMAPS, POP3, POP3S, SMTP, and SMTPS.

    If you select a protocol here and haven’t added its standard ports to Services in this rule, select Add ports. The standard ports for the selected protocols are added to services.

  13. Click Save.

More resources