
Security management and best practices

Here are the best practices when configuring the firewall to protect your network.

Segregate your networks and apply IPS policies

Separate your networks so any internet-facing services, such as web servers or remote access servers, are on a network segment and zone other than your main LAN network. Place internet-facing services such as these in a DMZ zone and configure firewall rules to block connections from the DMZ to the LAN.

You can also segment other LAN zones as required by using smaller subnets, assigning these to separate LAN zones, and configuring firewall rules to manage traffic between these networks.

In the following example, the network isn't segmented, allowing the infection to spread easily between endpoints.

Unsegmented network.

Sophos Firewall prevents infection in one area from spreading to other areas by separating the network into segments, such as the DMZ and LAN networks.

Segmented network.

Doing this and applying an IPS policy to rules that govern traffic between these networks reduces the risk of malware or hackers being able to move laterally through your networks if they do manage to perform a successful initial attack. It also provides more time for the threat to be detected and mitigated.

Apply an IPS policy to a firewall rule.

Lock down remote access

Where possible, only allow access to internal resources over a VPN connection and don't use port forwarding. If you must use port forwarding, make sure you apply an IPS policy to the firewall rule that handles the forwarded traffic.

Configure SSL/TLS inspection rules

Configure an SSL/TLS inspection rule to scan most network traffic, with exceptions configured only for services that SSL/TLS scanning breaks.

For further details about SSL/TLS inspection rules and how to configure them, see SSL/TLS inspection rules.

Only allow authenticated users to connect to the internet from your LAN

When configuring firewall rules to handle user traffic, make sure that you select Match known users. This ensures that only authenticated users can access external resources from within your LAN network.

Select users and groups.

Only use NAT for those services that are explicitly needed

Network Address Translation (NAT) allows you to pass traffic easily between different networks. However, only configure NAT rules for the specific services that require it; don't create NAT rules that match the ANY service. Doing this cuts down the surface area malware or hackers can target if one part of your network is breached.

For further information about NAT rules and how to configure them, see NAT rules.
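The practices above (segregating the DMZ from the LAN, attaching an IPS policy to inter-zone rules, avoiding port forwarding, matching known users on LAN-to-internet rules, and not applying NAT to the ANY service) can be checked mechanically against a rule table. The following is an added example written for this page, not Sophos Firewall code or its API: the Rule model, the zone names, the severity labels and the sample rule table are all constructed for illustration, and "ANY" stands for the catch-all service object.

```python
# Added example (not Sophos Firewall code): audit a rule table against the
# practices on this page. The Rule model, zone names and sample rules are
# constructed for illustration; "ANY" stands for the catch-all service object.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str = "allow"              # "allow" or "deny"
    services: tuple = ("ANY",)         # ("ANY",) means every service
    ips_policy: Optional[str] = None   # IPS policy attached to the rule, if any
    match_known_users: bool = False    # rule applies only to authenticated users
    nat: Optional[str] = None          # None, "SNAT" or "DNAT" (port forwarding)


def audit(rules):
    """Return (rule name, severity, message) for each practice a rule violates."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure, so nothing to check
        inter_zone = r.src_zone != r.dst_zone
        # Segregation: the DMZ must not be able to open connections into the LAN.
        if r.src_zone == "DMZ" and r.dst_zone == "LAN":
            findings.append((r.name, "high", "allows DMZ -> LAN; block this direction"))
        # Lateral movement: every rule that crosses a zone boundary needs IPS.
        if inter_zone and r.ips_policy is None:
            findings.append((r.name, "high", "inter-zone rule has no IPS policy"))
        # Remote access: port forwarding from the WAN should give way to VPN where possible.
        if r.nat == "DNAT" and r.src_zone == "WAN":
            findings.append((r.name, "medium", "port forwarding from WAN; prefer VPN access"))
        # Authenticated users only: LAN -> internet rules must match known users.
        if r.src_zone == "LAN" and r.dst_zone == "WAN" and not r.match_known_users:
            findings.append((r.name, "medium", "LAN -> WAN rule does not require known users"))
        # NAT scope: translate only the services that need it, never ANY.
        if r.nat is not None and "ANY" in r.services:
            findings.append((r.name, "high", "NAT rule covers ANY service; restrict it"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample rule table (not taken from any real firewall).
SAMPLE_RULES = [
    Rule("web-dmz-in", "WAN", "DMZ", services=("HTTPS",), ips_policy="DMZ_TO_WAN", nat="DNAT"),
    Rule("dmz-to-lan-db", "DMZ", "LAN", services=("MySQL",)),
    Rule("lan-out", "LAN", "WAN", services=("HTTP", "HTTPS"), ips_policy="LAN_TO_WAN",
         match_known_users=True),
    Rule("guest-out", "GUEST", "WAN", nat="SNAT"),
    Rule("dmz-lan-block", "DMZ", "LAN", action="deny"),
    Rule("rdp-forward", "WAN", "LAN", services=("RDP",), nat="DNAT"),
]


if __name__ == "__main__":
    results = audit(SAMPLE_RULES)
    for name, severity, msg in results:
        print(f"[{severity}] {name}: {msg}")
    print(summarize(results))
```

Running the script lists one medium finding for the HTTPS port forward, two high findings for the DMZ-to-LAN database rule, two for the guest SNAT rule, and a high plus a medium finding for the RDP forward; the authenticated LAN-to-WAN rule and the explicit deny rule produce none. The deny-rule skip matters: only allow rules can widen exposure, and a DMZ-to-LAN block is exactly what the segregation practice asks for.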

Isolate the infected system automatically

Use Security Heartbeat to monitor systems and automatically isolate those that show signs of infection or compromise. Security Heartbeat stops the compromised systems from connecting to others on your network and clean systems from connecting to those that may have been compromised.

Configure Sophos Security Heartbeat in the firewall rule.
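To make the two-way isolation described above concrete, here is an added simulation of heartbeat-gated rule decisions; it is example code written for this page, not Sophos code. It assumes the three Security Heartbeat health states Green, Yellow and Red, a rule that sets a minimum source and destination health, and an option to block clients that send no heartbeat; the endpoint table, timestamps and the 60-second staleness threshold are constructed, and a destination with no heartbeat is treated as unrated rather than blocked (a simplification).

```python
# Added example (not Sophos code): simulate firewall rules that consult
# Security Heartbeat health. Health states follow Heartbeat's Green/Yellow/Red;
# endpoint records, timestamps and the staleness threshold are constructed.
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Health(IntEnum):
    RED = 0      # active threat detected on the endpoint
    YELLOW = 1   # warning state, e.g. inactive malware or unwanted application
    GREEN = 2    # healthy


@dataclass
class Endpoint:
    ip: str
    health: Health
    last_seen: int  # epoch seconds of the last heartbeat received


HEARTBEAT_MAX_AGE = 60  # assumed: seconds without a heartbeat before a host counts as missing


def current_health(ep: Optional[Endpoint], now: int) -> Optional[Health]:
    """Health of an endpoint, or None when it never reported or its heartbeat is stale."""
    if ep is None or now - ep.last_seen > HEARTBEAT_MAX_AGE:
        return None
    return ep.health


def allowed(src_ip, dst_ip, endpoints, now,
            min_src=Health.GREEN, min_dst=Health.GREEN, block_no_heartbeat=True):
    """Decide whether a rule with heartbeat conditions permits src -> dst."""
    src_h = current_health(endpoints.get(src_ip), now)
    dst_h = current_health(endpoints.get(dst_ip), now)
    # A source without a heartbeat is of unknown state: blocked when the rule requires one.
    if src_h is None:
        return not block_no_heartbeat
    if src_h < min_src:
        return False  # a compromised (or warning-state) client may not open connections
    # The destination is rated only when it reports a heartbeat (servers without an
    # agent, printers, etc. cannot be assessed); a known-bad destination is protected.
    if dst_h is not None and dst_h < min_dst:
        return False
    return True


def isolated_hosts(endpoints, now):
    """Hosts currently reporting RED: cut off in both directions under the defaults."""
    return sorted(ip for ip, ep in endpoints.items()
                  if current_health(ep, now) == Health.RED)


# Constructed endpoint table and clock.
NOW = 1_700_000_000
ENDPOINTS = {
    "10.0.1.10": Endpoint("10.0.1.10", Health.GREEN, NOW - 5),
    "10.0.1.11": Endpoint("10.0.1.11", Health.RED, NOW - 5),
    "10.0.1.12": Endpoint("10.0.1.12", Health.YELLOW, NOW - 5),
    "10.0.1.13": Endpoint("10.0.1.13", Health.GREEN, NOW - 600),  # stale heartbeat
}

if __name__ == "__main__":
    print("isolated:", isolated_hosts(ENDPOINTS, NOW))
    for src, dst in [("10.0.1.10", "10.0.2.20"), ("10.0.1.11", "10.0.2.20"),
                     ("10.0.1.10", "10.0.1.11"), ("10.0.1.13", "10.0.2.20")]:
        verdict = "allowed" if allowed(src, dst, ENDPOINTS, NOW) else "blocked"
        print(f"{src} -> {dst}: {verdict}")
```

With the default minimums, the red host can neither open connections nor be reached by the healthy host, which is the two-way isolation the section describes. Lowering `min_src` to `Health.YELLOW` lets warning-state clients through while still cutting off red ones, and the stale host shows why a missing heartbeat should be treated as unknown rather than healthy.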