Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
Icons and their meaning:
• Delete rule (not applicable for default rules)
• Insert a new rule above
• Insert a new rule below
• Move rule. To move the rule, click the icon and drag-and-drop at the required position (not applicable for default rules).
• Collapse rule
Understanding the List of Firewall Rules
All added rules are available in the form of a list. Each rule in the list presents a quick snapshot of the rule. To view rule details, click to expand the view. Which items are available in the collapsed or expanded view is shown below.
Items in collapsed view:
• Rule Name: name of the rule
• In/Out: amount of traffic (in bytes) coming in or going out using the particular rule
• Firewall Rule features: status of Schedule, heartbeat, IPS and traffic shaping
• Source: source zone
• Destination: destination zone
• What: shows protected domains/services
• Action: status of protected servers, status of web and application protection for user
Additional items in expanded view:
• ID: rule ID
• User's Policy Applied: status of application filter, web policy, AV and AS scanning, NAT policy and route through gateway, if configured
• Firewall Rule Summary: summary of the added rule
While configuring any Firewall Rule, hover the mouse over the following objects to see additional details:
• Source/Destination Zones
• Schedule
• Services
• Source/Destination Networks
• Hosted Address
• Allowed/Blocked Client Networks
• Protected Server(s)
• Protected Zone
User / Network Rule
User/Network Rule is used to define access rights and protection to the network objects/hosts. In a nutshell, if you want to control traffic by source, service, destination, zone, then use a Network Rule. Additionally, the administrator has the option to attach user identity to a rule in order to customize access of assorted hosts/servers. Such an identity based rule is considered a User Rule.
You can view or add a User/Network Rule for IPv4 and IPv6 traffic.
| Protect | 52
1. Add User / Network Rule (IPv4)
2. Add User / Network Rule (IPv6)
Add User/Network Rule (IPv4)
This page allows you to create firewall rules to control traffic that uses the IPv4 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.
1. Go to Protect > Firewall and select IPv4 using the filter switch.
2. Click +Add Firewall Rule and User/Network Rule.
3. Enter the rule introduction details.
Rule Name
Enter a name for the rule.
Description
Enter a description for the rule.
Rule Position
Specify the position of the rule from the available options.
Available Options: Top, Bottom
Action
Specify an action for the rule traffic from the available options.
• Accept – Allow access
• Drop – Silently discard
• Reject – Deny access (“ICMP port unreachable” message is sent to the source)
When the device sends a response, it may send it through a different interface than the one on which the request was received, depending on the routing configuration of the device.
For example: If the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and no specific route is defined, the device will send a response to these hosts using the default route. Hence, the response will be sent through the WAN port.
Figure 27: About This Rule
4. Enter the Source details.
Source Zones
Select the source zones allowed to the user.
A new zone can be created directly from this page itself or from Configure > Network > Zones page.
Source Networks and Devices
Select the source networks/devices allowed to the user.
A new network host can be created directly from this page itself or from System > Hosts and Services.
During Scheduled Time
Select the schedule allowed to the user.
A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.
Figure 28: Source
5. Enter the Destination and Services details.
Destination Zones
Select the destination zones allowed to the user.
Destination Networks
Select the destination networks allowed to the user.
A new network host can be created directly from this page itself or from System > Hosts and Services.
Services
Select the services allowed to the user.
A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.
Figure 29: Destination
6. Enter Identity details. Follow this step if you want to configure a User Rule.
Match known users
Select to enable a rule based on the user identity.
Show captive portal to unknown users (available only if Match known users is selected)
Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, where the user can log in to access the Internet.
Clear the check box to drop traffic from unknown users.
User or Groups (available only if Match known users is selected)
Select the user(s) or group(s) from the list of available options.
Exclude this user activity from data accounting. (only available if Match known users is selected)
Select to exclude user traffic activity from data accounting. In other words, the traffic allowed through this rule will not be accounted towards data transfer for the user.
By default, user’s network traffic is considered in data accounting.
Figure 30: Identity
7. Enter Malware Scanning details (available only if Action selected for the traffic is Accept).
Scan HTTP
Enable HTTP traffic scanning.
Decrypt & Scan HTTPS
Enable HTTPS traffic decryption and scanning.
Detect zero-day threats with Sandstorm
Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).
Scan FTP
Enable FTP traffic scanning.
8. Enter Advanced settings details (available only if Action selected for the traffic is Accept).
a) Specify policies for User Applications.
Intrusion Prevention
Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.
Traffic Shaping Policy
User's traffic shaping policy will be applied automatically if Match known users is selected.
You need to select traffic shaping policy for the rule if Match known users is not selected.
Web Policy
Select a web policy for the rule.
A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.
Apply Web Category based Traffic Shaping Policy
Click to restrict bandwidth for the URLs categorized under the Web category.
A three step configuration is required as follows:
1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.
2. Now, on this page assign the created policy to Web Policy.
3. Select Apply Web Category based Traffic Shaping Policy to apply the rule.
Application Control
Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.
Apply Application-based Traffic Shaping Policy
Click to restrict bandwidth for the applications categorized under the Application category.
A three step configuration is required as follows:
1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.
2. Now, on this page assign the created policy to Application Control.
3. Select Apply Application-based Traffic Shaping Policy to apply the rule.
Figure 31: User Applications
b) Configure Synchronized Security settings.
Minimum Source HB Permitted
Select a minimum health status that a source device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
Block clients with no heartbeat
Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
Based on that information, you can restrict a source device's access to certain services and networks.
Enable/disable the option to require the sending of heartbeats.
Minimum Destination HB Permitted (not available if the only Destination Zone selected is WAN)
Select a minimum health status that a destination device must have to conform to this rule. Health status can be either Green, Yellow or No Restriction. If the health criterion is not met, access and privileges defined in this rule will not be granted to the user.
Note: You can use the option if you have selected multiple zones along with WAN.
Block request to destination with no heartbeat (not available if the only Destination Zone selected is WAN)
Heartbeat-capable devices can be required to send information on their health status in defined intervals - this is called a heartbeat.
Based on that information, you can block requests to destinations not sending heartbeat.
Enable/disable the option to require the sending of heartbeats.
Note: You can use the option if you have selected multiple zones along with WAN.
Figure 32: Synchronized Security
c) Enter NAT and Routing details.
Rewrite source address (Masquerading)
Select if you want to re-write the source address or specify a NAT policy.
Default: Disabled
Use Gateway Specific Default NAT Policy (available only if Masquerading is selected)
Select to override the default NAT policy with a gateway specific policy.
Override default NAT policy for specific Gateway (available only if Use Gateway Specific Default NAT Policy is selected)
Select to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.
Use Outbound Address (available only if Rewrite source address is selected)
Select the NAT policy to be applied from the list of available NAT policies.
A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.
Default: MASQ.
MASQ (Interface Default IP)
• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.
• (Interface Default IP) will be displayed when multiple Destination Zones are selected.
Primary Gateway
Specify the Primary Gateway. This is applicable only if more than one gateway is defined.
Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for WAN Destination Zone and None for other zones. In such case, the firewall rule will not make routing decisions.
Backup Gateway
Specify the Backup Gateway. This is applicable only if more than one gateway is defined.
Note: On deletion of the gateway, Backup Gateway will display None.
DSCP Marking
Select the DSCP Marking.
DSCP (DiffServ Code Point) classifies the flow of packets as they enter the local network depending upon QoS. A flow is defined by 5 elements: source IP address, destination IP address, source port, destination port and the transport protocol.
For available options, refer to
Figure 33: NAT & Routing
9. Define logging option for the user application traffic.
Log Firewall Traffic
Select to enable logging of permitted and denied traffic.
Figure 34: Log Traffic
10. Click Save.
Add User / Network Rule (IPv6)
This page allows you to create firewall rules to control traffic that uses the IPv6 protocol. The firewall rules control traffic between internal and external networks and protect the network from unauthorized access. The device determines the rule to be applied based on the source and destination zone you configure in the firewall rule. Use this page to create identity-based firewall rules by applying them to users.
1. Go to Protect > Firewall and select IPv6 using the filter switch.
2. Click +Add Firewall Rule and User / Network Rule.
3. Specify the policy introduction details.
Rule Name
Enter a name for the rule.
Description
Specify a description for the rule.
Rule Position
Specify the position of the rule from the available options.
Available Options: Top, Bottom
Action
Specify an action for the rule traffic from the available options.
• Accept – Allow access
• Drop – Silently discard
• Reject – Deny access (“ICMP port unreachable” message is sent to the source)
When the device sends a response, it may send it through a different interface than the one on which the request was received, depending on the routing configuration of the device.
For example: If the request is received on the LAN port using a spoofed IP address (public IP address or the IP address not in the LAN zone network) and no specific route is defined, the device will send a response to these hosts using the default route. Hence, the response will be sent through the WAN port.
Figure 35: About This Rule
4. Specify Source details.
Source Zones
Select the source zones allowed to the user.
Source Networks and Devices
Select the source networks/devices allowed to the user.
A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.
During Scheduled Time
Select the schedule allowed to the user.
A new schedule can be created directly from this page itself or from the System > Profiles > Schedule page.
Figure 36: Source
5. Specify Destination and Services details.
Destination Zones
Select the destination zones allowed to the user.
Destination Networks
Select the destination networks allowed to the user.
A new network host can be created directly from this page itself by clicking Create new or from System > Hosts and Services.
Services
Select the service(s) allowed to the user.
A new service can be created directly from this page itself or from the System > Hosts and Services > Services page.
Figure 37: Destination
6. Specify Identity details.
Match known users
Select to enable a rule based on the user identity.
Show Captive Portal to unknown users
Select the check box to accept traffic from unknown users. The captive portal page is displayed to the user, where the user can log in to access the Internet.
Clear the check box to drop traffic from unknown users.
User or Groups (available only if Match known users is selected)
Select the user(s) or group(s) from the list of available options.
Exclude this user activity from data accounting (only available if Match known users is selected)
Select to exclude user traffic activity from data accounting.
By default, the user’s network traffic is considered in data accounting. When this option is selected, the traffic allowed through this rule will not be accounted towards data transfer for the user.
Figure 38: Identity
7. Specify Malware Scanning details. (available only if Action for the traffic is Accept)
Scan HTTP
Enable HTTP traffic scanning.
Decrypt & Scan HTTPS
Enable HTTPS traffic decryption and scanning.
Detect zero-day threats with Sandstorm
Send files downloaded using HTTP or HTTPS for analysis by Sandstorm. Sandstorm protects your network against unknown and unpublished threats (“zero-day” threats).
8. Specify Advanced settings details (available only if Action for the traffic is Accept).
a) Specify policies for user applications.
Intrusion Prevention (IPS)
Select an IPS policy for the rule. A new IPS policy can be created directly from this page itself or from Protect > Intrusion Prevention > IPS Policies page.
Traffic Shaping Policy
User's traffic shaping policy will be applied automatically if Match known users is selected.
You need to select traffic shaping policy for the rule if Match known users is not selected.
Web Policy
Select a web policy for the rule.
A new web policy can be created directly from this page itself or from the Protect > Web > Policies page.
Apply Web Category based Traffic Shaping Policy
Click to restrict bandwidth for the URLs categorized under the Web category.
A three step configuration is required as follows:
1. Create a traffic shaping policy on the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Web Categories.
2. Now, on this page assign the created policy to Web Policy.
3. Select Apply Web Category based Traffic Shaping Policy to apply the policy.
Application Control
Select an application filter policy for the rule. A new application filter policy can be created directly from this page itself or from the Protect > Applications > Application Filter page.
Apply Application-based Traffic Shaping Policy
Click to restrict bandwidth for the applications categorized under the Application category.
A three step configuration is required as follows:
1. Create a traffic shaping policy from the System > Profiles > Traffic Shaping page. Here, specify the Policy Association as Applications.
2. Now, on this page assign the created policy to Application Control.
3. Select Apply Application-based Traffic Shaping Policy to apply the policy.
Figure 39: User Applications
b) Specify Routing details.
Rewrite source address (Masquerading)
Disable if you do not want to re-write the source address or specify a NAT policy.
Default: Enabled
Use Gateway Specific Default NAT Policy (only if Masquerading is selected)
Click to override the default NAT policy with a gateway specific policy.
Override default NAT policy for specific Gateway (only if Use Gateway Specific Default NAT Policy is selected)
Enable to specify gateway and corresponding NAT policy. Multiple gateways and NAT policies can be added.
Use Outbound Address (only if Rewrite source address is selected)
Select the NAT policy to be applied from the list of available NAT policies.
A new NAT policy can be created directly from this page itself or from the System > Profiles > Network Address Translation page.
Default: MASQ.
MASQ (Interface Default IP)
• IP Address of the Destination Zone as configured in Configure > Network > Interfaces will be displayed instead of (Interface Default IP) when single Destination Zone is selected.
• (Interface Default IP) will be displayed when multiple Destination Zones are selected.
Primary Gateway
Specify the primary gateway. This is applicable only if more than one gateway is defined.
Note: On deletion of the gateway, Primary Gateway will display WAN Link Load Balance for WAN Destination Zone and None for other zones. In such case, the firewall rule will not make routing decisions.
Backup Gateway
Specify the backup gateway. This is applicable only if more than one gateway is defined.
Note: On deletion of the gateway, Backup Gateway will display None.
DSCP Marking
Select the DSCP Marking.
DSCP (DiffServ Code Point) classifies the flow of packets as they enter the local network depending upon QoS. A flow is defined by 5 elements: source IP address, destination IP address, source port, destination port and the transport protocol.
For available options, refer to
Figure 40: NAT & Routing
9. Define logging option for the user application traffic.
Log Firewall Traffic
Click to enable logging of permitted and denied traffic.
Figure 41: Log Traffic
10. Click Save.
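The rule evaluation that the IPv4 and IPv6 procedures above configure can be seen end to end in a small model: an ordered rule list where the first match decides, Accept/Drop/Reject actions, Match known users with the captive-portal option for unknown users, Minimum Source HB Permitted together with Block clients with no heartbeat, Rewrite source address, and the Rule Position choice of Top or Bottom. This is an added Python example written for this page; it is not Sophos code and does not reproduce the device's actual engine. It assumes first-match semantics, an implicit drop when no rule matches, a Green > Yellow > Red ordering of heartbeat health, that a rule is skipped (rather than dropping the packet) when the user is not in its user list or the heartbeat criterion is not met, and that the minimum health applies only when a heartbeat is present. All zones, networks, users and rule names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Health ordering assumed for this model; the guide offers Green, Yellow and
# No Restriction as the selectable minimum.
HEALTH_RANK = {"Green": 2, "Yellow": 1, "Red": 0}

@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str                        # e.g. "HTTP", "DNS", "SSH"
    user: Optional[str] = None          # None = unknown (unauthenticated) user
    src_health: Optional[str] = None    # heartbeat status; None = no heartbeat

@dataclass
class Rule:
    name: str
    action: str                         # "Accept", "Drop" or "Reject"
    src_zones: set
    dst_zones: set
    src_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    dst_nets: list = field(default_factory=lambda: ["0.0.0.0/0"])
    services: set = field(default_factory=lambda: {"Any"})
    match_known_users: bool = False          # "Match known users"
    users: set = field(default_factory=set)
    captive_portal_for_unknown: bool = False  # "Show captive portal to unknown users"
    min_source_hb: str = "No Restriction"    # "Minimum Source HB Permitted"
    block_no_heartbeat: bool = False         # "Block clients with no heartbeat"
    masquerade: bool = False                 # "Rewrite source address"

def _in_any(ip: str, nets: list) -> bool:
    return any(ip_address(ip) in ip_network(net) for net in nets)

def selectors_match(rule: Rule, pkt: Packet) -> bool:
    """Zone, network and service selectors (steps 4 and 5 of the procedure)."""
    return (pkt.src_zone in rule.src_zones and pkt.dst_zone in rule.dst_zones
            and _in_any(pkt.src_ip, rule.src_nets)
            and _in_any(pkt.dst_ip, rule.dst_nets)
            and ("Any" in rule.services or pkt.service in rule.services))

def heartbeat_ok(rule: Rule, pkt: Packet) -> bool:
    """Synchronized Security checks (step 8b). Assumption: the minimum health
    applies only when a heartbeat is present; an absent heartbeat is governed
    by the "Block clients with no heartbeat" switch."""
    if pkt.src_health is None:
        return not rule.block_no_heartbeat
    if rule.min_source_hb == "No Restriction":
        return True
    return HEALTH_RANK[pkt.src_health] >= HEALTH_RANK[rule.min_source_hb]

def evaluate(rules: list, pkt: Packet) -> dict:
    """Walk the ordered list; the first rule whose selectors and identity
    match decides. Returns the verdict, the deciding rule and whether the
    source address would be rewritten (masqueraded)."""
    for rule in rules:
        if not selectors_match(rule, pkt):
            continue
        if rule.match_known_users:
            if pkt.user is None:
                # Unknown user: captive portal if enabled, otherwise dropped.
                verdict = "CaptivePortal" if rule.captive_portal_for_unknown else "Drop"
                return {"verdict": verdict, "rule": rule.name, "masquerade": False}
            if pkt.user not in rule.users:
                continue        # assumption: a user outside the list is no match
        if not heartbeat_ok(rule, pkt):
            continue            # assumption: access "not granted" falls through
        return {"verdict": rule.action, "rule": rule.name,
                "masquerade": rule.masquerade and rule.action == "Accept"}
    # Nothing matched: modelled as an implicit drop (assumed default behaviour).
    return {"verdict": "Drop", "rule": None, "masquerade": False}

def insert_rule(rules: list, rule: Rule, position: str = "Bottom") -> list:
    """Rule Position option from step 3: Top or Bottom of the list."""
    return [rule] + rules if position == "Top" else rules + [rule]

# Constructed rule base: an identity-aware web rule with a heartbeat
# requirement, followed by a catch-all LAN-to-WAN drop.
RULES = [
    Rule("Allow-Web-Staff", "Accept", {"LAN"}, {"WAN"},
         src_nets=["10.0.0.0/24"], services={"HTTP", "HTTPS"},
         match_known_users=True, users={"alice"}, captive_portal_for_unknown=True,
         min_source_hb="Yellow", block_no_heartbeat=True, masquerade=True),
    Rule("Deny-LAN-WAN", "Drop", {"LAN"}, {"WAN"}),
]

if __name__ == "__main__":
    pkt = Packet("LAN", "WAN", "10.0.0.5", "203.0.113.10", "HTTP", "alice", "Green")
    print(evaluate(RULES, pkt))
```

The catch-all drop at the bottom is what makes rule order matter: a known user who is not in the first rule's user list, a source whose heartbeat is Red, or a service the first rule does not list all fall through to it, and a rule inserted with Rule Position Top is evaluated before both.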
DSCP Value
DiffServ Code Point (DSCP) uses 6 bits, thereby giving 2^6 = 64 different values (0 to 63). The table below describes the standard DSCP values. The remaining DSCP values can be customized as per the QoS requirement.

| Decimal | DSCP    | Description            |
|---------|---------|------------------------|
| 0       | Default | Best Effort            |
| 8       | CS1     | Class 1 (CS1)          |
| 10      | AF11    | Class 1, Gold (AF11)   |
| 12      | AF12    | Class 1, Silver (AF12) |
| 14      | AF13    | Class 1, Bronze (AF13) |
| 16      | CS2     | Class 2 (CS2)          |
| 18      | AF21    | Class 2, Gold (AF21)   |
| 20      | AF22    | Class 2, Silver (AF22) |
| 22      | AF23    | Class 2, Bronze (AF23) |
| 24      | CS3     | Class 3 (CS3)          |
| 26      | AF31    | Class 3, Gold (AF31)   |
| 28      | AF32    | Class 3, Silver (AF32) |
| 30      | AF33    | Class 3, Bronze (AF33) |
| 32      | CS4     | Class 4 (CS4)          |
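The DSCP Marking option in the NAT & Routing step and the table above can be worked through in code: extracting the 6-bit code point from the IPv4 TOS / IPv6 Traffic Class byte, naming it from the table (with AF values split into class and drop precedence, which is how RFC 2597 lays the bits out), and applying a marking per 5-tuple flow while leaving the two ECN bits untouched. This is an added Python example, not Sophos code; the sample packets and the marking policy (SIP signalling to AF31, HTTPS left at Default) are constructed for the example, and the `table_is_consistent` check encodes the standard relationship CSn = 8n and AFxy = 8x + 2y that the table's values satisfy.

```python
# Standard code points from the table above (RFC 2474 class selectors and
# RFC 2597 assured forwarding); the remaining values are site-customisable.
DSCP_NAMES = {0: "Default", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13",
              16: "CS2", 18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3",
              26: "AF31", 28: "AF32", 30: "AF33", 32: "CS4"}

def dscp_from_tos(tos_byte: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte;
    the low 2 bits carry ECN. 6 bits give 2**6 = 64 code points (0..63)."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("TOS / Traffic Class is a single byte")
    return tos_byte >> 2

def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Inverse of dscp_from_tos: pack a code point and ECN bits into a byte."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn

def remark(tos_byte: int, dscp: int) -> int:
    """Replace the DSCP bits of a TOS byte while preserving the ECN bits."""
    return tos_from_dscp(dscp, tos_byte & 0b11)

def describe_dscp(dscp: int) -> str:
    """Name a code point from the table; AF codes are decomposed into class
    (top 3 bits) and drop precedence (next 2 bits) as RFC 2597 lays them out."""
    name = DSCP_NAMES.get(dscp)
    if name is None:
        return f"custom ({dscp})"
    if name.startswith("AF"):
        return f"{name}: class {dscp >> 3}, drop precedence {(dscp >> 1) & 0b11}"
    if name.startswith("CS"):
        return f"{name}: class selector {dscp >> 3}"
    return "Default: best effort"

def table_is_consistent() -> bool:
    """Cross-check the table: CSn == 8*n and AFxy == 8*x + 2*y."""
    for dscp, name in DSCP_NAMES.items():
        if name.startswith("CS") and dscp != 8 * int(name[2]):
            return False
        if name.startswith("AF") and dscp != 8 * int(name[2]) + 2 * int(name[3]):
            return False
    return True

def flow_key(src_ip, dst_ip, src_port, dst_port, proto):
    """The 5-tuple the guide says defines a flow for DSCP marking."""
    return (src_ip, dst_ip, src_port, dst_port, proto)

# Constructed sample packets and a constructed marking policy keyed by
# (destination port, protocol): SIP signalling gets AF31, HTTPS stays Default.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 50000, "dport": 5060, "proto": "udp", "tos": 0x02},
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sport": 50001, "dport": 443, "proto": "tcp", "tos": 0x00},
    {"src": "10.0.0.7", "dst": "203.0.113.10", "sport": 50002, "dport": 5060, "proto": "udp", "tos": 0x00},
]
MARKING_POLICY = {(5060, "udp"): 26, (443, "tcp"): 0}

def mark_flows(packets, policy):
    """Return {flow_key: (new TOS byte, description)}; every packet of one
    flow receives the same marking, and the ECN bits survive the rewrite."""
    marked = {}
    for p in packets:
        key = flow_key(p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        dscp = policy.get((p["dport"], p["proto"]), 0)
        marked[key] = (remark(p["tos"], dscp), describe_dscp(dscp))
    return marked

if __name__ == "__main__":
    for key, (tos, desc) in mark_flows(SAMPLE_PACKETS, MARKING_POLICY).items():
        print(key, hex(tos), desc)
```

Marking is keyed on the flow rather than on individual packets so that all packets of one conversation leave with the same code point; a byte such as 0xB8 (code point 46) is reported as custom because it is not in the table above, which is the case the guide leaves to site-specific QoS configuration.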
Table of contents
- 7 What's New in this Release
- 9 Introduction
- 9 Flavors
- 9 Administrative Interfaces
- 10 Administrative Access
- 10 Using Admin Console
- 12 Supported Browsers
- 12 Menus
- 13 Pages
- 14 List Navigation Controls
- 14 Monitor and Analyze
- 14 Control Center
- 21 Current Activities
- 21 Live Users
- 22 Live Connections
- 24 Live Connections IPv
- 26 View Live Connection Details
- 30 IPsec Connections
- 30 Remote Users
- 30 Diagnostics
- 31 Tools
- 34 System Graphs
- 39 URL Category Lookup
- 40 Packet Capture
- 45 Connection List
- 49 Support Access
- 50 Protect
- 50 Firewall
- 52 User / Network Rule
- 64 Business Application Rule
- 119 Intrusion Prevention
- 119 DoS Attacks
- 120 IPS Policies
- 125 Custom IPS Signatures
- 126 DoS & Spoof Prevention
- 136 Policies
- 139 User Activities
- 140 Categories
- 142 URL Groups
- 142 Exceptions
- 143 Protection
- 145 Advanced
- 146 File Types
- 146 Surfing Quotas
- 149 User Notifications
- 149 Applications
- 149 Application List
- 150 Application Filter
- 153 Traffic Shaping Default
- 154 Wireless
- 154 Wireless Client List
- 154 Wireless Networks
- 158 Access Point Overview
- 164 Access Point Groups
- 165 Mesh Networks
- 168 Hotspots
- 177 Hotspot Voucher Definition
- 178 Rogue AP Scan
- 180 Wireless Settings
- 181 Hotspot Settings
- 182 Email
- 183 MTA Mode
- 209 Legacy Mode
- 236 Web Server
- 236 Web Servers
- 238 Protection Policies
- 242 Authentication Policies
- 244 Authentication Templates
- 245 SlowHTTP Protection
- 246 Advanced Threat
- 246 Advanced Threat Protection
- 247 Security Heartbeat
- 249 Sandstorm Activity
- 250 Sandstorm Settings
- 250 Configure
- 251 IPsec Connections
- 273 SSL VPN (Remote Access)
- 275 SSL VPN (Site to Site)
- 278 VPN Client
- 281 L2TP (Remote Access)
- 285 Clientless Access
- 285 Bookmarks
- 287 Bookmark Groups
- 287 PPTP (Remote Access)
- 289 IPsec Profiles
- 295 SSL VPN
- 299 Network
- 299 Interfaces
- 328 Zones
- 331 WAN Link Manager
- 348 IPv6 Router Advertisement
- 351 Cellular WAN
- 353 IP Tunnels
- 355 Neighbors (ARP-NDP)
- 358 Dynamic DNS
- 360 Routing
- 361 Static Routing
- 364 Policy Routing
- 366 Gateways
- 374 Information
- 387 Upstream Proxy
- 389 Multicast (PIM-SIM)
- 394 Authentication
- 395 Servers
- 404 Services
- 412 Groups
- 416 Users
- 423 One-Time Password
- 426 Captive Portal
- 429 Guest Users
- 435 Clientless Users
- 438 Guest User Settings
- 443 Client Downloads
- 445 System Services
- 446 High Availability
- 453 Traffic Shaping Settings
- 456 Log Settings
- 462 Data Anonymization
- 465 Traffic Shaping
- 469 Services
- 470 System
- 470 Profiles
- 471 Schedule
- 473 Access Time
- 475 Surfing Quotas
- 478 Network Traffic Quota
- 482 Network Address Translation
- 482 Device Access
- 484 Hosts and Services
- 485 IP Host
- 486 IP Host Group
- 487 MAC Host
- 488 FQDN Host
- 489 FQDN Host Group
- 489 Country Group
- 490 Services
- 491 Service Group
- 492 Administration
- 493 Licensing
- 494 Device Access
- 497 Admin Settings
- 500 Central Management
- 501 Notification Settings
- 503 Netflow
- 503 Messages
- 506 Backup & Firmware
- 509 Import Export
- 510 Firmware
- 512 Pattern Updates
- 514 Certificates
- 516 Certificate Authorities
- 517 Certificate Revocation Lists
- 518 Appendix A - Logs
- 518 Log Viewer
- 519 View List of System Events
- 520 View List of Web Filter Events
- 521 View List of Application Filter Events
- 522 View List of Malware Events
- 523 View List of Email Events
- 524 View List of Firewall Events
- 525 View List of IPS Events
- 526 View List of Authentication Events
- 527 View List of Admin Events
- 527 View List of Web Server Protection (WAF) Events
- 528 View List of Advanced Threat Protection Events
- 529 View List of Security Heartbeat Events
- 530 Log ID Structure
- 530 Log Type
- 531 Log Component
- 533 Log Subtype
- 534 Priority
- 534 Common Fields for all Logs
- 535 System Logs
- 544 Web Filter Logs
- 545 Module-specific Fields
- 545 Application Filter Logs
- 546 Module-specific Fields
- 547 Malware Logs
- 547 Module-specific Fields
- 549 Email Logs
- 550 Module-specific Fields
- 551 Firewall Rule Logs
- 552 Module-specific Fields
- 554 IPS Logs
- 555 Module-specific Fields
- 557 Authentication Logs
- 558 Module-specific Fields
- 558 Admin Logs
- 559 Module-specific Fields
- 559 Sandbox Report Logs
- 560 Web Application Firewall (WAF) Logs
- 561 Advanced Threat Protection (ATP) Logs
- 561 Heartbeat Logs
- 562 System Health Logs
- 562 Appendix B - IPS - Custom Pattern Syntax
- 569 Appendix C - Default File Type Categories
- 573 Appendix D - Supported Micro-Apps
- 576 Appendix E - USB Compatibility List
- 626 Appendix F - Compatibility with SFMOS
- 627 Appendix G - Additional Documents
- 627 Copyright Notice