Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Name
Enter a name to identify the Custom IPS Signature.
Protocol
Select IPS protocol from the list.
Available Options: TCP, UDP, ICMP, ALL
Custom Rule
Specify the IPS Signature definition.
A signature definition must begin with a keyword, followed by the value enclosed in double quotes, and must end with a semicolon (;).
Format: Keyword: "value";
For example: content: "USER JOHN";
If traffic containing USER JOHN is detected, the action defined in the policy is taken.
Refer to Appendix B – IPS - Custom IPS Pattern Syntax for more details on creating IPS Pattern.
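The following is an added example, not code from the Sophos guide: a small parser for the keyword/value clause format described above, which rejects a definition the moment a clause is missing its quotes or its terminating semicolon, plus a constructed matcher that checks a payload against the signature's content clauses. The keyword character set and the plain substring matching are assumptions; Appendix B defines the real syntax.

```python
import re

# One clause of the format on this page:  keyword: "value";
# The permitted keyword characters are our assumption, not Sophos's grammar.
_CLAUSE = re.compile(r'\s*([A-Za-z_][A-Za-z0-9_-]*)\s*:\s*"([^"]*)"\s*;')


def parse_signature(definition):
    """Parse a custom IPS signature definition into [(keyword, value), ...].

    Every clause must be keyword, colon, double-quoted value, semicolon. The
    first clause that breaks the format raises ValueError with its offset, so
    an operator can see exactly where a pasted rule went wrong.
    """
    text = definition.strip()
    if not text:
        raise ValueError("empty signature definition")
    pairs, pos = [], 0
    while pos < len(text):
        m = _CLAUSE.match(text, pos)
        if m is None:
            raise ValueError(f"malformed clause at offset {pos}: {text[pos:pos + 24]!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
        pos = m.end()
    return pairs


def content_matches(pairs, payload):
    """True when every content: clause of the signature occurs in the payload.

    Constructed approximation of matching: plain case-sensitive substring
    search, which is all the page's own example ("USER JOHN") needs.
    """
    needles = [value for keyword, value in pairs if keyword == "content"]
    return bool(needles) and all(n in payload for n in needles)


if __name__ == "__main__":
    sig = parse_signature('content: "USER JOHN";')
    print(sig)  # [('content', 'USER JOHN')]
    print(content_matches(sig, "USER JOHN\r\nPASS secret\r\n"))
```

Running the parser on a definition before saving it in the UI is a quick way to confirm that every clause really ends with `;` and that no value lost its closing quote when it was pasted.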
Severity
Select the level of severity from the available options.
Available Options: Critical, Major, Moderate, Minor, Warning
Recommended Action
Specify the action to be taken on the selected policy when a matching pattern is found.
Available Actions:
• Allow Packet – Check each packet before taking action.
• Drop Packet – Drop packets.
• Drop Session – Terminate the entire session instead of scanning all the session packets, to save resources and avoid a high number of alerts.
• Reset – Send a TCP reset packet to the originator.
• Bypass Session – Scan initial packets only. If the initial packets match the pattern, the rest of the session packets are not scanned and the traffic is allowed to pass.
In all cases, the device generates a log and alerts the Network Administrator.
| Protect | 126
Figure 136: Add Custom IPS Signature
3. Click Save.
DoS & Spoof Prevention
The device provides several security options that cannot be defined by the security policies. These include protection from several kinds of "Denial of Service attacks". Such attacks disable computers and circumvent security.
A Denial of Service (DoS) attack is a method that attackers use to prevent or deny legitimate users access to a service.
DoS attacks are typically executed by sending many request packets to a targeted server (usually Web, FTP, or Mail server), which floods the server's resources, making the system unusable. Their goal is not to steal the information but disable or deprive a device or network so that users no longer have access to the network services/resources.
All servers can handle traffic volume up to a maximum, beyond which they become disabled. Hence, attackers send a very high volume of redundant traffic to a system so that it cannot examine and allow permitted network traffic. The best way to protect against a DoS attack is to identify and block such redundant traffic. The following DoS settings can be used to identify a DoS attack:
Packet rate per Source
Total number of connections or packets allowed to a particular user.
Burst rate per Source
Maximum number of packets allowed to a particular user at a given time.
Packet rate per Destination
Total number of connections or packets allowed from a particular user.
Burst rate per Destination
Maximum number of packets allowed from a particular user at a given time.
How it works
When the burst rate is crossed, the device considers it an attack. The device provides DoS attack protection by dropping all the excess packets from the particular source/destination, and continues to drop packets until the attack subsides. Because the device applies the threshold value per IP address, only traffic from the particular source/destination is dropped; the rest of the network traffic is not affected at all.
Time taken to re-allow traffic from the blocked source/destination = time taken for the attack to subside + 30 seconds
For example:
Packet rate per source: 100 packets per second
Burst rate per source: 200 packets per second
When the user starts sending requests, he will initially be able to send 200 packets per second, but once those 200 packets have been received, in the next phase the user will only be able to send 100 packets per second. So if in the next phase the user sends 150 packets per second, the device considers it an attack and drops 50 (150 - 100) packets. The device will then accept traffic from the user again only 30 seconds after having dropped the packets.
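As an added illustration of the packet rate / burst rate behaviour (this is not Sophos code and does not describe the appliance's internal implementation), the model below replays the scenario above per source address. Assumed simplifications: traffic is processed in one-second windows, a source's burst allowance applies only to its first window, and a source whose window exceeds its allowance has the excess dropped and is then blocked until 30 seconds after the offending window ends. The address 192.0.2.10 is a constructed sample value.

```python
# Thresholds from the page's worked example.
PACKET_RATE = 100     # packets per second
BURST_RATE = 200      # packets per second
BLOCK_SECONDS = 30    # re-allow delay after the attack subsides


class DosLimiter:
    """Per-source rate limiter; a simplified model, not the appliance's algorithm."""

    def __init__(self, packet_rate=PACKET_RATE, burst_rate=BURST_RATE,
                 block_seconds=BLOCK_SECONDS):
        self.packet_rate = packet_rate
        self.burst_rate = burst_rate
        self.block_seconds = block_seconds
        self.seen = set()            # sources that have already used their burst window
        self.blocked_until = {}      # source -> first second at which traffic is re-allowed

    def process(self, src, second, count):
        """Handle `count` packets from `src` in the one-second window at `second`.

        Returns (accepted, dropped). Thresholds are tracked per source, so a
        flooding address never changes the verdict for any other address.
        """
        if second < self.blocked_until.get(src, 0):
            # Still blocked. If the source is still flooding, the attack has not
            # subsided and the re-allow time moves out with it.
            if count > self.packet_rate:
                self.blocked_until[src] = second + 1 + self.block_seconds
            return 0, count

        allowed = self.packet_rate if src in self.seen else self.burst_rate
        self.seen.add(src)
        if count <= allowed:
            return count, 0

        # Threshold crossed: treat as an attack, drop the excess and block the
        # source until block_seconds after this window ends.
        self.blocked_until[src] = second + 1 + self.block_seconds
        return allowed, count - allowed


def worked_example():
    """Replay the page's scenario for one constructed source; returns per-window results."""
    lim = DosLimiter()
    timeline = [(0, 200), (1, 150), (2, 100), (31, 100), (32, 100)]
    return [(t, lim.process("192.0.2.10", t, n)) for t, n in timeline]


if __name__ == "__main__":
    for second, (accepted, dropped) in worked_example():
        print(f"t={second:>2}s accepted={accepted:>3} dropped={dropped:>3}")
```

The replay shows the three phases the text describes: the first window passes 200 packets, the 150-packet window passes 100 and drops 50, and everything from the source is dropped until second 32, while a second source is judged entirely on its own counters.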
Threshold values
The device uses packet rate and burst rate values as a threshold value to detect DoS attacks. These values depend on various factors like:
• Network bandwidth
• Nature of traffic
• Capacity of servers in the network
These values apply to the individual source or destination requests per user/IP address and not globally to the entire network traffic. For example, if the source rate is 2500 packets/minute and the network consists of 100 users, then each user is allowed a packet rate of 2500 packets per minute.
Configuring values that are too high will degrade performance, and values that are too low will block regular requests. Hence it is very important to configure appropriate values for both source and destination IP addresses.
Spoof Protection General Settings
You can configure MAC address and/or IP address pair entries in the IP-MAC trusted list to improve the security of your network. Using MAC address filtering makes it more difficult for an attacker to guess and use a random MAC address, or spoof a MAC address, to gain access to your network, as the traffic does not even reach your firewall.
Similarly, it is also possible to filter packets based on the IP-MAC pair, which prevents hosts that try to violate a trusted IP-MAC pairing. To make the restriction more granular, you can enable the restriction per zone.
Enable Spoof Prevention
If enabled, the device provides three ways to prevent spoofing using the IP-MAC trusted list:
• IP Spoofing – Packets will be dropped if a matching route entry is not available.
• MAC Filter – Packets will be dropped if the MAC address is not configured as a trusted MAC.
• IP-MAC Pair Filter – Packets will be dropped if either the IP or the MAC address does not match any entry in the IP-MAC trusted list. Packets will be allowed if neither the IP nor the MAC address is defined as an entry in the IP-MAC trusted list.
Restrict Unknown IP on Trusted MAC (Only applicable if Spoof Prevention is enabled)
Enable this option if you want to drop traffic from any IP address that is not in the trusted list for the trusted MAC address.
By default, it is disabled. When disabled, traffic from any IP address not in the trusted list will be allowed even if it comes from a trusted MAC address.
IP Spoofing
If enabled, it has to be enabled for at least one zone. The device performs a reverse lookup for the route of the source network and, if no route is available, packets are dropped and logged.
Default: disabled for all zones
MAC Filter
If enabled, it has to be enabled for at least one zone. It restricts access to your network from external hosts. As the device will drop all requests from MAC addresses not configured in the trusted list, please make sure to include the MAC addresses of all your internal devices.
Note: To enable MAC Filtering, you need to add a trusted MAC address.
Default: disabled for all zones
IP-MAC Pair Filter
If enabled, it has to be enabled for at least one zone. The device will drop the request, considering it a spoofed request, if:
• the MAC address differs for the trusted IP address, or
• the IP address differs for the trusted MAC address.
A request is dropped if the IP-MAC pair does not exist in the trusted list. But the request is allowed if the IP or MAC address does not exist at all in the list.
Default: disabled for all zones
Zone settings for each method, as shown in the settings table:
Zone | IP Spoofing | MAC Filter | IP-MAC Pair Filter
LAN | Yes | Yes | Yes
WAN | No | Yes | No
DMZ | Yes | Yes | Yes
WiFi | Yes | Yes | Yes
Figure 137: Spoof Protection General Settings
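To make the three spoof prevention decisions concrete, here is an added example (not Sophos code, and not the appliance's implementation) that applies the IP Spoofing reverse route lookup, the MAC Filter and the IP-MAC Pair Filter to a packet according to the zones each method is enabled for, including the Restrict Unknown IP on Trusted MAC option. The trusted list, route table and per-zone settings are constructed sample data; DHCP-bound entries are modelled as if their leased addresses were already known.

```python
import ipaddress

ALLOW, DROP = "allow", "drop"

# Constructed trusted-MAC list: MAC -> IP addresses bound to it. A DHCP entry
# would be kept up to date from the lease table; here it is already resolved.
TRUSTED = {
    "00:11:22:33:44:55": {"192.168.1.10"},
    "00:11:22:33:44:66": {"192.168.1.11", "192.168.1.12"},   # multiple static IPs
    "00:11:22:33:44:77": set(),                               # IP association "None"
}

# Constructed route table used by the IP Spoofing reverse lookup.
ROUTES = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.0.0.0/8")]

# Constructed per-zone settings: IP Spoofing on LAN/DMZ/WiFi, the two
# MAC-based filters on LAN only, Restrict Unknown IP on Trusted MAC off.
SETTINGS = {
    "ip_spoofing": {"LAN", "DMZ", "WiFi"},
    "mac_filter": {"LAN"},
    "ip_mac_pair": {"LAN"},
    "restrict_unknown_ip": False,
}


def ip_spoofing_check(src_ip, routes=ROUTES):
    """IP Spoofing: drop when no route back to the source network exists."""
    addr = ipaddress.ip_address(src_ip)
    return ALLOW if any(addr in net for net in routes) else DROP


def mac_filter_check(src_mac, trusted=TRUSTED):
    """MAC Filter: drop unless the source MAC is in the trusted list."""
    return ALLOW if src_mac.lower() in trusted else DROP


def ip_mac_pair_check(src_ip, src_mac, trusted=TRUSTED, restrict_unknown_ip=False):
    """IP-MAC Pair Filter, following the decision rules in the text above."""
    mac = src_mac.lower()
    ip_owner = {ip: m for m, ips in trusted.items() for ip in ips}
    mac_known, ip_known = mac in trusted, src_ip in ip_owner
    if not mac_known and not ip_known:
        return ALLOW                    # neither appears in the list: not filtered
    if mac_known and ip_known:
        return ALLOW if ip_owner[src_ip] == mac else DROP   # pair must match exactly
    if ip_known:
        return DROP                     # trusted IP arriving from a different MAC
    # Trusted MAC with an IP that is not in the list at all: allowed unless
    # Restrict Unknown IP on Trusted MAC is enabled.
    return DROP if restrict_unknown_ip else ALLOW


def spoof_verdict(src_ip, src_mac, zone, settings=SETTINGS):
    """Run the checks enabled for the packet's zone; returns (verdict, reason)."""
    checks = (
        ("ip_spoofing", lambda: ip_spoofing_check(src_ip)),
        ("mac_filter", lambda: mac_filter_check(src_mac)),
        ("ip_mac_pair", lambda: ip_mac_pair_check(
            src_ip, src_mac, restrict_unknown_ip=settings.get("restrict_unknown_ip", False))),
    )
    for name, check in checks:
        if zone in settings.get(name, ()) and check() == DROP:
            return DROP, name           # dropped packets are logged by the device
    return ALLOW, None


if __name__ == "__main__":
    for ip, mac, zone in [("192.168.1.10", "00:11:22:33:44:55", "LAN"),
                          ("192.168.1.10", "aa:bb:cc:dd:ee:ff", "LAN"),
                          ("172.16.0.1", "aa:bb:cc:dd:ee:ff", "DMZ")]:
        print(ip, mac, zone, spoof_verdict(ip, mac, zone))
```

The pair filter is the part that most often surprises administrators: an address that appears nowhere in the list passes the pair check even from a trusted MAC, which is exactly the case the Restrict Unknown IP on Trusted MAC option closes.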
Spoof Protection Trusted MAC
You can enable MAC address and/or IP address pair filtering to improve security. By enabling filtering, you define the devices that can access your network. It is also possible to import the trusted MAC list from a CSV (Comma Separated Value) file. When a user attempts to access the network, the device checks the MAC address and/or IP address against the list. The user gets access to the network only if the MAC address and/or IP address are in the trusted MAC list; otherwise the request is rejected.
The Spoof Prevention Trusted MAC section displays a list of all the MAC addresses configured as trusted MAC.
The page also provides options to add a new MAC address, update the existing addresses, and import a list of addresses from a CSV file.
DoS Settings
An attack definition can be configured for both source and destination.
SYN Flood
A SYN Flood is an attack in which large numbers of connection requests are sent so that the backlog queue overflows. A connection entry is created when the victim host receives a connection request and allocates some memory resources to it. A SYN flood creates so many half-open connections that the system becomes overwhelmed and can no longer handle incoming requests.
Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.
Select Apply Flag check box to apply the SYN flood definition and control the allowed number of packets.
Source Traffic Dropped displays number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
Click the Click Here link to view the DoS attack status. You will be redirected to Protect > Intrusion Prevention > DoS Attacks. Then click SYN Flood to view the real-time updates on flooding. It displays the source IP address that was used for flooding and the IP address that was targeted.
UDP Flood
A User Datagram Protocol (UDP) Flood links two systems. It hooks up one system's UDP character-generating service with another system's UDP echo service. Once the link is made, the two systems are tied up exchanging a flood of meaningless data.
Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.
Select Apply Flag check box to apply the UDP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
Click the Click Here link to view the DoS attack status. It will redirect you to Protect > Intrusion Prevention > DoS Attacks; click UDP Flood to view the real-time updates on flooding. It displays the source IP address that was used for flooding and the IP address that was targeted.
TCP Flood
A TCP flood sends a huge amount of TCP packets that the host/victim computer cannot handle, thereby denying service to legitimate TCP users.
Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.
Select Apply Flag check box to apply the TCP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
ICMP/ICMPv6 Flood
An ICMP/ICMPv6 flood sends a huge amount of packets/traffic that the protocol implementation of the host/victim computer cannot handle, thereby preventing legitimate packets from reaching their destination.
Configure packet rate (packets/minute) and burst rate (packets/second) for source and destination.
Select Apply Flag check box to apply the ICMP flood definition and control the allowed number of packets.
Source Traffic Dropped displays the number of source packets dropped in case source packet rate control is applied.
Destination Traffic Dropped displays the number of packets dropped in case destination packet rate control is applied.
Click the Click Here link to view the DoS attack status. It will redirect you to Protect > Intrusion Prevention > DoS Attacks; click ICMP/ICMPv6 Flood to view the real-time updates on flooding. It displays the source IP address that was used for flooding and the IP address that was targeted.
Dropped Source Routed Packets
Select the Apply Flag check box to enable this option. It blocks any source-routed connections and prevents packets with an internal address from entering your network.
Disable ICMP/ICMPv6 Redirect Packet
An ICMP redirect packet is used by routers to inform hosts what the correct route should be. If an attacker is able to forge ICMP redirect packets, he or she can alter the routing tables on the host and possibly weaken the security of the host by causing traffic to flow via another path.
Disable the option to prevent an attacker from forging ICMP redirect packets.
Default: enabled
ARP Hardening
If enabled, the device will send an ARP reply only if the destination IP address is a local address configured on the incoming interface and both the sender and destination IP address are in the same subnet.
Figure 138: DoS Settings
DoS Bypass Rule
The device allows you to bypass the DoS rules when you are sure that the specified source will not be used for flooding, or when you want the device to ignore flooding coming from the specified source. By default, VPN zone traffic is also subject to DoS inspection. You can also bypass DoS inspection for traffic coming from certain hosts of the VPN zone.
The DoS Bypass Rule section displays a list of all the bypass rules.
Add a Trusted MAC Address
This page allows you to add a trusted MAC address.
1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the Spoof Protection Trusted MAC section.
2. Enter trusted MAC address details.
MAC Address
Specify a MAC address to be added to the Trusted MAC list.
IPv4 Address
Specify an IPv4 address that is to be bound to the MAC address. Packets will be rejected if either the MAC or the IPv4 address does not match.
Available Options:
• Static – Specify an IP Address to be bound to the MAC address. Packets will be rejected if either MAC or IP address does not match. Multiple IP addresses separated by commas can be provided.
• DHCP – The MAC address will be bound to the IP address leased by the device DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.
To unbind the IPv4 address, select None.
IPv6 Address
Specify an IPv6 address that is to be bound to the MAC address. Packets will be rejected if either the MAC or the IPv6 address does not match.
Available Options:
• Static – Specify an IP Address to be bound to the MAC address. Packets will be rejected if either MAC or IP address does not match. Multiple IP addresses separated by commas can be provided.
• DHCP – The MAC address will be bound to the IP address leased by the device DHCP server as and when the IP is leased. The entry is updated automatically when the leased IP address changes.
To unbind the IPv6 address, select None.
Figure 139: Add Trusted MAC
3. Click Save.
Import Trusted MAC Addresses
Instead of adding the trusted entries individually, the device provides a facility to import the trusted list from a CSV (Comma Separated Value) file.
The format for the CSV file should be as follows:
1. The first row of the CSV file has to be the header row: MAC address, IP association, IP address.
2. The remaining rows are values corresponding to the header fields.
3. Blank rows will be ignored.
4. An error message is displayed only for invalid rows.
5. Format of values:
• Compulsory fields: MAC address and IP association.
• Optional fields: IP address.
• IP association must be Static or DHCP or None.
• For Static IP association, IP address must be available.
• For None/DHCP type of IP association, IP address is not required.
• Rows with an invalid MAC address, IP address or IP association are discarded.
• Use commas to insert multiple static IP addresses.
1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Import under the Spoof Protection Trusted MAC section to import a CSV file.
2. Browse to the trusted MAC address file.
Trusted MAC Address File
To choose a CSV file, click the file selection button against Trusted MAC Address File.
3. Click Upload File to upload CSV file.
Figure 140: Import Trusted MAC Address CSV File
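Validating the file before uploading it avoids a round of rejected rows. The following added example (not Sophos code) applies the format rules listed above to a constructed CSV: it requires the header row, ignores blank rows, requires MAC address and IP association, accepts only Static, DHCP or None, insists on an IP address for Static entries and reports an error only for the invalid rows. One assumption beyond the page: a cell holding several comma-separated static IPs is enclosed in double quotes so that the commas survive CSV parsing.

```python
import csv
import io
import ipaddress
import re

HEADER = ["MAC address", "IP association", "IP address"]
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")   # assumed MAC format
ASSOCIATIONS = {"static": "Static", "dhcp": "DHCP", "none": "None"}

# Constructed sample file: four valid rows, one blank row, four invalid rows.
SAMPLE_CSV = """MAC address,IP association,IP address
00:11:22:33:44:55,Static,192.168.1.10

00:11:22:33:44:66,Static,"192.168.1.11,192.168.1.12"
00:11:22:33:44:77,DHCP,
00:11:22:33:44:88,None,
00:11:22:33:44:99,Static,
zz:11:22:33:44:55,Static,192.168.1.20
00:11:22:33:44:aa,Reserved,192.168.1.21
00:11:22:33:44:bb,Static,192.168.1.300
"""


def validate_row(row, lineno):
    """Return (entry, None) for a valid row or (None, error message) otherwise."""
    cells = [c.strip() for c in row] + [""] * (3 - len(row))
    mac, assoc, ips = cells[0], cells[1], cells[2]
    if not MAC_RE.match(mac):
        return None, f"row {lineno}: invalid MAC address {mac!r}"
    kind = ASSOCIATIONS.get(assoc.lower())
    if kind is None:
        return None, f"row {lineno}: invalid IP association {assoc!r} (Static, DHCP or None)"
    ip_list = [ip.strip() for ip in ips.split(",") if ip.strip()]
    if kind == "Static" and not ip_list:
        return None, f"row {lineno}: Static association requires an IP address"
    for ip in ip_list:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            return None, f"row {lineno}: invalid IP address {ip!r}"
    if kind != "Static":
        ip_list = []          # IP address is not required for DHCP/None; ignored if given
    return {"mac": mac.lower(), "association": kind, "ips": ip_list}, None


def parse_trusted_mac_csv(text):
    """Parse the file; returns (valid entries, error messages for invalid rows)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip().lower() for h in header] != [h.lower() for h in HEADER]:
        raise ValueError("first row must be the header: " + ", ".join(HEADER))
    entries, errors = [], []
    for lineno, row in enumerate(reader, start=2):
        if not any(cell.strip() for cell in row):
            continue                                  # blank rows are ignored
        entry, err = validate_row(row, lineno)
        (entries if entry else errors).append(entry if entry else err)
    return entries, errors


if __name__ == "__main__":
    ok, bad = parse_trusted_mac_csv(SAMPLE_CSV)
    print(f"{len(ok)} valid entries, {len(bad)} rejected rows")
    for msg in bad:
        print(" ", msg)
```

Row numbers in the error messages are physical line numbers of the file as long as no quoted cell spans several lines, which is enough to find and fix the offending entries before uploading.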
Create a DoS Bypass Rule
This page allows you to create a DoS bypass rule.
1. Go to Protect > Intrusion Prevention > DoS & Spoof Protection and click Add under the DoS Bypass Rule section.
2. Enter bypass rule details.
IP Family
Select the IP family of the traffic to be bypassed.
Source IP/Netmask (available only if selected IP Family is IPv4)
Specify the source IP/Netmask.
Specify * if you want to bypass entire network.
Destination IP/Netmask (available only if selected IP Family is IPv4)
Specify the destination IP/Netmask.
Specify * if you want to bypass entire network.
Source IP/Prefix (available only if selected IP Family is IPv6)
Specify the source IP/prefix.
Specify * if you want to bypass entire network.
Destination IP/Prefix (available only if selected IP Family is IPv6)
Specify the destination IP/prefix.
Specify * if you want to bypass entire network.
Protocol
Select the protocol whose traffic is to be bypassed if generated from the specified source to destination.
Available Options: TCP, UDP, ICMP, All Protocols
For example, if you select the TCP protocol, DoS rules will not be applied to TCP traffic from the specified source to the destination.
Source Port
Specify port number for the source.
Specify * if you want to bypass entire network.
Destination Port
Specify port number for the destination.
Specify * if you want to bypass entire network.
Figure 141: Add DoS Bypass Rule
3. Click Save.
Key Features
- Firewall rules
- Web filtering
- Intrusion prevention
- VPN
- Wireless management
- Email security
- Advanced threat protection