Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

| Protect | 145

Note: This setting is applicable only when the ‘No Explicit Content’ web policy is set to ‘Block’.

Enforce additional image filters

Restrict image search results to images with a Creative Commons license.

HTTPS Decryption and Scanning

HTTPS Scanning Certificate Authority (CA)

Specify the certificate authority for securing scanned HTTPS connections.

Block unrecognized SSL protocols

Prevent traffic that avoids HTTPS scanning by using invalid SSL protocols.

Block invalid certificates

Connect only to sites with a valid certificate.

Advanced

Configure advanced web protection such as caching behavior and proxy settings.

Web Content Caching

Enable web content cache

Keep a copy of frequently visited sites to reduce bandwidth consumption and improve performance.

Always cache Sophos Endpoint updates

Keep a copy of Sophos Endpoint updates to improve performance on your network.

Note: If this option is disabled you may experience network congestion when many endpoints attempt to download updates from the Internet at the same time.

Web Proxy Configuration

The firewall intercepts traffic transparently and enforces web protection (for example, policies and malware scanning) when the web proxy service is enabled for a network zone. By default, the service is enabled for LAN and WiFi zones. In transparent mode, the firewall allows HTTP traffic on port 80 and HTTPS traffic on port 443 only.

However, you can also configure the firewall to act as a proxy for configured web browsers by specifying a web proxy listening port. Users who are behind the proxy must specify the LAN or WiFi address and port in the web proxy configuration settings of their browsers. (Refer to the browser documentation for details.)

Specify the web proxy listening port and allowed destination ports when you want the firewall to act as a web proxy for configured web browsers.

Note: IPS policy is applicable on the traffic between proxy and WAN, but not between user and proxy.

Note: Traffic shaping policy is not applicable on the direct proxy traffic.

Web Proxy Listening Port

Specify the port on which the web proxy will listen for HTTP connection requests.

Allowed Destination Ports

The firewall may receive requests to connect to remote servers using a non-standard port. Specify the ports on which the proxy will allow connection. (This setting applies only when the web proxy listening port is set.)

CAUTION: Allowing connection on non-standard ports may pose a security risk.