Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
| Protect | 183
The device offers comprehensive Email Security, preventing sophisticated forms of zero-hour threats and blended attacks involving spam, botnets, phishing, spyware and more. The basic email protection configuration includes:
• creating policies to allow or deny email traffic to and from your Email Server
• applying Spam, Malware, Data and File protection to email traffic
• SPX encryption
• configuring an email threshold size for scanning
• specifying the action to be taken if a virus is detected
• blocking mails based on sender or recipient
• blocking mails with certain file types
SMTP Deployment Modes
SF can be deployed in two modes:
• Legacy Mode
• MTA Mode
Legacy Mode
In Legacy Mode, SF acts as a transparent proxy that scans emails for malware and spam, applies SPX Encryption and Data Protection. Refer to the following guides to see how SF can be configured to scan email traffic in Legacy Mode:
MTA Mode
In MTA Mode, SF acts as a Mail Transfer Agent. A Mail Transfer Agent (MTA) is a service that is responsible for receiving and routing emails to their specified destinations.
Deploy SF in MTA Mode when you want it to perform actual routing of emails, as compared to Legacy Mode where SF only forwards the email traffic as a proxy.
In MTA Mode, SF performs the following functions:
• Performs relaying and routing of emails. You can configure relaying of emails from Email > Relay Settings.
• Protects multiple Email Servers using SMTP Policies. From Email > Policies > SMTP Policies, you define the kind of protection you want to apply on each of your Email Domains.
• Displays email messages that are either waiting or failed to be delivered in the Email > Mail Spool.
• Displays logs for all the emails processed by the Device from Email > Mail Logs.
Policies
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This page allows configuration of SMTP Route and Scan Policies, SMTP Malware Scan Policies, SMTP Spam Scan Policies and POP-IMAP Scan Policies:
• SMTP Route and Scan Policies (MTA Mode)
• SMTP Malware Scan Policies (Legacy Mode)
• SMTP Spam Scan Policies (Legacy Mode)
• POP3-IMAP Scan Policies (MTA and Legacy Mode)
SMTP Route and Scan Policies
SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
The device allows you to create SMTP Route and Scan policies which can be used to protect multiple Domains on your internal Email Server(s). Using these policies, the device protects the server(s) from remote attacks and additionally provides powerful virus scanning, email encryption and email filtering services.
Click Add Policy and then SMTP Route & Scan to add a new policy. To update an existing policy, click the desired policy.
SMTP Malware Scan Policies
SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.
SMTP Malware Scan policies allow you to define action to be taken on emails if they are virus-infected or contain a protected attachment. Based on the action defined in rule, such emails can be delivered as they are, dropped, or cleaned and then delivered or quarantined.
A Malware Scan policy defines:
• whether to quarantine the email
• whether sender, receiver or administrator are to be notified
• whether to block the email containing a specified file type
• what action is to be taken if email is infected or contains a protected attachment: deliver as it is, drop, clean and then deliver
Note: You can also view the Quarantine from Protect > Email > SMTP Quarantine page.
A default SMTP Malware Scan policy named default-smtp-av is pre-configured in the device and applied to all SMTP traffic as soon as you subscribe to the Email Protection Module. We recommend that you create separate rules fine-tuned to your specific network requirements to minimize the possibility of threats.
Click Add Policy and then SMTP Malware Scan to add a new policy. To update an existing policy, click the desired policy.
SMTP Spam Scan and POP-IMAP Scan Policies
SMTP Spam Scan policies appear only when Legacy mode is enabled.
POP-IMAP Scan policy is available in both MTA and Legacy modes.
When you subscribe to the Email Protection Module, SMTP Spam Scan and POP-IMAP Scan policies can be configured for particular senders and recipients.
A policy defines the action to be taken if an email is detected as Spam, Probable Spam, part of a Virus Outbreak or a Probable Virus Outbreak.
To reduce the risk of losing legitimate messages, the Spam Quarantine repository (a storage location) provides administrators with a way to automatically quarantine emails that are identified as spam. This helps in managing spam and probable spam quarantined mails so that the user can take appropriate actions on such emails.
A default POP-IMAP Scan policy named default-pop-av is pre-configured in the device and applied to all POP3/S and IMAP/S traffic so that whenever a virus gets detected in an email, the virus-affected attachment is stripped from the email and the email body is replaced with a notification message.
Detection of Spam attributes
The device uses Content Filtering, and premium and standard Realtime Blackhole Lists (RBLs) to check for the spam attributes in SMTP/S, POP3/S and IMAP/S emails:
• Premium
• Standard
RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam, that is, owners who are responsible for spam or are hijacked for spam relay. The device checks each RBL for the connecting IP Address. If the IP Address matches one on the list, then the specified action in the policy is taken.
Add SMTP Route and Scan Policy
SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
SMTP route and scan policy allows you to protect emails from spam and malware, to SPX-encrypt emails and to provide data and file protection.
1. Go to Protect > Email > Policies and click Add Policy. Click SMTP Route & Scan.
2. Enter the Name.
3. Enter the Domains and Routing Target details.
Protected Domain
Select the domains. The policy applies to emails to and from the selected domains. To add a new domain, click Create New.
Emails received by users of the protected domains are Inbound Emails.
Emails sent out by users of the protected domains are Outbound Emails.
Emails sent among users of protected domains are Internal Emails.
Route By
Select the email server to forward the emails to. Select from the following server types:
Available Options:
Static Host: From the Host List, select the static IP addresses of the internal email servers. If the first host in the selected list is not reachable, the device forwards emails to the next host until it reaches the end of the list. To create a new host, click Create.
MX: Select to route emails based on MX records.
Global Action
Select the action.
Accept: Accepts all emails to the specified domains. You can apply SPX encryption on outbound emails by selecting the SPX Template from the drop-down list.
Reject: Rejects all emails to the specified domains. The sender is notified.
Figure 185: Domains and Routing Target
4. Turn on Spam Protection.
You can enable protection for inbound and outbound spam, virus outbreak and blacklisted sender IP addresses through RBLs. Select the action to be applied to spam and probable spam emails.
Available Actions:
• None
• Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.
• Quarantine
• Drop: Drops the email without sending a notification to the sender.
Default: Drop
Figure 186: Spam Protection
5. Turn on Malware Protection.
Scanning
Select the scanning action.
Available Actions:
Disable: Emails are not scanned.
Enable: Emails are scanned by the device's anti-virus engine.
Note:
In Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models, Enable is replaced by the following options.
Single Anti-Virus: The primary anti-virus engine scans the emails.
Dual Anti-Virus: The primary and secondary engines scan emails sequentially.
Select the Primary Anti-Virus Engine from Protect > Email > General Settings > Malware Protection.
Detect zero-day threats with Sandstorm (Sandstorm Module required)
Enable to send emails for Sandstorm analysis. Emails found clean by Sandstorm will be delivered to the recipient(s) while selected action will be applied on those found malicious.
Note: Sandstorm cannot be used with Single Anti-Virus scanning if Avira is the Primary Anti-Virus Engine. You can change the engine from Protect > General Settings > Malware Protection or Configure > Configure > System Services > Malware Protection.
Scanned File Size (available if Detect zero-day threats with Sandstorm is enabled)
Enter the size of files that can be analyzed by Sandstorm. Files with size greater than that will not be analyzed.
Anti-virus Action
Select the action to be taken against malicious emails.
Available Actions:
• None
• Warn: Delivers the email to the recipient after adding a prefix to the subject. Specify the prefix in Prefix Subject.
• Quarantine
• Drop: Drops the email without sending a notification to the sender.
Notify Sender
Select to notify the sender about the infected email.
Quarantine unscannable content
Select to quarantine emails that could not be scanned. These include corrupt, encrypted, compressed files, oversized emails, and emails not scanned due to an internal error.
Figure 187: Malware Protection
6. Turn on File Protection to filter specific attachments.
Block File Types
Select the type of attachments you want to block. The corresponding MIME headers populate the MIME Whitelist.
To select more than one file type, press Ctrl+Shift.
The device contains a default list of file types with the relevant file extensions.
Refer to Email > ... > File Type to view the list of file extensions.
Select All to block emails with an attachment.
Select None to allow emails with an attachment.
MIME White List
Select the MIME headers to be allowed during the malware scan. Unselected headers are blocked.
Drop Message Greater Than
Enter the maximum file size (in KB) to be scanned by the device. Larger emails are dropped.
Default: 51200 KB
Figure 188: File Protection
7. Turn on Data Protection. (applicable only to outbound emails)
Data Control List
Select the list to be applied to scan emails for sensitive information.
Data Control Lists (DCL) can be created from the pre-configured Sophos Content Control List (CCL), which provides common financial and personally identifiable data types, like credit card numbers, social security numbers, postal addresses, or email addresses.
You can create a list from Protect > Email > Data Control List.
Data Control List Action
Select the action to be taken against emails containing sensitive information.
Available Actions:
Accept: Accepts the email and delivers it to the recipient.
Accept with SPX: Accepts and SPX-encrypts the email before delivering it to the recipient. Select the SPX Template to be applied to the email. You can create SPX Templates from Email > Encryption.
Drop: Drops the email without sending a notification to the sender.
Notify Sender
Select to notify the sender that the email contains sensitive information.
Figure 189: Data Protection
Add POP-IMAP Scan Policy
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Add a POP-IMAP scan policy to detect incoming and outgoing spam in POP/S and IMAP/S traffic.
1. Go to Protect > Email > Policies and click POP-IMAP Scan.
2. Enter a Name for the policy.
3. Enter email address or domain group details.
Sender
To specify the sender email addresses, select from the following options:
Contains: Specify the keywords to be matched with the senders' email addresses. Example: If you specify the keyword 'mail', the rule applies to senders' email addresses such as [email protected], [email protected].
Equals: Specify the senders' exact email addresses.
To add a list of keywords or email addresses, click Create New.
Recipient
To specify the recipient email addresses select from the following options:
Contains: Specify the keywords to be matched with the recipient email addresses. Example: If you specify the keyword 'mail', the rule applies to recipient email addresses such as [email protected], [email protected].
Equals: Specify the recipients' exact email addresses.
To add a list of keywords or email addresses, click Create New.
Figure 190: Email Address/Domain Group
4. Select from the following Filter Criteria based on which the specified action is to be taken:
Inbound Email is
Select from the following options:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak
Source IP/Network Address
Sender's IP address matches the specified IP address.
Message Size
Sender's email size matches the specified restriction of message size.
Message Header
Select from the following message headers to match the specified keyword:
• Subject
• From
• To
• Other
Select the type of keyword match from the following options:
Contains: Specify the keywords to be matched with the message header.
Equals: Specify the exact match to the actual headers.
None
Select to create a policy between specific senders and recipients without imposing any other condition.
Figure 191: Filter Criteria
5. Select the action.
Action
Action to be taken from the following options:
Available Options:
Accept: Email is accepted and delivered to the intended recipient.
Prefix Subject: Email is accepted and delivered to the intended recipient after adding a prefix to the subject line. Specify the prefix in the To field. You can set the prefix to indicate the filter criteria.
Example:
Original subject line: Test mail
Tagged content: Probable Spam
Recipient receives email with the subject line: 'Probable Spam: Test mail'
6. Click Save.
Data Control List
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall
Models.
You can create a Data Control List of confidential data by selecting from the Content Control List (CCL). The device provides CCLs based on expert definitions for common financial and personally identifiable data types (example: credit card and social security numbers, postal and email addresses).
Subsequently, you can use Data Control Lists to set Data Protection for emails.
Add a Data Control List
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM Models.
Add Data Control List allows you to create a list of confidential data types. The device provides Content Control
Lists (CCL) based on expert definitions for common financial and personally identifiable data types.
1. Go to Protect > Email > Data Control List and click Add.
2. Enter the name.
3. Select the CCLs (Content Control List) from the list. Filter the CCLs based on Type and Region.
Figure 192: Data Control List
4. Click Save.
SMTP Quarantine
SMTP Quarantine is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
The SMTP Quarantine allows you to filter the quarantined emails. The page displays all the emails quarantined by the device if they are found to be:
• from a blocked Source IP Address
• destined to a blocked Destination IP Address
• virus-infected
• oversized
• containing a blocked header
• containing unscannable content or a protected attachment
• blocked by an RBL
• blocked by Data Protection (DP)
• spam
• found malicious by Sandstorm
• quarantined for any other reason
Use the filter to search for mails from the list of quarantined emails.
The filter result displays a list of all the quarantined emails based on the filter criteria.
Total utilization displays the percentage of the quarantine area used by quarantined emails. Once the quarantine repository is full, older emails are purged.
Quarantine Digest
The Quarantine Digest is an email containing a list of quarantined emails filtered by the device and held in the user's quarantine area. If configured, the user receives a Quarantine Digest as per the frequency set in Email > Quarantine Digest. The digest also provides a link to the User Portal from where the user can access quarantined emails and take the required action.
Releasing Quarantined Email
Either the Administrator or the user can release quarantined Emails. The Administrator releases quarantined Emails from the Quarantine Area, while the user releases them from the User Portal. Released quarantined Emails are delivered to the intended recipient's inbox. The Administrator can access the Quarantine Area from Email > SMTP Quarantine, while the user can log on to the User Portal and access the Quarantine Area from SMTP Quarantine. If Quarantine Digest is configured, the user receives a Digest of the quarantined mails as per the configured frequency.
Note:
• Virus-infected emails and the emails found malicious by Sandstorm cannot be released.
• To delete Sandstorm related emails, you need Read-Write permission for Sandstorm Activity.
Figure 193: SMTP Quarantine
Mail Spool
Mail Spool appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Mail Spool displays emails that are waiting to be delivered. You can delete or retry sending these emails. This page does not display discarded emails.
1. Specify the filter criteria.
2. You can delete or retry sending the filtered emails.
Note:
• To delete or retry sending Sandstorm-related emails, you need Read-Write permission for Sandstorm Activity.
• The device retries sending emails for three days. At the end of an additional four days, it discards the emails. You can view the discarded emails from Mail Logs.
Mail Logs
Mail Logs appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Mail Logs allows you to view and filter email logs.
1. Specify the filter criteria.
2. Specify the criteria for Result Filter to display logs based on delivery status.
3. Specify the criteria for Reason Filter to display logs based on the scan result.
4. Click Filter.
Figure 194: Mail Logs
Encryption
SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
What is SPX Encryption?
SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the Device are converted to a PDF document, which is then encrypted with a password. You can configure the Device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.
When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:
• The user can download the Sophos Outlook Add-in from the User Portal. After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to click the Encrypt button and then write and send the message.
Note: If you do not use Outlook, you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to "yes".
• In the Data Protection feature, you can enforce SPX encryption of Emails containing sensitive data (see Email > Policies > SMTP Policy).
The encrypted message is then sent to the recipient's mail server. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, Blackberry and Windows Mobile devices.
The SPX-encrypted email contains a Reply button which links to the SPX Reply Portal. Using the SPX Reply Portal, the recipient is able to answer to the email in a secure way.
SPX Configuration
Default SPX Template
Select the SPX Template to be used by default. The Default Template is used if any user explicitly SPX-encrypts an email and no template is selected in the Content Scanning Rule.
The user can SPX-encrypt an Email by:
• Manually setting the Email header X-Sophos-SPX-Encrypt to "yes".
• Installing the Sophos Outlook Add-on and clicking Encrypt before sending the Email.
If the Default SPX Template is set to None, then SPX encryption is not applied to Email.
Allow Secure Reply for
Enter the maximum time (in days) in which recipient can securely reply to an SPX-encrypted email using the SPX Reply Portal.
Keep Unused Password for
Enter the expiry time in days of an unused password.
For example, if Keep Unused Password for is set to 3 days, the password will expire at 0 o'clock 3 days after being generated if no SPX encrypted message has been sent for a specific recipient.
Default: 30 days
Allow Password Registration for
Enter the time in days after which the link to Password Registration Portal expires.
Default: 10 days
Send Error Notification To
Specify whom to send a notification when an SPX error occurs. You can send the notification to the sender or you can send no notification at all. Error messages will always be listed in the SMTP log.
Figure 195: SPX Configuration
SPX Portal Settings
Host Name
Enter the IP Address or Domain on which the Password Registration Portal is hosted.
Allowed Network(s)
Enter the networks from which password registration requests will be accepted.
Port
Enter the port on which the SPX Password Registration Portal should listen.
Default: 8094
Figure 196: SPX Portal Settings
SPX Password Reset
Reset Password for
Enter the Email Address for the recipient for whom you want to reset the password. New SPX email to this address requires the recipient to obtain a new password from the sender.
Figure 197: Password Reset
SPX Templates
The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.
Figure 198: SPX Templates
Add SPX Templates
SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This page allows you to define new SPX Templates or modify existing templates.
1. Go to Protect > Email > Encryption > SPX Templates and click Add.
2. Enter parameter values for the following basic settings.
Name
Specify the name to uniquely identify the template. The name should be a string containing alphanumeric and special characters EXCEPT forward slash (/), backslash (\), comma (,), double quote (") and single quote (').
Description
Specify details of the template.
Organization Name
Specify the organization name to be displayed on notifications concerning SPX sent to the administrator or the email sender, depending on your settings.
PDF Encryption
Select the encryption standard of the PDF file.
Page Size
Select the page size of the PDF file.
Figure 199: General Settings
3. Enter Password Settings.
Password Type
Select how you want to generate the password for accessing the encrypted email message. The sender always has to take care of transferring the password in a safe way to the recipient, unless you select Specified by recipient.
Available Options:
Specified by Sender:
If you select this, the email sender should provide the password. The sender has to enter the password into the Subject field, using the following format:
[secure:<password>]<subject text> where <password> is the password to open the encrypted PDF file and <subject text> is the random subject. Of course, the password will be removed by the Device before the email is sent to the recipient.
Generated one-time password for every email:
The Device automatically creates a new password for each affected email. An email notification is mailed to the sender containing instructions and the one-time generated password.
The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.
Generated and stored for recipient:
The Device automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a configured time period, and it can be reset by the administrator; see SPX Password Reset.
The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.
Specified by recipient:
If you select this, the email recipient should provide the password. The recipient receives an email notification containing a link leading to the Password Registration Portal to register a password and the Sender receives a failure notification. After registration, the recipient is able to view the current encrypted mail and any future encrypted mails using the same password from this or other senders from the same organization.
Note: The recipient's password generated via the Specified by recipient method and the Generated and stored for recipient method are mutually exclusive. The recipient will have to use the respective password when email is received after SPX Encryption using different methods.
Figure 200: Password Settings
4. Specify Recipient Instructions:
Instructions for Recipient
The body of the email that is sent from the Device to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%
Tip: The Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions. The variables used are:
• ENVELOPE_TO: The recipient for whom the password is generated.
• PASSWORD: The password to open SPX encrypted Email
• ORGANIZATION_NAME: The name provided in the Organization Name field.
• SENDER: The sender of the email.
• REG_LINK: The link to the Registration Portal for registering the password.
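To show how the two SPX triggers described above (the X-Sophos-SPX-Encrypt header and the Specified by Sender subject tag `[secure:<password>]<subject text>`) and the %%VARIABLE%% placeholders of the recipient instructions fit together, here is an added example in Python. It is not Sophos code and does not reproduce the appliance's own behaviour; the message contents are constructed, and the HTML-escaping of variable values is an assumption about how a gateway should treat sender-controlled text.

```python
import html
import re
from email.message import EmailMessage

# "Specified by Sender" convention from the Password Settings step:
# [secure:<password>]<subject text>. The password is captured and removed so it
# never leaves the gateway inside the delivered Subject.
SECURE_TAG = re.compile(r"^\s*\[secure:(?P<password>[^\]]+)\]\s*(?P<subject>.*)$", re.DOTALL)

# Variables the guide lists for the recipient-instruction body (%%NAME%% form).
TEMPLATE_VARIABLE = re.compile(r"%%(ENVELOPE_TO|PASSWORD|ORGANIZATION_NAME|SENDER|REG_LINK)%%")


def make_message(subject, sender="alice@example.com", spx_header=None):
    """Build a constructed test message, optionally with the SPX trigger header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "bob@example.net"
    msg["Subject"] = subject
    if spx_header is not None:
        msg["X-Sophos-SPX-Encrypt"] = spx_header
    msg.set_content("Figures attached.")
    return msg


def spx_trigger(msg):
    """Decide whether a message should be SPX-encrypted and how.

    Returns (triggered, password, clean_subject). The subject tag wins when present;
    otherwise the X-Sophos-SPX-Encrypt: yes header (set by the Outlook add-in or by
    hand) triggers encryption with a gateway-managed password (password is None).
    """
    subject = str(msg.get("Subject", ""))
    tag = SECURE_TAG.match(subject)
    if tag:
        return True, tag.group("password"), tag.group("subject")
    header_flag = str(msg.get("X-Sophos-SPX-Encrypt", "")).strip().lower() == "yes"
    return header_flag, None, subject


def strip_sender_password(msg):
    """Rewrite the Subject in place so the sender-chosen password is not delivered.

    Returns (triggered, password); password is None unless the subject tag was used.
    """
    triggered, password, clean_subject = spx_trigger(msg)
    if password is not None:
        del msg["Subject"]
        msg["Subject"] = clean_subject
    return triggered, password


def render_recipient_instructions(template, values):
    """Substitute the %%VARIABLE%% placeholders of a recipient-instruction template.

    Every placeholder used by the template must be supplied. Values are HTML-escaped
    (an assumption of this example): the template may contain simple HTML, and a
    sender address or organization name must not be able to inject markup.
    """
    missing = set(TEMPLATE_VARIABLE.findall(template)) - set(values)
    if missing:
        raise KeyError(f"template variables without a value: {sorted(missing)}")
    return TEMPLATE_VARIABLE.sub(lambda m: html.escape(values[m.group(1)]), template)


def demo():
    """Constructed sample: sender-specified password carried in the Subject."""
    msg = make_message("[secure:Tr0ub4dor-3] Quarterly figures")
    triggered, password = strip_sender_password(msg)
    notice = render_recipient_instructions(
        "<p>%%SENDER%% from %%ORGANIZATION_NAME%% sent you an encrypted PDF. "
        "Password: %%PASSWORD%%</p>",
        {"SENDER": str(msg["From"]), "ORGANIZATION_NAME": "Example & Co",
         "PASSWORD": password},
    )
    return triggered, password, str(msg["Subject"]), notice
```
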
Figure 201: Recipient Instructions
5. Enable SPX Portal Settings
Enable SPX Reply Portal
Click to enable users to securely reply to SPX-encrypted emails using the SPX Reply Portal. You also have the option to Include Original Body into Reply.
Figure 202: SPX Portal Settings
General Settings
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Email Configuration allows you to configure the general settings for Email traffic. This page contains the following sections.
SMTP Deployment Mode
MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
Click the button to switch between MTA Mode and Legacy Mode.
In MTA Mode, Device acts as a Mail Transfer Agent (MTA). In Legacy Mode, Device acts as a transparent proxy.
When acting as an MTA, Device is responsible for routing Emails to and from the protected Email Server(s). In this state Device allows you to:
• configure relay of inbound and outbound Emails from Email > Relay Settings.
• set up multiple SMTP Profiles to protect multiple Domains on your internal Email Server or multiple Email Servers from Email > Policies > SMTP Policies.
• view email messages that are either waiting for delivery or have produced an error in the Email > Mail Spool.
• view the logs for all the emails processed by the Device from Email > Mail Logs.
Default: MTA Mode is enabled.
Note:
• On enabling MTA Mode, a firewall rule to allow SMTP/SMTPS traffic is automatically created.
• If you have migrated from CyberoamOS to SFOSv16 OR SFOSv15 to SFOSv16, Legacy Mode will be enabled by default.
Figure 203: SMTP Deployment Mode
Banner Settings
Append Banner to All Outbound Messages
Enable to add a banner at the end of all outgoing Email messages.
The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).
Email Banner
Specify a banner to be added to all outgoing Emails. Only text banners are allowed.
Example:
This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.
Figure 204: Banner Settings
SMTP Settings
SMTP Hostname
Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, the Device uses 'Sophos' as the hostname.
Note: For Legacy Mode, this hostname is applicable only to system-generated notification emails.
Don't Scan Emails Greater Than
Specify maximum file size (in KB) for scanning. Files exceeding this size received through SMTP/S will not be scanned.
Default - 1024 KB
Specify 0 to increase the default file size scanning restriction to 51200 KB.
Action for Oversize Email
Specify the action for Oversize Emails.
Available Options
Accept: All the oversize mails are forwarded to the recipient without scanning.
Reject: All the oversize mails are rejected and the sender is notified.
Drop: All the oversized mails are dropped, without notifying the sender.
Bypass Spam Check for SMTP/S Authenticated Connections (Available in Legacy Mode only)
Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.
Verify Sender's IP Reputation
Click to verify the reputation of the sender IP Address. When enabled, the Device dynamically checks the sender's IP Address of all Emails. If the IP Address is found to be responsible for sending spam email or malicious contents, the Device takes action as per the configured Scanning Rules.
If enabled, specify an action for Confirmed Spam Emails and Probable Spam Emails.
Available Options
• Accept: All the spam Emails are forwarded to the recipient after scanning as per the configuration.
• Reject: All the spam mails are rejected and a notification is sent to the Email sender.
• Drop: All the spam mails are dropped, without notifying the sender.
As this is a global option, if spam scanning is enabled, all mails are first subjected to IP Reputation filtering and then to filtering based on the actions configured in the spam policy.
Default - Disable
SMTP DoS Settings
Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.
If this is enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connections Rate per Second/Host.
Maximum Connections (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections that can be established with the Email Server.
Default - 1024
Acceptable Range - 1 - 20000
Maximum Connections/Host (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections allowed to the Email Server from a particular host.
Default - 64
Acceptable Range - 1 - 10000
Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)
Specify maximum number of Emails that can be sent in a single connection.
Default - 512
Acceptable Range - 1 - 1000
Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)
Specify the maximum number of recipients for a single Email.
Default - 100
Acceptable Range - 1 - 256
Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)
Specify number of Emails to be sent from a particular host in one minute.
Default - 512
Acceptable Range - 1 - 20000
Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)
Specify number of connections allowed to the Email Server from a particular host in one second.
Default - 8
Acceptable Range - 1 - 20000
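The six SMTP DoS limits above interact: some are hard caps on concurrent state (connections, recipients), others are sliding-window rates per host. The following Python model is an added example, not code from this guide or from Sophos; it uses the default values listed in this section, and the source addresses and timestamps in `demo()` are constructed.

```python
"""Sliding-window model of the SMTP DoS limits (added example, not Sophos code)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Defaults taken from the SMTP DoS Settings section of this guide.
DEFAULT_LIMITS = {
    "max_connections": 1024,
    "max_connections_per_host": 64,
    "max_emails_per_connection": 512,
    "max_recipients_per_email": 100,
    "email_rate_per_minute_per_host": 512,
    "connection_rate_per_second_per_host": 8,
}


@dataclass
class _Conn:
    host: str
    emails_sent: int = 0


class SmtpDosLimiter:
    """Tracks connections and emails per source host and answers allow/deny."""

    def __init__(self, limits=None):
        self.limits = {**DEFAULT_LIMITS, **(limits or {})}
        self._conns = {}                        # conn_id -> _Conn
        self._next_id = 0
        self._conn_times = defaultdict(deque)   # host -> timestamps of recent connects
        self._mail_times = defaultdict(deque)   # host -> timestamps of recent emails

    @staticmethod
    def _prune(window, now, span):
        """Drop timestamps older than `span` seconds from a sliding window."""
        while window and now - window[0] >= span:
            window.popleft()

    def open_connection(self, host, now):
        """Return (conn_id, reason); conn_id is None when the connection is refused."""
        if len(self._conns) >= self.limits["max_connections"]:
            return None, "max_connections"
        per_host = sum(1 for c in self._conns.values() if c.host == host)
        if per_host >= self.limits["max_connections_per_host"]:
            return None, "max_connections_per_host"
        window = self._conn_times[host]
        self._prune(window, now, 1.0)
        if len(window) >= self.limits["connection_rate_per_second_per_host"]:
            return None, "connection_rate_per_second_per_host"
        window.append(now)
        conn_id = self._next_id
        self._next_id += 1
        self._conns[conn_id] = _Conn(host)
        return conn_id, "ok"

    def close_connection(self, conn_id):
        self._conns.pop(conn_id, None)

    def send_email(self, conn_id, recipients, now):
        """Return (accepted, reason) for one message on an open connection."""
        conn = self._conns.get(conn_id)
        if conn is None:
            return False, "no_such_connection"
        if recipients > self.limits["max_recipients_per_email"]:
            return False, "max_recipients_per_email"
        if conn.emails_sent >= self.limits["max_emails_per_connection"]:
            return False, "max_emails_per_connection"
        window = self._mail_times[conn.host]
        self._prune(window, now, 60.0)
        if len(window) >= self.limits["email_rate_per_minute_per_host"]:
            return False, "email_rate_per_minute_per_host"
        window.append(now)
        conn.emails_sent += 1
        return True, "ok"


def demo():
    """Constructed burst: one host opens 9 connections within a second, then sends a 150-recipient email."""
    lim = SmtpDosLimiter()
    results = [lim.open_connection("203.0.113.10", 100.0 + i * 0.01)[1] for i in range(9)]
    conn, _ = lim.open_connection("203.0.113.10", 101.5)   # a second later, the window has cleared
    big = lim.send_email(conn, 150, 101.6)
    return results, big
```

With the defaults, the ninth connection inside one second is refused by the per-second rate limit, while the same host is admitted again once the window has moved on; the 150-recipient message is refused by Maximum Recipients/Email regardless of rate.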
Figure 205: SMTP Settings
POP/S and IMAP/S Settings
Don't Scan Emails Greater Than
Specify the maximum file size (in KB) for scanning. Files exceeding this size received through POP/IMAP will not be scanned.
Default - 1024 KB
Specify 0 to increase the default file size restriction to 10240 KB.
Recipient Headers
Specify Header value to detect recipient for POP3/IMAP.
Default - Delivered-To, Received, X-RCPT-TO
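POP3 and IMAP sessions carry no SMTP envelope, so the recipient has to be recovered from message headers, walking the configured list in order. The parser below is an added example, not code from this guide or from Sophos; it reads the three default headers in the order listed above (taking the `for <addr>` clause from `Received:`), and the sample message is constructed.

```python
"""Recipient detection for POP3/IMAP messages (added example, not Sophos code)."""
import re
from email import message_from_string
from email.utils import getaddresses

# Default header order from the POP/S and IMAP/S Settings section.
DEFAULT_RECIPIENT_HEADERS = ("Delivered-To", "Received", "X-RCPT-TO")

# In a Received: header the envelope recipient appears in a "for <addr>" clause.
_RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def detect_recipient(raw_message, headers=DEFAULT_RECIPIENT_HEADERS):
    """Return the first recipient address found by walking the configured headers in order."""
    msg = message_from_string(raw_message)
    for name in headers:
        for value in msg.get_all(name, []):
            if name.lower() == "received":
                m = _RECEIVED_FOR.search(value)
                if m:
                    return m.group(1).lower()
            else:
                addrs = [addr for _, addr in getaddresses([value]) if addr]
                if addrs:
                    return addrs[0].lower()
    return None


# Constructed sample: no Delivered-To header, so the recipient must come from Received.
SAMPLE_RECEIVED_ONLY = "\n".join([
    "Received: from mail.example.net (mail.example.net [198.51.100.7])",
    "\tby mx.example.org with ESMTP id abc123",
    "\tfor <alice@example.org>; Mon, 01 Jan 2024 10:00:00 +0000",
    "X-RCPT-TO: <bob@example.org>",
    "From: sender@example.net",
    "Subject: test",
    "",
    "body",
])
```

Because the list is ordered, a message carrying both a `Received: ... for <alice@...>` clause and an `X-RCPT-TO:` header resolves to `alice@example.org`; reconfiguring the header list to only `X-RCPT-TO` changes the answer, which is why the order matters for per-recipient policies.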
Figure 206: POP/S and IMAP/S Settings
SMTP TLS Configuration
TLS Certificate
Select the CA Certificate or Server Certificate for scanning SMTP traffic over SSL from the available options.
Available Options
• Default
• ApplianceCertificate
• SecurityAppliance_SSL_CA
• List of custom CA Certificates and Server Certificates, if added. You can create a custom CA Certificate from Certificates > Certificate Authorities and a custom Server Certificate from Certificates > Certificates.
Allow Invalid Certificate
If enabled, SMTP over SSL connections will be allowed with an invalid certificate from the Email Server. Disable this option to reject such connections.
Default - Enable
Require TLS Negotiation with Host/Net
Select the remote host (Email Server) or network from the available options on whose connections TLS encryption is to be enforced. In other words, the Device will always initiate TLS-secured connections when Emails are to be sent to the selected hosts/networks. If TLS is enforced but a connection cannot be established, Emails to that remote host/network are discarded.
Require TLS Negotiation with Sender Domain
Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.
Sender Domain is the domain of the Email sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.
Skip TLS Negotiation Hosts/Nets
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to selected hosts will be established in clear text and unencrypted.
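The three TLS options above (require by host/net, require by sender domain, skip by host/net) combine into one per-delivery decision. The Python model below is an added example, not code from this guide or from Sophos. The guide does not state what happens when a host matches both a require list and the skip list; the model assumes the require match wins, and the networks and domains in the test are constructed.

```python
"""Decision logic for SMTP TLS enforcement (added example, not Sophos code)."""
import ipaddress

REQUIRE_TLS = "require_tls"      # Require TLS Negotiation with Host/Net or Sender Domain
SKIP_TLS = "skip_tls"            # Skip TLS Negotiation Hosts/Nets
OPPORTUNISTIC = "opportunistic"  # no rule: use TLS if the peer offers it, else clear text


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def _domain_matches(sender, domains):
    """Exact or subdomain match on the sender address's domain, case-insensitive."""
    if not sender or "@" not in sender:
        return False
    dom = sender.rsplit("@", 1)[1].lower()
    return any(dom == d.lower() or dom.endswith("." + d.lower()) for d in domains)


class SmtpTlsPolicy:
    def __init__(self, require_hosts=(), require_sender_domains=(), skip_hosts=()):
        self.require_hosts = [ipaddress.ip_network(n) for n in require_hosts]
        self.require_sender_domains = list(require_sender_domains)
        self.skip_hosts = [ipaddress.ip_network(n) for n in skip_hosts]

    def mode(self, peer_ip, sender):
        # Assumption: an explicit "require" match takes precedence over a "skip" match;
        # the guide does not state the precedence, so this is the conservative reading.
        if _in_any(peer_ip, self.require_hosts) or _domain_matches(sender, self.require_sender_domains):
            return REQUIRE_TLS
        if _in_any(peer_ip, self.skip_hosts):
            return SKIP_TLS
        return OPPORTUNISTIC

    def decide(self, peer_ip, sender, peer_offers_starttls):
        """Return (action, transport): action is 'deliver' or 'discard'."""
        m = self.mode(peer_ip, sender)
        if m == SKIP_TLS:
            return "deliver", "cleartext"   # skipped hosts are always spoken to in clear text
        if peer_offers_starttls:
            return "deliver", "tls"
        # TLS enforced but the session cannot be established: discard, as the guide describes.
        if m == REQUIRE_TLS:
            return "discard", None
        return "deliver", "cleartext"
```

The important operational consequence is the `discard` branch: a required peer that stops offering STARTTLS (misconfiguration, expired certificate, a downgrade in the path) silently loses mail, so that outcome is worth logging and alerting on rather than treating as normal delivery failure.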
Figure 207: SMTP TLS Configuration
POP and IMAP TLS Configuration
TLS Certificate
Select the CA for scanning POP and IMAP traffic over SSL from the available options.
Available Options
• Default
• SecurityAppliance_SSL_CA
• List of custom CAs, if added. You can create a custom CA from Certificates > Certificate Authorities.
Allow Invalid Certificate
If enabled, POP and IMAP over SSL connections will be allowed with an invalid certificate from the Mail Server. Disable to reject such connections.
Default - Enable
Figure 208: POP and IMAP TLS Configuration
Email Journaling (Available in Legacy Mode only)
Email being one of the most important communication and business tools in use by organizations, email journaling has become an integral part of every organization.
Using the Device's Email Journaling, the administrator can store all incoming Emails, or Emails for a specific recipient or a group of recipients and thereby keep a close watch over data leakage.
The device can journal all Emails intended for single or multiple recipients and forward them to one or more administrators.
This section displays a list of the archivers created and provides options to add a new archiver, update the parameters of an existing archiver, or delete an archiver. You can filter the list based on recipient name.
Figure 209: Email Journaling
Spam Check Exceptions
To bypass spam scanning of certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.
It also provides the options to add a new domain and delete an existing domain.
Figure 210: Spam Check Exceptions
Malware Protection
Malware Protection is available in Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.
Sophos Firewall offers dual anti-virus scanning, wherein traffic is scanned by two (2) anti-virus engines. Traffic is first scanned by the primary engine, and then by the secondary engine.
Primary Anti Virus Engine
Select the primary anti-virus engine for traffic scanning. For dual scan, packets are first scanned by the primary engine and then by the secondary engine. For single scan, only the primary engine is used.
Available Options
• Sophos
• Avira
Note: Selecting Avira will disable Sandstorm in all SMTP Policies with Single Anti-Virus Scanning.
Figure 211: Malware Protection
Advanced SMTP Settings (Available in MTA Mode only)
Reject invalid HELO or missing RDNS
Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the found hostname does not resolve back to the original IP address.
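The two checks above are a HELO/EHLO syntax check and a forward-confirmed reverse DNS (FCrDNS) check, the strict variant adding the "resolves back" step. The Python below is an added example, not code from this guide or from Sophos; the PTR and A records are a constructed table standing in for live DNS, and `evaluate_host` is a hypothetical name.

```python
"""HELO validity and (strict) reverse-DNS checks (added example, not Sophos code)."""
import ipaddress
import re

# Constructed DNS data standing in for real PTR/A lookups.
PTR_RECORDS = {"198.51.100.7": "mail.example.net", "203.0.113.9": "bogus.example.org"}
A_RECORDS = {"mail.example.net": ["198.51.100.7"], "bogus.example.org": ["203.0.113.99"]}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def helo_is_valid(arg):
    """RFC 5321 allows an FQDN or a bracketed address literal as the HELO/EHLO argument."""
    if not arg:
        return False
    if arg.startswith("[") and arg.endswith("]"):
        try:
            ipaddress.ip_address(arg[1:-1].removeprefix("IPv6:"))
            return True
        except ValueError:
            return False
    return bool(_FQDN.match(arg)) and len(arg) <= 253


def rdns_status(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """'missing' (no PTR), 'invalid' (PTR name does not resolve back to ip) or 'ok'."""
    name = ptr.get(ip)
    if name is None:
        return "missing"
    return "ok" if ip in a.get(name, []) else "invalid"


def evaluate_host(ip, helo, strict_rdns=False):
    """Return 'accept' or 'reject:<reason>' for a connecting host, mirroring the two options."""
    if not helo_is_valid(helo):
        return "reject:invalid_helo"
    status = rdns_status(ip)
    if status == "missing":
        return "reject:missing_rdns"
    if strict_rdns and status == "invalid":
        return "reject:invalid_rdns"
    return "accept"
```

Note the difference the strict option makes: `203.0.113.9` has a PTR record, so the basic check passes, but the name it points to resolves to a different address, so only the strict check rejects it.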
Scan Outgoing Mails
Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.
Figure 212: Advanced SMTP Settings
Address Groups
Policies are applied to Email Addresses. To make configuration easier, the Administrator can group the addresses that require the same scanning policy. The policy applied to the address group applies to all of its members. When a group is used in a number of rules, it is much easier to add or remove addresses from the group than to update each rule individually: with a single update, the Administrator can re-align all the rules.
An Address Group is a grouping by:
• Email Address or Domain
• IP Address
• RBL (Real-time Blackhole List) (applicable only to spam email)
An address can be a member of multiple groups.
An RBL is a list of IP Addresses whose owners are responsible for spam or have been hijacked for a spam relay. These IP Addresses might also be used for spreading viruses. The Device checks each RBL for the connecting IP Address, and the action configured in the policy is taken if the IP Address is found in any of the RBL lists. The Administrator can directly use the two default RBL groups shipped with the Device or update them as per their requirement:
• Premium RBL Services
• Standard RBL Services
The Address Group page displays a list of all the default and custom groups and provides options to add a new group, update the parameters, import addresses in the existing group, or delete the group. You can sort the list based on address group name.
Add Address Group
1. Go to Protect > Email > Address Group and click Add.
2. Enter a name and description.
3. Group Type: Select to add email addresses or domains to the address group.
Available Options:
RBL (IPv4) or RBL (IPv6):
Select to add RBLs of IPv4 or IPv6 addresses or domain names.
If the connecting IP address is found on the RBL, the device takes the action specified by the relevant policy.
Email Address/Domain:
Select to add the email address or domain name.
Import: Select to upload a CSV or text file.
Manual: Select to add individual email addresses or domains.
Note:
• You can import a maximum of 400 email addresses or domains in a single file.
• Invalid and duplicate entries are not imported.
Figure 213: Address Group
4. Click Save.
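An RBL-type Address Group, as described above and in step 3 of the procedure, is checked by DNS: the connecting address is reversed (octets for IPv4, nibbles for IPv6), the RBL zone is appended, and a positive answer means the address is listed. The Python below is an added example, not code from this guide or from Sophos; the zone names `rbl-a.example` and `rbl-b.example` and the listing table are constructed placeholders, and `policy_action` is a hypothetical name.

```python
"""DNSBL (RBL) lookup as used by RBL-type Address Groups (added example, not Sophos code)."""
import ipaddress


def rbl_query_name(ip, zone):
    """Build the DNS name to query: reversed IPv4 octets or reversed IPv6 nibbles, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


# Constructed listing data standing in for live DNS: query name -> A record answer.
# Real DNSBLs answer with a 127.0.0.x address for listed hosts and NXDOMAIN otherwise.
LISTINGS = {
    "9.113.0.203.rbl-a.example": "127.0.0.2",
    "9.113.0.203.rbl-b.example": "127.0.0.4",
    rbl_query_name("2001:db8::1", "rbl-a.example"): "127.0.0.2",   # IPv6 host listed in one zone only
}


def resolve(name, table=LISTINGS):
    """Stub resolver: returns the A record for name, or None for NXDOMAIN."""
    return table.get(name)


class RblAddressGroup:
    """An RBL Address Group: a set of zones; a host matches if any zone lists it."""

    def __init__(self, name, zones):
        self.name = name
        self.zones = list(zones)

    def lookup(self, ip, resolver=resolve):
        """Return the zones that list ip (an empty list means not listed anywhere)."""
        return [z for z in self.zones if resolver(rbl_query_name(ip, z)) is not None]


def policy_action(ip, group, action="reject"):
    """Apply the group's configured action when the connecting IP is found on any RBL."""
    hits = group.lookup(ip)
    return (action if hits else "accept", hits)
```

Keeping the zones in a group rather than in each policy is exactly the point the Address Group section makes: adding or removing a zone in one place changes every rule that references the group.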
Relay Settings
Relay Settings appears only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
You can configure an SF Device to act as an email relay, allowing mail servers to send emails through it. You can specify the criteria for one or all parameters.
1. Specify the criteria for Host Based Relay to allow or block the specified hosts/networks from using the device as email relay.
a) To set Allow Relay from Hosts/Networks, select from the list.
Note: Do not select Any. This causes the device to act as an open relay server, allowing anyone on the Internet, including spammers, to send messages through the device.
b) To set Block Relay from Hosts/Networks, select from the list.
2. Specify the criteria for Upstream Host to select the upstream hosts/networks from which the device allows or blocks inbound emails.
a) To set Allow Relay from Hosts/Networks, select from the list. If all of your inbound emails are routed via an upstream filtering service or ISP, enter their IP addresses here. Select Any to accept emails directly from the sender.
b) To set Block Relay from Hosts/Networks, select from the list.
Note:
• For Allow Relay from Hosts/Networks, only emails that are destined to an internal domain are accepted.
• The device allows hosts/networks specified in the Allow list even when they are part of the Block list. This can happen when you select a group or network that they belong to, or 'Any' in the Block list.
3. Specify the Authenticated Relay Settings to allow only authenticated users and groups to use the device as email relay.
a) Select Enable Authenticated Relay.
b) Select the Users or Groups from the list.
4. Click Apply.
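The three relay criteria above (host-based relay, upstream hosts, authenticated relay) decide, per recipient, whether a message is delivered locally, relayed onward, or refused. The Python model below is an added example, not code from this guide or from Sophos. It encodes the two notes in the procedure (Allow entries win over Block entries; upstream Allow only accepts mail for internal domains) and the open-relay warning; the order in which the lists are consulted when several apply, and the rule that hosts allowed to relay may also submit mail to internal domains, are assumptions, and the networks, users and domains are constructed.

```python
"""Relay decision model for MTA-mode Relay Settings (added example, not Sophos code)."""
import ipaddress

ANY = "Any"
INTERNAL_DOMAINS = {"example.org"}   # constructed: domains the device delivers locally


def _match(ip, entries):
    """True if ip falls in any network in entries, or entries contains Any."""
    if ANY in entries:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e) for e in entries)


class RelaySettings:
    def __init__(self, allow_hosts=(), block_hosts=(), upstream_allow=(), upstream_block=(),
                 authenticated_relay=False, relay_users=(), internal_domains=INTERNAL_DOMAINS):
        self.allow_hosts = list(allow_hosts)          # Host Based Relay: Allow Relay from Hosts/Networks
        self.block_hosts = list(block_hosts)          # Host Based Relay: Block Relay from Hosts/Networks
        self.upstream_allow = list(upstream_allow)    # Upstream Host: Allow Relay from Hosts/Networks
        self.upstream_block = list(upstream_block)    # Upstream Host: Block Relay from Hosts/Networks
        self.authenticated_relay = authenticated_relay
        self.relay_users = set(relay_users)           # Authenticated Relay: Users or Groups
        self.internal_domains = set(internal_domains)

    def is_open_relay(self):
        """The guide's warning: Any in Allow Relay from Hosts/Networks makes the device an open relay."""
        return ANY in self.allow_hosts

    def decide(self, client_ip, recipient, user=None):
        """Return 'relay', 'deliver' or 'reject:<reason>' for one RCPT TO."""
        rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
        inbound = rcpt_domain in self.internal_domains
        authenticated = self.authenticated_relay and user is not None and user in self.relay_users
        if not inbound:
            # Relay request (external recipient): host-based and authenticated relay apply.
            if _match(client_ip, self.allow_hosts):
                return "relay"                      # Allow wins even if the host is also in Block
            if authenticated:
                return "relay"
            if _match(client_ip, self.block_hosts):
                return "reject:blocked_host"
            return "reject:relay_denied"
        # Inbound mail for an internal domain: Upstream Host criteria apply.
        if _match(client_ip, self.upstream_allow):
            return "deliver"                        # only internal destinations are accepted here
        if _match(client_ip, self.allow_hosts) or authenticated:
            return "deliver"                        # assumption: trusted relay clients may submit inbound mail
        if _match(client_ip, self.upstream_block):
            return "reject:blocked_upstream"
        return "reject:not_from_upstream"
```

A useful check on any saved configuration is `is_open_relay()`: it is the programmatic form of the note under step 1a, and it is the condition a reviewer would flag before the device is exposed to the Internet.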
File Types
A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.
Using File Types with Policy Rules
You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:
1. Allow access to SQL files
2. Block access to all database files
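The SQL-versus-database example above depends on rule order because evaluation stops at the first matching rule. The Python below is an added example, not code from this guide or from Sophos; the file-type definitions (extensions plus MIME types) and the policy are constructed, and `evaluate` is a hypothetical name.

```python
"""File-type classification and ordered policy evaluation (added example, not Sophos code)."""
import os

# Constructed file types: each is a set of extensions plus MIME types, as in Protect > Web > File Type.
FILE_TYPES = {
    "SQL Files": {"extensions": {"sql"}, "mime": {"application/sql"}},
    "Database Files": {
        "extensions": {"sql", "db", "mdb", "accdb", "sqlite"},
        "mime": {"application/sql", "application/x-sqlite3", "application/vnd.ms-access"},
    },
}


def matches_type(filename, mime_type, file_type):
    """A file matches a type if its extension or its MIME header is in the type's criteria."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    t = FILE_TYPES[file_type]
    return ext in t["extensions"] or (mime_type or "").lower() in t["mime"]


# Ordered rules: first match wins, so the narrower allow must precede the broader block.
POLICY = [("allow", "SQL Files"), ("block", "Database Files")]


def evaluate(filename, mime_type, policy=POLICY, default="allow"):
    """Walk the rules in order and return the action of the first matching file type."""
    for action, file_type in policy:
        if matches_type(filename, mime_type, file_type):
            return action
    return default
```

Swapping the two rules turns the policy into "block everything database-like, including SQL", which is the mistake the ordering note guards against; the test exercises both orders.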
Add File Type
1. Go to Protect > Web > File Type and click Add.
2. Type a name.
3. (Optional) Select a template.
You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.
4. Specify the file extension and MIME header.
Figure 214: Add File Type
Quarantine Digest
Quarantine Digest is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Quarantine Digest allows you to set the frequency at which the digest email is sent to the user. You can enable or disable user access to quarantined emails on the user portal. You can also enable quarantine digest for all users or to specific users and groups.
Quarantine Digest provides the date and time of message receipt, sender and recipient's email addresses and subject of the message.
Quarantine Digest Settings for All Users
1. Go to Protect > Email > Quarantine Digest.
2. Select Enable Quarantine Digest to email the digest to all users.
a. Set the Email Frequency of the digest. Set the interval, time, and day of week, based on the selection.
b. In the From Email Address box, enter the address from which the email is to be sent.
c. In the Display Name box, specify the name of the quarantine digest sender.
d. Click Send Test Email. Enter the To Email Address and click Send.
e. To set the IP address of the user portal, select the Reference User Portal IP from the list.
Note: Users located behind the selected port can click the "My Account" link in the digest email to gain access to quarantined emails on the user portal. Others can access the user portal by typing https://<IP Address of SF Device> in the browser.
Example: If Port1 is selected as the Reference User Portal IP, only users located behind Port1 will be redirected to the user portal when they click on "My Account".
3. Click Apply.
Override Quarantine Digest Settings for Specific Users
1. Go to Protect > Email > Quarantine Digest.
2. Click Change User's Quarantine Digest Settings, to apply the settings to specific users or groups.