Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
| Protect | 209
3. Select the users or groups.
4. Click Apply.
Figure 215: Quarantine Digest
Legacy Mode
Policies
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This page allows configuration of SMTP Route and Scan Policies, SMTP Malware Scan Policies, SMTP Spam Scan
Policies and POP-IMAP Scan Policies:
• SMTP Route and Scan Policies (MTA Mode)
• SMTP Malware Scan Policies (Legacy Mode)
• SMTP Spam Scan Policies (Legacy Mode)
• POP3-IMAP Scan Policies (MTA and Legacy Mode)
SMTP Route and Scan Policies
SMTP Route and Scan policies appear only when MTA (Mail Transfer Agent) mode is enabled. MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
The device allows you to create SMTP Route and Scan policies, which can be used to protect multiple Domains on your internal Email Server(s). Using these policies, the device protects the server(s) from remote attacks and additionally provides virus scanning, email encryption and email filtering services.
Click Add Policy and then SMTP Route & Scan to add a new policy. To update an existing policy, click the desired policy.
SMTP Malware Scan Policies
SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.
SMTP Malware Scan policies allow you to define the action to be taken on emails that are virus-infected or contain a protected attachment. Based on the action defined in the rule, such emails can be delivered as they are, dropped, or cleaned and then delivered or quarantined.
A Malware Scan policy defines:
• whether to quarantine the email
• whether sender, receiver or administrator are to be notified
• whether to block the email containing a specified file type
• what action is to be taken if email is infected or contains a protected attachment: deliver as it is, drop, clean and then deliver
Note: You can also view the Quarantine from Protect > Email > SMTP Quarantine page.
A default SMTP Malware Scan policy named default-smtp-av is pre-configured in the device and applied to all SMTP traffic as soon as you subscribe to the Email Protection Module. We recommend that you create separate rules fine-tuned to your specific network requirements to minimize the possibility of threats.
Click Add Policy and then SMTP Malware Scan to add a new policy. To update an existing policy, click the desired policy.
SMTP Spam Scan and POP-IMAP Scan Policies
SMTP Spam Scan policies appear only when Legacy mode is enabled.
POP-IMAP Scan policy is available in both MTA and Legacy modes.
When you subscribe to the Email Protection Module, SMTP Spam Scan and POP-IMAP Scan policies can be configured for particular senders and recipients.
A policy defines the action to be taken if an email is detected as Spam, Probable Spam, part of a Virus Outbreak or Probable Virus Outbreak.
To reduce the risk of losing legitimate messages, the Spam Quarantine repository (a storage location) provides administrators with a way to automatically quarantine emails that are identified as spam. This helps in managing spam and probable spam quarantined mails so that the user can take appropriate actions on such emails.
A default POP-IMAP Scan policy named default-pop-av is pre-configured in the device and applied to all POP3/S and IMAP/S traffic so that whenever a virus gets detected in an email, the virus-affected attachment is stripped from the email and the email body is replaced with a notification message.
Detection of Spam attributes
The device uses Content Filtering, and premium and standard Realtime Blackhole Lists (RBLs) to check for the spam attributes in SMTP/S, POP3/S and IMAP/S emails:
• Premium
• Standard
RBL is a list of IP Addresses whose owners refuse to stop the proliferation of spam, that is, owners who are responsible for spam or are hijacked for spam relay. The device checks each RBL for the connecting IP Address. If the IP Address matches one on the list, then the specified action in the policy is taken.
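As an added illustration of the RBL check described above (this is example code, not part of the Sophos guide or the device's implementation), the following builds the reversed-octet DNSBL query name for a connecting IP address and interprets the answer. The zone names and answers are constructed sample data; the 127.0.0.0/8 answer convention is general DNSBL practice rather than something the guide states.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed answers standing in for a real RBL zone. By DNSBL convention (general
# practice, not something this guide states) a listed address resolves to an
# address in 127.0.0.0/8; an unlisted one gets NXDOMAIN, modelled here as None.
SAMPLE_ZONE: Dict[str, str] = {
    "4.3.2.1.bl.example.test": "127.0.0.2",          # 1.2.3.4 is listed
    "10.0.0.203.bl.example.test": "127.0.0.4",       # 203.0.0.10 is listed
    "9.9.9.9.broken.example.test": "93.184.216.34",  # bogus non-127/8 answer
}

Resolver = Callable[[str], Optional[str]]


def stub_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS A-record lookup."""
    return SAMPLE_ZONE.get(name)


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the RBL zone appended."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver = stub_resolve) -> bool:
    """True only for a public address whose RBL answer lies in 127.0.0.0/8."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_global:
        return False  # private/loopback/reserved senders are never sent to an RBL
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return False
    # A zone answering outside 127/8 (expired, wildcarded, hijacked) is not trusted.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_sender(ip: str, zones: List[str], resolve: Resolver = stub_resolve) -> Dict[str, bool]:
    """Check the connecting IP against every RBL in the configured group, as the policy does."""
    return {zone: is_listed(ip, zone, resolve) for zone in zones}
```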
Add SMTP Malware Scan Policy
SMTP Malware Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
The Add SMTP Malware Scan Policy page allows you to configure a scan policy to detect malware in Email traffic and take appropriate action.
1. Go to Email > Policies, click Add policy and then click SMTP Malware Scan.
2. Enter a Name to identify the scan rule.
3. Enter Email Address/Domain Group details.
Sender
Select the sender name from the list of users.
Select Any if the rule is to be applied on all the senders.
You can also add RBLs or a list of Email addresses by clicking the Create New link.
Recipient
Select the recipient name from the list of users.
Select Any if the rule is to be applied on all the recipients.
You can also add RBLs or a list of Email addresses by clicking the Create New link.
Figure 216: Email Address/Domain Group
4. Enter Attachment Filter details.
Block File Types
Select file types to be blocked as an attachment to remove all the files that are a potential threat and to prevent virus attacks.
More than one file type can be selected using ctrl/shift keys.
Device contains a default list of File Types, with each Type containing relevant file extensions.
Refer to Email > File Type to view the list of file extensions which can be blocked.
Select All to block Emails with any type of attachments.
Select None to allow Emails with any type of attachments.
MIME Whitelist
If one or more File Types are selected in Block File Types, this field is populated with the corresponding MIME Headers that belong to the selected File Type(s).
Select the MIME Header(s) of the selected File Type(s). Only the selected headers are allowed, while the rest in the selected File Type are blocked during anti-virus scanning of Email attachments.
Figure 217: Attachment Filter
5. Specify Malware Filter details.
Scanning
Select the scanning action.
Available Actions:
Disable: Emails are not scanned.
Enable: Emails are scanned by the device's anti-virus engine.
Note:
In Sophos Firewall XG105, Cyberoam CR500iNG, and Sophos UTM SG105, and higher models, Enable is replaced by the following options.
Single Anti-Virus: The primary anti-virus engine scans the emails.
Dual Anti-Virus: The primary and secondary engines scan emails sequentially.
Select the Primary Anti-Virus Engine from Protect > Email > General Settings > Malware Protection.
Action (Available only if Scanning is enabled)
Enable the action to be taken on the mails received, from the available options:
Quarantine: If enabled, copies the Email to the quarantine file list. The Email is either delivered to the recipient or dropped, as per the configured Recipient Action. You can view Email details like the sender and receiver of the Email in the Quarantine. The Administrator can access the Quarantine from Email > SMTP Quarantine, while users can access it from their respective User Portal.
Notify Sender: If enabled, the original message is withheld by the Device and a notification is sent to the sender informing them that the Email was infected. The sender will receive the notification only if the Receiver Action is configured as Don't Deliver.
Default - Disable
Delivery Option for Infected Attachment/Protected Attachment (Available only if Scanning is enabled)
Recipient Action
Select the action to be taken on the message that is detected to be Infected, Suspicious or includes a Protected Attachment.
Available Options:
Don't Deliver: Receiver will not receive the message and will also not receive the notification regarding the infected Email.
Deliver Original: Receiver receives the original Email.
Remove and Deliver: Infected part of the Email is removed before delivering. Receiver will also receive the notification stating that the Email was infected and the infected portion of the Email was removed. Not applicable for Blocked Attachments (Block File Type).
Note: Protected attachments are not scanned but receiver will be notified, if not specified otherwise.
Notify Administrator
Select the action to notify the Administrator for the message detected to be Infected, Suspicious or includes a Protected Attachment.
Available Options:
Don't Deliver: Administrator will not be notified about the infected Email.
Send Original: Administrator receives the original Email.
Remove Attachment: Recipient receives the message without the attachment and the Administrator receives the notification that the Email attachment was infected and removed before delivering the Email.
Note: Protected attachments are not scanned but receiver will be notified, if not specified otherwise.
Figure 218: Malware Filter
6. Click Save.
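To make the Attachment Filter and Recipient Action semantics above concrete, here is an added example (not from the Sophos guide or the device) that evaluates a Malware Scan policy against a constructed message. The file-type table, attachment objects and the handling of Remove and Deliver for a blocked type are my own modelling assumptions, labelled in the code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed file-type table standing in for the device's Email > File Type list:
# type name -> file extensions and the MIME headers that belong to that type.
FILE_TYPES: Dict[str, Dict[str, Set[str]]] = {
    "Executable": {"ext": {"exe", "scr", "msi"},
                   "mime": {"application/x-msdownload", "application/x-msi"}},
    "Archive": {"ext": {"zip", "7z", "rar"},
                "mime": {"application/zip", "application/x-7z-compressed"}},
}


@dataclass
class Attachment:
    filename: str
    mime: str
    infected: bool = False   # verdict of the anti-virus engine
    protected: bool = False  # e.g. password-protected archive: cannot be scanned


@dataclass
class MalwarePolicy:
    block_types: Set[str] = field(default_factory=set)     # Block File Types (empty = None)
    mime_whitelist: Set[str] = field(default_factory=set)  # MIME headers still allowed
    scanning: bool = True                                   # Scanning: Enable / Disable
    recipient_action: str = "Remove and Deliver"  # or "Don't Deliver" / "Deliver Original"
    quarantine: bool = False


def attachment_verdict(att: Attachment, policy: MalwarePolicy) -> str:
    """Classify one attachment: blocked-type, infected, protected or clean.
    Both the extension and the MIME header are checked, so renaming a file or
    mislabelling its MIME type alone does not slip past a blocked type."""
    ext = att.filename.rsplit(".", 1)[-1].lower() if "." in att.filename else ""
    for type_name in policy.block_types:
        ft = FILE_TYPES[type_name]
        hit = ext in ft["ext"] or att.mime in ft["mime"]
        if hit and att.mime not in policy.mime_whitelist:
            return "blocked-type"
    if policy.scanning and att.infected:
        return "infected"
    if att.protected:
        return "protected"
    return "clean"


def dispose(attachments: List[Attachment], policy: MalwarePolicy) -> Dict[str, object]:
    """Apply the Recipient Action to a message whose parts carry the verdicts above."""
    verdicts = {a.filename: attachment_verdict(a, policy) for a in attachments}
    flagged = {n: v for n, v in verdicts.items() if v != "clean"}
    result = {"deliver": True, "removed": [], "notify_recipient": False,
              "quarantined": bool(flagged) and policy.quarantine, "verdicts": flagged}
    if not flagged:
        return result
    if policy.recipient_action == "Don't Deliver":
        result["deliver"] = False
    elif policy.recipient_action == "Deliver Original":
        pass  # message goes out unchanged; the quarantine copy (if enabled) is kept
    elif policy.recipient_action == "Remove and Deliver":
        # The guide says this action does not apply to Block File Type matches; this
        # example (an assumption, not documented device behaviour) withholds the
        # whole message when a blocked type is present.
        if "blocked-type" in flagged.values():
            result["deliver"] = False
        else:
            result["removed"] = sorted(flagged)
            result["notify_recipient"] = True
    else:
        raise ValueError(f"unknown recipient action: {policy.recipient_action}")
    return result
```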
Add SMTP Spam Scan Policy
SMTP Spam Scan policies appear only when Legacy mode is enabled. The device acts as a transparent proxy.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
The Add SMTP Scan Policy page allows you to configure a scanning policy to detect incoming and outgoing spam in email traffic and take appropriate action.
1. Go to Email > Policies, click Add Policy and then click SMTP Spam Scan.
2. Enter a Name for the policy.
3. Enter Email Address/Domain Group details.
Sender
Specify Email Address(es) of the Sender(s). You can select from:
Contains: Specify keywords to be matched with Sender Email Addresses. The rule applies to Address(es) containing those keywords. For example, if the keyword "mail" is specified, the rule will apply to Sender Email Addresses [email protected], [email protected], etc.
Equals: Specify the exact Email Address(es) of the Sender(s).
You can also add RBLs, a list of Email Addresses or keywords using the Create New link.
Recipient
Specify Email Address(es) of the Recipient(s). You can select from:
Contains: Specify keywords to be matched with Recipient Email Addresses. The rule applies to Address(es) containing those keywords. For example, if the keyword "mail" is specified, the rule will apply to Recipient Email Addresses [email protected], [email protected], etc.
Equals: Specify the exact Email Address(es) of the Recipient(s).
You can also add RBLs, a list of Email Addresses or keywords using the Create New link.
Figure 219: Email Address/Domain Group
4. Select the Filter Criteria.
Inbound Email is
All the Emails that are received by the users in their inbox are referred to as Inbound.
If you select Inbound Spam, all the Emails received by the users are scanned for spam and viruses by the Device.
The specified action will be taken if the Device has identified the Inbound Email to be one of the following:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak
Outbound Email is
Emails that are sent by a user in the network to a remote user on another Email system are referred to as Outbound.
If you select Outbound Spam, all the Emails sent by the local users are scanned for spam and viruses by the Device before being delivered.
The specified action will be taken if the Device has identified the Outbound Email to be one of the following:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak
Source IP/Network Address
Specify the action to be taken when the Email sender IP Address matches the specified IP Address.
Destination IP/Network Address
Specify the action to be taken when the Email recipient IP Address matches the specified IP Address.
Sender Remote Blacklist
Specify the action to be taken when the sender is listed in the specified RBL Group.
Message Size
The specified action will be taken if the Email size matches the specified size.
Message Header
The specified action will be taken if the message header equals or contains the specified text.
Contains: Specify keywords to be matched with Message Header. The rule applies to Header(s) containing those keywords.
Equals: Specify the exact Header(s) to be scanned.
You can scan message header for Spam in:
Subject: The specified action will be taken if the header contains the matching subject.
From: The specified action will be taken if the header contains the matching text in the From address.
To: The specified action will be taken if the header contains the matching text in the To address.
Other: The specified action will be taken if the matching text is found in the other headers.
Data Control List
The specified action will be taken if the message contains data matching the configured Data Control List. You can create Data Protection Policies at Email > Data Control List.
Note: Data Protection is applicable on outbound emails only.
None
Select this to create a rule for email between a specific sender and recipient without any conditions.
You can set actions for SMTP/S and POP/S-IMAP/S mails only on the basis of sender and recipient.
Figure 220: Filter Criteria
5. Select the Action.
Action
Select action to be taken for the SMTP/S traffic.
Available Options:
Reject: Email is rejected and a rejection notification is sent to the Email sender.
Accept (Not available for Outbound Spam): Email is accepted and delivered to the intended recipient. The Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encrypted.
Note: SPX Encryption is applicable on outbound emails only.
Change Recipient: Email is accepted but is not delivered to the intended recipient for whom the message was originally sent. Email is sent to the recipient specified in the spam policy.
Prefix Subject (Not available for Outbound Spam): Email is accepted and delivered to the intended recipient but after tagging the subject line. The Administrator can bind an SPX Template to this action so that the Email is delivered to the intended recipient after being SPX-encrypted. Tagging content is specified in the To field. You can customize subject tagging in such a way that the recipient knows that this is a spam Email. For example, contents to be prefixed to the original subject: 'Spam notification from the Device –'; original subject: 'This is a test'; the recipient will receive the Email with the subject line: 'Spam notification from the Device - This is a test'.
Drop: Email is rejected but a rejection notification is not sent to the Email sender.
SPX Template
If the action selected is Accept, Prefix Subject or Accept with SPX, select the SPX Template to be applied to the Email. You can create
Note: SPX Encryption is applicable on outbound emails only.
Quarantine
If this is enabled, the device does not deliver Email but copies it to the quarantine file list. You can view the Email details like the sender and recipient in the quarantined file list.
6. Click Save.
Add POP-IMAP Scan Policy
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Add a POP-IMAP scan policy to detect incoming and outgoing spam in POP/S and IMAP/S traffic.
1. Go to Protect > Email > Policies and click POP-IMAP Scan.
2. Enter a Name for the policy.
3. Enter email address or domain group details.
Sender
To specify the sender email addresses, select from the following options:
Contains: Specify the keywords to be matched with the senders' email addresses. Example:
If you specify the keyword 'mail', the rule applies to senders' email addresses such as [email protected], [email protected].
Equals: Specify the senders' exact email addresses.
To add a list of keywords or email addresses, click Create New.
Recipient
To specify the recipient email addresses, select from the following options:
Contains: Specify the keywords to be matched with the recipient email addresses. Example:
If you specify the keyword 'mail', the rule applies to recipient email addresses such as [email protected], [email protected].
Equals: Specify the recipients' exact email addresses.
To add a list of keywords or email addresses, click Create New.
Figure 221: Email Address/Domain Group
4. Select from the following Filter Criteria based on which the specified action is to be taken:
Inbound Email is
Select from the following options:
• Spam
• Probable Spam
• Virus Outbreak
• Probable Virus Outbreak
Source IP/Network Address
Sender's IP address matches the specified IP address.
Message Size
Sender's email size matches the specified restriction of message size.
Message Header
Select from the following message headers to match the specified keyword:
• Subject
• From
• To
• Other
Select the type of keyword match from the following options:
Contains: Specify the keywords to be matched with the message header.
Equals: Specify the exact match to the actual headers.
None
Select to create a policy between specific senders and recipients without imposing any other condition.
Figure 222: Filter Criteria
5. Select the action.
Action
Select the action to be taken from the following options:
Accept: Email is accepted and delivered to the intended recipient.
Prefix Subject: Email is accepted and delivered to the intended recipient after adding a prefix to the subject line. Specify the prefix in the To field. You can set the prefix to indicate the filter criteria.
Example:
Original subject line: Test mail
Tagged content: Probable Spam
Recipient receives email with the subject line: 'Probable Spam: Test mail'
6. Click Save.
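The Filter Criteria and Action options of the SMTP Spam Scan and POP-IMAP Scan policies above describe a matching and dispatch procedure; the following is an added example (my own modelling, not the guide's or the device's code) that evaluates such a policy against a constructed message. Field and option names follow the guide; the Message Size criterion is assumed to match when the size reaches the configured value, and quarantined mail is held rather than delivered, as the Quarantine option states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VERDICTS = ("Spam", "Probable Spam", "Virus Outbreak", "Probable Virus Outbreak")


@dataclass
class Message:
    sender: str
    recipients: List[str]
    headers: Dict[str, str]        # Subject, From, To and any other headers
    size_kb: int
    verdict: Optional[str] = None  # engine result: one of VERDICTS, or None


@dataclass
class Matcher:
    mode: str          # "Contains" or "Equals", as in the guide
    values: List[str]

    def matches(self, text: str) -> bool:
        t = text.lower()
        if self.mode == "Equals":
            return any(t == v.lower() for v in self.values)
        return any(v.lower() in t for v in self.values)


@dataclass
class SpamPolicy:
    sender: Optional[Matcher] = None      # None means Any
    recipient: Optional[Matcher] = None
    email_is: List[str] = field(default_factory=list)  # "Inbound Email is" / "Outbound Email is"
    min_size_kb: Optional[int] = None     # Message Size (assumption: matches when size >= this)
    header_name: Optional[str] = None     # Subject / From / To / Other
    header_match: Optional[Matcher] = None
    action: str = "Accept"                # Accept / Reject / Drop / Change Recipient / Prefix Subject
    prefix_text: str = ""                 # text placed before the original subject
    change_to: Optional[str] = None       # target for Change Recipient
    quarantine: bool = False


def criteria_match(msg: Message, pol: SpamPolicy) -> bool:
    """Every configured criterion must hold; unset criteria are ignored ("None")."""
    if pol.sender and not pol.sender.matches(msg.sender):
        return False
    if pol.recipient and not any(pol.recipient.matches(r) for r in msg.recipients):
        return False
    if pol.email_is and msg.verdict not in pol.email_is:
        return False
    if pol.min_size_kb is not None and msg.size_kb < pol.min_size_kb:
        return False
    if pol.header_name and pol.header_match:
        if pol.header_name == "Other":
            hay = [v for k, v in msg.headers.items() if k not in ("Subject", "From", "To")]
        else:
            hay = [msg.headers.get(pol.header_name, "")]
        if not any(pol.header_match.matches(h) for h in hay):
            return False
    return True


def apply_policy(msg: Message, pol: SpamPolicy) -> Dict[str, object]:
    """Return where the mail goes and what its subject looks like after the action."""
    out = {"matched": False, "action": None, "recipients": list(msg.recipients),
           "subject": msg.headers.get("Subject", ""), "notify_sender": False, "quarantined": False}
    if not criteria_match(msg, pol):
        return out
    out.update(matched=True, action=pol.action, quarantined=pol.quarantine)
    if pol.action == "Reject":            # rejected, sender notified
        out.update(recipients=[], notify_sender=True)
    elif pol.action == "Drop":            # rejected silently
        out["recipients"] = []
    elif pol.action == "Change Recipient":
        out["recipients"] = [pol.change_to]
    elif pol.action == "Prefix Subject":  # e.g. "Probable Spam: Test mail"
        out["subject"] = f"{pol.prefix_text} {out['subject']}".strip()
    elif pol.action != "Accept":
        raise ValueError(f"unknown action: {pol.action}")
    if pol.quarantine:                    # quarantined mail is held, not delivered
        out["recipients"] = []
    return out
```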
Data Control List
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM and Sophos Firewall Models.
You can create a Data Control List of confidential data by selecting from the Content Control List (CCL). The device provides CCLs based on expert definitions for common financial and personally identifiable data types (example: credit card and social security numbers, postal and email addresses).
Subsequently, you can use Data Control Lists to set Data Protection for emails.
Add a Data Control List
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This feature is available in Cyberoam Models CR15iNG and above, and all Sophos UTM Models.
Add Data Control List allows you to create a list of confidential data types. The device provides Content Control Lists (CCL) based on expert definitions for common financial and personally identifiable data types.
1. Go to Protect > Email > Data Control List and click Add.
2. Enter the name.
3. Select the CCLs (Content Control List) from the list. Filter the CCLs based on Type and Region.
Figure 223: Data Control List
4. Click Save.
SMTP Quarantine
SMTP Quarantine is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
The SMTP Quarantine allows you to filter the quarantined emails. The page displays all the emails quarantined by the device if they are found to be:
• From a blocked Source IP Address
• Destined to a blocked Destination IP Address
• Virus-infected
• Oversized
• Containing a Blocked Header
• Containing unscannable content or a protected attachment
• Blocked by an RBL
• Blocked by Data Protection (DP)
• Spam
• Found malicious by Sandstorm
• Quarantined due to any other reason
Use the filter to search for mails from the list of quarantined emails.
The filter result displays a list of all the quarantined emails based on the filter criteria.
Total utilization displays the percentage of the quarantine area used by quarantined emails. Once the quarantine repository is full, older emails are purged.
Quarantine Digest
The Quarantine Digest is an email containing a list of quarantined emails filtered by the device and held in the user's quarantine area. If configured, the user receives a Quarantine Digest as per the frequency set in Email > Quarantine Digest. The digest also provides a link to the User Portal from where the user can access quarantined emails and take the required action.
Releasing Quarantined Email
Either the Administrator or the user can release quarantined Emails. The Administrator can release quarantined Emails from the Quarantine Area, while the user can release them from the User Portal. Released quarantined Emails are delivered to the intended recipient's inbox. The Administrator can access the Quarantine Area from Email > SMTP Quarantine, while the user can log on to the User Portal and access the Quarantine Area from SMTP Quarantine. If Quarantine Digest is configured, the user will receive a Digest of the quarantined mails as per the configured frequency.
Note:
• Virus-infected emails and the emails found malicious by Sandstorm cannot be released.
• To delete Sandstorm related emails, you need Read-Write permission for Sandstorm Activity.
Figure 224: SMTP Quarantine
Encryption
SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
What is SPX Encryption?
SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and extremely easy to set up and customize in any environment. Using SPX encryption, email messages and any attachments sent to the Device are converted to a PDF document, which is then encrypted with a password. You can configure the Device to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients.
When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:
• The user can download the Sophos Outlook Add-in from the User Portal. After having it installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to click the Encrypt button and then write and send the message.
Note:
If you do not use Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to "yes".
• In the Data Protection feature, you can enforce SPX encryption of Emails containing sensitive data (see Email > Policies > SMTP Policy).
The encrypted message is then sent to the recipient's mail server. Using any PDF reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Android, iOS, Blackberry and Windows Mobile devices.
The SPX-encrypted email contains a Reply button which links to the SPX Reply Portal. Using the SPX Reply Portal, the recipient can reply to the email securely.
SPX Configuration
Default SPX Template
Select the SPX Template to be used by default. The Default Template is used if any user explicitly SPX-encrypts an email and no template is selected in the Content Scanning Rule.
The user can SPX-encrypt an Email by:
• Manually setting the Email header X-Sophos-SPX-Encrypt to "yes".
• Installing the Sophos Outlook Add-on and clicking Encrypt before sending the Email.
If the Default SPX Template is set to None, then SPX encryption is not applied to Email.
Keep Unused Password for
Enter the expiry time in days of an unused password.
For example, if Keep Unused Password for is set to 3 days, the password will expire at 0 o'clock 3 days after being generated if no SPX encrypted message has been sent for a specific recipient.
Default: 30 days
Allow Password Registration for
Enter the time in days after which the link to Password Registration Portal expires.
Default: 10 days
Send Error Notification To
Specify whom to send a notification when an SPX error occurs. You can send the notification to the sender or you can send no notification at all. Error messages will always be listed in the SMTP log.
Figure 225: SPX Configuration
SPX Portal Settings
Hostname
Enter the IP Address or Domain on which the Password Registration Portal is hosted.
Allowed Network(s)
Enter the networks from which password registration requests will be accepted.
Port
Enter the port on which the SPX Password Registration Portal should listen.
Default: 8094
Figure 226: SPX Portal Settings
SPX Password Reset
Reset Password for
Enter the Email Address for the recipient for whom you want to reset the password. New SPX email to this address requires the recipient to obtain a new password from the sender.
Figure 227: Password Reset
SPX Templates
The SPX template defines the layout of the PDF file, password settings and recipient instructions. You can also define different SPX templates. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.
This page allows you to add, edit and delete SPX templates.
Figure 228: SPX Templates
Add SPX Templates
SPX Encryption is available in Sophos Firewall XG105 and higher models, Cyberoam CR25iNG and higher models, and all Sophos UTM Models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
This page allows you to define new SPX Templates or modify existing templates.
1. Go to Protect > Email > Encryption > SPX Templates and click Add.
2. Enter parameter values for the following basic settings.
Name
Specify the name to uniquely identify the template. The name should be a string containing alphanumeric and special characters EXCEPT forward slash (/), backslash (\), comma (,), double quote (") and single quote (').
Description
Specify details of the template.
Organization Name
Specify the organization name to be displayed on notifications concerning SPX sent to the administrator or the email sender, depending on your settings.
PDF Encryption
Select the encryption standard of the PDF file.
Page Size
Select the page size of the PDF file.
Figure 229: General Settings
3. Enter Password Settings.
Password Type
Select how you want to generate the password for accessing the encrypted email message. The sender always has to take care of transferring the password in a safe way to the recipient, unless you select Specified by recipient.
Available Options:
Specified by Sender:
If you select this, the email sender should provide the password. The sender has to enter the password into the Subject field, using the following format:
[secure:<password>]<subject text>, where <password> is the password to open the encrypted PDF file and <subject text> is the actual subject. The password will be removed by the Device before the email is sent to the recipient.
Generated one-time password for every email:
The Device automatically creates a new password for each affected email. An email notification is mailed to the sender containing instructions and the one-time generated password.
The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.
Generated and stored for recipient:
The Device automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a configured time period, and it can be reset by the administrator (see SPX Password Reset).
The HTML content of this Email can be customized from Notification Subject and Notification Body. You can reset to the default content by clicking Reset.
Specified by recipient:
If you select this, the email recipient should provide the password. The recipient receives an email notification containing a link leading to the Password Registration Portal to register a password and the Sender receives a failure notification. After registration, the recipient is able to view the current encrypted mail and any future encrypted mails using the same password from this or other senders from the same organization.
Note: The Recipient's password generated via the Specified by recipient method and the Generated and stored for recipient method are mutually exclusive. The recipient will have to use the respective password when email is received after SPX Encryption using different methods.
Figure 230: Password Settings
4. Specify Recipient Instructions:
Instructions for Recipient
The body of the email that is sent from the Device to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g.,
%%ORGANIZATION_NAME%%
Tip: The Default SPX Template on this tab contains all available variables and gives a useful example of recipient instructions. The variables used are:
• ENVELOPE_TO: The recipient for whom the password is generated.
• PASSWORD: The password to open SPX encrypted Email
• ORGANIZATION_NAME: The name provided in the Organization Name field.
• SENDER: The sender of the email.
• REG_LINK: The link to the Registration Portal for registering the password.
Figure 231: Recipient Instructions
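As an added example tying together the SPX mechanics described on this page (the X-Sophos-SPX-Encrypt header trigger, the [secure:<password>]<subject text> convention for Specified by Sender, the four Password Types, and the %%VARIABLE%% placeholders in the recipient instructions), the following is my own model of that flow, not code from Sophos or the device. The message, the instructions template, the organization name and the registration link are constructed sample values; the password store is an in-memory dict standing in for the device's per-recipient storage.

```python
import re
import secrets
from email.message import EmailMessage
from typing import Dict, Optional, Tuple

# Subject convention for the "Specified by Sender" password type, from the guide.
SECURE_TAG = re.compile(r"^\[secure:(?P<pw>[^\]]*)\](?P<subject>.*)$", re.DOTALL)
VARIABLE = re.compile(r"%%([A-Z_]+)%%")

# Constructed recipient-instructions template using the guide's variable names.
INSTRUCTIONS = (
    "Hello %%ENVELOPE_TO%%,\n"
    "%%SENDER%% at %%ORGANIZATION_NAME%% sent you an encrypted PDF.\n"
    "Password: %%PASSWORD%%\n"
    "No password yet? Register one here: %%REG_LINK%%\n"
)


def sample_message(subject: str, header: bool = True) -> EmailMessage:
    """Constructed outbound mail; header=True sets the manual SPX trigger."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@partner.test"
    msg["Subject"] = subject
    if header:
        msg["X-Sophos-SPX-Encrypt"] = "yes"
    return msg


def spx_requested(msg: EmailMessage) -> bool:
    return msg.get("X-Sophos-SPX-Encrypt", "").strip().lower() == "yes"


def parse_secure_subject(subject: str) -> Tuple[Optional[str], str]:
    """Split "[secure:<password>]<subject text>" into (password, subject).
    The tag must be stripped before the mail leaves, or the password travels with it."""
    m = SECURE_TAG.match(subject)
    if not m or not m.group("pw"):
        return None, subject
    return m.group("pw"), m.group("subject").lstrip()


def choose_password(password_type: str, sender_password: Optional[str],
                    recipient: str, store: Dict[str, str]) -> Optional[str]:
    """Password source per the template's Password Type; None means the recipient
    must register one (Specified by recipient) or the sender omitted the tag."""
    if password_type == "Specified by Sender":
        return sender_password
    if password_type == "Generated one-time password for every email":
        return secrets.token_urlsafe(12)  # fresh per mail, mailed to the sender
    if password_type == "Generated and stored for recipient":
        return store.setdefault(recipient, secrets.token_urlsafe(12))  # reused next time
    if password_type == "Specified by recipient":
        return None
    raise ValueError(f"unknown password type: {password_type}")


def render_instructions(template: str, values: Dict[str, str]) -> str:
    """Fill %%NAME%% placeholders; names not supplied stay visible rather than vanish."""
    return VARIABLE.sub(lambda m: values.get(m.group(1), m.group(0)), template)


def process(msg: EmailMessage, password_type: str, default_template: Optional[str],
            store: Dict[str, str], data_protection_hit: bool = False,
            org: str = "Example Org", reg_link: str = "https://spx.example.test/register"):
    """Decide whether this mail is SPX-encrypted and with which password."""
    subject = str(msg.get("Subject", ""))
    if not (spx_requested(msg) or data_protection_hit):
        return {"encrypt": False, "subject": subject, "reason": "not requested"}
    if default_template is None:  # Default SPX Template set to None: no encryption
        return {"encrypt": False, "subject": subject, "reason": "Default SPX Template is None"}
    sender_pw, subject = parse_secure_subject(subject)
    password = choose_password(password_type, sender_pw, str(msg["To"]), store)
    if password_type == "Specified by Sender" and password is None:
        return {"encrypt": False, "subject": subject, "reason": "no [secure:<password>] tag"}
    values = {"ENVELOPE_TO": str(msg["To"]), "PASSWORD": password or "", "ORGANIZATION_NAME": org,
              "SENDER": str(msg["From"]), "REG_LINK": reg_link}
    return {"encrypt": True, "subject": subject, "password": password,
            "recipient_instructions": render_instructions(INSTRUCTIONS, values)}
```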
General Settings
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Email Configuration allows you to configure the general settings for Email traffic. This page contains the following sections.
SMTP Deployment Mode
MTA mode is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
Click the button to switch between MTA and Legacy Mode.
In MTA Mode, the Device acts as a Mail Transfer Agent (MTA). In Legacy Mode, the Device acts as a transparent proxy.
When acting as an MTA, the Device is responsible for routing Emails to and from the protected Email Server(s). In this state the Device allows you to:
• configure relay of inbound and outbound Emails from Email > Relay Settings.
• set up multiple SMTP Profiles to protect multiple Domains on your internal Email Server or multiple Email Servers from Email > Policies > SMTP Policies.
• view email messages that are either waiting for delivery or have produced an error in the Email > Mail Spool.
• view the logs for all the emails processed by the Device from Email > Mail Logs.
Default: MTA Mode is enabled.
Note:
• On enabling MTA Mode, a firewall rule to allow SMTP/SMTPS traffic is automatically created.
• If you have migrated from CyberoamOS to SFOSv16 OR SFOSv15 to SFOSv16, Legacy Mode will be enabled by default.
Figure 232: SMTP Deployment Mode
Banner Settings
Append Banner to All Outbound Messages
Enable to add a banner at the end of all outgoing Email messages.
The banner is appended ONLY when SMTP and SMTPS Scanning is enabled in the relevant Business Application Policy(s).
Email Banner
Specify a banner to be added to all outgoing Emails. Only text banners are allowed.
Example:
This email contains confidential information. You are not authorized to copy the contents without the consent of the sender. Please do not print this email unless it is absolutely necessary. Spread environmental awareness.
Figure 233: Banner Settings
SMTP Settings
SMTP Hostname
Specify the SMTP hostname to be used in HELO and SMTP banner strings. By default, Device uses 'Sophos' as hostname.
Note: For Legacy Mode, this hostname is applicable only to system-generated notification emails.
Don't Scan Emails Greater Than
Specify the maximum size (in KB) of Emails to scan. Emails exceeding this size received through SMTP/S are not scanned and are handled according to Action for Oversize Email.
Default - 1024 KB
Specify 0 to raise the limit to its maximum of 51200 KB.
Action for Oversize Email
Specify the action for Oversize Emails.
Available Options
Accept: All the oversize mails are forwarded to the recipient without scanning.
Reject: All the oversize mails are rejected and the sender is notified.
Drop: All the oversize mails are dropped, without notifying the sender.
Bypass Spam Check for SMTP/S Authenticated Connections (Available in Legacy Mode only)
Enable to bypass Spam Scanning for Email messages received over SMTP/S connections authenticated by the Email Server.
Verify Sender's IP Reputation
Enable to verify the reputation of the sender IP Address. When enabled, the Device dynamically checks the sender's IP Address of all Emails. If the IP Address is found to be responsible for sending spam email or malicious contents, the Device takes action as per the configured Scanning Rules.
If enabled, specify an action for Confirmed Spam Emails and Probable Spam Emails.
Available Options
Accept: All the spam Emails are forwarded to the recipient after scanning as per the configuration.
Reject: All the spam mails are rejected and a notification is sent to the Email sender.
Drop: All the spam mails are dropped, without notifying the sender.
As it is a global option, if spam scanning is enabled, all the mails will first be subjected to IP Reputation filtering followed by filtering based on actions configured in the spam policy.
Default - Disable
SMTP DoS Settings
Enable to configure SMTP DoS Settings which protect the network from SMTP DoS Attacks.
If this is enabled, specify values for Maximum Connections, Maximum Connections/Host, Maximum Emails/Connection, Maximum Recipients/Email, Email Rate per Minute/Host and Connection Rate per Second/Host.
Maximum Connections (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections that can be established with the Email Server.
Default - 1024
Acceptable Range - 1 - 20000
Maximum Connections/Host (Available if SMTP DoS Settings Enabled)
Specify maximum number of connections allowed to the Email Server from a particular host.
Default - 64
Acceptable Range - 1 - 10000
Maximum Emails/Connection (Available if SMTP DoS Settings Enabled)
Specify maximum number of Emails that can be sent in a single connection.
Default - 512
Acceptable Range - 1 - 1000
Maximum Recipients/Email (Available if SMTP DoS Settings Enabled)
Specify maximum number of recipients for a single Email.
Default - 100
Acceptable Range - 1 - 256
Email Rate per Minute/Host (Available if SMTP DoS Settings Enabled)
Specify number of Emails to be sent from a particular host in one minute.
Default - 512
Acceptable Range - 1 - 20000
Connection Rate per Second/Host (Available if SMTP DoS Settings Enabled)
Specify number of connections allowed to the Email Server from a particular host in one second.
Default - 8
Acceptable Range - 1 - 20000
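The following Python is an added example, not Sophos code, showing how the six SMTP DoS thresholds above fit together when applied to a stream of connection and mail events, using the guide's default values. The event format, the sliding 1-second and 60-second windows, and the sample burst from 198.51.100.7 are assumptions made for the example; the page does not describe how the appliance itself counts.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class SmtpDosLimits:
    """Defaults as documented under SMTP DoS Settings."""
    max_connections: int = 1024            # Maximum Connections
    max_connections_per_host: int = 64     # Maximum Connections/Host
    max_emails_per_connection: int = 512   # Maximum Emails/Connection
    max_recipients_per_email: int = 100    # Maximum Recipients/Email
    email_rate_per_minute_host: int = 512  # Email Rate per Minute/Host
    conn_rate_per_second_host: int = 8     # Connection Rate per Second/Host


class SmtpDosLimiter:
    """Stateful checker: feed it connect/mail/disconnect events with a
    monotonic timestamp in seconds; it returns 'accept' or a reject reason
    naming the limit that tripped. The sliding 1 s / 60 s windows are an
    assumption; the appliance's counting method is not documented."""

    def __init__(self, limits: Optional[SmtpDosLimits] = None):
        self.l = limits or SmtpDosLimits()
        self.open_conns = {}                     # conn_id -> host
        self.conns_per_host = defaultdict(int)   # host -> open connections
        self.emails_per_conn = defaultdict(int)  # conn_id -> accepted mails
        self.conn_times = defaultdict(deque)     # host -> connect times (1 s window)
        self.mail_times = defaultdict(deque)     # host -> mail times (60 s window)

    @staticmethod
    def _prune(dq, now, window):
        while dq and now - dq[0] >= window:
            dq.popleft()

    def connect(self, now, host, conn_id):
        if len(self.open_conns) >= self.l.max_connections:
            return "reject: Maximum Connections"
        if self.conns_per_host[host] >= self.l.max_connections_per_host:
            return "reject: Maximum Connections/Host"
        dq = self.conn_times[host]
        self._prune(dq, now, 1.0)
        if len(dq) >= self.l.conn_rate_per_second_host:
            return "reject: Connection Rate per Second/Host"
        dq.append(now)
        self.open_conns[conn_id] = host
        self.conns_per_host[host] += 1
        return "accept"

    def mail(self, now, conn_id, recipients):
        host = self.open_conns.get(conn_id)
        if host is None:
            return "reject: unknown connection"
        if recipients > self.l.max_recipients_per_email:
            return "reject: Maximum Recipients/Email"
        if self.emails_per_conn[conn_id] >= self.l.max_emails_per_connection:
            return "reject: Maximum Emails/Connection"
        dq = self.mail_times[host]
        self._prune(dq, now, 60.0)
        if len(dq) >= self.l.email_rate_per_minute_host:
            return "reject: Email Rate per Minute/Host"
        dq.append(now)
        self.emails_per_conn[conn_id] += 1
        return "accept"

    def disconnect(self, conn_id):
        host = self.open_conns.pop(conn_id, None)
        if host is not None:
            self.conns_per_host[host] -= 1
            self.emails_per_conn.pop(conn_id, None)


def run_demo():
    """Constructed burst: one host opens ten connections inside one second,
    then sends to 101 and then to 100 recipients on its first connection."""
    lim = SmtpDosLimiter()
    verdicts = [lim.connect(0.1 + i * 0.05, "198.51.100.7", f"c{i}") for i in range(10)]
    too_many = lim.mail(1.0, "c0", recipients=101)
    ok = lim.mail(1.1, "c0", recipients=100)
    return verdicts, too_many, ok


if __name__ == "__main__":
    print(run_demo())
```

With the defaults, the ninth and tenth connection attempts inside the same second are refused by Connection Rate per Second/Host while the per-host connection cap (64) is never reached; the per-email recipient cap is checked before any rate counter is consumed, so a rejected oversized recipient list does not count against the host's per-minute rate.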
Figure 234: SMTP Settings
POP/S and IMAP/S Settings
Don't Scan Emails Greater Than
Specify the maximum size (in KB) of Emails to scan. Emails exceeding this size received through POP/IMAP are not scanned.
Default - 1024 KB
Specify 0 to raise the limit to its maximum of 10240 KB.
Recipient Headers
Specify Header value to detect recipient for POP3/IMAP.
Default - Delivered-To, Received, X-RCPT-TO
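The following Python is an added example, not Sophos code, of recovering a message's recipient from those three headers in the default order. The sample messages are constructed; the assumption that a Received header carries the envelope recipient in a "for <address>" clause follows the RFC 5321 trace-field convention. It also shows why the To header is not used: a Bcc'd recipient never appears there.

```python
import email
import re

# Default order from the guide: Delivered-To, Received, X-RCPT-TO.
DEFAULT_RECIPIENT_HEADERS = ("Delivered-To", "Received", "X-RCPT-TO")

_ANGLE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")
_BARE = re.compile(r"([^\s<>,;]+@[^\s<>,;]+)")
# In a Received trace field the envelope recipient appears as 'for <addr>'.
_RECEIVED_FOR = re.compile(r"\bfor\s+<([^<>\s]+@[^<>\s]+)>", re.IGNORECASE)


def _extract(name, value):
    if name.lower() == "received":
        m = _RECEIVED_FOR.search(value)
    else:
        m = _ANGLE.search(value) or _BARE.search(value)
    return m.group(1) if m else None


def recipient_from_headers(raw, order=DEFAULT_RECIPIENT_HEADERS):
    """Return the first recipient found, walking the headers in 'order'.
    Multiple Received headers are tried top-down, i.e. last hop first."""
    msg = email.message_from_bytes(raw)
    for name in order:
        for value in msg.get_all(name, []):
            found = _extract(name, value)
            if found:
                return found
    return None


# Constructed messages (not real mail). MSG_BCC shows why To: is useless
# for policy: the user was Bcc'd, so only the trace header names them.
MSG_BCC = b"""Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.com with ESMTPS id abc123
\tfor <bob@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from sender.example.org by mx.example.net with ESMTP id xyz
\tfor <list@example.org>; Mon, 1 Jan 2024 09:59:58 +0000
From: Sender <sender@example.org>
To: undisclosed-recipients:;
Subject: test

body
"""

MSG_DELIVERED = b"""Delivered-To: alice@example.com
Received: from mx.example.net by mail.example.com with ESMTPS id def456
\tfor <list@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
From: Sender <sender@example.org>
To: list@example.com
Subject: test

body
"""

MSG_XRCPT = b"""X-RCPT-TO: <carol@example.com>
From: Sender <sender@example.org>
Subject: test

body
"""

if __name__ == "__main__":
    for m in (MSG_BCC, MSG_DELIVERED, MSG_XRCPT):
        print(recipient_from_headers(m))
```

Delivered-To wins over Received when both are present, which matters when a list expansion puts the list address in the trace header but the local delivery agent stamps the mailbox owner in Delivered-To.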
Figure 235: POP/S and IMAP/S Settings
SMTP TLS Configuration
TLS Certificate
Select the CA Certificate or Server Certificate for scanning SMTP traffic over SSL from the available options.
Available Options
• Default ApplianceCertificate
• SecurityAppliance_SSL_CA
• List of custom CA Certificates and Server Certificates, if added. You can create a custom CA Certificate from Certificates > Certificate Authorities and a custom Server Certificate from Certificates > Certificates.
Allow Invalid Certificate
If enabled, SMTP over SSL connections will be allowed with an invalid certificate from the Email Server. Disable this option to reject such connections. While enabled, the Device does not authenticate the Email Server's certificate, so an expired, mismatched or attacker-presented certificate is accepted.
Default - Enable
Require TLS Negotiation with Host/Net
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be enforced. In other words, the Device will always initiate TLS-secured connections when Emails are to be sent to selected hosts/networks. If TLS is enforced but a connection cannot be established, then Emails to that remote host/network are discarded.
Require TLS Negotiation with Sender Domain
Specify the Sender Domain(s) on whose Email connections TLS encryption is to be enforced.
Sender Domain is the domain of the Email sender. Emails from the specified Sender Domain will be sent over TLS-encrypted connections only. If TLS is enforced but connection cannot be established, then Emails from that sender domain are discarded.
Skip TLS Negotiation Hosts/Nets
Select the remote host (Email Server) or network from available options on whose connections TLS encryption is to be skipped or bypassed. When configured, SMTP connections to selected hosts will be established in clear text and unencrypted.
Figure 236: SMTP TLS Configuration
POP and IMAP TLS Configuration
TLS Certificate
Select the CA for scanning POP and IMAP traffic over SSL from the available options.
Available Options
• Default SecurityAppliance_SSL_CA
• List of custom CAs, if added. You can create a custom CA from Certificates > Certificate Authorities.
Allow Invalid Certificate
If enabled, POP and IMAP over SSL connections will be allowed with an invalid certificate from the Mail Server. Disable to reject such connections. While enabled, the Device does not authenticate the Mail Server's certificate.
Default - Enable
Figure 237: POP and IMAP TLS Configuration
Email Journaling (Available in Legacy Mode only)
Email is one of the most important communication and business tools used by organizations, so email journaling has become an integral part of every organization.
Using the Device's Email Journaling, the administrator can store all incoming Emails, or Emails for a specific recipient or group of recipients, and thereby keep a close watch over data leakage.
The device can journal all Emails intended for single or multiple recipients and can forward them to a single administrator or multiple administrators.
This section displays a list of the archivers created and provides options to add a new archiver, update the parameters of an existing archiver, or delete the archiver. You can filter the list based on recipient name.
Figure 238: Email Journaling
Spam Check Exceptions
To bypass spam scanning of certain domains, define the domains as Spam Check Exceptions. The page lists all the domains configured to be exempted from spam scanning.
It also provides the options to add a new domain and delete an existing domain.
Figure 239: Spam Check Exceptions
Malware Protection
Malware Protection is available in Sophos Firewall XG105, Cyberoam CR500iNG, Sophos UTM SG105, and higher models.
Sophos Firewall offers dual anti-virus scanning, wherein traffic is scanned by two (2) anti-virus engines. Traffic is first scanned by the primary engine, and then by the secondary engine.
Primary Anti Virus Engine
Select the primary anti-virus engine for traffic scanning. For dual scan, packets are first scanned by the primary engine and then by the secondary engine. For single scan, only the primary engine is used.
Available Options: Sophos, Avira
Note: Selecting Avira will disable Sandstorm in all SMTP Policies with Single Anti-Virus Scanning.
Figure 240: Malware Protection
Advanced SMTP Settings (Available in MTA Mode only)
Reject invalid HELO or missing RDNS
Select this option if you want to reject hosts that send invalid HELO/EHLO arguments or lack RDNS entries. Select Do strict RDNS checks if you want to additionally reject email from hosts with invalid RDNS records. An RDNS record is invalid if the found hostname does not resolve back to the original IP address.
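The following Python is an added example, not Sophos code, that separates the three conditions the option describes: an invalid HELO/EHLO argument, a missing RDNS (PTR) record, and, under strict checks, an RDNS name that does not resolve back to the connecting IP address. The PTR and A tables are a constructed stand-in for DNS, and judging HELO validity by RFC 5321 syntax (a dotted domain name or an address literal such as [203.0.113.10]) is our reading, since the page does not define "invalid".

```python
import ipaddress
import re

# Constructed DNS data (not real records).
PTR = {
    "203.0.113.10": "mail.example.net",  # forward-confirmed: A record points back
    "203.0.113.11": "mx.example.org",    # PTR name resolves to a different address
    # 203.0.113.12 deliberately has no PTR record
}
A = {
    "mail.example.net": {"203.0.113.10"},
    "mx.example.org": {"198.51.100.5"},
}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def helo_is_valid(arg: str) -> bool:
    """RFC 5321 HELO/EHLO argument: a fully-qualified domain name, or an
    address literal like [203.0.113.10] or [IPv6:2001:db8::1]."""
    if not arg:
        return False
    if arg.startswith("[") and arg.endswith("]"):
        lit = arg[1:-1]
        if lit.lower().startswith("ipv6:"):
            lit = lit[5:]
        try:
            ipaddress.ip_address(lit)
            return True
        except ValueError:
            return False
    return bool(_DOMAIN_RE.match(arg))


def rdns_status(ip: str) -> str:
    """'missing' (no PTR), 'invalid' (PTR name does not resolve back to
    ip), or 'valid' (forward-confirmed reverse DNS)."""
    name = PTR.get(ip)
    if name is None:
        return "missing"
    return "valid" if ip in A.get(name, set()) else "invalid"


def helo_decision(ip: str, helo: str, strict_rdns: bool) -> str:
    """Reject invalid HELO or missing RDNS; with strict checks also reject
    hosts whose RDNS record is invalid."""
    if not helo_is_valid(helo):
        return "reject: invalid HELO"
    status = rdns_status(ip)
    if status == "missing":
        return "reject: missing RDNS"
    if status == "invalid" and strict_rdns:
        return "reject: invalid RDNS (strict)"
    return "accept"


if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.example.net"),
                     ("203.0.113.11", "mx.example.org"),
                     ("203.0.113.12", "[203.0.113.12]"),
                     ("203.0.113.10", "localhost")]:
        print(ip, helo, helo_decision(ip, helo, strict_rdns=True))
```

Note that the HELO name itself is never compared with the PTR name: the option as documented checks syntax of the argument and existence (or, strictly, consistency) of the reverse record for the connecting address, and the code keeps those two checks independent.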
Scan Outgoing Mails
Enable to scan all outgoing email traffic. Email is quarantined if found to be malware infected, or marked as Spam.
Figure 241: Advanced SMTP Settings
Add Email Journal
Email Journal is available only in Legacy mode (device acts as transparent proxy).
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Add Email Journal allows you to forward copies of emails of specific recipients to a different email address, for example, to an administrator.
1. Go to Protect > Email > General Settings and click Add under Email Journaling.
2. Enter a name.
3. In the Recipient box, select Any to journal all incoming emails. Alternately, select the address groups, copies of whose emails are to be forwarded to a different email address.
4. In the Send Copy Of Email To box, enter the email address to which a copy of emails is to be forwarded.
5. Click Save.
Figure 242: Email Archiver
Address Groups
Policies are applied on Email Addresses. To make configuration easier, the Administrator can group the addresses that require the same scanning policy. The policy applied to the address group is applicable to all the group members. When the group is used in a number of rules, it is much easier to add or remove addresses from the group than to update individual rules: with one update, the Administrator can re-align the rules.
An Address Group is a grouping by:
• Email Address or Domain
• IP Address
• RBL (Real time black hole List) (applicable only for the spam email)
An address can be a member of multiple groups.
An RBL is a list of IP Addresses whose owners are responsible for spam or are hijacked for a spam relay. These IP Addresses might also be used for spreading viruses. The Device checks each RBL for the connecting IP Address and the action configured in the policy is taken if the IP Address is found in any of the RBL lists. The Administrator can directly use the two default RBL groups shipped with the Device or update them as per their requirement:
• Premium RBL Services
• Standard RBL Services
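The following Python is an added example, not Sophos code, of how an RBL (DNS-based block list) lookup of the connecting IP address is formed and interpreted: the address is reversed (octets for IPv4, nibbles for IPv6), the list zone is appended, and an A answer in 127.0.0.0/8 means "listed". The zone names and the answers in STUB_DNS are constructed; the real zones behind the Premium and Standard RBL groups are not shown on the page.

```python
import ipaddress


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name for ip under zone.
    IPv4 203.0.113.10 -> 10.113.0.203.<zone>
    IPv6 is nibble-reversed, exactly as for ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        rev = ".".join(reversed(addr.exploded.split(".")))
    else:
        rev = ".".join(reversed(addr.exploded.replace(":", "")))  # 32 nibbles
    return f"{rev}.{zone}"


# Constructed stand-in for DNS: a listed address has an A record in
# 127.0.0.0/8; an absent key stands for NXDOMAIN (not listed).
STUB_DNS = {
    "10.113.0.203.rbl-one.example": "127.0.0.2",
}
STUB_DNS[rbl_query_name("2001:db8::1", "rbl-one.example")] = "127.0.0.3"

LISTED = ipaddress.ip_network("127.0.0.0/8")


def rbl_lookup(ip: str, zones, resolve=STUB_DNS.get):
    """Query each zone in order; return (zone, answer) for the first hit,
    or None if no list knows the address. 'resolve' maps a query name to
    its A answer (or None) so a real resolver can be substituted."""
    for zone in zones:
        answer = resolve(rbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in LISTED:
            return zone, answer
    return None


if __name__ == "__main__":
    zones = ["rbl-two.example", "rbl-one.example"]
    for ip in ("203.0.113.10", "203.0.113.99", "2001:db8::1"):
        print(ip, rbl_lookup(ip, zones))
```

Two practitioner points: the address queried must be the TCP peer of the SMTP connection, not an address taken from a Received header, since the latter is attacker-controlled; and the exact 127.0.0.x value returned has a list-specific meaning (some lists also use 127.255.255.x to signal query errors), so the answer should be mapped per list rather than treated as a plain yes.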
The Address Group page displays a list of all the default and custom groups and provides options to add a new group, update the parameters, import addresses in the existing group, or delete the group. You can sort the list based on address group name.
Add Address Group
1. Go to Protect > Email > Address Group and click Add.
2. Enter a name and description.
3. Group Type: Select to add email addresses or domains to the address group.
Available Options:
RBL (IPv4) or RBL (IPv6):
Select to add RBLs of IPv4 or IPv6 addresses or domain names.
If the connecting IP address is found on the RBL, the device takes the action specified by the relevant policy.
Email Address/Domain:
Select to add the email address or domain name.
Import: Select to upload a CSV or text file.
Manual: Select to add individual email addresses or domains.
Note:
• You can import a maximum of 400 email addresses or domains in a single file.
• Invalid and duplicate entries are not imported.
Figure 243: Address Group
4. Click Save.
File Types
A file type is a classification that is determined by file extension and MIME header. You can include file types in web policies to control access to files that match the specified criteria. The default file types contain some common criteria and you can create additional types.
Using File Types with Policy Rules
You can create file types to control access to files on a more granular level. For example, you may want to allow access to SQL files but deny access to all other database files. In this case, you would create a file type for SQL files and a policy that specifies the following rules in the following order:
1. Allow access to SQL files
2. Block access to all database files
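The following Python is an added example, not Sophos code, of the first-match evaluation the two-rule example relies on. The file type definitions are constructed, and treating a file as matching a type when either its extension or its MIME header matches is an assumption; the page says only that both criteria determine a file type.

```python
import os

# Constructed file types: each has an extension set and a MIME set.
FILE_TYPES = {
    "SQL files": {
        "ext": {"sql"},
        "mime": {"application/sql", "text/x-sql"},
    },
    "Database files": {
        "ext": {"sql", "mdb", "accdb", "db", "sqlite"},
        "mime": {"application/sql", "text/x-sql",
                 "application/x-msaccess", "application/vnd.sqlite3"},
    },
}


def matches(file_type: str, filename: str, mime) -> bool:
    """A file belongs to a type when its extension OR its MIME header is
    in the type's criteria (assumed semantics)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ft = FILE_TYPES[file_type]
    return ext in ft["ext"] or (mime or "").lower() in ft["mime"]


def evaluate(rules, filename: str, mime, default="allow"):
    """First matching rule wins, so rule order decides the outcome: the
    guide's example puts 'allow SQL files' before 'block Database files'."""
    for action, file_type in rules:
        if matches(file_type, filename, mime):
            return action, file_type
    return default, None


# The guide's ordering: allow SQL files, then block all database files.
RULES = [("allow", "SQL files"), ("block", "Database files")]

if __name__ == "__main__":
    for fn, mt in [("schema.sql", "application/sql"),
                   ("crm.mdb", "application/x-msaccess"),
                   ("download.bin", "application/vnd.sqlite3"),
                   ("notes.txt", "text/plain")]:
        print(fn, mt, evaluate(RULES, fn, mt))
```

Reversing the two rules blocks schema.sql as well, because "SQL files" is a subset of "Database files" and the broader block rule now matches first; download.bin shows a file that escapes the extension criterion but is still caught by its MIME header.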
Add File Type
1. Go to Protect > Web > File Type and click Add.
2. Type a name.
3. (Optional) Select a template.
You can select from predefined or custom file types. If you do not wish to use a template, choose Blank.
4. Specify the file extension and MIME header.
Figure 244: Add File Type
Quarantine Digest
Quarantine Digest is available only in Sophos Firewall XG105, Cyberoam CR25iNG, Sophos UTM SG105, and higher models.
This feature requires a subscription. It can be configured but cannot be enforced without a valid Email Protection subscription.
Quarantine Digest allows you to set the frequency at which the digest email is sent to the user. You can enable or disable user access to quarantined emails on the user portal. You can also enable quarantine digest for all users or to specific users and groups.
Quarantine Digest provides the date and time of message receipt, sender and recipient's email addresses and subject of the message.
Quarantine Digest Settings for All Users
1. Go to Protect > Email > Quarantine Digest.
2. Select Enable Quarantine Digest to email the digest to all users.
a. Set the Email Frequency of the digest. Set the interval, time, and day of week, based on the selection.
b. In the From Email Address box, enter the address from which the email is to be sent.
c. In the Display Name box, specify the name of the quarantine digest sender.
d. Click Send Test Email. Enter the To Email Address and click Send.
e. To set the IP address of the user portal, select the Reference User Portal IP from the list.
Note: Users located behind the selected port can click the "My Account" link in the digest email to gain access to quarantined emails on the user portal. Others can access the user portal by typing https://<IP Address of SF Device> in the browser.
Example: If Port1 is selected as the Reference User Portal IP, only users located behind Port1 will be redirected to the user portal when they click on "My Account".
3. Click Apply.
Override Quarantine Digest Settings for Specific Users
1. Go to Protect > Email > Quarantine Digest.
2. Click Change User's Quarantine Digest Settings, to apply the settings to specific users or groups.