Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
Additional Information on Static URL Hardening and Form Hardening
It is best practice always to enable both static URL hardening and form hardening. These two functions are complementary, especially in the way that they prevent the issues you may have if you enable just one of them:
• Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSs), e.g. http://example.com/?view=article&id=1, such page requests are blocked by form hardening because it expects a signature, which is missing.
• Only static URL hardening is activated: When a web browser appends form data to the action URL of the form tag of a web form (which is the case with GET requests), the form data becomes part of the request URL sent to the web server, thereby rendering the URL signature invalid.
Activating both functions resolves those issues, because if either form hardening or static URL hardening considers a request to be valid, the Web Application Protection accepts the request.
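The following added example is a simplified model of the two cases above and of the "either one is enough" decision. It is not Sophos code: the HMAC construction, the secret, what each signature covers and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

SECRET = b"constructed-demo-key"  # assumption: secret known only to the WAF


def _mac(data):
    return hmac.new(SECRET, data.encode(), hashlib.sha256).hexdigest()


def sign_url(url):
    """Static URL hardening (model): covers path and query of a link as served."""
    p = urlsplit(url)
    return _mac("url|" + p.path + "?" + p.query)


def sign_form(action, field_names):
    """Form hardening (model): covers the form's action path and field names."""
    return _mac("form|" + urlsplit(action).path + "|" + ",".join(sorted(field_names)))


def url_ok(request_url, sig):
    return sig is not None and hmac.compare_digest(sig, sign_url(request_url))


def form_ok(request_url, sig):
    p = urlsplit(request_url)
    names = [k for k, _ in parse_qsl(p.query, keep_blank_values=True)]
    if not names:  # assumption: requests without parameters carry no form data
        return True
    return sig is not None and hmac.compare_digest(sig, sign_form(p.path, names))


def waf_accepts(request_url, url_sig=None, form_sig=None, url_on=True, form_on=True):
    """Accept when any enabled hardening function considers the request valid."""
    verdicts = []
    if url_on:
        verdicts.append(url_ok(request_url, url_sig))
    if form_on:
        verdicts.append(form_ok(request_url, form_sig))
    return any(verdicts) if verdicts else True


# Constructed requests mirroring the two cases described above.
CMS_LINK = "http://example.com/?view=article&id=1"
CMS_SIG = sign_url(CMS_LINK)              # link was signed when served
FORM_ACTION = "http://example.com/search"
FORM_URL_SIG = sign_url(FORM_ACTION)      # action URL signed without a query
FORM_SIG = sign_form(FORM_ACTION, ["q"])  # form signed with its field list
GET_SUBMIT = FORM_ACTION + "?q=firewall"  # browser appended the form data
```

With only one function enabled, the CMS link or the GET submission is rejected; with both enabled, each is accepted by the function that can still verify it, while a request carrying no valid signature at all is rejected.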
Authentication Policies
The Authentication Policies menu allows you to configure policies for direct authentication.
You can use the Web Application Firewall (WAF) to authenticate users immediately instead of leaving the authentication to the web servers. Via authentication profiles, reverse authentication can be used to assign specific authentication settings to each site path route.
Note: You can also view and manage the WAF status on the System > Hosts and Services > Services page.
This page displays all existing web application authentication profiles. For each authentication policy, the list shows:
Name
Name of the authentication policy.
Add Authentication Policy
This page describes how to add a web app authentication policy.
1. Go to Protect > Web Server > Authentication Policies and click Add.
2. Enter a unique Name for the authentication profile.
3. Enter a Description for the authentication policy.
4. Specify the Client Authentication details.
Mode
Select how the users should authenticate at the Web Application Firewall.
• Basic: Users authenticate with HTTP basic authentication, entering username and password. In this mode, no session cookies will be generated and a dedicated logout is not possible.
Note: As the credentials are sent unencrypted in this mode, we strongly recommend that you use this mode over HTTPS.
• Form: Users will be presented with a form where they have to enter their credentials. In this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Web App Auth Template list. Besides the default form template,
the list shows the forms that have been defined on the
page
Basic Prompt (available only if Basic mode is selected)
The realm is a unique string that provides additional information on the login page and is used for user orientation.
Note: These characters are allowed for the Basic Prompt: A-Z a-z 0-9 , ; . : - _ ' + = ) ( & % $ ! ^ < > | @
Web App Auth Template (available only if Form mode is selected)
Select the form template that will be presented to the users for authentication. Form templates are defined on the
Users or Groups
Select the users or user groups that should be assigned to this web app authentication profile or create a new one. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group.
You can create a new user directly from this page or from the Configure > Authentication > Users page.
You can create a new group directly from this page or from the Configure > Authentication > Groups page.
Note: Sometimes users should be required to use the user principal name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers.
5. Specify the Authentication Forwarding details.
Mode
Select how the Web Application Firewall authenticates against the web servers. The mode has to match the web servers' authentication settings.
• Basic: Authentication works with HTTP basic authentication, providing username and password.
• None: There is no authentication between WAF and the web servers. Note that even if your web servers do not support authentication, users will be authenticated via the frontend mode.
Username affix (available only if authentication forwarding mode Basic is selected)
Select the type of affix for the username and specify a value for it. Affixes are useful when working with domains and email addresses.
• None
• Prefix
• Suffix
• Prefix & Suffix
Note: Prefix and suffix will be added automatically if the user only enters his username. Prefix and suffix will not be added if the user enters them. Example: If the suffix is @testdomain.de and the user only enters the username test.user, the suffix @testdomain.de will be added. If the user enters test.user@testdomain.de, the suffix will be ignored.
Remove Basic Header (available only if authentication forwarding mode None is selected)
Enable this if you do not want to send the basic header from Sophos XG Firewall to the web server.
6. Specify the User Session details (available only if client authentication mode Form is selected).
Session Timeout
Enable to set a timeout for the user session, which will confirm the user's credentials by requiring the user to log in again if he does not perform any action.
Default: ON
Limit to (available only if Session Timeout is selected)
Set an interval for the session timeout.
Default: 5 minutes.
Session Lifetime
Enable to limit the time users may remain logged in, regardless of the activity in the meantime.
Default: ON
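The username affix rule from step 5 and the Basic mode note about unencrypted credentials can be seen together in the following added example. It is not Sophos code: the function names and the password are constructed, and the exact, case-sensitive comparison of the affix is an assumption.

```python
import base64


def apply_affix(username, mode="None", prefix="", suffix=""):
    """Add the configured prefix/suffix only when the user did not type it.

    mode mirrors the Username affix options: None, Prefix, Suffix, Prefix & Suffix.
    Assumption: the comparison is exact and case-sensitive.
    """
    if mode in ("Prefix", "Prefix & Suffix") and prefix and not username.startswith(prefix):
        username = prefix + username
    if mode in ("Suffix", "Prefix & Suffix") and suffix and not username.endswith(suffix):
        username = username + suffix
    return username


def forwarded_basic_header(username, password, **affix):
    """Authorization header value sent to the web server in forwarding mode Basic."""
    creds = f"{apply_affix(username, **affix)}:{password}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def decode_basic_header(value):
    """Recover the credentials from a Basic header: Base64 is encoding, not encryption."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


# Constructed sample values; the suffix and username follow the example in the note.
SUFFIX = "@testdomain.de"
HEADER = forwarded_basic_header("test.user", "constructed-pw", mode="Suffix", suffix=SUFFIX)
```

Decoding `HEADER` returns the affixed username and the password in clear text, which is why Basic mode should only be used over HTTPS.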
Key Features
- Firewall rules
- Web filtering
- Intrusion prevention
- VPN
- Wireless management
- Email security
- Advanced threat protection