Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
4. Specify the Advanced Settings.
Disconnect when tunnel is idle
Click to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.
Idle session time interval (available only if Disconnect when tunnel is idle option is enabled)
Specify the time limit after which an idle VPN session will be deleted by the device.
Acceptable Range: 120 to 999
Apply
Click to accept and save the Cisco VPN client configuration.
Export Connection (available only if a Cisco VPN connection is configured)
Click to export Cisco VPN client configuration.
Once the .tgb file has been exported, it has to be passed to the client.
On the client side, the client needs the Sophos IPsec client to import the .tgb file and establish a connection to Sophos XG Firewall.
The Sophos IPsec VPN client may be downloaded from https://www.sophos.com/en-us/support/utmdownloads.aspx.
Note: You cannot export the connection when an external certificate is selected as Remote Certificate.
Reset
Click to delete the entire Cisco VPN client configuration.
| Configure | 281
Figure 286: Advanced Settings
L2TP (Remote Access)
The L2TP Connections page displays a list of all the L2TP connections and you can sort the list based on the connection name. The page also provides the option to add a new connection, update existing connections, or delete a connection. The page displays the status of each connection (shown as status icons in the Connection Status and Active Connection columns of the original table) as follows:
• Connection is active but not connected. Click to initiate the connection.
• Connection is active and connected. Click to disconnect the connection. When you disconnect, the connection will be deactivated; to re-establish the connection, click again to activate the connection.
• Connection is inactive. Click to activate the connection.
Add L2TP Connection
This page describes how to create an L2TP connection.
1. Go to Configure > VPN > L2TP (Remote Access) and click Add.
2. Specify the General Settings.
Name
Enter a unique name for the L2TP connection.
Description
Enter a description for the L2TP connection.
Policy
Select a policy to be used for the connection.
A new policy can be added by clicking Create New.
Action on VPN Restart
Select the action to be taken on the connection when VPN services or the device restart.
Available Options:
• Respond Only – Keeps the connection ready to respond to any incoming request.
• Disable – Keeps the connection disabled until the user activates it.
Figure 287: General Settings
3. Specify the Authentication Details.
Authentication Type
Select the authentication type. Authentication of the user depends on the type of connection.
Available Options:
• Preshared Key – Preshared key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption. On selecting this option, the user has to provide the following details:
• Preshared Key – Specify the preshared key to be used. The preshared key should be of minimum 5 characters.
• Confirm Preshared Key – Provide the same preshared key to confirm it.
This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate – Digital certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by the certificate authority. Both sender and receiver must have each other’s certificate authority.
• Local Certificate – Select the local certificate that should be used for authentication by the device.
• Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.
Figure 288: Authentication Details
4. Specify the Local Network Details.
Local WAN Port
Specify the local port number that the local VPN peer uses to transport traffic related to TCP or UDP protocol.
Acceptable range: 1 to 65535
To specify any local port, enter *.
Local ID (available only if Authentication Type selected is Preshared Key)
Select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.
If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the Local Certificate.
Figure 289: Local Network Details
5. Specify the Remote Network Details.
Remote Host
Specify the IP address or hostname of the remote end-point. Specify * for any IP address.
Allow NAT Traversal
Enable NAT traversal if a NAT device is located between your VPN endpoints i.e. when the remote peer has a private/non-routable IP address.
At a time only one connection can be established behind one NAT-box.
Remote LAN Network
Select the IP address and netmask of the remote network which is allowed to connect to the device server through a VPN tunnel. Multiple subnets can be specified. Select IP hosts from the list of IP hosts available on the Admin console.
You can also add a new IP host by clicking Create New or on System > Hosts and Services > IP Host.
Remote ID
Select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.
Figure 290: Remote Network Details
6. Specify the Quick Mode Selectors.
Local Port
Specify the local port number that the local VPN peer uses to transport the traffic related to TCP or UDP protocol.
Default: 1701
Acceptable range: 1 to 65535
To specify any local port, enter *.
Remote Port
Specify the remote port number that the remote VPN peer uses to transport the traffic related to TCP or UDP protocol.
Default: *
Acceptable range: 1 to 65535
To specify any remote port, enter *.
Figure 291: Quick Mode Selectors
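The acceptance rules scattered through steps 2 to 6 above (and the 120 to 999 second idle interval from the Cisco VPN client Advanced Settings earlier on the page) are easy to get wrong when connections are provisioned from a script rather than the Admin console. The following Python validator is an added example, not Sophos code and not part of the XG Firewall API; the L2TPConnection field names, the helper functions and the two sample configurations are constructed here for illustration. It checks a candidate configuration against exactly the constraints the page states and, as a small extension beyond the text, shows how a Quick Mode selector with the * wildcard decides whether a given local/remote port pair is covered by the connection.

```python
"""Validator for L2TP (Remote Access) settings as documented on this page.

Added example (hypothetical field names), not Sophos code. Rules encoded:
- Local WAN Port, Local Port, Remote Port: 1-65535 or the wildcard '*'
- Preshared Key: at least 5 characters, Confirm Preshared Key must match
- DER ASN1 DN (X.509) IDs cannot be used with Preshared Key authentication
- Digital Certificate: Local Certificate and Remote Certificate are required
- Idle session time interval: 120-999, only meaningful when
  'Disconnect when tunnel is idle' is enabled
"""
from dataclasses import dataclass
from typing import List, Optional, Union

PortSpec = Union[int, str]  # 1..65535, or '*' for any port

# ID types offered by the Local ID / Remote ID drop-downs on the page
ID_TYPES = {"DNS", "IP Address", "DER ASN1 DN (X.509)"}
PSK_FORBIDDEN_ID = "DER ASN1 DN (X.509)"


@dataclass
class L2TPConnection:
    """One L2TP connection as entered in the Add L2TP Connection form."""
    name: str
    auth_type: str                       # "Preshared Key" or "Digital Certificate"
    preshared_key: Optional[str] = None
    confirm_key: Optional[str] = None
    local_cert: Optional[str] = None
    remote_cert: Optional[str] = None
    local_id_type: Optional[str] = None
    remote_id_type: Optional[str] = None
    local_wan_port: PortSpec = "*"
    local_port: PortSpec = 1701          # page default for Quick Mode Local Port
    remote_port: PortSpec = "*"          # page default for Quick Mode Remote Port
    disconnect_when_idle: bool = False
    idle_interval: Optional[int] = None  # seconds, 120-999 when enabled


def check_port(value: PortSpec, label: str) -> List[str]:
    """Return an error for anything outside 1-65535 that is not the '*' wildcard."""
    if value == "*":
        return []
    if isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 65535:
        return []
    return [f"{label}: must be 1-65535 or '*', got {value!r}"]


def validate(conn: L2TPConnection) -> List[str]:
    """Collect every rule violation; an empty list means the form would be accepted."""
    errors: List[str] = []
    if not conn.name.strip():
        errors.append("Name: a unique name is required")

    id_fields = (("Local ID", conn.local_id_type), ("Remote ID", conn.remote_id_type))
    for label, id_type in id_fields:
        if id_type is not None and id_type not in ID_TYPES:
            errors.append(f"{label}: unknown ID type {id_type!r}")

    if conn.auth_type == "Preshared Key":
        key = conn.preshared_key or ""
        if len(key) < 5:
            errors.append("Preshared Key: must be at least 5 characters")
        if key != (conn.confirm_key or ""):
            errors.append("Confirm Preshared Key: does not match Preshared Key")
        for label, id_type in id_fields:
            if id_type == PSK_FORBIDDEN_ID:
                errors.append(f"{label}: {PSK_FORBIDDEN_ID} cannot be used with Preshared Key authentication")
    elif conn.auth_type == "Digital Certificate":
        if not conn.local_cert:
            errors.append("Local Certificate: required for Digital Certificate authentication")
        if not conn.remote_cert:
            errors.append("Remote Certificate: required for Digital Certificate authentication")
    else:
        errors.append(f"Authentication Type: unknown value {conn.auth_type!r}")

    errors += check_port(conn.local_wan_port, "Local WAN Port")
    errors += check_port(conn.local_port, "Local Port")
    errors += check_port(conn.remote_port, "Remote Port")

    if conn.disconnect_when_idle and (
        conn.idle_interval is None or not 120 <= conn.idle_interval <= 999
    ):
        errors.append("Idle session time interval: must be 120-999 seconds")
    return errors


def selector_matches(conn: L2TPConnection, local_port: int, remote_port: int) -> bool:
    """Quick Mode selector check: '*' covers any port, a number covers only itself."""
    return all(
        spec == "*" or spec == port
        for spec, port in ((conn.local_port, local_port), (conn.remote_port, remote_port))
    )


# Constructed sample configurations (not from the manual).
GOOD = L2TPConnection(name="road-warriors", auth_type="Preshared Key",
                      preshared_key="correct horse", confirm_key="correct horse",
                      local_id_type="IP Address", remote_id_type="DNS",
                      disconnect_when_idle=True, idle_interval=300)

BAD = L2TPConnection(name="broken", auth_type="Preshared Key",
                     preshared_key="abc", confirm_key="abcd",
                     local_id_type="DER ASN1 DN (X.509)",
                     local_wan_port=70000,
                     disconnect_when_idle=True, idle_interval=60)

if __name__ == "__main__":
    for label, conn in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate(conn) or "OK")
```

Running the block prints an empty result for GOOD and five violations for BAD (short key, mismatched confirmation, the X.509 DN with a preshared key, an out-of-range WAN port, and an idle interval below 120). The same function can be run before pushing a batch of connections so that a mis-typed port or an unsupported ID type is caught before the form is ever submitted.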
7. Specify the Advanced Settings.
Disconnect when tunnel is idle
Click this option to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.
Table of contents
- 7 What's New in this Release
- 9 Introduction
- 9 Flavors
- 9 Administrative Interfaces
- 10 Administrative Access
- 10 Using Admin Console
- 12 Supported Browsers
- 12 Menus
- 13 Pages
- 14 List Navigation Controls
- 14 Monitor and Analyze
- 14 Control Center
- 21 Current Activities
- 21 Live Users
- 22 Live Connections
- 24 Live Connections IPv
- 26 View Live Connection Details
- 30 IPsec Connections
- 30 Remote Users
- 30 Diagnostics
- 31 Tools
- 34 System Graphs
- 39 URL Category Lookup
- 40 Packet Capture
- 45 Connection List
- 49 Support Access
- 50 Protect
- 50 Firewall
- 52 User / Network Rule
- 64 Business Application Rule
- 119 Intrusion Prevention
- 119 DoS Attacks
- 120 IPS Policies
- 125 Custom IPS Signatures
- 126 DoS & Spoof Prevention
- 136 Policies
- 139 User Activities
- 140 Categories
- 142 URL Groups
- 142 Exceptions
- 143 Protection
- 145 Advanced
- 146 File Types
- 146 Surfing Quotas
- 149 User Notifications
- 149 Applications
- 149 Application List
- 150 Application Filter
- 153 Traffic Shaping Default
- 154 Wireless
- 154 Wireless Client List
- 154 Wireless Networks
- 158 Access Point Overview
- 164 Access Point Groups
- 165 Mesh Networks
- 168 Hotspots
- 177 Hotspot Voucher Definition
- 178 Rogue AP Scan
- 180 Wireless Settings
- 181 Hotspot Settings
- 182 Email
- 183 MTA Mode
- 209 Legacy Mode
- 236 Web Server
- 236 Web Servers
- 238 Protection Policies
- 242 Authentication Policies
- 244 Authentication Templates
- 245 SlowHTTP Protection
- 246 Advanced Threat
- 246 Advanced Threat Protection
- 247 Security Heartbeat
- 249 Sandstorm Activity
- 250 Sandstorm Settings
- 250 Configure
- 251 IPsec Connections
- 273 SSL VPN (Remote Access)
- 275 SSL VPN (Site to Site)
- 278 VPN Client
- 281 L2TP (Remote Access)
- 285 Clientless Access
- 285 Bookmarks
- 287 Bookmark Groups
- 287 PPTP (Remote Access)
- 289 IPsec Profiles
- 295 SSL VPN
- 299 Network
- 299 Interfaces
- 328 Zones
- 331 WAN Link Manager
- 348 IPv6 Router Advertisement
- 351 Cellular WAN
- 353 IP Tunnels
- 355 Neighbors (ARP-NDP)
- 358 Dynamic DNS
- 360 Routing
- 361 Static Routing
- 364 Policy Routing
- 366 Gateways
- 374 Information
- 387 Upstream Proxy
- 389 Multicast (PIM-SIM)
- 394 Authentication
- 395 Servers
- 404 Services
- 412 Groups
- 416 Users
- 423 One-Time Password
- 426 Captive Portal
- 429 Guest Users
- 435 Clientless Users
- 438 Guest User Settings
- 443 Client Downloads
- 445 System Services
- 446 High Availability
- 453 Traffic Shaping Settings
- 456 Log Settings
- 462 Data Anonymization
- 465 Traffic Shaping
- 469 Services
- 470 System
- 470 Profiles
- 471 Schedule
- 473 Access Time
- 475 Surfing Quotas
- 478 Network Traffic Quota
- 482 Network Address Translation
- 482 Device Access
- 484 Hosts and Services
- 485 IP Host
- 486 IP Host Group
- 487 MAC Host
- 488 FQDN Host
- 489 FQDN Host Group
- 489 Country Group
- 490 Services
- 491 Service Group
- 492 Administration
- 493 Licensing
- 494 Device Access
- 497 Admin Settings
- 500 Central Management
- 501 Notification Settings
- 503 Netflow
- 503 Messages
- 506 Backup & Firmware
- 509 Import Export
- 510 Firmware
- 512 Pattern Updates
- 514 Certificates
- 516 Certificate Authorities
- 517 Certificate Revocation Lists
- 518 Appendix A - Logs
- 518 Log Viewer
- 519 View List of System Events
- 520 View List of Web Filter Events
- 521 View List of Application Filter Events
- 522 View List of Malware Events
- 523 View List of Email Events
- 524 View List of Firewall Events
- 525 View List of IPS Events
- 526 View List of Authentication Events
- 527 View List of Admin Events
- 527 View List of Web Server Protection (WAF) Events
- 528 View List of Advanced Threat Protection Events
- 529 View List of Security Heartbeat Events
- 530 Log ID Structure
- 530 Log Type
- 531 Log Component
- 533 Log Subtype
- 534 Priority
- 534 Common Fields for all Logs
- 535 System Logs
- 544 Web Filter Logs
- 545 Module-specific Fields
- 545 Application Filter Logs
- 546 Module-specific Fields
- 547 Malware Logs
- 547 Module-specific Fields
- 549 Email Logs
- 550 Module-specific Fields
- 551 Firewall Rule Logs
- 552 Module-specific Fields
- 554 IPS Logs
- 555 Module-specific Fields
- 557 Authentication Logs
- 558 Module-specific Fields
- 558 Admin Logs
- 559 Module-specific Fields
- 559 Sandbox Report Logs
- 560 Web Application Firewall (WAF) Logs
- 561 Advanced Threat Protection (ATP) Logs
- 561 Heartbeat Logs
- 562 System Health Logs
- 562 Appendix B - IPS - Custom Pattern Syntax
- 569 Appendix C - Default File Type Categories
- 573 Appendix D - Supported Micro-Apps
- 576 Appendix E - USB Compatibility List
- 626 Appendix F - Compatibility with SFMOS
- 627 Appendix G - Additional Documents
- 627 Copyright Notice