Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
| Configure | 289
The Add PPTP Member page allows you to select users who are to be allowed remote access through PPTP.
1. Go to Configure > VPN > PPTP (Remote Access) and click Add Member(s) to add users or user groups. A new window is displayed showing a list of users and user groups.
2. Select users or user groups who are to be allowed remote access through PPTP. You can add a single or multiple users or user groups.
3. Click Apply to add these users and user groups to the PPTP members list.
PPTP Members
The PPTP Members page allows you to view the list of PPTP members and remove members for whom remote access through PPTP is to be disabled.
1. Go to Configure > VPN > PPTP (Remote Access) and click Show Members to view a list of PPTP members. A new window is displayed showing a list of PPTP users who are allowed access through the PPTP connection.
2. Select the users for whom you want to disable PPTP access. You can select multiple users or user groups.
3. Click Delete.
IPsec Profiles
The IPsec Profiles page displays a list of all preconfigured and custom IPsec policies.
A policy describes the security parameters used for negotiations to establish and maintain a secure tunnel between two peers.
Before you set up your secure tunnels, to make their configuration faster and easier, you can create VPN policies that work on a global level. Rather than configuring the policy parameters for every tunnel you create, you can configure general policies and then later apply them to your secure tunnels.
Click Show Configuration to show all configuration tabs.
Authentication mode
To ensure secure communication, there are two phases to every IKE (Internet Key Exchange) negotiation: Phase 1 (Authentication) and Phase 2 (Key exchange).
The Phase 1 negotiation establishes a secure channel between the peers and determines a specific set of cryptographic protocols, exchanges shared secret keys, and agrees the encryption and authentication algorithms that will be used for generating keys.
The Phase 2 negotiation establishes a secure channel between the peers to protect data. During the Phase 2 negotiation, the security association for the tunnel is established. Either peer can initiate a Phase 1 or Phase 2 renegotiation at any time, and both can specify the intervals after which to renegotiate.
Key life
The lifetime of a key is specified as the key life.
Once the connection is established after the authenticated and encrypted key exchange, the connection is not dropped until the key life expires. If the key life of the two peers is not the same, renegotiation takes place whenever the key life of either peer is over. This means an intruder has to decrypt only one key to break into your system.
Key generation and key rotation are important because the longer the life of the key, the larger the amount of data at risk, and the easier it becomes to intercept more ciphertext for analysis.
Perfect Forward Secrecy (PFS)
It becomes difficult for a network intruder to get the big picture if the keys keep changing and they have to crack a new key for every negotiation. This is achieved by implementing PFS. When PFS is selected, a new key is generated for every negotiation and a new DH key exchange is included, so every time the intruder has to break yet another key even if they already know the previous one. This enhances security.
Diffie-Hellman (DH) Group (IKE group)
Diffie-Hellman is a public-key cryptography scheme that allows peers to establish a shared secret over an insecure communications channel. The Diffie-Hellman key exchange uses a complex algorithm together with public and private keys to encrypt and then decrypt the data.
The Diffie-Hellman group describes the key length used in the exchange. The group number is also termed the identifier.
| DH Group | Key length (bits) |
| --- | --- |
| 1 | 768 |
| 2 | 1024 |
| 5 | 1536 |
| 14 | 2048 |
| 15 | 3072 |
| 16 | 4096 |
If mismatched groups are specified on each peer, negotiation fails. The group cannot be switched during the negotiation.
Re-key Margin
Time before the next key is exchanged. The time is calculated by subtracting the time elapsed since the last key exchange from the key life. By setting Re-keying to ‘Yes’, the negotiation process starts automatically before key expiry without interrupting service.
Dead Peer Detection settings
Use these settings to check whether the device is able to reach the peer's IP address. Set the time interval after which the status of the peer is to be checked and the action to take if the peer is not alive.
Tunnel Negotiation
The negotiation process starts to establish the connection when the local or remote peer wants to communicate with the other. Depending on the connection parameters defined, the key used for negotiation is generated. The lifetime of the key is specified as the key life. Once the connection is established, it stays active and data can be transferred up to the specified key life. The connection is closed/deactivated once the key expires.
If the connection is to be activated again, the entire negotiation process must be started all over again. The negotiation process can be restarted automatically by either the local or remote peer only if Allow Re-keying is set to ‘Yes’.
Set the re-keying time in terms of the remaining key life at which negotiation is to be started automatically, without interrupting the communication, before key expiry. For example, if the key life is 8 hours and the Re-key margin is 10 minutes, then the negotiation process will automatically start after 7 hours 50 minutes of key usage.
The negotiation process will generate a new key only if Perfect Forward Secrecy (PFS) is set to ‘Yes’. PFS generates a new key from scratch, so there is no dependency between the old and new key.
| Re-keying | Result |
| --- | --- |
| Yes | Both the local and remote peer will be able to initiate a request for connection. Depending on PFS, the negotiation process will use the same key or generate a new key. |
| No | Only the remote peer will be able to initiate a request for connection. Depending on PFS, the negotiation process will use the same key or generate a new key. |
Device provides 5 default policies and you can also create a custom policy to meet your organization’s requirement.
To make VPN connection configuration an easy task, following five preconfigured VPN policies are included for the frequently used VPN deployment scenarios:
• Road warrior
• L2TP
• Head office connectivity
• Branch office connectivity
• Default
The page also provides options to add a new policy, update the parameters of an existing policy, or delete a policy. Instead of creating a policy from scratch, you can also create a new policy based on an existing one by duplicating its parameters.
Duplicate - Click the icon in the Manage column against the VPN Policy to be duplicated. The Add VPN Policy window is displayed which has the same values for parameters as the existing policy. Click OK to add a new policy with modification in values for parameters.
Note: The default policy can be updated but cannot be deleted.
Create a New IPsec Policy
This page describes how to quickly configure a new IPsec policy.
The Add IPsec Policy menu allows you to manually enter details to add an IPsec policy.
1. Go to Configure > VPN > IPsec Profiles and click Add.
2. Specify the General Settings details.
Name
Enter a unique name for the IPsec policy.
Description
Enter a description for the IPsec policy.
Allow Re-keying
Enable Re-Keying to start the negotiation process automatically before key expiry. The process will start automatically at the time specified in the re-key margin.
If enabled, the negotiation process can be initiated by either the local or the remote peer. Depending on PFS, the negotiation process will use the same key or generate a new key.
Key Negotiation Tries
Specify maximum key negotiation trials allowed. Set 0 for an unlimited number of trials.
Authentication Mode
Select an authentication mode. It is used for exchanging authentication information.
Available Options:
• Main Mode - Consists of 6 messages. It processes and validates the Diffie-Hellman exchange in 3 round trips.
• Aggressive Mode - Consists of 3 messages. With Aggressive Mode, a tunnel can be established faster than with Main Mode, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use Aggressive Mode when the remote peer has a dynamic IP address.
Depending on the Authentication Mode, the phase 1 parameters are exchanged for authentication purposes.
In Main Mode, the phase 1 parameters are exchanged in multiple rounds with encrypted authentication information, while in Aggressive Mode the phase 1 parameters are exchanged in single messages without encrypted information.
Pass Data In Compressed Format
Enable to pass data in compressed format to increase throughput.
Figure 296: General Settings
3. Specify the Phase 1 details.
Encryption Algorithm
Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.
Supported Encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.
Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm.
TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm
Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 1.
Maximum three combinations of encryption and authentication algorithms can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click the icon to add more than one combination of encryption and authentication algorithms.
Default: MD5
Note: We strongly recommend using AES and SHA2 256 to reduce potential vulnerability.
DH Group (Key Group)
Select one Diffie-Hellman Group from 1, 2, 5, 14, 15 or 16. DH Group specifies the key length used for encryption.
• DH Group 1 uses 768-bit encryption
• DH Group 2 uses 1024-bit encryption
• DH Group 5 uses 1536-bit encryption
• DH Group 14 uses 2048-bit encryption
• DH Group 15 uses 3072-bit encryption
• DH Group 16 uses 4096-bit encryption
The remote peer must be configured to use the same group. If mismatched groups are specified on each peer, negotiation fails.
Key Life
Specify the key life in terms of seconds. Key life is the amount of time that will be allowed to pass before the key expires.
Default: 3600 seconds
Re-Key Margin
Specify the re-key margin. Set time in terms of the remaining key life. Re-key margin is the time when the negotiation process should be started automatically without interrupting the communication before the key expiry.
For example, if Key Life is 8 hours and Re-key Margin is 10 minutes then negotiation process will automatically start after 7 hours 50 minutes usage of key life.
Default: 120 seconds
Randomize Re-Keying Margin By
Specify the randomize re-keying time.
For example, if Key Life is 8 hours, Re-Key Margin is 10 minutes and Randomize Re-Keying time is 20% then the re-key margin will be 8 to 12 minutes and negotiation process will start automatically 8 minutes before the key expiry and will try up to 2 minutes after key expiry.
Default: 0%
Dead Peer Detection
Enable to check at regular interval whether peer is live or not.
Default: Enabled
Check Peer After Every (only if the Dead Peer Detection option is enabled)
Specify time after which the peer should be checked for its status. Once the connection is established, peer which initiated the connection checks whether another peer is live or not.
Default: 30 seconds
Wait For Response Upto (only if the Dead Peer Detection option is enabled)
Specify till what time (seconds) initiated peer should wait for the status response. If the response is not received within the specified time, the peer is considered to be inactive.
Default: 120 seconds
Action When Peer Unreachable (only if the Dead Peer Detection option is enabled)
Specify what action should be taken if peer is not active.
Available Options:
• Hold - Holds the connection
• Disconnect - Closes the connection
• Re-initiate - Re-establishes the connection
Default: Disconnect
Figure 297: Phase 1
4. Specify the Phase 2 details.
Encryption Algorithm
Select the encryption algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.
Supported encryption algorithms: DES, 3DES, AES128, AES192, AES256, TwoFish, BlowFish, and Serpent.
3DES – Triple DES is a symmetric strong encryption algorithm that is compliant with the OpenPGP standard. It is the application of DES standard where three keys are used in succession to provide additional security.
AES – Advanced Encryption Standard offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 Bits. This security system supports a number of encryption algorithms.
Serpent – Serpent is a 128-bit block cipher, i.e. data is encrypted and decrypted in 128-bit chunks, with a variable key length of 128, 192, or 256 bits. The Serpent algorithm uses 32 rounds, or iterations, of the main algorithm.
Serpent is faster than DES and more secure than Triple DES.
BlowFish – BlowFish is a symmetric encryption algorithm which uses the same secret key to both encrypt and decrypt messages. It is also a block cipher which divides a message into fixed length blocks during encryption and decryption. It has a 64-bit block size and a key length of anywhere from 32 bits to 448 bits and uses 16 rounds of main algorithm.
TwoFish – TwoFish is a symmetric key block cipher with a block size of 128 bits and key sizes up to 256 bits.
Authentication Algorithm
Select an authentication algorithm that would be used by communicating parties for integrity of exchanged data for phase 2.
Supported Authentication algorithms: MD5, SHA1
Maximum three combinations of encryption and authentication algorithm can be selected. The remote peer must be configured to use at least one of the defined combinations.
Click the icon to add more than one combination of encryption and authentication algorithm.
Default: MD5
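The following is an added example, not Sophos code, that models the profile settings described in the Tunnel Negotiation section and in steps 3 and 4 above: it computes the re-key window from Key Life, Re-Key Margin and Randomize Re-Keying Margin, checks whether two peers' DH group and algorithm combinations can negotiate, and audits a profile against the guide's AES/SHA2 256 recommendation. Class and function names (IPsecPolicy, rekey_window, matching_proposal, audit) and the algorithm labels are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Key length per DH group, exactly as tabulated in the guide.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
# Algorithms the guide's note steers away from (it recommends AES with SHA2 256).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTHENTICATION = {"MD5", "SHA1"}


@dataclass
class IPsecPolicy:
    """Subset of the Add IPsec Policy fields (field names are assumptions)."""
    name: str
    dh_group: int
    key_life: int = 3600          # seconds, guide default
    rekey_margin: int = 120       # seconds, guide default
    randomize_pct: int = 0        # percent, guide default
    allow_rekeying: bool = True
    pfs: bool = True
    # Up to three (encryption, authentication) combinations.
    proposals: List[Tuple[str, str]] = field(
        default_factory=lambda: [("AES256", "SHA2_256")])


def rekey_window(p: IPsecPolicy) -> Optional[Tuple[int, int]]:
    """Seconds of key usage (earliest, latest) at which automatic re-keying starts.
    The margin counts back from key expiry and is widened by +/- randomize_pct;
    with Allow Re-keying off nothing starts automatically, so return None."""
    if not p.allow_rekeying:
        return None
    spread = p.rekey_margin * p.randomize_pct // 100
    return (p.key_life - (p.rekey_margin + spread),
            p.key_life - (p.rekey_margin - spread))


def matching_proposal(local: IPsecPolicy,
                      remote: IPsecPolicy) -> Optional[Tuple[str, str]]:
    """Negotiation succeeds only when both peers use the same DH group and at
    least one local combination is also offered by the remote peer."""
    if local.dh_group != remote.dh_group:
        return None
    offered = set(remote.proposals)
    return next((prop for prop in local.proposals if prop in offered), None)


def audit(p: IPsecPolicy) -> List[str]:
    """Flag settings that fall short of the guide's recommendation (AES, SHA2 256)."""
    findings = []
    if len(p.proposals) > 3:
        findings.append("more than three algorithm combinations configured")
    if DH_GROUP_BITS.get(p.dh_group, 0) < 2048:
        findings.append(f"DH group {p.dh_group} provides less than 2048 bits")
    for enc, auth in p.proposals:
        if enc in WEAK_ENCRYPTION:
            findings.append(f"weak encryption algorithm {enc}")
        if auth in WEAK_AUTHENTICATION:
            findings.append(f"weak authentication algorithm {auth}")
    if not p.pfs:
        findings.append("PFS disabled: re-keying reuses the same key, no fresh DH exchange")
    return findings


if __name__ == "__main__":
    # Constructed sample: the guide's 8 h / 10 min / 20 % worked example.
    head_office = IPsecPolicy("head-office", dh_group=14, key_life=8 * 3600,
                              rekey_margin=600, randomize_pct=20)
    print(rekey_window(head_office))   # (28080, 28320): 12 to 8 minutes before expiry
```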