Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
| Configure | 395
This menu covers the following topics:
• Servers on page 395: Manage external servers for authentication
• Services on page 404: … or the Captive Portal.
• Groups on page 412: Set up policies and assign them to a number of users
• Users on page 416: Manage user accounts for access to the device
• One-Time Password on page 423: Configure the one-time password (OTP) service
• Captive Portal on page 426: Customize the Captive Portal through which users can log in
• Guest Users on page 429: Manage users accessing the device without a user account
• Clientless Users on page 435: Manage user accounts for clientless access
• Guest User Settings on page 438: Configure general parameters to provide secured Internet access for guest users
• Client Downloads on page 443: Download clients for different platforms to interact with the device
Servers
The Authentication Server menu allows the management of databases and backend servers for external user authentication services.
External user authentication enables you to validate user accounts against existing user databases or directory services on other servers of your network.
Authentication services currently supported are:
• Novell's eDirectory
• Microsoft's Active Directory
• RADIUS
• TACACS+
• LDAP
This page displays a list of all existing authentication servers. For each server the list shows:
Name
Displays the name of the authentication server.
IP
Displays the IP address of the authentication server.
Port
Displays the port of the authentication server.
Type
Displays the type of the authentication server.
Domain/Admin
Displays the domain or admin of the authentication server.
Add External Server
This page describes the authentication servers to be added. It covers the following topics:
Active Directory
Active Directory (AD) is Microsoft's implementation of a directory service and is a central component of Windows 2000/2003 servers. It stores information about a broad range of resources residing on a network, including users, groups, computers, printers, applications, services, and any type of user-defined objects. As such it provides the means to centrally organize, manage, and control access to these resources. The Active Directory authentication method allows you to register Sophos XG Firewall at a Windows domain, thus creating an object for Sophos XG Firewall on the primary domain controller (DC). Sophos XG Firewall is then able to query user and group information from the domain.
Note: Sophos XG Firewall supports Active Directory 2003 and newer.
See Add Active Directory Server on page 398.
LDAP
LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking protocol for querying and modifying directory services based on the X.500 standard. Sophos XG Firewall uses the LDAP protocol to authenticate users for several of its services, allowing or denying access based on attributes or group memberships configured on the LDAP server.
RADIUS
RADIUS, the acronym of Remote Authentication Dial In User Service, is a widespread protocol for allowing network devices such as routers to authenticate users against a central database. In addition to user information,
RADIUS can store technical information used by network devices, such as supported protocols, IP addresses, routing information, and so on. This information constitutes a user profile, which is stored in a file or database on the RADIUS server. The RADIUS protocol is very flexible, and servers are available for most operating systems.
The RADIUS implementation on Sophos XG Firewall allows you to configure access rights on the basis of proxies and users. Before you can use RADIUS authentication, you must have a running RADIUS server on the network.
Whereas passwords are encrypted using the RADIUS secret, the username is transmitted in plain text.
TACACS+
TACACS+, the acronym of Terminal Access Controller Access Control System, is a proprietary protocol by Cisco Systems, Inc. and provides detailed accounting information and administrative control over authentication and authorization processes. Whereas RADIUS combines authentication and authorization in a user profile, TACACS+ separates these operations. Another difference is that TACACS+ utilizes the TCP protocol (port 49) while RADIUS uses the UDP protocol.
See Add TACACS+ Server on page 402.
eDirectory
Novell eDirectory is an X.500 compatible directory service for centrally managing access to resources on multiple servers and computers within a given network. eDirectory is a hierarchical, object-oriented database that represents all the assets in an organization in a logical tree. Those assets can include people, servers, workstations, applications, printers, services, groups, and so on.
Add LDAP Server
This page describes how to add an LDAP server.
1. Go to Configure > Authentication > Servers and click Add.
2. As Server Type, select LDAP Server.
3. Specify the LDAP server details:
Server Name
Specify a descriptive name for the LDAP server.
Server IP/Domain
Specify an IP address or domain for the LDAP server.
Port
Specify the port of the LDAP server.
Default: 389
Version
Select the version of the LDAP server.
Default: 3
Anonymous Login
Enable to send anonymous requests to the LDAP server.
Disable to bind a user to the server.
Username (not available if Anonymous Login is selected)
Enter the user name. The username must be specified as a full distinguished name (DN) in LDAP notation, using commas as delimiters (e.g., uid=root,cn=user).
Password (not available if Anonymous Login is selected)
Specify a password for the user.
Connection Security
Select the connection security for the LDAP server:
• Simple: User credentials will be sent unencrypted, as plaintext. This connection security is selected by default.
• SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
• TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.
Validate Server Certificate (not available for Simple connection security)
Enable to validate the certificate on the external server.
Client Certificate (not available for Simple connection security)
Select a client certificate from the list to establish a secured connection. If you do not want a client certificate, select None.
Default: ApplianceCertificate
Note: You can manage client certificates under Protect > Web Server > Certificates.
Base DN
Enter the Base DN for the LDAP server. The Base DN is the starting point relative to the root of the LDAP tree where the users are included who are to be authenticated. Note that the Base DN must be specified by the Fully Distinguished Name (FDN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD).
Get Base DN
Click Get Base DN if you do not know the Base DN. The Base DN is automatically retrieved from the directory.
Authentication Attribute
Specify an authentication attribute for searching the LDAP directory. The user authentication attribute contains the actual login name each user is prompted for, for example by remote access services.
Display Name Attribute
Specify the name for the LDAP server which is displayed as LDAP username.
Email Address Attribute
Specify the alias for the configured email address which is displayed to the user.
Group Name Attribute
Specify the alias for the configured group name which is displayed to the user.
Expiry Date Attribute
Specify the user expiry date displayed to the user. The attribute specifies how long a user account is valid.
Figure 379: Add LDAP Server
4. Click Test Connection to check the connectivity between the LDAP server and Sophos XG Firewall. It also validates the LDAP server user credentials.
5. Click Save.
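The following is an added example, not part of the Sophos manual: a small pre-save check for the LDAP server settings described in step 3. It resolves the effective port for each Connection Security choice (SSL moves the default 389 to 636; TLS keeps the default), validates that Username and Base DN are written in comma-delimited LDAP DN notation, and reports the findings a reviewer would want to see before the server is saved. The `LdapSettings` dataclass and `review` function are assumptions made for this example.

```python
"""Added example (not Sophos code): sanity-check LDAP server form inputs."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List

# One RDN of the form attr=value; values must not contain a bare comma here.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def is_valid_dn(dn: str) -> bool:
    """True if dn is comma-delimited attr=value pairs, e.g. O=Example,OU=RnD."""
    return bool(dn) and all(_RDN.match(part.strip()) for part in dn.split(","))


@dataclass
class LdapSettings:
    """Mirror of the Add LDAP Server form fields used by this check (assumed names)."""
    security: str                  # "Simple", "SSL" or "TLS"
    port: int = 389                # form default
    validate_cert: bool = False    # Validate Server Certificate
    anonymous: bool = False        # Anonymous Login
    bind_dn: str = ""              # Username, full DN
    base_dn: str = ""              # Base DN


def effective_port(s: LdapSettings) -> int:
    """SSL switches the default 389 to 636 (ldaps); TLS keeps the default port."""
    if s.security == "SSL" and s.port == 389:
        return 636
    return s.port


def review(s: LdapSettings) -> List[str]:
    """Return findings that should be fixed before saving; empty list means OK."""
    findings: List[str] = []
    if s.security not in ("Simple", "SSL", "TLS"):
        findings.append(f"unknown connection security: {s.security!r}")
    elif s.security == "Simple":
        findings.append("credentials sent as plaintext; use SSL or TLS")
    elif not s.validate_cert:
        findings.append("server certificate not validated")
    if not s.anonymous and not is_valid_dn(s.bind_dn):
        findings.append("Username must be a full DN, e.g. uid=root,cn=user")
    if not is_valid_dn(s.base_dn):
        findings.append("Base DN must be in LDAP notation, e.g. O=Example,OU=RnD")
    return findings


if __name__ == "__main__":
    # Constructed sample: the form defaults with DNs taken from the manual's examples.
    weak = LdapSettings("Simple", bind_dn="uid=root,cn=user", base_dn="O=Example,OU=RnD")
    hardened = LdapSettings("SSL", validate_cert=True,
                            bind_dn="uid=root,cn=user", base_dn="O=Example,OU=RnD")
    for cfg in (weak, hardened):
        print(cfg.security, "port", effective_port(cfg), "findings", review(cfg))
```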
Add Active Directory Server
This page describes how to add an Active Directory server.
Active Directory allows the device to map the users and groups from ADS for the purpose of authentication on a Windows platform.
1. Go to Configure > Authentication > Servers and click Add.
2. As Server Type, select Active Directory.
Note: If a user is required to authenticate using AD, the device needs to communicate with the AD server for authentication.
3. Specify the Active Directory server details.
Server Name
Enter a unique name for the Active Directory server.
Server IP
Specify an IP address for the Active Directory server.
Port
Specify the port of the Active Directory server.
Default: port 389.
NetBIOS Domain
Specify a NetBIOS domain for the Active Directory server.
ADS Username
Specify a username for the admin user of the Active Directory server.
Password
Specify a password for the admin user of the Active Directory server.
Connection Security
Select the type of security to be implemented on the established connection.
It provides a method to login to the external server by sending the username and password in encrypted format instead of plaintext.
• Simple: User credentials will be sent unencrypted as plaintext.
• SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
• TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.
Note: We strongly recommend using the encryption method to protect the user credentials.
Validate Server Certificate (not available for Simple connection security)
Enable to validate the certificate on the external server.
Display Name Attribute
Specify the name for the AD server which is displayed as AD username.
Email Address Attribute
Specify the alias for the configured email address which is displayed to the user.
Domain Name
Specify the domain name for which the query is to be added.
Search Queries
Click Add to enter the search query. Use the Move Up and Move Down buttons to rearrange the search queries in the list. Use Remove to remove the selected item.
Note: If you do not know the search DN, refer to NetBIOS Name, FQDN and Search DN.
Figure 380: Add Active Directory Server
4. Click Test Connection to check the connectivity between the Active Directory server and Sophos XG Firewall. It also validates the Active Directory server user credentials.
5. Click Save.
NetBIOS Name, FQDN and Search DN
This page describes how a Search DN is built.
The settings have to be performed on an AD (Windows) server.
1. Go to Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2. Right-click the required domain and go to the Properties tab.
Search DN is based on the FQDN. For example, if the FQDN is "google.com", then the Search DN will be DC=google, DC=com.
Figure 381: Search Query
Import AD User Group
This page describes how to import Active Directory groups from the Windows platform into the device.
1. Go to Configure > Authentication > Servers and click the import icon next to the AD server from which AD groups are to be imported.
The Import Group Wizard Help appears.
2. Specify a Base DN. Appliance fetches AD groups or OU groups from the specified Base DN.
3. Select the AD groups or OU groups to be imported into the appliance. Hold down Ctrl to select multiple groups. Groups already available in the device will not be imported.
4. Select various policies (surfing quota, traffic shaping, web filter, application filter, network traffic and SSL VPN) and the user authentication timeout for group members. Selected policies are attached to all imported groups. If you want to specify different policies for different groups, do not enable the policy. For example, if you want to assign different web filter policies to different groups, do not enable Attach to all the Groups.
5. If you do not want to apply common policies which are valid for all groups, specify policies to be applied to each group individually.
If groups are imported successfully, a "successful" message will be displayed; else the appropriate error message will be displayed. This message remains even if you close the wizard.
6. Click Close to end the wizard.
If a user is a member of multiple AD groups, then the policies of the first group the user is a member of are applied. The device browses through the ordered group list from top to bottom to determine the user's group membership. The first group that matches is considered the group of the user, and that group's policies are applied to the user.
Using the wizard, you can reorder the groups to change the membership preference.
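Two of the rules above are easy to get wrong by hand, so here they are as an added example (not Sophos code): building the Search DN from a domain's FQDN as described under NetBIOS Name, FQDN and Search DN, and the first-match rule by which a user in several AD groups receives the policies of the first matching group in the device's ordered list. The DN is emitted without a space after each comma, matching the Base DN notation used elsewhere on this page; function names and the sample group list are assumptions for this example.

```python
"""Added example (not Sophos code): Search DN from FQDN and first-match group policy."""
from __future__ import annotations
from typing import Dict, Iterable, List, Optional


def search_dn_from_fqdn(fqdn: str) -> str:
    """'google.com' -> 'DC=google,DC=com' (one DC= component per DNS label)."""
    labels = [lab for lab in fqdn.strip().rstrip(".").split(".") if lab]
    if not labels:
        raise ValueError("FQDN must contain at least one label")
    return ",".join(f"DC={lab}" for lab in labels)


def resolve_group(ordered_groups: List[str], user_groups: Iterable[str]) -> Optional[str]:
    """Walk the device's ordered group list top to bottom; return the first group
    the user belongs to, or None if no imported group matches (AD names are
    case-insensitive, so comparison is done in lower case)."""
    member = {g.lower() for g in user_groups}
    for group in ordered_groups:
        if group.lower() in member:
            return group
    return None


def policies_for_user(ordered_groups: List[str], group_policies: Dict[str, Dict[str, str]],
                      user_groups: Iterable[str]) -> Optional[Dict[str, str]]:
    """Policies applied to the user: those of the first matching group only."""
    group = resolve_group(ordered_groups, user_groups)
    return None if group is None else group_policies[group]


if __name__ == "__main__":
    # Constructed sample: two imported groups with different web filter policies.
    ordered = ["Staff", "Admins"]          # order as shown in the wizard's list
    policies = {"Staff": {"web filter": "Default Workplace"},
                "Admins": {"web filter": "Allow All"}}
    print(search_dn_from_fqdn("google.com"))
    # A user in both groups gets the Staff policy because Staff is listed first ...
    print(policies_for_user(ordered, policies, ["Admins", "Staff"]))
    # ... and reordering the list in the wizard changes the outcome.
    print(policies_for_user(list(reversed(ordered)), policies, ["Admins", "Staff"]))
```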
Add RADIUS Server
This page describes how to add a RADIUS server.
1. Go to Configure > Authentication > Servers and click Add.
2. As Server Type, select RADIUS Server.
3. Specify the RADIUS server details:
Server Name
Specify a descriptive name for the RADIUS server.
Server IP
Specify an IP address for the RADIUS server.
Authentication Port
Specify the authentication port of the RADIUS server.
By default, this is port 1812.
Enable Accounting
Enable accounting on the RADIUS server.
Sophos XG Firewall sends the following information to the RADIUS server as soon as the user logs in:
• Accounting start request
• User login time
Sophos XG Firewall sends the following information to the RADIUS server the moment the user logs out:
• Accounting stop request
• User logout time
Note: Supported client types: Windows client, HTTP client, Linux client, Android, iOS, iOS HTTP client, Android HTTP client, API client.
Note: The accounting stop message is not sent to the RADIUS server when Sophos XG Firewall shuts down or reboots.
Accounting Port (available only if Enable Accounting is active)
Specify a RADIUS port number through which Sophos XG Firewall can communicate with the RADIUS server.
Shared Secret
Specify the shared secret which is a text string that serves as a password between a RADIUS client and a RADIUS server.
Group Name Attribute
Specify the alias for the configured group name which is displayed to the user.
Figure 382: Add RADIUS Server
4. Click Test Connection to check the connectivity between the RADIUS server and Sophos XG Firewall. It also validates the RADIUS server user credentials.
5. Click Save.
Add TACACS+ Server
This page describes how to add a TACACS+ server.
1. Go to Configure > Authentication > Servers and click Add.
2. As Server Type, select TACACS+ Server.
3. Specify the TACACS+ server details:
Server Name
Specify a descriptive name for the TACACS+ server.
Server IPv4
Specify an IP address for the TACACS+ server.
Port
Specify the port of the TACACS+ server.
By default, this is port 49.
Shared Secret
Specify the shared secret which is a text string that serves as a password between a TACACS+ client and a TACACS+ server.
Figure 383: Add TACACS+ Server
4. Click Test Connection to check the connectivity between the TACACS+ server and Sophos XG Firewall. It also validates the TACACS+ server user credentials.
5. Click Save.
Add eDirectory Server
This page describes how to add an eDirectory server.
1. Go to Configure > Authentication > Servers and click Add.
2. As Server Type, select eDirectory.
3. Specify the eDirectory server details:
Server Name
Specify a descriptive name for the eDirectory server.
Server IP/Domain
Specify an IP address or domain for the eDirectory server.
Port
Specify the port of the eDirectory server.
By default, this is port 389.
Username
Specify a username for the eDirectory server.
Password
Specify a password for the eDirectory server.
Connection Security
Select the connection security for the eDirectory server:
• Simple: User credentials will be sent unencrypted as plaintext.
• SSL: Secure Sockets Layer. This is the most common method used for a secured connection. The Port will then change from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
• TLS: Transport Layer Security. Same secure connection as SSL but uses the default port.
Base DN
Specify the Base DN for the eDirectory server. The Base DN is the starting point relative to the root of the eDirectory tree where the users are included who are to be authenticated. Note that the Base DN must be specified by the full distinguished name (DN) in LDAP notation, using commas as delimiters (e.g., O=Example,OU=RnD).
Get Base DN
Click Get Base DN if you do not know the Base DN. The Base DN is automatically retrieved from the directory.