03 Getting Started With Sophos Firewall

Navigating and Managing

Sophos Firewall

Sophos Firewall
Version: 19.5v1

Sophos Firewall
FW1505: Navigating and Managing Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Navigating and Managing Sophos Firewall v1.0 - 1


Navigating and Managing Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall configuration using the Initial Setup Wizard

DURATION

11 minutes

When you have completed this chapter, you will be familiar with the Sophos Firewall WebAdmin
and understand how it uses objects as the building blocks for the configuration of rules and
policies.

Navigating and Managing Sophos Firewall v1.0 - 2


WebAdmin: Control Center

When you first log in to the WebAdmin you are presented with the Control Center, which provides a
live view of what is happening on the Sophos Firewall and allows you to quickly identify anything
that requires your attention.

The Control Center is broken down into six main areas.


• System, which shows the health of the firewall and services. Each item can be clicked to get
more detailed information.
• Traffic insight, which provides an at-a-glance overview of what is happening on the network and
the traffic being processed.
• User and device insight, for the status of users and devices being protected by Sophos Firewall.
This section includes the User Threat quotient, which is a risk assessment of users based on
their behaviour.
• Active firewall rules displays the usage of firewall rules by type. Below the graph you can see
the state of firewall rules over the last 24 hours. Clicking these will take you to the firewall rules
filtering for the selected type of rule.
• Reports provides access to commonly used reports. These can either be opened by clicking on
the name of the report or downloaded using the icon to the right of each. It shows when the
report was last updated and the size of the file.
• And Messages, which displays alerts or information for the administrator, including security
warnings and new firmware updates. Messages are clickable to access the relevant
configuration.

Navigating and Managing Sophos Firewall v1.0 - 3


WebAdmin: Main Menu

Information on current activity, reports and diagnostic tools

Down the left-hand side is the main menu for navigating the Sophos Firewall. This is divided into
four sections:

MONITOR & ANALYZE provides access to information on the current activity on the Sophos
Firewall, as well as reports and diagnostic tools.

Navigating and Managing Sophos Firewall v1.0 - 4


WebAdmin: Main Menu

Configure rules, policies and settings related to protection features

PROTECT, for configuring the rules, policies and settings related to protection features.

Navigating and Managing Sophos Firewall v1.0 - 5


WebAdmin: Main Menu

Set up connectivity, routing, authentication and global settings

CONFIGURE, where you set up connectivity, routing, authentication and global settings.

Navigating and Managing Sophos Firewall v1.0 - 6


WebAdmin: Main Menu

Device access settings, objects and profiles that are used in rules and policies

SYSTEM, which houses the device access settings, as well as objects and profiles that are used
within rules and policies.

Navigating and Managing Sophos Firewall v1.0 - 7


WebAdmin: Tabbed Navigation

Each section that is accessible from the main menu is further broken down into tabs for accessing
each area of configuration.

On some screens, additional, less frequently used tabs can be accessed using the ellipsis on the
right-hand side of the tabs.

Navigating and Managing Sophos Firewall v1.0 - 8


WebAdmin: Advanced Settings

Display additional settings for reports

In the Reports section there is an additional Show Reports settings option that allows you to
access some of the less often used options.

When the settings are accessed, the screen will flip to the additional options. You can identify
when you are on this screen because the title bar at the top of the page will be yellow.

Navigating and Managing Sophos Firewall v1.0 - 9


WebAdmin: Admin Drop-Down Menu

Found in the top-right is the admin menu. Here you can reboot, shut down, lock and log out of the
Sophos Firewall. This menu also provides links to the support website, the Sophos Firewall
licensing page, and web-based access to the console.

Navigating and Managing Sophos Firewall v1.0 - 10


WebAdmin: Help

Found on every screen of the Sophos Firewall is a context-sensitive link to the online help file.

When clicked, it opens a separate window. This online version of the help is fully interactive, and
can be browsed by selecting the various menu items in the left side menu. It can also be searched
using keywords. When a search result is selected it will load the appropriate section within the
help file.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html

Navigating and Managing Sophos Firewall v1.0 - 11


WebAdmin: Log Viewer

Next to the help link is the Log viewer, which opens in a new window to provide access to all log
files.

In the ‘Log viewer’ you can filter the logs and perform context sensitive actions. Other chapters in
the course will explore this in more detail.

Navigating and Managing Sophos Firewall v1.0 - 12


How-to Guides

View How-to videos

Clicking the How-to guides link in the WebAdmin takes you to the Sophos Community page.

This provides a link to a library of videos that demonstrate how to perform common tasks on
Sophos Firewall.

Navigating and Managing Sophos Firewall v1.0 - 13


Objects

Objects are the building blocks for rules and policies

Define hosts, networks, services, groups and profiles

Can be created inline when configuring rules and policies

The Sophos Firewall uses objects as the building blocks for the configuration of rules and policies.
By defining reusable objects once for things such as hosts, services and networks, it can speed up
configuration, and simplify future changes by having a single place to make a change.

Objects can be created and edited ahead of time, but they can also be created inline when
configuring protection features. This means that you do not have to navigate away from what you
are configuring to create an object, because you will have the option to create it where you need
it.

There are two categories of object – hosts and services; and profiles. These can be found in the
SYSTEM section on the Sophos Firewall.

Navigating and Managing Sophos Firewall v1.0 - 14


Hosts
IP MAC FQDN

There are three types of host object on the Sophos Firewall: IP, MAC and FQDN.

Navigating and Managing Sophos Firewall v1.0 - 15


Hosts
IP MAC FQDN

IP version and host type cannot be changed after creation

IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but
not IP lists

IP host objects can represent a single IP address, a subnet, a range of IP addresses or a list of IP
addresses, for either IPv4 or IPv6.

The object has a name and then must be configured by IP version (IPv4 or IPv6) and a type. Note
that the IP version and type cannot be modified after the object has been created.

You then provide the data for the type of object you selected. Note that IP address lists are comma
separated.

IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but
not IP lists.

Navigating and Managing Sophos Firewall v1.0 - 16


Hosts
IP MAC FQDN

Type cannot be changed after it has been created

Lists are comma separated

MAC host objects can be created for individual MAC addresses or MAC address lists.

The MAC host object has a name and then must be configured for a specific type, either MAC
address or MAC list. This cannot be changed once the object has been saved.

MAC address lists are comma separated.

Navigating and Managing Sophos Firewall v1.0 - 17


Hosts
IP MAC FQDN

Supports wildcard prefix to resolve sub-domains

Can be grouped with FQDN host groups

FQDN hosts are used to define fully qualified domain names.

FQDN host objects can include a wildcard prefix to resolve sub-domains, for example,
*.sophos.com.

FQDN host groups allow you to create a collection of FQDN host objects to further simplify the
use of objects in rules and policies.

Navigating and Managing Sophos Firewall v1.0 - 18


Services

Service based on TCP and UDP ports

Service based on IP protocol numbers

Service based on ICMP types & codes

Service objects can be created for:


• TCP and UDP based on protocol, source and destination port,
• IP based on protocol number,
• ICMP and ICMPv6 based on the ICMP type and code.

Each service object is for a single type, and can contain one or more definitions.

You can also create groups of service objects.
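The host and service slides above describe objects in words only. The following is an added example, not Sophos Firewall code, that models those objects as the course describes them: IP hosts of type single address, network, range or comma-separated list with a fixed IP version and type, IP host groups that refuse IP lists, service objects of exactly one type (TCP/UDP with source and destination ports, IP protocol number, or ICMP type and code) with one or more definitions, and a rule assembled from three such objects. Class, function and field names, the sample objects and the packet summaries are this example's own constructions.

```python
"""Added example (not Sophos Firewall code): a small model of the host and
service objects described above, and of a rule assembled from them.
Class, function and field names are this example's own assumptions."""
import ipaddress

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}  # IANA protocol numbers


class IPHost:
    """IP host object: a single address, a network, a range or a comma-separated
    list, for one IP version. Version and type are fixed once the object exists."""
    KINDS = ("ip", "network", "range", "list")

    def __init__(self, name, version, kind, value):
        if version not in (4, 6) or kind not in self.KINDS:
            raise ValueError("version must be 4 or 6; kind must be one of %s" % (self.KINDS,))
        self.name, self.version, self.kind = name, version, kind
        self._nets = self._parse(value)

    def _net(self, text):
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net.version != self.version:
            raise ValueError("%s is not IPv%d" % (text.strip(), self.version))
        if self.kind == "ip" and net.num_addresses != 1:
            raise ValueError("an IP host of type 'ip' holds exactly one address")
        return net

    def _parse(self, value):
        if self.kind in ("ip", "network"):
            return [self._net(value)]
        if self.kind == "list":                               # IP lists are comma separated
            return [self._net(v) for v in value.split(",")]
        lo, hi = (ipaddress.ip_address(v.strip()) for v in value.split("-"))  # range "a-b"
        if lo.version != self.version or hi.version != self.version:
            raise ValueError("range endpoints must be IPv%d" % self.version)
        return list(ipaddress.summarize_address_range(lo, hi))

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return ip.version == self.version and any(ip in n for n in self._nets)


class IPHostGroup:
    """Groups IP hosts of type ip, network or range; IP lists cannot be grouped."""

    def __init__(self, name, members):
        if any(m.kind == "list" for m in members):
            raise ValueError("IP host groups cannot contain IP list objects")
        self.name, self.members = name, list(members)

    def contains(self, addr):
        return any(m.contains(addr) for m in self.members)


class Service:
    """Service object of one type with one or more definitions:
    tcp_udp -> (proto, (src_lo, src_hi), (dst_lo, dst_hi)); ip -> protocol number;
    icmp -> (type, code)."""

    def __init__(self, name, kind, definitions):
        if kind not in ("tcp_udp", "ip", "icmp") or not definitions:
            raise ValueError("kind must be tcp_udp, ip or icmp, with at least one definition")
        self.name, self.kind, self.definitions = name, kind, list(definitions)

    def matches(self, pkt):
        for d in self.definitions:
            if self.kind == "tcp_udp":
                proto, (slo, shi), (dlo, dhi) = d
                if pkt["proto"] == proto and slo <= pkt["sport"] <= shi and dlo <= pkt["dport"] <= dhi:
                    return True
            elif self.kind == "ip" and pkt["proto_number"] == d:
                return True
            elif self.kind == "icmp" and pkt["proto"] in ("icmp", "icmpv6") \
                    and (pkt["icmp_type"], pkt["icmp_code"]) == d:
                return True
        return False


def packet(proto, sport=0, dport=0, icmp=(None, None), proto_number=None):
    """Constructed summary of one packet, the input format used by this example."""
    number = proto_number if proto_number is not None else PROTO_NUMBERS.get(proto, 0)
    return {"proto": proto, "proto_number": number, "sport": sport, "dport": dport,
            "icmp_type": icmp[0], "icmp_code": icmp[1]}


def rule_matches(src_obj, dst_obj, service, src_ip, dst_ip, pkt):
    """A rule built from three reusable objects: source host, destination host, service."""
    return src_obj.contains(src_ip) and dst_obj.contains(dst_ip) and service.matches(pkt)


def _rejects(action):
    try:
        action()
    except ValueError:
        return True
    return False


def demo():
    """Constructed objects and traffic; every value should be True."""
    lan = IPHost("LAN_net", 4, "network", "10.1.0.0/16")
    admins = IPHost("Admins", 4, "range", "10.1.5.10-10.1.5.20")
    trusted = IPHostGroup("Trusted", [lan, admins])
    web_srv = IPHost("Web_srv", 4, "ip", "192.0.2.10")
    https = Service("HTTPS", "tcp_udp", [("tcp", (1, 65535), (443, 443))])
    ping = Service("PING", "icmp", [(8, 0)])
    gre = Service("GRE", "ip", [47])
    web = packet("tcp", sport=51000, dport=443)
    echo = packet("icmp", icmp=(8, 0))
    return {
        "admin_https_allowed": rule_matches(trusted, web_srv, https, "10.1.5.15", "192.0.2.10", web),
        "outsider_no_match": not rule_matches(trusted, web_srv, https, "198.51.100.7", "192.0.2.10", web),
        "ping_matches_icmp_service": ping.matches(echo),
        "ping_not_https": not https.matches(echo),
        "gre_matched_by_number": gre.matches(packet("gre", proto_number=47)),
        "v6_not_in_v4_object": not lan.contains("2001:db8::1"),
        "ip_list_cannot_be_grouped": _rejects(
            lambda: IPHostGroup("Bad", [IPHost("L", 4, "list", "10.0.0.1, 10.0.0.2")])),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, ok)
```

The point of keeping the objects separate from the rule is the one the slide makes: changing the `Admins` range or the `HTTPS` port list is done once, and every rule built from those objects follows.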

Navigating and Managing Sophos Firewall v1.0 - 19


Country Groups

Sophos Firewall maintains a geo IP database that maps IP addresses to countries, and this is
automatically updated with the pattern definitions.

There are several predefined country groups that ship with Sophos Firewall, which can be edited.
You can also create custom groups of countries.

Navigating and Managing Sophos Firewall v1.0 - 20


Profiles

• Schedule: defines a period of time; recurring or one-off
• Access time: allow or deny action for a schedule
• Surfing quota: browsing time restrictions; recurring or one-off
• Network traffic quota: bandwidth restrictions; separate upload/download or combined
• Decryption: settings for TLS decryption
• IPsec: IKE parameters for establishing tunnels between two firewalls
• Device access: roles for administrators

Profiles are a collection of settings that can be defined and used when configuring protection
features.

There are profiles for:


• Schedule, which defines a period, either recurring or one-off,
• Access time, that defines an allow or deny action for a schedule,
• Surfing quota, which defines either recurring or one-off restrictions for browsing time,
• Network traffic quota, for upload and download bandwidth quota restrictions,
• Decryption, for controlling the decryption of TLS traffic,
• IPsec, to specify the IKE (Internet Key Exchange) parameters for establishing tunnels between
two firewalls,
• And Device access, which defines access roles for admins logging into the WebAdmin.

Navigating and Managing Sophos Firewall v1.0 - 21


Firmware Updates

Upload firmware

Boot firmware image

Boot with factory default configuration

Sophos Firewall has two firmware slots, one for the current active firmware, and the other that can
be updated with a new version. This means that if an issue is encountered with the running
firmware, the previous version can be booted.

Firmware can be downloaded automatically or uploaded manually. When there is a new firmware
version you will be prompted to upgrade when you log in.

As well as uploading new firmware, you can select which firmware version to boot, or choose to
boot one of the firmware versions with the default factory settings.

Navigating and Managing Sophos Firewall v1.0 - 22


Firmware Updates

Three free firmware updates

Mandatory updates during initial setup wizard do not count


Pattern updates are not affected

Firmware updates require a valid support license. For devices that do not have a valid support
license applied, a banner is shown on the firmware page that shows the number of free firmware
updates that are left.

Three free firmware updates are provided, and mandatory updates that are installed as part of the
initial setup wizard are not counted towards this. Pattern updates are not affected.

Navigating and Managing Sophos Firewall v1.0 - 23


Chapter Review

The main menu is the primary navigation tool and is divided into four sections. Pages are
further broken down into tabs for accessing each area of configuration

Every page provides a link to context sensitive help

Two types of object – hosts and services, and profiles – are used as the building blocks
for the configuration of rules and policies

Here are the three main things you learned in this chapter.

The main menu is the primary navigation tool and is divided into four sections. Pages are further
broken down into tabs for accessing each area of configuration.

Every page provides a link to context sensitive help.

The Sophos Firewall uses two types of object – hosts and services, and profiles - as the building
blocks for the configuration of rules and policies.

Navigating and Managing Sophos Firewall v1.0 - 28


Navigating and Managing Sophos Firewall v1.0 - 29
Getting Started with Zones
and Interfaces on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1515: Getting Started with Zones, Interfaces and Routing on Sophos Firewall

April 2022
Version: 19.0v1


Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 1
Getting Started with Zones and Interfaces on Sophos
Firewall
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

8 minutes

In this chapter you will learn how to use Sophos Firewall WebAdmin to configure network zones,
interfaces and routing.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 2
Interfaces and Zones

The firewall is shipped with physical and virtual interfaces

A physical interface is for example, Port1, PortA, or eth0

A virtual interface is a logical representation, for example an alias

A zone is a grouping of interfaces

The firewall is shipped with physical and virtual interfaces.

A physical interface is, for example, Port1, PortA, or eth0.

A virtual interface is a logical representation of an interface, for example an alias that allows you to
bind multiple IP addresses to a single physical interface.

A zone is a grouping of interfaces. When used with firewall rules, zones provide a convenient
method of managing security and traffic for a group of interfaces.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 3
Zones

[Diagram: Sophos Firewall with LAN 1 and LAN 2 in the LAN Zone, the Internet in the WAN Zone, and Hosted Servers in the DMZ zone]

We’ll start by looking at zones. Sophos Firewall is a zone-based firewall, and it is important to
understand what a zone is before we proceed to look at interfaces and routing.

When we talk about zones on the Sophos Firewall, we mean a logical group of networks where
traffic originates or is destined to.

Each interface is associated with a single zone, which means that traffic can be managed between
zones rather than by interface or network, simplifying the configuration.

Interfaces and zones are not equivalent; multiple interfaces can be associated with a zone and
each zone can be made up of multiple networks.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 4
Zones

Zones are created and managed in: CONFIGURE > Network > Zones

LAN: most secure by default, for internal networks

WAN: for external interfaces that provide Internet access

DMZ: for hosting publicly accessible servers

VPN: does not have a physical port or interface assigned to it

WiFi: for providing security for wireless networks

Sophos Firewall comes with five default zones. These are:

• LAN – this is the most secure zone by default and is for your internal networks.
• WAN – this zone is used for external interfaces that provide Internet access.
• DMZ – this zone is for hosting publicly accessible servers.
• VPN – this is the only zone that does not have a physical port or interface assigned to it. When a
VPN is established, either site-to-site or remote access, the connection is dynamically added to
the zone and removed when disconnected.
• WiFi – this zone is for providing security for wireless networks.

Except for the VPN zone, the default zones can be customized.

Zones are managed and created in CONFIGURE > Network > Zones.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 5
Creating Zones

Choose whether this is a LAN or DMZ zone

Client authentication services

Access for managing the Sophos Firewall

Network services

Other services provided by the Sophos Firewall

Let’s look at how you can create your own zones.

When you create a custom zone, you can choose between two types of zones, LAN or DMZ, which
is used to indicate the level of trust for the zone. You cannot create additional VPN or WAN type
zones as there can only be one of each of these.

You then customize the zone to define which services the Sophos Firewall provides to that zone and
which will be accessible from it. This is broken down into four categories:
• Admin services, for accessing and managing the Sophos Firewall.
• Authentication services, for user authentication.
• Network services, for PING and DNS.
• And Other services, which controls access to things like the web proxy, wireless access point
management, and user portal.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 6
Activity
Match the zone with its description

Zones: WiFi, LAN, VPN, WAN, DMZ

• This is the only zone that does not have a physical port or interface assigned to it
• This zone is for hosting publicly accessible servers
• This zone is for providing security for wireless networks
• This is the most secure zone by default and is for your internal networks
• This zone is used for external interfaces that provide Internet access

Take a moment to test your knowledge and match the zone with its description.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 7
Network Interfaces

Now that you know how to create zones, we will look at Network Interfaces.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 9
Configuring Interfaces

Interfaces are configured in: CONFIGURE > Network > Interfaces

Interfaces can be given a friendly name

Interfaces must be assigned to a zone

By default, interfaces are named after their hardware device ID. However, you can give them a
friendly name to make identifying them easier.

To begin configuring the network settings, you must assign the interface to a zone. This will
determine what IP configuration can be set, as only interfaces in the WAN zone are configured with
a gateway.

You can configure interfaces either statically or by DHCP. IPv4 configuration also supports
configuration via PPPoE.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 10
Configuring Interfaces

Interfaces can be configured for IPv4 or IPv6 or both

You can configure interfaces with IPv4 or IPv6 or both.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 11
Interface Types
BRIDGE: Allows two or more interfaces to be used to create a transparent layer 2 or 3 bridged
interface for seamless communication between interfaces

ALIAS: An additional IP address added to an interface

VLAN: A virtual LAN interface created on an existing Sophos Firewall interface, used when the
Sophos Firewall needs to perform inter-VLAN routing or tagging

LAG: A group of interfaces acting as a single connection which can provide redundancy and
increased speed between two devices

RED: Used to connect Sophos’ Remote Ethernet Devices back to the Sophos Firewall

In addition to those used for configuring the network adapters in the Sophos Firewall, there are
several other interface types that can be created.

These are:
• Bridge
• Alias
• VLAN
• LAG
• And RED

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 12
Bridge Interface

Two physical ports are assigned to this bridge interface

We’ll look at two examples of these interfaces. The first is a bridge interface, which bridges over
physical interfaces, such as ports, or virtual interfaces, such as VLANs.

In this example, two physical interfaces are selected.

If ‘enable routing’ is selected, you must assign an IP address to the bridge interface.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 13
Alias Interface
An Alias interface is added for the GuestAP physical interface

An Alias interface is used to bind multiple IP addresses to a physical interface. In this example an
alias is added to the GuestAP interface and can then be seen in the interfaces listing page.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 14
Activity
Match the interface type with its description

Interface types: Bridge, Alias, VLAN, LAG, RED

• An additional IP address added to an interface
• Creates a transparent layer 2 or 3 interface for seamless communication
• Can provide redundancy and increased speed between two devices
• Connects Sophos’ remote devices back to the Sophos Firewall
• Created on an existing interface and can be used to perform tagging

Take a moment to test your knowledge and match the interface type with its description.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 15
Interface Types

TUNNEL: Tunnel interfaces are created using a type of IPsec VPN, that allows standard
routing to be used to send traffic over the VPN

WiFi: A wireless network where traffic is routed back to the Sophos Firewall from the access
point instead of directly onto the network the access point is connected to

Additionally, you can create wireless interfaces and IPsec interfaces.

These two interface types are created as part of configuring other functionality on Sophos Firewall:
IPsec VPNs, and wireless networks that use separate zone configuration.

Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to
send traffic over the VPN.

WiFi interfaces are created when a wireless network routes traffic back to the Sophos Firewall
using separate zone configuration, instead of to either the physical LAN the access point is
connected to, or a VLAN.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 17
Simulation: Create Zones and Interfaces


https://training.sophos.com/fw/simulation/ZonesAndInterfaces/1/start.html

In this simulation you will configure zones and interfaces on Sophos Firewall.

Application Traffic Shaping on Sophos Firewall - 18


Chapter Review

A zone is a logical group of networks. Each firewall interface is associated with a single
zone, meaning that traffic can be managed using zones

Network interfaces are assigned to a zone, which determines what IP configuration can be set

IPsec tunnel and wireless interface types are created as part of configuring other
functionality on Sophos Firewall. These use separate zone configuration

Here are the three main things you learned in this chapter.

A zone is a logical group of networks. Each firewall interface is associated with a single zone,
meaning that traffic management can be simplified using zones instead of interfaces and networks.

Network interfaces are assigned to a zone, which determines what IP configuration can be set.

IPsec tunnel and wireless interface types are created as part of configuring other functionality on
Sophos Firewall. These use separate zone configuration.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 21
Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 22
Advanced Interface
Configuration on Sophos
Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]
Sophos Firewall
FW1520: Advanced Interface Configuration on Sophos Firewall

November 2022
Version: 19.5v1


Sophos Firewall: Advanced Interface Configuration - 1


Advanced Interface Configuration on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The types of interface supported by Sophos Firewall
✓ Configuring firewall interfaces

DURATION

9 minutes

In this chapter you will learn the advanced configuration settings that are available for physical and
virtual interfaces.

Sophos Firewall: Advanced Interface Configuration - 2


Interfaces

The Sophos Firewall supports several different interface types that can be created.

These include:
• Physical and wireless interfaces
• Bridge
• VLAN
• Alias
• LAG (Link Aggregation)
• And RED

Sophos Firewall: Advanced Interface Configuration - 3


Edit Interface

The menu beside each interface allows you to edit and view settings such as MSS and MTU.

MTU (Maximum Transmission Unit) is the largest packet size that a network can transmit in bytes.
Packets larger than the specified value are divided into smaller packets before they are sent.

MSS (Maximum Segment Size) is the amount of data in bytes that can be transmitted in a TCP
packet.

Sophos Firewall: Advanced Interface Configuration - 4


Interface Link Settings Detection

Sophos Firewall will auto-detect and recommend link settings. In the ‘Advanced settings’ section of
the interface you can click Show recommended settings to see them, and then click Load
recommended configuration to update the settings to the recommended parameters.

This includes support for advanced port configurations for high-speed interfaces, and includes
forward error correction, FEC, for 40 gigabit interfaces in XGS 5500 and 6500.

Sophos Firewall: Advanced Interface Configuration - 5


MTU and MSS Configuration

You can configure the MTU and MSS for interfaces, and this includes support for jumbo frames
with more than 1500-byte payloads. This can be configured in the WebAdmin in the ‘Advanced
settings’ for the interface, or in the console as shown here.

Sophos Firewall: Advanced Interface Configuration - 6


Bridge Interfaces: VLAN Filtering

Define which VLANs can pass across the bridge

Bridge interfaces include a few additional controls and settings that we will look at over the next
few slides, starting with filtering VLANs. This allows you to define which VLANs can pass across the
bridge without requiring an interface in the VLAN.

If you select filtering, but don't specify the permitted VLANs, Sophos Firewall drops tagged traffic
from all the VLANs. Please note that untagged traffic and system generated traffic will not be
affected by this filter.

Sophos Firewall: Advanced Interface Configuration - 7


Bridge Interfaces: Advanced Settings
Additional information in the notes

Permit ARP broadcast is enabled by default

Filter Ethernet Frames using the 4-digit ID

Turn on Spanning Tree Protocol (STP)

By default, bridge interfaces forward ARP (Address Resolution Protocol) broadcasts to discover the
destination MAC addresses.

In ‘Advanced settings’ you can clear the check box to prevent ARP broadcasts. You can use this
when there's a broadcast storm.

You can turn on STP (Spanning Tree Protocol) to prevent bridge loops, which occur when there's
more than one path between two bridge interfaces. Redundant paths can result in a broadcast
storm in the network. STP also enables failover to redundant paths dynamically when the primary
path fails.

The default setting for Filter Ethernet Frames allows all frame types to pass through the bridge.
You can optionally filter using the 4-digit hexadecimal ID. For example, 809B is for AppleTalk.
If you select filtering, but don't specify the permitted Ethernet frame types, Sophos Firewall drops
traffic for all Ethernet frames except the frame types specified in the additional notes, which are
always allowed.

[Additional Information]
Spanning Tree Protocol IEEE 802.1D RFC 7727.
One STP instance is created for the entire bridged network.

Drop Ethernet Frames: The drop setting doesn't affect the frames of ARP, IPv4, IPv6, 8021Q and
EXTE traffic, which are always allowed.

Sophos Firewall: Advanced Interface Configuration - 8


Bridge Interfaces with No IP Address
Additional information in the notes

Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic
matches a firewall rule with web proxy filtering, or if it matches a NAT rule. These dropped packets
are not logged.

[Additional Information]

To prevent NAT rules from causing the traffic to drop, follow these instructions:

• Go to Rules and policies > NAT rules and select the SNAT rule to edit.
• Select Override source translation for specific outbound interfaces.
• Set Outbound interface to the bridge interface without IP address.
• Set Translated source (SNAT) to Original and click Save.

Sophos Firewall: Advanced Interface Configuration - 9


VLANs
Create multiple VLAN interfaces on a single physical interface

Allows tagged and untagged traffic on the same interface

VLAN support follows IEEE 802.1q standards

Physical interface does not need to be configured

Supports up to 4096 VLANs


• 0, 1 and 4095 are reserved
• VLANs 2 – 4094 are configurable

You can create multiple VLAN interfaces on a single physical interface and allow for tagged as well
as untagged traffic on the same physical interface in the Sophos Firewall.

VLAN support on the Sophos Firewall follows the IEEE 802.1q standard with support for up to
4096 VLAN IDs on the device. There are 3 reserved VLAN IDs:

• VLAN 0 is used when a device needs to send priority-tagged frames but does not know the
specific VLAN it resides in
• VLAN 1 is reserved for the physical LAN (the default, untagged VLAN on most switches)
• VLAN 4095 is reserved by the IEEE 802.1q standard for implementation use. It is a special purpose
VLAN ID; on a VMware vSwitch, for example, configuring 4095 on a port group makes it pass all
VLAN tags through, so the port behaves like a trunk
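The two mechanisms discussed above, the bridge ‘Filter Ethernet Frames’ setting with its always-allowed frame types from the notes, and the 802.1q tag that carries the VLAN ID whose reserved values are listed here, as an added Python example. This is not Sophos code; the EtherType constants and the 802.1q tag layout are standard, and the frames it builds are constructed test data rather than captures:

```python
import struct

ETH_IPV4, ETH_ARP, ETH_8021Q, ETH_IPV6, ETH_APPLETALK = 0x0800, 0x0806, 0x8100, 0x86DD, 0x809B

# EtherTypes the bridge drop setting never touches (ARP, IPv4, IPv6, 802.1Q per the notes).
ALWAYS_ALLOWED = {ETH_ARP, ETH_IPV4, ETH_IPV6, ETH_8021Q}

# 0 and 4095 are reserved by 802.1Q; Sophos Firewall also reserves 1.
RESERVED_VIDS = {0, 1, 4095}


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan is given.
    (Constructed test data helper; not a capture.)"""
    header = dst + src
    if vlan is not None:
        tci = (pcp << 13) | (vlan & 0x0FFF)       # PCP: 3 bits, DEI: 1 bit (0), VID: 12 bits
        header += struct.pack("!HH", ETH_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return dst, src, VLAN ID (None if untagged), PCP, payload EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "vlan": None, "pcp": 0}
    offset = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"], info["vlan"] = tci >> 13, tci & 0x0FFF
        offset = 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info


def vid_is_configurable(vid):
    """True for VLAN IDs you can assign to a VLAN interface: 2 to 4094."""
    return 0 <= vid <= 4095 and vid not in RESERVED_VIDS


def bridge_allows(frame, filter_enabled, permitted=frozenset()):
    """Model the bridge 'Filter Ethernet Frames' setting.

    Filtering off: every frame type passes. Filtering on: only the permitted
    EtherTypes pass, except that ARP, IPv4, IPv6 and 802.1Q-tagged frames are
    always allowed; checking the outer EtherType reproduces exactly that."""
    if not filter_enabled:
        return True
    outer = struct.unpack("!H", frame[12:14])[0]
    return outer in ALWAYS_ALLOWED or outer in permitted


if __name__ == "__main__":
    bcast, mac = b"\xff" * 6, bytes.fromhex("001122334455")
    tagged = build_frame(bcast, mac, ETH_IPV4, b"\x45" + b"\x00" * 19, vlan=100, pcp=5)
    print(parse_frame(tagged))
    atalk = build_frame(bcast, mac, ETH_APPLETALK, b"\x00" * 10)
    print("AppleTalk with filtering on, nothing permitted:", bridge_allows(atalk, True))
    print("AppleTalk with 809B permitted:", bridge_allows(atalk, True, {ETH_APPLETALK}))
```

Note that the always-allowed check looks only at the outer EtherType, so a tagged frame passes the filter whatever it carries inside; that is what the notes describe, and it is why a permitted-type list on a bridge does not police traffic on VLAN trunks crossing it.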

Sophos Firewall: Advanced Interface Configuration - 10


VLAN Configuration

• Interface and zone
• VLAN ID
• IP address for the VLAN interface

A VLAN can be created on a physical interface such as PortA, or eth0. The physical port does not
need to be configured with an IP address before a VLAN can be added to it, and you can add
multiple VLAN interfaces to a physical port.

A VLAN can also be created for a virtual interface such as bridge and LAG.

A zone must also be selected for the new VLAN network, and then a VLAN ID needs to be assigned
to the interface. Please note the valid ID range is listed next to the input box.

Finally, an IP address needs to be assigned to the new VLAN interface.

Sophos Firewall: Advanced Interface Configuration - 11


Link Aggregation

Combine multiple ports/interfaces to create single logical interface

Advantages:
• Scales bandwidth usage according to the number of links
• Provides link redundancy with failover and failback
• Facilitates load sharing across links
• Requires no changes to the existing network deployment or additional hardware

Supported LAG modes:


• Active-Backup provides link failover
• LACP (802.3ad) provides failover and load balancing
• All connected devices must support LACP
• Member interfaces must be the same type and speed
• All links must be full-duplex

Link Aggregation Groups (LAG) combine multiple physical links into a single logical link to increase
bandwidth and make automatic failover available.

Link aggregation provides the following advantages:


• Scales bandwidth usage according to the number of links used in the group
• Provides link redundancy with failover and failback for a continuous session
• Facilitates load sharing across links
• Requires no changes to the existing network deployment or any additional hardware

Sophos Firewall supports the following LAG modes:


• Active-Backup provides link failover.
• LACP (802.3ad) provides failover and load balancing. In this mode, traffic is distributed among
all links.
• LACP must be enabled at both ends of the link.
• All the member interfaces must be of the same type and have the same interface speed.
• All links must be full-duplex.

[Additional Information]
Note: Link Aggregation is also known as:
• Port trunking
• Link bundling
• NIC bonding
• NIC teaming

Link aggregation control protocol (LACP) is part of the IEEE specification (originally IEEE 802.3ad,
now maintained as IEEE 802.1AX); it groups two or more physical links into a single logical link.
You must turn on LACP at both ends of the link for it to function. Link aggregation is a device's
ability to combine multiple physical interfaces into one single logical unit.

Sophos Firewall: Advanced Interface Configuration - 12


Link Redundancy
‘Active-Backup’ LAG mode managed by Sophos Firewall
Supports devices that do not understand LACP
Can failover between links of different speeds

The Active Backup LAG mode can be used with devices that do not support 802.3ad (LACP).

In active-backup, the Sophos Firewall manages the links, keeping one link active and the other in
an inactive backup state. Because of this, active-backup does not have the benefit of increased
bandwidth, only redundancy. However, it does allow failover between links of different speeds.

Sophos Firewall: Advanced Interface Configuration - 13


Chapter Review

You can configure the MTU and MSS for interfaces using ‘Advanced settings’ in the
WebAdmin or from the console

You can create multiple VLAN interfaces on a single physical interface and allow for
tagged as well as untagged traffic on the same physical interface

LAG combines multiple physical links into a single logical link to increase bandwidth and
make automatic failover available

Here are the three main things you learned in this chapter.

You can configure the MTU and MSS for interfaces, and this includes support for jumbo frames
with more than 1500-byte payloads. This can be configured in the WebAdmin in the ‘Advanced
settings’ for the interface or in the console.

You can create multiple VLAN interfaces on a single physical interface and allow for tagged as well
as untagged traffic on the same physical interface in the Sophos Firewall.

Link Aggregation Groups, (LAG), combine multiple physical links into a single logical link to increase
bandwidth and make automatic failover available.

Sophos Firewall: Advanced Interface Configuration - 18


Sophos Firewall: Advanced Interface Configuration - 19
Introduction to Routing and
SD-WAN on Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]
Sophos Firewall
FW1525: Introduction to Routing and SD-WAN on Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Introduction to Routing and SD-WAN on Sophos Firewall - 1


Introduction to Routing and SD-WAN on Sophos Firewall

In this chapter you will learn how to configure routing and SD-WAN on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

20 minutes

In this chapter you will learn how to configure routing and SD-WAN on Sophos Firewall.

Introduction to Routing and SD-WAN on Sophos Firewall - 2


Routing

Default route

Directly connected network


Where do I send this to reach its
destination?

When Sophos Firewall receives traffic, it needs to know where to send it so that it will reach its
destination. If the traffic is destined for a network that Sophos Firewall is connected to, then it will
know where to send it. Everything else will be sent to the default route, which is normally the ISP,
or Internet service provider.

Introduction to Routing and SD-WAN on Sophos Firewall - 3


Routing

Gateway

Indirectly connected network

Where do I send this to reach its destination?

If traffic is destined for a network that is not directly connected to the Sophos Firewall, by default it
will not know where to send it, and so it will be sent to the default route.

In the example shown here, we would need to create a route on the Sophos Firewall so that it
knows to send traffic that is destined for the indirectly connected network to the gateway for that
network.

Introduction to Routing and SD-WAN on Sophos Firewall - 4


Types of Configurable Route

STATIC
• The simplest type of configurable route
• Traffic sent to a specific gateway based on destination only

SD-WAN
• Routing based on many attributes
• Can route to a specific gateway
• Gateway health monitoring
• Can select a gateway based on quality metrics or load balancing

DYNAMIC
• Routes are learned by communicating with other routing devices on the network

There are three types of configurable route you can create on Sophos Firewall:
• Static routes. These are the simplest type of route that send traffic to a specific gateway based
on the destination
• SD-WAN routes. These can route traffic based on more attributes, including the source, service,
application, and user. This can route to a specific gateway or backup gateway based on health
monitoring; alternatively, you can use a profile to select a gateway based on quality metrics or
load balancing
• Dynamic routes. These are routes that are learned by communicating with other routing devices
on the network

Introduction to Routing and SD-WAN on Sophos Firewall - 5


Static Routes
Static routes are configured in: CONFIGURE > Routing > Static routes

• Network that is not directly connected to the Sophos Firewall
• Gateway and interface to use to route the traffic

Let’s start by looking at an example of a static unicast route.

These are created in CONFIGURE > Routing > Static routes.

Enter the network and netmask of the destination traffic that will match this route. In this
example, any traffic to 192.168.16.0/24 will match.

Enter the IP address of the gateway to send the traffic to and select the port to send the traffic on.

Introduction to Routing and SD-WAN on Sophos Firewall - 6


Static Routes
Static routes are configured in: CONFIGURE > Routing > Static routes

• Compare distances between routing protocols
• Route selection between static routes

For each static route you can also set the administrative distance and metric to set its relative
priority. The administrative distance compares routes to the same destination that were learned
from different sources; for example, a static route against a route to the same prefix learned by
OSPF. The route with the lower distance wins. The metric is used for route selection between static
routes to the same destination, and the lower metric is preferred.
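The selection order described above, carried through as an added Python example that is not part of the Sophos course: the most specific prefix wins, then the lowest administrative distance, then the lowest metric, with a 0.0.0.0/0 entry standing in for the default route. The page's 192.168.16.0/24 route is kept; the other prefixes, gateway addresses, port names and distance/metric values are constructed for illustration:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class StaticRoute:
    network: IPv4Network
    gateway: str
    interface: str
    distance: int = 0   # administrative distance: compares routes from different sources
    metric: int = 0     # tie-breaker between static routes to the same destination


def select_route(routes, destination):
    """Pick the route used for one destination address.

    Preference order: the most specific prefix (longest prefix length), then the
    lowest administrative distance, then the lowest metric. A 0.0.0.0/0 entry is
    the default route and only wins when nothing more specific matches.
    Returns None when no route matches at all."""
    ip = IPv4Address(destination)
    matching = [r for r in routes if ip in r.network]
    return min(matching, key=lambda r: (-r.network.prefixlen, r.distance, r.metric), default=None)


# Constructed routing table: the page's 192.168.16.0/24 route, two competing entries
# for the same prefix, a less specific /16 and a default route. Gateways, ports and
# distance/metric values are illustrative, not taken from a real configuration.
ROUTES = [
    StaticRoute(IPv4Network("0.0.0.0/0"), "203.0.113.1", "PortB"),
    StaticRoute(IPv4Network("192.168.0.0/16"), "10.0.0.2", "PortA"),
    StaticRoute(IPv4Network("192.168.16.0/24"), "10.0.0.1", "PortA", distance=0, metric=0),
    StaticRoute(IPv4Network("192.168.16.0/24"), "10.0.0.3", "PortC", distance=0, metric=10),
    StaticRoute(IPv4Network("192.168.16.0/24"), "10.0.0.4", "PortD", distance=5, metric=0),
]

if __name__ == "__main__":
    for dst in ("192.168.16.10", "192.168.17.10", "8.8.8.8"):
        r = select_route(ROUTES, dst)
        print(f"{dst:>14} -> {r.network} via {r.gateway} on {r.interface}")
```

Removing the 10.0.0.1 entry shows the order of the tie-breakers: the remaining /24 routes are compared on distance before metric, so the distance 0, metric 10 route via 10.0.0.3 beats the distance 5, metric 0 route via 10.0.0.4.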

Introduction to Routing and SD-WAN on Sophos Firewall - 7


Simulation: Create a Static Route

In this simulation you will configure a static route on Sophos Firewall.

https://training.sophos.com/fw/simulation/StaticRoutes/1/start.html

Introduction to Routing and SD-WAN on Sophos Firewall - 8


Gateways
Gateways are configured in: CONFIGURE > Routing > Gateways

To configure SD-WAN routes you need to start by creating the gateway you will be sending the
traffic to. This is done in CONFIGURE > Routing > Gateways.

On this page you can see all your gateways, both those that you have added here, and the
gateways configured for WAN interfaces.

Introduction to Routing and SD-WAN on Sophos Firewall - 9


Gateways
Gateways are configured in: CONFIGURE > Routing > Gateways

• Gateway details
• Gateway health monitoring

When you add a gateway, start by specifying the IP address, the interface it can be reached on, and
optionally the zone it is in.

Further down the page you can configure the health monitoring for the gateway. This will be filled
in with the gateway IP address by default but can be customized to use a host accessed through
the gateway. You may need to do this if the gateway will not respond to PING or TCP requests from
Sophos Firewall.

Introduction to Routing and SD-WAN on Sophos Firewall - 10


SD-WAN Routes
SD-WAN routes are configured in: CONFIGURE > Routing > SD-WAN routes

SD-WAN routes are configured in two sections, the ‘Traffic selector’, which defines what traffic to
match on for the route, and the ‘Link selection settings’, which is used to determine the gateway to
use.

SD-WAN routes provide a much wider range of traffic selection criteria. You can select the traffic
you want to route based on:
• The interface it arrives at the Sophos Firewall on
• The source and destination networks
• The service
• DSCP marking
• User
• And application

Introduction to Routing and SD-WAN on Sophos Firewall - 11


SD-WAN Routes
SD-WAN routes are configured in: CONFIGURE > Routing > SD-WAN routes

In the ‘Link selection settings’ section you can choose between using an SD-WAN profile, which we
will cover shortly, or a primary and backup gateway.

The SD-WAN route will use the gateway health status to determine which of the gateways to use,
preferring the primary gateway when it is available.

If you always want the traffic to be routed via a specific gateway and no other, you can optionally
enable ‘Route only through specified gateways’. The route will then not fail over to an alternative
gateway, even when the specified gateway is unavailable.

Introduction to Routing and SD-WAN on Sophos Firewall - 12


Routing Precedence

1. Health check routes
2. Static routes: directly connected networks, dynamic routing protocols, unicast routes and SSL VPN routes
3. SD-WAN routes
4. IPsec VPN routes
5. Default route (WAN link manager)

The slide marks static routes, SD-WAN routes and IPsec VPN routes as the routes whose precedence
is configurable.

Routes are processed in order of precedence. By default, this is health check routes first, then
static routes, SD-WAN routes, VPN routes, and finally the default route. Health check routes always
take precedence as routing traffic to check gateway health must be done independently of any
routes configured. The default route is the gateway derived from the load balancing configuration
across active gateways.

The relative precedence of static routes, SD-WAN routes, and VPN routes can be modified on the
command line; however, the precedence within static routes depends on the specificity of the
route and its distance. The more specific the route, the higher its precedence, and the lower the
distance, the higher its precedence.

[Additional Information]
Routing behaviour documentation:
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyBehavior/index.html

Introduction to Routing and SD-WAN on Sophos Firewall - 13


Routing Precedence

console> system route_precedence show


Default routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
console> system route_precedence set sdwan_policyroute vpn static

At the top of the SD-WAN routes page, the current route precedence is displayed. This can be
checked and modified via the console using the system route_precedence command.

[Additional Information]
To access the console, connect using SSH and login as admin. Choose option 4 for Console.

Introduction to Routing and SD-WAN on Sophos Firewall - 14


Multiple Internet Connections

(Diagram: Sophos Firewall with two WAN connections, ISP 1 and ISP 2)

Sophos Firewall supports environments with multiple WAN connections. When you add a WAN
connection in Sophos Firewall you must specify a gateway, you can then use the WAN link manager
to configure how the WAN connections are used.

Introduction to Routing and SD-WAN on Sophos Firewall - 15


WAN Link Manager
WAN link manager configured in: CONFIGURE > Network > WAN link manager

The WAN link manager provides an immediate view of the status of your WAN gateways. Through
this page you can access advanced settings for your WAN gateways to configure how they are
used.

Introduction to Routing and SD-WAN on Sophos Firewall - 16


WAN Link Manager
WAN link manager configured in: CONFIGURE > Network > WAN link manager

• Gateway type: Active or Backup
• Failover and failback behaviour
• Rules for detecting failed active gateways

WAN gateways can be configured as either active or backup. Where there are multiple active
gateways, Sophos Firewall will load balance traffic between them. Where a gateway has been
configured as a backup, it will only be activated based on the configuration on this page, this could
be manually, or if any, all, or a specific gateway fails.

When a backup gateway is activated, it can inherit the weight of the gateway it is replacing, or you
can manually set the weight that it will be given.

You can configure how connections are handled when the active gateway comes back online,
either gradually serving new connections to the active gateway, or immediately switching all
connections to the active gateway. If all connections are immediately switched to the active
gateway when it comes back online, it can cause existing connections to be dropped and re-
established.

Further down the page you can define how Sophos Firewall can test if the gateway has failed, this
can use either PING or TCP connections to an IP address. You can also add multiple test conditions
so that if the test server is offline, it does not cause the gateway to failover.

Introduction to Routing and SD-WAN on Sophos Firewall - 17


SD-WAN Profiles

(Diagram: two links, one with latency 5ms and one with latency 134ms)

• Traffic selection using SD-WAN routes
• Link selection based on SLA

SD-WAN profiles provide link management that allow you to define routing strategies across
multiple gateways. Using SD-WAN profiles enables seamless and efficient routing and rerouting of
traffic based on the performance and stability of the link, optimizing network performance and
ensuring continuity.

For example, if you have multiple ISP connections, you can use SD-WAN profiles and policy routing
to ensure that business critical applications always use the best link.

Introduction to Routing and SD-WAN on Sophos Firewall - 18


SD-WAN Profiles

(Diagram: two links, one with latency 5ms and one with latency 134ms)

• Load balancing using SD-WAN routes
• Link selection based on SLA

Alternatively, you can choose to load balance the traffic between multiple connections and use the
SLA to determine which connections should be used.

Introduction to Routing and SD-WAN on Sophos Firewall - 19


SD-WAN Profiles

Source IP address
Destination IP address
Source and destination IP address
Connection

SD-WAN profiles are managed in CONFIGURE > Routing. Start by selecting the routing strategy,
which can be either first available gateway or load balancing.

When the load balancing mode is selected you can select the load balancing method used. You can
use ‘Round-robin’, which distributes the connections to each gateway in turn. Alternatively, you can
choose a session persistence type to use to route the traffic through the same gateway. You can
choose between:
• Source IP address
• Destination IP address
• Source and destination IP address
• Or connection

Introduction to Routing and SD-WAN on Sophos Firewall - 20


SD-WAN Profiles

Select up to 8 gateways

You can select up to 8 gateways, these can include custom gateways such as route-based VPN
gateways.

Introduction to Routing and SD-WAN on Sophos Firewall - 21


SD-WAN Profiles

If you are using load balancing, you can choose to weight the distribution of traffic across the
gateways. For example, you may want to do this if the connections are different speeds. By default,
all gateways are given a weight of one.

Introduction to Routing and SD-WAN on Sophos Firewall - 22


SD-WAN Profiles

Select performance criteria for SLA

The default SLA, service level agreement, selects the gateway with the best quality link based on
latency. You can change this to alternatively use jitter or packet loss for determining the quality of
the link.

For load balancing, the SLA can be used to select only the gateways that meet the minimum quality
settings that you select.

Introduction to Routing and SD-WAN on Sophos Firewall - 23


SD-WAN Profiles

• Probe via Ping or TCP connection
• Configure one or two probe targets
• Customize the health check settings

SD-WAN profiles provide granular options for monitoring the health of the link. Please note that
when you have an SLA enabled for the profile, you cannot disable the health check.

The health check can be done using either Ping or TCP, to either one or two probe targets. Where
TCP is selected, the port must be entered for the probe targets.

You may want to change the probe target, either in the case that the gateway does not respond to
PING, or to better test that the gateway is able to route through to the destination network. If you
are only testing the gateway, you are testing the interface closest the firewall, this does not test
that the outbound interface is also operational.

You can also refine the health checks by specifying the interval between checks, response time-
out, when to deactivate and activate gateways, and the sample size that is used for the SLA.
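The behaviour described over the last few slides, as an added Python model that is not Sophos code: a gateway health check with deactivate and activate thresholds, latency, jitter and packet loss computed over a sample window, and the ‘first available gateway’ and load-balancing strategies with weights, an SLA filter and session persistence. The threshold defaults and the jitter definition (mean change between consecutive replies) are this example's assumptions, and the probe results it is fed are constructed rather than measured:

```python
import statistics
import zlib
from collections import deque


class Gateway:
    """One SD-WAN gateway with its probe history and health state.

    The threshold defaults are this example's assumptions, not Sophos defaults."""

    def __init__(self, name, weight=1, sample_size=5, deactivate_after=3, activate_after=2):
        self.name, self.weight, self.active = name, weight, True
        self.samples = deque(maxlen=sample_size)   # most recent probe results, used for the SLA
        self.deactivate_after, self.activate_after = deactivate_after, activate_after
        self._fails = self._oks = 0

    def record_probe(self, latency_ms):
        """Feed one Ping/TCP probe result; None means the probe timed out."""
        self.samples.append(latency_ms)
        if latency_ms is None:
            self._fails, self._oks = self._fails + 1, 0
            if self.active and self._fails >= self.deactivate_after:
                self.active = False      # consecutive failures: take the gateway out of service
        else:
            self._oks, self._fails = self._oks + 1, 0
            if not self.active and self._oks >= self.activate_after:
                self.active = True       # consecutive successes: bring it back

    def metrics(self):
        """Latency (mean), jitter (mean change between consecutive replies, this
        example's definition) and loss, all over the sample window."""
        good = [s for s in self.samples if s is not None]
        loss = 1 - len(good) / len(self.samples) if self.samples else 1.0
        latency = statistics.fmean(good) if good else float("inf")
        jitter = statistics.fmean([abs(a - b) for a, b in zip(good, good[1:])]) if len(good) > 1 else 0.0
        return {"latency": latency, "jitter": jitter, "loss": loss}


def first_available(gateways):
    """'First available gateway' strategy: the first active gateway in profile order."""
    return next((g for g in gateways if g.active), None)


def best_by_sla(gateways, criterion="latency"):
    """Default SLA behaviour: the active gateway with the best value for one criterion."""
    active = [g for g in gateways if g.active]
    return min(active, key=lambda g: g.metrics()[criterion], default=None)


def load_balanced(gateways, sla, persistence="round_robin", state=None, src="", dst="", conn=""):
    """Load balancing: only active gateways meeting every threshold in `sla`
    (for example {"latency": 50, "loss": 0.05}) are eligible; weight expands a
    gateway's share; persistence pins a flow key to the same gateway across calls."""
    eligible = [g for g in gateways if g.active
                and all(g.metrics()[k] <= limit for k, limit in sla.items())]
    if not eligible:
        return None
    slots = [g for g in eligible for _ in range(g.weight)]
    if persistence == "round_robin":
        state = state if state is not None else {}
        state["n"] = state.get("n", 0) + 1
        return slots[state["n"] % len(slots)]
    key = {"source_ip": src, "destination_ip": dst,
           "source_and_destination_ip": src + "|" + dst, "connection": conn}[persistence]
    return slots[zlib.crc32(key.encode()) % len(slots)]   # crc32 is stable across runs, hash() is not


if __name__ == "__main__":
    isp1, isp2 = Gateway("ISP1", weight=2), Gateway("ISP2", weight=1)
    for ms in (5, 6, 5, 7, 5):
        isp1.record_probe(ms)
    for ms in (134, 140, 120, None, 130):
        isp2.record_probe(ms)
    print("best by latency:", best_by_sla([isp1, isp2]).name, isp2.metrics())
    for _ in range(3):
        isp1.record_probe(None)
    print("after 3 timeouts, first available:", first_available([isp1, isp2]).name)
```

Feeding record_probe three timeouts from a single probe target is enough to pull an otherwise healthy gateway out of service, which is why the page suggests a second probe target: the eligible set only changes when the gateway itself is judged down, not when one test host is.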

Introduction to Routing and SD-WAN on Sophos Firewall - 24


SD-WAN Profiles

From the SD-WAN profile page you can see immediately which gateway has been selected. You can
also get real-time status of the gateways by clicking the clipboard icon. The chart icon will take you
to the SD-WAN monitoring graphs.

Introduction to Routing and SD-WAN on Sophos Firewall - 25


SD-WAN Profiles

The SD-WAN monitoring graphs can be found in MONITOR & ANALYZE > Diagnostics > SD-WAN
performance.

Here you can see the distribution of the connections and data across the gateways. This data can
be reset if you are troubleshooting your SD-WAN profile configuration.

Introduction to Routing and SD-WAN on Sophos Firewall - 26


SD-WAN Profiles

Further down the page, the graphs provide current and historical data on latency, jitter, and packet
loss, for each of the gateways in the selected SD-WAN profile.

The view can be changed to show graphs for Live, the last 24 and 48 hours, the last week, or the
last month.

Introduction to Routing and SD-WAN on Sophos Firewall - 27


SD-WAN Profiles Demo

In these demos you will see how to configure an SD-WAN profile for multiple Internet connections.

FIRST AVAILABLE GATEWAY: https://training.sophos.com/fw/demo/SdWanProfile/1/play.html

LOAD BALANCING: https://training.sophos.com/fw/demo/SdWanLoadBalancing/1/play.html

Introduction to Routing and SD-WAN on Sophos Firewall - 28


Chapter Review

The default route precedence on Sophos Firewall is static routes, SD-WAN routes, VPN
routes, and then the default route. Static routes comprise directly connected
networks, dynamic routing protocols, and static unicast routes

WAN link manager is used to manage Internet links. You can configure links as active or
backup and customize failover and failback settings and health monitoring. Gateways is
used to create health monitored gateways for use with SD-WAN routes and profiles

SD-WAN profiles provide link management that allow you to define routing strategies
across multiple gateways, rerouting traffic based on the performance and stability of
the link, optimizing network performance and ensuring continuity

Here are the three main things you learned in this chapter.

The default route precedence on Sophos Firewall is static routes, SD-WAN routes, VPN routes, and
then the default route. Static routes comprise directly connected networks, dynamic routing
protocols, and static unicast routes.

The WAN link manager is used to manage Internet links. You can set links as active or backup, set
the failover and failback configuration, and customize the health monitoring. The Gateways page is
used to create health monitored gateways for use with SD-WAN routes and profiles.

SD-WAN profiles provide link management that allow you to define routing strategies across
multiple gateways, rerouting traffic based on the performance and stability of the link, optimizing
network performance and ensuring continuity.

Introduction to Routing and SD-WAN on Sophos Firewall - 33


Introduction to Routing and SD-WAN on Sophos Firewall - 34
Advanced Routing
Configuration on Sophos
Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]
Sophos Firewall
FW1530: Advanced Routing Configuration on Sophos Firewall

November 2022
Version: 19.5v1


Advanced Routing and SD-WAN Configuration on Sophos Firewall - 1


Advanced Routing Configuration on Sophos Firewall
In this chapter you will learn how Sophos Firewall routes traffic, how to manage gateways, and
how to configure SD-WAN profiles and routes.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring static routes
✓ Creating gateways and SD-WAN routes

DURATION

30 minutes

In this chapter you will learn how Sophos Firewall routes traffic, how to manage gateways, and
how to configure SD-WAN profiles and routes.

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 2


Routing

1. Health check routes
2. Static routes: directly connected networks, dynamic routing protocols, unicast routes and SSL VPN routes
3. SD-WAN routes
4. IPsec VPN routes
5. Default route (WAN link manager)

The slide marks static routes, SD-WAN routes and IPsec VPN routes as the routes whose precedence
is configurable.

Sophos Firewall supports multiple methods for building and dynamically controlling the routing.
These fall into three main types of route: static routes, SD-WAN routes, and VPN routes, which are
processed in order. In addition to these there are the health check routes and the default route.
The health check routes carry the traffic for health probes independently of any routes configured.
The default route selects the gateway based on the configuration in the WAN link manager.

Static routes define the gateway to use based on the destination network. This includes directly
connected networks, routes added by dynamic routing protocols, and routes created for SSL VPNs.

SD-WAN routes make decisions based on the properties of the traffic, such as source, destination
and service.

VPN routes are created automatically when policy-based IPsec VPN connections are established
with the Sophos Firewall.

Please note that the precedence of static routes, SD-WAN routes, and VPN routes can be modified
on the command line.

[Additional Information]
Routing behaviour documentation:
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyBehavior/index.html

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 3


PBR: Policy (SD-WAN) Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

Packet Routing

The diagram shows the stages a packet passes through, in order:
1. Packet arrives
2. Pre-routing: mark the packet if there is a PBR match
3. Routing lookup: traverse the full routing and mark the destination zone
4. NAT lookup for DNAT/Full NAT rules; the destination zone is updated as per DNAT
5. Firewall: rule matching done on the post-NAT zone and pre-NAT IP
6. RTG -> MLM: mark if there is a match for RTG; if WAN traffic has no PBR and no RTG mark, mark it for MLM
7. Routing lookup: traverse the full routing as per precedence (PBR, VPN, Main, All)
8. NAT: DNAT or Full NAT as per the rule matched in the earlier NAT lookup, plus a NAT lookup for the best-match SNAT or linked NAT rule; the packet is delivered

This diagram shows how routing is applied to packets by the Sophos Firewall.

After the packet arrives, the Sophos Firewall checks if it matches an SD-WAN route, and if so,
marks the packet. This is used later.
The full routing precedence is traversed, and the destination zone of the packet is marked.

The NAT lookup is performed as previously covered, and the destination zone is updated if a DNAT
or Full NAT rule is matched.

The packet is matched in the firewall based on the post-NAT zone and pre-NAT IP.

Sophos Firewall checks if there is a match for a route through gateway, these will be any migrated
SD-WAN routes created from gateways configured in firewall rules in v17.5.
If the traffic is destined for the WAN zone and no PBR or RTG has been matched, the packet is
marked for MLM.
MLM is the gateway derived from the load balancing configuration across active gateways.

The packet then traverses the full routing as per the precedence.

Lastly, there is a NAT lookup.

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 4


PBR: Policy (SD-WAN) Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

Packet Routing

XG135_XN02_SFOS 18.0.0# ip rul ls
0: from all lookup local
51: from all fwmark 0x4002 lookup gw2
51: from all fwmark 0x4001 lookup gw1
51: from all fwmark 0x4003 lookup gw3
53: from all lookup main
54: from all fwmark 0x200 lookup routeipsec0
150: from all fwmark 0x8002 lookup gw2
150: from all fwmark 0x8001 lookup gw1
150: from all fwmark 0x8003 lookup gw3
151: from 192.168.254.1 lookup wanlink2
151: from 10.101.102.127 lookup wanlink1
220: from all iif lo lookup 220
221: from all lookup multilink
32766: from all lookup main
32767: from all lookup default

Slide annotations:
• Priority 0 (local): matches when Sophos Firewall sends traffic to itself; added by the Linux kernel
• Priority 51 (fwmark 0x4001 to 0x4003): match PBR if the packet is marked
• Priority 53 (main): static routes, including static, dynamic and directly connected networks
• Priority 54 (fwmark 0x200): IPsec VPN routes
• Priority 150 (fwmark 0x8001 to 0x8003): RTG and MLM
• Priority 151 (from the WAN interface IP addresses): system generated traffic
• Priorities 220 and 221: system generated traffic and IPsec VPN; MLM for system generated traffic with no marking. Most traffic does not pass this point
• Priorities 32766 and 32767 (main, default): added by the Linux kernel; IPv6 default route. Traffic generally will not reach this point

Here is an example of the routing policy rules (ip rule) on Sophos Firewall. You can see that each
rule uses a combination of the source address and the fwmark to select which routing table to look
up for a gateway.

A few points to note:


• The orange boxes are added or managed by the kernel
• Packets are only marked for one of PBR, RTG or MLM
• If a packet is marked for RTG, the Sophos Firewall will still traverse the full route precedence,
but will not be able to match PBR because the fwmark will be different
• RTG will always have a lower precedence than VPN and static

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 5


Packet Routing

XG135_XN02_SFOS 18.0.0# ip route list table wanlink1


default via 10.1.1.250 dev PortB proto static src 10.1.1.100
prohibit default proto static metric 1

From the routing table you can then lookup the route table associated with each gateway as
shown here.

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 6


Packet Routing

Routing policies (ip rule list):
0 from all lookup local
1 from all fwmark 0x1001 lookup gw1
51 from all fwmark 0x4001 lookup gw1
52 from all lookup main
53 from all fwmark 0x200 lookup routeipsec0
150 from all fwmark 0x8001 lookup gw1
150 from all fwmark 0x8002 lookup gw2
221 from all lookup multilink

Routing tables (ip route list table <name>):

main
103.226.184.250 dev Port2_ppp proto kernel scope link src 10.250.18.43
192.168.30.0/24 via 192.168.100.2 dev Port1 proto zebra
192.168.31.0/24 via 192.168.100.2 dev Port1 proto zebra
192.168.100.0/24 dev Port1 proto kernel scope link src 192.168.100.1

gw1
default via 103.226.184.250 dev Port2_ppp proto static
prohibit default proto static metric 1

routeipsec0
(contents not shown on the slide)

gw2
default via 192.168.8.1 dev WWAN1 proto static
prohibit default proto static metric 1

multilink
default proto static
nexthop via 103.226.184.250 dev Port2_ppp weight 1
nexthop via 192.168.8.1 dev WWAN1 weight 1

By using the ip rule list and ip route list table commands you can navigate the
routing table tree to identify how traffic is being routed.
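An added Python model of the walk described on the last three slides (rules in priority order, then the selected table), which is not Sophos code. It parses the `ip rule` and `ip route list table` text formats and reproduces the Linux semantics that matter here: a rule only matches when its fwmark equals the packet's mark, a selected table with no matching route lets the lookup continue with the next rule, a `prohibit` route ends the lookup, and a multipath `default` spreads flows across its nexthops by weight. The rule and table text is a constructed subset of the listings above, and the multipath choice is a deterministic stand-in for the kernel's flow hash:

```python
from ipaddress import ip_address, ip_network

# Constructed subset of the 'ip rule' and 'ip route list table' output shown above.
RULES = """\
0: from all lookup local
51: from all fwmark 0x4001 lookup gw1
51: from all fwmark 0x4002 lookup gw2
53: from all lookup main
150: from all fwmark 0x8001 lookup gw1
150: from all fwmark 0x8002 lookup gw2
221: from all lookup multilink
"""
TABLES = {
    "main": "192.168.30.0/24 via 192.168.100.2 dev Port1 proto zebra\n"
            "192.168.100.0/24 dev Port1 proto kernel scope link src 192.168.100.1\n",
    "gw1": "default via 103.226.184.250 dev Port2_ppp proto static\n"
           "prohibit default proto static metric 1\n",
    "gw2": "default via 192.168.8.1 dev WWAN1 proto static\n"
           "prohibit default proto static metric 1\n",
    "multilink": "default proto static\n"
                 "nexthop via 103.226.184.250 dev Port2_ppp weight 1\n"
                 "nexthop via 192.168.8.1 dev WWAN1 weight 1\n",
}


def _pairs(toks):
    """Adjacent-token dict: 'via X dev Y' -> {'via': 'X', 'dev': 'Y', ...}."""
    return dict(zip(toks, toks[1:]))


def _hop(toks):
    kv = _pairs(toks)
    return {"via": kv.get("via"), "dev": kv.get("dev"), "weight": int(kv.get("weight", 1))}


def parse_rules(text):
    """Parse 'ip rule' lines into dicts sorted by priority; src None means 'from all'."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if toks:
            kv = _pairs(toks[1:])
            rules.append({
                "prio": int(toks[0].rstrip(":")),
                "src": None if kv.get("from", "all") == "all" else ip_network(kv["from"], strict=False),
                "fwmark": int(kv["fwmark"], 16) if "fwmark" in kv else None,
                "iif": kv.get("iif"),
                "table": kv.get("lookup"),
            })
    return sorted(rules, key=lambda r: r["prio"])


def parse_table(text):
    """Parse 'ip route list table X' lines; 'nexthop' lines extend the previous route."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "nexthop":
            entries[-1]["nexthops"].append(_hop(toks))
            continue
        kind = toks[0] if toks[0] in ("prohibit", "unreachable", "blackhole") else "unicast"
        toks = toks[1:] if kind != "unicast" else toks
        prefix = ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
        kv = _pairs(toks)
        entry = {"prefix": prefix, "kind": kind, "metric": int(kv.get("metric", 0)), "nexthops": []}
        if "via" in kv or "dev" in kv:
            entry["nexthops"].append(_hop(toks))
        entries.append(entry)
    return entries


def lookup_table(entries, dst):
    """Longest prefix wins, then the lowest metric; None when nothing matches."""
    hits = [e for e in entries if dst in e["prefix"]]
    return min(hits, key=lambda e: (-e["prefix"].prefixlen, e["metric"]), default=None)


def route_packet(rules, tables, src, dst, fwmark=0, iif=None):
    """Walk the rules in priority order. A selected table with no matching route
    falls through to the next rule; a prohibit route terminates the lookup."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["fwmark"] is not None and r["fwmark"] != fwmark:
            continue
        if r["iif"] is not None and r["iif"] != iif:
            continue
        hit = lookup_table(tables.get(r["table"], []), d)
        if hit is None:
            continue
        if hit["kind"] != "unicast":
            return {"rule": r["prio"], "table": r["table"], "result": hit["kind"]}
        # Deterministic stand-in for the kernel's multipath hash, honouring weights.
        slot = (int(s) + int(d)) % sum(n["weight"] for n in hit["nexthops"])
        for nh in hit["nexthops"]:
            slot -= nh["weight"]
            if slot < 0:
                return {"rule": r["prio"], "table": r["table"], "result": "forward", **nh}
    return {"result": "unreachable"}


RULE_LIST = parse_rules(RULES)
TABLE_MAP = {name: parse_table(text) for name, text in TABLES.items()}
```

Tracing a packet marked 0x8001 (RTG) to 8.8.8.8 shows the point made in the notes: it skips the 0x4001 PBR rule because the mark differs, finds no default route in main, and is routed by the priority 150 rule. Replacing the gw1 table with only its `prohibit default` entry, as happens when the gateway's default route is withdrawn, shows why that entry exists: the lookup for PBR-marked traffic stops with a prohibit result instead of silently falling through to multilink.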



Setting Routing Precedence
(Additional information in the notes)

• Route precedence can be managed on the console
• By default, static routes have the highest precedence

console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
console> system route_precedence set sdwan_policyroute static vpn
console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. Static routes
3. VPN routes
console>

By default, static routing has the highest priority; this can be viewed on the console, and changed if
necessary, using the system route_precedence command.

[Additional Information]

The commands for managing route precedence are:


system route_precedence show - Display current route precedence
system route_precedence set sdwan_policyroute vpn static - Set new
route precedence

Default route precedence:


• Static routes
• SD-WAN policy routes
• VPN routes



Gateway Management

WAN Link Manager (Network > WAN link manager)
• Manage default gateways on WAN links only
• Cannot create new gateways

Gateway Manager (Routing > Gateways)
• All gateways; default WAN gateways are also available here
• Add new gateways for use in routing

There are two gateway management tools on the Sophos Firewall, the WAN link manager, and the
gateway manager.

The WAN link manager allows you to modify existing WAN gateways that are created when new
interfaces are added to the Sophos Firewall on the WAN zone. The WAN link manager does not
allow an admin to create new WAN links from this location; to add a new link, a new interface
would need to be created. Only modifications can be done here.

The Gateway manager allows you to create gateways on the Sophos Firewall that can forward
traffic to other networks. These gateways can be used to control the flow of traffic through the
Sophos Firewall by coupling these gateways with routing rules. WAN gateways do not need to be
created since they are automatically added when a WAN interface is created.



CONFIGURE > Network > WAN link manager
WAN Link Manager

The WAN link manager allows you to configure Internet gateways to support failover and load
balancing.

Using failover, you can minimize the chance of a service disruption and ensure connectivity to the
Internet.

You can achieve failover using an active–backup configuration. In the event of a link failure, the
firewall reroutes traffic to available connections, and traffic is distributed among links according to
their assigned weights. During failover, the firewall monitors the health of the dead link and
redirects traffic to it once it is restored.

Load balancing allows you to optimize connectivity by distributing traffic among links. Traffic is
assigned according to the weight specified in the links. You can achieve load balancing using an
active-active configuration.



WAN Link Manager

Active or backup gateway

Gateway priority

When editing WAN gateways, you can set each gateway as either active, in which case the firewall will
use it to route traffic, or backup, in which case the gateway will not be used.

The weight sets the priority of the gateway for allocating traffic. This value determines how much
traffic will pass through the link in relation to the other available links.

You can set the failover rules for the gateway. This determines how the firewall will test whether
the gateway is available, or if it needs to use another gateway.



WAN Link Manager Failover Rules

By default, the failover rules will be configured with a single rule that will attempt to PING the
gateway IP address. You may need to change this if the gateway is configured not to respond to
PING requests.

You can configure failover rules using either PING or TCP connections. You can also choose to
include multiple rules that can be combined using AND, so failover will only happen if both tests
fail, or they can be combined using OR, where failover will happen if either test fails.

Having multiple failover tests can prevent an unnecessary failover when only the test server, rather
than the gateway, is unavailable. You can also configure the tests to check access to services
through the gateway and not just the availability of the gateway itself.



Backup Gateway

Activation method

Weight setting

Session handling

For backup gateways there are some additional options.

You can choose to activate the backup gateway either manually, which is the default option, or
dynamically if an active gateway fails. This can be if ANY gateway fails, if ALL gateways fail, or if a
specific gateway fails.

You can also choose for the backup gateway to inherit the weight of the failed active gateway or
use the configured weight.

The action on failback option can be used to control how sessions are handled if the active
gateway comes back online. You can choose to serve new connections through the restored
gateway, or force all connections, including current connections through the restored gateway.
Forcing current connections through the restored gateway can in some circumstances cause the
session to fail for that connection because the traffic is routed asymmetrically.



WAN Link Manager Traffic Report

By clicking on the report icon in the gateway row, you can view the traffic utilization for that
gateway. This can be either weekly, monthly, or for a custom time period.



CONFIGURE > Routing > Gateways
Gateway Manager

The gateway manager on the Sophos Firewall allows the configuration of IPv4 and IPv6 gateways
for use with SD-WAN routes.

New gateways are added in CONFIGURE > Routing > Gateways.



CONFIGURE > Routing > Gateways
Gateway Manager

To configure a gateway, enter the IP address and optionally select which interface should be used
to reach it. You can also select a zone, which we will cover later in this section.

Gateways can be monitored using a health check that will test whether the gateway is up by
pinging it at regular intervals, and email notifications can be enabled for when the gateway state
changes.

Please note, if health monitoring is not enabled, the Sophos Firewall will always assume the
gateway is available.



Gateways

• Supported interfaces:

  Interface                      IPv4   IPv6
  Static                          ✓      ✓
  DHCP                            ✓      ✓
  PPPoE                           ✓
  Bridge                          ✓      ✓
  LAG (Link Aggregation Group)    ✓      ✓
  VLAN (Virtual LAN)              ✓      ✓
  WWAN (Wireless WAN)             ✓
  IPsec Tunnel (xfrm)             ✓      ✓

• Unsupported interfaces: IPsec, GRE, IP Tunnels, SSL VPN site-to-site

This table shows which interface types are supported for IPv4 and IPv6 gateways. IPsec, GRE, IP
Tunnels and SSL site-to-site VPNs are not supported.



SD-WAN Routes
• SD-WAN routing influences routing table decisions
• Supports advanced routing scenarios
• Support for next-hop and interface-based gateway
• Configured using gateway hosts and SD-WAN route rules
• User and group application-based traffic selection criteria
• Synchronized SD-WAN
• SD-WAN profiles select the gateway based on the
link quality or load balance connections

Routing is usually determined by the destination of the traffic; however, SD-WAN routing allows
decisions to be based on other criteria, such as the source and traffic type.

There are two elements for configuring SD-WAN routing on the Sophos Firewall, gateways and SD-
WAN route rules.

If you have multiple Internet connections, routing can be defined through either the primary or
backup gateway WAN connection and can be configured for the reply direction.

Synchronized SD-WAN offers additional benefits with SD-WAN application routing. It leverages the
added clarity and reliability of application identification that comes with the sharing of
Synchronized Application Control information between Sophos Central managed endpoints and
Sophos Firewall.

SD-WAN profiles provide link management that allow you to define routing strategies across
multiple gateways. Using SD-WAN profiles enables seamless and efficient routing and rerouting of
traffic based on the performance and stability of the link, optimizing network performance and
ensuring continuity.



SD-WAN Profiles

First available gateway:
• Configure for redundancy
• Can use SLA to select best link

Load balancing:
• Provides redundancy and performance
• Can use SLA to select gateways to include

SD-WAN profiles can be configured to use one of two routing strategies: first available gateway or
load balancing.

The first available gateway strategy will use the first gateway that has been selected that is online.
When paired with the SLA configuration it will switch between links to use the best quality link that
is available. This routing strategy can provide redundancy and quality.

Load balancing can provide both redundancy and performance by distributing traffic across all
available gateways. When paired with the SLA configuration, only gateways that meet the SLA are
included for load balancing. Gateways that do not meet the SLA will not be used.



Load Balancing Modes

ROUND ROBIN                 All traffic is distributed between the gateways in turn

SESSION PERSISTENCE
  SOURCE IP ADDRESS         Traffic from the same source IP address is always sent through the
                            same gateway
  DESTINATION IP ADDRESS    Traffic to the same destination IP address is always sent through the
                            same gateway
  SOURCE IP ADDRESS AND     Traffic that has the same source and destination IP address is always
  DESTINATION IP ADDRESS    sent through the same gateway
  CONNECTION                Traffic for a connection is always sent through the same gateway

When you configure an SD-WAN profile using load balancing you can choose between either round
robin or session persistence.

When you select round robin, all traffic is distributed between the gateways in turn.

There are four session persistence modes that you can choose from:
• Source IP address, where the traffic that originates from an IP address is always sent through
the same gateway
• Destination IP address, where traffic destined for the same IP address is always sent through
the same gateway
• Source IP address and destination IP address, which sends traffic between a pair of source and
destination IP addresses through the same gateway
• And connection, which sends all traffic associated with a specific connection through the same
gateway



SD-WAN Profile SLA

Select performance criteria for SLA

The default SLA, service level agreement, selects the gateway with the best quality link based on
latency. You can change this to alternatively use jitter or packet loss for determining the quality of
the link.

Network latency, sometimes called lag, is the term used to describe how long data takes to reach
its destination.

Jitter measures the changes in the latency in a network connection, where zero milliseconds of
jitter is data being delivered at a constant latency, and five milliseconds of jitter would indicate that
the latency is not stable and can vary by five milliseconds. This can be caused by network
congestion.

Packet loss measures how many packets do not reach their destination as a percentage of packets
sent.



SD-WAN Profile SLA

Configure a custom SLA using a mix of latency, jitter, and packet loss

You also have the option to define a custom SLA that is based on any combination of latency, jitter,
and packet loss. For each of the criteria that you want to use you can define maximum values.

The default values are based on general web traffic, but examples of other traffic types can be seen
by hovering over the information icon for Recommended SLA values.

For example, you could configure an SLA for SIP that requires packet loss not to exceed 1%.



SD-WAN Profile Health Check

Probe via Ping or TCP connection

Configure one or two probe targets

Customize the health check settings

SD-WAN profiles provide granular options for monitoring the health of the link. Please note that
when you have an SLA enabled for the profile, you cannot disable the health check.

The health check can be done using either Ping or TCP, to either one or two probe targets. Where
TCP is selected, the port must be entered for the probe targets.

You can also refine the health checks by specifying the interval between checks, response timeout,
when to deactivate and activate gateways, and the sample size that is used for the SLA.



SD-WAN Profile Health Check

The SLA sample size forms a sliding window for determining link performance

[Diagram: a timeline of probes with a 1s interval between checks; the SLA sample size
window slides along it. Marked points: first SLA verdict (latency 150ms, jitter 50ms,
loss 0%); link is down (3 consecutive failures); link is up (5 consecutive responses;
latency 150ms, jitter 50ms, loss 0%).]

In this example the sample size is 5. The default sample size is 30.

Let’s see how the health settings work with an example.

Here you can see the timeline for health check probes, and in this example, we are using a one
second interval between probes.

The SLA sample size forms a sliding window over time. The default sample size is 30, but in this
example, we are using 5.

Once the SLA sample size is reached, the first SLA verdict is returned, and it is updated on each
probe. The time taken to report the first verdict is the SLA sample size multiplied by the interval
between checks.

When there are three consecutive failures the firewall determines that the link is down.

If the link comes back up, the firewall will change its status after receiving the configured number
of consecutive responses, five in this example.
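To make the timeline concrete, here is an added Python model of the health check and SLA window described above; it is my illustration, not code from Sophos Firewall. The defaults match the example on the slide (sample size 5, 1 second interval, 150 ms latency, 50 ms jitter, 0% loss, down after 3 consecutive failures, up after 5 consecutive responses). How the firewall actually computes jitter is not on the page; the model uses the mean change in latency between consecutive replies, which is an assumption.

```python
from collections import deque
from statistics import mean


class LinkHealthMonitor:
    """Sliding-window SLA verdict plus up/down state machine for one gateway (constructed model).

    Defaults follow the slide's example: sample size 5, 1 s probe interval, SLA limits of
    150 ms latency, 50 ms jitter and 0 % loss, down after 3 consecutive failures and up again
    after 5 consecutive responses. The product default sample size is 30.
    """

    def __init__(self, sample_size=5, interval_s=1, down_after=3, up_after=5,
                 max_latency_ms=150, max_jitter_ms=50, max_loss_pct=0):
        self.sample_size = sample_size
        self.interval_s = interval_s
        self.down_after = down_after
        self.up_after = up_after
        self.limits = {"latency_ms": max_latency_ms, "jitter_ms": max_jitter_ms, "loss_pct": max_loss_pct}
        self.window = deque(maxlen=sample_size)  # latency per probe, None = no reply
        self.state = "up"                         # a freshly added gateway is assumed up (assumption)
        self.failures = 0                         # consecutive probes without a reply
        self.responses = 0                        # consecutive probes with a reply
        self.probes = 0

    def metrics(self):
        """Latency, jitter and loss over the window, or None until the window is full."""
        if len(self.window) < self.sample_size:
            return None
        replies = [lat for lat in self.window if lat is not None]
        loss = 100.0 * (len(self.window) - len(replies)) / len(self.window)
        latency = mean(replies) if replies else float("inf")
        # Jitter modelled as the mean change in latency between consecutive replies (assumption).
        jitter = mean(abs(a - b) for a, b in zip(replies, replies[1:])) if len(replies) > 1 else 0.0
        return {"latency_ms": latency, "jitter_ms": jitter, "loss_pct": loss}

    def meets_sla(self):
        """True/False once a verdict exists, None while the sample window is still filling."""
        current = self.metrics()
        if current is None:
            return None
        return all(current[key] <= limit for key, limit in self.limits.items())

    def record_probe(self, latency_ms):
        """Feed one probe result (None = timed out) and return the verdict after it."""
        self.probes += 1
        self.window.append(latency_ms)
        if latency_ms is None:
            self.failures, self.responses = self.failures + 1, 0
            if self.failures >= self.down_after:
                self.state = "down"
        else:
            self.responses, self.failures = self.responses + 1, 0
            if self.state == "down" and self.responses >= self.up_after:
                self.state = "up"
        return {"probe": self.probes, "state": self.state, "sla": self.meets_sla(), "metrics": self.metrics()}

    def time_to_first_verdict_s(self):
        """Seconds before the first SLA verdict: sample size multiplied by the probe interval."""
        return self.sample_size * self.interval_s


def run_timeline(results, **kwargs):
    """Replay a probe timeline and return (probe number, state, SLA verdict) after each probe."""
    monitor = LinkHealthMonitor(**kwargs)
    return [(v["probe"], v["state"], v["sla"]) for v in (monitor.record_probe(r) for r in results)]


# Constructed timeline: five good replies, three timeouts, then five replies again.
TIMELINE = [20, 22, 21, 23, 22, None, None, None, 30, 31, 30, 32, 31]

if __name__ == "__main__":
    for row in run_timeline(TIMELINE):
        print(row)
```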



SLA and Health Check Behavior for First Available Gateway

SLA Enabled   Health Check Enabled   Behavior
OFF           OFF                    All gateways are assumed to be up and the first gateway
                                     will be used
OFF           ON                     The first gateway that becomes available will be used
ON            ON                     The gateway with the best quality based on the SLA will
                                     be used

SLA and health check can be independently configured. Let’s look at how these combine to control
the behavior when using the first available gateway strategy.

With the SLA and health check both disabled, all gateways are assumed to be up and the first
gateway will be used.

When the SLA is disabled but the health check is enabled, Sophos Firewall will use the first gateway
that becomes available.

And when both the SLA and health check are enabled, Sophos Firewall will start to use the gateway
with the best quality link based on the SLA.



SLA and Health Check Behavior for Load Balancing

SLA Enabled   Health Check Enabled   Behavior
OFF           OFF                    All gateways are assumed to be up and are included for
                                     load balancing
OFF           ON                     Load balance as soon as at least one gateway becomes
                                     available
ON            ON                     Load balance as soon as at least one gateway becomes
                                     available that meets the SLA
                                     Only include gateways that meet the SLA

Let’s see how this works when using load balancing.

With the SLA and health check both disabled, all gateways are assumed to be up and are included
for load balancing.

When the SLA is disabled but the health check is enabled, Sophos Firewall will start load balancing
as soon as at least one gateway becomes available.

And when both the SLA and health check are enabled, Sophos Firewall will start load balancing as
soon as at least one gateway becomes available, and only include the gateways that meet the SLA.



SLA Behavior

What if no gateways meet the SLA?

FIRST AVAILABLE GATEWAY LOAD BALANCING

So what if no gateways meet the SLA?

If you are using the first available gateway routing strategy, Sophos Firewall will use the first
gateway in the list.

If you are using load balancing, Sophos Firewall will use all available gateways.



SD-WAN Profiles

[Diagram: three links with bandwidths of 1Gbps, 500Mbps and 250Mbps]

You can also apply weights to the gateways where higher numbers are preferred. You may want to
do this if your links have different amounts of bandwidth to help ensure that the traffic is
appropriately allocated between them. For example, you might have a fast primary link and two
slower links. You could weight these in a ratio dependent on their bandwidth.

So here we have 1 gigabit, 500 megabit, and 250 megabit connections. Each connection is half the
speed of the next fastest, so the weights could be applied by doubling for each link.
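The following added Python example (my model, not Sophos code) pulls together the SLA and health check tables, the fallback when no gateway meets the SLA, the round robin and session persistence modes, and the 4:2:1 weighting of the 1 gigabit, 500 megabit and 250 megabit links just described. The gateway names and the flow fields are constructed; hashing the persistence key with SHA-256 is an assumption, since the page does not say how the firewall maps a session to a gateway.

```python
import hashlib

# Constructed gateways; weights follow the 1 Gbps / 500 Mbps / 250 Mbps slide (4:2:1).
GATEWAYS = [
    {"name": "fibre_1g", "weight": 4, "up": True, "meets_sla": True},
    {"name": "cable_500m", "weight": 2, "up": True, "meets_sla": True},
    {"name": "lte_250m", "weight": 1, "up": True, "meets_sla": False},
]

# Flow fields that identify a "session" for each persistence mode on the slide.
PERSISTENCE_KEYS = {
    "source_ip": ("src",),
    "destination_ip": ("dst",),
    "source_and_destination_ip": ("src", "dst"),
    "connection": ("proto", "src", "sport", "dst", "dport"),
}


def eligible_gateways(gateways, health_check, sla):
    """Gateways the profile may use, following the SLA/health-check tables on the slides."""
    if sla and not health_check:
        raise ValueError("an SLA requires the health check to be enabled")
    if not health_check:
        return list(gateways)                                  # all gateways assumed to be up
    if sla:
        return [g for g in gateways if g["up"] and g["meets_sla"]]
    return [g for g in gateways if g["up"]]


def first_available(gateways, health_check, sla):
    """First available gateway strategy; if no gateway meets the SLA, the first in the list is used."""
    candidates = eligible_gateways(gateways, health_check, sla)
    if candidates:
        return candidates[0]["name"]
    return gateways[0]["name"] if sla else None  # None: nothing is up, no SD-WAN verdict (assumption)


def load_balance_pool(gateways, health_check, sla):
    """Load balancing pool; if no gateway meets the SLA, all available gateways are used."""
    candidates = eligible_gateways(gateways, health_check, sla)
    if not candidates and sla:
        candidates = [g for g in gateways if g["up"]]
    return candidates


def _weighted_pick(pool, slot):
    """Map an integer slot onto the pool so each gateway gets `weight` of every sum(weights) slots."""
    total = sum(g["weight"] for g in pool)  # weights are assumed to be positive integers
    slot %= total
    for gateway in pool:
        if slot < gateway["weight"]:
            return gateway["name"]
        slot -= gateway["weight"]
    raise RuntimeError("unreachable")


def pick_gateway(pool, mode, flow=None, counter=0):
    """Round robin walks a running counter; persistence modes hash the session key for stickiness."""
    if not pool:
        return None
    if mode == "round_robin":
        return _weighted_pick(pool, counter)
    key = "|".join(str(flow[field]) for field in PERSISTENCE_KEYS[mode]).encode()
    digest = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return _weighted_pick(pool, digest)


if __name__ == "__main__":
    pool = load_balance_pool(GATEWAYS, health_check=True, sla=True)
    print("pool:", [g["name"] for g in pool])
    print("round robin:", [pick_gateway(pool, "round_robin", counter=i) for i in range(6)])
    flow = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "203.0.113.10", "dport": 443}
    print("source_ip persistence:", pick_gateway(pool, "source_ip", flow))
```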



SD-WAN Profiles

console> show routing reroute-connection
Reroute status of live connections: on

console> set routing reroute-connection
disable    enable

Sophos Firewall uses connection rerouting to reroute traffic to another available gateway if a
gateway becomes unavailable. This is controlled in the console with the routing reroute-
connection setting. This will be enabled by default, but it can be checked and controlled via
the console on Sophos Firewall.



SD-WAN Logging

In the log viewer there is an SD-WAN module that allows you to focus on log entries specific to SD-
WAN routing and health. Each log entry includes the SD-WAN rule ID and name for both the route
request and the reply.



SD-WAN Routes

SD-WAN routes are configured in CONFIGURE > Routing > SD-WAN routes. Please note that
separate SD-WAN routes need to be created for IPv4 and IPv6.

SD-WAN routes are processed in order from the top down and the first match is used. SD-WAN
routes can be moved by dragging and dropping routes.



SD-WAN Route Configuration

SD-WAN route configuration is made up of two parts, traffic selector and routing.

Traffic can be selected based on the incoming interface. Please note that if you unbind the
interface, the SD-WAN route will be deleted.

Source, destination and service selectors work in the same way as for firewall rules.

You can match based on the DSCP marking of packets.


• Expedited forwarding (EF): Priority queuing that ensures low delay and packet loss. Suitable for
real-time services
• Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns
higher priority than best-effort
• Class selector (CS): Backward compatibility with network devices that use IP precedence in type
of service

You can also match on application objects and users or groups.



SD-WAN Route Configuration

Select the gateway using an SD-WAN profile

Manually select a primary and backup gateway

In the ‘Link selection settings’ you can choose to either select the gateway based on an SD-WAN
profile, or manually select a primary and backup gateway.

If you delete the primary gateway or the SD-WAN profile, the SD-WAN route will be deleted, and
the traffic will use WAN link load balancing.

If you delete the backup gateway, the backup gateway will be set to ‘None’.

Select Override gateway monitoring decision if you want to route traffic through the selected
gateway even if the gateway is down.



SD-WAN Route Status

Primary or backup gateway is up, and the SD-WAN route is active

Gateways are down and the SD-WAN route is not active; override gateway monitoring is off

Gateways are down and override gateway monitoring is on; the SD-WAN route is active

Hover over the status icon to view the statuses of the gateways and the gateway
monitoring setting

SD-WAN routes can have three statuses:

• Green when the primary or backup gateway is up, and the SD-WAN route is active
• Red when the gateways are down, and the SD-WAN route is not active and override gateway
monitoring is off
• Yellow when the gateways are down, and override gateway monitoring is on. The SD-WAN route
will be active in this case

You can see the status of the gateways and the monitoring setting by hovering your mouse over
the SD-WAN route status icon.



Application-Based SD-WAN Routing Behaviour
(Additional information in the notes)

• Application-based routing uses learned routes
  • The first connection from an application is routed via default route
  • Once learned, subsequent connections will adhere to application-based routes
  • Note: learned application routes are flushed on reboot
• The DPI engine supports application-based routes for all applications
  • The legacy web proxy does not support application-based routes for micro-apps
  • Pattern applications and Synchronized Security applications are supported
• Application-based routes require an active Web Protection license
  • One of the following conditions must be met:
    • Application classification is on
    • An application filter policy is applied to the firewall rule
    • The application is part of the offload signatures, and is flowing through snort

Application-based routing works using learned routes; this means that the very first connection
from an application is routed via the default route. Once the Sophos Firewall has learned and
cached the association between the application and route, all subsequent connections will adhere
to the application-based route.

The DPI engine supports application-based routing for all applications; however, the legacy web
proxy does not support this for micro-apps.

Application-based routes require an active Web Protection license and one of the following:
• Application classification is on, which it is by default
• An application filter is applied to the firewall rule
• Or the application is part of the offload signatures and is flowing through snort

[Additional Information]
In high availability, the cached application-based routing information is synchronized over the
dedicated HA link using multicast IP 226.1.1.1 on port 4455.



SD-WAN Migrated IPv4 and IPv6 Policy Routes

The following rules apply to migrated routes:

• Sophos Firewall automatically prefixes the firewall rule ID to the SD-WAN route name
• Sophos Firewall uses the firewall rule ID to match traffic with migrated routes
• SD-WAN routes don’t have zone-based settings
• You cannot change the sequence of migrated SD-WAN routes, since they correspond
to the firewall rule sequence
• If you delete the firewall rule, the migrated SD-WAN route is deleted
• You can edit only the gateways and the gateway monitoring decision

Firewall rules no longer include routing settings. When you migrate from version 17.5 or earlier,
Sophos Firewall migrates the routing settings in firewall rules as migrated SD-WAN routes. You can
see them in the SD-WAN routing table. You can identify these migrated SD-WAN routes by the
firewall rule ID and name. Note that this also applies to restoring a backup configuration file that
was taken on version 17.5 or earlier.

The following rules apply to migrated routes:


• Sophos Firewall automatically prefixes the firewall rule ID to the SD-WAN route name
• Sophos Firewall uses the firewall rule ID to match traffic with migrated routes
• SD-WAN routes don’t have zone-based settings. When firewall rules specify the same source and
destination networks, but different zones, individual SD-WAN routes that correspond to the
firewall rules are created
• You can't change the sequence of migrated SD-WAN routes since they correspond to the firewall
rule sequence
• If you delete the firewall rule, the migrated SD-WAN route is deleted
• You can edit only the gateways and the gateway monitoring decision



Matching Reply Packets

SD-WAN routes will match reply packets in new installations of Sophos Firewall

SD-WAN routes will not match reply packets for upgrades or where a pre-v18 configuration file is
restored

Enable and disable routing reply packets with SD-WAN routes via the console

SD-WAN routes will match reply packets in new installations of Sophos Firewall.

As this is a change of behavior from previous versions of Sophos Firewall, SD-WAN routes will not
match reply packets for upgrades or where a pre-v18 configuration file is restored.

You can view and set the behaviour for SD-WAN routes on the console using the commands shown
here.

[Additional Information]
show routing sd-wan-policy-route reply packet
set routing sd-wan-policy-route reply packet <enable|disable>



Zones for Custom Gateways

• Assign any zone to a custom gateway (except VPN)
• Custom gateways don’t participate in load balancing
• Custom gateway zones are not applied where a migrated SD-WAN route applies to the traffic
• VPN lookups are not performed when the WAN zone is marked through a gateway

You can create a virtual WAN zone on custom gateways for single arm usage after deployment. This
would primarily be in AWS or Azure. You can create more than one custom gateway attaching
different zones to each. Once configured, you can create access and security rules for traffic going
to these zones.

For example, in a single VPC/vNet deployment in AWS or Azure, you may use this where the
firewall serves as the next-hop for all traffic. It allows an admin to apply policies based on zones,
for example WAN to DMZ instead of WAN to WAN in single-arm deployments.

This configuration may also be used to add an extra layer of security to the internal network; for
example, all east-west traffic between the DMZ and the user network can be routed through the
firewall. The firewall can then enforce network security and validate access for that traffic.



Zones for Custom Gateways
Custom gateway with zone

SD-WAN Route selecting traffic for gateway

Route precedence: SD-WAN Route must be first

Firewall rule to allow traffic

NAT rule to perform DNAT and SNAT

There are five things to configure to use zones for custom gateways.

First, you create the gateways with the custom zone attached, then you create SD-WAN routes to
select the traffic and route it through your custom gateway. You may need to configure the route
precedence so that SD-WAN routes match first.

You will need to create a firewall rule for the traffic, and finally a NAT Rule to perform DNAT and
SNAT on the traffic.



Zones for Custom Gateways

[Diagram: a subnet containing the Sophos Firewall (172.16.16.16, a single port configured in
the WAN zone), the gateway switch/router (172.16.16.250), and a server (172.16.16.10) that is
the custom gateway in the LAN zone]

Let’s look at an example.

Here we have a subnet 172.16.16.0/24. The Sophos Firewall has the IP address 172.16.16.16 in the
WAN zone and uses 172.16.16.250 as its default gateway. There is another server on the same
subnet with the IP address 172.16.16.10 that is in the LAN zone.



Zones for Custom Gateways

[Diagram: inbound traffic from the gateway switch/router (172.16.16.250) is sent to the Sophos
Firewall (172.16.16.16); the server 172.16.16.10 sits on the same subnet]

Inbound traffic is routed to the Sophos Firewall.



Zones for Custom Gateways

We can now look at the configuration of this.

First, we have our gateways; GW is the default gateway on PortA in the WAN zone, and LAN is the
server we have created the custom gateway for.

Custom gateways do not participate in load-balancing, so to use them you need to create SD-WAN
routes for the traffic. Here we have created the HTTP_LAN rule that will match all HTTP traffic and
route it to the custom gateway. So that the Sophos Firewall can still route HTTP traffic out to the
Internet we have also created an SD-WAN route that matches on traffic from the internal hosts and
sends it to the default gateway.

Remember, the default routing precedence is static routes, SD-WAN routes, and the VPN routes;
you may need to adjust this, so the SD-WAN routes take precedence.



Zones for Custom Gateways

Here we have created a firewall rule that will allow HTTP traffic from the WAN to the LAN where it
is destined for the Sophos Firewall IP address.

We also have a NAT rule that DNATs and SNATs the inbound HTTP traffic, and a second NAT rule to
SNAT the outbound traffic from the LAN server.



Zones for Custom Gateways
SFVUNL_HV01_SFOS 18.0.4 MR-4# conntrack -E | grep orig-dport=80
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.16.250
orig-dst=172.16.16.16 orig-sport=56060 orig-dport=80 [UNREPLIED] reply-
src=172.16.16.10 reply-dst=172.16.16.16 reply-sport=80 reply-dport=56060 mark=0x4001
id=3702756992 masterid=0 devin=PortA devout=PortA nseid=16777421 ips=0 sslvpnid=0
webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=2 natid=4 fw_action=1 bwid=0 appid=0
appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=2 outzone=1
devinindex=5 devoutindex=5 hb_src=0 hb_dst=0 flags0=0x400a0000200008
flags1=0x50400800000 flagvalues=3,21,41,43,54,87,98,104,106 catid=0 user=0 luserid=0
usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:15:5d:02:05:58
src_mac=00:15:5d:02:05:12 startstamp=1616516496 microflow[0]=INVALID
microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=5
tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state[0]=31
current_state[1]=0 vlan_id=0 inmark=0x8003 brinindex=0 sessionid=362
sessionidrev=27596 session_update_rev=2 dnat_done=3 upclass=0:0 dnclass=0:0
pbrid_dir0=3 pbrid_dir1=0 nhop_id[0]=65535 nhop_id[1]=65535 nhop_rev[0]=0
nhop_rev[1]=0 conn_fp_id=NOT_OFFLOADED

If we review the conntrack entry, you can see that the zone for this connection is being changed
from 2 (WAN) to 1 (LAN): inzone=2 and outzone=1.



Chapter Review

Sophos Firewall marks incoming traffic with the matching routes and the destination
zone before DNAT is applied. Routes are then processed in order of precedence before
SNAT is applied

Sophos Firewall has the WAN link manager for configuring balancing and failover of
Internet links. There is also the gateway manager for creating and managing custom
gateways for SD-WAN routing

SD-WAN profiles provide link selection based on link quality and performance using
latency, jitter, packet loss, or a combination of all three. SD-WAN routes provide powerful
traffic selection options, that can leverage SD-WAN profiles for link selection

Here are the three main things you learned in this chapter.

Sophos Firewall marks incoming traffic with the matching routes and the destination zone before
DNAT is applied. Routes are then processed in order of precedence before SNAT is applied.

Sophos Firewall has the WAN link manager for configuring balancing and failover of Internet links.
There is also the gateway manager for creating and managing custom gateways for SD-WAN
routing.

SD-WAN profiles provide link selection based on link quality and performance using latency, jitter,
packet loss, or a combination of all three. SD-WAN routes provide powerful traffic selection
options, that can leverage SD-WAN profiles for link selection.



Troubleshooting Routing on Sophos Firewall

Sophos Firewall
Version: 19.0v2

[Additional Information]
Sophos Firewall
FW1540: Troubleshooting Routing on Sophos Firewall

June 2022
Version: 19.0v2


Troubleshooting Routing on Sophos Firewall - 1


Troubleshooting Routing on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Routing and SD-WAN on Sophos Firewall
✓ Using logs and packet capture to assist with root cause analysis

DURATION

17 minutes

In this chapter you will learn how Sophos Firewall routes packets, and how to approach
troubleshooting routing related problems.



Routing

Route precedence, from highest to lowest:

Health Check Routes
Static Routes (Directly Connected Networks, Dynamic Routing Protocols, Unicast Routes, SSL VPN Routes)
SD-WAN Routes
IPsec VPN Routes
Default Route (WAN Link Manager)

The precedence of Static Routes, SD-WAN Routes and IPsec VPN Routes is configurable.

Routing requirements will be different in every scenario you encounter, so in this chapter we will
focus on explaining how the Sophos Firewall routes traffic, and the tools available for monitoring
and troubleshooting.

The Sophos Firewall supports multiple methods for building and dynamically controlling the
routing, which fall into three main types of route: static routes, SD-WAN policy routes, and VPN
routes. These are processed in order of precedence.

Health check routes are used by Sophos Firewall to ensure that health probe traffic is sent through
the gateway that is being monitored and not being matched on any other route. These will always
take precedence.

Static routes define the gateway to use based on the destination network. This includes directly
connected networks, routes added by dynamic routing protocols, and routes created for SSL VPNs.

Policy routes make decisions based on the properties of the traffic, such as source, destination and
service.

VPN routes are created automatically when policy-based IPsec VPN connections are established
with the Sophos Firewall.

When no other routing rule has been matched the Sophos Firewall will send the packets on the
default route, which is the active gateway derived from the load balancing configuration across
active gateways.

Note that the precedence of static routes, policy routes, and VPN routes can be modified on the
command line.

[Additional Information]
Routing behaviour documentation:
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyBehavior/index.html



Packet Routing

PBR: Policy Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

1. Packet arrives
2. Pre-routing: mark if there is a PBR match; traverse full routing and mark the destination zone
3. NAT lookup for DNAT/Full NAT rules; destination zone updated as per DNAT
4. Firewall: rule matching done on post-NAT zone and pre-NAT IP
5. RTG -> NAT: mark if there is a match for RTG; DNAT or Full NAT as per the rule matched in #3
6. MLM: if WAN traffic with no PBR and no RTG mark, then mark for MLM
7. Routing lookup: traverse full routing as per precedence (PBR, VPN, Main, All)
8. Packet delivered: NAT lookup for the best match SNAT or linked NAT rule

This diagram shows how routing is applied to packets by the Sophos Firewall.

After the packet arrives the Sophos Firewall checks if it matches an SD-WAN policy route, and if so,
marks the packet. This is used later.

The full routing precedence is traversed, and the destination zone of the packet is marked.

The NAT lookup is performed, and the destination zone is updated if a DNAT or Full NAT rule is
matched.

The packet is matched in the firewall based on the post-NAT zone and pre-NAT IP.

Sophos Firewall checks if there is a match for a route through gateway (RTG); these are the
SD-WAN policy routes migrated from gateways configured in firewall rules in v17.5.

If the traffic is destined for the WAN zone and no PBR or RTG has been matched, the packet is
marked for MLM. MLM is the gateway derived from the load balancing configuration across active
gateways.

The packet then traverses the full routing as per the precedence.

Lastly, there is a NAT lookup.



Packet Routing

PBR: Policy Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

XG135_XN02_SFOS 18.0.0# ip rule list
0: from all lookup local
50: from all fwmark 0x1001 lookup gw1
50: from all fwmark 0x1002 lookup gw2
51: from all fwmark 0x4002 lookup gw2
51: from all fwmark 0x4001 lookup gw1
53: from all lookup main
54: from all fwmark 0x200 lookup routeipsec0
150: from all fwmark 0x8002 lookup gw2
150: from all fwmark 0x8001 lookup gw1
150: from all fwmark 0x8003 lookup gw3
151: from 192.168.254.1 lookup wanlink2
151: from 10.101.102.127 lookup wanlink1
220: from all iif lo lookup 220
221: from all lookup multilink
32766: from all lookup main
32767: from all lookup default

Annotations from the slide:
• 0 (local): matched when Sophos Firewall sends traffic to itself or a broadcast address
• 50: select gateway for health probe
• 51: match PBR if marked
• 53 (main): static routes, including static, dynamic and directly connected networks
• 150: RTG and MLM
• 151: WAN interface IP addresses
• 220 and 221: system generated traffic and IPsec VPN; no marking, MLM for system generated traffic
• 32766 and 32767: added by the Linux kernel; IPv6 default route; most traffic does not pass this point, and traffic generally will not reach the last rule

Here is an example of the routing table on Sophos Firewall. You can see that it uses a combination
of the source address and the fwmark (firewall mark) to look up gateways.

To show the routing table, run ip rule list on the advanced shell.

A few points to note:

• The orange boxes are added or managed by the kernel
• Packets are only marked for one of PBR, RTG or MLM
• If a packet is marked for RTG, the Sophos Firewall will still traverse the full route precedence,
but will not be able to match PBR because the fwmark will be different
• RTG will always have a lower precedence than VPN and static
• The routes for health probes always have the highest priority



Packet Routing

XG135_XN02_SFOS 18.0.0# ip route list table wanlink1
default via 10.1.1.250 dev PortB proto static src 10.1.1.100
prohibit default proto static metric 1

From the routing table you can then look up the route table associated with each gateway as
shown here.



Packet Routing

Routing policies:
0 from all lookup local
1 from all fwmark 0x1001 lookup gw1
51 from all fwmark 0x4001 lookup gw1
52 from all lookup main
53 from all fwmark 0x200 lookup gw1
150 from all fwmark 0x8001 lookup gw1
150 from all fwmark 0x8002 lookup gw2
221 from all lookup multilink

Routing tables:

main
103.226.184.250 dev Port2_ppp proto kernel scope link src 10.250.18.43
192.168.30.0/24 via 192.168.100.2 dev Port1 proto zebra
192.168.31.0/24 via 192.168.100.2 dev Port1 proto zebra
192.168.100.0/24 dev Port1 proto kernel scope link src 192.168.100.1

gw1
default via 103.226.184.250 dev Port2_ppp proto static
prohibit default proto static metric 1

gw2
default via 192.168.8.1 dev WWAN1 proto static
prohibit default proto static metric 1

routeipsec0
(routes not shown on the slide)

multilink
default proto static
nexthop via 103.226.184.250 dev Port2_ppp weight 1
nexthop via 192.168.8.1 dev WWAN1 weight 1

By using the ip rule list and ip route list table commands you can navigate the
routing table tree to identify how traffic is being routed.
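To make that walk through the tree concrete, here is an added example (not Sophos code) that parses the ip rule list and ip route list table output shown above and resolves a packet, given its source, destination and fwmark, to the rule and next hop the kernel would choose. The rules and the main, gw1, gw2, wanlink1 and multilink tables are copied from the slides; the local table is constructed for the example, and tables the slides do not show (gw3, wanlink2, 220, routeipsec0, default) are treated as empty.

```python
import ipaddress

# Policy rules copied from the chapter's "ip rule list" slide. Route tables copied from the
# routing table tree and "wanlink1" slides; the "local" table is constructed for this
# example (the slides do not show it). Tables the slides omit are treated as empty.
IP_RULE_LIST = """\
0: from all lookup local
50: from all fwmark 0x1001 lookup gw1
50: from all fwmark 0x1002 lookup gw2
51: from all fwmark 0x4002 lookup gw2
51: from all fwmark 0x4001 lookup gw1
53: from all lookup main
54: from all fwmark 0x200 lookup routeipsec0
150: from all fwmark 0x8002 lookup gw2
150: from all fwmark 0x8001 lookup gw1
150: from all fwmark 0x8003 lookup gw3
151: from 192.168.254.1 lookup wanlink2
151: from 10.101.102.127 lookup wanlink1
220: from all iif lo lookup 220
221: from all lookup multilink
32766: from all lookup main
32767: from all lookup default
"""

ROUTE_TABLES_TEXT = {
    "local": "local 10.1.1.100 dev PortB proto kernel scope host src 10.1.1.100\n",  # constructed
    "main": ("103.226.184.250 dev Port2_ppp proto kernel scope link src 10.250.18.43\n"
             "192.168.30.0/24 via 192.168.100.2 dev Port1 proto zebra\n"
             "192.168.31.0/24 via 192.168.100.2 dev Port1 proto zebra\n"
             "192.168.100.0/24 dev Port1 proto kernel scope link src 192.168.100.1\n"),
    "gw1": "default via 103.226.184.250 dev Port2_ppp proto static\nprohibit default proto static metric 1\n",
    "gw2": "default via 192.168.8.1 dev WWAN1 proto static\nprohibit default proto static metric 1\n",
    "wanlink1": "default via 10.1.1.250 dev PortB proto static src 10.1.1.100\nprohibit default proto static metric 1\n",
    "multilink": ("default proto static\n"
                  "    nexthop via 103.226.184.250 dev Port2_ppp weight 1\n"
                  "    nexthop via 192.168.8.1 dev WWAN1 weight 1\n"),
}


def parse_rules(text):
    """Parse 'ip rule list' output into selector dicts, ordered by priority."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        rule = {"prio": int(prio), "src": None, "iif": None, "fwmark": None, "table": None}
        toks = rest.split()
        for key, val in zip(toks[::2], toks[1::2]):
            if key == "from":
                rule["src"] = None if val == "all" else ipaddress.ip_network(val, strict=False)
            elif key == "iif":
                rule["iif"] = val
            elif key == "fwmark":
                rule["fwmark"] = int(val, 16)  # no mask on the slide, so the match is exact
            elif key == "lookup":
                rule["table"] = val
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])  # stable sort keeps listed order per priority


def parse_routes(text):
    """Parse 'ip route list table X' output, including multipath 'nexthop' continuation lines."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "nexthop":
            routes[-1]["nexthops"].append({"via": toks[2], "dev": toks[4]})
            continue
        route = {"action": "unicast", "metric": 0, "via": None, "dev": None, "nexthops": []}
        if toks[0] in ("prohibit", "unreachable", "blackhole", "local"):
            route["action"] = toks.pop(0)
        prefix = toks.pop(0)
        route["prefix"] = ipaddress.ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)
        for key, val in zip(toks[::2], toks[1::2]):
            if key == "via":
                route["via"] = val
            elif key == "dev":
                route["dev"] = val
            elif key == "metric":
                route["metric"] = int(val)
        routes.append(route)
    return routes


RULES = parse_rules(IP_RULE_LIST)
TABLES = {name: parse_routes(text) for name, text in ROUTE_TABLES_TEXT.items()}


def lookup_table(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins, which is why
    'default via ...' beats 'prohibit default ... metric 1' in the gateway tables."""
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))


def resolve(src, dst, fwmark=0, iif=None, rules=RULES, tables=TABLES):
    """Walk the rules as the kernel does: the first rule whose selectors match and whose
    table holds a route for dst decides; an empty or non-matching table falls through."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["src"] is not None and src_ip not in rule["src"]:
            continue
        if rule["fwmark"] is not None and rule["fwmark"] != fwmark:
            continue
        if rule["iif"] is not None and rule["iif"] != iif:
            continue
        route = lookup_table(tables.get(rule["table"], []), dst_ip)
        if route is None:
            continue
        return {"rule": rule["prio"], "table": rule["table"], "action": route["action"],
                "via": route["via"], "dev": route["dev"], "nexthops": route["nexthops"]}
    return None


if __name__ == "__main__":
    for args in [("192.168.100.50", "8.8.8.8", 0x4001), ("192.168.100.50", "8.8.8.8", 0),
                 ("10.101.102.127", "8.8.8.8", 0), ("192.168.100.50", "192.168.30.5", 0)]:
        print(args, "->", resolve(*args))
```

The fall-through is the point worth noticing: an unmarked packet for the Internet reaches rule 53 (main), finds no default route there, and so continues down to rule 221 (multilink), which is exactly the "MLM for system generated traffic / no marking" annotation on the slide. A PBR mark such as 0x4001 stops the walk at rule 51 instead, and a packet sourced from a WAN interface address stops at its wanlink table at rule 151.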



Packet Routing
SFVUNL_VM01_SFOS 19.0.0 EAP2-Build271# conntrack -L | grep 216.137.44
proto=tcp proto-no=6 timeout=116 state=LAST_ACK orig-src=192.168.250.37
orig-dst=216.137.44.126 orig-sport=50288 orig-dport=443 packets=9 bytes=953
reply-src=216.137.44.126 reply-dst=192.168.250.37 reply-sport=443 reply-
dport=50288 packets=9 bytes=5911 [ASSURED] mark=0x4005 use=1 id=3960153370
masterid=2924641482 devin= devout=PortG nseid=0 ips=0 sslvpnid=0 webfltid=13
appfltid=0 icapid=0 policytype=1 fwid=10 natid=2 fw_action=1 bwid=0 appid=100
appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x33 sigoffload=0 inzone=1
outzone=2 devinindex=0 devoutindex=11 hb_src=0 hb_dst=0
flags0=0x10c0020000280a0b flags1=0x90020a00000
flagvalues=0,1,3,9,11,19,21,41,54,55,60,85,87,93,104,107 catid=29 user=0
luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:0c:29:ac:be:7e
src_mac=00:0c:29:7d:03:ef startstamp=1647594231 microflow[0]=INVALID
microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=0
tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0
current_state[0]=2992 current_state[1]=2992 vlan_id=0 inmark=0x0 brinindex=0
sessionid=796 sessionidrev=9536 session_update_rev=4 dnat_done=0 upclass=0:0
dnclass=0:0 pbrid[0]=4 pbrid[1]=0 profileid[0]=2 profileid[1]=0
conn_fp_id=NOT_OFFLOADED

You can use the conntrack command in the advanced shell to see how packets are being
marked for routing and then use the previous commands to look up the gateway.



Route Precedence

• Route precedence can be managed on the console
• By default, static routes have the highest precedence

console> system route_precedence show
Default routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes

By default, static routing has the highest priority; this can be viewed on the console, and changed if
necessary, using the system route_precedence command.

[Additional Information]

The commands for managing route precedence are:

system route_precedence show - Display current route precedence
system route_precedence set sdwan_policyroute vpn static - Set new route precedence

Default route precedence:

• Static routes
• SD-WAN policy routes
• VPN routes



SD-WAN Policy Routes

• Policy routes on Sophos Firewalls upgraded from v17.5 or earlier do not match on reply packets
or system generated traffic
• Enable the new behaviour via the console

console> set routing sd-wan-policy-route reply-packet enable
Turned on SD-WAN policy route for reply packets.
console> set routing sd-wan-policy-route system-generate-traffic enable
Turned on SD-WAN policy route for system-generated traffic.

Version 18.0 of Sophos Firewall included two changes of behavior to policy routing:
1. Policy routes are applied to reply packets
2. Policy routes are applied to system generated traffic

As this was not the behavior in earlier versions of Sophos Firewall, these behaviors are not enabled
when the Sophos Firewall has been upgraded. They can be enabled through the console using the
commands:
set routing sd-wan-policy-route reply-packet enable
set routing sd-wan-policy-route system-generate-traffic enable

Note: for new installations of Sophos Firewall v18.0 and later these options are enabled by default.



Health Checks

Gateway Health Check
• Used by default routing (MLM), RTG
• SD-WAN primary and backup

SD-WAN Profile Health Check
• Independent of a gateway health check
• Each profile does independent health checks or probing for all the selected gateways
• One does not override the other's decision

Sophos Firewall checks the health of gateways, which is used by the default routing and SD-WAN
routes when configured to use primary and backup gateways.

SD-WAN profiles also have health checks; these are independent of the gateway health checks, and
the health check for each profile is also independent of each other.



SD-WAN Profile Probe Targets

• The first probe target is used to perform the health check
• If the first probe target is unavailable the second probe target is used
• The second probe target will continue to be used until it becomes unavailable, and then the
firewall will try the first probe target again
• If both probe targets are unavailable the health check fails and the gateway is unavailable

SD-WAN profiles support two probe targets. When two probe targets are configured, Sophos
Firewall will use the first probe target for performing the health checks on the connections. If the
first probe target is unavailable, Sophos Firewall will use the second probe target. The second
probe target will continue to be used until it becomes unavailable, at which point Sophos Firewall
will try the first probe target again. If both probe targets are unavailable, the health check fails and
the gateway is unavailable.



No Gateway Meets SLA for SD-WAN Profile

(Diagram: Sophos Firewall connected to the Internet over Link 1, Link 2 and Link 3, each marked
"SLA not met".)

In some circumstances it is possible that all the configured gateways in an SD-WAN profile fail to
meet the configured SLA. In this case Sophos Firewall will use the first available gateway.

Where the links are of a poor quality, it may be necessary to use a custom SLA with higher values
that the links can achieve to get the desired routing outcomes.
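The probe-target failover described on the previous page and the SLA fallback described here, written out as an added example (not Sophos code). The SLA thresholds and link measurements are constructed for the illustration, and the choice of the first configured gateway among those that meet the SLA is an assumption of the example; the profile's actual link-selection strategy is configured separately.

```python
from dataclasses import dataclass


@dataclass
class Sla:
    """SLA thresholds of an SD-WAN profile: latency and jitter in ms, packet loss in percent."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class GatewayHealth:
    """Constructed probe results for one gateway in the profile (values are illustrative)."""
    name: str
    available: bool        # the profile's own health check for this gateway passed
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def meets(self, sla):
        return (self.available
                and self.latency_ms <= sla.max_latency_ms
                and self.jitter_ms <= sla.max_jitter_ms
                and self.loss_pct <= sla.max_loss_pct)


class ProbeTargets:
    """The two probe targets of one SD-WAN profile, with the failover order the chapter
    describes: keep using the target in use until it becomes unavailable, then try the other."""

    def __init__(self):
        self.active = 0          # 0 = first probe target, 1 = second probe target

    def check(self, first_reachable, second_reachable):
        """Return the index of the target that answered this health check, or None when
        both are unavailable (the health check fails, so the gateway is unavailable)."""
        reachable = (first_reachable, second_reachable)
        if reachable[self.active]:
            return self.active
        other = 1 - self.active
        if reachable[other]:
            self.active = other  # switch, and keep using this target from now on
            return other
        return None


def select_gateway(gateways, sla):
    """Choose the gateway for a profile. Assumption for this example: among gateways that
    meet the SLA, the first in configured order wins. When no gateway meets the SLA the
    first available gateway is used, which is the behaviour the chapter describes."""
    for gw in gateways:
        if gw.meets(sla):
            return gw, "meets SLA"
    for gw in gateways:
        if gw.available:
            return gw, "no gateway meets SLA, first available gateway used"
    return None, "no gateway available"


if __name__ == "__main__":
    sla = Sla(max_latency_ms=50, max_jitter_ms=10, max_loss_pct=1.0)
    links = [GatewayHealth("Link 1", True, 80, 5, 0.0),
             GatewayHealth("Link 2", True, 30, 4, 0.5),
             GatewayHealth("Link 3", False, 20, 2, 0.0)]
    print(select_gateway(links, sla))
    poor = [GatewayHealth("Link 1", True, 80, 5, 0.0),
            GatewayHealth("Link 2", True, 120, 40, 5.0)]
    print(select_gateway(poor, sla))   # every link misses the SLA: Link 1 as first available
    print(select_gateway(poor, Sla(150, 50, 10.0)))   # a looser custom SLA makes Link 1 compliant
```

The last call shows the remark about poor-quality links: with the default thresholds neither link is compliant and the profile silently falls back to the first available gateway, whereas a custom SLA the links can actually achieve gives a deliberate choice again.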



SD-WAN Log Viewer Columns

In the log viewer you can add columns to the firewall log to show which SD-WAN profile and SD-
WAN route is being used for each connection.



SD-WAN Log Viewer

In the SD-WAN log you can see events for the SD-
WAN profile health checks and when routes
change.



Profiles and Gateways in the Logs

SFVUNL_VM01_SFOS 19.0.0 EAP2-Build271# conntrack -L | grep 216.137.44
proto=tcp proto-no=6 timeout=116 state=LAST_ACK orig-src=192.168.250.37 orig-dst=216.137.44.126 orig-sport=50288 orig-dport=443 packets=9 bytes=953 reply-src=216.137.44.126 reply-dst=192.168.250.37 reply-sport=443 reply-dport=50288 packets=9 bytes=5911 [ASSURED] mark=0x4005 use=1 id=3960153370 masterid=2924641482 devin= devout=PortG

When you are troubleshooting routing, you can check the log viewer to see which SD-WAN profile,
route, and gateway are being used, and the interface that the traffic is leaving the firewall on.

On the command line you can use conntrack to see the gateway mark and outbound port.

[Additional Information]

SFVUNL_VM01_SFOS 19.0.0 EAP2-Build271# conntrack -L | grep 216.137.44


proto=tcp proto-no=6 timeout=116 state=LAST_ACK orig-src=192.168.250.37 orig-
dst=216.137.44.126 orig-sport=50288 orig-dport=443 packets=9 bytes=953 reply-
src=216.137.44.126 reply-dst=192.168.250.37 reply-sport=443 reply-dport=50288 packets=9
bytes=5911 [ASSURED] mark=0x4005 use=1 id=3960153370 masterid=2924641482 devin=
devout=PortG nseid=0 ips=0 sslvpnid=0 webfltid=13 appfltid=0 icapid=0 policytype=1 fwid=10
natid=2 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x33
sigoffload=0 inzone=1 outzone=2 devinindex=0 devoutindex=11 hb_src=0 hb_dst=0
flags0=0x10c0020000280a0b flags1=0x90020a00000
flagvalues=0,1,3,9,11,19,21,41,54,55,60,85,87,93,104,107 catid=29 user=0 luserid=0 usergp=0
hotspotuserid=0 hotspotid=0 dst_mac=00:0c:29:ac:be:7e src_mac=00:0c:29:7d:03:ef
startstamp=1647594231 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0
ipspid=0 diffserv=0 loindex=0 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0
current_state[0]=2992 current_state[1]=2992 vlan_id=0 inmark=0x0 brinindex=0 sessionid=796
sessionidrev=9536 session_update_rev=4 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=4
pbrid[1]=0 profileid[0]=2 profileid[1]=0 conn_fp_id=NOT_OFFLOADED
proto=tcp proto-no=6 timeout=10796 state=ESTABLISHED orig-src=192.168.250.37 orig-
dst=216.137.44.126 orig-sport=50290 orig-dport=443 packets=91 bytes=5291 reply-
src=216.137.44.126 reply-dst=192.168.250.37 reply-sport=443 reply-dport=50290 packets=178
bytes=246116 [ASSURED] mark=0x4005 use=1 id=3678974964
masterid=1192823739 devin= devout=PortG nseid=0 ips=0 sslvpnid=0 webfltid=13
appfltid=0 icapid=0 policytype=1 fwid=10 natid=2 fw_action=1 bwid=0 appid=100
appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x33 sigoffload=0 inzone=1
outzone=2 devinindex=0 devoutindex=11 hb_src=0 hb_dst=0
flags0=0x10c0020000280a0b flags1=0x90020a00000
flagvalues=0,1,3,9,11,19,21,41,54,55,60,85,87,93,104,107 catid=29 user=0 luserid=0
usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:0c:29:ac:be:7e
src_mac=00:0c:29:7d:03:ef startstamp=1647594231 microflow[0]=INVALID
microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0 ipspid=0 diffserv=0 loindex=0
tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0
current_state[0]=2992 current_state[1]=2992 vlan_id=0 inmark=0x0 brinindex=0
sessionid=302 sessionidrev=40632 session_update_rev=4 dnat_done=0 upclass=0:0
dnclass=0:0 pbrid[0]=4 pbrid[1]=0 profileid[0]=2 profileid[1]=0
conn_fp_id=NOT_OFFLOADED
conntrack v1.4.5 (conntrack-tools): 104 flow entries have been shown.



Gateways in the Logs

SFVUNL_VM01_SFOS 19.0.0 EAP2-Build271# conntrack -L | grep 216.137.44
proto=tcp proto-no=6 timeout=10716 state=ESTABLISHED orig-src=192.168.251.82 orig-dst=216.137.44.16 orig-sport=60176 orig-dport=443 packets=12 bytes=1736 reply-src=216.137.44.16 reply-dst=192.168.251.82 reply-sport=443 reply-dport=60176 packets=12 bytes=6407 [ASSURED] mark=0x4006 use=1 id=2579810943 masterid=3796052363 devin= devout=PortH

Here you can see the log and conntrack output after a route change.

In the log you can see that the SD-WAN profile and route are the same, but the gateway and
outbound interface have changed.

In the conntrack output you can see that the gateway mark and the outbound interface have
changed.

[Additional Information]

SFVUNL_VM01_SFOS 19.0.0 EAP2-Build271# conntrack -L | grep 216.137.44


proto=tcp proto-no=6 timeout=10716 state=ESTABLISHED orig-src=192.168.251.82 orig-
dst=216.137.44.16 orig-sport=60176 orig-dport=443 packets=12 bytes=1736 reply-
src=216.137.44.16 reply-dst=192.168.251.82 reply-sport=443 reply-dport=60176 packets=12
bytes=6407 [ASSURED] mark=0x4006 use=1 id=2579810943 masterid=3796052363 devin=
devout=PortH nseid=0 ips=0 sslvpnid=0 webfltid=13 appfltid=0 icapid=0 policytype=1 fwid=10
natid=2 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x33
sigoffload=0 inzone=1 outzone=2 devinindex=0 devoutindex=12 hb_src=0 hb_dst=0
flags0=0x10c0020000280a0b flags1=0x90020a00000
flagvalues=0,1,3,9,11,19,21,41,54,55,60,85,87,93,104,107 catid=29 user=0 luserid=0 usergp=0
hotspotuserid=0 hotspotid=0 dst_mac=00:0c:29:ac:be:7e src_mac=00:0c:29:7d:03:ef
startstamp=1647617400 microflow[0]=INVALID microflow[1]=INVALID hostrev[0]=0 hostrev[1]=0
ipspid=0 diffserv=0 loindex=0 tlsruleid=0 ips_nfqueue=0 sess_verdict=0 gwoff=0 cluster_node=0
current_state[0]=3025 current_state[1]=3025 vlan_id=0 inmark=0x0 brinindex=0 sessionid=279
sessionidrev=801 session_update_rev=4 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid[0]=4
pbrid[1]=0 profileid[0]=2 profileid[1]=0 conn_fp_id=NOT_OFFLOADED
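An added example (not Sophos code) that parses conntrack entries like the ones above and reports the routing-relevant fields, so the before/after comparison on these two pages can be scripted rather than read by eye. The two entries are abridged from the chapter's output. The decoding of the mark value into a rule family and gateway number is inferred from the ip rule list on the Packet Routing slide (0x1001 health probe, 0x4001 PBR, 0x8001 RTG/MLM, 0x200 IPsec) and is an assumption of this example, not documented Sophos behaviour.

```python
# Two "conntrack -L" entries abridged from the chapter's output, before and after the route
# change; only the fields relevant to routing are kept.
BEFORE = ("proto=tcp proto-no=6 timeout=116 state=LAST_ACK orig-src=192.168.250.37 "
          "orig-dst=216.137.44.126 orig-sport=50288 orig-dport=443 packets=9 bytes=953 "
          "reply-src=216.137.44.126 reply-dst=192.168.250.37 reply-sport=443 "
          "reply-dport=50288 packets=9 bytes=5911 [ASSURED] mark=0x4005 use=1 "
          "id=3960153370 devin= devout=PortG inzone=1 outzone=2 "
          "pbrid[0]=4 pbrid[1]=0 profileid[0]=2 profileid[1]=0")
AFTER = ("proto=tcp proto-no=6 timeout=10716 state=ESTABLISHED orig-src=192.168.251.82 "
         "orig-dst=216.137.44.16 orig-sport=60176 orig-dport=443 packets=12 bytes=1736 "
         "reply-src=216.137.44.16 reply-dst=192.168.251.82 reply-sport=443 "
         "reply-dport=60176 packets=12 bytes=6407 [ASSURED] mark=0x4006 use=1 "
         "id=2579810943 devin= devout=PortH inzone=1 outzone=2 "
         "pbrid[0]=4 pbrid[1]=0 profileid[0]=2 profileid[1]=0")


def parse_conntrack_line(line):
    """Parse one conntrack entry into a dict. Each direction has its own 'packets' and
    'bytes' counters, so those go under entry['orig'] and entry['reply'] instead of
    overwriting each other; bracketed tokens such as [ASSURED] are collected as flags."""
    entry = {"flags": [], "orig": {}, "reply": {}}
    side = "orig"
    for tok in line.split():
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        key, _, val = tok.partition("=")
        if key.startswith("reply-"):
            side = "reply"
        if key in ("packets", "bytes"):
            entry[side][key] = int(val)
        elif key.startswith(("orig-", "reply-")):
            entry[side][key.split("-", 1)[1]] = val
        else:
            entry[key] = val          # plain fields; 'devin=' gives an empty string
    entry["mark"] = int(entry.get("mark", "0x0"), 16)
    return entry


# Assumed mark layout, inferred from the ip rule list slide: high bits select the rule
# family, low bits the gateway number. Not documented Sophos behaviour.
MARK_FAMILIES = {0x1000: "health probe", 0x4000: "PBR (SD-WAN policy route)", 0x8000: "RTG/MLM"}


def describe_mark(mark):
    """Return (family, gateway number) for a mark, or (None, None) if it is not recognised."""
    if mark == 0x200:
        return "IPsec VPN", None
    family = MARK_FAMILIES.get(mark & 0xF000)
    return (family, mark & 0x0FFF) if family else (None, None)


ROUTING_FIELDS = ("mark", "devout", "inzone", "outzone", "pbrid[0]", "profileid[0]")


def routing_changes(before, after):
    """Routing-relevant fields that differ between two entries, as {field: (old, new)}."""
    return {f: (before.get(f), after.get(f))
            for f in ROUTING_FIELDS if before.get(f) != after.get(f)}


def summarize(entry):
    """One-line summary: flow, decoded mark, outbound interface, SD-WAN route and profile."""
    family, gw = describe_mark(entry["mark"])
    flow = "{src}:{sport} -> {dst}:{dport}".format(**entry["orig"])
    return (f"{flow} mark=0x{entry['mark']:x} ({family}, gateway {gw}) "
            f"out {entry['devout']} pbrid={entry['pbrid[0]']} profile={entry['profileid[0]']}")


if __name__ == "__main__":
    before, after = parse_conntrack_line(BEFORE), parse_conntrack_line(AFTER)
    print(summarize(before))
    print(summarize(after))
    print(routing_changes(before, after))
```

Run against the two entries, the diff contains only the mark and the outbound interface, while pbrid[0] and profileid[0] are unchanged, which is the same conclusion the log viewer screenshot gives: same SD-WAN route and profile, different gateway and interface.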



Application-Based Policy Routing Behavior

• Application-based routing uses learned routes
  • The first connection from an application is routed via the default route
  • Once learned, subsequent connections will adhere to application-based routes
  • Note: learned application routes are flushed on reboot
• The DPI engine supports application-based routes for all applications
  • The legacy web proxy does not support application-based routes for micro-apps
  • Pattern applications and Synchronized Security applications are supported
• Application-based routes require an active Web Protection license
• One of the following conditions must be met:
  • Application classification is on
  • An application filter policy is applied to the firewall rule
  • The application is part of the offload signatures, and is flowing through snort

Application-based routing works using learned routes; this means that the very first connection
from an application is routed via the default route. Once the Sophos Firewall has learned and
cached the association between the application and route, all subsequent connections will adhere
to the application-based route.

The DPI engine supports application-based routing for all applications; however, the legacy web
proxy does not support this for micro-apps.

Application-based routes require an active Web Protection license and one of the following:
• Application classification is on, which it is by default
• An application filter is applied to the firewall rule
• Or the application is part of the offload signatures and is flowing through snort

[Additional Notes]
In high availability, the cached application-based routing information is synchronized over the
dedicated HA link using multicast IP 226.1.1.1 on port 4455.



Troubleshooting Application-Based Policy Routing
ipset -L appset
SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# ipset -L appset
Name: appset
Type: bitmap:appset
Revision: 0
Header: size 20000
Size in memory: 640064
References: 1
Members:
APPSETID=10004,TYPE=app
family:IPv4,proto:tcp,dstip:13.227.223.100,dstport:80,srcip:any
,srcport:any
APPSETID=1,TYPE=appobj
appid
10004

You can review the application policy route information with the command ipset -L appset
in the Advanced Shell.

Here you can see all the connection details for a specific application, ID 10004 in this case.

Below that you can see the defined application objects and the IDs of the applications.

Please note that application IDs above 10000 are applications identified by Synchronized
Application Control. Other application IDs are in the set that Sophos Firewall has detection for by
default.



Network Resources Inaccessible 1

Head Office: London
• LON-DC.SOPHOS.LOCAL (LAN), IP: 172.16.16.10 (/24)
• LON-GW1.SOPHOS.WWW, WAN IP: 10.1.1.100 & 10.3.3.100 (/24), MPLS IP: 10.100.100.65 (/29)

Branch Office: New York
• NY-GW.SOPHOS.WWW, WAN IP: 10.2.2.200 & 10.3.3.200 (/24), MPLS IP: 10.100.100.70 (/29)
• NY-SRV.SOPHOS.LOCAL (LAN), IP: 192.168.16.30 (/24)

Upstream gateways: 10.1.1.250 (/24), 10.2.2.250 (/24), 10.3.3.250 (/24); the two gateways are
also connected over MPLS.

Now that we have covered some of the key points of how the Sophos Firewall manages routing,
let’s consider an example where you are unable to access a resource on New York Server from
London DC over the MPLS.



Network Resources Inaccessible 1

Here you can see that from London DC you cannot load a web page on New York Server.



Network Resources Inaccessible 2

(Screenshots: log viewer output from London Gateway 1 and New York Gateway)

The first thing to do is check the logs. Using the log viewer you can apply source IP, destination IP
and destination port filters to identify the traffic. As you can see here the traffic is allowed through
both London Gateway 1 and New York Gateway.



Network Resources Inaccessible 2

(Screenshot: packet capture on London Gateway 1)

The next step would be to perform a packet capture to see what is happening. Again, you can filter
the results. In the example here we are using the BPF (Berkeley Packet Filter) string host
192.168.16.30 and port 80 to select the relevant traffic.

In the output from London Gateway 1 you can see the request coming in on port A and leaving
through port G, which is the MPLS port.



Network Resources Inaccessible 2

(Screenshot: packet capture on New York Gateway)

Using the same BPF string on New York Gateway, in this case we see the traffic come in on port D,
the MPLS port, and leave through port B, the WAN port. This is incorrect.



Network Resources Inaccessible 2

Sophos Firmware Version SFOS 18.0.1 MR-1-Build396

console> system route_precedence show
Default routing Precedence:
1. SD-WAN policy routes
2. VPN routes
3. Static routes
console>
console> show routing sd-wan-policy-route reply-packet
SD-WAN policy route is turned off for reply packets.
console>
console> set routing sd-wan-policy-route reply-packet enable
Turned on SD-WAN policy route for reply packets.
console>

On New York Gateway we check the route precedence and can see that SD-WAN policy routes have
the highest precedence.

While we are logged in, we also check the configuration for reply packets and find it is not enabled.
This Sophos Firewall must have been upgraded from v17.5.

Enable SD-WAN policy routes for reply packets.



Network Resources Inaccessible 3

In this case the issue has been resolved by enabling reply packets for SD-WAN policy routing.

If this had not resolved the issue the next step would have been to review the routes and routing
table on New York Server to see what route(s) may be incorrectly matching the traffic.



Additional Tools

console> tcpdump 'host 192.168.16.30 and port 80'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:03:23.168107 PortA, IN: IP 172.16.16.10.52963 > 192.168.16.30.80: Flags [SEW], seq 1539452074, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

Save output to a file:
console> tcpdump 'host 192.168.16.30 and port 80 -w /tmp/dump.pcap'

Upload the file to a server:
SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# scp /tmp/dump.pcap user@servername:/folder/location/

There are a couple more useful tools for troubleshooting routing issues. The first is tcpdump. This
is a command line packet capture tool that can be used on the Console or Advanced Shell. You can
use a BPF (Berkeley Packet Filter) string with tcpdump in the same way as with the packet capture
in the WebAdmin.

tcpdump output can be saved to a pcap file, which allows you to view the output of the tcpdump
command and analyze it using other packet analyzer tools, such as Wireshark, on an external
computer.

For example, on the Console you can run:
tcpdump 'host 192.168.16.30 and port 80 -w /tmp/dump.pcap'

You can then use SCP to copy the output from the Sophos Firewall to another server.
For example:
scp /tmp/dump.pcap user@servername:/folder/location/

[Additional Information]
When using tcpdump in the advanced shell you can use llh to print the link-level header on each
dump line.



Additional Tools

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# conntrack -L | grep 192.168.16.30
conntrack v1.4.5 (conntrack-tools): 29 flow entries have been shown.
proto=udp proto-no=17 timeout=7 orig-src=192.168.16.30 orig-dst=172.16.16.10 orig-sport=58027 orig-dport=53 packets=1 bytes=65 reply-src=172.16.16.10 reply-dst=192.168.16.30 reply-sport=53 reply-dport=58027 packets=1 bytes=131 mark=0x0 helper=dns use=1 id=3787356544 masterid=0 devin=PortG devout=LanBr nseid=0 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=6 natid=0 fw_action=1 bwid=0 appid=

SFVUNL_HV01_SFOS 18.0.1 MR-1-Build396# conntrack -E -p tcp --dport 443 -d 192.168.16.30
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.16.10 orig-dst=192.168.16.30 orig-sport=56171 orig-dport=443

conntrack, which must be run on the advanced shell, can show current connection details.
conntrack -L will output all of the current connections at that point in time. The output can
be used with grep for filtering.
conntrack -E will continuously write updates to the screen. Each entry will be tagged as a
NEW connection, an UPDATE to an existing connection, a connection that is being DESTROYed, and
so forth. You can also apply filters to the command such as the protocol, port and destination.



Chapter Review

Here are the three main things you learned in this chapter.

The default route precedence is health check routes, static routes, SD-WAN policy routes, VPN
routes, then the default route derived from balancing active gateways.

Route precedence for static, SD-WAN, and VPN routes can be changed on the console.

Whether Sophos Firewall uses SD-WAN routes for reply traffic and system generated traffic is
controlled through the console.



Configuring DNS and DHCP on Sophos Firewall

Sophos Firewall
Version: 19.0v2

[Additional Information]
Sophos Firewall
FW1545: Configuring DNS and DHCP on Sophos Firewall

June 2022
Version: 19.0v2


Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 1


Configuring DNS and DHCP on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

5 minutes

In this chapter you will learn how to configure the DNS and DHCP settings on Sophos Firewall.



DNS on Sophos Firewall

There are three ways to assign DNS servers to Sophos Firewall:

1. From your DHCP server
2. From PPPoE interface settings sent by your Internet provider
3. Manually, by assigning static server entries

Sophos Firewall needs to be able to resolve hostnames and IP addresses.

There are three ways to assign DNS servers to Sophos Firewall:

• From your DHCP server
• From PPPoE interface settings sent by your Internet provider
• Manually, by assigning static server entries

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 3


DNS Settings
DNS is configured in: CONFIGURE > Network > DNS

Select how Sophos Firewall obtains DNS servers

Set up to three DNS servers for IPv4 and IPv6

During the initial setup you will have to set a DNS server; this can be modified later in CONFIGURE >
Network > DNS.

Here you can set how Sophos Firewall obtains its DNS server, and you can set up to three DNS
servers statically for IPv4 and IPv6.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 4


DNS Server

Preference between IPv4 and IPv6 DNS servers

DNS records hosted by the Sophos Firewall

Sophos Firewall also acts as a DNS server, using its configured DNS servers to resolve and respond
to requests. You can set how Sophos Firewall handles the preference between IPv4 and IPv6
lookups.

You can also configure DNS records on the Sophos Firewall itself. These can include a reverse
lookup from the IP address back to the hostname.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 5


DNS Request Routes

Set the DNS server to use to look up hosts in the sophos.local domain

Set the DNS server to use to look up IP addresses in the network 172.16.16.0/24

If the Sophos Firewall is configured to use your ISP's DNS servers, so that it can resolve hosts on the
Internet, you can override this for specific domains and networks by configuring DNS request
routes.

A DNS request route defines which DNS server should be used to look up hosts in the selected
domain. Request routes can also be created for reverse lookups to define which DNS server should
be used to look up IP addresses in the selected network.
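The selection logic a DNS request route performs, as an added Python model (not Sophos code): the internal and ISP server addresses are constructed placeholders, and the longest-match rule for overlapping domains and networks is an assumption of the model, matching how a routing table would behave.

```python
import ipaddress

# Constructed configuration modelled on the chapter's two request routes: hosts in
# sophos.local and reverse lookups for 172.16.16.0/24 go to an internal DNS server,
# everything else goes to the ISP servers. Addresses are hypothetical placeholders.
INTERNAL_DNS = "172.16.16.5"
ISP_DNS = ["198.51.100.53", "198.51.100.54"]

DOMAIN_ROUTES = {
    "sophos.local": INTERNAL_DNS,
}
REVERSE_ROUTES = {
    ipaddress.ip_network("172.16.16.0/24"): INTERNAL_DNS,
}


def _labels(name: str) -> list[str]:
    """Split a DNS name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def route_for_name(hostname: str) -> str:
    """Pick the DNS server for a forward lookup.

    A request route for a domain also covers its subdomains, but only on a label
    boundary: 'notsophos.local' is not inside 'sophos.local'. When several routes
    match, the most specific (longest) domain wins (model assumption).
    """
    labels = _labels(hostname)
    best_server, best_len = None, -1
    for domain, server in DOMAIN_ROUTES.items():
        dlabels = _labels(domain)
        if len(dlabels) <= len(labels) and labels[-len(dlabels):] == dlabels:
            if len(dlabels) > best_len:
                best_server, best_len = server, len(dlabels)
    return best_server if best_server is not None else ISP_DNS[0]


def route_for_address(address: str) -> str:
    """Pick the DNS server for a reverse (PTR) lookup; longest prefix wins."""
    ip = ipaddress.ip_address(address)
    best_server, best_len = None, -1
    for network, server in REVERSE_ROUTES.items():
        if ip.version == network.version and ip in network and network.prefixlen > best_len:
            best_server, best_len = server, network.prefixlen
    return best_server if best_server is not None else ISP_DNS[0]


def reverse_name(address: str) -> str:
    """The name actually sent in a PTR query, e.g. 10.16.16.172.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer
```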

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 6


Simulation: Configure DNS Request Routes

In this simulation you will configure DNS request routes on Sophos Firewall.

https://training.sophos.com/fw/simulation/ConfigureDNS/1/start.html

In this simulation you will configure DNS request routes on Sophos Firewall.

Application Traffic Shaping on Sophos Firewall - 7


Dynamic DNS
Dynamic DNS is configured in: CONFIGURE > Network > Dynamic DNS

If your ISP assigns your IP through DHCP, you can use a dynamic DNS provider to host a DNS record
for this IP address, and have the Sophos Firewall update the IP address associated with it.

To configure dynamic DNS, you enter the hostname, and select the WAN interface it should resolve
to. You then need to select your provider, and enter your login details.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 8


DHCP Server
DHCP is configured in: CONFIGURE > Network > DHCP

Each DHCP server is assigned to an interface

The range of IP addresses it will lease

Sophos Firewall can provide DHCP to any networks that are connected to it. Each DHCP server you
configure on the Sophos Firewall can be either IPv4 or IPv6 and is bound to an interface.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 9


DHCP Relay

The interface where the clients are located

The IP address of the DHCP server to relay requests for

Sophos Firewall can also act as a DHCP relay, passing DHCP requests between clients and a DHCP
server on another network.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 10


Chapter Review

DNS servers can be assigned to Sophos Firewall using DHCP, from PPPoE interface
settings and manually

DNS request routes define what DNS server should be used to lookup hosts in the
selected domain

Sophos Firewall can provide DHCP to any networks that are connected to it. It can also
pass requests to another DHCP server.

Here are the three main things you learned in this chapter.

DNS servers can be assigned to Sophos Firewall using DHCP, from PPPoE interface settings and
manually.

A DNS request route defines which DNS server should be used to look up hosts in the selected
domain.

Sophos Firewall can provide DHCP to any networks that are connected to it. It can also pass
requests to another DHCP server.

Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 15


Configuring DNS and DHCP on Sophos Firewall 19.0v1 - 16
Managing Device Access and Certificates on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1550: Managing Device Access and Certificates on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Managing Device Access and Certificates on Sophos Firewall - 1


Managing Device Access and Certificates on Sophos
Firewall
In this chapter you will learn how to control access to admin services and add a certificate to
replace the default ‘ApplianceCertificate’.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

10 minutes

In this chapter you will learn how to control access to admin services and add a certificate to
replace the default ‘ApplianceCertificate’.

Managing Device Access and Certificates on Sophos Firewall - 2


Control Access to Local Services

Local services are management services of Sophos Firewall

Examples include Web admin and CLI consoles, and authentication services

Firewall rules cannot be used to control access to local services

Control access to the management services of Sophos Firewall from custom and default zones using
the local service ACL (Access Control List)

Local services are management services specific to the internal functioning of Sophos Firewall,
such as web admin and CLI consoles, and authentication services.

Firewall rules cannot be used to control traffic to these services.

You can control access to the management services of Sophos Firewall from custom and default
zones using the local service ACL (Access Control List).

Managing Device Access and Certificates on Sophos Firewall - 3


Device Access
Device Access is configured in: SYSTEM > Administration > Device Access

The zones which are allowed access to Admin services can be managed on the Device Access page
under the heading Local service ACL. The example shows that only the LAN and WiFi zones are
allowed access to Admin services using HTTPS and SSH. This section gives an easy and graphical
way to manage access to admin services as well as authentication, network, and other services
from any zone on the Sophos Firewall.

Managing Device Access and Certificates on Sophos Firewall - 4


Best Practices

BEST PRACTICES

Sophos does not recommend allowing access to the web admin console (HTTPS), CLI console
(SSH), and the user portal from the WAN zone or over the SSL VPN port.

Even though you can enable access to admin services from these zones, the Webadmin will warn
you that this is not a safe practice.

If you must give access, best practices are provided in the Administrator Help.

[Additional Information]
Best practices: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html

Managing Device Access and Certificates on Sophos Firewall - 5


Local Service ACL Exception Rule

Add a Local service ACL exception rule

The Local service ACL rules allow an administrator to quickly enable or disable access to a service
for a specific zone. While this is a simple way to enable access to these services, it does not allow
an administrator to securely grant access to services from untrusted zones. An administrator may
also want to restrict access to specific IP addresses within a secure zone, for example, to prevent
guests from being able to see the User Portal login page.

To only allow specific hosts and networks to access the services, scroll down to Local service ACL
exception rule, and click Add.

Managing Device Access and Certificates on Sophos Firewall - 6


Local Service ACL Exceptions

In the example shown here, we are allowing access to the WebAdmin and SSH in the WAN zone,
but only from the specified IP address.

Managing Device Access and Certificates on Sophos Firewall - 7


Device Access for a Zone

We have looked at the built-in zones on the Sophos firewall. These include the LAN, WAN, VPN,
DMZ, and WiFi zones. While you can choose to use only these zones, you also have the option of
creating additional custom zones to further define your networks.

When you create or edit a zone from Network > Zones, you can also configure which services it can
access on the Sophos Firewall.

Managing Device Access and Certificates on Sophos Firewall - 8


Certificates for Firewall Management
Untrusted: Appliance Certificate
Trusted certificate: Default when using Central Firewall Management

When you first connect to a Sophos Firewall's WebAdmin console, you may notice that you get a
certificate error. This is not to say that your connection is insecure, but rather that the certificate is
untrusted by your machine.

This is because Sophos Firewall comes with a default certificate called ‘ApplianceCertificate’, which is
used to provide HTTPS for the Admin Portal, User Portal and SSL VPNs. The common name on this
certificate is the serial number of the appliance, and therefore you will almost certainly get a
certificate error when you log in.

If you use Sophos Central to connect to Firewall Management, the certificate provided by Sophos
Central will be trusted.

Managing Device Access and Certificates on Sophos Firewall - 9


Certificates
Options for adding a certificate to Sophos Firewall:

1. Upload: Upload a certificate signed by a trusted CA

2. Self-Signed: Create a self-signed certificate that will be signed by the ‘Default’ signing CA

3. CSR: Create a certificate signing request that will be signed by a trusted CA

Certificates can be added to Sophos Firewall and can then be selected to be used in place of the
default ‘ApplianceCertificate’.

There are three options for doing this:

1. Upload a certificate that has been signed by an external trusted certificate authority. This could
be a third-party company such as GlobalSign, or an internal enterprise certificate authority. To
upload a certificate, you need to provide the certificate, private key, and the passphrase for
decrypting the private key.
2. Generate a self-signed certificate. This will be generated and signed by the Sophos Firewall’s
own ‘Default’ signing certificate authority.
3. The third option is to generate a CSR and download it along with the private key and
passphrase. This is a signing request for a certificate that can be signed by either a third-party
company or an internal enterprise certificate authority. Once you have the certificate you can
then upload it to the Sophos Firewall.

Managing Device Access and Certificates on Sophos Firewall - 10


Adding a Locally Signed Certificate

Generate locally signed certificate

IP addresses used for SANs

In this example, the option to Generate locally-signed certificate has been selected and the
required information for the certificate has been entered. This must include the common name,
which is included in the Distinguished name, and one or more Subject Alternative Names. SANs
define the entities for which your certificate will be valid and can be DNS names or IP addresses.
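Why the SANs decide whether the browser's certificate error goes away, shown with an added Python model (not Sophos code) of the name check a current browser performs: browsers match only the Subject Alternative Names and no longer fall back to the Common Name, so a CN equal to the appliance serial number can never satisfy the check. The serial number, hostnames and the absence of SANs on the default certificate are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity fields of an X.509 certificate that matter for a name check."""
    common_name: str
    dns_sans: list = field(default_factory=list)   # dNSName SAN entries
    ip_sans: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard may only replace the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".sophos.local"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        # exactly one non-empty label may stand in for the '*'
        return prefix != "" and "." not in prefix
    return False


def certificate_matches(cert: CertIdentity, target: str) -> bool:
    """Would a current browser accept `cert` for a connection to `target`?

    An IP-address target must appear as an iPAddress SAN; a hostname must match a
    dNSName SAN. The Common Name is deliberately never consulted.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_dns_name_matches(p, target) for p in cert.dns_sans)
    return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)


# Constructed examples. CN = serial number, as the chapter describes; no SANs is an
# assumption of the model, and the serial and hostnames are placeholders.
APPLIANCE_CERT = CertIdentity(common_name="C01001ABCDEFGH1")

LOCAL_CERT = CertIdentity(
    common_name="firewall.sophos.local",
    dns_sans=["firewall.sophos.local", "*.sophos.local"],
    ip_sans=["172.16.16.16"],
)
```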

Managing Device Access and Certificates on Sophos Firewall - 11


Certificates
Certificates can be viewed in: SYSTEM > Certificates > Certificates

The new certificate is now listed as well as the ‘ApplianceCertificate’.

Managing Device Access and Certificates on Sophos Firewall - 12


Select a Certificate

If you have created a new certificate or uploaded a public certificate to the firewall, it can be
assigned for use by the WebAdmin and user portal.
Admin and user settings, under Administration, allow you to select another certificate using the
drop-down list.

Managing Device Access and Certificates on Sophos Firewall - 13


Verification Certificate Authorities
• Includes certificates for common trusted Internet root CAs
• Upload certificate for additional CAs

Sophos Firewall comes preconfigured with the certificates for common trusted Internet root
certificate authorities; these are used to verify the certificates of devices the Sophos Firewall
connects to.

You can also upload additional CA certificates that you want to trust, such as an internal enterprise
CA that signs the certificates for your internal servers.

Managing Device Access and Certificates on Sophos Firewall - 14


Simulation: Import CA Certificates

In this simulation you will import CA certificates from an internal certificate authority to Sophos
Firewall.

https://training.sophos.com/fw/simulation/ImportCACertificates/1/start.html

In this simulation you will import CA certificates from an internal certificate authority to
Sophos Firewall.

Application Traffic Shaping on Sophos Firewall - 15


Signing Certificate Authorities
Two default signing CAs
• Default: Used for creating certificates
• SecurityAppliance_SSL_CA: Used for HTTPS scanning and email TLS/SSL connections
Upload additional CAs
• Provide certificate and private key
• Can be selected for use in Web and Email protection

Sophos Firewall also acts as a certificate authority, and so comes with two signing CAs.
• The ‘Default’ signing CA is used for creating and signing certificates.
• The ‘SecurityAppliance_SSL_CA’ is used for creating the certificates used in HTTPS web scanning
and securing TLS/SSL email connections.

You can upload additional signing CAs by providing the private key with the CA certificate when you
upload it. These CAs can then be selected for use in Web and Email Protection.
• The Email CAs can be separately selected for SMTPS and IMAPS & POPS. This is done in EMAIL >
General settings.
• The Web CA for HTTPS scanning can be selected in Web > Protection.

Managing Device Access and Certificates on Sophos Firewall - 16


Simulation: Deploy Sophos Firewall CA Certificates

In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active
Directory Group Policy.

https://training.sophos.com/fw/simulation/DeployCertificates/1/start.html

In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active
Directory Group Policy.

Application Traffic Shaping on Sophos Firewall - 17


Chapter Review

The zones which are allowed access to Admin services can be managed on the Device
Access page. Local service ACL exception rules restrict by IP addresses or by network

Certificates can be added and used in place of the default ’ApplianceCertificate’

Sophos Firewall acts as a certificate authority with two signing CAs. ’Default’ creates and
signs certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web
scanning and securing TLS/SSL email connections

Here are the three main things you learned in this chapter.

The zones which are allowed access to Admin services can be managed on the Device Access page.
Local service ACL exception rules restrict by IP addresses or by network.

Certificates can be added to Sophos Firewall and used in place of the default ’ApplianceCertificate’
which generates a certificate error.

Sophos Firewall acts as a certificate authority with two signing CAs. ‘Default’ creates and signs
certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web scanning and
securing TLS/SSL email connections.

Managing Device Access and Certificates on Sophos Firewall - 22


Managing Device Access and Certificates on Sophos Firewall - 23
Considerations for Configuring Device Access on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1555: Considerations for Configuring Device Access on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Considerations for Configuring Device Access on Sophos Firewall - 1


Considerations for Configuring Device Access on Sophos
Firewall
In this chapter you will learn how to secure administrative access to Sophos Firewall and configure
when CAPTCHA is required for login.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Using the Device Access page to manage the zones which are allowed access to Admin services

DURATION

10 minutes

In this chapter you will learn how to secure administrative access to Sophos Firewall and configure
when CAPTCHA is required for login.

Considerations for Configuring Device Access on Sophos Firewall - 2


WebAdmin

Default IP address: 172.16.16.16 (/24)
Port: 4444
WebAdmin URL: https://DeviceIP:4444

The Sophos Firewall can be accessed in multiple ways; the preferred method for most
administrative tasks is to use the WebAdmin.

By default, the device’s IP address will be 172.16.16.16 and the WebAdmin on a Sophos Firewall
runs on port 4444. So, to connect to the WebAdmin interface on a brand-new device you would
connect to HTTPS://172.16.16.16:4444.

The default administrator username is admin, and the password for this is set as part of the initial
setup.

Considerations for Configuring Device Access on Sophos Firewall - 3


User Portal
https://<Sophos Device IP Address>

There is also a User Portal which can be accessed using HTTPS on port 443.

Considerations for Configuring Device Access on Sophos Firewall - 4


Command Line Interface (CLI)
(Additional information in the notes)

SSH Console

Default credentials
Username: admin
Password: admin

This is changed as part of the initial setup wizard

Although the Sophos Firewall is managed through a web interface, it also has a command line
interface (CLI) that is accessible through SSH or a console connection. You may want to use the CLI
to change the IP address of the management port to be in your LAN IP range so that you can
connect to the WebAdmin to complete the initial setup wizard.

To login to the CLI use the password of the built-in ‘admin’ user. The default admin password is
‘admin’; you change this as part of the initial setup wizard.

[Additional Information]

Here are the parameters for a console connection:

• Baud rate (speed): 38,400
• Data bits: 8
• Stop bits: 1
• Parity and flow control: None or 0

Considerations for Configuring Device Access on Sophos Firewall - 5


SSH Public Key Authentication
(Additional information in the notes)

• Authenticate SSH access using keys
• Supported
  • Algorithms: RSA, DSA, ECDSA
  • Key lengths: 1024, 2048, 4096
• Logged in
  • /log/sshd.log

For deployments where multiple administrators will have access to the CLI, Public key
authentication can be used for SSH access. This provides access without needing to share the
admin password, and the public keys of multiple users can be uploaded. This also allows for better
logging and auditing as changes and actions will not all show as performed by ‘admin’.

Keys can be created using a tool such as PuTTY Key Generator on Windows, or ssh-keygen on Linux.
Sophos Firewall supports RSA, DSA and ECDSA keys of 1024, 2048 and 4096 bits in length. When
the SSH connection is authenticated using keys, the thumbprint of the key is logged in sshd.log
with the IP address that the connection was initiated from.

Here you can see a key that has been generated using PuTTY. The Public Key Authentication section
of Administration > Device access is used to add the public keys. To access the CLI, the
corresponding private key must be entered in the SSH tool.

[Additional Information]
Example log extract: /log/sshd.log:
[10269] Jul 20 09:20:45 Child connection from 172.16.16.10:49634
[10269] Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634
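The auditing benefit described above only materialises if someone maps the logged key fingerprints back to people; this added Python example (not Sophos code) does that over sshd.log lines of the format shown. The first session reproduces the chapter's extract, the second session, its fingerprint and the key inventory are constructed, and the single space after "sha1!!" is an assumption about the unwrapped log line.

```python
import re

# Pattern for the successful public-key login line in /log/sshd.log, as shown in the
# chapter. Assumption: fingerprint follows "sha1!!" on the same line, separated by a space.
PUBKEY_OK = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"Pubkey auth succeeded for '(?P<user>[^']+)' with key sha1!! "
    r"(?P<fp>(?:[0-9a-f]{2}:){19}[0-9a-f]{2}) from (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)$"
)

# Constructed sample log: session 1 is the chapter's extract, session 2 is invented.
SAMPLE_LOG = """\
[10269] Jul 20 09:20:45 Child connection from 172.16.16.10:49634
[10269] Jul 20 09:20:45 Pubkey auth succeeded for 'admin' with key sha1!! cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05 from 172.16.16.10:49634
[10312] Jul 20 09:41:02 Child connection from 172.16.16.77:50122
[10312] Jul 20 09:41:02 Pubkey auth succeeded for 'admin' with key sha1!! 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:01:02:03:04 from 172.16.16.77:50122
"""

# Constructed inventory: SHA-1 fingerprint of each public key uploaded under
# Administration > Device access -> the administrator who owns it.
KNOWN_KEYS = {
    "cb:10:6e:38:37:27:e5:66:90:41:8a:36:c9:ae:53:ce:52:51:ca:05": "alice",
}


def parse_pubkey_logins(log_text: str) -> list[dict]:
    """Extract every successful public-key login (pid, ts, user, fp, ip, port)."""
    logins = []
    for line in log_text.splitlines():
        m = PUBKEY_OK.match(line)
        if m:
            logins.append(m.groupdict())
    return logins


def attribute_logins(log_text: str, known_keys: dict) -> list[tuple]:
    """Map each login on the shared 'admin' account to the person whose key was used.

    Returns (timestamp, source IP, owner) tuples; a fingerprint missing from the
    inventory is reported as UNKNOWN KEY rather than silently attributed to 'admin'.
    """
    report = []
    for login in parse_pubkey_logins(log_text):
        owner = known_keys.get(login["fp"].lower(), "UNKNOWN KEY")
        report.append((login["ts"], login["ip"], owner))
    return report


def unknown_key_logins(log_text: str, known_keys: dict) -> list[tuple]:
    """Logins worth alerting on: a key that nobody in the inventory is accountable for."""
    return [entry for entry in attribute_logins(log_text, known_keys) if entry[2] == "UNKNOWN KEY"]
```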

Considerations for Configuring Device Access on Sophos Firewall - 6


Zone-Based ACL

Device access allows an administrator to define what services are allowed or available in which
zones.

The default settings in device access allow minimal services in the WAN zone while allowing most
services in the LAN and WiFi zones. Best practice dictates that any services that are not needed
should be disabled for any zone in which they will not be used.

Services are grouped into four categories:

• Admin services, for administrative access to the Sophos Firewall.
• Authentication services, for clients to authenticate themselves with the Sophos Firewall.
• Network services, for clients to PING the firewall and use it as a DNS server.
• Other services, which include wireless and VPN services, access to the user portal, routing, proxy
services, mail, and SNMP.

Considerations for Configuring Device Access on Sophos Firewall - 7


Local Service ACL Exceptions

Select Bottom or Top

Source Network/Host and Destination Host

Services

The Device access page also allows you to create local service ACL exception rules. These rules let
an administrator allow or deny access to specific services for specific hosts or networks.
You begin by adding a name for the rule and then selecting whether the rule should be placed at
the bottom or top of the existing list of rules.

Device access ACLs are applied to either IPv4 or IPv6. If you want to do both you need to create
separate rules.

Select the network zone from which the traffic or requests will be originating, and the source
networks or hosts within the zone that are going to be allowed or blocked.

Select the services that the ACL will apply to, and finally, select whether this is an accept or drop
rule.

Considerations for Configuring Device Access on Sophos Firewall - 8


Local Service ACL Exception Rules

This shows the ACL Exception rules with the newly created one placed at the bottom. These rules
are processed in order and override the Local Service ACL rules.
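The evaluation order just described (exception rules top to bottom, first match wins, zone-based ACL as the fallback, separate IPv4 and IPv6 rules), as an added Python model that is not Sophos code. The zone ACL approximating the defaults, the management and guest addresses and the whitelisted WAN address are all constructed; the model is what lets you check that "disable zone-based access, then allow only targeted hosts" produces the intended result before touching the firewall.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ExceptionRule:
    name: str
    zone: str
    sources: list       # ip_network objects the request may originate from
    services: set       # e.g. {"HTTPS", "SSH"}
    action: str         # "accept" or "drop"
    family: int = 4     # a rule applies to IPv4 or IPv6, never both


@dataclass
class DeviceAccess:
    zone_acl: dict = field(default_factory=dict)     # zone -> services ticked for it
    exceptions: list = field(default_factory=list)   # processed top to bottom

    def add_exception(self, rule: ExceptionRule, position: str = "bottom") -> None:
        """A new rule goes to the top or the bottom of the existing list."""
        if position == "top":
            self.exceptions.insert(0, rule)
        else:
            self.exceptions.append(rule)

    def is_allowed(self, zone: str, source_ip: str, service: str) -> bool:
        """First matching exception rule decides; otherwise the zone-based ACL applies."""
        ip = ipaddress.ip_address(source_ip)
        for rule in self.exceptions:
            if rule.family != ip.version or rule.zone != zone or service not in rule.services:
                continue
            if any(ip in net for net in rule.sources):
                return rule.action == "accept"
        return service in self.zone_acl.get(zone, set())


def default_like_policy() -> DeviceAccess:
    """Constructed approximation of the defaults the chapter describes: admin services
    open to everyone in LAN and WiFi, minimal services on WAN."""
    return DeviceAccess(zone_acl={
        "LAN": {"HTTPS", "SSH", "PING", "DNS", "User Portal"},
        "WiFi": {"HTTPS", "SSH", "PING", "DNS", "User Portal"},
        "WAN": {"PING"},
    })


def hardened_policy() -> DeviceAccess:
    """Zone-based admin access removed; HTTPS/SSH only from a management host, plus one
    fixed WAN address; guests (constructed subnet) kept off the User Portal login page."""
    policy = DeviceAccess(zone_acl={
        "LAN": {"DNS", "User Portal"},
        "WiFi": {"DNS"},
        "WAN": set(),
    })
    policy.add_exception(ExceptionRule(
        "Admin from management host", "LAN",
        [ipaddress.ip_network("172.16.16.10/32")], {"HTTPS", "SSH"}, "accept"))
    policy.add_exception(ExceptionRule(
        "Remote admin from fixed address", "WAN",
        [ipaddress.ip_network("203.0.113.10/32")], {"HTTPS", "SSH"}, "accept"))
    # A drop rule placed at the top is evaluated before the accept rules below it.
    policy.add_exception(ExceptionRule(
        "No portal for guests", "LAN",
        [ipaddress.ip_network("172.16.50.0/24")], {"User Portal"}, "drop"), position="top")
    return policy
```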

Considerations for Configuring Device Access on Sophos Firewall - 9


Securing Administrative Access

The default Device Access settings allow anyone in the LAN zone to access the login page for the
WebAdmin and to connect to the SSH login

Based on the default configuration of the device access section, if you were to lock down the
Sophos Firewall, what would you change?

The default Device Access settings allow anyone in the LAN zone to access the login page for the
WebAdmin if they know the address, and then to connect to the SSH login.

What could be done on the Sophos Firewall in order to secure these connections, assuming that
you would like to allow access to the WebAdmin or SSH through the LAN zone?

Based on the default configuration of the device access section, if you were to lock down the
Sophos Firewall, what would you change?

Considerations for Configuring Device Access on Sophos Firewall - 10


Securing Administrative Access

• Disable zone-based access to admin services
• Create specific ACL exception rules to allow access to admin services from specific network
segments/hosts
• Optionally create ACLs on managed switches or routes for the admin services
• Disable unnecessary services in zones
• Disable PING where possible to help prevent discovery and probing
• Remove SMTP relay and SNMP from any zone that does not require it

The simplest step to take is to disable the zone-based access to admin services and to only allow
access using targeted ACL exception rules. Create specific ACL exception rules to allow access to
admin services from specific network segments/hosts.

In addition, you could create ACLs on managed switches to control access to the admin services.

You should disable unnecessary services in the zone.

Disable PING where possible to help prevent discovery and probing.

Remove SMTP relay and SNMP from any zone that does not require it.

Considerations for Configuring Device Access on Sophos Firewall - 11


CAPTCHA Configuration

We do not recommend disabling CAPTCHA in the WAN zone

Sophos Firewall displays a CAPTCHA on the WebAdmin and user portal login pages when they are
being accessed from the WAN zone and VPN zone. This is found to be very effective in preventing
automated attacks against the user portal and webadmin portals.

Disabling CAPTCHA in the WAN zone is not recommended.

Considerations for Configuring Device Access on Sophos Firewall - 12


CAPTCHA Configuration
(Additional information in the notes)

CAPTCHA can be enabled or disabled for VPN and WAN zone or just the VPN zone
console> system captcha-authentication-global show
Captcha authentication status:
Webadmin console: enabled
User portal: enabled
console> system captcha-authentication-vpn disable
Captcha authentication serves as an extra security defense against scripted automated login attempts.
Are you sure you want to disable captcha authentication when they are exposed on the VPN zone (Y/N) ?
y
Captcha authentication for the webadmin and user portal is disabled on the VPN zone
console> system captcha-authentication-vpn enable
Captcha authentication for the webadmin and user portal is enabled on VPN zone

You can enable and disable the CAPTCHA either globally, for both the WAN and VPN zone, or just
for the VPN zone. You cannot disable access for just the WAN zone on its own.

The configuration is managed via the console using the commands shown here.

[Additional Information]

system captcha-authentication-global [show|enable|disable]
system captcha-authentication-vpn [show|enable|disable]

Considerations for Configuring Device Access on Sophos Firewall - 13


CAPTCHA Configuration
CAPTCHA can be enabled or disabled for the user portal and web admin console separately or together

console> system captcha-authentication-global disable for userportal
Captcha authentication serves as an extra security defense against scripted automated login attempts.
Are you sure you want to disable captcha authentication (Y/N) ?
y
Captcha authentication for the user portal is disabled
console> system captcha-authentication-vpn show
Captcha authentication status on the VPN zone:
Webadmin console: enabled
User portal: disabled
console> system captcha-authentication-global enable for userportal
Captcha authentication for the user portal is enabled

You can also optionally enable or disable it for just the user portal or just the WebAdmin by
appending ‘for userportal’ or ‘for webadminconsole’ to the commands, as shown here.

Considerations for Configuring Device Access on Sophos Firewall - 14


Chapter Review

Public key authentication can be configured for secure access to the CLI. This allows
access without the need to share the admin password

Administrative access can be secured by disabling zone-based access to services and
creating local service ACL exception rules to allow access to admin services from specific
network segments/hosts

You can enable and disable the CAPTCHA either globally, for both the WAN and VPN
zone, or just the VPN zone. The configuration is managed via the console

Here are the three main things you learned in this chapter.

Public key authentication can be configured for secure access to the CLI. This allows access without
the need to share the admin password.

Administrative access can be secured by disabling zone-based access to services and creating local
service ACL exception rules to allow access to admin services from specific network
segments/hosts.

You can enable and disable the CAPTCHA either globally, for both the WAN and VPN zone, or just
for the VPN zone. The configuration is managed via the console.

Considerations for Configuring Device Access on Sophos Firewall - 21


Considerations for Configuring Device Access on Sophos Firewall - 22
Getting Started with Traffic Shaping on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1565: Getting Started with Traffic Shaping on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Traffic Shaping on Sophos Firewall - 1


Network Traffic Shaping on Sophos Firewall
In this chapter you will learn how to configure the global settings for traffic shaping, including
default policy settings, and the different types of traffic shaping policy you can create.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

8 minutes

In this chapter you will learn how to configure the global settings for traffic shaping, including
default policy settings, and the different types of traffic shaping policy you can create.

Getting Started with Traffic Shaping on Sophos Firewall - 2


Traffic Shaping

What are some example scenarios where traffic shaping can be deployed to help optimize and
manage network performance?

Using traffic shaping policies, you can manage bandwidth and prioritize network traffic to reduce
the impact of heavy bandwidth usage.

What are some example scenarios where traffic shaping can be deployed to help optimize and
manage network performance?

Getting Started with Traffic Shaping on Sophos Firewall - 3


Traffic Shaping

Protect business continuity

Prioritize or guarantee bandwidth for cloud services

Limit bandwidth of non-business critical heavy bandwidth applications

Control bandwidth usage from guest networks

Traffic shaping is primarily deployed to protect business continuity. With the increasing move to
using cloud services it is important to prioritize and guarantee bandwidth for these business critical
applications.

Another approach is to limit bandwidth of non-business critical heavy bandwidth applications, such
as streaming and downloads.

Traffic shaping is also a great tool for controlling the amount of bandwidth used by guest networks,
ensuring they do not impact more important business use.



Traffic shaping settings are configured in:
CONFIGURE > System Services > Traffic shaping settings
Traffic Shaping Settings

Sum of the maximum bandwidth of all WAN links in KBps

To start using traffic shaping you should first configure the general traffic shaping settings. It is
important to specify the settings found on the CONFIGURE > System Services > Traffic shaping
settings tab.

This includes the total WAN bandwidth available, which Sophos Firewall needs so it can allocate
bandwidth effectively. The total available WAN bandwidth is the sum of the maximum bandwidth
of all WAN links in KBps.

To view bandwidth usage, click Show bandwidth usage at the bottom of the page.



Traffic shaping settings are configured in:
CONFIGURE > System services > Traffic shaping settings
Traffic Shaping Settings

The option Optimize for real-time (VoIP) gives priority to real-time traffic such as VoIP. If disabled,
priority will be applicable only for excess bandwidth, that is, bandwidth remaining after guaranteed
bandwidth allocation.

If ‘Optimize for Real-Time (VoIP)’ is enabled, real-time traffic (traffic matching a Traffic Shaping
policy with priority 0), such as VoIP, will be given precedence over all other traffic.

As priority is given to the real-time traffic, it is possible that some non-real-time traffic will not get
its minimum guaranteed bandwidth. Specifically, if the sum of the Limit (maximum allowed) of all
Traffic Shaping policies (real-time and non-real-time) is greater than the total maximum limit, then
the guaranteed bandwidth of the real-time policies will be fulfilled but non-real-time policies might
not get their minimum guaranteed bandwidth.



Traffic shaping settings are configured in:
CONFIGURE > System services > Traffic shaping settings
Traffic Shaping Settings

Default traffic shaping policy for firewall.

The setting to Enforce guaranteed bandwidth should only be enabled if you would like to apply the
Default policy shown here to all traffic that does not have an explicit Traffic shaping policy applied
to it. If this option is enabled, you should take the time to configure the Default policy as well.

With Enforce guaranteed bandwidth enabled, all Internet-bound traffic is handled by the traffic-shaping
policy applied to it. If there is no policy applied to the traffic, it will be handled by the default policy.
• Enable this setting if you want to enforce a bandwidth restriction on traffic to which a traffic-
shaping policy is not applied
• Disable this setting if you do not want to enforce a bandwidth restriction on traffic to which a
traffic-shaping policy is not applied (traffic shaping will then only handle traffic to which a
traffic-shaping policy is applied)

If you have enabled Enforce guaranteed bandwidth you can configure the default policy to use for
traffic that does not have a traffic-shaping policy applied.
• Guarantee is the minimum bandwidth available to the user
• Limit is the maximum bandwidth available to the user
• Priority can be set from 1 (highest) to 7 (lowest) depending on the traffic required to be shaped



Traffic shaping policies are configured in:
CONFIGURE > System services > Traffic shaping
Traffic Shaping

What the traffic shaping policy will be applied to

Traffic shaping policies are configured in CONFIGURE > System services > Traffic shaping.

Traffic shaping policies can be applied to either users, rules, web categories or applications, and
can be used to either limit or guarantee bandwidth.

You can choose to set bandwidth limits for upload and download either separately or combined.

The Priority field is used to set the traffic type to which bandwidth priority is to be allocated. By
default, priority is assigned to real-time traffic. When priority is allocated to real-time traffic, the
ability of non-real-time policies to receive their guaranteed bandwidth is determined by the
bandwidth remaining in the total available bandwidth after real-time policies have been serviced.

Bandwidth usage can be configured to be either individual or shared. Individual applies the policy
to a single user, firewall rule, web category or application. Shared applies the policy to all the users,
firewall rules, web categories or applications which have the policy assigned.

[Additional Information]
Rule type:
• Limit: User cannot exceed the defined bandwidth limit
• Guarantee: User is guaranteed the specified bandwidth and can draw on bandwidth up to the
specified limit, if available. Allowing users to draw on additional bandwidth can ensure constant
service levels during peak periods



Traffic Shaping Policies Example

Let's look at an example policy. Here we have a policy to limit the bandwidth of streaming media
applications to 480p based on their web category as determined by the firewall.

We have set the association to Web categories and the Rule type to Limit. We then calculated the
bandwidth needed for 480p video to be 1000 KB/s and set it as an individual limit, so each person
viewing a video will have enough bandwidth to view the video at 480p.

Finally, the Priority is set low. We have chosen a priority of 5 to make sure it is processed after any
business-critical applications.
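As an added illustration, not Sophos Firewall code or part of the course material, the Python model below applies the allocation rules stated in the Traffic Shaping Settings notes (real-time precedence when Optimize for real-time (VoIP) is enabled, guarantees, then excess by priority) to a constructed set of policies that includes a streaming Limit policy like the one in this example. The 2000 KBps link, the policy values and the per-policy demand figures are assumptions chosen so that the sum of limits exceeds the total bandwidth.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    guarantee: int  # minimum bandwidth in KBps (0 for a 'Limit' rule type)
    limit: int      # maximum bandwidth in KBps
    priority: int   # 0 = real-time, then 1 (highest) to 7 (lowest)
    demand: int     # constructed offered load in KBps, not a firewall setting

# Constructed sample: a 2000 KBps WAN link and three policies whose
# limits add up to 4000 KBps, i.e. more than the total bandwidth.
TOTAL_WAN_KBPS = 2000
SAMPLE_POLICIES = [
    Policy("VoIP", guarantee=500, limit=1500, priority=0, demand=1500),
    Policy("ERP", guarantee=800, limit=1500, priority=1, demand=1500),
    Policy("Streaming", guarantee=0, limit=1000, priority=5, demand=1000),
]

def allocate(total_kbps, policies, optimize_realtime):
    """Return {policy name: KBps} under the rules the chapter describes."""
    remaining = total_kbps
    alloc = {p.name: 0 for p in policies}

    def raise_to(p, target):
        nonlocal remaining
        extra = min(target, p.limit, p.demand) - alloc[p.name]
        extra = min(max(extra, 0), remaining)
        alloc[p.name] += extra
        remaining -= extra

    by_priority = sorted(policies, key=lambda p: p.priority)
    if optimize_realtime:
        # Real-time (priority 0) traffic takes precedence over all other
        # traffic, so it is served up to its limit before any guarantee.
        for p in [q for q in by_priority if q.priority == 0]:
            raise_to(p, p.limit)
    for p in by_priority:  # guaranteed bandwidth, best effort by priority
        raise_to(p, p.guarantee)
    for p in by_priority:  # excess bandwidth by priority, up to each limit
        raise_to(p, p.limit)
    return alloc

def shortfalls(total_kbps, policies, optimize_realtime):
    """Policies left below their guarantee (capped by their demand)."""
    alloc = allocate(total_kbps, policies, optimize_realtime)
    return [p.name for p in policies
            if alloc[p.name] < min(p.guarantee, p.demand)]
```

With the option enabled, shortfalls(TOTAL_WAN_KBPS, SAMPLE_POLICIES, True) reports ERP below its 800 KBps guarantee because VoIP consumed its full 1500 KBps limit first; with it disabled, every guarantee is met and VoIP only competes for the excess.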



Applying Traffic Shaping - Web

Traffic shaping can also be applied to web categories under PROTECT > Web > Categories.

By editing a category, you can select a traffic shaping policy to apply to that web category,
independent of the firewall rule matched.



Chapter Review

The total WAN bandwidth needs to be configured before using traffic shaping

You can configure a default traffic shaping policy for all traffic that does not have a policy applied

Traffic shaping policies can be created for users, rules, web categories, and applications

Here are the three main things you learned in this chapter.

The total WAN bandwidth needs to be configured before using traffic shaping.

You can configure a default traffic shaping policy for all traffic that does not have a policy applied.

Traffic shaping policies can be created for users, rules, web categories, and applications.
