XG Firewall Features

Sophos XG Firewall

Highlights

• Purpose-built user interface with interactive control center utilizing traffic-light indicators (red, yellow, green) to instantly identify what needs attention at-a-glance
• The Control Center offers instant insights into endpoint health, unidentified Mac and Windows applications, cloud applications and Shadow IT, suspicious payloads, risky users, advanced threats, network attacks, objectionable websites, and much more.
• Optimized two-clicks-to-anywhere navigation
• Policy Control Center Widget monitors policy activity for business, user and network policies and tracks unused, disabled, changed and new policies
• New unified policy model combines all business, user and network firewall rules onto a single screen with grouping, filtering and search options
• Streamlined firewall rule management for large rule sets with grouping with at-a-glance mouse-over feature and enforcement indicators
• All firewall rules provide an at-a-glance summary of the applied security and control for AV, Sandboxing, SSL, IPS, Web, App, Traffic Shaping (QoS), routing, and Heartbeat
• Pre-defined IPS, Web, App, and Traffic Shaping (QoS) policies enable quick setup and easy customization for common deployment scenarios (e.g. CIPA, typical workplace policies, and more)
• IPS, Web, App, and Traffic Shaping (QoS) policies snap-into firewall rules and can be edited in-place providing a powerful but intuitive model for configuring and managing security and control
• Policy Templates for common business applications including Microsoft Exchange, SharePoint, Lync, and much more defined in XML enabling customization and sharing.
• Sophos Security Heartbeat connecting Sophos endpoints with the Firewall to share health status and telemetry to enable instant identification of unhealthy or compromised endpoints
• Dynamic firewall rule support for endpoint health (Sophos Security Heartbeat) to automatically isolate or limit network access to compromised endpoints
• Synchronized Application Control to automatically identify, classify and control all unknown Mac/Windows applications on the network
• Cloud Application Visibility enables Shadow IT discovery instantly and offers one-click traffic shaping
• Policy test simulator tool to enable firewall rule and web policy simulation and testing by user, IP and time of day
• User Threat Quotient for identifying risky users based on recent browsing behavior and ATP triggers
• Application Risk Meter provides an overall risk factor based on the risk level of applications on the network
• Configuration API for all features for RMM/PSA integration
• Discover Mode (TAP mode) for seamless integration for trials and PoCs with support for Synchronized Security
• Full-featured centralized management with Sophos Firewall Manager available as a hardware, software, or virtual appliance
• Easy streamlined setup wizard to enable quick out-of-the box deployment in just a few minutes

Base Firewall

General Management

• Purpose-built streamlined user interface and firewall rule management for large rule sets with grouping with at-a-glance rule feature and enforcement indicators
• Two-factor authentication (One-time-password) support for administrator access, user portal, IPSec and SSL VPN
• Advanced trouble-shooting tools in GUI (e.g., Packet Capture)
• High Availability (HA) support clustering two devices in active-active or active-passive mode.
• Full command-line-interface (CLI) accessible from GUI
• Role-based administration
• Automated firmware update notification with easy automated update process and roll-back features
• Reusable system object definitions for networks, services, hosts, time periods, users and groups, clients and servers
• Self-service user portal
• Configuration change tracking
• Flexible device access control for services by zones
• Email or SNMP trap notification options
• SNMP and Netflow support
• Central management support from Sophos Firewall Manager or Sophos Cloud Firewall Manager
• Backup and restore configurations: locally, via FTP or email; on-demand, daily, weekly or monthly
• API for third party integration
• Remote access option for Sophos Support
• Cloud-based license management via MySophos

Firewall, Networking, and Routing

• Stateful deep packet inspection firewall
• FastPath Packet Optimization
• User, group, time, or network based policies
• Access time policies per user/group
• Enforce policy across zones, networks, or by service type
• Zone isolation and zone-based policy support.
• Default zones for LAN, WAN, DMZ, LOCAL, VPN, and WiFi
• Custom zones on LAN or DMZ
• Customizable NAT policies with IP masquerading and full object support to redirect or forward multiple services in a single rule
• Flood protection: DoS, DDoS and portscan blocking
• Country blocking by geo-IP
• Routing: static, multicast (PIM-SM) and dynamic (RIP, BGP, OSPF)
• Upstream proxy support
• Protocol independent multicast routing with IGMP snooping
• Bridging with STP support and ARP broadcast forwarding
• VLAN DHCP support and tagging
• Multiple bridge support
• WAN link balancing: multiple Internet connections, auto-link health check, automatic failover, automatic and weighted balancing, and granular multipath rules
• Wireless WAN support (n/a in virtual deployments)
• 802.3ad interface link aggregation
• Full configuration of DNS, DHCP and NTP
• Dynamic DNS
• IPv6 Ready Logo Program Approval Certification
• IPv6 tunnelling support including 6in4, 6to4, 4in6, and IPv6 rapid deployment (6rd) through IPSec

Base Traffic Shaping and Quotas

• Flexible network or user based traffic shaping (QoS) (enhanced Web and App traffic shaping options are included with the Web Protection Subscription)
• Set user-based traffic quotas on upload/download or total traffic and cyclical or non-cyclical
• Real-time VoIP optimization
• DSCP marking

Secure Wireless

• Simple plug-and-play deployment of Sophos wireless access points (APs) — automatically appear on the firewall control center
• Centrally monitor and manage all APs and wireless clients through the built-in wireless controller
• Bridge APs to LAN, VLAN, or a separate zone with client isolation options
• Multiple SSID support per radio including hidden SSIDs
• Support for the latest security and encryption including WPA2 Personal and Enterprise
• Channel width selection option
• Support for IEEE 802.1X (RADIUS authentication)
• Support for 802.11r (fast transition)
• Hotspot support for (custom) vouchers, password of the day, or T&C acceptance
• Wireless guest Internet access with walled garden options
• Time-based wireless network access
• Wireless repeating and bridging meshed network mode with supported APs
• Automatic channel selection background optimization
• Support for HTTPS login
• Rogue AP detection

Authentication

• Transparent, proxy authentication (NTLM/Kerberos) or client authentication
• Authentication via: Active Directory, eDirectory, RADIUS, LDAP and TACACS+
• Server authentication agents for Active Directory SSO, STAS, SATC
• Client authentication agents for Windows, Mac OS X, Linux 32/64
• Authentication certificates for iOS and Android
• Single sign-on: Active directory, eDirectory
• Authentication services for IPSec, L2TP, PPTP, SSL
• Captive Portal

User Self-Serve Portal

• Download the Sophos Authentication Client
• Download SSL remote access client (Windows) and configuration files (other OS)
• Hotspot access information
• Change user name and password
• View personal internet usage
• Access quarantined messages and manage user-based block/allow sender lists (requires Email Protection)

Base VPN Options

• Site-to-site VPN: SSL, IPSec, 256-bit AES/3DES, PFS, RSA, X.509 certificates, pre-shared key
• L2TP and PPTP
• Remote access: SSL, IPsec, iPhone/iPad/Cisco/Android VPN client support
• IKEv2 Support
• SSL client for Windows and configuration download via user portal

IPSec Client (available separately)

• Authentication: Pre-Shared Key (PSK), PKI (X.509), Smartcards, Token and XAUTH
• Encryption: AES (128/192/256), DES, 3DES (112/168), Blowfish, RSA (up to 2048 Bit), DH groups 1/2/5/14, MD5 and SHA-256/384/512
• Intelligent split-tunneling for optimum traffic routing
• NAT-traversal support
• Client-monitor for graphical overview of connection status
• Multilingual: German, English, and French

Sandstorm Protection Subscription

Sandstorm Cloud Sandbox Protection

• Full integration into your Sophos security solution dashboard
• Inspects executables and documents containing executable content (including .exe, .com, and .dll, .doc, .docx, .docm and .rtf and PDF) and archives containing any of the file types listed above (including ZIP, BZIP, GZIP, RAR, TAR, LHA/LZH, 7Z, Microsoft Cabinet)
• Aggressive behavioral, network, and memory analysis
• Detects sandbox evasion behavior
• Machine Learning technology with Deep Learning scans all dropped executable files
• Includes exploit prevention and Cryptoguard Protection technology from Sophos Intercept X
• In-depth malicious file reports and dashboard file release capability
• Optional data center selection and flexible user and group policy options on file type, exclusions, and actions on analysis
• Supports one-time download links

Network Protection Subscription

Intrusion Prevention (IPS)

• High-performance, next-gen IPS deep packet inspection engine with selective IPS patterns that can be applied on a firewall rule basis for maximum performance and protection
• Top rated by NSS Labs
• Thousands of signatures
• Support for custom IPS signatures
• IPS Policy Smart Filters that enable dynamic policies which automatically update as new patterns are added

ATP and Security Heartbeat™

• Advanced Threat Protection (Detect and block network traffic attempting to contact command and control servers using multi-layered DNS, AFC, and firewall)
• Sophos Security Heartbeat™ instantly identifies compromised endpoints including the host, user, process, incident count, and time of compromise
• Sophos Security Heartbeat™ policies can limit access to network resources or completely isolate compromised systems until they are cleaned up

Remote Ethernet Device (RED) VPN

• Central Management of all RED devices
• No configuration: Automatically connects through a cloud-based provisioning service
• Secure encrypted tunnel using digital X.509 certificates and AES256-encryption
• Virtual Ethernet for reliable transfer of all traffic between locations
• IP address management with centrally defined DHCP and DNS Server configuration
• Remotely de-authorize RED devices after a select period of inactivity
• Compression of tunnel traffic
• VLAN port configuration options (RED 50)

Clientless VPN

• Sophos unique encrypted HTML5 self-service portal with support for RDP, HTTP, HTTPS, SSH, Telnet, and VNC

Web Protection Subscription

Web Protection and Control

• Fully transparent proxy for anti-malware and web-filtering
• Enhanced Advanced Threat Protection
• URL Filter database with millions of sites across 92 categories, backed by SophosLabs
• Surfing quota time policies per user/group
• Access time policies per user/group
• Malware scanning: block all forms of viruses, web malware, trojans, and spyware on HTTP/S, FTP and web-based email
• Advanced web malware protection with JavaScript emulation
• Live Protection real-time, in-the-cloud lookups for the latest threat intelligence
• Second independent malware detection engine (Avira) for dual-scanning
• Real-time or batch mode scanning
• Pharming Protection
• HTTP and HTTPS scanning and enforcement on any network and user policy with fully customizable rules and exceptions
• SSL protocol tunnelling detection and enforcement
• Certificate validation
• High performance web content caching
• Forced caching for Sophos Endpoint updates
• File type filtering by mime-type, extension and active content types (e.g. ActiveX, applets, cookies, etc.)
• YouTube for Schools enforcement
• SafeSearch enforcement (DNS-based) for major search engines
• Web keyword monitoring and enforcement to log, report or block web content matching keyword lists with the option to upload custom lists
• Block Potentially Unwanted Applications

Cloud Application Visibility

• Control Center widget displays amount of data uploaded and downloaded to cloud applications categorized as new, sanctioned, unsanctioned or tolerated
• Discover Shadow IT at a glance
• Drill down to obtain details on users, traffic and data
• One-click access to traffic shaping policies
• Filter cloud application usage by category or volume
• Detailed customizable cloud application usage report for full historical reporting

Application Protection and Control

• Synchronized App Control to automatically identify, classify and control all unknown Windows and Mac applications on the network
• Signature-based application control with patterns for thousands of applications
• Cloud Application Visibility and Control to discover Shadow IT
• App Control Smart Filters that enable dynamic policies which automatically update as new patterns are added
• Micro app discovery and control
• Application control based on category, characteristics (e.g., bandwidth and productivity consuming), technology (e.g., P2P) and risk level
• Per-user or network rule application control policy enforcement

Web and App Traffic Shaping

• Enhanced traffic shaping (QoS) options by web category or application to limit or guarantee upload/download or total traffic priority and bitrate individually or shared

Email Protection Subscription

Email Protection and Control

• E-mail scanning with SMTP, POP3, and IMAP support
• Reputation service with spam outbreak monitoring based on patented Recurrent-Pattern-Detection technology
• Block spam and malware during the SMTP transaction
• Spam greylisting
• Recipient verification for mistyped email addresses
• Second independent malware detection engine (Avira) for dual-scanning
• Live Protection real-time, in-the-cloud lookups for the latest threat intelligence
• Automatic signature and pattern updates
• Smart host support for outbound relays
• File-Type detection/blocking/scanning of attachments
• Accept, reject or drop over-sized messages
• Detects phishing URLs within e-mails
• Use pre-defined content scanning rules or create your own custom rules based on a variety of criteria with granular policy options and exceptions
• TLS Encryption support for SMTP, POP, and IMAP
• Append signature automatically to all outbound messages
• Email archiver
• Individual user-based block and allow sender lists maintained through the user portal

Email Quarantine Management

• Spam quarantine digest and notifications options
• Malware and spam quarantines with search and filter options by date, sender, recipient, subject, and reason with option to release and delete messages
• Self-serve user portal for viewing and releasing quarantined messages

Email Encryption and DLP

• Patent-pending SPX encryption for one-way message encryption
• Recipient self-registration SPX password management
• Add attachments to SPX secure replies
• Completely transparent, no additional software or client required
• DLP engine with automatic scanning of emails and attachments for sensitive data
• Pre-packaged sensitive data type content control lists (CCLs) for PII, PCI, HIPAA, and more, maintained by SophosLabs

Web Server Protection Subscription

Web Application Firewall Protection

• Reverse proxy
• URL hardening engine with deep-linking and directory traversal prevention
• Form hardening engine
• SQL injection protection
• Cross-site scripting protection
• Dual-antivirus engines (Sophos and Avira)
• HTTPS (SSL) encryption offloading
• Cookie signing with digital signatures
• Path-based routing
• Outlook anywhere protocol support
• Reverse authentication (offloading) for form-based and basic authentication for server access
• Virtual server and physical server abstraction
• Integrated load balancer spreads visitors across multiple servers
• Skip individual checks in a granular fashion as required
• Match requests from source networks or specified target URLs
• Support for logical and/or operators
• Assists compatibility with various configurations and non-standard deployments
• Options to change Web Application Firewall performance parameters
• Scan size limit option
• Allow/Block IP ranges
• Wildcard support for server paths
• Automatically append a prefix/suffix for authentication

Logging and Reporting

NOTE: XG Firewall reporting is included at no extra charge but individual log, report, and widget availability may be dependent on their respective protection module license.

• Hundreds of on-box reports with custom report options: Dashboards (Traffic, Security, and User Threat Quotient), Applications (App Risk, Blocked Apps, Synchronized Apps, Search Engines, Web Servers, Web Keyword Match, FTP), Network and Threats (IPS, ATP, Wireless, Security Heartbeat, Sandstorm), VPN, Email, Compliance (HIPAA, GLBA, SOX, FISMA, PCI, NERC CIP v3, CIPA)
• Current Activity Monitoring: system health, live users, IPsec connections, remote users, live connections, wireless clients, quarantine, and DoS attacks
• Report anonymization
• Report scheduling to multiple recipients by report group with flexible frequency options
• Export reports as HTML, PDF, Excel (XLS)
• Report bookmarks
• Full log viewer with retention customization by category

XG Firewall Features by Subscription Summary

FullGuard Plus (included in TotalProtect Plus)
FullGuard (included in TotalProtect)
EnterpriseGuard Plus (included in EnterpriseProtect Plus)
EnterpriseGuard (included in EnterpriseProtect)

Features (as listed above)    Base Firewall    Sandstorm Protection    Network Protection    Web Protection    Email Protection    Web Server Protection
General Management (incl. HA) ●
Firewall, Networking and Routing ●
Base Traffic Shaping and Quotas ●
Secure Wireless ●
Authentication ●
Self-Serve User Portal ●
Base VPN Options ●
IPSec Client Sold separately
Sandstorm Protection ●
Intrusion Prevention (IPS) ●
ATP and Security Heartbeat™ ●
Remote Ethernet Device (RED) VPN ●
Clientless VPN ●
Synchronized Application Control ●
Web Protection and Control ●
Application Protection and Control ●
Cloud Application Visibility ●
Web and App Traffic Shaping ●
Email Protection and Control ●
Email Quarantine Management ●
Email Encryption and DLP ●
Web Application Firewall Protection ●
Logging and Reporting ● ● ● ● ● ●

United Kingdom and Worldwide Sales: Tel: +44 (0)8447 671131, Email: [email protected]
North American Sales: Toll Free: 1-866-866-2802, Email: [email protected]
Australia and New Zealand Sales: Tel: +61 2 9409 9100, Email: [email protected]
Asia Sales: Tel: +65 62244168, Email: [email protected]

© Copyright 2018. Sophos Ltd. All rights reserved.


Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.

16-12 FLNA (SM)
