Application Control - Unidos

This document provides an overview of application control on Sophos Firewall. It discusses how application filters can be used to allow or deny access to applications and how these filters can be applied to firewall rules. It also briefly covers synchronized application control and how this feature helps identify and classify unknown applications using endpoint data from Sophos Central.

Uploaded by

Jorge Calderon

Getting Started with Application Control on Sophos Firewall

Sophos Firewall
FW4505: Getting Started with Application Control on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Application Control on Sophos Firewall - 1


Getting Started with Application Control on Sophos Firewall

In this chapter you will learn how to configure application control filters and apply them to firewall
rules.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks
✓ Configuring firewall rules

DURATION
15 minutes



Application Control Overview

[Diagram: Sophos Firewall sits between the computer and applications such as cloud storage, peer-to-peer, video streaming and social media. It protects against risky applications, blocks or limits unproductive applications, and guarantees bandwidth for business applications.]

Many applications and tools used for day-to-day business are provided through cloud-based
services, so ensuring good Internet connectivity to employees is vital.

Alongside these business applications are every other type of application and service that can be
imagined, many of which are unproductive or can expose users and the company network to risks.

Sophos Firewall can protect against risky applications and either block or limit access to
unproductive applications, and at the same time guarantee that business applications have the
bandwidth they need.

Application List

Applications can be found in: PROTECT > Applications > Application list

Sophos Firewall comes with definitions for thousands of known applications, which you can filter
and view the details of in PROTECT > Applications > Application list.

Live Connections

Current connections can be monitored in: MONITOR & MANAGE > Current activities > Live connections

The Live connections page lists all of the current applications making connections through the
Sophos Firewall. You can use the link in the ‘Total’ column to get more detailed information about
all of the connections for that application.

The live connections can be shown by application, username or source IP address, and the page
can be optionally set up to automatically refresh to give a real-time view.

Application Filters

Applications can be found in: PROTECT > Applications > Application filter

Application filters are sets of rules that can allow or deny access to applications. Unlike web
policies, application filter rules are not applied to users and groups, so the application filter will
apply to all users for the firewall rule it is used in.



Creating Application Filters

Application filters are created in two stages.

First you create the application filter. Here you can optionally select an existing application filter as
a template.

You save the application filter and if you selected a template the rules will be copied over to the
new filter.

You can now open the application filter and start adding rules or edit rules if you selected a
template.

Please note that the rules are processed in order, and you can rearrange them by dragging and
dropping.



Application Filter Rules

For each application filter rule, you select which applications it will apply to, set whether the action
for those applications is allow or deny, and optionally select a schedule for when the rule will be
active.

Selecting the applications in the rule is done by filtering the applications using the criteria provided
or using a free-text smart filter. When new applications are added that match the filters they will
automatically be included in the rule.

You can optionally choose to select individual applications rather than all applications included in
the filtered results; in this case, newly added applications will not automatically be added to the
rule.

Below the selected applications, you can choose whether this rule is to allow or deny them. You
can also select when this rule is active based on a schedule.
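
The behaviour described above (ordered rules, criteria-based versus individually selected applications, and schedules) can be modelled in a few lines. This is an added example, not Sophos code: the `App`, `Rule` and `evaluate` names, the application names other than OneDrive and Dropbox, the "first active match decides" behaviour and the default allow are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Optional

@dataclass(frozen=True)
class App:
    name: str
    category: str          # constructed category labels, not the product's list

@dataclass(frozen=True)
class Rule:
    action: str                                        # "allow" or "deny"
    criteria: Optional[Callable[[App], bool]] = None   # filter criteria (dynamic)
    individual: frozenset = frozenset()                # hand-picked apps (static)
    schedule: Optional[tuple] = None                   # (start, end) or None = always

    def applies(self, app: App, now: datetime) -> bool:
        if self.schedule and not (self.schedule[0] <= now.time() < self.schedule[1]):
            return False
        if self.individual:
            return app.name in self.individual
        return bool(self.criteria and self.criteria(app))

def evaluate(rules, app, now, default="allow"):
    """Walk the rules top to bottom; the first active match decides (assumed)."""
    for rule in rules:
        if rule.applies(app, now):
            return rule.action
    return default

def is_storage(app):
    return app.category == "Storage and Backup"

WORK_HOURS = (time(9, 0), time(17, 0))

# Constructed filter: order matters, the OneDrive exception sits above the deny.
FILTER = [
    Rule("allow", individual=frozenset({"OneDrive"})),
    Rule("deny", criteria=is_storage),
    Rule("deny", individual=frozenset({"TorrentClientA"}), schedule=WORK_HOURS),
]

ONEDRIVE = App("OneDrive", "Storage and Backup")
DROPBOX = App("Dropbox", "Storage and Backup")
NEW_STORAGE = App("NewStorageApp", "Storage and Backup")   # definition added later
TORRENT_A = App("TorrentClientA", "P2P")
TORRENT_B = App("TorrentClientB", "P2P")                   # definition added later

if __name__ == "__main__":
    noon = datetime(2022, 4, 1, 12, 0)
    night = datetime(2022, 4, 1, 21, 0)
    for app in (ONEDRIVE, DROPBOX, NEW_STORAGE, TORRENT_A, TORRENT_B):
        print(f"{app.name:15} noon={evaluate(FILTER, app, noon):5} "
              f"night={evaluate(FILTER, app, night)}")
    swapped = [FILTER[1], FILTER[0], FILTER[2]]
    print("OneDrive with deny rule first:", evaluate(swapped, ONEDRIVE, noon))
```

The criteria-based deny picks up `NewStorageApp` without any edit to the filter, while the individually selected deny misses `TorrentClientB`, which is the gap to watch for when a block rule is built from hand-picked applications.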



Apply an Application Filter

Once you have configured your application filter, it needs to be selected in a firewall rule in the
‘Other security features’ section.



Simulation: Create an Application Filter

In this simulation you will create a custom application filter, apply it to a firewall rule, then test the
results.

https://training.sophos.com/fw/simulation/AppFilter/1/start.html


Synchronized App Control

[Diagram: Sophos Firewall sees traffic heading to the Internet and asks, “I don’t recognize this traffic, what application is it from?” The Sophos Central managed endpoint running Custom Business Application answers, “This is Custom Business Application, and it is allowed.”]

Synchronized app control can identify, classify and control previously unknown applications active
on the network. It uses the Security Heartbeat to obtain information from the endpoint about
applications that don’t have signatures or are using generic HTTP or HTTPS connections. This
solves a significant problem that affects signature-based app control on all firewalls today, where
many applications are classified as “unknown”, “unclassified”, “generic HTTP”, or “SSL”.

Synchronized app control is not supported in active-active high availability deployments.



Managing Synchronized App Control

Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central.

In the Control center there is a synchronized application control widget that provides an at-a-glance
indication of new applications that have been identified.


Categorizing Identified Applications
Identified applications are managed in:
PROTECT > Applications > Synchronized Application Control

Where possible, Sophos Firewall will automatically classify identified applications and they will be
controlled based on the current application filters you have in place.

Through the menu for the application you can customize the classification.

Here you can see that OneDrive has been assigned to the application category ‘Storage and
Backup’. If you were blocking this category but wanted to allow OneDrive, you could choose to
move it to another category such as ‘General Business’.



Synchronized Application Control

Retention options: 1 month, 3 months, 6 months, 9 months, 12 months

You can configure clean up of the synchronized application control database to remove obsolete
applications that are no longer in use; this is done in PROTECT > Central synchronization.

You can choose how long to retain applications in the database from 1 month to 12 months.
Sophos Firewall will then run a daily check for applications older than the threshold and remove
them in batches of 100 every 5 minutes. Applications are also deleted from application filter
policies if they were added individually.

The retention period is measured from when an application was last detected by synchronized
application control. If the application is frequently used, then the last detection date will always be
updated, and the application will not be purged. This feature is designed to only purge applications
that are no longer in use, and therefore no longer being detected by synchronized application control.


Simulation: Use Synchronized App Control to Block an Application

In this simulation you will reclassify an application detected by synchronized application
control, then test that it is blocked.

https://training.sophos.com/fw/simulation/SyncAppControl/1/start.html


Application Routing

Routing > SD-WAN Routing > Add

Applications can be added as a traffic selector for SD-WAN policy routes.

To use this functionality you need to create an application object. An application object is a list of
applications selected using the same filtering criteria and options as for application filter rules.

In the example here, we have selected remote access applications that have been detected by
synchronized application control.



Cloud Applications

[Diagram: OneDrive is sanctioned; Dropbox is unsanctioned. Steps: identify cloud applications being used, classify cloud applications, apply traffic shaping rules, block using application control.]

Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to
identify risky behavior by providing insights into what cloud services are being used. You can then
take appropriate action by educating users or implementing application control or traffic shaping
policies to control or eliminate potential risky or unwanted behavior.

For example, if your company has a corporate Microsoft 365 and uses OneDrive for file storage,
and one user is consistently uploading data to Dropbox, that could be a red flag that needs further
investigation or policy enforcement. This practice of using unsanctioned cloud services is called
“Shadow IT”, a term you’ll often hear in association with CASB.
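
The OneDrive and Dropbox scenario above can be turned into a small review report. This is an added example, not Sophos code or a Sophos export format: the record layout, the `ExampleNotes` and `ExampleShare` application names, the 100 MB threshold and the choice to treat unclassified applications as New are assumptions made for illustration.

```python
from collections import defaultdict

MB = 10**6

# Constructed classification, using the four labels from the Control center widget.
CLASSIFICATION = {
    "OneDrive": "Sanctioned",
    "Dropbox": "Unsanctioned",
    "ExampleNotes": "Tolerated",      # hypothetical application name
}

# Constructed usage records: (user, cloud application, bytes uploaded, bytes downloaded).
RECORDS = [
    ("alice", "OneDrive", 500 * MB, 200 * MB),
    ("bob", "Dropbox", 40 * MB, 5 * MB),
    ("bob", "Dropbox", 900 * MB, 10 * MB),
    ("carol", "Dropbox", 2 * MB, 300 * MB),
    ("carol", "ExampleShare", 150 * MB, 1 * MB),   # hypothetical, not yet classified
    ("dave", "ExampleNotes", 300 * MB, 20 * MB),
]

def classify(app, classification):
    """Applications nobody has classified yet are reported as New (assumed)."""
    return classification.get(app, "New")

def summarize(records, classification):
    """Per classification: number of distinct applications and data out / in."""
    apps = defaultdict(set)
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0})
    for _user, app, up, down in records:
        label = classify(app, classification)
        apps[label].add(app)
        totals[label]["bytes_out"] += up
        totals[label]["bytes_in"] += down
    return {label: {"apps": len(apps[label]), **totals[label]} for label in apps}

def flag_uploads(records, classification, min_upload, watch=("Unsanctioned", "New")):
    """(user, app, uploaded) for watched classifications at or above min_upload."""
    uploaded = defaultdict(int)
    for user, app, up, _down in records:
        if classify(app, classification) in watch:
            uploaded[(user, app)] += up
    hits = [(u, a, n) for (u, a), n in uploaded.items() if n >= min_upload]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

if __name__ == "__main__":
    for label, row in sorted(summarize(RECORDS, CLASSIFICATION).items()):
        print(label, row)
    for user, app, n in flag_uploads(RECORDS, CLASSIFICATION, 100 * MB):
        print(f"review: {user} uploaded {n // MB} MB to {app}")
```

Summing uploads per user and application before applying the threshold is what surfaces the user who is consistently uploading, where no single record would stand out.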



Cloud Applications in the Control Center

In Control center there is a widget that provides a visual summary of cloud application usage by
classification. This can be New, Sanctioned, Unsanctioned, or Tolerated.

The statistics show the number of cloud applications, and the amount of data in and out.

Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can
get more detailed information.

Cloud Applications

Cloud applications can be found in: PROTECT > Applications > Cloud applications

Here you can see all the cloud applications that have been detected. You can filter them by
classification and category, and sort them either by volume of data or by number of users.

You can expand each application to see which users have been using it, and how much data they
have transferred.



Classifying and Traffic Shaping

For each detected application you can select a classification and a traffic shaping policy.

By selecting a classification for the applications, you can then use this to customize reports to
show, for example, use of unsanctioned applications on your network.

Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.



Simulation: Categorize Cloud Applications on Sophos Firewall

In this simulation you will review the cloud applications detected by Sophos Firewall and classify
them.

https://training.sophos.com/fw/simulation/CloudApplications/1/start.html


Chapter Review

Here are the three main things you learned in this chapter.

Application filters are an ordered list of rules that allow or deny applications based on filter criteria.
Application filters need to be applied in a firewall rule.

Synchronized application control can detect unknown applications using Security Heartbeat.
Discovered applications are automatically classified and allowed or blocked based on your
application filters. You can also reclassify applications.

Sophos Firewall can detect cloud applications; these can be classified to report on use of
unsanctioned applications on the network.

Application Traffic Shaping on Sophos Firewall

Sophos Firewall
FW4515: Application Traffic Shaping on Sophos Firewall

April 2022
Version: 19.0v1


Application Traffic Shaping on Sophos Firewall - 1


Application Traffic Shaping on Sophos Firewall

In this chapter you will learn how to configure and apply a traffic shaping policy for applications.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Application Control on Sophos Firewall
✓ Configuring traffic shaping settings

DURATION
10 minutes

Traffic Shaping Default

Applications can be found in: PROTECT > Applications > Traffic shaping default

You can create and apply traffic shaping policies based on applications.

Here you can see the applications grouped by their category. You can apply traffic shaping policies
to a category of applications. You can also apply policies to individual applications, which will take
precedence over any category level traffic shaping policy.


When you choose to edit an application, you can select a compatible traffic shaping policy that will
override any other applied QoS policies for that application. From here, you can also edit or even
create new traffic shaping policies for the application.

Traffic Shaping Policies

Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

Traffic shaping policies can be configured either to limit the amount of bandwidth that traffic can
use, perhaps to prevent video streaming impacting business, or to guarantee an amount of bandwidth
in the case of business-critical applications. As we mentioned in the previous slide, there are
several pre-defined traffic shaping policies that ship with Sophos Firewall. As can be seen, they
can be associated with standard firewall rules, applied to users, target web categories or applied to
an application.


When you add a new traffic shaping policy, it is important to select the correct policy association.
This will determine where the policy can be applied in Sophos Firewall. For example, a user
policy cannot be applied to an application, and vice versa.

The rule type determines if we are going to limit or guarantee bandwidth for the selected traffic.
Selecting the Limit option is often used when you want to prevent users, applications, or other
connections from using too much bandwidth and affecting critical business communications. For
example, a limit rule can be created for streaming media to prevent services such as YouTube from
consuming too much data.

A Guarantee rule is used when you want to ensure that an application or type of traffic has enough
bandwidth to function properly, even at the expense of other services. If you have a
business-critical application or system, such as VoIP, you want to ensure that it has the necessary
amount of bandwidth to function uninterrupted no matter what. Using the VoIP example, if the
bandwidth for calls were suddenly reduced, it could cause stuttering during calls or even
disconnects. Imagine how that would look if you were on the line with a customer.

The next settings can be used to determine how much bandwidth to allocate. The upload and
download bandwidth can be controlled independently if desired. The amount of bandwidth can be
set, and the bandwidth can be controlled per individual (per user, application, connection, etc.) or
shared between them.

A priority can also be configured for the rule, which determines which traffic gets processed first
if there are multiple priorities of traffic in the queue. The highest priority traffic, defined by the
lowest number, will always be processed first.


Traffic Shaping Policies Example

Here is an example showing a guarantee rule for a critical business application. In this example, the
rule is created with an application policy association and set as type guarantee. Then the priority is
set to 1, which is business critical.

We want to ensure that any traffic matching this rule is processed before almost all other traffic.
Finally, we set our guarantee and limit numbers. As this is an individual rule, and not a shared rule,
the bandwidth numbers are set to the minimum and maximum bandwidth needed per user of the
application. This does require a good understanding of the applications data needs.

After saving the policy, it would need to be applied to the application or application group.
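
The precedence, association and priority rules from this chapter can be checked against a planned set of assignments before they are entered in the firewall. This is an added example, not Sophos code: the `ShapingPolicy` model, the policy and application names other than YouTube, the bandwidth numbers and the "guarantee must not exceed limit" check are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    association: str     # "application", "user", "rule" or "web category"
    rule_type: str       # "limit" or "guarantee"
    priority: int        # lower number is processed first
    limit: int           # maximum bandwidth (constructed numbers, unit left open)
    guarantee: int = 0   # minimum bandwidth, used by guarantee rules

VOIP = ShapingPolicy("VoIP guarantee", "application", "guarantee", 1, 512, 128)
STREAM = ShapingPolicy("Streaming limit", "application", "limit", 6, 2000)
PER_USER = ShapingPolicy("Per-user limit", "user", "limit", 5, 1000)
BAD = ShapingPolicy("CRM guarantee", "application", "guarantee", 2, 256, 1024)

# Constructed plan: application -> category, plus the two assignment levels.
APPS = {"SoftphoneX": "VoIP", "YouTube": "Streaming Media",
        "VideoSiteB": "Streaming Media", "ExampleCRM": "General Business"}
CATEGORY_POLICIES = {"Streaming Media": STREAM}
APP_POLICIES = {"SoftphoneX": VOIP, "VideoSiteB": PER_USER, "ExampleCRM": BAD}

def effective_policy(app):
    """The application-level policy takes precedence over the category-level one."""
    if app in APP_POLICIES:
        return APP_POLICIES[app]
    return CATEGORY_POLICIES.get(APPS[app])

def audit():
    """Return (application, problem) pairs for assignments that cannot work as planned."""
    findings = []
    for app in sorted(APPS):
        policy = effective_policy(app)
        if policy is None:
            continue
        if policy.association != "application":
            findings.append(
                (app, "association is '%s', not 'application'" % policy.association))
        if policy.rule_type == "guarantee" and policy.guarantee > policy.limit:
            findings.append((app, "guarantee exceeds limit"))
    return findings

def processing_order():
    """Applications with a policy, highest priority (lowest number) first."""
    shaped = [(effective_policy(a).priority, a) for a in APPS if effective_policy(a)]
    return [a for _prio, a in sorted(shaped)]

if __name__ == "__main__":
    for app in APPS:
        print(app, "->", effective_policy(app).name)
    print(audit())
    print(processing_order())
```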



Applying Traffic Shaping

To enable the application traffic shaping, select Apply application-based traffic shaping policy in
the firewall rule where you have applied the application filter.



Simulation: Create an Application Traffic Shaping Policy

In this simulation you will configure and apply a traffic shaping policy for applications.

https://training.sophos.com/fw/simulation/AppTrafficShaping/1/start.html


Chapter Review

Here are the three main things you learned in this chapter.

You can apply traffic shaping policies to categories of applications as well as individual applications.
Traffic shaping policies applied to individual applications will take precedence over traffic shaping
policies applied to the category.

Traffic shaping policies can be created to either limit the amount of bandwidth available to an
application or guarantee bandwidth, even at the expense of other services.

The upload and download bandwidth can be controlled independently and can either be individual
to the policy association (user, firewall rule, web category, application), or shared between them.
