
Getting Started with Application Control on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW4505: Getting Started with Application Control on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Application Control on Sophos Firewall - 1


Getting Started with Application Control on Sophos Firewall

In this chapter you will learn how to configure application control filters and apply them to firewall rules.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks
✓ Configuring firewall rules

DURATION

15 minutes

In this chapter you will learn how to configure application control filters and apply them to firewall
rules.



Application Control Overview

[Diagram: Sophos Firewall sits between a computer and the Internet, with the application groups Cloud Storage, Peer-to-Peer, Video Streaming and Social Media. Callouts: protect against risky applications; block or limit unproductive applications; guarantee bandwidth for business applications]

Many applications and tools used for day-to-day business are provided through cloud-based
services, so ensuring good Internet connectivity to employees is vital.

Alongside these business applications are every other type of application and service that can be
imagined, many of which are unproductive or can expose users and the company network to risks.

Sophos Firewall can protect against risky applications and either block or limit access to
unproductive applications, and at the same time guarantee that business applications have the
bandwidth they need.



Application List
Applications can be found in: PROTECT > Applications > Application list

Sophos Firewall comes with definitions for thousands of known applications, which you can filter
and view the details of in PROTECT > Applications > Application list.



Live Connections
Current connections can be monitored in: MONITOR & MANAGE > Current activities > Live connections

The Live connections page lists all of the current applications making connections through the
Sophos Firewall. You can use the link in the ‘Total’ column to get more detailed information about
all of the connections for that application.

The live connections can be shown by application, username or source IP address, and the page
can be optionally set up to automatically refresh to give a real-time view.



Application Filters
Application filters can be found in: PROTECT > Applications > Application filter

Application filters are sets of rules that can allow or deny access to applications. Unlike web
policies, application filter rules are not applied to users and groups, so the application filter will
apply to all users for the firewall rule it is used in.



Creating Application Filters

You can optionally select an existing application filter as a template

Application filters are created in two stages.

First you create the application filter. Here you can optionally select an existing application filter as
a template.

You save the application filter and if you selected a template the rules will be copied over to the
new filter.



Creating Application Filters

You can now add rules to your application filter

Drag and drop to reorder

You can now open the application filter and start adding rules or edit rules if you selected a
template.

Please note that the rules are processed in order, and you can rearrange them by dragging and
dropping.



Application Filter Rules

For each application filter rule, you select which applications it will apply to, set whether the action
for those applications is allow or deny, and optionally select a schedule for when the rule will be
active.

Selecting the applications in the rule is done by filtering the applications using the criteria provided
or using a free-text smart filter. When new applications are added that match the filters they will
automatically be included in the rule.

You can optionally choose to select individual applications rather than all applications included in
the filtered results, in this case newly added applications will not automatically be added to the
rule.



Application Filter Rules

Below the selected applications, you can choose whether this rule is to allow or deny them. You
can also select when this rule is active based on a schedule.
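The rule semantics just described (ordered processing where the first match decides, criteria-based selection that picks up newly added applications versus individual selection that does not, an allow or deny action, and an optional schedule) can be checked in code. The following Python model is an added example, not Sophos code; the application records, the risk scale, the rules, and the default of allowing traffic that no rule matches are all constructed assumptions.

```python
"""Ordered application filter rule evaluation.

Added example, not Sophos code. It models the behaviour the notes describe:
rules are processed top to bottom and the first match decides; a rule selects
applications either by filter criteria or a free-text smart filter (newly added
applications that match are picked up automatically) or by individually
selected applications (newly added applications are not); each rule allows or
denies; and a rule may be restricted to a schedule. The application records,
risk scale, rules and the allow-by-default fallback are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Application:
    name: str
    category: str
    risk: int          # constructed scale: 1 (low) to 5 (high)
    technology: str


@dataclass
class FilterRule:
    action: str                                   # "allow" or "deny"
    criteria: dict = field(default_factory=dict)  # attribute -> required value
    smart_filter: Optional[str] = None            # free-text match on the name
    selected_apps: Optional[frozenset] = None     # individual selection, fixed at save time
    active_hours: Optional[tuple] = None          # schedule as (start, end) times

    def matches(self, app: Application, now: datetime) -> bool:
        # A scheduled rule only applies inside its active window.
        if self.active_hours is not None:
            start, end = self.active_hours
            if not (start <= now.time() < end):
                return False
        # Individually selected applications: membership was fixed when the
        # rule was saved, so a newly added application is never included.
        if self.selected_apps is not None:
            return app.name in self.selected_apps
        # Criteria-based selection is evaluated against the current definitions,
        # so new applications that match are included automatically.
        for attr, wanted in self.criteria.items():
            if getattr(app, attr) != wanted:
                return False
        if self.smart_filter and self.smart_filter.lower() not in app.name.lower():
            return False
        return True


def evaluate(rules: list[FilterRule], app: Application, now: datetime) -> str:
    """Return the action of the first matching rule; unmatched traffic is allowed (assumption)."""
    for rule in rules:
        if rule.matches(app, now):
            return rule.action
    return "allow"


# Constructed application definitions; "NewShareTool" stands for an application
# added by a later definition update, after the rules were created.
APPS = {
    "BitTorrent": Application("BitTorrent", "Peer-to-Peer", 5, "Client server"),
    "NewShareTool": Application("NewShareTool", "Peer-to-Peer", 4, "Browser based"),
    "YouTube": Application("YouTube", "Video Streaming", 2, "Browser based"),
    "Zoom": Application("Zoom", "Conferencing", 2, "Client server"),
}

# Filter built from criteria: denies the whole Peer-to-Peer category and denies
# video streaming during office hours only.
CRITERIA_FILTER = [
    FilterRule("deny", criteria={"category": "Peer-to-Peer"}),
    FilterRule("deny", criteria={"category": "Video Streaming"},
               active_hours=(time(9, 0), time(17, 0))),
]

# Filter built from individually selected applications at creation time.
SELECTION_FILTER = [
    FilterRule("deny", selected_apps=frozenset({"BitTorrent"})),
]

# Rule order matters: the allow rule placed first wins over the later deny.
ORDERED_FILTER = [
    FilterRule("allow", selected_apps=frozenset({"BitTorrent"})),
    FilterRule("deny", criteria={"category": "Peer-to-Peer"}),
]


def decide(rules: list[FilterRule], app_name: str, hour: int) -> str:
    """Convenience wrapper: evaluate an application at a given hour of the day."""
    return evaluate(rules, APPS[app_name], datetime(2022, 4, 1, hour, 0))


if __name__ == "__main__":
    for name in APPS:
        print(f"{name:12} criteria={decide(CRITERIA_FILTER, name, 10)} "
              f"selection={decide(SELECTION_FILTER, name, 10)}")
```

Running it shows the practical difference between the two selection methods: the criteria-based filter denies NewShareTool as soon as its definition arrives, while the individually selected filter keeps allowing it until an administrator edits the rule.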



Apply an Application Filter

Once you have configured your application filter, it needs to be selected in a firewall rule in the
‘Other security features’ section.



Simulation: Create an Application Filter

In this simulation you will create a custom application filter, apply it to a firewall rule, then test the results.

[Additional Information]

https://training.sophos.com/fw/simulation/AppFilter/1/start.html



Synchronized App Control

[Diagram: a Sophos Central managed endpoint, Sophos Firewall and the Internet. The firewall asks “I don’t recognize this traffic, what application is it from?” and the endpoint replies “This is Custom Business Application, and it is allowed”]

Synchronized app control can identify, classify and control previously unknown applications active on the network. It uses the Security Heartbeat to obtain information from the endpoint about applications that don’t have signatures or are using generic HTTP or HTTPS connections. This solves a significant problem that affects signature-based app control on all firewalls today, where many applications are classified as “unknown”, “unclassified”, “generic HTTP” or “SSL”.

Synchronized app control is not supported in active-active high availability deployments.



Managing Synchronized App Control

Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central.

In the Control center there is a synchronized application control widget that provides an at-a-
glance indication of new applications that have been identified.



Categorizing Identified Applications
Identified applications are managed in:
PROTECT > Applications > Synchronized Application Control

Where possible, Sophos Firewall will automatically classify identified applications and they will be
controlled based on the current application filters you have in place.

Through the menu for the application you can customize the classification.



Categorizing Identified Applications

Here you can see that OneDrive has been assigned to the application category ‘Storage and
Backup’. If you were blocking this category but wanted to allow OneDrive, you could choose to
move it to another category such as ‘General Business’.



Synchronized Application Control

Retention options: 1 month, 3 months, 6 months, 9 months, 12 months

You can configure clean up of the synchronized application control database to remove obsolete
applications that are no longer in use; this is done in PROTECT > Central synchronization.

You can choose how long to retain applications in the database from 1 month to 12 months.
Sophos Firewall will then run a daily check for applications older than the threshold and remove
them in batches of 100 every 5 minutes. Applications are also deleted from application filter
policies if they were added individually.

The time applications are retained for is since they were last detected by synchronized application
control. If the application is frequently used, then the last detection date will always be updated,
and the application will not be purged. This feature is designed to only purge applications that are
no longer in use, and therefore no longer being detected by synchronized application control.
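To make the retention rules concrete, here is an added Python simulation of the clean-up (example code, not Sophos's implementation). It applies the retention threshold, schedules removal in batches of 100 every 5 minutes, and drops purged applications from filter rules where they were added individually. The database contents are constructed, and 30-day months are an assumption, since the page does not say how months are counted.

```python
"""Synchronized application control database clean-up, as a simulation.

Added example, not Sophos code. It follows the rules stated in the notes: a
retention period chosen from 1 to 12 months, a daily check for applications
whose last detection is older than the threshold, deletion in batches of 100
every 5 minutes, and removal of purged applications from application filter
rules in which they were added individually. How a "month" is counted is not
stated on the page, so 30-day months are assumed here; the database contents
are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

BATCH_SIZE = 100                       # applications deleted per batch (from the notes)
BATCH_INTERVAL_MINUTES = 5             # interval between batches (from the notes)
RETENTION_CHOICES = (1, 3, 6, 9, 12)   # months offered on the slide
DAYS_PER_MONTH = 30                    # assumption, not stated on the page


@dataclass
class SyncedApp:
    name: str
    last_detected: date


def record_detection(app: SyncedApp, seen_on: date) -> None:
    """Each new detection refreshes the date, so an app still in use is never purged."""
    app.last_detected = seen_on


def retention_threshold(today: date, months: int) -> date:
    """Applications last detected before this date count as obsolete."""
    if months not in RETENTION_CHOICES:
        raise ValueError(f"retention must be one of {RETENTION_CHOICES} months")
    return today - timedelta(days=DAYS_PER_MONTH * months)


def select_obsolete(db: list[SyncedApp], today: date, months: int) -> list[SyncedApp]:
    threshold = retention_threshold(today, months)
    return [app for app in db if app.last_detected < threshold]


def batch_schedule(count: int) -> list[tuple[int, int]]:
    """(minutes after the check starts, applications in that batch) for each batch."""
    schedule = []
    for i, start in enumerate(range(0, count, BATCH_SIZE)):
        schedule.append((i * BATCH_INTERVAL_MINUTES, min(BATCH_SIZE, count - start)))
    return schedule


def daily_check(db: list[SyncedApp], filter_rules: dict[str, set[str]],
                today: date, months: int):
    """Run one daily clean-up; returns (remaining db, updated rules, batch schedule)."""
    purged = {app.name for app in select_obsolete(db, today, months)}
    remaining = [app for app in db if app.name not in purged]
    # Individually added applications disappear from the filter rules too.
    updated_rules = {rule: apps - purged for rule, apps in filter_rules.items()}
    return remaining, updated_rules, batch_schedule(len(purged))


def demo() -> dict:
    """Constructed database: 250 stale tools plus a few live or borderline ones."""
    today = date(2022, 4, 1)
    db = [SyncedApp(f"stale-tool-{i}", date(2021, 6, 1)) for i in range(250)]
    db += [
        SyncedApp("OneDrive", date(2022, 3, 30)),        # in daily use
        SyncedApp("OldRemoteTool", date(2021, 12, 31)),  # one day past a 3-month threshold
        SyncedApp("EdgeCaseTool", date(2022, 1, 1)),     # exactly on the threshold: kept
    ]
    rules = {"Block remote tools": {"OldRemoteTool", "OneDrive"}}
    remaining, rules_after, schedule = daily_check(db, rules, today, months=3)
    return {
        "threshold": retention_threshold(today, 3).isoformat(),
        "purged": len(db) - len(remaining),
        "remaining_names": sorted(a.name for a in remaining if not a.name.startswith("stale")),
        "rules": {k: sorted(v) for k, v in rules_after.items()},
        "schedule": schedule,
    }


if __name__ == "__main__":
    print(demo())
```

With a 3-month retention on 1 April 2022 the threshold is 1 January 2022: the 250 stale tools and the tool last seen on 31 December are purged in three batches (100, 100 and 51 applications at 0, 5 and 10 minutes), the tool seen exactly on the threshold date and OneDrive survive, and the purged tool is dropped from the filter rule it was added to individually.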



Simulation: Use Synchronized App Control to Block an Application

In this simulation you will reclassify an application detected by synchronized application control, then test that it is blocked.

[Additional Information]

https://training.sophos.com/fw/simulation/SyncAppControl/1/start.html



Application Routing

Routing > SD-WAN Routing > Add

Applications can be added as a traffic selector for SD-WAN policy routes.

To use this functionality you need to create an application object. An application object is a list of
applications selected using the same filtering criteria and options as for application filter rules.

In the example here, we have selected remote access applications that have been detected by
synchronized application control.



Cloud Applications

[Diagram: OneDrive is sanctioned, Dropbox is unsanctioned. Workflow: identify cloud applications being used → classify cloud applications → apply traffic shaping rules → block using application control]

Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to
identify risky behavior by providing insights into what cloud services are being used. You can then
take appropriate action by educating users or implementing application control or traffic shaping
policies to control or eliminate potential risky or unwanted behavior.

For example, if your company has a corporate Microsoft 365 and uses OneDrive for file storage,
and one user is consistently uploading data to Dropbox, that could be a red flag that needs further
investigation or policy enforcement. This practice of using unsanctioned cloud services is called
“Shadow IT”, a term you’ll often hear in association with CASB.



Cloud Applications in the Control Center

In Control center there is a widget that provides a visual summary of cloud application usage by
classification. This can be New, Sanctioned, Unsanctioned, or Tolerated.

The statistics show the number of cloud applications, and the amount of data in and out.

Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can
get more detailed information.



Cloud Applications
Cloud applications can be found in: PROTECT > Applications > Cloud applications

Here you can see all the cloud applications that have been detected, filter them by classification and category, and sort them either by volume of data or number of users.

You can expand each application to see which users have been using it, and how much data they
have transferred.



Classifying and Traffic Shaping

For each detected application you can select a classification and a traffic shaping policy.

By selecting a classification for the applications, you can then use this to customize reports to
show, for example, use of unsanctioned applications on your network.

Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.
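As an added example (not Sophos code), the following Python script produces the same kind of figures from constructed usage records: the per-classification counts and data in/out shown by the Control center widget, the per-user expansion of one application from the Cloud applications page, and a simple check for the OneDrive/Dropbox shadow-IT case described earlier. Application names, users, classifications and byte counts are all constructed.

```python
"""Cloud application usage summary and shadow-IT report.

Added example, not Sophos code. It works on constructed usage records and
reproduces the figures described on the slides: per classification (New,
Sanctioned, Unsanctioned, Tolerated) the number of cloud applications and the
data in and out, the per-user breakdown for one application, and a simple
shadow-IT check that flags users uploading to an unsanctioned application in a
category where a sanctioned one exists. Application names, users, the
classifications assigned and the byte counts are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

CLASSIFICATIONS = ("New", "Sanctioned", "Unsanctioned", "Tolerated")


@dataclass(frozen=True)
class CloudUsage:
    app: str
    category: str
    user: str
    bytes_in: int
    bytes_out: int


# Constructed records: OneDrive is the sanctioned store, Dropbox is not.
RECORDS = [
    CloudUsage("OneDrive", "Storage and Backup", "alice", 120_000_000, 45_000_000),
    CloudUsage("OneDrive", "Storage and Backup", "bob", 30_000_000, 5_000_000),
    CloudUsage("Dropbox", "Storage and Backup", "bob", 2_000_000, 800_000_000),
    CloudUsage("Dropbox", "Storage and Backup", "carol", 1_000_000, 3_000_000),
    CloudUsage("Zoom", "Conferencing", "alice", 900_000_000, 400_000_000),
    CloudUsage("PasteBox", "File Sharing", "carol", 500_000, 20_000_000),
]

# Constructed: what an administrator has assigned so far. PasteBox has not
# been classified yet, so it is reported as "New".
CLASSIFICATION = {
    "OneDrive": "Sanctioned",
    "Dropbox": "Unsanctioned",
    "Zoom": "Tolerated",
}


def classify(app: str) -> str:
    return CLASSIFICATION.get(app, "New")


def summarize_by_classification(records) -> dict[str, dict[str, int]]:
    """Widget figures: number of applications and data in/out per classification."""
    summary = {c: {"apps": 0, "bytes_in": 0, "bytes_out": 0} for c in CLASSIFICATIONS}
    apps_seen = defaultdict(set)
    for r in records:
        c = classify(r.app)
        apps_seen[c].add(r.app)
        summary[c]["bytes_in"] += r.bytes_in
        summary[c]["bytes_out"] += r.bytes_out
    for c, apps in apps_seen.items():
        summary[c]["apps"] = len(apps)
    return summary


def users_of(records, app: str) -> list[tuple[str, int]]:
    """Expand one application: users and total bytes transferred, largest first."""
    totals = defaultdict(int)
    for r in records:
        if r.app == app:
            totals[r.user] += r.bytes_in + r.bytes_out
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def shadow_it_uploads(records, min_bytes_out: int = 100_000_000) -> list[tuple[str, str, int]]:
    """Users sending at least min_bytes_out to an unsanctioned app whose category
    already has a sanctioned alternative: the OneDrive/Dropbox case from the slides."""
    sanctioned_categories = {r.category for r in records if classify(r.app) == "Sanctioned"}
    flagged = []
    for r in records:
        if (classify(r.app) == "Unsanctioned" and r.category in sanctioned_categories
                and r.bytes_out >= min_bytes_out):
            flagged.append((r.user, r.app, r.bytes_out))
    return sorted(flagged, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for c, row in summarize_by_classification(RECORDS).items():
        print(f"{c:12} apps={row['apps']} in={row['bytes_in']} out={row['bytes_out']}")
    print(users_of(RECORDS, "Dropbox"))
    print(shadow_it_uploads(RECORDS))
```

The upload threshold is a constructed starting point; in practice the figure that deserves follow-up depends on what normal use of the sanctioned service looks like on your network.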



Simulation: Categorize Cloud Applications on Sophos Firewall

In this simulation you will review the cloud applications detected by Sophos Firewall and classify them.

[Additional Information]

https://training.sophos.com/fw/simulation/CloudApplications/1/start.html



Chapter Review

• Application filters are an ordered list of rules that allow or deny applications based on filter criteria. Application filters need to be applied in a firewall rule
• Synchronized application control can detect unknown applications using Security Heartbeat. Discovered applications are automatically classified and allowed or blocked based on your application filters. You can also reclassify applications
• Sophos Firewall can detect cloud applications; these can be classified to report on use of unsanctioned applications on the network

Here are the three main things you learned in this chapter.

Application filters are an ordered list of rules that allow or deny applications based on filter criteria.
Application filters need to be applied in a firewall rule.

Synchronized application control can detect unknown applications using Security Heartbeat.
Discovered applications are automatically classified and allowed or blocked based on your
application filters. You can also reclassify applications.

Sophos Firewall can detect cloud applications; these can be classified to report on use of
unsanctioned applications on the network.

Application Traffic Shaping on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW4515: Application Traffic Shaping on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Application Traffic Shaping on Sophos Firewall - 1


Application Traffic Shaping on Sophos Firewall

In this chapter you will learn how to configure and apply a traffic shaping policy for applications.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Application Control on Sophos Firewall
✓ Configuring traffic shaping settings

DURATION

10 minutes

In this chapter you will learn how to configure and apply a traffic shaping policy for applications.



Traffic Shaping Default
Applications can be found in: PROTECT > Applications > Traffic shaping default

You can create and apply traffic shaping policies based on applications.

Here you can see the applications grouped by their category. You can apply traffic shaping policies
to a category of applications. You can also apply policies to individual applications, which will take
precedence over any category level traffic shaping policy.



Traffic Shaping Default
Applications can be found in: PROTECT > Applications > Traffic shaping default

When you choose to edit an application, you can select a compatible traffic shaping policy that will
override any other applied QoS policies for that application. From here, you can also edit or even
create new traffic shaping policies for the application.



Traffic Shaping Policies
Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

Traffic shaping policies can either be configured to limit the amount of bandwidth the matching traffic can use, perhaps to prevent video streaming impacting business, or to guarantee an amount of bandwidth in the case of business-critical applications. As we mentioned in the previous slide, there are several pre-defined traffic shaping policies that ship with Sophos Firewall. As can be seen, they can be associated with standard firewall rules, applied to users, target web categories or applied to an application.



Traffic Shaping Policies
Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

When you add a new traffic shaping policy, it is important to select the correct policy association. This will determine where the policy can be applied in Sophos Firewall. For example, a user policy cannot be applied to an application, and vice-versa.



Traffic Shaping Policies
Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

The rule type determines if we are going to limit or guarantee bandwidth for the selected traffic.
Selecting the Limit option is often used when you want to prevent users, applications, or other
connections from using too much bandwidth and affecting critical business communications. For
example, a limit rule can be created for streaming media to prevent services such as YouTube from
consuming too much data.

A Guarantee rule is used when you want to ensure that an application or type of traffic has enough bandwidth to function properly, even at the expense of other services. If you have a business-critical application or system, such as VoIP, you want to ensure that it has the necessary amount of bandwidth to function uninterrupted no matter what. Using the VoIP example, if the bandwidth for calls were suddenly reduced, it could cause stuttering during calls or even disconnects. Imagine how that would look if you were on the line with a customer.



Traffic Shaping Policies
Traffic shaping policies are configured in: CONFIGURE > System Services > Traffic shaping

The next settings can be used to determine how much bandwidth to allocate. The upload and
download bandwidth can be controlled independently if desired. The amount of bandwidth can be
set, and the bandwidth can be controlled per individual (per user, application, connection, etc…) or
shared between them.

A priority can also be configured for the rule which will determine which traffic gets processed first
if there are multiple priorities of traffic in the queue. The highest priority traffic, defined by the
lowest number, will always be processed first.



Traffic Shaping Policies Example

Here is an example showing a guarantee rule for a critical business application. In this example, the
rule is created with an application policy association and set as type guarantee. Then the priority is
set to 1, which is business critical.

We want to ensure that any traffic matching this rule is processed before almost all other traffic. Finally, we set our guarantee and limit numbers. As this is an individual rule, and not a shared rule, the bandwidth numbers are set to the minimum and maximum bandwidth needed per user of the application. This does require a good understanding of the application's data needs.

After saving the policy, it would need to be applied to the application or application group.
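The policy settings from the preceding slides (policy association, limit or guarantee, priority with the lowest number processed first, individual or shared bandwidth) and the earlier point that an application-level policy takes precedence over the category-level one can be modelled as follows. This Python model is an added example, not Sophos code: the allocation algorithm, the 0 to 7 priority range, the equal split of a shared policy's figures between its current flows, and all policies and flows are constructed assumptions.

```python
"""Traffic shaping policy model: association, limit vs guarantee, priority.

Added example, not Sophos code. It models the settings described on the
slides: a policy has a policy association that decides where it can be applied
(a user policy cannot be applied to an application), a rule type of limit or
guarantee, a priority where the lowest number is processed first, bandwidth
figures set per individual or shared, and an application-level policy takes
precedence over the category-level one. The allocation algorithm, the 0-7
priority range, the equal split of a shared policy between its current flows,
and the policies and flows below are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

ASSOCIATIONS = ("user", "firewall rule", "web category", "application")


@dataclass(frozen=True)
class ShapingPolicy:
    name: str
    association: str
    rule_type: str        # "limit" or "guarantee"
    priority: int         # 0 (highest) .. 7 (lowest); assumed range
    guarantee_kbps: int   # minimum bandwidth; only meaningful for guarantee rules
    limit_kbps: int       # maximum bandwidth
    shared: bool = False  # True: figures are shared by all matching flows

    def __post_init__(self):
        if self.association not in ASSOCIATIONS:
            raise ValueError(f"unknown policy association {self.association!r}")
        if self.rule_type not in ("limit", "guarantee"):
            raise ValueError("rule type must be 'limit' or 'guarantee'")
        if not 0 <= self.priority <= 7:
            raise ValueError("priority must be between 0 and 7")
        if self.rule_type == "limit" and self.guarantee_kbps:
            raise ValueError("a limit rule has no guarantee")
        if self.guarantee_kbps > self.limit_kbps:
            raise ValueError("guarantee cannot exceed limit")


def compatible(policy: ShapingPolicy, target_kind: str) -> bool:
    """A policy can only be applied where its policy association allows."""
    return policy.association == target_kind


def attach(policy: ShapingPolicy, target_kind: str) -> ShapingPolicy:
    """Apply a policy to a target; rejects a mismatching association."""
    if not compatible(policy, target_kind):
        raise ValueError(f"{policy.name!r} is a {policy.association} policy and "
                         f"cannot be applied to a {target_kind}")
    return policy


def effective_policy(app, app_policies, category_policies, app_categories):
    """Application-level policy wins; otherwise fall back to the category policy."""
    if app in app_policies:
        return app_policies[app]
    return category_policies.get(app_categories.get(app))


@dataclass(frozen=True)
class Flow:
    name: str
    policy: ShapingPolicy
    demand_kbps: int


def allocate(link_kbps: int, flows: list[Flow]) -> dict[str, int]:
    """Two passes in priority order: reserve guarantees, then fill up to limits."""
    flows_per_policy: dict[str, int] = {}
    for f in flows:
        flows_per_policy[f.policy.name] = flows_per_policy.get(f.policy.name, 0) + 1

    def share(value: int, pol: ShapingPolicy) -> int:
        # Shared policies split their figure equally between current flows (assumption).
        return value // flows_per_policy[pol.name] if pol.shared else value

    alloc = {f.name: 0 for f in flows}
    left = link_kbps
    by_priority = sorted(flows, key=lambda f: f.policy.priority)  # lowest number first
    for f in by_priority:                       # pass 1: guarantees are reserved first
        if f.policy.rule_type == "guarantee":
            give = min(f.demand_kbps, share(f.policy.guarantee_kbps, f.policy), left)
            alloc[f.name] += give
            left -= give
    for f in by_priority:                       # pass 2: remaining capacity up to each limit
        cap = min(f.demand_kbps, share(f.policy.limit_kbps, f.policy))
        give = min(max(cap - alloc[f.name], 0), left)
        alloc[f.name] += give
        left -= give
    return alloc


# Constructed policies: the VoIP one mirrors the example slide (application
# association, guarantee type, priority 1).
VOIP = ShapingPolicy("VoIP guarantee", "application", "guarantee", 1, 500, 2000)
STREAMING = ShapingPolicy("Streaming limit", "application", "limit", 6, 0, 4000, shared=True)
GENERAL = ShapingPolicy("General limit", "web category", "limit", 4, 0, 10000)
SALES_USER = ShapingPolicy("Sales users", "user", "limit", 3, 0, 8000)


def demo_allocation(link_kbps: int = 10000) -> dict[str, int]:
    """Constructed flows sharing one link of link_kbps."""
    flows = [
        Flow("voip-call", VOIP, 800),
        Flow("youtube-1", STREAMING, 5000),
        Flow("youtube-2", STREAMING, 5000),
        Flow("browsing", GENERAL, 8000),
    ]
    return allocate(link_kbps, flows)


if __name__ == "__main__":
    print(demo_allocation())
    print(demo_allocation(1000))
```

On a 10 Mbit/s link the VoIP call gets its full 800 kbit/s (500 reserved by the guarantee, the rest in the second pass because it has the highest priority), browsing takes the next 8000, and the two streaming flows are left to split the shared 4000 kbit/s limit out of the 1200 kbit/s that remain. On a congested 1 Mbit/s link the call still gets 800 kbit/s and browsing is squeezed to 200, which is the behaviour the guarantee rule is meant to give a business-critical application.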



Applying Traffic Shaping

To enable the application traffic shaping, select Apply application-based traffic shaping policy in
the firewall rule where you have applied the application filter.



Simulation: Create an Application Traffic Shaping Policy

In this simulation you will configure and apply a traffic shaping policy for applications.

[Additional Information]

https://training.sophos.com/fw/simulation/AppTrafficShaping/1/start.html



Chapter Review

• You can apply traffic shaping policies to categories of applications as well as individual applications. Traffic shaping policies applied to individual applications will take precedence over traffic shaping policies applied to the category
• Traffic shaping policies can be created to either limit the amount of bandwidth available to an application or guarantee bandwidth, even at the expense of other services
• The upload and download bandwidth can be controlled independently and can either be individual to the policy association (user, firewall rule, web category, application), or shared between them

Here are the three main things you learned in this chapter.

You can apply traffic shaping policies to categories of applications as well as individual applications.
Traffic shaping policies applied to individual applications will take precedence over traffic shaping
policies applied to the category.

Traffic shaping policies can be created to either limit the amount of bandwidth available to an
application or guarantee bandwidth, even at the expense of other services.

The upload and download bandwidth can be controlled independently and can either be individual
to the policy association (user, firewall rule, web category, application), or shared between them.

Getting Started with Remote Access VPNs on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5005: Getting Started with Remote Access VPNs on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Remote Access VPNs on Sophos Firewall - 1


Configuring SSL Remote Access VPNs on Sophos Firewall

In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Protocols used for VPN access
✓ Authentication servers, users and groups

DURATION

20 minutes

In this chapter you will learn how to configure SSL and IPsec remote access VPNs on Sophos
Firewall.



Remote Access VPNs

• IPsec: establish remote access IPsec VPNs using the Sophos Connect client or third-party clients
• SSL: establish remote access SSL VPNs using the Sophos Connect client, legacy SSL VPN client, or OpenVPN clients
• Clientless SSL: provide access to internal services and resources using a browser
• L2TP over IPsec: compatible with the VPN client built into Windows
• PPTP: support for legacy PPTP connections (not recommended)

Sophos Firewall supports a range of common protocols for remote access VPNs.

The most used are IPsec and SSL, so in this chapter we will focus on these two, but it is useful to
remember that Sophos Firewall also supports L2TP over IPsec, which is compatible with the
Windows built-in VPN client, and PPTP, although we do not recommend you use it as it is less
secure.



SSL and IPsec VPNs (additional information in the notes)

SSL Remote Access VPN
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with OpenVPN clients on all platforms
• Support for multi-factor authentication
• Supports Synchronized Security
• Split tunnelling and tunnel all
• Guided configuration wizard

IPsec Remote Access VPN
• Sophos Connect VPN Client for Windows and Mac OS X
• Compatible with third-party IPsec VPN clients
• Support for multi-factor authentication
• Supports Synchronized Security
• Split tunnelling and tunnel all

Sophos Firewall’s SSL remote access VPN is based on OpenVPN, a full-featured VPN solution. The
encrypted tunnels between remote devices and the Sophos Firewall use both SSL certificates and
username and password to authenticate the connection, and you can also enable multi-factor
authentication for additional security.

The IPsec remote access VPN can be authenticated using a pre-shared key or digital certificate,
with users then authenticating with their username and password, and optionally multi-factor
authentication. As a standard IPsec VPN, it is compatible with third-party VPN clients.

For both the SSL and IPsec remote access VPNs we provide the Sophos Connect VPN client for
Windows and Mac OS X devices.

For SSL remote access VPNs, we still support the legacy Sophos SSL VPN Client; however, we
recommend upgrading to Sophos Connect when possible.

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/VPNSophosConnectClient.html



SSL VPN Assistant

Sophos Firewall has a wizard to streamline and simplify the configuration of everything required
for remote access SSL VPNs. The assistant includes:
• Selecting the users and groups the policy will apply to
• Configuring the authentication servers
• Selecting the resources users will be able to access
• Choosing between split tunneling or tunnel all
• Selecting which zones can access the user portal to download the client and configuration
• And selecting which zones users can establish an SSL VPN from

As part of the assistant, a firewall rule will be created to control access to internal resources from
the VPN.



Demo: SSL VPN Assistant

In this demo you will see how to use the SSL VPN assistant to quickly configure remote access for users.

[Additional Information]

https://training.sophos.com/fw/demo/SslVpnAssistant/1/play.html

In this short demo we will look at the SSL VPN assistant, which brings together the configuration of
the VPN profile, creation of a firewall rule, as well as several global settings, to make setting up SSL
VPNs quick and easy.

The SSL VPN assistant is launched from the Remote access VPN section on the SSL VPN tab.

The first screen here gives you an overview of some of the global SSL VPN settings. These can be
configured using the SSL VPN global settings link here.

Give the VPN a name, then select the users and groups that can use this connection. I will select
the Training group here.

Next, you can customize the authentication servers for SSL VPNs. I will remove local
authentication. This setting is global for SSL VPNs, and if you need to update it you will find it in
Authentication > Services.

Select the resources you want users to be able to access through the VPN. This will be used to
configure a firewall rule.



Choose whether the VPN will be the default gateway for all traffic, or whether you
will be using split tunnelling.

Select which zones can access the user portal, where users can download the SSL
VPN client and configuration files. Note that this is a global setting that can be found
in Administration > Device access.

Finally, select which zones users can establish SSL VPNs from. This is also a global setting in device access.

Review the configuration, then click Finish.

In addition to creating the SSL VPN configuration you can see here, the assistant also created a firewall rule to limit the scope of access for VPN users to the resources selected.



Security Heartbeat over SSL VPN

Split tunnel or tunnel all option

To enable using the Security Heartbeat over the SSL VPN, you need to add the built-in
‘SecurityHeartbeat_over_VPN’ host object. This contains the public IP address used for Security
Heartbeat and will ensure it is routed over the VPN to Sophos Firewall.
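The following added Python model (not Sophos or OpenVPN code) shows the routing decision behind this note: with tunnel all every destination uses the VPN, while with split tunnelling only the pushed resource networks do, so Heartbeat traffic to its public address only reaches the firewall if the SecurityHeartbeat_over_VPN host object is among the tunnelled resources. The Heartbeat address and the resource networks are constructed placeholders, not the real values.

```python
"""Route selection for SSL VPN clients: tunnel all vs split tunnel.

Added example, not Sophos or OpenVPN code. It models the routing decision on a
VPN client to show why the built-in 'SecurityHeartbeat_over_VPN' host object
has to be among the tunnelled resources of a split-tunnel profile: without it,
Heartbeat traffic to its public address leaves through the local gateway and is
not seen by Sophos Firewall. The Heartbeat address and the resource networks
below are constructed placeholders, not the real values.
"""
from __future__ import annotations

import ipaddress

# Constructed placeholder from the TEST-NET-3 range; the real address lives in
# the built-in host object and is not on the page.
HEARTBEAT_PLACEHOLDER_IP = "203.0.113.10"

# Host objects as a profile would reference them (constructed contents).
HOST_OBJECTS = {
    "Internal LAN": ["10.0.0.0/24"],
    "File servers": ["10.0.1.0/24"],
    "SecurityHeartbeat_over_VPN": [HEARTBEAT_PLACEHOLDER_IP],
}


def tunnelled_networks(profile: dict) -> list[ipaddress.IPv4Network]:
    """Networks pushed to the client from the profile's permitted resources."""
    nets = []
    for obj in profile["resources"]:
        for entry in HOST_OBJECTS[obj]:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def next_hop(profile: dict, destination: str) -> str:
    """'vpn' if the packet goes through the tunnel, else 'local'."""
    if profile["mode"] == "tunnel_all":
        return "vpn"            # the VPN is the default gateway for everything
    if profile["mode"] != "split":
        raise ValueError("mode must be 'tunnel_all' or 'split'")
    dst = ipaddress.ip_address(destination)
    return "vpn" if any(dst in net for net in tunnelled_networks(profile)) else "local"


def heartbeat_reaches_firewall(profile: dict) -> bool:
    """The check an administrator wants: does Heartbeat traffic use the tunnel?"""
    return next_hop(profile, HEARTBEAT_PLACEHOLDER_IP) == "vpn"


# Constructed profiles
SPLIT_WITHOUT_HEARTBEAT = {"mode": "split", "resources": ["Internal LAN", "File servers"]}
SPLIT_WITH_HEARTBEAT = {"mode": "split",
                        "resources": ["Internal LAN", "File servers", "SecurityHeartbeat_over_VPN"]}
TUNNEL_ALL = {"mode": "tunnel_all", "resources": ["Internal LAN"]}

if __name__ == "__main__":
    for name, profile in [("split, no heartbeat object", SPLIT_WITHOUT_HEARTBEAT),
                          ("split, with heartbeat object", SPLIT_WITH_HEARTBEAT),
                          ("tunnel all", TUNNEL_ALL)]:
        print(f"{name:30} heartbeat via tunnel: {heartbeat_reaches_firewall(profile)}")
```

The point to take from it is that the tunnel all profile needs no extra object, while a split-tunnel profile that omits the host object silently loses the Heartbeat even though every internal resource remains reachable.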



SSL VPN Settings

By default, Sophos Firewall uses port 8443

By default, Sophos Firewall hosts the SSL VPN on port 8443, however this can be changed to a
different available port in the SSL VPN settings. Note that the SSL VPN can share port 443 with
other services on Sophos Firewall, such as the user portal and web application firewall rules.

You can modify the SSL certificate for the connection and override the hostname used in the
configuration files.

You can configure the IP lease range, DNS, WINS and domain name that will be used for clients that
connect.

In addition to this, there are several advanced connection settings such as the algorithms, key size,
key lifetime and compression options.

The SSL VPN settings are global for both remote access and site-to-site SSL VPNs; if you make
changes here you may need to update any SSL site-to-site VPNs you have configured.



SSL VPN Client

Recommended VPN client for Windows and Mac OS X

Legacy SSL VPN client for Windows

Configuration for all platforms

Once an SSL VPN profile has been created for a user, they can download an SSL VPN client from
their User Portal. For Windows and Mac OS X we recommend using the Sophos Connect client.
There is also a legacy SSL VPN Client for Windows, and configuration download for all platforms.




Sophos Connect Client and Legacy SSL VPN Client

If the legacy SSL VPN client is not installed in the default location the Sophos Connect installer will not detect it

The legacy SSL VPN client and Sophos Connect client cannot be installed on the same computer as
they will conflict with each other. To prevent this, when installing Sophos Connect it will check for
the legacy VPN in the default installation path and display an error if found.

If the legacy SSL VPN client has been installed to a non-default location the Sophos Connect
installer will not detect it. This may render both VPN clients inoperable due to the conflict.

[Additional Information]
The default installation path of the legacy SSL VPN client is: C:\Program Files (x86)\Sophos\Sophos SSL VPN



Simulation: Configure an SSL Remote Access VPN


In this simulation you will configure an SSL remote access VPN using the assistant. You will then
review the configuration created and test your VPN using the Sophos Connect client.

[Additional Information]

https://training.sophos.com/fw/simulation/SslUserVpn/1/start.html



IPsec VPN Configuration

Quick links to IPsec profile, Sophos Connect client download, and logs

At the top of the tab for the IPsec remote access VPN are quick links that provide access to IPsec
profiles, the Sophos Connect client download, and logs.



IPsec VPN Profiles

IPsec profiles contain the security configuration for the IPsec connection, such as the encryption
algorithms that will be supported.

Sophos Firewall provides a default profile for remote access; however, you can clone this and
create your own to meet your security requirements.



IPsec VPN Configuration

Select the IPsec profile

Pre-shared keys or digital certificate

Select the users and groups that can connect

To configure the IPsec remote access VPN, start by enabling it and selecting which interface it will
listen for connections on.

Select the IPsec profile.

The VPN can be authenticated by either pre-shared keys or with a digital certificate.

Select the users and groups that will be able to authenticate to use the VPN.



IPsec VPN Configuration

IP range to use for the VPN

DNS servers

You need to configure the IP range that will be used for clients that connect, and optionally you can
also assign DNS servers.



IPsec VPN Configuration

The advanced configuration can be found at the bottom of the page and allows you to configure
split tunneling, two-factor authentication, Security Heartbeat, and other connection settings.



IPsec VPN Configuration

Download configuration files

Using the buttons at the bottom of the page you can export the configuration for the VPN.



IPsec VPN Configuration

Only the .scx contains the advanced settings

When you export the configuration from the web admin you will download an archive with two
files:
• .scx – includes the advanced settings
• .tbg – contains only the basic configuration and tunnels all traffic back to the Sophos
Firewall



IPsec VPN Client

Sophos Connect client can be downloaded from the user portal

The Sophos Connect client can also be downloaded from the user portal; however, the
configuration for the IPsec VPN needs to be provided by the admin.



Sophos Connect Client
Import the configuration file for either IPsec or SSL

To use the Sophos Connect client you need to import a configuration file. This can be either for the
IPsec or SSL VPN.



Sophos Connect Client
Screens: Connect, Login, Connection Details

You can then connect to the VPN.

When the Sophos Connect Client contacts the firewall, you will be prompted to authenticate.

Once connected, the details will be shown.



Simulation: Configure an IPsec Remote Access VPN


In this simulation you will configure an IPsec remote access VPN. You will then test your VPN using
the Sophos Connect client.

[Additional Information]

https://training.sophos.com/fw/simulation/IpsecUserVpn/1/start.html



Deploying Sophos Connect

Knowledgebase Article KB-000040793


How to Deploy Sophos Connect via Group Policy Object (GPO)

1. Deploy the Sophos Connect MSI via a GPO script

2. Push the configuration as a file in the Windows Settings GPO

The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires
two elements to be configured.

First, you need to deploy the Sophos Connect MSI via a GPO (Group Policy Object) script.

Secondly, you need to configure a Windows Settings file to push the configuration to the
endpoints.

[Additional Information]

Details on how to do this are covered in knowledgebase article KB-000040793.


https://support.sophos.com/support/s/article/KB-000040793



Chapter Review

Here are the main things you learned in this chapter.

The VPN assistant streamlines the configuration of everything required for remote access SSL
VPNs.

The default port for SSL VPNs is 8443. This can be changed in the SSL VPN settings. These settings
are global and apply to site-to-site SSL VPNs.

The Sophos Connect client supports both IPsec and SSL remote access VPNs and can be
downloaded from both the web admin and the user portal. The SSL VPN configuration is
downloaded in the user portal, whereas the IPsec VPN configuration is downloaded in the web admin.



Advanced Sophos Connect Configuration on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5010: Advanced Sophos Connect Configuration on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Sophos Connect Configuration on Sophos Firewall - 1


Advanced Sophos Connect Configuration on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Remote Access VPNs on Sophos Firewall

DURATION

9 minutes

In this chapter you will learn how to use advanced configuration options with Sophos Connect on
Sophos Firewall.



Sophos Connect Client
Sophos Connect VPN client for Windows and Mac OS X

Supports SSL and IPsec VPNs

Split tunneling and tunnel all (default)

Synchronized Security

Download the client from web admin and user portal

The Sophos Connect client is available for Windows and Mac OS X and supports both SSL and IPsec
remote access VPNs.

By default, the IPsec remote access configuration will tunnel all traffic over the VPN; however, this
can be customized to support split tunneling.

The Synchronized Security Heartbeat can be routed over the VPN, allowing you to tightly control
access to connected devices using the security settings in firewall rules for client VPN traffic.

The Sophos Connect client can be downloaded from both the web admin and the user portal;
however, the IPsec configuration can only be downloaded from the web admin and the SSL
configuration can only be downloaded from the user portal.



Tunnel All and Split Tunnelling

Diagram: Tunnel All vs. Split Tunnelling

For both IPsec and SSL remote access VPNs you can choose between tunnelling all the traffic back
to the firewall or using split tunnelling to only send traffic for specific networks and resources over
the VPN. This is controlled by the ‘Use as default gateway’ option in the VPN configuration. When
enabled, all traffic will be sent to the firewall, and when disabled, only selected traffic is routed
over the VPN.



Synchronized Security

When configuring the VPN for split-tunnelling, you can make use of the Security Heartbeat over
the VPN by ensuring the built-in host object is included in the networks.



IP Range and DNS: SSL

IP range to use for the VPN

DNS servers

SSL VPNs have a default address pool for clients that connect, which can be modified in the global
SSL VPN settings. Here, you can also define DNS servers so that connected clients can resolve
resources through the VPN.

When modifying this configuration, it is important to note that these settings apply to both the
remote access and site-to-site SSL VPNs.



IP Range and DNS: IPsec

IP range to use for the VPN

DNS servers

For IPsec remote access VPNs there is no default IP address pool, and it is defined in the
configuration for the VPN. Here, you can also define the DNS servers for resolving hosts over the
VPN.



Advanced IPsec Settings

Disable Use as default gateway and add the networks for the VPN

Enable and configure advanced features

IPsec remote access VPNs have an ‘Advanced settings’ section. Here, you can choose between split
tunnelling and tunnel all and define the networks for split tunnelling.

In addition to this, you can enable options such as multifactor authentication, which Sophos
recommends as best practice, automatic connection, and so forth.



Advanced IPsec Settings

Only the .scx contains the advanced settings

When you export the IPsec remote access VPN configuration from the web admin you will
download an archive with two files:
• .scx – includes the advanced settings
• .tbg – contains only the basic configuration and tunnels all traffic back to the Sophos
Firewall



Automatic Provisioning

Diagram: the Sophos Connect client opens a provisioning file (.pro), authenticates with the
user portal on the Sophos Firewall, downloads the connection policy, and establishes the
VPN connection.

You can perform automatic provisioning of remote access VPN connections with Sophos Connect,
for both IPsec and SSL.

To do this, you start by creating a provisioning file with the details of the Sophos Firewall.

When the provisioning file is imported into Sophos Connect, the user is prompted to authenticate
with the user portal.

Sophos Connect can then download the connection policy and establish the VPN.



Automatic Provisioning

Provisioning File (.pro)

[
  {
    "gateway": "<Enter your gateway hostname or IP address>",
    "user_portal_port": 443,
    "otp": false,
    "auto_connect_host": "<Enter internal hostname or IP address>",
    "can_save_credentials": true,
    "check_remote_availability": false,
    "run_logon_script": false
  }
]

Here is an example of what a provisioning file would look like. As you can see, it is a basic JSON file
that includes the gateway hostname or IP address, the port for the user portal, and some other
connection details. This file must be saved with a .PRO extension.

When Sophos Connect is installed it creates a file association for .PRO files, which means that the
provisioning file can simply be double-clicked to import it into Sophos Connect.
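As an added example, not Sophos code or part of the course, here is a small Python linter that checks a .pro file before it is handed to endpoints, for instance before staging it on the network share used for the GPO deployment later in this chapter. The key names and value types are taken from the sample file above; the placeholder, port-range and hardening checks, the meaning assumed for 'otp', and the sample hostnames are this example's own assumptions.

```python
"""Lint a Sophos Connect provisioning (.pro) file before staging it for import.

Added example, not Sophos code. Key names and value types come from the sample
provisioning file shown in the course; the hardening checks are this example's
own policy, and the hostnames in the constructed samples are made up.
"""
import json
from typing import Dict, List

# Keys and value types as they appear in the course's sample .pro file.
# Any key not listed is reported so that a typo is not silently accepted.
EXPECTED_TYPES: Dict[str, type] = {
    "gateway": str,
    "user_portal_port": int,
    "otp": bool,
    "auto_connect_host": str,
    "can_save_credentials": bool,
    "check_remote_availability": bool,
    "run_logon_script": bool,
}
# Assumption: a connection is unusable without a gateway and a portal port.
REQUIRED = {"gateway", "user_portal_port"}


def is_placeholder(value: str) -> bool:
    """The sample file ships with '<Enter ...>' placeholders that must be replaced."""
    stripped = value.strip()
    return stripped == "" or stripped.startswith("<")


def lint_connection(conn: object, index: int) -> List[str]:
    """Return findings for one entry of the top-level array."""
    prefix = f"connection[{index}]"
    if not isinstance(conn, dict):
        return [f"{prefix}: entry must be a JSON object"]
    findings: List[str] = []
    for key in sorted(REQUIRED - set(conn)):
        findings.append(f"{prefix}: missing required key '{key}'")
    for key, value in conn.items():
        expected = EXPECTED_TYPES.get(key)
        if expected is None:
            findings.append(f"{prefix}: unknown key '{key}'")
        # bool is a subclass of int, so reject true/false where a number is expected
        elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            findings.append(f"{prefix}: '{key}' should be {expected.__name__}")
    for key in ("gateway", "auto_connect_host"):
        value = conn.get(key)
        if isinstance(value, str) and is_placeholder(value):
            findings.append(f"{prefix}: '{key}' still contains the sample placeholder")
    port = conn.get("user_portal_port")
    if isinstance(port, int) and not isinstance(port, bool) and not 1 <= port <= 65535:
        findings.append(f"{prefix}: 'user_portal_port' {port} is outside 1-65535")
    # Policy checks (this example's own): the course recommends multifactor
    # authentication, and cached VPN credentials extend the impact of a lost device.
    # 'otp' is assumed to control the one-time-password prompt.
    if conn.get("otp") is False:
        findings.append(f"{prefix}: 'otp' is false; enable one-time passwords")
    if conn.get("can_save_credentials") is True:
        findings.append(f"{prefix}: 'can_save_credentials' is true; consider disabling")
    return findings


def lint_provisioning_file(text: str) -> List[str]:
    """Parse the .pro JSON text and return all findings (an empty list means clean)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"file: not valid JSON ({exc.msg} at line {exc.lineno})"]
    if not isinstance(data, list) or not data:
        return ["file: top level must be a non-empty JSON array of connections"]
    findings: List[str] = []
    for index, conn in enumerate(data):
        findings.extend(lint_connection(conn, index))
    return findings


# Constructed samples: the course's template as shipped, and a filled-in,
# hardened version of the same file.
SAMPLE_AS_SHIPPED = """[
  {"gateway": "<Enter your gateway hostname or IP address>", "user_portal_port": 443,
   "otp": false, "auto_connect_host": "<Enter internal hostname or IP address>",
   "can_save_credentials": true, "check_remote_availability": false,
   "run_logon_script": false}
]"""
SAMPLE_HARDENED = """[
  {"gateway": "vpn.example.com", "user_portal_port": 443, "otp": true,
   "auto_connect_host": "intranet.example.internal", "can_save_credentials": false,
   "check_remote_availability": true, "run_logon_script": false}
]"""

if __name__ == "__main__":
    for name, text in (("as shipped", SAMPLE_AS_SHIPPED), ("hardened", SAMPLE_HARDENED)):
        findings = lint_provisioning_file(text)
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```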



Automatic Provisioning

Beyond the basic provisioning file we just showed, it also supports:

• Multiple gateways, which can be selected at random, by latency, or in order
• Multiple connections
• Two-factor authentication

[Additional Information]
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html



Automatic Provisioning

Here you can see that when the user imports the provisioning file they are prompted to
authenticate. In this example, as the user is connecting to the WAN interface, they need to enter
the CAPTCHA for the user portal also.

Once authenticated, Sophos Connect will download the configuration and automatically connect to
the VPN.



Automatic Provisioning
If the user portal certificate is not trusted users will see a certificate error

If the user portal certificate is not trusted, users will see a certificate error when they open the
provisioning file.

To resolve this:
• Ensure that the certificate includes the hostname in the subject alternative names
• Then, deploy the CA certificate to the endpoints, or use a certificate from a trusted CA



Automatic Provisioning

Diagram: detect a policy mismatch, download the new connection policy, reconnect to the VPN.

With automatic provisioning, if the VPN configuration is changed on Sophos Firewall, Sophos
Connect will detect the policy mismatch, download the connection policy, and reconnect to the
VPN.



Automatic Provisioning

Users can also force an update to the policy through the menu in the Sophos Connect client.



Deploying Sophos Connect

Knowledgebase Article KB-000040793


Deploy Sophos Connect using script via GPO

1. Deploy the Sophos Connect MSI via a GPO script

2. Push the configuration as a file in the Windows Settings GPO

The Sophos Connect client can be easily deployed using Active Directory Group Policy. This requires
two elements to be configured.

First, you need to deploy the Sophos Connect MSI through a Group Policy Object, specifically a
GPO script.

Secondly, you need to configure a Windows Settings file to push the configuration to the
endpoints.

[Additional Information]

Details on how to do this are covered in knowledgebase article KB-000040793.


https://support.sophos.com/support/s/article/KB-000040793



Create a Group Policy Object

Create a new GPO and link it to the OU that contains the computers you want to install Sophos Connect on

We will take a quick look at how you can do this.

Start by creating a new GPO and linking it to the OU that contains the computers you want to
install Sophos Connect on.



1. Deploy the Sophos Connect MSI via a GPO Script

1. In the script path, create a batch file to launch the installation of Sophos Connect
2. Add the script to the GPO

Edit the GPO you created and navigate to Computer Configuration > Policies > Windows Settings >
Scripts. You need to add a startup script.

Click Show Files… to navigate to the script path, then create a batch file like the one shown here
using the code from the knowledgebase article. This will check if Sophos Connect is installed, and if
not, start the installation in the background.

Once you have created the script in the right location, click Add… to add the script to the GPO.



2. Push the Configuration File via GPO Settings

Next, navigate to Computer Configuration > Preferences > Windows Settings > Files on the left.

Add a new file. Configure it to create a new file and give it the source and destination paths.

The source should be a configuration file on an accessible network path; here we are using an
automatic provisioning configuration file.

The destination should be the ‘import’ folder in the Sophos Connect installation directory.

Once this is done, Sophos Connect will be installed and configured automatically for users.



Chapter Review

Here are the main things you learned in this chapter.

Both IPsec and SSL remote access VPNs support tunnel all and split tunnelling. This is configured
using the option ‘Use as default gateway’.

Sophos Connect can retrieve the VPN configuration from the user portal by using an automatic
provisioning file. These connections can then be updated if changes are made on Sophos Firewall.

Sophos Connect can be deployed using Active Directory Group Policy. A startup script can be used
to check for and run the Sophos Connect installer, and a configuration file can be copied to the
import directory.



Configuring Clientless Access on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5020: Configuring Clientless Access on Sophos Firewall

April 2022
Version: 19.0v1


Configuring Clientless Access on Sophos Firewall - 1


Configuring Clientless Access on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring Remote Access VPNs on Sophos Firewall

DURATION

8 minutes

In this chapter you will learn how to create and manage bookmarks for clientless SSL VPN access.



Clientless Access Portal

Clientless SSL VPN connections can be found in the user portal and can be used to provide access
to internal resources without the need for a VPN client to be installed. They are in the VPN section
and will appear below any IPsec and SSL VPNs that have been enabled for the user.

This form of remote access is most useful for providing IT staff with access to internal systems
without exposing them directly to the Internet. For example, providing access to TELNET, SSH, and
RDP, so that IT staff can securely administer key pieces of infrastructure remotely.

Other examples for using this include providing a user with special access to a specific machine
with RDP, often for accounting or finance, or access to timesheets, client tracking, web-based
ticketing systems and so forth.



Configuration

1. Define the internal resources as bookmarks

2. Assign bookmarks to users and groups

Configuration for Clientless SSL VPN is done in two parts:


• First you create bookmarks, which define the internal resources to be accessed
• Then you create policies to assign the bookmarks to users and groups



Bookmarks

Protocols
• RDP
• TELNET
• SSH
• FTP/FTPS
• SMB
• VNC

When you create the bookmarks, start by selecting the protocol in the ‘Type’ field; this will change
the remaining fields that need to be completed. Bookmarks can be created for: RDP, TELNET, SSH,
FTP, SMB, and VNC.

You can choose to enable automatic login for the bookmark, where you can provide a username
and password that will be used to connect to the resource. This will not be the username and
password for the person using the bookmark in the user portal.

It is important to note that each bookmark represents a session to a resource, so if you wanted to
give five people access to a resource, you would create a bookmark for each. You can enable
session sharing, which means that two users can use the bookmark at the same time, but there
will still only be a single session.



Bookmark Groups

You can also create bookmark groups, which can then be used to assign multiple bookmarks in a
policy.



Clientless Access

Select individual users and user groups

Once the bookmarks have been created, and optionally added to bookmark groups, they need to
be assigned to a specific user or group using a policy. This simple policy has just three settings:
• A name for the policy
• The users and groups the policy applies to



Clientless Access

Select individual bookmarks and bookmark groups

• And the bookmarks that can be used



Simulation: Configure Clientless SSL VPN Access


In this simulation you will configure bookmarks and policies for clientless SSL VPN access. You
will then login to the user portal to test your configuration.

[Additional Information]

https://training.sophos.com/fw/simulation/ClientlessVpn/1/start.html



Chapter Review

Here are the main things you learned in this chapter.

Clientless SSL VPN provides access to internal resources through bookmarks in the VPN section of
the user portal.

Bookmarks can be created for: RDP, TELNET, SSH, FTP, SMB, and VNC. Each bookmark is a single
session for that resource.

Policies assign bookmarks to users and groups.



Introduction to Wireless Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW5505: Introduction to Wireless Protection on Sophos Firewall

April 2022
Version: 19.0v1


Introduction to Wireless Protection on Sophos Firewall - 1


Introduction to Wireless Protection on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Wireless network communication
✓ Sophos Firewall deployment options

DURATION

9 minutes

In this chapter you will learn the three modes of operation that can be used for the wireless
networks, the range of access points supported, and which appliances have built-in wireless.



Wireless Overview

Diagram: network connections. A company laptop is connected to the company wireless network
and a guest laptop to the guest network; access points are attached to the Sophos Firewall, and a
further access point is attached through a RED. Internal computers and servers are connected to
the network, and the Sophos Firewall is connected to the Internet.

With Sophos Firewall you can deploy and manage wireless access points, giving you the same
control and security features for wireless devices as for those that are physically connected to
the network.

Sophos access points can broadcast multiple wireless networks to keep traffic separated, for
example for corporate and guest networks.

You are not limited to managing wireless networks in the local office; you can also deploy access
points in remote offices that are connected to the Sophos Firewall with a RED.



Client Traffic Modes: Bridge to AP LAN

Diagram: wireless clients, access point, switch, local network, Sophos Firewall, Internet. Client
traffic flows from the access point through the switch onto the local network; only management
traffic flows between the access point and the Sophos Firewall.

Sophos Firewall supports three different modes of operation for wireless networks; let’s take a
look at these client traffic modes, starting with Bridge to AP LAN.

The Bridge to AP LAN configuration is used when traffic needs to be routed to the network that the
access point is directly connected to. With Bridge to AP LAN, the access point never sends client
traffic to the Sophos Firewall; instead, it simply bridges that traffic onto the LAN that it is
connected to. The Sophos Firewall is only used to manage the AP and to collect logging
information from it.



Client Traffic Modes: Bridge to VLAN

Diagram: wireless clients, access point connected to a trunk port on a managed switch, Sophos
Firewall, Internet. The access point sends tagged traffic for VLAN X (local network) and VLAN Z
(guest); management traffic uses VLAN Y.

Next is Bridge to VLAN.

In a Bridge to VLAN configuration, wireless traffic is tagged by the access point allowing upstream
switches, or the Sophos Firewall, to identify that the traffic is associated to a specific VLAN. This
allows the wireless network to extend that VLAN wirelessly.

The access point must be connected to a trunk or hybrid port on the switch so that it is able to
read the VLAN tags and route the traffic correctly.

Again, the Sophos Firewall still communicates with the access point for management and to collect
logging, but it may not necessarily be involved in routing the traffic.

Please note that to broadcast a bridge to VLAN wireless network, the access point must be
configured to use a VLAN for management traffic. The bridge to VLAN options only become
available once you have set a VLAN for management.



Client Traffic Modes: Separate Zone

Diagram: wireless clients, access point, switch, Sophos Firewall, Internet. Client traffic is carried
in a VXLAN tunnel to the Sophos Firewall; traffic towards the local network (VLAN X) is blocked by
firewall rule, and management traffic flows between the access point and the firewall.

Lastly, we have the Separate Zone configuration.

Separate zone allows an administrator to segment the wireless traffic without using a VLAN, which
is often very useful in smaller environments that may not use managed switches or have a complex
network environment but still want to secure wireless traffic, for example, for guest access. With a
separate zone configuration, all traffic is fed into a VXLAN tunnel by a wireless interface on the
Sophos Firewall. From there, the Sophos Firewall will treat it like any other traffic coming in
through an interface. By default, the interface is called wlan<NUMBER>. This traffic must then be
routed to any allowed networks, either internally or externally and rules need to be created to
allow this traffic.

When configuring a separate zone, you may also need to:


• Create a DHCP server for the wireless network on that interface
• Enable DNS for the zone
• Create firewall and NAT rules that include Web protection, IPS policies, and any other security
modules to protect the users

Access Point Models

APX series access points: APX 120, APX 320, APX 530, APX 740

Legacy AP series access points: AP 15, AP 55, AP 100, AP 100X
Legacy AP series access points are end of sale and are not supported on XGS series appliances.

Sophos Firewall supports Sophos’ APX series access points, which include support for 802.11ac Wave
2, as well as the legacy AP series access points.

Please note that the AP series access points are now end of sale and are not supported on XGS
series appliances.

Access Point Model Naming

Example: APX 3 2 0
  APX: next-gen access point series
  3: range or model
  2: MIMO capabilities (2 = 2x2, 3 = 3x3, 4 = 4x4)
  0: product generation

To help you understand the range of APX access points let’s take a look at their naming scheme.

The APX part of the model name is made up of AP for access point followed by the X. This denotes
that this model is next-gen. Any legacy models are referred to as the AP series.

The first number in the naming sequence refers to the range or model series, in this example we
use 3.

The second number denotes the MIMO capabilities of the model, in this example this is 2 for 2x2.

The last number is the product generation number, in this example this is 0.

This gives you the full name of the model, in this example; APX 320.

Access Point Models – APX Series

APX 120
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 300 Mbps + 867 Mbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x 12V DC-in; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3af
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band
  MIMO capabilities: 2x2

APX 320
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 300 Mbps + 867 Mbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet w/PoE port
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3af
  Number of radios: 1 x 2.4 GHz/5 GHz dual-band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 2x2

APX 530
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 450 Mbps + 1.3 Gbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet port; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3at
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 3x3

APX 740
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 450 Mbps + 1.7 Gbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet port; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3at
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 4x4

The APX series of Access Point models support WLAN Standard 802.11ac Wave 2.0, and all four
models are optimized for both wall and ceiling mount and are for indoor use.

Please note that the outdoor APX 320X is not supported on Sophos Firewall and requires Sophos
Central.

This table provides a more technical comparison of these models.

Deployment Guide

Basic Connectivity (APX 120): approximate number of clients 1-15; small companies; mix of mobile devices
Mixed Browsing (APX 320): approximate number of clients 7-25 (2.4 GHz), up to 30 (5 GHz); schools & small offices; unmanaged endpoints & mobile devices
High Speed Connectivity (APX 530): approximate number of clients 7-25; medium size offices; BYOD & COD mobile devices
Video Conferencing / High Speed Connectivity (APX 740): approximate number of clients 7-35+; large offices & medium enterprise; managed endpoints

Now that you know the available access point models, you need to determine which model is best
to use based on your environment. We will focus on the APX range for access points.

Firstly, let’s split the types of activities wireless is used for into the following categories:

• Basic connectivity
• Mixed browsing
• High speed connectivity
• Video conferencing

Now, we can assign an approximate number of clients to those categories.

• For basic connectivity between 1 – 15 clients per access point is the recommended use
• For mixed browsing between 7-25 clients per access point and up to 30 clients in dual 5 GHz
• For high-speed connectivity between 7-25 clients per access point
• For video conferencing between 7-35+ clients per access point

So, let’s apply this to example deployments.

• For small companies that require basic coverage using a mixture of mobile devices – basic
connectivity will be recommended
• For environments such as schools and small offices using entry level endpoints and unmanaged
mobile devices – mixed browsing will be recommended
• For medium size offices using a mixture of BYOD and corporate owned mobile devices such as
iPads – High speed connectivity will be recommended
• For large offices and medium enterprise companies using managed endpoints made up of
laptops and mobile devices – video conferencing/high speed will be recommended


Built-In Wireless

XGS 87w: Retail/SOHO; desktop; MIMO 2x2:2
XGS 107w: Small office; desktop; MIMO 2x2:2
XGS 116w: Small office; desktop; MIMO 2x2:2
XGS 126w: Small branch office; desktop; MIMO 3x3:3
XGS 136w: Growing branch office; desktop; MIMO 3x3:3

All models: multiple SSIDs, 8 per radio; supported WLAN standards 802.11a/b/g/n/ac, 2.4 GHz/5 GHz
Number of radios: 1 (XGS 87w, 107w, 116w); 2nd Wi-Fi module available (XGS 126w, 136w)

In addition to the APX and AP access points, the desktop models of Sophos Firewall are available
with a built-in wireless access point that supports either 2.4 GHz or 5 GHz with a single radio.

The built-in wireless differs from the external access points by not connecting through a network
interface and instead appearing as a local device.

The coverage of the built-in wireless can be extended by connecting external Sophos access points
to the network.



Chapter Review


Here are the main things you learned in this chapter.

Sophos Firewall can manage wireless network traffic using three client traffic modes: bridge to AP
LAN, bridge to VLAN, and separate zone.

Sophos Firewall supports the APX series and legacy AP series access points.

The desktop models of XGS have a wireless variant that includes a single radio. Larger desktop
models include an option to add a second wireless radio module.

Deploying Wireless Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW5510: Deploying Wireless Protection on Sophos Firewall

April 2022
Version: 19.0v1


Deploying Wireless Protection on Sophos Firewall - 1


Deploying Wireless Protection on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Modes of operation that can be used for Sophos Firewall wireless networks
✓ Supported access points
✓ Sophos Firewall appliances that have built-in wireless

DURATION: 8 minutes

In this chapter you will learn how to deploy access points and configure wireless networks.

Wireless Networks

• Configuration deployed to access points to allow clients to connect
• Define security and authentication requirements
• Define network parameters

Wireless networks are the configuration that access points use to allow clients to connect. They
define the security and authentication requirements for devices that want to access the network
as well as network parameters such as IP range and gateway.

Creating Wireless Networks

Wireless networks are configured in PROTECT > Wireless > Wireless networks.

Security modes: No encryption; WEP Open; WPA Personal/Enterprise; WPA2 Personal/Enterprise (recommended)
Client traffic: Separate Zone; Bridge to AP LAN; Bridge to VLAN
Separate zone has additional configuration for the wireless interface

Here you can see the main configuration for a wireless network. The main elements are:
• The SSID, which is the visible network name that devices will connect to
• The security mode, we recommend using WPA2 either with a passphrase or using a RADIUS
server to authenticate users by selecting Enterprise
• How to route client traffic, either to the same network as the access point, a specific VLAN or
directly back to the Sophos Firewall using a separate zone

Separate zone configuration is used to create a wireless interface on the Sophos Firewall. The
traffic for the wireless network is then routed back to that interface on the Sophos Firewall using a
VXLAN.

Advanced Settings (additional information in the notes)

There are also several advanced settings that allow you to control options such as which bands the
network is broadcast on, when the network is available and whether clients can see each other on
the network.

[Additional Information]
Fast BSS (Base Service Set) Transition allows the key negotiation and the request for wireless
resources to happen concurrently, in order to enable fast and secure handoffs between base
stations and deliver seamless connectivity for wireless devices as they move around. This is
supported on WPA2 Personal and Enterprise networks only. The clients must also support 802.11r.

To enable Fast Transition, use the option in the advanced settings of the wireless network
configuration.

Access points will announce support for both WPA-PSK/Enterprise and FT-PSK/Enterprise, so they
can perform normal roaming for clients which are not capable of Fast Transition.

Access Point Discovery (additional information in the notes)

[Diagram: the access point obtains an IP address and gateway by DHCP, then connects to the ‘magic IP’ 1.2.3.4; because the discovery packet is sent to the default gateway, the Sophos Firewall can intercept and respond to it. DHCP can be used to override the magic IP if the Sophos Firewall is not the default gateway]

Before we jump into deploying access points it is useful to understand how the discovery process
works.

When an access point is connected to the network it will need a DHCP server to provide it with an
IP address, DNS server and gateway.

The access point will send a discovery packet to 1.2.3.4, which we refer to as the magic IP. This is a
valid Internet address and so will be routed to the default gateway.

If the Sophos Firewall is the default gateway, or on the route to the Internet, it can intercept and
respond to the discovery packet beginning the registration process.

If the Sophos Firewall is not the default gateway or on the route to the Internet, you need to
configure a special DHCP option with the IP address of the Sophos Firewall so the access point can
find it. There is additional information in the notes regarding this.

[Additional Information]
If the Sophos Firewall is not in the path to the Internet, for example, it is not the default gateway
for the network, then a special DHCP option to select the target Sophos Firewall is required:
{ OPTION_IP , 0xEA }, /* wireless-security-magic-ip */
By default, the Sophos Firewall will configure and pass this option if it is configured as a DHCP
server for the network.

When a Sophos AP is connected to the network, the AP uses DHCP request broadcasts. The AP
acting as a DHCP client uses a Parameter Request List in its DHCP Discover message which requests
certain parameters from the DHCP server. If the DHCP server provides the special parameter, code
234, wireless-security-magic-ip, it will be used as the IP address to connect to when
starting the control connection.

For more information see KB-000034799.

https://support.sophos.com/support/s/article/KB-000034799
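The discovery override described in the note above, as an added Python example that is not Sophos code: it parses the option area of a constructed DHCP Discover and Offer, checks that the AP listed option 234 in its Parameter Request List, and returns the address the AP will open its control connection to, falling back to 1.2.3.4 when the server did not supply option 234. The addresses 10.0.0.1 and 10.0.0.5 and the transaction ID are constructed values.

```python
"""Extract the Sophos access point controller address from DHCP, as the page
describes: the AP asks for option 234 (wireless-security-magic-ip) in its
Parameter Request List; if the server supplies it, that address replaces
the default magic IP 1.2.3.4. Added example, not Sophos code; the packets
below are constructed by hand."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_MESSAGE_TYPE, OPT_PARAM_REQUEST_LIST = 3, 53, 55
OPT_MAGIC_IP = 0xEA          # 234, wireless-security-magic-ip (from the page)
DHCPDISCOVER, DHCPOFFER = 1, 2
DEFAULT_MAGIC_IP = "1.2.3.4"


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {code: value} from a BOOTP/DHCP payload. The fixed BOOTP header
    is 236 bytes and the option area starts after the 4-byte magic cookie.
    Split options (RFC 3396) are concatenated; truncation is an error."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise ValueError("option area not terminated by END")


def ap_requested_magic_ip(discover_options: dict) -> bool:
    """True if the AP listed option 234 in its Parameter Request List."""
    return OPT_MAGIC_IP in discover_options.get(OPT_PARAM_REQUEST_LIST, b"")


def controller_address(offer_options: dict) -> str:
    """Address the AP will open its control connection to: option 234 if the
    DHCP server supplied it, otherwise 1.2.3.4, which is routed to the
    default gateway and intercepted only if the firewall is on that path."""
    raw = offer_options.get(OPT_MAGIC_IP)
    if raw is None:
        return DEFAULT_MAGIC_IP
    if len(raw) != 4:
        raise ValueError("option 234 must carry exactly one IPv4 address")
    return str(ipaddress.IPv4Address(raw))


def build_dhcp(op: int, xid: int, options: list) -> bytes:
    """Minimal constructed DHCP message: BOOTP header, cookie, options, END."""
    # op, htype (Ethernet), hlen, hops, xid, secs, flags
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)
    header += b"\x00" * 16                                  # ciaddr..giaddr
    header += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    body = b"".join(bytes([c, len(v)]) + v for c, v in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


# Constructed sample exchange: the AP (BOOTREQUEST) asks for options 1, 3, 6
# and 234; a DHCP server that is not the default gateway (BOOTREPLY) points
# the AP at the firewall 10.0.0.5 via option 234, with 10.0.0.1 as router.
AP_DISCOVER = build_dhcp(1, 0x3903F326, [
    (OPT_MESSAGE_TYPE, bytes([DHCPDISCOVER])),
    (OPT_PARAM_REQUEST_LIST, bytes([1, 3, 6, OPT_MAGIC_IP])),
])
OFFER_WITH_OVERRIDE = build_dhcp(2, 0x3903F326, [
    (OPT_MESSAGE_TYPE, bytes([DHCPOFFER])),
    (OPT_ROUTER, ipaddress.IPv4Address("10.0.0.1").packed),
    (OPT_MAGIC_IP, ipaddress.IPv4Address("10.0.0.5").packed),
])
OFFER_WITHOUT_OVERRIDE = build_dhcp(2, 0x3903F326, [
    (OPT_MESSAGE_TYPE, bytes([DHCPOFFER])),
    (OPT_ROUTER, ipaddress.IPv4Address("10.0.0.1").packed),
])

if __name__ == "__main__":
    print(ap_requested_magic_ip(parse_dhcp_options(AP_DISCOVER)))          # True
    print(controller_address(parse_dhcp_options(OFFER_WITH_OVERRIDE)))     # 10.0.0.5
    print(controller_address(parse_dhcp_options(OFFER_WITHOUT_OVERRIDE)))  # 1.2.3.4
```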


Deployment

1. Connect the access point to the network
2. Navigate to PROTECT > Wireless > Access points
3. Accept the pending access point
4. Assign wireless networks to broadcast

Once you have connected an access point to the network and the discovery process has taken
place you need to navigate to PROTECT > Wireless > Access points in the WebAdmin.

In the pending access points section, you will see any access points that have been discovered. You
need to accept the access point before it will be managed by the Sophos Firewall.

Please note that the access point may go offline after being accepted. This is normal as it may
perform a firmware upgrade directly after being accepted, in order to match the firmware of the
firewall. This normally takes between 5 – 10 minutes.

Access Points

[Slide: an external access point and the built-in wireless]

When working with built-in wireless on a Sophos Firewall, there is no need to accept the built-in
access point.

It is a local device that is always active when the wireless protection feature is active on the device.
It is named LocalWifi0, and the name cannot be modified.

Broadcasting Wireless Networks

Assign wireless networks to access points, or use access point groups to assign wireless networks

When you accept an access point you can select which wireless networks it will broadcast.
Alternatively, you can assign the access point to a group and use the group to manage which
wireless network the member access points will broadcast.

Sophos access points can broadcast up to 8 wireless networks per radio. Almost all access point
models have 2 radios and so can broadcast up to 16 networks. However, in most scenarios you will
want to broadcast the wireless networks on both 2.4 GHz and 5 GHz, so you can effectively use up to
8 networks per access point.



DNS and DHCP

Remember, for the Sophos Firewall to respond to DNS requests from devices connected to the
wireless network it must be enabled for the zone that network is in. This is done in SYSTEM >
Administration > Device access.

When creating a wireless network where there is no DHCP server (usually the case for guest
networks or where you have used a separate zone configuration), you will most likely want to
create a DHCP server on the Sophos Firewall.

Simulation: Deploying an Access Point

https://training.sophos.com/fw/simulation/DeployAp/1/start.html

In this simulation you will deploy an access point on Sophos Firewall.


Chapter Review


Here are the three main things you learned in this chapter.

Access points send discover packets to 1.2.3.4, which, as an Internet-routable address, is sent to the
default gateway, assumed to be the Sophos Firewall. This can be overridden by DHCP if Sophos
Firewall is not the default gateway.

Access points will appear as pending in the web admin until they are accepted by an administrator.

Wireless networks define security and authentication requirements as well as network parameters.
Wireless networks need to be assigned to access points to start broadcasting.

Wireless Authentication on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW5525: Wireless Authentication on Sophos Firewall

April 2022
Version: 19.0v1


Wireless Authentication on Sophos Firewall - 1


Wireless Authentication on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Deploying wireless networks on Sophos Firewall
✓ Configuring authentication on Sophos Firewall

DURATION: 10 minutes

In this chapter you will learn how to configure RADIUS authentication for wireless networks using a
Windows Domain Controller.

Security Issue: WiFi Authentication

[Diagram: an attacker within wireless range of the access point]

Wireless networks can present a security issue because an attacker does not require the physical
access needed for wired networks; instead, they just need to be within wireless range of the access
point. Although the signal range of access points is not huge, typically around 50 meters or less, in
many cases this is far enough to reach a vehicle parked in the street.

Most WiFi networks require the entry of a password, but this can be discovered by an attacker.
Providing a more secure form of authentication through WPA/WPA2 Enterprise, which requires
users to authenticate with their username and password, can greatly improve security.

Configure WPA/WPA2 Enterprise

• Configure a RADIUS authentication service; this can be on a Windows server or another RADIUS server
• Remote Authentication Dial-In User Service (RADIUS) provides centralized Authentication, Authorization, and Accounting
• RADIUS is a client/server protocol that runs in the application layer
• Sophos Firewall uses port 1812 to communicate with the RADIUS server
• RADIUS can act as the server component for 802.1X wireless authentication

In order to configure a wireless network to use WPA/WPA2 Enterprise, you will first need to
configure a RADIUS server to handle the authentication; this could be your Windows server or any
other RADIUS server.

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides
centralized Authentication, Authorization, and Accounting for users connecting to a network
service.

RADIUS is a client/server protocol that runs in the application layer and can use either TCP or UDP
as transport and uses port 1812 by default. RADIUS can act as the server component for 802.1X
wireless authentication.

RADIUS Server Configuration (additional information in the notes)

To configure a Windows Server 2016 as a RADIUS server, you need to first install the ‘Network
Policy Server’ role.

The server should be configured to support 802.1X over secure wireless connections.

[Additional Information]
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/127783/sophos-firewall-configure-radius-for-enterprise-wireless-authentication-with-windows-server-2012


Configure the Sophos Firewall as a RADIUS Client

The Sophos Firewall must be added as a RADIUS Client.

Set the Sophos Firewall's IP address and the shared secret, which will be used when configuring
the Sophos Firewall later.



Configure Connection Request and Network Policies

The RADIUS server must be configured with a Connection Request Policy and a Network Policy that
allows the connection of the Sophos Firewall using its IP address.



Configure a Policy for Wireless User Authentication

The final stage is to create a Network Policy to define the methods required for wireless user
authentication. This defines two conditions: that the NAS Port Type is IEEE 802.11 and that the
Windows Group is Domain Users. On the Conditions tab, add Microsoft Protected EAP (PEAP). This
PEAP authentication method will be used to authenticate Wireless users.

Add the RADIUS Server as an Authentication Server

Add the RADIUS server on Sophos Firewall in CONFIGURE > Authentication > Servers

Once the RADIUS server has been configured it needs to be created in the Sophos Firewall. To add
a RADIUS server in the Sophos Firewall, go to CONFIGURE > Authentication > Servers.

Select the server type as ‘RADIUS Server’.

Enter a descriptive name in the ‘Server Name’ field that can be used to identify the server.

Enter the IP Address of the RADIUS server that will be used for authentication.

Use the default port of 1812 or enter a different port to use for communicating with the RADIUS
server.

Enter the shared secret password set on the RADIUS server for authentication of a RADIUS client.

Enter the alias for the configured group name which is displayed to the user.

Select the RADIUS Server for Enterprise Authentication

Select the RADIUS server in Advanced Settings under PROTECT > Wireless > Wireless settings.
RADIUS servers are used for all wireless networks with enterprise authentication.

Once the RADIUS server has been added as an object in the Sophos Firewall, it can then be added
to the Wireless Global Settings in the Advanced Settings.

A second RADIUS server can also be configured either as a backup or to use a different directory
service. The firewall will attempt to authenticate the user with the primary RADIUS server and if it
fails, will attempt to use the secondary server.

The selected RADIUS servers are used for all wireless networks that are configured with enterprise
authentication.

Access points do not communicate directly with the RADIUS server for authentication, but only to
the Sophos Firewall. Port 414 is used for the RADIUS communication between the Sophos Firewall
OS and the access points.
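The RADIUS exchange this chapter describes (a client/server protocol with a shared secret, the NAS Port Type IEEE 802.11 condition) and the primary/secondary failover just described, as an added Python example that is not Sophos code: it builds an RFC 2865 Access-Request, hides the password under the shared secret, verifies the Response Authenticator of the reply, and moves to the secondary server when the primary gives no usable answer. The in-memory server, user names and secret are constructed stand-ins, and the failover rule (a timeout or an unverifiable reply fails over, an Access-Reject does not) is an assumption, not documented Sophos behaviour.

```python
"""RFC 2865 RADIUS Access-Request/Accept exchange between a NAS (the firewall)
and a RADIUS server, with primary/secondary failover. Added example, not
Sophos code; the server and shared secret are constructed stand-ins."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_PORT_TYPE = 1, 2, 4, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19  # the NPS "NAS Port Type is IEEE 802.11" condition

def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value TLVs."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def decode_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs

def password_chain(data, secret, request_auth, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), block 0 using the Request Authenticator.
    The same loop unhides when hiding=False."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, mask))
        out, prev = out + xored, (xored if hiding else block)
    return out

def build_access_request(identifier, secret, username, password, nas_ip,
                         request_auth=None):
    request_auth = request_auth or os.urandom(16)  # must be unpredictable
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, password_chain(padded, secret, request_auth, True)),
        (ATTR_NAS_IP, ipaddress.IPv4Address(nas_ip).packed),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs

def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): only a holder of
    the shared secret can produce a reply the NAS will accept."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, identifier, attrs, request_auth, secret):
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def verify_response(response, request, secret):
    """Drop replies whose Identifier or Response Authenticator is wrong."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, response[20:],
                                      request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def make_server(secret, users):
    """Constructed in-memory stand-in for an NPS/RADIUS server (no network)."""
    def serve(request):
        _, identifier, length = struct.unpack("!BBH", request[:4])
        request_auth, attrs = request[4:20], decode_attrs(request[20:length])
        hidden = attrs.get(ATTR_USER_PASSWORD, b"")
        password = password_chain(hidden, secret, request_auth, False).rstrip(b"\x00")
        ok = users.get(attrs.get(ATTR_USER_NAME)) == password
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT,
                              identifier, b"", request_auth, secret)
    return serve

def authenticate(servers, secret, username, password, nas_ip):
    """Primary first, then secondary, as the page describes. Each server is a
    callable returning reply bytes or None (timeout). Assumption: a timeout or
    an unverifiable reply triggers failover; a genuine Access-Reject does not."""
    for identifier, send in enumerate(servers):
        request = build_access_request(identifier, secret, username, password, nas_ip)
        reply = send(request)
        if reply is None or not verify_response(reply, request, secret):
            continue
        return "accept" if reply[0] == ACCESS_ACCEPT else "reject"
    return "unreachable"
```

A reply signed with a different secret fails verify_response exactly as a reply from a host that never held the secret would, which is why the secret entered on the firewall must match the one set for the RADIUS client on the server.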



Select Enterprise Authentication in the Wireless Network

To use the RADIUS server, you need to select WPA or WPA2 Enterprise as the security mode for the
wireless network. When the user connects to the wireless network they will need to authenticate
with their username and password, and Sophos Firewall will validate this using the RADIUS server.



Chapter Review


Here are the main things you learned in this chapter.

A RADIUS server will need to be added as an authentication server. It uses port 1812 by default.

Primary and secondary RADIUS servers can be selected in the wireless settings, these will be used
for all wireless networks with enterprise authentication. Sophos Firewall uses port 414 for the
RADIUS communication with the access points.

In the wireless network configuration, you need to select WPA or WPA2 Enterprise as the security
mode. This will prompt users connecting to authenticate with their username and password.

Creating Hotspots on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5530: Creating Hotspots on Sophos Firewall

April 2022
Version: 19.0v1


Creating Hotspots on Sophos Firewall - 1


Creating Hotspots on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Deploying wireless networks on Sophos Firewall

DURATION: 8 minutes

In this chapter you will learn the three types of hotspot that you can create on Sophos Firewall.

Types of Hotspot

• Terms of acceptance
• Password of the day
• Voucher

Hotspots can be used to provide a number of functions depending on how they are configured. There
are three hotspot types:
• Terms of use acceptance, where users have to agree to a set of terms before getting access
through the hotspot
• Password of the day, a password needs to be provided by users and it is generated daily
• Voucher, each user has their own voucher for access that can be used to limit access time or
data allowance

Hotspots are accessed after the device is connected to the network and do not replace the security
mode selected for wireless networks. They are deployed to interfaces on the Sophos Firewall,
whether that is a physical port or a wireless interface from a separate zone. This means that
hotspots are not limited to being used with wireless networks or Sophos access points.

Until they are authenticated, users can only access the hotspot itself to authenticate and the
resources defined in the walled garden hotspot settings. Once authenticated, network access is
controlled by firewall rules.

Creating Hotspots

• Interfaces: any interface not in the WAN zone
• Policies to apply to traffic from the hotspot

To configure a hotspot, start by selecting which interfaces it will apply to; this can be any interface
that is not in the WAN zone.

You can select policies to apply to the traffic coming from the hotspot. You will see where these
are used later.

Creating Hotspots

• Force HTTPS for authenticating with the hotspot
• Hotspot type: terms of acceptance, password of the day, or voucher

When users access the hotspot using HTTP you can choose to redirect to HTTPS.

You need to select the hotspot type, each of which will have some associated configuration.

For voucher and password hotspots you need to select administrative users. These are users that
can manage the vouchers and password for the hotspot in the user portal. Note that these users
do not have to be administrators on the firewall.

Creating Hotspots

• Terms can be enabled for password of the day and voucher hotspots
• Customize the look of the hotspot

If you are using a password of the day or voucher hotspot you can still enable terms of use that
have to be accepted.

You can optionally redirect users to a specific URL after they have authenticated with the hotspot,
and you can customize the look of the hotspot.



Firewall and NAT

When you save the hotspot, a firewall rule and linked NAT rule will be created. In the firewall rule,
the policies that you selected when creating the hotspot will be applied.



Voucher Definitions

For voucher-based hotspots you can define different vouchers. All vouchers must have a validity
period but can also include time and data quotas.



Creating Vouchers

Vouchers are created for hotspots in the user portal by the administrative users selected in the
hotspot configuration.

To generate vouchers, select the hotspot, the voucher definition, and the number of vouchers to
create. You can optionally choose to print the vouchers with a QR code, and this will generate a
PDF you can print.



Creating Vouchers

Once vouchers have been created you can view and manage them at the bottom of the page.



Managing Passwords

Similarly, when using a password of the day, this can be managed through the user portal by the
selected administrative users. Here you can view the current password for a hotspot and generate
a new password.

Hotspot Settings

• Automatically delete expired vouchers
• Select the certificate for the hotspot

There are some hotspot specific settings where you can:


• Delete expired vouchers from the database after a given time period
• Select a certificate for the hotspot to use for authentication



Hotspot Settings

[Slide callouts: "Limit access to internal resources through the hotspot"; "Download templates for customizing the hotspot and vouchers"]

Further down on the hotspot settings page you can configure a walled garden. This is the set of
resources that devices can access without authentication to the hotspot.
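To make the walled garden concrete, here is an added Python example (not Sophos Firewall's own code) of the decision a hotspot has to make for an unauthenticated client: the request is let through only if its destination is in the walled garden, otherwise the client is sent to the sign-in page. The allowlist entries, the sign-in URL and the function names are constructed for the example. It also shows the matching mistake worth avoiding in such an allowlist: a hostname must match exactly or as a subdomain, never as a bare string suffix.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed walled-garden allowlist for the example: hostnames (exact or
# subdomain match) and networks in CIDR notation. Not a Sophos default.
WALLED_GARDEN = {
    "hosts": ["hotel-portal.example", "www.sophos.com"],
    "networks": ["192.0.2.0/24"],   # RFC 5737 documentation range
}
SIGN_IN_URL = "https://hotspot.example/sign-in"   # constructed sign-in page address

def host_allowed(host: str, allowed_hosts) -> bool:
    """True if host equals an entry or is a subdomain of it."""
    host = host.lower().rstrip(".")
    for entry in allowed_hosts:
        entry = entry.lower().rstrip(".")
        # Plain host.endswith(entry) would let "notsophos.com" pass for an
        # entry "sophos.com"; requiring the dot boundary prevents that.
        if host == entry or host.endswith("." + entry):
            return True
    return False

def ip_allowed(ip: str, allowed_networks) -> bool:
    """True if ip (v4 or v6 literal) falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # not an IP literal at all
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)

def decide(url: str, authenticated: bool, garden=WALLED_GARDEN, sign_in=SIGN_IN_URL) -> str:
    """Return 'allow' or 'redirect:<sign-in page>' for one client request."""
    if authenticated:
        return "allow"
    target = urlsplit(url).hostname or ""
    # An IP literal in the URL is checked against the CIDR list, a name
    # against the host list; anything else goes to the sign-in page.
    if ip_allowed(target, garden["networks"]) or host_allowed(target, garden["hosts"]):
        return "allow"
    return "redirect:" + sign_in

if __name__ == "__main__":
    for u in ["https://www.sophos.com/", "https://www.sophos.com.attacker.example/",
              "http://192.0.2.10/", "http://198.51.100.5/"]:
        print(u, "->", decide(u, authenticated=False))
```

The two lookups are deliberately separate: a DNS name is never compared against the CIDR list and an address literal is never compared against the host list, so an entry of one kind cannot accidentally widen the other.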

At the bottom of the page, you can download sign-in page templates and voucher templates and
change them to suit your branding and security requirements. For the voucher template we
support PDF version 1.5 and later.



Chapter Review

Here are the main things you learned in this chapter.

There are three types of hotspot: terms of acceptance, voucher, and password of the day. Terms
can optionally be enabled for voucher and password hotspots.

Voucher-based hotspots require voucher definitions that specify the validity period and can
optionally also have time and data quotas.

Vouchers and passwords can be managed in the user portal by the administrative users selected in
the hotspot configuration.



Configuring Wireless Mesh Networks on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW5535: Configuring Wireless Mesh Networks on Sophos Firewall

April 2022
Version: 19.0v1


Configuring Wireless Mesh Networks on Sophos Firewall - 1


Configuring Wireless Mesh Networks on Sophos Firewall

In this chapter you will learn how to create a mesh network on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring wireless access points on Sophos Firewall

DURATION
7 minutes



Wireless Mesh Networks
[Diagram, Wireless Bridge: Sophos Firewall, Ethernet 1, Root Access Point, wireless mesh, Mesh Access Point, Ethernet 2]

[Diagram, Wireless Repeater: Sophos Firewall, Ethernet 1, Root Access Point, wireless mesh, Mesh Access Point, Wireless Network, Wireless Clients]

Wireless Mesh Networking allows physical or wireless networks to be extended using a wireless
mesh. A mesh network can be created by dedicating one of the channels to the mesh and thus
forming a virtual Ethernet cable between the access points.

Once the mesh has been created, the mesh access point can then either be connected physically to
a network, thus creating a wireless bridge, or it can be configured to broadcast one or more
wireless networks, thus making it a wireless repeater. A mesh access point can also run in a mixed
mode where it is a wireless bridge and a wireless repeater.

Wireless mesh networks are extremely useful in areas where a cable cannot be run, for example, in
historic buildings where city code does not allow the drilling of holes in the floors or walls to run
cables. Another example would be to connect two offices in separate buildings that are in
proximity but where cables cannot be run between the buildings.

When an access point starts, it attempts to connect to the firewall through a wired LAN
connection. If it can do so, it assumes the role of the root access point. If it cannot, it assumes the
role of a mesh access point and joins the network as a client.



Wireless Bridge

[Diagram, Wireless Bridge: Sophos Firewall, Ethernet 1, Root Access Point, wireless mesh, Mesh Access Point, Ethernet 2]

In a bridge configuration, you use a mesh network as a wireless connection between two Ethernet
networks. To establish a wireless bridge, you connect the second Ethernet segment to the Ethernet
interface of the mesh access point.



Wireless Repeater

[Diagram, Wireless Repeater: Sophos Firewall, Ethernet 1, Root Access Point, wireless mesh, Mesh Access Point, Wireless Network, Wireless Clients]

As a wireless repeater, there is still a wireless connection between the root and mesh access
points; however, the mesh access point also broadcasts any wireless networks assigned to it.



Support for Mesh Networks Features

Mesh Feature                              Access Point Models
2.4 GHz Mesh                              APX120, APX320, APX530, APX740, AP15, AP50, AP55, AP100, AP100x
5 GHz Mesh                                AP50, APX120, APX320, APX530, APX740
Works if Ethernet link is disconnected?   Yes
Multi-hop?                                Yes
Multiple MESH networks on same AP?        Yes

All APX models support mesh networks at both 2.4 and 5 GHz. The table also shows the mesh
features supported by the legacy AP models.



Configure a Wireless Bridge
[Additional information in the notes]

To set up the wireless bridge over the mesh network, navigate to Protect > Wireless > Mesh
Networks, and then add a mesh network.

The Frequency Band field allows you to select what band will be used to transmit the mesh
network. Generally, it is a good idea to use a different frequency band for the mesh network than
for the broadcasted wireless networks.

[Additional Information]

For more information about wireless bridge configuration see Knowledgebase article
KB-000035551.
https://support.sophos.com/support/s/article/KB-000035551



Add Access Points to the Mesh Network

In the access points section, click the plus button to begin adding an access point to the mesh.



Add Access Points to the Mesh Network

For AP series access points, you need to select whether each one is a root or a mesh access point.

First add a root access point, which will be the AP that remains connected to the Sophos Firewall
when the configuration is complete.

Next, add a second access point which will be a mesh access point. A mesh access point, after
having received its initial configuration and then being unplugged from Sophos Firewall, will
connect to a root access point via the mesh network. An access point can be a mesh access point
for only one mesh network.

It is crucial for the initial configuration that you plug the mesh access point (like every other access
point) into one of the ports in the allowed zones. This is configured in PROTECT > Wireless >
Wireless settings.
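Before adding access points to a mesh network it is worth checking the plan against the rules this chapter has stated: the model must support mesh on the chosen band (the feature table earlier in this chapter), the mesh band should differ from the bands of the wireless networks the access points broadcast, every mesh network needs a root access point for the mesh access points to join, and an access point can be a mesh access point in only one mesh network. The following Python validator is an added example that encodes those rules; it is not a check that Sophos Firewall itself performs, and the access point names, roles and the `broadcast_bands` attribute are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Mesh support per access point model, taken from the feature table in this chapter.
MESH_SUPPORT: Dict[str, set] = {
    "2.4 GHz": {"APX120", "APX320", "APX530", "APX740",
                "AP15", "AP50", "AP55", "AP100", "AP100x"},
    "5 GHz":   {"AP50", "APX120", "APX320", "APX530", "APX740"},
}

@dataclass
class AccessPoint:
    name: str
    model: str
    role: str                                                  # "root" or "mesh"
    broadcast_bands: List[str] = field(default_factory=list)   # bands of wireless networks assigned to it

@dataclass
class MeshNetwork:
    name: str
    band: str                                                  # "2.4 GHz" or "5 GHz"
    access_points: List[AccessPoint] = field(default_factory=list)

def validate(meshes: List[MeshNetwork]) -> List[str]:
    """Return 'ERROR: ...' and 'WARN: ...' findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    mesh_membership: Dict[str, List[str]] = {}   # AP name -> mesh networks it is a mesh AP in
    for m in meshes:
        if m.band not in MESH_SUPPORT:
            findings.append(f"ERROR: {m.name}: unknown frequency band {m.band!r}")
            continue
        # A mesh AP connects to a root AP, so a mesh without a root cannot form.
        if not any(ap.role == "root" for ap in m.access_points):
            findings.append(f"ERROR: {m.name}: no root access point; mesh APs have nothing to join")
        for ap in m.access_points:
            if ap.role not in ("root", "mesh"):
                findings.append(f"ERROR: {m.name}: {ap.name} has unknown role {ap.role!r}")
            if ap.model not in MESH_SUPPORT[m.band]:
                findings.append(f"ERROR: {m.name}: {ap.name} ({ap.model}) does not support {m.band} mesh")
            if ap.role == "mesh":
                mesh_membership.setdefault(ap.name, []).append(m.name)
            # Sharing the mesh band with a broadcast network is allowed but discouraged.
            if m.band in ap.broadcast_bands:
                findings.append(f"WARN: {m.name}: {ap.name} broadcasts a wireless network "
                                f"on {m.band}, the same band as the mesh")
    for ap_name, nets in mesh_membership.items():
        if len(nets) > 1:
            findings.append(f"ERROR: {ap_name} is a mesh access point in more than one "
                            f"mesh network: {', '.join(nets)}")
    return findings

if __name__ == "__main__":
    # Constructed plan: an APX320 stays wired as root, an APX120 bridges the annex
    # over a 5 GHz mesh while broadcasting a 2.4 GHz client network.
    plan = [MeshNetwork("bridge-annex", "5 GHz", [
        AccessPoint("ap-lobby", "APX320", "root"),
        AccessPoint("ap-annex", "APX120", "mesh", broadcast_bands=["2.4 GHz"]),
    ])]
    print(validate(plan) or "plan is consistent")
```

Findings are split into errors (the mesh cannot work as planned) and warnings (it will work, but the chapter's advice on separating the mesh band from the client band is not being followed), so the same function can gate a change or just report on it.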



Wireless Repeater Configuration
[Additional information in the notes]

1. Configure the AP as a wireless bridge
2. Create a wireless network to repeat
3. Edit access point to access mesh network assignment

To configure the mesh as a wireless repeater, perform the same steps that would be used to
configure a wireless bridge. Once that is complete, simply add the wireless networks you would
like to broadcast to the mesh access points, instead of connecting the mesh access point to a
physical network.

It is possible to use the access point as both a wireless bridge and a wireless repeater. Simply
connect the mesh access point to a physical network and add a wireless network to the
configuration.

[Additional Information]

For more information on wireless repeater configuration, see Knowledgebase article
KB-000035551.
https://support.sophos.com/support/s/article/KB-000035551



Chapter Review

Here are the main things you learned in this chapter.

Mesh networks can be used to bridge an Ethernet connection wirelessly, to repeat a wireless
network, or both.

All APX series access points support mesh networking.

Root access points are connected to the Sophos Firewall via an Ethernet connection, while mesh
access points connect wirelessly once they have received their configuration.


