Sophos Firewall: Best Practices

Creation date: 9/18/2024 10:03 AM | Updated: 9/18/2024 10:03 AM | Tags: best practice firewall securing firewall sophos

KBA-000007644 | Jul 12, 2024

Overview

This article describes the best practices for Sophos Firewall configurations.

The following sections are covered:

    • Deployment
    • Administration
    • Firewall
    • Authentication
    • IPS
    • VPN
    • Antivirus
    • Antispam
    • QoS

Product and Environment

Sophos Firewall

Deployment

  1. Always connect the Sophos Firewall WAN interface with a router via a switch and not with a crossover cable to avoid auto-negotiation problems between the Sophos Firewall WAN interface and the router.
  2. By default, Sophos Firewall sends periodic ping requests to its default gateway to check connectivity to the internet. It is recommended to change this setting so that the Sophos Firewall pings the default gateway as well as multiple hosts on the internet that are always reachable, such as 8.8.8.8 and 1.1.1.1, and declares the WAN link down only if all of them are ping unreachable.

    For example, if Port2 is the Sophos Firewall WAN interface and 10.176.200.253 is the default gateway, Sophos Firewall declares WAN Port2 down only if the default gateway, 8.8.8.8 and 1.1.1.1 all become ping unreachable for 10 seconds.
  3. If the device has a browser-based proxy setting, make sure that the configured HTTP proxy port is the same in both the Sophos Firewall and the device browser. By default, Sophos Firewall is configured for port 3128.
  4. For security purposes, Gateway mode is preferred because it uses NAT Policies to secure private addresses of internal or DMZ networks.
  5. If Sophos Firewall is deployed in Bridge Mode:
    • Do not configure the Sophos Firewall IP address as a Gateway IP address. If this happens, users will not be able to access the internet.
    • Do not terminate both ports in the same L2 switch. The switch would become unstable if it sees frames from the same MAC address arriving on more than one switch port.
  6. It is recommended to use the High Availability feature of the Sophos Firewall for maximum network uptime.
    For more information, go to https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/HAHighAvailability.html.
  7. For wireless networks, ensure maximum security by using WPA or WPA2 protocols rather than WEP.
  8. Do not broadcast the SSID of your wireless networks, to prevent unauthorized users from entering the network.
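The failover condition from item 2 above, modelled as an added example (not Sophos code) so the difference between the default gateway-only check and the recommended multi-host check is visible: Port2 is declared down only when 10.176.200.253, 8.8.8.8 and 1.1.1.1 have all been ping unreachable for 10 seconds. The probe timings are constructed.

```python
"""Constructed model of the WAN link failover rule: the link is 'down'
only when EVERY monitored target has been unreachable for down_after
seconds; a single reachable target keeps the link 'up'."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WanLinkMonitor:
    interface: str                 # e.g. "Port2"
    targets: List[str]             # gateway plus internet hosts
    down_after: float = 10.0       # seconds all targets must stay unreachable
    # time at which each target first became unreachable (None = reachable)
    _unreach_since: Dict[str, Optional[float]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        for t in self.targets:
            self._unreach_since[t] = None

    def record(self, target: str, reachable: bool, now: float) -> None:
        """Feed one ping result for one target observed at time `now`."""
        if target not in self._unreach_since:
            raise ValueError(f"{target} is not a monitored host")
        if reachable:
            self._unreach_since[target] = None          # reset the timer
        elif self._unreach_since[target] is None:
            self._unreach_since[target] = now           # start the timer

    def link_state(self, now: float) -> str:
        """'down' only if all targets have been unreachable >= down_after."""
        for t in self.targets:
            since = self._unreach_since[t]
            if since is None or now - since < self.down_after:
                return "up"
        return "down"


def compare_policies() -> Dict[str, str]:
    """Constructed scenario: the gateway 10.176.200.253 stops answering
    ICMP for 15 s while 8.8.8.8 and 1.1.1.1 stay reachable, i.e. the
    internet is fine but the router alone looks dead."""
    gw = "10.176.200.253"
    default = WanLinkMonitor("Port2", [gw])
    recommended = WanLinkMonitor("Port2", [gw, "8.8.8.8", "1.1.1.1"])
    for t in range(0, 16, 5):                           # probes at 0,5,10,15 s
        for mon in (default, recommended):
            mon.record(gw, reachable=False, now=t)
        recommended.record("8.8.8.8", reachable=True, now=t)
        recommended.record("1.1.1.1", reachable=True, now=t)
    return {"gateway_only": default.link_state(15.0),
            "gateway_plus_hosts": recommended.link_state(15.0)}
```

The gateway-only monitor reports a spurious failover while the recommended configuration keeps Port2 up; only when all three targets are unreachable for the full 10 seconds does the multi-host monitor report "down".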

Administration

  1. Access to Sophos Firewall should be carefully monitored and protected. This can be done by changing the default administration settings such as the following:
    • Administrator passwords
    • Port used to access the appliance
    • Access protocols (Use secure protocols like SSH and HTTPS)
  2. Create multiple administrator profiles for special-purpose administrators like VPN Administrator, Security Administrator, Audit Administrator, etc. Each administrator should be assigned only the required permissions according to their role in the organization.
  3. It is recommended to disable administrative access to the Sophos Firewall from all zones except the internal LAN zone or management zone. Even from the LAN or management zone, use secure protocols like HTTPS and SSH for GUI and CLI access.
  4. Check regularly for firmware releases and upgrade the Sophos Firewall to the latest firmware available.
  5. Take regular backups of the Sophos Firewall. Also, make sure you take a backup before making any changes to the configuration of the appliance.
  6. Test your firewall rules and policies regularly.
  7. Conduct internal audits to check the health of the appliance.
  8. Enable login security by:
    • Enabling password complexity for the administrator.
    • Restricting the number of sign-in attempts to prevent brute force attacks.

Firewall

  1. Create a firewall rule for DNS IP Addresses if devices are configured with a public DNS IP address.
  2. Create a firewall rule to allow required and critical traffic across each zone because, by default, traffic across each zone is dropped by the Sophos Firewall, except for LAN to WAN traffic. This will be applicable in both bridge and gateway mode. For example, if the mail server is placed in the DMZ zone, then the Sophos Firewall will not allow access to the mail server from the LAN and WAN zone.
    • To access specific applications running on the mail server, create the necessary firewall rule from each zone.
    • Create a firewall rule to give external access to the mail server.
  3. Create a firewall rule to allow access to and from applications running on DMZ because, by default, traffic from LAN to DMZ is dropped.
  4. If the Sophos Firewall is configured in Bridge mode and the DHCP server is running in the WAN zone of the Sophos Firewall, then create a firewall rule to allow packets from the DHCP server to the LAN to lease IP addresses on devices.
  5. If the MX IP is bound to the WAN port of the Sophos Firewall, create NAT and Virtual Host rules to map the private IP address of the mail server with the MX IP.
  6. If the LAN zone has Routed Networks, then create static routes in the Sophos Firewall to forward requests to and from the Routed Networks over the internet.
  7. If the Sophos Firewall is configured for multiple Internet Service Providers (i.e. multiple gateways) then:
    • To improve browsing speed and reduce latency, create a firewall rule to route DNS requests through a specific Gateway. For example, if the DNS IP address belongs to ISP1 and the DNS request is sent via ISP2, latency will increase and so will the time taken to resolve the site name.
    • If access to certain applications like VPN applications, SAP, or ERP application is allowed from a specific IP address, create a firewall rule to route the application request from the specific IP address only.
    • Create a NAT policy to bind the mail server IP Address to the MX IP. This establishes the connection and reduces the chance of reverse MX check problems.
  8. It is recommended to bypass DoS screening for traffic-intensive servers like VOIP and FTP to avoid dropping of legitimate traffic.
  9. Disable NAT policies for WAN to LAN rule for Mail Server to avoid making it an open relay.

Authentication

  1. If the Sophos Firewall is integrated with one or more external authentication servers, make sure the servers are selected for firewall authentication and are listed in the order of preference.
  2. In the case of AD integration with Single Sign-On enabled, create clientless users for servers like VOIP servers, MFDs, etc. whose manual authentication is not feasible.
  3. After importing groups from AD, modify the order of the groups according to preference. Any user who is a member of multiple groups will be mapped to the first matching group on the Sophos Firewall. Refer also to https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/AuthenticationActiveDirectoryGroupBehavior.html.

IPS

  1. Create custom IPS policies with relevant signatures to decrease packet latency and improve performance.
  2. It is recommended to apply IPS policy in WAN to LAN firewall rules for servers hosted in the network to protect them against known and unknown attacks.

VPN

  1. Create VPN to LAN firewall rules to enable Threat Free Tunnelling (i.e. protect the network from malicious traffic through the VPN tunnel). In these rules, NAT policies should be disabled to allow access to internal resources.
  2. For additional security, use CHAP and MSCHAP Handshaking Protocols for PPTP remote access VPN.
  3. If VPN connectivity is to be configured between a Head Office and multiple Branch Offices, create a Hub and Spoke VPN configuration (i.e. create virtual tunnels from each Branch Office directly to the Head Office).

Antivirus

  1. For scanning of HTTP and HTTPS traffic, configure the Web proxy scanning mode as Real-time rather than Batch. The Real-time scan mode allows virus scanning of files as soon as their download starts while the Batch scan mode waits for the download of the complete file before scanning.
  2. Configure the Sophos Firewall to disallow access to HTTPS websites with invalid certificates.

Antispam

  1. Configure the Sophos Firewall to “Accept” oversized emails to avoid dropping of emails that might be useful.
  2. Enable Quarantine digest to allow users to manage quarantined mails by themselves.
  3. Configure the Sophos Firewall to verify the IP Reputation of senders of all emails to improve Antispam performance.

QoS

  1. Create appropriate QoS policies for mission-critical applications.
  2. Assign the highest priority to real-time traffic like VOIP and the lowest priority to bulky protocols like FTP or P2P file transfer to manage bandwidth better.
