
ET80-18 0v6-XG-Firewall-Engineer-Student-Handout


Hi there, this is the XG Firewall Overview module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall 18.0
ET801 – XG Firewall Overview
July 2020
Version: 18.0v2
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and 
marks mentioned in this document may be the trademarks or registered trademarks of Sophos 
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall 18.0
Module 1: XG Firewall Overview
Version: 18.0v2
Module 1: XG Firewall Overview - 1
About This Course
This course is designed for technical professionals who will be demonstrating XG Firewall. It provides an overview of the protection XG Firewall provides, including major capabilities and core configuration concepts.
Course Duration: this course will take around 3 days to complete.
Prerequisites
There are no prerequisites for this course; however, it is recommended that students have the following knowledge and experience:
• Practical knowledge of networking, including subnets, routing, VLANs, and VPNs
• Experience configuring network security devices
• Knowledge of fundamental encryption and hashing algorithms and certificates
Certification
To complete the Sophos Central Engineer certified course, you must complete and pass the online assessment that is available in the training portal.
You will have two and a half hours to complete the assessment, and can take four attempts to pass it. The assessment may include questions on both theory and simulations.
You must complete and pass the online assessment if you wish to register for the XG Firewall Architect course.
Additional Information
When you see this icon you can find additional information in the notes of the student handout.
Glossary of Technical Terms
A glossary of technical terms used throughout the course can be found in knowledge base article 118500: https://sophos.com/kb/118500
Course Agenda
This course is split into 12 modules, with simulations interspersed throughout the course to allow for practice of the content discussed in the previous modules.
1. XG Firewall Overview
2. Getting Started with XG Firewall
3. Network Protection
4. Site-to-Site Connections
5. Authentication
6. Web Protection
7. Application Control
8. Email Protection
9. Remote Access
10. Wireless Protection
11. Logging and Reporting
12. Central Management
Reference Environment
This network diagram shows the environment that is used during the course and the simulations; you may find it useful for reference to provide additional context. This diagram can also be found in the simulation workbook.
Head Office: London
• LON-GW1.SOPHOS.WWW, WAN IP: 10.1.1.100 (/24)
• LON-DC.SOPHOS.LOCAL, IP: 172.16.16.10 (/24)
• LON-SRV2.SOPHOS.LOCAL, IP: 172.17.17.20 (/24)
• LON-CLIENT2.SOPHOS.LOCAL, IP: 172.17.17.22 (/24)
• LON-INTRANET.SOPHOS.LOCAL (INTRANET zone), IP: 172.25.25.40 (/24) and 172.25.25.41 (/24)
• STORE.SOPHOS.DMZ (DMZ zone), IP: 172.30.30.50 (/24)
Branch Office: New York
• NY-GW.SOPHOS.WWW, WAN IP: 10.2.2.200 (/24)
• NY-SRV.SOPHOS.LOCAL, IP: 192.168.16.30 (/24)
Other addresses shown in the diagram: 10.1.1.250 (/24), 10.2.2.250 (/24), and the MPLS link addresses 10.100.100.65 (/29) and 10.100.100.70 (/29).
XG Firewalls have the x.x.x.16 address on internal networks.
Course Objectives
Once you have completed this course, you will be able to:
• Explain how XG Firewall protects against security threats
• Configure firewall rules, policies and user authentication
• Demonstrate threat protection and commonly used features
• Perform the initial setup of an XG Firewall and configure the required network settings
Training Feedback
Feedback on our courses is always welcome. Please email us at globaltraining@sophos.com with your comments.
XG Firewall Overview
• What is XG Firewall?
• Deployment Options
• Anatomy of Attack
• Zero Trust
This first module introduces the Sophos XG Firewall, including coverage of the deployment options available to you. We'll then guide you through the anatomy of an attack to introduce key security technologies in XG Firewall and how they protect against common threats. Lastly, we'll cover Zero Trust, explaining how this mindset helps prevent successful data breaches.
What is XG Firewall?
• Next-Gen Firewall: Visibility, Protection, and Response
• All-in-One Protection: Consolidate, Simplify, & Save
• School Protection: Affordable, Simple Compliance & Control
• SD-WAN & Branch: Retail, Branch Office, ICS & SD-WAN
• Endpoint Integration: Synchronized Security & Automated Response
• Public Cloud: Protection for Azure and Hybrid Networks
Sophos XG Firewall is a comprehensive network security device, with a zone-based firewall and identity-based policies at its core.
XG Firewall does not only protect wired networks; as a wireless controller for Sophos access points, it can also provide secure wireless networking functionality.
Protection is provided through a single cloud-based platform, making day-to-day management of all your Sophos products (including XG Firewall) easy and scalable.
There are features purpose-built to help universities, higher education, K-12, and primary or secondary educational institutions overcome key challenges, for example powerful web filtering policies and built-in policies for child safety and compliance.
With XG Firewall and SD-RED you are able to connect sites across your geographically-distributed network.
XG Firewall works together with Sophos Central and Intercept X in real time, so when either XG Firewall or Intercept X identifies a threat, they work together to provide health and threat monitoring, lateral movement protection, synchronized application control and synchronized user ID.
XG Firewall can be deployed using preconfigured virtual machines in the cloud, where cloud servers can be secured, protecting them against hacking attempts.
See it, Stop it, Secure it
XG Firewall includes a comprehensive built-in reporting engine, which allows you to easily drill down into reports to find the information you need.
It also provides comprehensive next-generation firewall protection that exposes hidden risks, blocks unknown threats, and automatically responds to incidents.
• See it (Expose Hidden Risks): superior visibility into risky activity, suspicious traffic, and advanced threats helps you regain control of your network.
• Stop it (Stop Unknown Threats): powerful next-gen protection technologies like deep learning and intrusion prevention keep your organization secure.
• Secure it (Isolate Infected Systems): automatic threat response instantly identifies and isolates compromised systems on your network and stops threats from spreading.
See it
The control center appears as soon as you sign in. It provides a single-screen snapshot of the state and health of the security system, with traffic-light style indicators which immediately draw attention to what matters most.
At a glance, you can see your top risks related to heartbeat, apps, payloads, users, threats, websites and attacks.
Stop it
Protection technologies: Next-Gen Firewall; Intrusion Prevention System; Web Protection & SSL Inspection; Sandboxing; Advanced Threat Protection; Synchronized Security; Application Visibility and Control; Email, DLP, Encryption; Web Application Firewall; Wireless Protection; RED and VPN; Deep Learning.
XG Firewall analyzes incoming and outgoing network traffic (for example, DNS requests, HTTP requests, and IP packets) for sophisticated attacks by using a full suite of protection technologies. These include:
• Powerful Sandstorm sandboxing
• Deep learning with artificial intelligence
• Top performing IPS
• Advanced threat and botnet protection
• Web protection with dual AV, JavaScript emulation and SSL inspection
All benefiting from over 30 years of threat intelligence data from SophosLabs.
Secure it
Diagram: Security Heartbeat™ between XG Firewall and Sophos Central; a phishing email from the Internet, a malware server, an infected host, and a ransomware attack against servers and devices.
Recent threats like Emotet and targeted ransomware, such as Matrix and SamSam, demonstrate the ways cybercriminals are constantly changing their tactics to stay effective and profitable.
The next-gen advancements of XG Firewall and Intercept X, combined with the intelligence of Synchronized Security (which we'll come onto later in the course) and easy management of all products within Sophos Central, are essential for maintaining protection and responding quickly to any attack.
Deployment Options
The Sophos XG Firewall can be deployed in four ways:
• As a hardware device. Sophos XG devices come pre-loaded and ready to go
• As software installed onto Intel-compatible hardware
• As a virtual device running on the most common hypervisors, including VMware, Citrix, Microsoft Hyper-V and KVM
• And finally, XG Firewall can be deployed into the cloud on Azure and soon Amazon Web Services
However you choose to deploy XG Firewall, it uses the same software and provides the same functionality regardless of form factor.
Supported Virtualization Platforms
Sophos XG Firewall: Supported virtualization platforms: https://sophos.com/kb/132088
• VMware: ESXi 6.5.0
• Hyper-V: Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2
• Xen: XenServer 7.3
• KVM: CentOS 7.4.1708
Before installing, turn off guest additions and services, and stop automated backups and snapshots.
It is important to install XG Firewall on one of the supported virtualization platforms and their tested versions shown in article 132088. These platforms have been tested and are known to work with the Sophos Firewall Operating System (SFOS).
Azure
• Deploy in minutes from Azure Marketplace
• Flexible pricing: PAYG or BYOL
• Scalable
• Shared responsibility model
• Full XG Firewall
XG Firewall is available as a preconfigured virtual machine within the Azure Marketplace. You can use Azure Resource Manager templates to speed up deployment, or customize the configuration to meet the specific needs of your environment.
Sophos offers two pricing options for XG Firewall on Azure. You can choose between pay-as-you-go (PAYG) or bring-your-own-license (BYOL). PAYG allows you to pay only for what you use, so you do not have to guess about capacity. There is no minimum commitment and you can stop at any time. BYOL allows you to use your existing investment in XG Firewall. When you purchase a 1-, 2-, or 3-year XG Firewall license, you can use that license in conjunction with Azure.
The Azure cloud lets you scale as you need. There's no guessing about capacity, and you can use Azure Resource Manager templates to scale up and down based on user demand for applications.
With Azure's shared responsibility model, Azure secures the cloud and you are responsible for securing your applications and data. XG Firewall can help you with this, and in Azure you still get the full XG Firewall; it is the same product you can run on-premises.
Anatomy of Attack
We will now look at the protection features offered by Sophos XG Firewall. To do this, we will show adversary tactics and techniques and how Sophos XG Firewall is able to stop complex attacks at each phase of an attack.
By reviewing these techniques, you will get a better and more reliable understanding of Sophos' ability to stop the attackers' techniques at each of the phases.
Attack Kill Chain
PRE-BREACH
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to victim via email, web …
• Exploitation: leveraging a vulnerability or functionality to execute code on victim's machine
POST-BREACH
• Installation: installing malware on the asset
• Command and Control: command channel for remote manipulation of victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal
The first part of the anatomy of a cyber attack is reconnaissance and weaponization. Hackers usually start by passively researching and gathering information about the target organization, for example, email addresses of key players in the organization such as CEOs and company directors. During passive reconnaissance the attacker is not touching your network or systems, so there is nothing to detect.
They may actively look for network ranges, IP addresses, and domain names, using port scanners or finding information about the company being sold on the dark web.
Weaponization is done on the attacker's device, so there is nothing to detect.
The delivery stage of an attack is defined by the attacker being able to access your estate through an attack vector, for example an email, and deliver malware to a specific target. This is sometimes referred to as delivering a weaponized bundle to a target.
Protecting Against The Delivery of Malware
Attackers will send emails to users asking them to click on a link, or go to a website that is compromised. This is referred to as phishing. Typically in a phishing scam, you and many of your colleagues will receive an email that appears to come from a reputable organization and will sometimes include attachments which, if opened, can infect a device. Attackers will use social engineering tactics over social networks, emails, applications, phone calls, text messages and in person to get people to reveal sensitive information. Typically the attack is designed for some of the following purposes:
• Phishing credit-card account numbers and passwords
• Hacking private e-mails and chat histories
• Hacking websites of companies or organizations and destroying their reputation
• Computer virus hoaxes
• Convincing users to run malicious code
Many malware infections begin with a user visiting a specifically designed website that exploits 
one or more software vulnerabilities. This can be triggered by a user clicking on a link within an 
email or browsing the Internet. This type of infection will happen silently. 
Genuine websites can be compromised by attackers who place malicious advertisements on the site. In other cases traffic to the website may be redirected to the attacker's server. The redirected site is designed to look authentic and usually requests a username and password to log in.
You can find out more about social engineering and how it can be prevented by watching the video on Sophos' Naked Security page: https://nakedsecurity.sophos.com/tag/social-engineering/
Email Attacks (Delivery)
Diagram of an email attack against your network:
• Infiltrate: the cyber criminal sends an email to the victim
• The victim clicks on the email and goes to the phishing website
• Phishing website: the attacker collects the victim's credentials
• Data theft: the attacker uses the victim's credentials to access the legitimate website
• Exploit kit: scans for vulnerabilities on the victim's computer and exploits them to download the exploit's malicious code onto the system
XG Firewall protects you by scanning HTTP and HTTPS traffic for unwanted content or malware.
• Web Filtering provides pre-defined filters that automatically block access to categorized websites, such as gambling or pornography
• Live Protection provides real-time lookups to SophosLabs to check for any threats and prevent them from infecting the device/network
• Pharming Protection prevents users from being redirected to fake or compromised websites
• Certificate validation validates website certificates to ensure legitimacy
• File type filtering is based on MIME type, extension and active content types. This can be used to block macro-enabled documents, for example
• SafeSearch enforcement. SafeSearch is a feature of Google Search that acts as an automated filter of pornography and potentially offensive content
The Web Protection feature is customizable; for example, restricting users' surfing quota and access time allows control over what users can have access to and when. If you want to restrict your users from being able to access websites that are not business essential, you can place a restriction in the web policy that blocks access to non-business sites, for example social networking sites.
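The file type filtering bullet above names three criteria: extension, MIME type and active content. The Python below is an added example written for this handout's reader; it is not Sophos code and does not show how XG Firewall implements the filter. The extension and MIME lists, the verdict names and the sample files are constructed for the example. The one general fact it relies on is that OOXML documents are zip containers in which a VBA project is stored as a part named vbaProject.bin, so a macro can be found by content even when the file name and declared MIME type say otherwise. It also goes one step beyond the text: legacy OLE2 documents (.doc, .xls) can carry VBA too, but finding it needs OLE stream parsing, so the example routes those for a fuller scan instead of deciding on its own.

```python
import io
import os
import zipfile
from typing import Tuple

# Extensions and MIME types that Office reserves for macro-enabled documents
# (constructed subset for the example).
MACRO_ENABLED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
MACRO_ENABLED_MIME_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.12",
    "application/vnd.ms-excel.sheet.macroEnabled.12",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.12",
}
DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

# Legacy binary Office formats are OLE2 compound files; they can hold VBA,
# but this example does not parse OLE streams, so it only flags them.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
LEGACY_OFFICE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}


def ooxml_contains_vba(data: bytes) -> bool:
    """Active-content check: an OOXML container with a VBA project always
    carries a part whose name ends in vbaProject.bin."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_download(filename: str, declared_mime: str, data: bytes) -> Tuple[str, str]:
    """Decide what the web filter does with a download.
    Returns (verdict, reason); verdict is 'block', 'inspect' or 'allow'.
    The checks run in the order the handout lists them: extension, MIME type,
    active content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_ENABLED_EXTENSIONS:
        return "block", f"macro-enabled extension {ext}"
    if declared_mime in MACRO_ENABLED_MIME_TYPES:
        return "block", f"macro-enabled MIME type {declared_mime}"
    # Content check catches macros even when the name and MIME type are benign.
    if ooxml_contains_vba(data):
        return "block", "active content: vbaProject.bin found inside OOXML container"
    if data.startswith(OLE2_MAGIC) and ext in LEGACY_OFFICE_EXTENSIONS:
        return "inspect", "legacy OLE2 document; send for full content scan"
    return "allow", "no macro indicators"


def build_ooxml_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", DOCX_MIME, build_ooxml_sample(with_vba=False)),
        ("invoice.docm", "application/vnd.ms-word.document.macroEnabled.12",
         build_ooxml_sample(with_vba=True)),
        # Renamed to .docx with a benign MIME type: only the content check catches it.
        ("renamed.docx", DOCX_MIME, build_ooxml_sample(with_vba=True)),
        ("old.doc", "application/msword", OLE2_MAGIC + b"\x00" * 32),
    ]
    for name, mime, data in samples:
        verdict, reason = classify_download(name, mime, data)
        print(f"{name:14} -> {verdict:8} ({reason})")
```

The third sample is the one that matters for a filter: a renamed macro document passes both the extension and the MIME test, and only the active-content test blocks it.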
Web Protection
Policies allow you to configure filters to automatically block categorized websites. If a user visits a blocked website they will not be able to get to the site.
Email Encryption and Control
To protect against email attacks on your network, Email Encryption and Control can be used.
The email scanning engine will scan all inbound emails for malicious content. You control what emails can be received into your network:
• IP Reputation is enabled, allowing you to determine whether you accept, reject or drop emails that are sent from known spam senders
• File-type detection is configured to scan and block specific file types. For example, you can block or quarantine any macro-enabled files from being received from any sender
The email scanning engine will also detect phishing URLs within emails and block those emails accordingly. As well as scanning inbound and outbound emails for malicious content, the email protection allows you to encrypt emails so that you can send sensitive data securely out of your network.
It uses SPX encryption for one-way message encryption and recipient self-registration SPX password management. This encryption is simple and secure and does not require certificates or keys. It also allows users to add attachments to SPX secure replies to allow your users to securely send files.
Email protection also uses our Data Loss Protection (DLP) engine, which automatically scans emails and attachments for sensitive data. This is also a key benefit at the last stage of the attack, which we'll talk about later in the module.
Diagram: cyber criminal on the Internet, XG Firewall with quarantine, email servers.
Sandstorm
Sophos Sandstorm uses next-gen sandbox technology with integrated deep learning, giving your organization an extra layer of security against ransomware and targeted attacks. It integrates with your XG Firewall and is cloud-delivered, so there's no additional hardware required. It's the best defense against the latest payload-based malware lurking in phishing attacks, spam, and file downloads.
Let's take a look at how Sophos Sandstorm tests for and identifies possible malware.
The Sophos XG Firewall accurately pre-filters traffic using all of the conventional security checks, including anti-malware signatures, known bad URLs and so forth, so only previously unseen suspicious files are submitted to Sandstorm, ensuring minimal latency and end user impact.
If the file is executable or has executable content, the file is treated as suspicious. The XG Firewall sends the file hash to Sophos Sandstorm to determine if it has been previously analyzed.
If the file has been previously analyzed, Sophos Sandstorm passes the threat intelligence to the XG Firewall. Here, the file will be delivered to the user's device or blocked, depending on the information provided by Sophos Sandstorm.
The XG Firewall keeps a local cache of file hashes and the results in a local database to prevent unnecessary lookups.
Finally, the XG Firewall uses the detailed intelligence supplied by Sophos Sandstorm to create deep, forensic reports on each threat incident.
Diagram: suspect file on the XG Firewall, hash sent to Sophos Sandstorm, behavior determined, control decision and report returned to the XG Firewall.
If the hash has not been seen before, a copy of the suspicious file is sent to Sophos Sandstorm. Here, the file is executed and its behavior is monitored. Once fully analyzed, Sophos Sandstorm passes the threat intelligence to the XG Firewall, which will determine if the file is allowed or blocked.
As with previous threats, a report is created for the threat incident.
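The two Sandstorm passages above (the pre-filter and hash lookup, then the upload of a never-seen file) describe one decision pipeline. The Python below is an added worked example of that pipeline and is not Sophos code: SandstormCloud is a constructed stand-in for the cloud service, Firewall for the device, and the "detonation" rule is a placeholder for real behavioural analysis. The signature set and the known-bad URL are demo data. The point it makes visible is the ordering: conventional checks first, then only executable content goes further, then the local cache, then the cloud hash lookup, and the file itself is uploaded only when the hash has never been seen anywhere.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the conventional pre-filter feeds. Not SophosLabs data.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ known-dropper").hexdigest()}
KNOWN_BAD_URLS = {"http://downloads.example.test/bad/setup.exe"}


def has_executable_content(data: bytes) -> bool:
    """Cheap content test: PE and ELF binaries, scripts, and Office documents
    carrying a VBA project (zip entry names are stored in clear text)."""
    return (data.startswith(b"MZ") or data.startswith(b"\x7fELF")
            or data.startswith(b"#!") or b"vbaProject.bin" in data)


class SandstormCloud:
    """Simulated cloud sandbox service (constructed for the example)."""

    def __init__(self) -> None:
        self.verdicts: Dict[str, str] = {}   # sha256 -> "malicious" | "clean"
        self.detonations = 0                 # how many files were actually run

    def lookup(self, sha256: str) -> Optional[str]:
        return self.verdicts.get(sha256)     # None: never analyzed before

    def detonate(self, sha256: str, data: bytes) -> str:
        # Placeholder for behavioural analysis: the demo treats a file that
        # tries to "encrypt all files" as ransomware-like.
        self.detonations += 1
        verdict = "malicious" if b"encrypt-all-files" in data else "clean"
        self.verdicts[sha256] = verdict
        return verdict


class Firewall:
    """Simulated firewall that consults the cloud the way the handout describes."""

    def __init__(self, cloud: SandstormCloud) -> None:
        self.cloud = cloud
        self.hash_cache: Dict[str, str] = {}  # local cache of hash -> verdict
        self.reports: List[dict] = []         # one forensic report per incident

    def inspect_download(self, url: str, data: bytes) -> Tuple[str, str]:
        """Return (action, stage): action is 'allow' or 'block', stage names the
        check that produced the decision."""
        sha256 = hashlib.sha256(data).hexdigest()
        # Stage 1: conventional checks, so known threats never reach the sandbox.
        if url in KNOWN_BAD_URLS:
            return "block", "known bad URL"
        if sha256 in KNOWN_BAD_SHA256:
            return "block", "anti-malware signature"
        # Stage 2: only files with executable content are treated as suspicious.
        if not has_executable_content(data):
            return "allow", "no executable content"
        # Stage 3: the local hash cache avoids repeat lookups.
        if sha256 in self.hash_cache:
            return self._action(self.hash_cache[sha256]), "local cache"
        # Stage 4: cloud hash lookup; upload the file only if the hash is new.
        verdict = self.cloud.lookup(sha256)
        stage = "cloud hash lookup"
        if verdict is None:
            verdict = self.cloud.detonate(sha256, data)
            stage = "sandbox detonation"
        self.hash_cache[sha256] = verdict
        if verdict == "malicious":
            self.reports.append({"url": url, "sha256": sha256, "stage": stage})
        return self._action(verdict), stage

    @staticmethod
    def _action(verdict: str) -> str:
        return "block" if verdict == "malicious" else "allow"


if __name__ == "__main__":
    cloud = SandstormCloud()
    fw_london, fw_newyork = Firewall(cloud), Firewall(cloud)
    ransom = b"MZ\x90\x00 constructed sample encrypt-all-files"
    print(fw_london.inspect_download("http://files.example.test/tool.exe", ransom))
    print(fw_london.inspect_download("http://files.example.test/tool.exe", ransom))
    print(fw_newyork.inspect_download("http://mirror.example.test/tool.exe", ransom))
    print(fw_london.inspect_download("http://files.example.test/notes.txt", b"plain text"))
    print("files detonated:", cloud.detonations)
```

Running it shows the same file detonated once for the first firewall, answered from the local cache on the second download, and answered by a cloud hash lookup (no upload) when the second firewall sees it.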
Deep Learning
Diagram: millions of samples (Windows EXE, documents with macros, PDFs with scripts); features of the files defined (vendor, size, printable strings, metadata, imports, contextual bytes) and labelled; a model trained to determine the features of a file produces a learned model (deep learning); a PE file is passed through the deep learning engine and classified as malicious or legitimate.
Amongst the layers of protection within our sandbox is something called deep learning, which 
protects against the latest unseen advanced threats like ransomware, cryptomining, bots, worms, 
hacks, breaches, and APTs without using signatures.
Deep Learning uses a set of algorithms that try to replicate the way a human brain would solve a 
problem. By looking at the features of an object, it makes a decision as to what that object is.
Let’s relate this to securing your network. The deep learning model is trained on millions of 
samples of known good and bad files, some examples shown here. It is taught the features (the 
size, compression setting, printable strings, vendor and so forth) of these files which are then 
labelled. The model is then trained to determine the features of a file to create a learned model. 
When a file is then tested with this model, deep learning evaluates portable executable (PE) files 
on a machine at the time of execution within the sandbox. The engine predicts if the file is 
malicious or legitimate based on the file characteristics, which have been learnt from the samples 
the model has been trained on. The prediction is returned and the file is categorized as malicious 
or legitimate. 
Application Control
Configure Application Rules to restrict access to specific applications.
Application Control works on several levels to help protect your network; the most obvious of these is reducing the attack surface by controlling what applications are allowed. For example, users cannot download infected files through peer-to-peer applications if you are blocking them.
Application Control can be used to block:
• Unwanted applications: some applications are non-malicious and possibly useful in the right context, but are not suitable for company networks. Examples are adware, tools for administering PCs remotely, and scanners that identify vulnerabilities in computer systems
• Peer-to-peer networking applications: P2P applications can contain vulnerabilities. Peer-to-peer applications act as servers as well as clients, meaning that they can be more vulnerable to remote exploits
• High risk applications: Sophos categorizes all applications; this means that you can apply the high risk application control policy and it will block all (and any new) applications categorized as high risk. For example, proxy and web storage applications are often high risk
• Very high risk applications: in the same way as for the high risk category, the very high risk category allows you to block all applications classified as very high risk. Examples of these applications are TOR proxy, SuperVPN and AppVPN
Synchronized App Control
• XG Firewall sees app traffic that does not match a signature
• Sophos Endpoint shares app name, path and even category to XG Firewall for classification
• Automatically categorize and control where possible, or the admin can manually set the category or policy to apply
On average, 60% of application traffic goes unidentified. Static application signatures don't work for custom, obscure, evasive, or any apps using generic HTTP or HTTPS. Synchronized App Control on XG Firewall automatically identifies all unknown applications, enabling you to easily block the apps you don't want and prioritize the ones you do.
What this means is that you can now identify, and deal with, the unknown threats and unwanted apps that are running on your network, putting the organization at risk and impacting user productivity.
Users continue to be the easiest target for attackers but an army of trained, phishing-aware 
employees can provide you with a human firewall against these threats. Let’s look at the next 
stage, Exploitation, which is defined by leveraging a vulnerability to execute code on a victim’s 
machine. An exploit is basically a method or a tool used for abusing software bugs for nefarious 
purposes. 
Module 1: XG Firewall Overview - 37
PRE-BREACH
• Reconnaissance: harvesting e-mail addresses, conference information, etc.
• Weaponization: coupling exploit with backdoor into deliverable payload
• Delivery: delivering weaponized bundle to victim via email, web …
• Exploitation: leveraging a vulnerability or functionality to execute code on victim's machine
POST-BREACH
• Installation: installing malware on the asset
• Command and Control: command channel for remote manipulation of victim
• Behaviour: with 'hands on keyboard' access, intruders accomplish their goal
Protecting Against Exploits
By their very nature, web servers need to be accessible from the Internet, but this makes them targets for attackers who may be trying to extract data or install malware to compromise other users visiting the website.
Attacks can take many forms, including cross-site scripting (XSS) attacks, protocol violations and anomalies, cookie signing, SQL injection, or other generic attacks.
Module 1: XG Firewall Overview - 38
Web Server Protection
Slide diagram (Exploitation stage): an attacker on the Internet sends XSS, protocol violations, SQL injection and generic attacks through the firewall to the web servers.
Sophos XG Firewall includes comprehensive Web Server Protection, which is bundled with 
preconfigured templates to make protecting commonly used web-facing servers like Microsoft 
Exchange as easy as possible. 
Web Server Protection acts as a reverse proxy protecting web servers on the internal network or 
DMZ from inbound traffic. Web Server Protection uses a web application firewall to filter traffic, 
harden forms, sign cookies, and scan for malware.
Web Server Protection can also authenticate incoming connections with a username and password 
before they even reach the web server.
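The cookie-signing part of a reverse proxy, as an added example written for this handout; it is not Sophos code and not how XG Firewall's Web Server Protection implements the feature. The proxy keeps a signing key the backend never sees, appends an HMAC-SHA256 tag to each cookie it hands to the browser, and on the way back in drops any cookie whose tag does not verify, so a client-side edit of, say, a role cookie never reaches the web server. The key, cookie names and header layout are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Signing key held only by the reverse proxy; the backend web server never sees it.
# Constructed for this example: a real deployment generates it once and stores it securely.
PROXY_KEY = b"example-proxy-signing-key-not-for-production"


def _tag(name: str, value: str, key: bytes) -> str:
    # The tag covers the cookie name as well as its value, so a tag lifted from
    # one cookie cannot be reused to vouch for a different cookie.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str, key: bytes = PROXY_KEY) -> str:
    """Outbound: append the HMAC tag before the Set-Cookie leaves for the browser."""
    return f"{value}.{_tag(name, value, key)}"


def verify_cookie(name: str, signed: str, key: bytes = PROXY_KEY) -> Optional[str]:
    """Inbound: return the original value, or None if the tag is missing or wrong."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None  # no tag at all: this cookie was never issued through the proxy
    # compare_digest runs in constant time, so the comparison does not leak the tag
    if not hmac.compare_digest(_tag(name, value, key), tag):
        return None
    return value


def filter_request_cookies(cookie_header: str, key: bytes = PROXY_KEY) -> Dict[str, str]:
    """Parse a raw Cookie header and keep only cookies whose tag verifies.

    Anything that fails (tampered, unsigned, or signed for another name) is
    dropped here, before the request is forwarded to the web server.
    """
    accepted: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, signed = part.split("=", 1)
        value = verify_cookie(name, signed, key)
        if value is not None:
            accepted[name] = value
    return accepted
```

The tag is bound to the cookie name as well as the value; without that, a tag issued for a harmless cookie could be moved onto a sensitive one and still verify.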
Module 1: XG Firewall Overview - 39
Web Server Protection
Slide diagram (Exploitation stage): the same attacker traffic (XSS, protocol violations, SQL injection, generic attacks) from the Internet now passes through XG Firewall before it can reach the web servers.
Vulnerabilities and exploit kits can be protected against using an Intrusion Prevention System (IPS). IPS monitors network traffic for malicious activity as it passes through the XG Firewall. It logs the activity, attempts to block it to prevent infection, and then reports the activity.
Note that Intrusion Prevention is not designed to replace applying software patches to fix bugs and security vulnerabilities.
Module 1: XG Firewall Overview - 40
Intrusion Prevention System (IPS)
Slide diagram: traffic flows Endpoint → XG Firewall → Internet.
• Monitors network traffic for malicious activity
• Blocks and reports activities to prevent network infections
Exploitation
This attack phase is where the installed malware makes a connection to a Command and Control (C&C) server.
In a typical APT lifecycle, communication with the Command and Control host is a repeated process. This allows the malware to adapt as the attacker gains more knowledge.
Some of the more complex malware, such as Emotet, communicates with remote servers for further instructions or updates, or to upload or download further files.
Module 1: XG Firewall Overview - 41
Exploitation and Command and Control Connections
Advanced Threat Protection (ATP) monitors all outgoing traffic. It blocks outgoing network traffic attempting to contact command and control servers. This prevents remote access Trojans from reporting back to their malicious servers.
If ATP detects a threat, an alert is recorded and the number of detections is shown in the Control Center. The administrator can then check the alert for additional information about the threat, such as:
• The affected device's IP address
• The affected device's hostname
• The threat and the number of times the rule was triggered
• The user and offending process
This process allows the administrator to clean up the threat while the device is isolated, protecting the rest of the network from becoming infected.
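A scaled-down version of the outbound check just described, as an added example written for this handout; it is not XG Firewall's ATP implementation and does not use its log format. A few constructed key=value connection records are matched against a constructed indicator list, each hit counts as a blocked connection, and hits are rolled up into one alert per device and threat carrying the fields listed above (IP address, hostname, threat, trigger count, user and process). The indicator addresses come from documentation ranges only.

```python
import re
from typing import Dict, List, Tuple

# Constructed indicator list (destination -> threat name). A real deployment takes this
# from a threat feed; these addresses are from the documentation ranges, not real servers.
C2_INDICATORS: Dict[str, str] = {
    "203.0.113.77": "Example/RAT-C2",
    "198.51.100.9": "Example/Downloader",
}

# Constructed outbound-connection records in a simple key=value layout.
# This is NOT XG Firewall's log format; it exists only so the example runs offline.
SAMPLE_LOG = """\
2020-07-01T10:02:11Z src=10.1.1.25 host=FIN-PC-03 user=jdoe proc=svchost.exe dst=203.0.113.77 dport=443
2020-07-01T10:02:14Z src=10.1.1.40 host=HR-PC-11 user=asmith proc=chrome.exe dst=192.0.2.10 dport=443
2020-07-01T10:02:19Z src=10.1.1.25 host=FIN-PC-03 user=jdoe proc=svchost.exe dst=203.0.113.77 dport=443
2020-07-01T10:03:02Z src=10.1.1.25 host=FIN-PC-03 user=jdoe proc=svchost.exe dst=203.0.113.77 dport=8080
2020-07-01T10:03:30Z src=10.1.1.61 host=DEV-PC-02 user=bkim proc=update.exe dst=198.51.100.9 dport=80
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect_c2(log_text: str, indicators: Dict[str, str] = C2_INDICATORS) -> Tuple[int, List[dict]]:
    """Return (connections blocked, alerts), one alert per (device, threat) pair."""
    alerts: Dict[Tuple[str, str], dict] = {}
    blocked = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_record(line)
        threat = indicators.get(ev.get("dst", ""))
        if threat is None:
            continue  # destination is not a known C&C host: let it through
        blocked += 1
        key = (ev["src"], threat)
        alert = alerts.setdefault(key, {
            "ip": ev["src"],
            "hostname": ev.get("host"),
            "threat": threat,
            "count": 0,
            "user": ev.get("user"),
            "process": ev.get("proc"),
            "first_seen": ev["ts"],
            "last_seen": ev["ts"],
        })
        alert["count"] += 1
        alert["last_seen"] = ev["ts"]
    # Noisiest device first: that is the one to isolate and clean up first.
    return blocked, sorted(alerts.values(), key=lambda a: -a["count"])


if __name__ == "__main__":
    n, found = detect_c2(SAMPLE_LOG)
    print(f"blocked {n} connection(s)")
    for a in found:
        print(f"{a['ip']} ({a['hostname']}) {a['threat']} x{a['count']} "
              f"user={a['user']} proc={a['process']}")
```

Rolling hits up per device rather than per connection is what makes the alert actionable: the administrator sees one entry for the device, the process behind it and how often it has tried, which is exactly what is needed to decide on isolation and clean-up.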
Module 1: XG Firewall Overview - 42
Advanced Threat Protection (ATP)
Slide diagram: Computers, XG Firewall, Internet.
• Globally monitors all outgoing traffic
• Detects and blocks malicious outgoing traffic
• Records an alert in the Control Centre of the XG Firewall
• Allows isolation of the device and threat clean up
Command and Control
This stage of the attack anatomy varies depending upon the type of malware. For example, a ransomware attack will look to encrypt data and demand a ransom, whereas spyware tends to log the keystrokes of victims to gain access to passwords or intellectual property.
Next, we'll review some of the protection components which form part of XG Firewall to detect malicious threats.
Module 1: XG Firewall Overview - 43
Protecting Against Malicious Behavior
Server Protection and Intercept X can be used to assign every device a health status. In the event a device is compromised, it can be automatically isolated from other parts of the network at the firewall, and network connections between it and other, healthy devices can be blocked. This limits the fallout of a breach, the spread of malware, or the lateral movement of an attacker, even on the same broadcast domain or network segment, where the firewall has no opportunity to block the traffic.
We're effectively pushing isolation enforcement out to the endpoints so they can help the firewall isolate any threats and keep the network secure. This will stop any threat or attacker attempting to move laterally.
Automatic Device Isolation
Slide diagram (Behaviour stage): Servers, Endpoint, Infected Host and XG Firewall on the network, linked by Security Heartbeat™, with the Internet beyond.
XG instantly informs all healthy endpoints to ignore any traffic from a compromised device.
Module 1: XG Firewall Overview - 44
Email Protection
Email protection stops data from being leaked outside of the organization by email. You can create data control lists from the content control lists (CCLs). CCLs are based on common financial and personally identifiable data types, for example credit card or social security numbers, and postal or email addresses. When XG Firewall finds a match for the specified information, it applies the action specified in the policy.
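A content control list matcher of the kind described above, as an added example constructed for this handout; it is not Sophos's CCL engine. It pairs a regular expression for a payment card number with a Luhn check, so that arbitrary 16-digit strings are not reported as cards, adds a pattern for a US social security number, maps each CCL to a policy action, and scans a constructed email body. The CCL names, the policy layout and the sample numbers are this example's own.

```python
import re
from typing import Callable, List, Optional, Tuple

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# AAA-GG-SSSS with the invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Keep only the last four digits so the finding can be logged safely."""
    digits = [c for c in text if c.isdigit()]
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


# Constructed CCL table: (name, pattern, optional validator).
CCLS: List[Tuple[str, re.Pattern, Optional[Callable[[str], bool]]]] = [
    ("Credit card number", CARD_RE, luhn_valid),
    ("US social security number", SSN_RE, None),
]

# Constructed policy: CCL name -> action; the most restrictive action wins.
POLICY = {"Credit card number": "block", "US social security number": "notify"}
SEVERITY = {"allow": 0, "notify": 1, "block": 2}


def find_sensitive(body: str) -> List[Tuple[str, str]]:
    """Return (CCL name, redacted match) for every validated hit in the body."""
    findings = []
    for name, pattern, validator in CCLS:
        for m in pattern.finditer(body):
            if validator is not None and not validator(m.group(0)):
                continue  # matched the shape but failed the checksum: ignore
            findings.append((name, redact(m.group(0))))
    return findings


def apply_policy(body: str, policy: dict = POLICY) -> Tuple[str, List[Tuple[str, str]]]:
    """Scan a message and pick the action the policy assigns to what was found."""
    findings = find_sensitive(body)
    action = "allow"
    for name, _ in findings:
        candidate = policy.get(name, "allow")
        if SEVERITY[candidate] > SEVERITY[action]:
            action = candidate
    return action, findings


# Constructed message: one Luhn-valid test card, one that fails Luhn, one SSN,
# plus an order number and a phone number that must not be reported.
SAMPLE_EMAIL = """\
Hi, please process the refund to card 4111 1111 1111 1111 for order 20200701-0042.
The other number I was given, 4111 1111 1111 1112, did not work.
Employee SSN for the HR form: 123-45-6789. Call me on 0123 456 7890.
"""

if __name__ == "__main__":
    decision, hits = apply_policy(SAMPLE_EMAIL)
    print(decision, hits)
```

The validator step is what keeps the false-positive rate down: the second card-shaped number in the sample fails the checksum and is not reported, while the order and phone numbers never match the pattern at all.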
Module 1: XG Firewall Overview - 45
Digital security and physical security have many parallels. Think of a building and how it could be 
protected. If you were to build nothing but a giant wall, it may prove difficult to climb over but 
eventually someone will find a way to get over it (or under it).
Now consider a fortress. Armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors. 
It may be possible to hop the wall, but you still have many additional hurdles ahead of you.
Single layers are simple to build but are also simple to bypass. Our goal has always been to build 
fortresses so that multiple security elements are present to detect movement across assets and for 
attacks to be detected and stopped.
Module 1: XG Firewall Overview - 46
Summary
NETWORK PROTECTION
• Stop unknown and sophisticated threats
• Advanced networking protection
• Automatically responds to incidents
ADVANCED THREAT PROTECTION
• Detect and block C&C traffic
APPLICATION CONTROL
• Block undesired applications
• Proxies, hacking tools, sniffers
• Out of date browsers, office apps
MALWARE SCANNING
• On-board antivirus engines
• Sophos Sandstorm
DATA LOSS PREVENTION
• Email
WEB PROTECTION
• Prohibited website blocking
INTRUSION PREVENTION
• Local Security Authority (LSASS)
• Security Account Manager (SAM)
EMAIL PROTECTION
• Inbound antivirus and anti-spam scanning (with SPF and DKIM)
• SPX Email Encryption
SANDSTORM WITH DEEP LEARNING
• Time of click URL Protection
WEB SERVER PROTECTION
• Blocks known attack techniques
• Active Adversary Mitigations
• Reverse proxy authentication
SYNCHRONIZED SECURITY
• Heartbeat™ links your Sophos endpoints with XG Firewall
• Automatic device isolation
• Synchronized App Control
• Identify Infected Systems
• Monitor Network Health
Zero Trust
Module 1: XG Firewall Overview - 47
Traditionally cybersecurity has involved creating a security perimeter and trusting that everything 
inside that perimeter is secure. This is a vulnerable design as once an attacker or unauthorized user 
gains access to a network, that individual has easy access to everything inside the network where 
they can progressively search for the key data and assets that are ultimately the target of their 
attack. 
The corporate network perimeter defensive line no longer exists. With increased attack 
sophistication and insider threats, organizations can’t guarantee that everything on the inside of 
their network can be trusted.
Zero Trust is a relatively new and evolving approach to network design but it's also part of a wider 
mind-set based on the principle of trusting nothing and checking everything. With zero trust, no 
user is trusted, whether inside or outside of the network.
Zero Trust Overview
Zero Trust is a cybersecurity mindset based on the principle of trust nothing, check everything.
Module 1: XG Firewall Overview - 48
The number of users who wish to work remotely, using their own personal devices to access corporate data and resources from untrusted networks such as coffee shops, is increasing.
The use of SaaS apps, cloud platforms and services leaves some data outside of the corporate perimeter. The use of public cloud platforms means that many of the devices or services that once ran within the corporate perimeter now run outside of it. Basically, secure every device you have as if it was connected directly to the Internet.
Zero Trust Overview
Slide diagram: the formerly 'Trusted' network alongside SaaS and Remote Users outside it.
Module 1: XG Firewall Overview - 49
Network Segmentation
Slide diagram: XG Firewall between the Internet and segmented Devices, Applications and Users (each behind its own switch), with the Sophos products alongside: Cloud Optix, Managed Threat Response, Server, Phish Threat, Email, Wireless, Intercept X, Encryption, Mobile.
On the firewall side, network segmentation, or even micro-segmentation around your users, devices, apps, networks and so on, provides one of the key benefits of the Zero Trust strategy.
Dynamic policies are at the center of XG, with multiple sources of data available to leverage as part of a policy. Identity, time of day, network location, device health, network packet analysis, and more: all of these different sources of data can be used in different combinations depending on the scenario.
Segmenting your network into smaller and more granular subnets, and securing them together through your firewall, helps to limit exposure in the event that one segment becomes compromised. In practice it works great, but in some cases it can add unwanted expense, infrastructure and management overhead, and impact performance.
It takes a lot of technologies to secure all the resources and assets you'll have on a network. There is no single vendor, product or technology that will solve all your problems, but Sophos certainly has a huge range of technologies to help you secure multiple resources and assets at the same time.
Server Protection and Intercept X can be used to assign every device a health status. In the event one is compromised, the device can be automatically isolated, and network connections between devices blocked, to limit the fallout of a breach, the spread of malware or the lateral movement of an attacker.
Our Managed Threat Response (MTR) service can monitor all user activity across the estate and identify potentially compromised user credentials.
Module 1: XG Firewall Overview - 50
Sophos Mobile, our UEM solution, can be used to support BYOD or to manage all kinds of mobiles, laptops and desktops. Compliance policies can be put in place to ensure a strong baseline configuration, and any drift will cause that device to have its access to resources revoked automatically.
Sophos Central has you covered for all of these. Our cloud-native cybersecurity platform orchestrates all of our technologies in a single console, providing you with oversight of all technologies in a single place, and APIs to wire together any other third-party technologies you are using.
Lateral Movement Protection
Slide diagram: XG Firewall between the Internet and the Local Area Network, where an Infected Host, an Endpoint and an Application Server share a switch.
As shown in our Anatomy of Attack topic, Lateral Movement Protection effectively provides an adaptive micro-segmentation solution. With Lateral Movement Protection, each individual endpoint is effectively on its own segment, able to be isolated in response to an attack or threat regardless of the network topology.
XG Firewall uniquely integrates the health of connected hosts into your firewall rules, enabling you to automatically limit access to sensitive network resources from any compromised system until it's cleaned up.
This is made possible by Synchronized Security, which is our cross-portfolio approach to analyze system and network activity, adapt to scenarios through dynamic policy, and automate complex tasks like isolating machines and more.
Module 1: XG Firewall Overview - 51
Summary
• There is no 'inside' the network: pretend you're running your business from a coffee shop and all your devices are connected directly to the Internet.
• Trust nothing, verify everything: assume attackers are on both the inside and the outside and persist at all times. No user or device should be automatically trusted.
• Security should adapt in real-time: security policies should be dynamic and automatically change based on insight from as many sources of data as possible.
Identify. Control. Analyze. Secure.
At its essence, there are a few major concepts for Zero Trust that you should keep in mind along your journey.
There is no "inside" the network. Pretend that you're running your entire business from an untrusted location like a coffee shop, and that all your devices are connected directly to the most dangerous of all networks: the public Internet. By imagining this as the reality, we are forced to apply security in ways where we can't rely on being behind a traditional corporate perimeter.
There will always be corporate "trusted" networks for administration and in-house systems, but the goal is to keep ordinary users off these networks, using app proxies and other technologies, drastically reducing the attack surface.
Next, trust nothing, verify everything. Assume that there are attackers both on the inside of your networks and on the outside, and that they are there all the time, constantly trying to attack. No user or device should be automatically trusted. By imagining we're under constant attack from every direction, we are pushed to build rock-solid authentication and authorization to the resources, layer the defenses, and constantly monitor and analyze everything happening across the estate.
Lastly, security should adapt in real-time. The security policies we put in place to achieve Zero Trust should be dynamic and automatically change based on insight from as many sources of data, from as many different technologies, as possible. A static policy like THIS USER on THIS DEVICE can access THIS THING won't protect you if that device has been compromised while that user is on it. If your policy also took into account device health, such as the identification of malicious behaviors, your policy could use this to dynamically adapt to the situation with zero effort from an admin. Our Synchronized Security products can share the unique insights they each have with one another, which enables us to have adaptive, dynamic policies, taking advantage of all these insights so that a policy is never static and easily circumnavigated.
Module 1: XG Firewall Overview - 52
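The static-versus-dynamic policy contrast drawn above, together with the health-based isolation described in the network segmentation notes earlier, as an added example in Python written for this handout; it is not XG Firewall's rule engine, and the rule fields, health labels ("green", "yellow", "red") and zone names are this example's own. A static rule checks only who is asking for what; the dynamic rule also takes device health, source zone and time of day into account, so the same user on the same device is denied the moment the device's health drops to red.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

# Assumed health labels for this example, ordered from worst to best.
HEALTH_RANK = {"red": 0, "yellow": 1, "green": 2}


@dataclass(frozen=True)
class Context:
    """Everything known about one connection attempt at decision time."""
    user: str
    groups: frozenset
    source_zone: str      # e.g. "LAN", "VPN", "WAN" (constructed names)
    device_health: str    # "green", "yellow" or "red"
    now: time
    resource: str         # e.g. "finance-db" (constructed name)


@dataclass(frozen=True)
class Rule:
    name: str
    resource: str
    allowed_groups: frozenset
    source_zones: frozenset
    min_health: Optional[str] = None   # None: health is ignored (a static rule)
    start: time = time(0, 0)
    end: time = time(23, 59, 59)


def rule_matches(rule: Rule, ctx: Context) -> Tuple[bool, str]:
    """Check every condition of one rule; report the first one that fails."""
    if rule.resource != ctx.resource:
        return False, "resource"
    if not (rule.allowed_groups & ctx.groups):
        return False, "group"
    if ctx.source_zone not in rule.source_zones:
        return False, "zone"
    if not (rule.start <= ctx.now <= rule.end):
        return False, "time of day"
    if rule.min_health is not None and HEALTH_RANK[ctx.device_health] < HEALTH_RANK[rule.min_health]:
        return False, "device health"
    return True, "ok"


def evaluate(rules: List[Rule], ctx: Context) -> Tuple[str, str]:
    """First matching rule allows; anything unmatched is denied (default deny)."""
    failures = []
    for rule in rules:
        ok, why = rule_matches(rule, ctx)
        if ok:
            return "allow", rule.name
        failures.append(f"{rule.name} failed on {why}")
    return "deny", "; ".join(failures) or "no rule for this resource"


# Static rule: THIS GROUP from THESE ZONES can reach THIS THING, nothing else considered.
STATIC_RULES = [
    Rule("finance-db (static)", "finance-db", frozenset({"finance"}), frozenset({"LAN", "VPN"})),
]

# Dynamic rule: the same access, but only from a healthy device and during office hours.
DYNAMIC_RULES = [
    Rule("finance-db (dynamic)", "finance-db", frozenset({"finance"}), frozenset({"LAN", "VPN"}),
         min_health="green", start=time(7, 0), end=time(19, 0)),
]

if __name__ == "__main__":
    compromised = Context("jdoe", frozenset({"finance"}), "LAN", "red", time(10, 30), "finance-db")
    print("static :", evaluate(STATIC_RULES, compromised))
    print("dynamic:", evaluate(DYNAMIC_RULES, compromised))
```

Run it and the static rule still allows the compromised device, while the dynamic rule denies it with "device health" as the reason; once the endpoint reports green again the same rule allows the same user without anyone editing policy.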
Much of this is just good security policy and best practices which you may already be 
doing. Additionally, if you’ve prepared for GDPR, you’ve done a lot of this work 
already.
Module Review
Now that you have completed this module, you should be able to:
• List the deployment options available for the XG Firewall
• Identify the features of the XG Firewall and how they protect against common threats
On completion of this module, you should now be able to perform the actions shown here. Please take a moment to review these.
If you are not confident that you have met these objectives, please review the material covered in this module.
Module 1: XG Firewall Overview - 53
Hi there, this is the Getting Started with XG Firewall module for XG Firewall v18.0.
Sophos Certified Engineer
XG Firewall v18.0
ET801 – Getting Started with XG Firewall
July 2020
Version: 18.0v3
© 2020 Sophos Limited. All rights reserved. No part of this document may be used or reproduced 
in any form or by any means without the prior written consent of Sophos. 
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no 
warranties, conditions or representations (whether express or implied) as to its completeness or 
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at 
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Sophos Certified Engineer
XG Firewall v18.0
Module 2: Getting Started with XG Firewall
Version: 18.0v3
Module 2: Getting Started with XG Firewall - 61
Getting Started with XG Firewall
Navigation and Management
• Navigating the WebAdmin
• Managing Objects
• Profiles
Interfaces and Routing
• Zones
• Interfaces
• Routing
DNS and DHCP
• Configuring DNS
• DHCP servers
• DHCP relay
Deployment and Setup
• Deployment options
• Console and WebAdmin
• Initial setup wizard
Device Access and Administration
• Device access
• Certificates
Common Deployment Scenarios
• Gateway, bridge and mixed mode
• Web server protection
In this module you will learn how to connect and configure an XG Firewall with the basic settings 
necessary to get up and running. You will begin to manage the XG Firewall with the WebAdmin and 
learn about the core concepts and objects ready to configure rules and policies in later modules.
Module 2: Getting Started with XG Firewall - 62
Common Deployment Scenarios
Module 2: Getting Started with XG Firewall - 64
Gateway Mode
Slide diagram: XG Firewall in gateway mode, with Port A on the LAN zone, Port B on the WAN zone (Internet) and Port C on the DMZ zone.
Let's take a minute to look at some of the most common ways the XG Firewall is deployed.
The most common scenario is where you are looking to replace an aging firewall and need to protect your internal network. The XG Firewall is deployed to handle the core routing and to act as the first line of defense against network threats.
This is shown here with the XG Firewall in gateway mode. Port A is configured for the LAN zone, Port B for the WAN, and Port C for the DMZ. Any network threats trying to reach either the LAN or the DMZ zone will be stopped by the XG Firewall.
This is the type of deployment we will be focusing on in this course.
Module 2: Getting Started with XG Firewall - 65
Bridge Mode
Slide diagram: an existing firewall handles the WAN zone (Internet); XG Firewall sits inline (Ports A, B and C) between the LAN zone and the DMZ zone, adding:
+ Synchronized Security
+ Intrusion Prevention
+ Advanced Threat Protection
+ Bridging LAN and DMZ zones
Another common type of deployment is where there is an existing firewall that handles the WAN connectivity and is not going to be replaced. This is often done to add protection capabilities not offered by the existing firewall.
So that you do not need to change the IP address schema of the network, the XG Firewall can be deployed in bridge mode, which is also known as transparent mode or inline mode.
In this mode the clients on the network are unaware of the XG Firewall and traffic passes through without the IP address being changed, while still allowing XG Firewall to scan for and protect against threats.
Module 2: Getting Started with XG Firewall - 66
Web Application Firewall
Slide diagram: an existing firewall handles the WAN zone (Internet); XG Firewall (Ports A, B and C) sits between the LAN zone and the DMZ zone, where the Web Server, App Server, File Server and Database face attacks such as buffer overflows, privilege escalation and SQL injection.
+ Web Application Firewall
XG Firewall may also be added to a network to protect web applications. There are often many components that make up a web application, including web servers, databases, file servers and so forth, which means that there is also a wide range of attacks that can be launched at them.
In the example here, the XG Firewall can protect the web application from common attacks including buffer overflows and SQL injection.
Module 2: Getting Started with XG Firewall - 67
Discover Mode
Slide diagram: an existing firewall handles the WAN zone (Internet) with the LAN zone and DMZ zone behind it; a switch mirrors traffic to the XG Firewall's discover mode enabled port, with a separate management port (Ports A and D).
+ Port Mirroring
+ Security Audit Report
The last type of deployment we will look at is generally used for evaluating the capabilities of XG Firewall without the need to make any changes to the network.
In this example, the XG Firewall is connected to a port on the switch that has port mirroring enabled, so that a copy of all the traffic is sent to the XG Firewall.
While the XG Firewall cannot influence the live traffic on the network, it can log and report on what it sees, and from this you can see the additional protection it can add to the network.
This is called discover mode.
Module 2: Getting Started with XG Firewall - 68
Deployment and Setup
Module 2: Getting Started with XG Firewall - 69
Connecting the XG Firewall to the Network
Slide: front panel of a Sophos appliance with its ports labelled.
• 1/LAN: the default LAN port to connect to for initial configuration
• 2/WAN: the default WAN port; a different port can be selected in the initial setup wizard
To set up the XG Firewall you need to start by connecting the power and then connecting the LAN and WAN ports.
On hardware XG Firewalls the default LAN and WAN ports are marked. On software and virtual XG Firewalls these will be the first and second network cards.
You will have the option to modify these ports either during the initial setup or once the setup is complete.
Module 2: Getting Started with XG Firewall - 70
Command Line Interface (CLI)
Additional information in the notes
SSH or console access
Default credentials:
• Username: admin
• Password: admin
These credentials are changed as part of the initial setup wizard
Although the XG Firewall is managed through a web interface, it also has a command line interface (CLI) that is accessible through SSH, a console connection, or a monitor and keyboard physically connected to the device.
You may want to use the CLI to change the IP address of the management port to be in your LAN IP range so that you can connect to the WebAdmin to complete the initial setup wizard.
To log in to the CLI use the password of the built-in 'admin' user. The default admin password is 'admin'; you change this as part of the initial setup wizard.
In the slide notes you can find the parameters for a console connection.
Console connection parameters:
• Baud rate or speed: 38,400
• Data bits: 8
• Stop bits: 1
• Parity and flow control: None or 0
Module 2: Getting Started with XG Firewall - 71
WebAdmin
Default IP address: 172.16.16.16 (/24)
Port: 4444
WebAdmin URL: https://DeviceIP:4444
Sophos XG Firewall is configured and managed through a web interface. By default, the device's IP address is 172.16.16.16 and the WebAdmin on a Sophos XG Firewall runs on port 4444, so to connect to the WebAdmin interface on a brand new device you would browse to https://172.16.16.16:4444.
Note: you will receive a certificate error when connecting to the XG Firewall, as it is using an untrusted self-signed certificate.
Module 2: Getting Started with XG Firewall - 72
Initial Setup Wizard
Set a new admin password
Update the firmware
Agree to the licence
Optionally:
• Restore a backup configuration
• Connect as a high-availability spare
We will now walk through the initial setup of an XG Firewall.
On the first page you set a new admin password and accept the terms and conditions. Note that if you are configuring this on behalf of someone else, they must accept the terms and conditions.
By default the XG Firewall will download and install the latest firmware as part of the initial setup; however, you can deselect this to postpone it until later.
You also have the option to restore a configuration backup or to connect the XG Firewall as an auxiliary device to a high-availability pair. Both of these options will provide a different initial setup to the full one we are going to show here.
Module 2: Getting Started with XG Firewall - 73
Initial Setup Wizard
Configure the Internet connection
This step is skipped if the WAN port is configured by DHCP
The XG Firewall requires an Internet connection for registration and, if selected, downloading the 
latest firmware.
You can choose which port to configure the WAN connection on, then you need to specify the IP 
address, subnet, DNS server and gateway. When you save these settings the XG Firewall will test 
the connectivity then allow you to continue with the initial setup.
Note that if the WAN port is connected to a network that provides DHCP this step will be skipped.
Module 2: Getting Started with XG Firewall - 74
Initial Setup Wizard
Enter a hostname
Set the time zone
You can enter a hostname for your XG Firewall and optionally modify the automatically selected 
time zone.
Module 2: Getting Started with XG Firewall - 75
Initial Setup Wizard
Register the XG Firewall
Enter the serial number; this is prefilled on hardware devices
Optionally:
• Start a trial
• Migrate a UTM license
• Defer registration
The next step is to register the XG Firewall.
If you have a serial number you can enter it to register your firewall. On hardware XG Firewalls this will be prefilled.
You also have the option to migrate an existing UTM license, start a trial, or defer the registration for 30 days.
Deferring the registration can be useful if you are preparing an XG Firewall prior to taking it onsite. Note that while registration is deferred there are a number of features that you are unable to use.
To complete the registration you need to log in with your Sophos ID, and then the XG Firewall will synchronize the license.
Module 2: Getting Started with XG Firewall - 76
Initial Setup Wizard
Configure the LAN network
Select which ports to bridge together to create the LAN
Select the gateway
Configure the IP address
Optionally enable DHCP
You have the option to configure the local network configuration, which differs depending on whether you are deploying a hardware, virtual or software XG Firewall. We will start by looking at hardware devices.
Here you can select which ports to use for the LAN, and all ports selected will be used to create a 
single bridged LAN interface.
You can select the gateway for the LAN network to either be the XG Firewall, or an existing 
gateway, in which case the LAN will be bridged to the WAN.
You can configure the IP address for the XG Firewall, and optionally enable DHCP. Note that DHCP 
cannot be enabled if the XG Firewall is bridging the LAN and WAN.
Module 2: Getting Started with XG Firewall - 77
Initial Setup Wizard
Configure the LAN network
Select the LAN port
Select the gateway mode
Configure the IP address
Optionally enable DHCP
For virtual and software devices the configuration is very similar, except instead of selecting ports 
to create a LAN bridge interface you select a single LAN port.
Module 2: Getting Started with XG Firewall - 78
Initial Setup Wizard
Enable protection in the default outbound firewall rule
As part of the initial setup wizard the XG Firewall will create a default firewall rule for outbound traffic. Here you have the option of enabling various security options for that firewall rule:
• Protect users from network threats will enable an IPS policy
• Protect users from the suspicious and malicious websites will enable a web policy
• Scan files that were downloaded from the web for malware will enable malware scanning
• Send suspicious files to Sophos Sandstorm will enable Sandstorm scanning. This requires 'Protect users from the suspicious and malicious websites' to be enabled
Module 2: Getting Started with XG Firewall - 79
Initial Setup Wizard
Enter an email address and sender for notifications
Optionally specify an internal mail server for notifications
Optionally enable automatic backups and enter an encryption password
The last piece of configuration is for notifications and backups.
Here you configure recipient and sender email addresses for notifications. You can optionally 
choose to configure an internal email server to use for sending these.
You can also enable automatic backups, and to use this you need to set an encryption password for 
the backup files.
Module 2: Getting Started with XG Firewall - 80
Navigation and Management
Module 2: Getting Started with XG Firewall - 81
WebAdmin: Control Center
When you first log in to the WebAdmin you are presented with the Control Center, which provides a live view of what is happening on the XG Firewall, allowing you to quickly identify anything that requires your attention.
The Control Center is broken down into six main areas:
• System
• Traffic insight
• User and device insight
• Active firewall rules
• Reports
• Messages
System
Status icons for the XG Firewall's health and services. Each item can be clicked to get more detailed information.
Traffic insight
Provides an at-a-glance overview of what is happening on the network and the traffic being processed.
User and device insight
Shows the status of users and devices being protected by XG Firewall. This section includes the User Threat Quotient, which is a risk assessment of users based on their behaviour.
Active firewall rules
Displays the usage of firewall rules by type. Below the graph you can see the state of firewall rules 
over the last 24 hours. Clicking these will take you to the firewall rules filtering for the 
selected type of rule.
Reports
Access to commonly used reports. These can either be opened by clicking on the 
name of the report or downloaded using the icon to the right of each. It shows when 
the report was last updated and the size of the file.
Messages
Alerts or information for the administrator including security warnings and new 
firmware updates. Messages are clickable to access the relevant configuration.
WebAdmin: Main Menu
Information on current activity, reports and diagnostic tools
Down the left-hand side is the main menu for navigating the XG Firewall. This is divided into four sections:
MONITOR & ANALYZE provides access to information, including the current activity on the XG Firewall, reports and diagnostic tools.
Configure rules, policies and settings related to protection features
PROTECT, for configuring the rules, policies and settings related to protection features.
Set up connectivity, routing, authentication and global settings
CONFIGURE, where you set up connectivity, routing, authentication and global settings.
Device access settings, objects and profiles that are used in rules and policies
SYSTEM, which houses the device access settings, as well as the objects and profiles that are used within rules and policies.
WebAdmin: Tabbed Navigation
Each section accessible from the main menu is further broken down into tabs for accessing each area of configuration.
On some screens, additional, less frequently used tabs can be accessed using the ellipsis on the right-hand side of the tabs.
WebAdmin: Advanced Settings
Display additional settings for reports and VPNs
In the Reports and VPN sections there are additional Show Report Settings and Show VPN Settings 
options that allow you to access some of the less often used options related to reports and VPNs.
When the settings are accessed, the screen will flip to the additional options. You can identify 
when you are on this screen by the yellow title bar at the top of the page.
WebAdmin: Admin Drop-Down Menu
Found in the top-right is the admin menu. Here you can reboot, shut down, lock and log out of the XG Firewall. This menu also provides links to the support website, the XG licensing page and web-based access to the console.
WebAdmin: Help
Found on every screen of the XG Firewall is a context-sensitive link to the online help.
When clicked, it opens in a separate window. This online version of the XG help is fully interactive and can be browsed by selecting items in the left-side menu. It can also be searched by keyword; selecting a search result loads the appropriate section of the help file.
http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/index.html
WebAdmin: Log Viewer
Next to the help link is the Log viewer, which opens in a new window to provide access to all of 
the log files. 
In the ‘Log viewer’ you can filter the logs and perform context sensitive actions. We will explore 
this in more detail throughout the course.
How-to Guides
The last item in the top-right is the how-to guides. This links you to a library of videos on our 
website that demonstrate how to perform common tasks on the XG Firewall.
Objects
Objects are the building blocks for rules and policies
Define hosts, networks, services, groups and profiles
Can be created inline when configuring rules and policies
The XG Firewall uses objects as the building blocks for the configuration of rules and policies. Defining reusable objects once for things such as hosts, services and networks speeds up configuration and simplifies future changes, because there is a single place to make a change.
Objects can be created and edited ahead of time, but they can also be created inline when configuring protection features. This means that you do not have to navigate away from what you are configuring to create an object; you have the option to create it where you need it.
There are two types of object – hosts and services, and profiles. These can be found in the SYSTEM section on the XG Firewall.
Hosts
IP version and host type cannot be changed after it has been created
IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but not IP lists
Tabs: IP | MAC | FQDN
IP host objects can represent a single IP address, a subnet, a range of IP addresses or a list of IP addresses, for either IPv4 or IPv6.
The object has a name and then must be configured with an IP version (IPv4 or IPv6) and a type. Note that the IP version and type cannot be modified after the object has been created.
You then provide the data for the type of object you selected. Note that IP address lists are comma separated.
IP host groups can be used to group IP host objects for IP addresses, networks and IP ranges, but 
not IP lists.
Hosts
Type cannot be changed after it has been created
Lists are comma separated
MAC host objects can be created for individual MAC addresses or MAC address lists.
The MAC host object has a name and then must be configured for a specific type, MAC address or MAC list; this cannot be changed once the object has been saved.
MAC address lists are comma separated.
Hosts
Supports wildcard prefix to resolve sub-domains
Can be grouped with FQDN host groups
FQDN hosts are used to define fully qualified domain names.
FQDN host objects can include a wildcard prefix to resolve sub-domains, for example *.sophos.com.
FQDN host groups allow you to create a collection of FQDN host objects to further simplify using objects in rules and policies.
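The following is an added example, my own Python code rather than anything from the handout or from Sophos, that models the IP, MAC and FQDN host objects described above so that their constraints can be checked against constructed sample data: the IP version and type fixed at creation, comma separated lists, IP list objects rejected by IP host groups, and the wildcard prefix on FQDN hosts. Class and method names are assumptions; the handout does not say whether *.sophos.com also matches the bare apex sophos.com, so this model treats the wildcard as sub-domains only.

```python
import ipaddress
import re

# Colon-separated MAC format is an assumption for this model.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class IPHost:
    """Hypothetical model of an XG IP host object: 'ip', 'network', 'range' or 'list'."""
    KINDS = ("ip", "network", "range", "list")

    def __init__(self, name, version, kind, value):
        if version not in (4, 6) or kind not in self.KINDS:
            raise ValueError(f"{name}: bad IP version or host type")
        # As on the firewall, version and kind are fixed once the object exists.
        self.name, self.version, self.kind = name, version, kind
        self._members = self._parse(kind, value)
        if any(m.version != version for m in self._members):
            raise ValueError(f"{name}: address does not match IPv{version}")

    @staticmethod
    def _parse(kind, value):
        """Turn the WebAdmin text field into a list of networks used for matching."""
        if kind == "ip":
            return [ipaddress.ip_network(str(ipaddress.ip_address(value)))]
        if kind == "network":
            return [ipaddress.ip_network(value, strict=False)]
        if kind == "range":                      # 'first-last', inclusive
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
            return list(ipaddress.summarize_address_range(lo, hi))
        # 'list': comma separated, as the handout states
        return [ipaddress.ip_network(str(ipaddress.ip_address(p.strip())))
                for p in value.split(",") if p.strip()]

    def contains(self, addr):
        a = ipaddress.ip_address(addr)
        return a.version == self.version and any(a in m for m in self._members)


class IPHostGroup:
    """Groups IP hosts; IP list objects are rejected, mirroring the WebAdmin rule."""

    def __init__(self, name, hosts=()):
        self.name, self.hosts = name, []
        for h in hosts:
            self.add(h)

    def add(self, host):
        if host.kind == "list":
            raise ValueError(f"{host.name}: IP list objects cannot be grouped")
        self.hosts.append(host)

    def contains(self, addr):
        return any(h.contains(addr) for h in self.hosts)


class MACHost:
    """MAC host: one address or a comma separated list; type fixed at creation."""

    def __init__(self, name, kind, value):
        if kind not in ("mac", "list"):
            raise ValueError(f"{name}: type must be 'mac' or 'list'")
        parts = value.split(",") if kind == "list" else [value]
        self.name, self.kind = name, kind
        self.macs = {p.strip().lower() for p in parts}
        bad = [m for m in self.macs if not MAC_RE.match(m)]
        if bad:
            raise ValueError(f"{name}: malformed MAC address(es) {bad}")

    def contains(self, mac):
        return mac.strip().lower() in self.macs


class FQDNHost:
    """FQDN host; a leading '*.' matches sub-domains (assumed: not the bare apex)."""

    def __init__(self, name, pattern):
        p = pattern.strip().lower().rstrip(".")
        self.name = name
        self.wildcard = p.startswith("*.")
        self.base = p[2:] if self.wildcard else p

    def matches(self, fqdn):
        h = fqdn.strip().lower().rstrip(".")
        return h.endswith("." + self.base) if self.wildcard else h == self.base
```

The version check matters in practice: an IPv6 address pasted into an IPv4 object silently matches nothing on a real firewall, so failing early at object creation is the safer behaviour.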
Services
Service based on TCP and UDP ports
Service based on IP protocol numbers
Service based on ICMP types and codes
Service objects can be created for:
• TCP and UDP based on protocol, source and destination port
• IP based on protocol number
• ICMP and ICMPv6 based on the ICMP type and code
Each service object is for a single type, and can contain one or more definitions.
You can also create groups of service objects.
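As an added example (my own code, not from the handout or from Sophos), the three service types and the "single type, one or more definitions" rule modelled in Python, with a small packet summary matched against each. The 'low:high' port range syntax follows the WebAdmin convention; accepting comma separated port lists, the field names, and the packet summaries are assumptions made for this model.

```python
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the protocol-based service types on this page
PROTO = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: IP protocol number plus the L4 fields we match on."""
    proto: int
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def parse_ports(spec):
    """'443', '1:65535' (range) or a comma list of those -> list of (lo, hi)."""
    ranges = []
    for part in spec.split(","):
        lo_s, _, hi_s = part.strip().partition(":")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ranges.append((lo, hi))
    return ranges


def _in(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


class Service:
    """One service object: a single type holding one or more definitions."""
    KINDS = ("tcp_udp", "ip", "icmp", "icmpv6")

    def __init__(self, name, kind):
        if kind not in self.KINDS:
            raise ValueError(f"{name}: unknown service type {kind!r}")
        self.name, self.kind, self.defs = name, kind, []

    def add(self, **d):
        """Add a definition; the fields accepted depend on the object's type."""
        if self.kind == "tcp_udp":
            if d.get("protocol") not in ("tcp", "udp"):
                raise ValueError(f"{self.name}: definition needs protocol tcp|udp")
            self.defs.append({"proto": PROTO[d["protocol"]],
                              "src": parse_ports(d.get("src_port", "1:65535")),
                              "dst": parse_ports(d["dst_port"])})
        elif self.kind == "ip":
            self.defs.append({"proto": int(d["protocol_number"])})
        else:                                    # icmp / icmpv6: type plus optional code
            self.defs.append({"proto": PROTO[self.kind],
                              "type": int(d["icmp_type"]),
                              "code": d.get("icmp_code")})   # None = any code
        return self

    def matches(self, pkt):
        for df in self.defs:
            if pkt.proto != df["proto"]:
                continue
            if self.kind == "tcp_udp":
                if _in(pkt.sport, df["src"]) and _in(pkt.dport, df["dst"]):
                    return True
            elif self.kind == "ip":
                return True                      # the protocol number is the whole match
            elif pkt.icmp_type == df["type"] and df["code"] in (None, pkt.icmp_code):
                return True
        return False


class ServiceGroup:
    def __init__(self, name, services=()):
        self.name, self.services = name, list(services)

    def matches(self, pkt):
        return any(s.matches(pkt) for s in self.services)
```

Note that an IP-protocol service such as GRE or ESP matches every packet of that protocol, so such objects are far broader than a TCP/UDP port definition and deserve a tighter source and destination in the rule that uses them.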
Country Groups
The XG Firewall maintains a geo IP database that maps IP addresses to countries, and this is 
automatically updated with the pattern definitions.
There are a number of predefined country groups that ship with the XG Firewall, which can be 
edited. You can also create custom groups of countries.
Profiles
Schedule
• Defines a period of time
• Recurring or one-off
Access time
• Allow or deny action for a schedule
Surfing quota
• Browsing time restrictions
• Recurring or one-off
Network traffic quota
• Bandwidth restrictions
• Separate upload/download or combined
Decryption
• Settings for TLS decryption
Device access
• Roles for administrators
Profiles are a collection of settings that can be defined and used when configuring protection 
features. There are profiles for:
• Schedule, which defines a period of time, either recurring or one-off
• Access time, that defines an allow or deny action for a schedule
• Surfing quota, which defines either recurring or one-off restrictions for browsing time
• Network traffic quota, for upload and download bandwidth quota restrictions
• Decryption, for controlling the decryption of TLS traffic
• And Device access, which defines access roles for admins logging into the WebAdmin
Interfaces and Routing
Zones
[Diagram: the XG Firewall with interfaces LAN 1 and LAN 2 in the LAN Zone, a Hosted Servers Zone (DMZ), and a WAN Zone connected to the Internet]
The XG Firewall is a zone-based firewall, and it is important to understand what a zone is before we look at interfaces and routing.
When we talk about zones on the XG Firewall, we mean a logical group of networks where traffic originates or is destined.
Each interface is associated with a single zone, which means that traffic can be managed between zones rather than by interface or network, simplifying the configuration.
Note that interfaces and zones are not equivalent; multiple interfaces can be associated with a zone, and each zone can be made up of multiple networks.
Zones
Zones are created and managed in:
CONFIGURE > Network > Zones
The XG Firewall comes with five default zones, these are:
• LAN – this is the most secure zone by default and is for your internal networks
• WAN – this zone is used for external interfaces that provide Internet access
• DMZ – this zone is for hosting publicly accessible servers
• VPN – this is the only zone that does not have a physical port or interface assigned to it. When a 
VPN is established, either site-to-site or remote access, the connection is dynamically added to 
the zone and removed when disconnected
• WiFi – this zone is for providing security for wireless networks
With the exception of the VPN zone, the default zones can be customized.
Zones are managed and created in CONFIGURE > Network > Zones.
Creating Zones
Choose whether this is a LAN or DMZ zone
Access for managing the XG Firewall
Client authentication services
Network services
Other services provided by the XG Firewall
Let's take a look at how you can create your own zones.
When you create a custom zone you can choose between two types of zone, LAN or DMZ, which is used to indicate the level of trust for the zone. You cannot create additional VPN or WAN type zones, as there can only be one of each.
You then customize the zone to define which services the XG Firewall provides and will be accessible from it. This is broken down into four categories:
• Admin services, for accessing and managing the XG Firewall
• Authentication services, for user authentication
• Network services, for PING and DNS
• And Other services, which controls access to things like the web proxy, wireless access point management, user portal and so forth
Enable Admin services only on zones you trust: any host in a zone with Admin services enabled can reach the management interface of the firewall itself.
Configuring Interfaces
Interfaces are configured in:
CONFIGURE > Network > Interfaces
Interfaces have to be assigned to a zone
Interfaces can be given a friendly name
Interfaces can be configured for IPv4 or IPv6 or both
Now that you know how to create zones, we will look at configuring interfaces.
By default, interfaces are named after their hardware device ID, but you can give them a friendly name to make identifying them easier.
To begin configuring the network settings you have to assign the interface to a zone. This determines what IP configuration can be set, as only interfaces in the WAN zone are configured with a gateway.
You can configure interfaces with IPv4 or IPv6 or both, either statically or by DHCP. IPv4 configuration also supports PPPoE.
Interface Types
BRIDGE: Allows two or more interfaces to be used to create a transparent layer 2 or 3 bridged interface for seamless communication between interfaces
ALIAS: An additional IP address added to an interface
VLAN: A virtual LAN interface created on an existing XG interface, used when the XG Firewall needs to perform inter-VLAN routing or tagging
LAG: A group of interfaces acting as a single connection, which can provide redundancy and increased speed between two devices
RED: Used to connect Sophos' Remote Ethernet Devices back to the XG Firewall
As well as being able to configure the network adapters in the XG Firewall, there are a number of 
other interface types that can be created. These are:
• Bridge
• Alias
• VLAN
• LAG
• RED
TUNNEL: Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN
WIFI: A wireless network where traffic is routed back to the XG Firewall from the access point instead of directly onto the network the access point is connected to
Additionally, you can create wireless interfaces and IPsec tunnel interfaces. These two interface types are created as part of configuring other functionality on the XG Firewall: IPsec VPNs, and wireless networks that use separate zone configuration.
Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN.
WIFI interfaces are created when a wireless network routes traffic back to the XG Firewall using separate zone configuration, instead of onto either the physical LAN the access point is connected to or a VLAN.
These will be covered in more detail later in this course.
WAN Link Manager
WAN link manager configured in:
CONFIGURE > Network > WAN link manager
Gateway type: Active or Backup
Failover and failback behaviour
Rules for detecting failed active gateways
The WAN Link Manager provides an at a glance view of the status of your WAN gateways. If you 
have multiple gateways you can configure them to be either active or backup, and for backup 
gateways configure the failover rules and behaviour.
Routing
Route precedence (configurable; additional information in the notes):
1. SD-WAN policy routes
2. VPN routes
3. Static routes: unicast routes, directly connected networks, dynamic routing protocols
4. Default route (WAN link manager)
One of the primary functions of a firewall is routing packets from one network to another. The XG Firewall supports multiple methods for building and dynamically controlling the routing, which fall into three main types of route: SD-WAN policy routes, VPN routes and static routes, and these are processed in that order by default.
Policy routes make decisions based on the properties of the traffic, such as source, destination and service.
VPN routes are created automatically when VPN connections are established with the XG Firewall.
Static routes define the gateway to use based on the destination network. This includes directly connected networks and routes added by dynamic routing protocols.
When no other route has been matched, the XG Firewall sends the packet on the default route, which is the gateway derived from the load balancing configuration across the active gateways.
Note that the precedence of policy routes, VPN routes and static routes can be modified on the command line.
[Additional Information]
The command for modifying the route precedence is: system route_precedence
The precedence within static routes is dependent on the specificity of the route and the distance metric. The more specific the route, the higher the precedence, and the lower the distance, the higher the precedence.
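The precedence rules above, worked through as an added Python model (my own code, not Sophos' implementation): the three route tables are consulted in a configurable order, the static table picks the most specific prefix and then the lowest distance, and the default route is the fallback. The default route is modelled as a single gateway rather than the WAN link manager's load balancing, VPN routes match on destination only, and every name and address in build_example() is constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class PolicyRoute:
    """SD-WAN policy route: matched on traffic properties, not just destination."""
    name: str
    src: str
    dst: str
    gateway: str
    proto: Optional[str] = None      # None = any
    dport: Optional[int] = None

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in _net(self.src)
                and ipaddress.ip_address(p.dst) in _net(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class VPNRoute:
    """Added automatically when a tunnel to this network is established."""
    dst: str
    tunnel: str


@dataclass(frozen=True)
class StaticRoute:
    """Destination based; gateway None means a directly connected network."""
    dst: str
    interface: str
    gateway: Optional[str] = None
    distance: int = 0


class Decision(NamedTuple):
    kind: str          # 'sdwan', 'vpn', 'static' or 'default'
    next_hop: str
    via: str


class Router:
    """Consults the route types in self.precedence, then falls back to the default route.

    The order is what 'system route_precedence' changes on the console; the default
    order used here (SD-WAN, VPN, static) follows the handout text.
    """

    def __init__(self, default_gateway, default_interface,
                 precedence=("sdwan", "vpn", "static")):
        self.default = Decision("default", default_gateway, default_interface)
        self.precedence = tuple(precedence)
        self.policy, self.vpn, self.static = [], [], []

    def lookup(self, p):
        dst = ipaddress.ip_address(p.dst)
        for kind in self.precedence:
            found = getattr(self, "_" + kind)(p, dst)
            if found:
                return found
        return self.default

    def _sdwan(self, p, dst):
        for r in self.policy:
            if r.matches(p):
                return Decision("sdwan", r.gateway, r.name)

    def _vpn(self, p, dst):
        for r in self.vpn:
            if dst in _net(r.dst):
                return Decision("vpn", r.tunnel, r.tunnel)

    def _static(self, p, dst):
        # Most specific prefix wins; among equal prefixes the lowest distance wins.
        cands = [r for r in self.static if dst in _net(r.dst)]
        if not cands:
            return None
        best = min(cands, key=lambda r: (-_net(r.dst).prefixlen, r.distance))
        return Decision("static", best.gateway or "connected", best.interface)


def build_example():
    """Constructed routing table (sample data, not a real site) for the checks below."""
    r = Router("198.51.100.1", "Port2")
    r.static += [
        StaticRoute("192.168.1.0/24", "Port1"),                      # connected
        StaticRoute("10.10.0.0/16", "Port1", "192.168.1.254", 1),
        StaticRoute("10.10.0.0/16", "Port1", "192.168.1.252", 10),   # loses on distance
        StaticRoute("10.10.5.0/24", "Port1", "192.168.1.253", 5),    # wins on specificity
    ]
    r.vpn.append(VPNRoute("172.16.0.0/16", "branch-ipsec"))
    r.policy.append(PolicyRoute("HTTPS-via-WAN2", "192.168.1.0/24", "0.0.0.0/0",
                                "203.0.113.2", proto="tcp", dport=443))
    return r
```

The last two checks in the test show why the precedence order is security relevant: with the default order, HTTPS destined for the VPN-reachable 172.16.0.0/16 is caught by the catch-all SD-WAN policy route and leaves via the Internet gateway rather than the tunnel; moving VPN ahead of SD-WAN, or scoping the policy route's destination, keeps it inside the tunnel.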
Static Routes
Network that is not directly connected to the XG Firewall
Gateway and interface to use to route the traffic
Static routes are configured in:
CONFIGURE > Routing > Static routes
Let’s take a look at an example of a static route.
If you have a network that is not directly connected to the XG Firewall, the XG Firewall would send 
traffic destined for it to the default gateway.
If the traffic needs to take a different route, you can use a static route. Here you define the 
network where the traffic is destined, and you define what IP address the traffic should be sent to 
and via which interface.
SD-WAN Policy Routes