Sophos Firewall Security Configuration Guide
This comprehensive guide will help you securely configure your Sophos firewall following industry best practices and Sophos recommendations.
1. Initial Setup and Access Control
Change Default Admin Credentials
Change the default administrative credentials before the firewall is reachable from anything other than a management host:
- Navigate to Administration → Admin Settings
- Replace the default admin password with a long, randomly generated one
- Create individual admin accounts with unique usernames and the least privileged profile each person needs, so that every change in the audit log is attributable to a person
- Disable the default admin account once the alternatives have been tested; if the firmware does not allow the built-in account to be removed, keep it for break-glass use only, with its password stored offline and never used for day-to-day administration
Enable HTTPS Administration
Ensure web administration uses HTTPS only:
- Go to Administration → Admin Settings → Admin Console
- Disable plain HTTP access to the admin console
- Serve the admin console over HTTPS only
- Upload a certificate issued by your internal CA, or generate one on the firewall and distribute it to the management hosts; do not leave the self-signed default in place, because administrators trained to click through certificate warnings cannot tell an interception from the real console
- Allow TLS 1.2 or later only and disable weak cipher suites
Restrict Admin Access
Limit administrative access to trusted networks:
- Navigate to Administration → Admin Settings → Admin and User Settings
- Configure allowed networks for admin access, listing only the management hosts or subnet
- Do not expose the admin console or SSH on the WAN zone; administer remotely through a VPN instead
- Use a dedicated management VLAN and restrict the admin console to that zone
- Enable two-factor authentication for every admin account (see section 7)
2. Firewall Rule Configuration
Default Deny Policy
Implement a default deny policy:
- Keep the default drop at the bottom of the rule set and never add a broad catch-all allow rule above it
- Allow only necessary services explicitly, by zone, source, destination and service
- Apply the principle of least privilege
- Document the business justification and the owner of each rule, so that a rule with no owner can be removed
Firewall Rule Best Practices
Configure rules following these guidelines:
- Use specific source and destination hosts or networks
- Avoid "Any" sources, destinations and services; where a published service genuinely needs an Any source, pair it with a specific destination and service
- Enable logging on critical rules, and on every rule that accepts traffic to or from the WAN zone
- Use user-based rules where applicable, so that access follows identity rather than IP address
- Group related rules using rule groups and order specific rules above broad ones
- Review the rule set regularly and remove disabled or unused rules
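The checks above can be run against an export of the rule set instead of by eye. The following script is an added example written for this guide, not Sophos code: it walks the `<FirewallRule>` elements of a Sophos XML API reply and flags Any sources, destinations and services on accept rules, disabled logging, disabled rules, and WAN-facing accept rules with no IPS policy attached (the point the IPS section below makes). The element names are assumed to follow the SFOS XML API, and the export it parses is a constructed sample, not a capture from a real device.

```python
"""Audit a Sophos Firewall rule export against the rule guidelines above.

Added example for this guide; not Sophos code.  Element names
(FirewallRule, NetworkPolicy, SourceNetworks/Network, LogTraffic, ...)
are assumed to follow the SFOS XML API; SAMPLE_EXPORT is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a <Get><FirewallRule/> API reply.
SAMPLE_EXPORT = """<Response>
  <FirewallRule transactionid="">
    <Name>Allow LAN to Internet</Name><Status>Enable</Status>
    <NetworkPolicy>
      <Action>Accept</Action><LogTraffic>Disable</LogTraffic>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
      <IntrusionPrevention>None</IntrusionPrevention>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Servers to Update Service</Name><Status>Enable</Status>
    <NetworkPolicy>
      <Action>Accept</Action><LogTraffic>Enable</LogTraffic>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
      <SourceNetworks><Network>Update_Servers</Network></SourceNetworks>
      <DestinationNetworks><Network>Vendor_Update_CDN</Network></DestinationNetworks>
      <Services><Service>HTTPS</Service></Services>
      <IntrusionPrevention>LAN TO WAN</IntrusionPrevention>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Block Guest to LAN</Name><Status>Enable</Status>
    <NetworkPolicy>
      <Action>Drop</Action><LogTraffic>Disable</LogTraffic>
      <SourceZones><Zone>Guest</Zone></SourceZones>
      <DestinationZones><Zone>LAN</Zone></DestinationZones>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Old Contractor Access</Name><Status>Disable</Status>
    <NetworkPolicy>
      <Action>Accept</Action><LogTraffic>Enable</LogTraffic>
      <SourceZones><Zone>VPN</Zone></SourceZones>
      <DestinationZones><Zone>LAN</Zone></DestinationZones>
    </NetworkPolicy>
  </FirewallRule>
</Response>"""


def _values(node, path):
    """Text of every element under node matching path, e.g. SourceNetworks/Network."""
    return [e.text.strip() for e in node.findall(path) if e.text]


def audit_rule(rule):
    """Return (rule name, list of findings) for one <FirewallRule> element."""
    name = rule.findtext("Name", "?")
    findings = []
    if rule.findtext("Status") != "Enable":
        findings.append("disabled rule: delete it if it is no longer needed")
        return name, findings
    policy = rule.find("NetworkPolicy")
    if policy is None:                      # user/server rule types are not covered here
        return name, findings
    zones = _values(policy, "SourceZones/Zone") + _values(policy, "DestinationZones/Zone")
    if policy.findtext("Action") == "Accept":
        # An absent network or service list means "Any" in the API export.
        for label, path in (("source", "SourceNetworks/Network"),
                            ("destination", "DestinationNetworks/Network"),
                            ("service", "Services/Service")):
            values = _values(policy, path)
            if not values or "Any" in values:
                findings.append(f"{label} is Any")
        if "WAN" in zones and policy.findtext("IntrusionPrevention", "None") in ("", "None"):
            findings.append("WAN-facing accept rule without an IPS policy")
    # Drop rules need logging too: a silent deny hides scanning and misconfiguration.
    if policy.findtext("LogTraffic") != "Enable":
        findings.append("logging disabled")
    return name, findings


def audit_export(xml_text):
    """Map rule name -> findings for every rule that has at least one finding."""
    root = ET.fromstring(xml_text)
    report = {}
    for rule in root.iter("FirewallRule"):
        name, findings = audit_rule(rule)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the reply to a `<Get><FirewallRule/></Get>` request; drop rules are deliberately exempt from the Any checks, since a deny rule that matches everything is exactly what the default-deny section asks for.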
Application Control
Leverage Sophos Application Control:
- Open the Application Filter policies under Protect → Applications
- Create application filter policies and attach them to firewall rules; a policy that no rule references enforces nothing
- Block high-risk applications (remote access tools, proxies and anonymizers, peer-to-peer file sharing)
- Control bandwidth for specific applications with traffic shaping
- Monitor application usage via reports and tighten the policy as unexpected applications appear
3. Intrusion Prevention System (IPS)
Enable IPS
Configure IPS for threat protection:
- Navigate to Protect → Intrusion Prevention
- Enable IPS
- Start from the built-in policies that match the direction of the traffic and the assets behind it (a server-protection policy for DMZ traffic, a desktop/laptop policy for client traffic)
- Enable automatic signature updates
- Attach an IPS policy to each firewall rule that needs it; IPS is enforced per firewall rule, so a rule with no policy selected is not inspected at all
IPS Policy Configuration
Customize IPS policies for your environment:
- Start with the recommended policies
- Add custom signatures if needed
- Configure exceptions for confirmed false positives, scoped as narrowly as possible (specific source, destination and signature) rather than disabling a signature globally
- Review IPS events regularly
- Once tuned, switch signatures from detect-only to drop so that IPS blocks attacks instead of merely recording them
4. Web and Email Protection
Web Protection
Configure web filtering and protection:
- Navigate to Protect → Web → Policies
- Create web filter policies and attach them to firewall rules
- Block malicious and high-risk categories (malware, phishing, anonymizers and proxies)
- Enable HTTPS decryption with a CA certificate that your endpoints trust, and exclude categories that must not be decrypted (banking, health) for privacy and compliance reasons; without decryption, category filtering falls back to the server name and malware scanning sees nothing
- Configure content control policies
- Enforce SafeSearch for Google, YouTube and Bing
Advanced Threat Protection (ATP)
Enable ATP/Sandstorm for zero-day protection:
- Go to Protect → Sandstorm (labelled Zero-day protection on newer firmware)
- Enable Sandstorm analysis
- Configure the file types sent for analysis, including executables, archives and Office documents
- Set up notification policies so that a malicious verdict reaches the security team, not just the report
- Review Sandstorm reports regularly
- Advanced threat protection is a separate setting (Protect → Advanced Threat) that detects command-and-control traffic from already compromised hosts; enable it as well and set it to log and drop rather than log only
Email Protection
If using Sophos email protection:
- Enable SPF, DKIM, and DMARC checks and act on failures (quarantine or reject) rather than only tagging the message
- Configure spam filtering policies
- Enable attachment scanning
- Block dangerous file types: executables, scripts, macro-enabled documents, and archives that cannot be scanned, such as password-protected ones
- Configure data loss prevention (DLP) rules
5. VPN Configuration
SSL VPN Security
Secure SSL VPN configuration:
- Navigate to Configure → VPN → SSL VPN
- Use strong encryption (AES-256 with SHA-256 for authentication) and a 2048-bit or larger key
- Require two-factor authentication for every VPN user
- Restrict the networks reachable through the tunnel to what each user group needs, and enforce that with firewall rules on the VPN zone rather than relying on the client configuration, which the user controls
- Limit concurrent logins per user
- Enable session timeout and idle timeout
- Review VPN access logs regularly for logins from unexpected countries or outside working hours
IPsec VPN Security
For site-to-site IPsec VPN:
- Use IKEv2 rather than IKEv1
- Configure strong encryption (AES-256, with SHA-256 or stronger for integrity) in both phases
- Enable Perfect Forward Secrecy (PFS) with Diffie-Hellman group 14 or higher, or an elliptic-curve group
- Use certificate-based authentication when possible; if a pre-shared key is unavoidable, use a long random key that is unique to each tunnel, never one shared across sites
- Set appropriate SA lifetimes so that keys are rotated without causing renegotiation storms
- Enable Dead Peer Detection (DPD) so that a failed peer is noticed and the tunnel re-established
6. Network Protection
VLAN Configuration
Implement network segmentation with VLANs mapped to firewall zones:
- Create separate zones for different security levels, so that every crossing between them is subject to a firewall rule
- Configure a DMZ for public-facing servers
- Isolate guest networks
- Separate IoT devices
- Implement a management VLAN for firewall, switch and hypervisor administration
DNS Security
Configure secure DNS settings:
- Go to Configure → Network → DNS
- Use trusted DNS servers
- Enable the DNS security features the firmware offers
- Configure DNS over TLS if available
- Enable DNS request logging for analysis
- Block outbound DNS (TCP and UDP port 53) from clients to anything other than the approved resolvers, so that malware cannot bypass filtering and logging by using its own resolver
DHCP Security
Secure DHCP configuration:
- Use DHCP reservations, or static addresses, for critical servers
- Configure appropriate lease times
- DHCP snooping is a switch feature rather than a firewall one: enable it on the access switches so that only the port facing the firewall's DHCP server is trusted and rogue DHCP servers are blocked
- Limit the DHCP scope to the addresses that are required
7. Authentication and User Management
Configure Directory Services
Integrate with Active Directory or LDAP:
- Add the AD or LDAP server under Authentication → Servers, then select it for each login type (administrator, VPN, captive portal) under Authentication → Services
- Use secure LDAP (LDAPS) so that credentials and group lookups are not sent in cleartext
- Bind with a dedicated read-only service account, not a domain administrator
- Configure user group mappings
- Test authentication thoroughly, including a failed login and a user outside the mapped groups
Multi-Factor Authentication
Enable MFA for enhanced security:
- Go to Authentication → Two-Factor Authentication
- Enable two-factor authentication
- Configure supported authentication methods
- Enforce MFA for admin accounts, for both the web console and SSH
- Require MFA for all remote-access users (SSL VPN and IPsec remote access), since a VPN credential without a second factor is only a password exposed to the internet
8. Logging and Monitoring
Configure Log Settings
Enable comprehensive logging:
- Navigate to Configure → System Services → Log Settings
- Enable logging for all critical components (firewall, IPS, web, authentication, admin events, VPN)
- Configure log severity levels
- Set up a remote syslog server so that logs survive a compromise or factory reset of the firewall; send them over the management network or TLS, because syslog over UDP is cleartext and unauthenticated
- Forward logs to a SIEM if available and alert on admin logins, authentication failures and rule changes
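Forwarding logs only pays off if something reads them. The script below is an added example written for this guide, not Sophos code: it parses the key=value syslog lines Sophos Firewall emits and raises the two alerts the admin-access and logging sections above call for, a burst of failed admin-console logins from one source, and a successful admin login from outside the management network (worse still when it follows such a burst). The field names used for authentication events (`log_type`, `log_subtype`, `status`, `user_name`, `auth_client`, `src_ip`), the management network and the sample lines are all assumptions or constructed data, so check them against your own logs before deploying.

```python
"""Detect admin-console brute force and out-of-policy admin logins in
Sophos Firewall syslog lines.

Added example for this guide, not Sophos code.  The key=value layout
follows the Sophos Firewall log format; the exact field names for
authentication events, the management network and SAMPLE_LOGS are
assumptions or constructed data.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

MGMT_NET = ipaddress.ip_network("10.0.10.0/24")    # assumed management VLAN
ADMIN_CLIENTS = {"Web Console", "SSH"}             # assumed auth_client values
FAIL_THRESHOLD = 3                                 # failures from one source ...
WINDOW = timedelta(seconds=60)                     # ... within this window

# Constructed sample lines, trimmed to the fields used here.
SAMPLE_LOGS = [
    'device="SFW" date=2024-03-05 time=02:14:07 timezone="UTC" log_type="Firewall" '
    'log_subtype="Denied" status="Deny" src_ip=198.51.100.9 dst_ip=203.0.113.2 dst_port=4444',
    'device="SFW" date=2024-03-05 time=02:14:07 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Failed" user_name="admin" auth_client="Web Console" src_ip=203.0.113.45',
    'device="SFW" date=2024-03-05 time=02:14:19 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Failed" user_name="admin" auth_client="Web Console" src_ip=203.0.113.45',
    'device="SFW" date=2024-03-05 time=02:14:33 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Failed" user_name="admin" auth_client="Web Console" src_ip=203.0.113.45',
    'device="SFW" date=2024-03-05 time=02:14:50 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Failed" user_name="admin" auth_client="Web Console" src_ip=203.0.113.45',
    'device="SFW" date=2024-03-05 time=02:15:02 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Successful" user_name="admin" auth_client="Web Console" src_ip=203.0.113.45',
    'device="SFW" date=2024-03-05 time=02:20:00 timezone="UTC" log_type="Event" log_subtype="Authentication" '
    'status="Successful" user_name="ops.alice" auth_client="Web Console" src_ip=10.0.10.7',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Split one Sophos key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def detect(lines):
    """Return (alert, src_ip, user) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(list)            # src_ip -> timestamps of recent failures
    for line in lines:
        ev = parse_line(line)
        if (ev.get("log_type") != "Event" or ev.get("log_subtype") != "Authentication"
                or ev.get("auth_client") not in ADMIN_CLIENTS):
            continue
        ts = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
        src, user = ev.get("src_ip", ""), ev.get("user_name", "")
        recent = [t for t in failures[src] if ts - t <= WINDOW]   # slide the window
        if ev.get("status") == "Failed":
            recent.append(ts)
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:   # fire once per burst, not on every failure
                alerts.append(("auth_bruteforce", src, user))
        elif ev.get("status") == "Successful":
            if src and ipaddress.ip_address(src) not in MGMT_NET:
                alerts.append(("admin_login_outside_mgmt", src, user))
            if len(recent) >= FAIL_THRESHOLD:   # a success right after a burst is the worst case
                alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

The parser is the reusable part: the same `parse_line` handles firewall, IPS and web lines, so the detection function can be swapped for whatever rule the SIEM is missing.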
Generate and Review Reports
Regular reporting is essential:
- Go to Reports for various security reports
- Schedule automatic report generation
- Review threat reports weekly
- Analyze top blocked threats
- Monitor bandwidth usage
- Review VPN usage reports
Configure Notifications
Set up alerting for critical events:
- Navigate to Configure → System Services → Notification List
- Add notification recipients
- Configure email notifications
- Set thresholds so that HA failover, IPS drops, ATP detections, failed admin logins and update or disk failures generate alerts without drowning recipients in noise
- Test notification delivery, and repeat the test after any change to the mail relay
9. System Maintenance
Regular Updates
Keep firmware and signatures updated:
- Allow automatic installation of hotfixes, which Sophos ships for urgent fixes outside the firmware release cycle
- Enable automatic pattern updates
- Schedule firmware upgrades during maintenance windows, after testing them on a non-production unit
- Review release notes before major updates
- Take a configuration backup before every firmware upgrade
Backup Configuration
Regular backups are critical:
- Navigate to Backup & Firmware → Backup & Restore
- Create a manual backup before any significant change
- Configure an automatic backup schedule to email or an FTP server
- Store backups securely offline, outside the network the firewall protects
- Encrypt backup files with a strong password, because a backup contains the full configuration including credentials, pre-shared keys and certificates
- Test restore procedures periodically, ideally on a spare or virtual appliance
High Availability
For critical environments, configure HA:
- Deploy Sophos firewalls in HA pairs
- Configure active-passive or active-active mode over a dedicated HA link
- Test failover procedures regularly, including a failover during a firmware upgrade
- Monitor HA synchronization status and alert when the peer is out of sync