The Firewall Health Check: Optimizing your Security Setup webinar is focused on sharing best practices while highlighting important features within Sophos Firewall.  

Please find resources, answers to the questions asked, and the link to the webinar recording below. 

Webinar recording

You can access the recording here

Related resources

 

Questions and Answers 

Any questions related to an issue you’re experiencing within your security environment would be best handled by our support team. You can connect with them through our Support Portal.  

Q: Is it possible to adopt LAN equipment for monitoring Cisco switches or Ubiquiti access points? 

A: This is achievable via Managed Detection and Response (MDR) and Network Detection and Response (NDR). We can integrate third-party products from this list of products. 

 

Q: How can I use Sophos Firewall to protect my emails sent & received? 

A: You can purchase an email module to allow the firewall to scan emails; however, our recommended method is to use Sophos Email.  

 

Q: Is there an integration between Sophos Firewall and any other endpoint protection? 

A: Not at this time. You can find more information on our integrations and API here.  

 

Q: Can I integrate Sophos with Azure AD for authentication? 

A: Yes, Entra ID can be used to authenticate the Web Admin Portal, Captive Portal and User Portal.  

 

Q: I have 2 MPLS connections. I need to know how to configure these connections so that when a branch connection is down it fails over to the other MPLS connection. 

A: We recommend reviewing this page for configuring gateway failover. You may also be interested in reading about our SD-WAN capabilities. 

 

Q: I have a problem with some VPN apps that bypass the Firewall. Is there a rule we need to configure to block all the VPN apps? 

A: You can try using the 'Block Filter Avoidance Apps' Application Control policy to stop this. 

 

Q: How do I delete IP from DHCP? 

A: I would recommend reviewing our documentation for DHCP. If you're referencing a static IP entry you would like to remove, you should be able to do that from the DHCP server configuration page within the firewall settings.  

 

Q: Accessing the console on my browser sometimes seems quite slow. Can the web interface be made faster? 

A: Changes are being implemented for this. The speed of accessing firewalls directly from Central should be increased in the near future. 

 

Q: Can we do SAML authentication for VPN connections? 

A: Not at this time, although you may be interested in reviewing this article on Using Azure MFA for SSL VPN and User portal. 

 

Q: Is there any way to recover the old backup password? 

A: No. If the password is lost the backup is lost too. If the configuration is still present on the firewall I would create a new backup with a new password. 

 

Q: With customers that are on the fence with AI, especially in their security appliances, will there be an onboarding session to cover that? 

A: There's nothing officially planned at this time. There will be a lot of resources, such as videos and documentation, which will detail the new AI capabilities within the product. For more information we would recommend contacting your Account Manager to schedule a meeting with a Solutions Engineer.  

 

Q: Can I force multi-factor authentication on a remote desktop connection through the Firewall? 

A: Not at this time. 

 

Q: Does Sophos Firewall support DMVPN? 

A: Not at this time.  

 

Q: Best all "Free VPN" blocking policies? 

A: Use the block filter avoidance apps policy on the firewall as a good baseline. 

 

Q: RED Configuration, how will it work? 

A: A Remote Ethernet Device (RED) provides a secure tunnel between a remote site and Sophos Firewall. 
 
REDs connect remote branch offices to your main offices as if the branch office is part of your local network. Using RED interfaces, you can configure and install RED appliances or create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration. 

 

Q: How can we protect our devices from ransomware? 

A: Intercept X Advanced! You can find more information on Intercept X Advanced here.  

 

Q: Which application do we need for MFA? 

A: For a detailed MFA process, please refer to this documentation. 

 

Q: I'm presently using the XG Firewall device and will be upgrading to the XGS soon. Can the Backup I made under the XG device be restored to the XGS once deployed? 

A: Yes. You can read more about backup and restore through this link. 

 

Q: I have multiple IP addresses on different subnets. Can DHCP work for all the subnets? 

A: Yes, you can have a DHCP server for each subnet. 

 

Q: My Sophos keeps blocking my shared resources. What setting might I have missed? 

A: You can use the log viewer to see more information as to why this may be blocked. There are quite a few settings that could be impacting this so it's worth reviewing this on a case-by-case basis. Support are always happy to help too. 
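The answer above points at the log viewer as the first stop. As an added example that is not part of the original webinar page or of any Sophos tooling, the script below parses a few constructed lines written in the key=value style Sophos Firewall uses for its syslog / log viewer export, pulls out the denied firewall events, and groups them by rule ID and destination port. The field names (log_type, status, fw_rule_id, dst_port, ...) follow that export style; the sample lines and the assumption that fw_rule_id=0 denotes traffic that matched no rule and hit the default drop are both assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos Firewall (SFOS) key=value log style.
# They are NOT real exports; IPs, ports, times and rule IDs are made up.
SAMPLE_LOGS = [
    'device="SFW" date=2024-03-05 time=10:15:32 timezone="GMT" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 '
    'in_interface="Port2" out_interface="" src_ip=192.168.10.50 dst_ip=192.168.20.7 '
    'protocol="TCP" src_port=51234 dst_port=445',
    'device="SFW" date=2024-03-05 time=10:15:40 timezone="GMT" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=4 '
    'in_interface="Port2" out_interface="Port1" src_ip=192.168.10.50 dst_ip=203.0.113.10 '
    'protocol="TCP" src_port=51240 dst_port=443',
    'device="SFW" date=2024-03-05 time=10:16:02 timezone="GMT" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 '
    'in_interface="Port2" out_interface="" src_ip=192.168.10.51 dst_ip=192.168.20.7 '
    'protocol="TCP" src_port=49801 dst_port=445',
    'device="SFW" date=2024-03-05 time=10:16:10 timezone="GMT" log_type="Firewall" '
    'log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=7 '
    'in_interface="Port2" out_interface="Port1" src_ip=192.168.10.52 dst_ip=8.8.8.8 '
    'protocol="UDP" src_port=40001 dst_port=53',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted != "" else bare
    return fields


def denied_events(lines):
    """Return the firewall events the appliance dropped, as normalised dicts."""
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("log_type") != "Firewall" or f.get("status") != "Deny":
            continue
        events.append({
            "src_ip": f.get("src_ip"),
            "dst_ip": f.get("dst_ip"),
            "protocol": f.get("protocol"),
            "dst_port": int(f.get("dst_port") or 0),
            "fw_rule_id": int(f.get("fw_rule_id") or 0),
            "log_subtype": f.get("log_subtype"),
        })
    return events


def smb_denials(lines):
    """Denied events on the ports Windows file sharing uses (139/445 TCP)."""
    return [e for e in denied_events(lines)
            if e["protocol"] == "TCP" and e["dst_port"] in (139, 445)]


def denials_by_rule(lines):
    """Count denied events per (fw_rule_id, dst_port) to see what is dropping traffic."""
    return Counter((e["fw_rule_id"], e["dst_port"]) for e in denied_events(lines))


def explain(event):
    """Human-readable hint for one denied event.

    Assumption for this example: fw_rule_id 0 means no configured rule matched
    and the packet fell through to the default drop, so the fix is a missing
    rule rather than a wrong one.
    """
    flow = f'{event["src_ip"]} -> {event["dst_ip"]}:{event["dst_port"]}/{event["protocol"]}'
    if event["fw_rule_id"] == 0:
        return f"{flow}: no firewall rule matched (default drop); add an allow rule for this flow"
    return f'{flow}: explicitly denied by rule ID {event["fw_rule_id"]}; review that rule'


if __name__ == "__main__":
    for ev in denied_events(SAMPLE_LOGS):
        print(explain(ev))
    print(denials_by_rule(SAMPLE_LOGS))
```

Run against a real export, the (0, 445) bucket in the counter would be the signature of shares blocked because no rule allows the LAN-to-LAN flow at all, while a non-zero rule ID points at a specific rule to inspect.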

 

Q: My Sophos lacks the Active Threat Response feature. Why don’t I see it in the console? 

A: Please ensure the OS version of your Firewall is at least v20 or higher. The feature was also recently renamed to Sophos X-Ops Threat Feeds in more recent versions of the OS.  

 

Q: Can I block all devices with Android OS on my network?  

A: Not natively, although you may be able to achieve a similar result by enforcing the “Block clients with no heartbeat” functionality from your Firewall rules.  

 

Q: Who would you recommend to help configure a Firewall? Can I get an expert from Sophos to assist with configuring our Firewall? 

A: Yes. Please connect with your Account Manager to ask about our Professional Services offerings.  

 

Q: Can all users on my network be authenticated to prevent intruders?  

A: Yes. Adding an authentication server will allow you to mandate authentication for your users.  

 

Q: We have multiple email domains with a single Active Directory setup. We created a LAN-to-WAN rule for users, but it only works for users within the same domain. For users from subdomains, it doesn’t work. 

A: This question would be best handled by our support team.  

 

Q: How do you place multiple Firewalls within a group? 

A: Please refer to this page of our documentation. 

 

Q: Can we have QOS configured? 

A: Yes. We support QOS. You can find out more from this link.  

 

Q: Does creating multi SSID on Sophos Central make the Access point consume more power? 

A: No. This will not consume more power.  

 

Q: Are there any plans to update Sophos Connect for macOS? It currently doesn’t work there and OpenVPN or something similar needs to be used.  

A: At the moment Tunnelblick is the recommended VPN client for macOS. Work is in progress to provide additional options for our Mac community. 

 

Q: Will there be a MFA integration with Entra ID and VPN SSL directly without AD? 

A: Yes. This is a planned feature on our roadmap.  

 

Q: I’m facing an issue configuring the Captive Portal. The setup involves more than 25 access points. When a user connects to one of the access points via the Captive Portal, other users are able to access the internet without logging into the portal. How can I resolve this issue? 

A: Check to see if “Match known users” is enabled on your Firewall rules. We also recommend raising a support case to investigate this further.  

 

Q: How can I ensure my Sophos IP can be trusted by my web browser?  

A: This will require you to upload the appliance certificate to your computer's certificate store. This will stop the Firewall administration page showing as untrusted.  

 

Q: How can I block all VPN apps? 

A: You can use the application filtering option within the Firewall or application control within our Endpoint product.  

 

Q: Can I sync new users through Central to all my Firewalls? 

A: No. User authentication is separate for Central and Firewalls.  

 

Q: Which is more important on the Firewall rules when applying rules, the numbering position or the rule ID?  

A: The numbering position identifies which rules will be processed first. This is more important than the rule ID.  
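To make the point above concrete, here is an added example (not code from the webinar page, and not how Sophos Firewall is implemented internally) of a first-match rule table in which each rule carries both a stable rule ID and a position. The rules, addresses and ports are constructed for illustration. evaluate() walks the table by position, which is what a firewall does; evaluate_by_id() walks it by ID, the mistaken mental model, and gives a different verdict for the same packet. move_rule() shows that changing a rule's position renumbers the table without touching any ID.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    rule_id: int          # stable identifier shown in the UI and logs; never used for ordering
    position: int         # 1-based slot in the rule table; this is the evaluation order
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dst_ports: frozenset  # TCP/UDP destination ports; empty set means "any"


# Constructed example table. Rule 12 was created later (higher ID) but was
# dragged above rule 3, so it sits at position 1 and shadows rule 3 for SMB.
RULES = [
    Rule(rule_id=12, position=1, action="deny",
         src="192.168.10.0/24", dst="192.168.20.0/24", dst_ports=frozenset({139, 445})),
    Rule(rule_id=3, position=2, action="allow",
         src="192.168.10.0/24", dst="192.168.20.0/24", dst_ports=frozenset()),
]


def matches(rule, src_ip, dst_ip, dst_port):
    """True when the flow falls inside the rule's source, destination and port scope."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (not rule.dst_ports or dst_port in rule.dst_ports))


def evaluate(rules, src_ip, dst_ip, dst_port):
    """First match in POSITION order wins; no match means the default drop (rule ID 0)."""
    for rule in sorted(rules, key=lambda r: r.position):
        if matches(rule, src_ip, dst_ip, dst_port):
            return rule.action, rule.rule_id
    return "deny", 0


def evaluate_by_id(rules, src_ip, dst_ip, dst_port):
    """The wrong model: first match in RULE ID order. Kept only to show the difference."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule, src_ip, dst_ip, dst_port):
            return rule.action, rule.rule_id
    return "deny", 0


def move_rule(rules, rule_id, new_position):
    """Return a new table with rule_id moved to new_position; IDs stay fixed, positions renumber."""
    ordered = sorted(rules, key=lambda r: r.position)
    moving = next(r for r in ordered if r.rule_id == rule_id)
    others = [r for r in ordered if r.rule_id != rule_id]
    others.insert(new_position - 1, moving)
    return [replace(r, position=i) for i, r in enumerate(others, start=1)]


if __name__ == "__main__":
    flow = ("192.168.10.50", "192.168.20.7", 445)
    print("by position:", evaluate(RULES, *flow))        # ('deny', 12)
    print("by rule ID: ", evaluate_by_id(RULES, *flow))  # ('allow', 3)
    print("after move:  ", evaluate(move_rule(RULES, 3, 1), *flow))  # ('allow', 3)
```

The practical check this enables: when a log entry shows a deny from an unexpected rule ID, look at that rule's position in the table rather than its ID, and look for a more specific rule sitting above the one you expected to match.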

 

Q: What is your advice on Sophos Endpoint encryption versus another Endpoint encryption solution? This is partly due to implementing Synchronized Security.  

A: We recommend opting for Sophos Encryption for optimal security compared to third-party solutions. 

 

Q: Can I add policies based off of using AD users or OUs from Windows Active Directory? 

A: Yes. Firewall rules can be matched to authenticated users. You can find more information through this link.  

 

Q: SSL site to site VPN between SFOS 20.2 firewall and SFOS 18.5.4 firewall is not working, any alternative solutions for this? 

A: Update from SFOS 18.5.4. Currently v21 is the latest version, and support for v18 has stopped. 

 

Q: How do I restrict application users on Sophos firewall? 

A: Please refer to this page of our documentation.  

 

Q: How do we check the RED firewall bandwidth speed and usage of users? 

A: For the moment we do not have detailed reporting for RED devices; however, we can see the bandwidth consumption from Sophos Firewall > Reports > VPN > RED usage. 

 

Q: Does Sophos Firewall support multiple DHCP servers if we have multiple interfaces in the firewall? 

A: Yes, this is supported. 

 

Q: Does DHCP Snooping have any impact in terms of my FW capabilities? 

A: DHCP snooping protection happens at Layer 2 and is available on our switches. It is not available on the firewall and as such will not impact the firewall's performance. 

 

Q: Does the Sophos Central have a maximum storage capacity? We’re hoping to keep our backup files and logs stored in central itself. 

A: Yes, we offer up to 1 year of Sophos Central storage for your Sophos firewall for a nominal cost. Please reach out to your account manager for more information. 

 

Q: We have three WAN links. Can we use two primary links and 1 backup link? 

A: You may add up to 8 gateways using SD-WAN profile and specify the order in which you want the firewall to elevate them. You may configure SLAs using Latency, Jitter, and Packet loss. 

 

Q: I’m currently facing an issue with setting up an SSL VPN, specifically with creating a hostname. I’d like to know how to configure a hostname without relying on third-party companies. Could you please guide me on the process or recommend a solution? 

A: We recommend reviewing this document. 

 

Q: Does ZTNA require any additional licenses to use? 

A: Yes. A ZTNA license is required for ZTNA; however, XGS customers with Xstream protection get 3 ZTNA licenses free of charge. 

 

Q: Is it possible to get an evaluation license for 6 months?  

A: Evaluation licenses last for 30 days. We can request an extension of this if required, although 6 months may be difficult for us to offer. 

 

Q: Can we create a traffic shaping for the web categories? 

A: Yes, you can. You can find more information through this link.  

 

Q: How can guest users get access without the captive portal? 

A: Turn off captive portal on your guest network. 

 

Q: What is the best practice for the traffic shaping on the user level or group level? 

A: To apply traffic shaping at the user/group level, create a traffic shaping policy under System Services. Under Authentication > Users, select the policy for the intended users/groups. Then under Rules and Policies > Firewall rules > Match known users > Select Users. 

 

Q: Can you please clarify the clientless user? 

A: You can configure network devices, such as servers and printers, as clientless users. 
 
Clientless users don't require authentication and don't use a client to access the network. Sophos Firewall allows these users to access the network by matching the username to the IP address you specify in the clientless user policy. 
 
Clientless users appear as live users in current activities. If you deactivate these users, they don't appear as live users. 
 
You can also configure people as clientless users, for example, senior executives, for whom you don't want to require a sign-in when they're within the network. If you configure users rather than network devices, we recommend that you map the users with static IP addresses on your DHCP server. 

 

Q: If I have more than 100 VLANs, will creating these VLANs on Sophos impact the device's performance? 

A: VLANs can impact firewall performance, but it depends on how they are configured. For better performance and manageability, we recommend distributing VLANs across multiple interfaces. It is also recommended to get in touch with Sophos experts while sizing the firewall. 

 

Q: What configurations are necessary to establish site-to-site VPN tunnels between on-premises environments and AWS using SD-WAN? 

A: We recommend reviewing this link for more information.  

 

Q: What troubleshooting steps can I follow if a Sophos XGS firewall fails to sync with Sophos Central? 

A: You can de-register and re-register the appliance to try to fix this. With that said, I would recommend reaching out to support to gain assistance with this. 

 

Q: What specific security logs or alerts can Sophos Central provide for detecting advanced threats in AWS environments? 

A: Take a look at Sophos Cloud Optix. This integrates with your cloud environment, providing security and administration related capabilities. 

 

Q: For firewalls which are deployed on AWS or any cloud service, how can we enhance the security level, bypass the public IP or mask it with a domain? Also, can we directly host on Linux OS or is this not possible? 

A: Where this question relates directly to your environment, I would suggest a meeting with your Account Manager and a Sales Engineer to review your requirements. We will be able to get a much better understanding of the issue. 
 

Unfortunately for software firewall installations we only support the installation on Windows and Mac OS. You can read more about this here.  

 

Q: We don't have any public static IPs, is it secure to use the Dynamic DNS? I don’t see it being secure, how can we secure it? 

A: DDNS can be a security risk. It is wise to opt for a static IP. Alternatives to DDNS such as TeamViewer or AnyDesk can be used based on your requirement. Best practices with DDNS are to use DNS security solutions to identify malicious DNS entries and to be careful while applying any changes to the firewall rules and port forwarding. 

 

Q: Can we change the time Firewall backups happen in central from the default of 10 AM? 

A: Not at this moment in time. Backups are automatically taken at 10am. 

 

Q: Internet Scheme used to be in Cyberoam. When we moved to the Sophos XG 210 we were able to retain it through the backup. My question is whether we will be able to do the same with the XGS 2100? 

A: Yes, you may backup and restore from your XG to XGS without any issue; however, if you have a complex configuration and seek assistance for a smoother migration process you may opt for Sophos professional services to drive this at an additional cost. 

 

Q: Is there an alternative option for MFA instead of using the Intercept X app for OTP, such as sending it by email or phone?  

A: We support typical authenticator apps such as Microsoft Authenticator and Duo Authenticator; you do not have to use the Intercept X app. We now also support passkeys, providing a new method for secure authentication into the Sophos Central console. You can find more information here.