Here are some recommendations to harden the overall security of your Sophos Firewall.
Every update to Sophos Firewall OS includes important security enhancements and in some cases, important Hotfixes are released between updates. Ensure you keep your firmware up to date and have Hotfixes enabled under Backup & Firmware > Firmware.
It’s critically important that you disable non-essential services on the WAN interface. In particular, HTTPS and SSH admin services. To manage your Firewall remotely, Sophos Central offers a much more secure solution than enabling WAN admin access. If the User Portal is not being used, we also recommend deactivating this service on the WAN as well.
Check your local services access control under Administration > Device Access and ensure no items are checked for the WAN Zone unless absolutely necessary:
Do NOT expose any systems directly to the internet using NAT or Firewall Rules that allow inbound connections. This includes IoT devices. Review all your NAT and Firewall Rules and ensure there are no WAN to LAN rules. Use VPN or ZTNA only for remote administration and access for internal systems. For IoT devices, shut down any devices that require direct access via NAT and do not offer a cloud proxy service.
Enable Multi-Factor Authentication or One Time Password (OTP) and enforce strong passwords which will protect your Firewall from unauthorized access either from stolen credentials or brute force hacking attempts
Take advantage of Sophos Firewall’s granular role-based administration profiles to limit access for administrators of the firewall. Provide read-only access to administrators that don’t absolutely need control over various firewall functions.
IPS can help protect against intrusions and Denial of Service attacks, but only if encrypted traffic is inspected. Enable TLS inspection and IPS and ensure it’s configured to automatically update and DoS protection is applied.
Sophos Firewall can be configured to alert administrators of system-generated events. Administrators should review the list of events and ensure that key events are monitored to ensure that issues and events can be acted upon promptly. Sophos recommends that you adopt a regular triage and investigation routine to make sure that no events are missed or left to linger too long. Notifications are sent via either an email and/or to SNMP traps. To configure Notifications, navigate to Configure > System services and select the Notifications list tab.
As a security best practice you can further narrow your attack surface area by limiting exposure to regions you don't do business with using country blocking.