This article describes how to configure the XG to block unwanted applications that are designed to bypass firewalls and proxy servers. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
Applications that are designed to bypass firewalls and proxy devices continually try to circumvent the protections put in place at the network administration and product level, and sometimes their developers succeed. The settings listed below should therefore be configured to help block these applications. In addition to the settings below, please ensure that patterns on the XG are up to date and that the IPS service is running.
Ensure that you have configured a web policy that blocks the following categories:
You need an application filter policy that blocks the unwanted applications, which are generally classed in the High Risk and Very High Risk application categories.
You need to enable HTTPS Decrypt and Scan. Please remember that before enabling this, you should have deployed the HTTPS scanning certificate to all devices going through this particular rule.
The Decrypt and Scan option for HTTPS connections is configurable in the firewall rule itself. Ensure that you have checked the option to block Google's QUIC protocol so that Chrome is forced to use TCP 443.
Next, you need to navigate to the web filtering General Settings page and set the following options as shown in the screen capture below:
Next, you would need to go into the CLI and change a few settings related to IPS. Please note that you do NOT need to have IPS enabled on the firewall rule for these settings to take effect.
To go to the CLI, open up your preferred SSH client and connect to the LAN IP (any IP on the XG that allows SSH to it) and go to:
This takes you to the console command line.
From there you can then set advanced IPS settings. Ensure the following settings are configured on the XG. By default many of these settings are already set to the recommended values.
You can show your current IPS configuration by running the command:
Note: Changing these settings in IPS will result in a connectivity drop for about 30-60 seconds. Only users on VOIP and video streaming will notice the connectivity drop.
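One way to check afterwards that the QUIC block is doing its job, as an added example that is not from the original article or from Sophos: the script below audits exported firewall records and classifies each client by how its UDP 443 traffic was handled. The key=value log layout, its field names, and all addresses and rule numbers are constructed assumptions, not the XG's own log format.

```python
import shlex
from collections import defaultdict

# Constructed sample records in a generic key=value layout (an assumption,
# not the XG's own log format).
SAMPLE_LOG = """\
time=10:00:01 src=10.0.0.21 dst=203.0.113.10 proto=UDP dport=443 action=deny rule=5
time=10:00:01 src=10.0.0.21 dst=203.0.113.10 proto=TCP dport=443 action=allow rule=5
time=10:00:04 src=10.0.0.34 dst=203.0.113.10 proto=UDP dport=443 action=allow rule=7
time=10:00:09 src=10.0.0.34 dst=198.51.100.7 proto=UDP dport=53 action=allow rule=7
time=10:00:12 src=10.0.0.55 dst=198.51.100.9 proto=UDP dport=443 action=deny rule=5
"""

def parse_line(line):
    """Split one key=value record into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def audit_quic(log_text):
    """Classify each client by how its UDP/443 (QUIC) traffic was handled.

    leaking  - UDP/443 was allowed, so the session skipped Decrypt and Scan
    fallback - UDP/443 was denied and the client then used TCP/443
    blocked  - UDP/443 was denied and no TCP/443 flow was seen
    """
    quic_allowed = defaultdict(set)   # src -> rule ids that let QUIC through
    quic_denied, tcp443 = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dport") != "443":
            continue
        src, proto = rec.get("src"), rec.get("proto", "").upper()
        if proto == "UDP" and rec.get("action") == "allow":
            quic_allowed[src].add(rec.get("rule", "?"))
        elif proto == "UDP":
            quic_denied.add(src)
        elif proto == "TCP" and rec.get("action") == "allow":
            tcp443.add(src)
    report = {}
    for src in quic_denied:
        report[src] = ("fallback" if src in tcp443 else "blocked", [])
    for src, rules in quic_allowed.items():   # a leak outranks other states
        report[src] = ("leaking", sorted(rules))
    return report

if __name__ == "__main__":
    for src, (state, rules) in sorted(audit_quic(SAMPLE_LOG).items()):
        print(src, state, "rules=" + ",".join(rules) if rules else "")
```

A client reported as leaking points at a firewall rule (listed beside it) where the QUIC block is not enabled, so its HTTPS traffic is not being decrypted and scanned.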