The Sophos firewall enables only named applications, or classes of applications, to access the company network or internet. It is available as part of Sophos Endpoint Security and Control.
These guidelines cover the phased deployment of Sophos Client Firewall across your network. This will avoid flooding your network with traffic in the initial stages. You are strongly encouraged to follow these guidelines.
These guidelines complement the user documentation, which can be downloaded from the Sophos website. They are not a replacement for it.
Note: Sophos firewall is not supported on server operating systems.
You must tailor a Sophos Client Firewall policy for your network before deployment.
The purpose of this article is to help you plan and roll out the Sophos firewall, version 2, across your network in the most effective and economical way.
Two roll-out scenarios are described below. They are designed to help you assess, with minimal disruption, which traffic you should allow and which you should block on your network. Read through both scenarios and decide which best suits your organisation.
Summary of roll-out methods
Method 1: you work on a single client computer, on which you run as many different kinds of software as you can that are likely to be used on your network. This lets you create a basic set of rules covering the main software in use on your network, from which you can build a fairly robust policy.
When you then roll this policy out, either to a test group or across the whole network, it already handles the bulk of the network traffic. The amount of traffic falling outside these rules should therefore be small, and you can refine the policy as you go along.
Method 2: you roll out a policy that lets you monitor all traffic passing through your network, and you receive reports in the event viewer on every item. Because you have not previously created rules for frequently occurring events, you will receive a very large volume of reports, much of it relating to the same kinds of traffic. For this reason, Method 1 is the preferred method in most cases, because it produces lower volumes of traffic.
Roll-out method 1
This is the preferred method, as it produces the lowest volume of alerts and traffic during the roll-out. You set up a basic policy, let the system run, and identify the main applications used on your network. From this identification you create a 'foundation policy'. You then create further rules, build upon the foundation policy, and refine it as necessary to produce the policies that best serve your organization. Of the scenarios described, this one produces the least traffic, and for many organizations it will be the preferred method.
Roll-out method 2
Note that this method will produce a very high volume of traffic reports, which will be listed in the 'Firewall event viewer'. Use the information gained to set up a basic policy,
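The core of Method 2 is turning a very large, repetitive stream of event viewer reports into a small set of candidate rules for review. The following is an added example, not code from Sophos or this article; the event records are constructed for illustration and do not follow the real Firewall event viewer export format, and the field names and threshold are assumptions.

```python
from collections import Counter

# Constructed sample export of (application, direction, protocol, port).
# This is NOT the real Sophos Firewall event viewer format; the fields are
# an assumption made for this illustration only.
SAMPLE_EVENTS = (
    [("outlook.exe", "out", "TCP", 443)] * 120
    + [("chrome.exe", "out", "TCP", 443)] * 300
    + [("chrome.exe", "out", "TCP", 80)] * 45
    + [("svchost.exe", "out", "UDP", 53)] * 200
    + [("unknown_updater.exe", "out", "TCP", 9000)] * 2
)


def aggregate(events):
    """Collapse individual events into counts per (app, direction, proto, port).

    This is the deduplication step: hundreds of reports about the same
    application and port become a single line with a count.
    """
    return Counter(events)


def propose_rules(events, min_count=10):
    """Split aggregated traffic into rule candidates and a manual-review list.

    Frequently seen flows (at least min_count events) are returned as
    candidate rules for the foundation policy, most common first. Rare
    flows are not turned into rules automatically; they are returned
    separately so an administrator can decide whether they are legitimate.
    """
    counts = aggregate(events)
    candidates, review = [], []
    for (app, direction, proto, port), n in counts.most_common():
        rule = {"app": app, "direction": direction,
                "proto": proto, "port": port, "events": n}
        (candidates if n >= min_count else review).append(rule)
    return candidates, review


if __name__ == "__main__":
    cands, rev = propose_rules(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events -> {len(cands)} candidate rules, "
          f"{len(rev)} flows for review")
```

A frequent flow is only a candidate for a rule, not proof that it is wanted traffic; the administrator still confirms each entry before it goes into the foundation policy.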