Central Firewall - no Sophos Services and FQDN - why?

here in hosts: also nothing...

Hi LHerzog,

I suspect the reason Sophos is not present in these UI menus is because the hard-coded exclusions for Sophos should be sufficient to allow communication to and from Sophos' back-end.

Could you elaborate on what sort of issues you encounter when the exclusions for Sophos are not manually entered?

needed for this:

and this:

just some 2 examples

Thank you for clarifying. I recommend sending this in as a feature request from the Sophos Ideas page. 

Hi, 

The default design choice in the SFOS is that users will allow outbound traffic for web (http/https) and then use the web filter to restrict and protect it. This security stance works for the majority of our customers. However, for those that desire to have a stricter firewall rule policy (limiting http and https traffic at the perimeter without using the web filter) a bit more work is needed to configure this. Basically, the Sophos URLs are auto excluded in our web filter. So you could allow 80 and 443 outbound and turn on the web filter and restrict everything but Sophos would still be accessible.

Does that answer your question?

Just to add onto this, Sophos does add all the necessary TLS and filtering exceptions if web filtering is enabled we have the following exceptions out of the box:

Also for the managed TLS exclusions list we have added all of the Sophos domains in the "URL groups" section. Hopefully the suggestion from Richard can help in the future for ease of configuration.

Just to add onto this, Sophos does add all the necessary TLS and filtering exceptions if web filtering is enabled we have the following exceptions out of the box:

Also for the managed TLS exclusions list we have added all of the Sophos domains in the "URL groups" section. Hopefully the suggestion from Richard can help in the future for ease of configuration.

Thanks. Indeed there are scenarios, like Sophos Central WiFi and others, that are not covered by these exceptions or the TLS exclusion groups. They require firewall rules and so need to create all the hosts manually.

Also think of a Server LAN - would you generally allow servers any internet connection via Web Proxy / DPI TLS Inspection? If probably no, you need to create a firewall rule to the (Sophos) hosts, they are only allowed to communicate with. That's where you would need pre configured hosts. On a Sophos machine, the vendors required FQDN pre defined would make so much sense and the product more cool.