
XG Firewall Web Policies


New to Sophos, and trying to search the forums for some help, but unable to find it.

I'm using the Default Web Policy and have turned on "Risky downloads" and "Suspicious". So it blocks all exe downloads currently.

When I attempt to download an exe, it blocks it and I hit the block page, which is good. But I've created an admin user, so when I hit the block page I chose "login to network" to attempt to download the exe, but it is still blocked.

Is this possible or am I doing this wrong? This is not an AD environment.


  • Hello,

    You don't need an Administrator User for this; a Regular User is enough. You can either override a policy based on user or through a PIN Code; you can check this KB for more information on it.

    Another option, since you don't have AD, is using clientless users in order to do web/app filtering based on a certain device or user; you can look at the XG Help Document for more information. After that you will be able to use a clientless user in the same way you're able to use an AD user in the firewall rules.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Thank you for the quick reply,

    I've tried adding the regular user / pin code, but then it seems kind of tedious to request a code every time.

    The clientless won't work.

    Maybe I'll give you the exact scenario, so I can say what I'm trying to accomplish.

    We're setting up the environment as an IT Administrator, so we would want everything blocked on all IPs / devices.

    So if we do need to make a change or download something to install or update, we can just log into the network on any device, input a username and password and just download the file as needed.

    Is this possible?

    Thanks again.

  • FormerMember, in reply to Joseph Ng:

    You can use captive portal authentication to allow temporary internet access.

    As mentioned, you don't have an AD environment, so you'll need to create local users on XG. You'll use these users to log in to the captive portal to get internet access on blocked devices.

    Create a LAN to WAN firewall rule on top with 'Match known users' & 'Use web authentication for unknown users' enabled. Add local users under 'User or groups' and apply required web and app control policy on it.

    Now, to give temporary internet access on blocked devices, you need to access the captive portal at the https://<Firewall IP>:8090 URL.

    Log in with the local user credentials and then you'll be able to access websites and applications allowed in the above firewall rule. Later you can log out from the captive portal to block the access.

    Note: Ensure that 'Captive portal' is enabled for the required zone under SYSTEM > Administrator > Device access.


  • I don't want to disable the internet for everyone unless they log in.

    The scenario is just to be able to download an .EXE or another file type by logging in, but internet should be available all the time.

    So on this page, I want to log in to the network to download the file. But no one else can, other than IT Admins.


  • There's no easy way to do this; the most reliable way would be to create a local user on Sophos XG and enable "Policy Override" with "Allow manual access code entry". This would allow the IT Admins to create a PIN Code that can be used to override the blocking page temporarily.

    Here's how the blocking page will look after it:


  • This is just for a specific website? And I'd have to add each website manually? Would it work in the instance where I just wanted to download a .exe file, not knowing what the website is?

    When I sign in to the network after I've clicked on the download, I don't get an option to put in a PIN.

    When I try to create a policy override in the user portal, it's still asking me to input a particular website. Am I missing a setting, or is what I want to do not possible?

    Thanks again.

  • Well, I just found out about this: you can create overrides for any web categories, but you can't do the same with file blocking.

    On the User Portal you should be able to select "Any Web Traffic".

    Can anyone from support give any information on why it isn't possible to select file types in the policy override?


  • I'm still unable to get that PIN option to download the .exe. Does this not work for downloading exes?

    After I log in to the network

    It still comes up like this, with no PIN option

  • Check my last post.

    It only works for web categories. If something gets blocked by file type, it won't allow you to use the PIN.

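To make the two behaviours in this thread concrete, here is an added Python model (not Sophos code, and not a description of the XG implementation) that walks through the captive-portal rule FormerMember describes and the policy-override limitation reported in the last replies. It assumes a simplified evaluation: rules are checked top to bottom, a rule with "Match known users" only matches a client IP that holds an authenticated captive-portal session, "Use web authentication for unknown users" sends unauthenticated clients to the portal, and a PIN override can lift a web-category block but not a file-type block. The user name, password, PIN, zone name and client address are constructed values.

```python
"""Model of the captive-portal rule and PIN-override behaviour discussed above.

Added example, not Sophos code. The rule semantics are an assumption made
for illustration: top-to-bottom evaluation, 'Match known users' bound to a
captive-portal session, and PIN overrides limited to web categories.
"""
from dataclasses import dataclass, field

# Constructed local users (the replies recommend local users since there is no AD).
LOCAL_USERS = {"itadmin": "hypothetical-password-1"}


@dataclass
class WebPolicy:
    name: str
    blocked_categories: set = field(default_factory=set)
    blocked_file_types: set = field(default_factory=set)  # e.g. {"exe"} for risky downloads


@dataclass
class FirewallRule:
    name: str
    web_policy: WebPolicy
    match_known_users: bool = False
    web_auth_for_unknown: bool = False
    users: set = field(default_factory=set)  # 'User or groups'; empty = any known user


@dataclass
class Firewall:
    rules: list                      # evaluated top to bottom
    captive_portal_zones: set        # zones with 'Captive portal' enabled under Device access
    sessions: dict = field(default_factory=dict)        # client IP -> username
    override_pins: dict = field(default_factory=dict)   # PIN -> categories it may unblock

    def captive_portal_login(self, client_ip, zone, username, password):
        """Log in at https://<Firewall IP>:8090; True on success."""
        if zone not in self.captive_portal_zones:
            return False  # portal not enabled for this zone, nothing to log in to
        if LOCAL_USERS.get(username) != password:
            return False
        self.sessions[client_ip] = username
        return True

    def captive_portal_logout(self, client_ip):
        """Logging out drops the session, so the client is unknown again."""
        self.sessions.pop(client_ip, None)

    def evaluate(self, client_ip, category, file_type=None, pin=None):
        """Return the verdict for one web request from client_ip."""
        user = self.sessions.get(client_ip)
        for rule in self.rules:
            if rule.match_known_users:
                if user is None:
                    if rule.web_auth_for_unknown:
                        return "REDIRECT_CAPTIVE_PORTAL"
                    continue  # unknown user and no web auth: try the next rule
                if rule.users and user not in rule.users:
                    continue
            return self._apply_policy(rule.web_policy, category, file_type, pin)
        return "DROP"  # no rule matched

    def _apply_policy(self, policy, category, file_type, pin):
        # A file-type block is checked first and cannot be lifted with a PIN.
        if file_type in policy.blocked_file_types:
            return "BLOCK_FILE_TYPE"
        if category in policy.blocked_categories:
            if pin is not None and category in self.override_pins.get(pin, set()):
                return "ALLOW_OVERRIDE"
            return "BLOCK_CATEGORY"
        return "ALLOW"


def build_firewall():
    """The top LAN-to-WAN rule from the reply, attached to a policy like the OP's default one."""
    default_policy = WebPolicy("Default Web Policy",
                               blocked_categories={"gambling"},
                               blocked_file_types={"exe"})
    rule = FirewallRule("LAN to WAN (known users)", default_policy,
                        match_known_users=True, web_auth_for_unknown=True,
                        users={"itadmin"})
    fw = Firewall(rules=[rule], captive_portal_zones={"LAN"})
    fw.override_pins["123456"] = {"gambling"}  # constructed 'Policy Override' PIN
    return fw


def walkthrough():
    """Replay the thread's sequence and return the verdicts in order."""
    fw = build_firewall()
    ip = "10.0.0.5"  # constructed client address
    verdicts = [fw.evaluate(ip, "software", "exe")]            # unknown: sent to the portal
    fw.captive_portal_login(ip, "LAN", "itadmin", LOCAL_USERS["itadmin"])
    verdicts.append(fw.evaluate(ip, "software", "exe"))         # logged in, exe still blocked
    verdicts.append(fw.evaluate(ip, "software", "exe", "123456"))  # PIN does not help here
    verdicts.append(fw.evaluate(ip, "gambling"))                # category block
    verdicts.append(fw.evaluate(ip, "gambling", pin="123456"))  # PIN lifts the category block
    verdicts.append(fw.evaluate(ip, "news"))                    # ordinary allowed site
    fw.captive_portal_logout(ip)
    verdicts.append(fw.evaluate(ip, "news"))                    # session gone, back to portal
    return verdicts


if __name__ == "__main__":
    for v in walkthrough():
        print(v)
```

The walkthrough shows the point the thread arrives at: logging in through the captive portal changes which rule and web policy apply to the device, but if the applied policy still blocks the file type, the download stays blocked and the PIN override only helps with category blocks.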