Sophos Firewall: Daily Admin Checklist

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Special thanks and credits to   and   as co-authors of this Recommended Read.


Overview: 

This Recommended Read is designed to guide Firewall administrators through their daily checklist and is intended to complement the Firewall Best Practices.


List of Items to Review: 


1. Review the CPU/Memory/Interface/Disk usage graphs (you can also change the selection as required)


Go to Monitor & Analyze > Diagnostics > System graphs, then choose “Today” or “Last 48 hours” in the Periods drop-down (you may also select other time periods according to your requirements).


After making your selections, click Update to see the results of the chosen output.

Should you notice any anomalies beyond the usual, consider following the preliminary checks detailed in the guide below:


2. Review any Alerts generated on the firewall dashboard/Central Dashboard. 


Sophos Firewall Dashboard: 


Central Firewall Reporting Dashboard: 


Furthermore, you can refer to this documentation guide for instructions on utilizing Central Firewall Reporting: Use Sophos Central reporting  


3. Generate IPS/Web/Application reports and validate that the risky websites and applications are blocked properly 


  • Navigate to Reports > Dashboards > Show: Security dashboard, High-risk applications. 


  • Check the web activity report for any objectionable, unproductive or risky activity coming from any user.
  • For IPS reports, navigate to Monitor & Analyze > Reports > Network & Threats > Intrusion Attacks and select your desired output from the drop-down:


  • In the event that network attacks or IPS events are identified, it is advisable to first examine the source and destination IP addresses. Should the detection originate from a host within the internal network, consider conducting an antivirus scan and cleaning the potentially compromised machine. 


4. Review the Source and Destination Country sections within the Applications and web report to verify whether there is traffic from any undesired or sanctioned country, and proceed with appropriate measures if necessary.


  • Navigate to Monitor & Analyze > Reports > Applications & web > User app risks & usage > Select Destination countries on Drop down:  


  • If there are any unwanted or sanctioned countries for the result, you may take further action such as configuring/blocking countries using a firewall rule: Block countries using a firewall rule


  • If unwanted country traffic is observed on an inbound DNAT rule to Sophos Firewall, you can add a black hole DNAT rule to drop it: Create a black hole DNAT rule

5. Review the admin login reports and the authentication logs in the log viewer for (too many) failed login attempts, and take further action where needed.


Recommended further action when too many failed login attempts occur. You can also use these steps to harden your device.


Note: Add every host IP that will manage the Sophos Firewall before committing the configuration, to avoid locking yourself out of the Firewall from the specified zones.

  • Minimize unsuccessful login attempts under Administration > Admin and user settings > Login security: Sign-in security settings


Additionally, you can refer to these Knowledge Base Articles (KBAs) to enhance the security of your Sophos Firewall:

Sophos Firewall: Multiple failed login (brute force) attempts for WAN-facing portals on the firewall

Hardening Your Sophos Firewall
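As an added example (not part of this Recommended Read and not a Sophos tool), the following Python script flags source IPs with repeated failed admin logins in key=value style log lines such as those Sophos Firewall exports to syslog; the field names and the sample lines are constructed assumptions, so adjust them to match your own log viewer export before running it on real data.

```python
"""Flag sources with too many failed admin logins in key=value log lines.
Added example: field names and sample lines are constructed assumptions,
modelled on the key="value" syslog style, not a Sophos log specification."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real firewall output).
SAMPLE_LOGS = """\
date=2025-03-25 time=09:00:01 log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip="203.0.113.10" message="Failed to log in"
date=2025-03-25 time=09:00:05 log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip="203.0.113.10" message="Failed to log in"
date=2025-03-25 time=09:00:09 log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="root" src_ip="203.0.113.10" message="Failed to log in"
date=2025-03-25 time=09:00:20 log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user_name="admin" src_ip="192.0.2.5" message="Logged in"
date=2025-03-25 time=09:01:02 log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip="192.0.2.5" message="Failed to log in"
date=2025-03-25 time=09:15:00 log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip="203.0.113.10" message="Failed to log in"
"""

# key=value or key="quoted value" pairs
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def failed_login_sources(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: max_failures} for sources that reach `threshold`
    failed admin logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("log_subtype") != "Admin" or rec.get("status") != "Failed":
            continue
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        failures[rec["src_ip"]].append(ts)
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders

if __name__ == "__main__":
    for ip, n in failed_login_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {n} failed admin logins within 5 minutes - review and restrict")
```

A single failure from a management host (192.0.2.5 in the sample) is not reported, so only sustained bursts reach the daily review.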


Edited formatting
[edited by: Raphael Alganes at 12:42 PM (GMT -7) on 25 Mar 2025]