EL80: Sophos XG Firewall

ENGINEER LAB WORKBOOK
Version 16.5.0  January 2017
Sophos Certified Engineer

Contents

Introduction  5
  Prerequisites  5
  Workbook conventions  5
Lab environment  6
  Environment overview  6
  User accounts  7
  Network diagram  9
Lab 1: Getting Started with XG Firewall  10
  Objectives  10
  Task 1  Register for a Sophos Central Evaluation  10
  Task 2  Register and Activate Sophos XG Firewall  11
  Task 3  Navigating the WebAdmin  15
  Task 4  Configure Zones and Interfaces  16
  Task 5  Configure Static Routes  18
  Task 6  Create Definitions  19
  Task 7  Configure DNS Request Routes  22
  Task 8  Import CA Certificates  23
  Task 9  Create a Configuration Backup  24
  Review  25
Lab 2: Network Protection  26
  Objectives  26
  Task 1  Configure Logging  26
  Task 2  Create Network Firewall Rules  26
  Task 3  Install the SSL CA Certificates  32
  Task 4  Install Sophos Central  34
  Task 5  Publish Servers Using Business Application Rules  35
  Task 6  Configure IPS Policies  37
  Task 7  Enable Advanced Threat Protection  38
  Task 8  Enable DoS (Denial of Service) and Spoof Protection  39
  Task 9  Configure Security Heartbeat  41
  Review  44
Lab 3: Site-to-Site Connections  45
  Objectives  45
  Task 1  Create an SSL Site-to-Site VPN  45
  Task 2  Create an IPsec Site-to-Site VPN  49
  Review  52

Page 2 of 87
Sophos Certified Engineer

Lab 4: Authentication  53
  Objectives  53
  Task 1  Configure an Active Directory Authentication Server  53
  Task 2  Configure Single Sign-On Using STAS  55
  Task 3  User-Based Policies  57
  Task 4  One-Time Passwords  59
  Review  60
Lab 5: Web Protection and Application Control  61
  Objectives  61
  Task 1  Create Custom Web Categories and User Activities  61
  Task 2  Create a Custom Web Policy  62
  Task 3  Create a Surfing Quota for Guest Users  64
  Task 4  Create an Application Filter Policy  65
  Review  67
Lab 6: Email Protection  67
  Objectives  67
  Task 1  Enable and Configure Quarantine Digests  67
  Task 2  Configure an Email Protection Policy  68
  Task 3  Configure Data Control and SPX Encryption  72
  Task 4  User Quarantine Management  74
  Review  75
Lab 7: Wireless and Remote Access  76
  Objectives  76
  Task 1  Create a Hotspot  76
  Task 2  Configure an SSL Remote Access VPN  77
  Review  79
Lab 8: Reporting  80
  Objectives  80
  Task 1  Run, Customize and Schedule Reports  80
  Review  81
Lab 9: Troubleshooting  82
  Objectives  82
  Task 1  Use SF Loader Tools  82
  Task 2  Connection Table  83
  Task 3  Dropped Packet Capture  84
  Task 4  Packet Capture  85
  Review  86


© 2017 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior
written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether
express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park,
Abingdon, Oxfordshire, OX14 3YP.


Introduction
These labs accompany the Sophos Certified Engineer Sophos XG Firewall (ET80)
course and form the practical part of the certification. They are estimated to take 7
hours to complete.

You should complete each section of labs when directed to do so in the training content. Throughout the labs there are prompts for information to be written down; you will require this information to pass the online assessment. You will need to complete the course assessment while your lab environment is still active, as there may be some questions based on the live environment.

If you need help or support at any point while completing the labs, please contact us at globaltraining@sophos.com and one of the team will be able to assist you.

Prerequisites

Prior to taking this training we recommend that you have:
• Completed and passed the Fundamentals Certified Engineer course

To be able to complete these labs in the time suggested you should have the following knowledge and experience:
• Experience in installing and replacing network gateways and firewalls in production environments
• Knowledge of general Windows networking

Workbook conventions

This workbook uses the following conventions throughout:
• At the start of each lab is the learning objective, along with any requirements that must have been completed prior to starting the lab.
• Labs which cover larger subjects are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task.
• Short labs are presented as a single task.
• Throughout the guide the following styles are used:

  Bold text         Actions: on-screen elements that you interact with, e.g. menu items, buttons, tick boxes, tabs
  Courier New font  Commands to be executed
  Underlined        Hyperlinks
  <variables>       Variables are shown between chevrons, e.g. <Red ID>

  Distinct styles are also used for important points to note, and for on-screen elements that you do not interact with, e.g. page titles.

Lab environment

These labs are designed to be completed on the hosted CloudShare environment. If you are not using CloudShare (e.g. this course is being taught in a classroom and not completed online) some details such as hostnames and IP addresses may vary.

You can launch your lab environment on CloudShare by clicking the Launch Lab Environment link on 00 -

The environment will open in a pop-up window. If the window does not open, please check that your browser is not blocking popups.

If you need to leave your environment and return to it, you can use the Launch Lab Environment link again to log back in to the same environment.

Important note: once you launch your environment it will be available for three days. Once your environment expires it is automatically deleted. If you require an extension, contact globaltraining@sophos.com and give our team sufficient time to receive and action your request prior to the environment expiring.

Environment overview

The environment used to complete these labs is comprised of multiple computers, connected via a simple network.

SOPHOS.LOCAL
  The main network you will be using during the labs.
  Networks: 172.16.16.0/24, 172.17.17.0/24, 192.168.16.0/24

LON-GW1.SOPHOS.LOCAL (referred to as London Gateway 1)
  A Sophos XG Firewall. It is the default gateway for the sophos.local network and has a separate interface for a DMZ network.
  IP addresses: 172.16.16.16, 172.17.17.16, 172.25.25.16, 172.30.30.16, 10.1.1.100, 10.100.100.65

LON-DC.SOPHOS.LOCAL (referred to as London DC)
  A Windows 2012 R2 domain controller for the lab.local domain. It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority.
  IP address: 172.16.16.10

LON-CLIENT.SOPHOS.LOCAL (referred to as London Client)
  IP address: 172.17.17.20

INTRANET.SOPHOS.LOCAL (referred to as London Intranet)
  A Debian Linux server running a simple website. The server is located on a separate subnet.
  IP address: 172.25.25.40

SOPHOS.DMZ
  The DMZ for the lab network.
  Network: 172.30.30.0/24

STORE.SOPHOS.DMZ (referred to as DMZ Website)
  A Debian Linux server running a simple website.
  IP address: 172.30.30.50

NY-GW.SOPHOS.LOCAL (referred to as New York Gateway)
  A Sophos XG Firewall. It is the default gateway for the sophos.local network.
  IP addresses: 192.168.16.16, 172.25.25.17, 10.2.2.200

NY-DC.SOPHOS.LOCAL (referred to as New York DC)
  A Windows 2012 R2 domain controller for the sophos.local domain. It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority.
  IP address: 192.168.16.30

WAREHOUSE.SOPHOS.LOCAL (referred to as New York Warehouse)
  A Debian Linux server running a simple website. The server is located on a separate subnet.
  IP address: 172.25.25.60

INTERNET.WWW (referred to as Internet)
  A Debian Linux server which provides central DNS for the lab.local and sophos.local networks, as well as running a DHCP server, a simple website and a certificate authority.
  IP addresses: 10.1.1.250, 10.2.2.250

User accounts

The table below details the user accounts in the lab environment.

Username              Full name      Password    Scope and privileges
SOPHOS\administrator  Administrator  Sophos1985  SOPHOS.LOCAL: domain administrator
SOPHOS\jsmith         John Smith     Sophos1985  SOPHOS.LOCAL: domain user
SOPHOS\rbrown         Rob Brown      Sophos1985  SOPHOS.LOCAL: domain user
SOPHOS\spage          Sally Page     Sophos1985  SOPHOS.LOCAL: domain user
SOPHOS\lfox           Lucy Fox       Sophos1985  SOPHOS.LOCAL: domain user
SOPHOS\frogers        Fred Rogers    Sophos1985  SOPHOS.LOCAL: domain user
root                  Root           Sophos1985  DMZ Website, London Intranet, New York Warehouse, Internet: local administrator
sophos                Sophos         Sophos1985  DMZ Website, London Intranet, New York Warehouse, Internet: local user
sspade                Sam Spade      Sophos1985  Internet: local user

Network diagram

(The network diagram is not reproduced in this text version; the hosts, networks and addresses it shows are listed in the environment overview above.)

Lab 1: Getting Started with XG Firewall

Objectives

Upon successful completion of this lab you will be able to:
1. Register for a Sophos Central evaluation
2. Register and activate a Sophos XG Firewall
3. Navigate the WebAdmin
4. Configure zones and interfaces
5. Configure static routes
6. Create definitions
7. Configure DNS request routes
8. Import CA certificates
9. Create a configuration backup

Task 1 Register for a Sophos Central Evaluation

Register for a Sophos Central evaluation in preparation for configuring Security Heartbeat.

On Your Local Computer

1. Open a web browser and navigate to https://central.sophos.com
2. Click the Sign Up link.
3. Follow the on-screen instructions to register for a trial. Make sure you use an email address that you can access, and one that is not already registered with Sophos Central.
4. Check your inbox and open the email containing the activation link. This may take several minutes to arrive.
5. Click Activate in the email. This opens the activation page.
6. Enter and confirm a password of your choice.
7. Select where to have the data stored.
8. Read the statements and select both checkboxes.
9. Click Activate Account.
10. Sophos Central is now ready to use.
11. Use the menu in the top-right of the screen to log out.

Task 2 Register and Activate Sophos XG Firewall

Register and activate the Sophos XG Firewall, then complete the setup wizard to configure Sophos XG Firewall in Gateway mode.

On Your Local Computer

1. If you do not have a Sophos ID account, open a browser, navigate to https://secure2.sophos.com/en-us/mysophos/registration.aspx and follow the on-screen instructions to create a Sophos ID.
2. Open a browser and navigate to https://secure2.sophos.com/en-us/products/next-gen-firewall/free-trial/os.aspx
3. Log in with your Sophos ID email address and password.
4. Complete the form and follow the on-screen instructions to register for a serial number.
5. You will receive an email with your serial number. Write it down; you will use it to activate London Gateway 1.
   Serial number: ____________________________________________
6. Navigate to https://secure2.sophos.com/en-us/products/next-gen-firewall/free-trial/os.aspx again, follow the on-screen instructions and complete the form to register for a second serial number.
7. You will receive an email with this serial number. Write it down; you will use it to activate New York Gateway.
   Serial number: ____________________________________________

On London DC

8. Open Chrome and navigate to https://172.16.16.16:4444
   Note: 172.16.16.16 is the default IP address. You will get a certificate warning because the WebAdmin is still presenting its self-signed certificate; in the lab it is safe to proceed. Outside a lab, verify the certificate fingerprint before entering credentials.
9. Log in to the WebAdmin as admin. The password is admin.
10. Click Basic Setup.
11. Configure the device basic setup with the following information:

    Setting          Value
    IP Assignment    Static
    IP Address       10.1.1.100
    Subnet Mask      255.255.255.0
    Default Gateway  10.1.1.250
    DNS              10.1.1.250

12. Click Save Changes. This may take a minute to complete.
13. Enter the serial number you received for London Gateway 1 at the start of this task, then click Activate Device. The serial number is case sensitive.
14. Click Register Device. The Register Device button appears once the device is activated.
15. Enter your Sophos ID email address and password.
16. Wait for the registration to complete, then close the window.
17. Click Synchronize License. This may take a minute to complete.
18. Click the link Click Here. This appears once the license is synchronized.
19. Click Start.
20. Click the blue Next icon to configure the device in Gateway Mode.
21. Select PortC on the left.
22. Configure PortC with the following settings. You need to select the zone for the interface before you can configure any other settings.

    Setting        Value
    Zone           LAN
    Use Static IP  Selected
    IP Address     172.17.17.16
    Subnet Mask    255.255.255.0

23. Select PortE on the left.
24. Configure PortE with the following settings. Again, select the zone before configuring any other settings.

    Setting        Value
    Zone           DMZ
    Use Static IP  Selected
    IP Address     172.30.30.16
    Subnet Mask    255.255.255.0

25. Click the blue Next icon.
26. Configure the DNS and hostname with the following information, leaving the other settings at their defaults:

    Setting                 Value
    DNS Configuration
      Static DNS            Selected
      DNS 1                 10.1.1.250
      DNS 2                 172.16.16.10
    Hostname Configuration
      Hostname              lon-gw1.sophos.www

27. Click the blue Next icon.
28. Configure the Default Network Policy with the following settings:

    Setting              Value
    User / Network Rule  Selected
    Web Filter           Default Workplace Policy
    App Filter           Allow All
    IPS                  None

29. Click the blue Next icon.
30. Configure the Mail Server Configuration with the following settings. This configuration is used by the XG Firewall for sending notifications about system events or threats that require your attention.

    Setting                              Value
    Send Notifications to Email Address  administrator@sophos.local
    Mail Server IPv4 Address/FQDN        172.16.16.10
    Port                                 25
    From Email Address                   administrator@sophos.local
    Authentication Required              Deselected
    Connection Security                  None

31. Click the blue Next icon.
32. Select Automatically Synchronize with NTP Server.
33. Select Use Custom NTP Server.
34. Enter 172.16.16.10
35. Click the blue Next icon.
36. Deselect Send App & Threat data. As this is a training lab we do not want to send data to Sophos.
37. Click Finish, then click OK. This may take a couple of minutes to complete.
38. Click the link https://172.16.16.16:4444. You will get a certificate warning, but it is safe to proceed.
39. Log in to the WebAdmin as admin. The password is admin.
40. Select SYSTEM > Administration in the left-hand menu.
41. Select the Device Access tab.
42. Scroll down.
43. Enter the current admin password admin and the new password Sophos1985
44. Click Apply, then click OK.

On New York DC

45. Open Chrome and navigate to https://192.168.16.16:4444/ You will get a certificate warning, but it is safe to proceed.
46. Log in to the WebAdmin as admin. The password is admin.
47. Click Basic Setup.
48. Configure the device basic setup with the following information:

    Setting          Value
    IP Assignment    Static
    IP Address       10.2.2.200
    Subnet Mask      255.255.255.0
    Default Gateway  10.2.2.250
    DNS              10.2.2.250

49. Click Save Changes. This may take a minute to complete.
50. Enter the serial number you received for New York Gateway at the start of this task, then click Activate Device. The serial number is case sensitive.
51. Click Register Device. The Register Device button appears once the device is activated.
52. Enter your Sophos ID email address and password.
53. Wait for the registration to complete, then close the window.
54. Click Synchronize License. This may take a minute to complete.
55. Click the link Click Here. This appears once the license is synchronized.
56. Click Skip, then click OK.
57. Select SYSTEM > Administration in the left-hand menu.
58. Select the Device Access tab.
59. Scroll down.
60. Enter the current admin password admin and the new password Sophos1985
61. Click Apply, then click OK.
62. Select SYSTEM > Backup & Firmware in the left-hand menu.
63. Click Choose File.
64. Select C:\Config\NY-GW_Engineer_Lab1, then click Open.
65. Click Upload & Restore, then click OK. This may take several minutes to complete. You can proceed with the labs while the configuration is being restored.
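The Basic Setup and wizard steps above set the WAN address, the default gateway and the PortC and PortE addresses by hand, and the wizard will accept an inconsistent plan without complaint. The script below is an added example for this workbook, not Sophos code: it models the addresses entered in this task with Python's standard ipaddress module and flags the mistakes a practitioner most often makes at this stage: overlapping interface subnets, a default gateway that is not on a WAN subnet or that collides with a local address, and lab hosts that would be reached only via the default route. The zone of the default 172.16.16.16 address, the WAN port name PortB and the host table are assumptions taken from the environment overview rather than from the steps.

```python
"""Pre-flight consistency check for the Lab 1, Task 2 interface plan.

Added example for this workbook; it is not Sophos tooling. PortC, PortE,
the WAN address and the default gateway come from the task steps. PortA's
zone, the WAN port name and the host table are assumptions drawn from the
environment overview.
"""
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List, Tuple

# (port, zone, address/prefix)
INTERFACES: List[Tuple[str, str, str]] = [
    ("PortA", "LAN", "172.16.16.16/24"),  # default address; LAN zone assumed
    ("PortB", "WAN", "10.1.1.100/24"),    # Basic Setup, step 11; port name assumed
    ("PortC", "LAN", "172.17.17.16/24"),  # step 22
    ("PortE", "DMZ", "172.30.30.16/24"),  # step 24
]
DEFAULT_GATEWAY = "10.1.1.250"  # Basic Setup, step 11

# Hosts from the environment overview (constructed for this example).
HOSTS: Dict[str, str] = {
    "London DC": "172.16.16.10",
    "London Client": "172.17.17.20",
    "DMZ Website": "172.30.30.50",
    "Internet": "10.1.1.250",
    "London Intranet": "172.25.25.40",
}


def zone_of(address: str, interfaces=INTERFACES) -> str:
    """Return the zone whose interface subnet contains address.

    Returns 'default route' when no directly connected subnet matches,
    i.e. the firewall would forward traffic for it to the default gateway.
    """
    ip = IPv4Address(address)
    for _port, zone, cidr in interfaces:
        if ip in IPv4Interface(cidr).network:
            return zone
    return "default route"


def check_plan(interfaces=INTERFACES, gateway: str = DEFAULT_GATEWAY) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    parsed = [(port, zone, IPv4Interface(cidr)) for port, zone, cidr in interfaces]

    # Two interfaces on overlapping subnets leave the routing decision ambiguous.
    for i, (p1, _z1, a1) in enumerate(parsed):
        for p2, _z2, a2 in parsed[i + 1:]:
            if a1.network.overlaps(a2.network):
                problems.append(f"{p1} and {p2}: overlapping subnets "
                                f"{a1.network} / {a2.network}")

    # The default gateway must be directly reachable on a WAN interface,
    # otherwise the firewall has no path out.
    gw = IPv4Address(gateway)
    wan_nets = [a.network for _p, zone, a in parsed if zone == "WAN"]
    if not wan_nets:
        problems.append("no interface is in the WAN zone")
    elif not any(gw in net for net in wan_nets):
        problems.append(f"default gateway {gw} is not on a WAN subnet")

    # The gateway must not be one of the firewall's own addresses.
    if any(a.ip == gw for _p, _z, a in parsed):
        problems.append(f"default gateway {gw} is assigned to a local interface")
    return problems


def classify_hosts(hosts=HOSTS, interfaces=INTERFACES) -> Dict[str, str]:
    """Map each lab host to the zone it is reached through."""
    return {name: zone_of(ip, interfaces) for name, ip in hosts.items()}


if __name__ == "__main__":
    for problem in check_plan() or ["plan is consistent"]:
        print(problem)
    for name, zone in classify_hosts().items():
        print(f"{name:16} {HOSTS[name]:15} -> {zone}")
```

Run as written, the plan passes and every host lands in the zone you would expect, except London Intranet at 172.25.25.40, which is reported as reachable only via the default route: none of the interfaces configured in this task covers its subnet, which is what the static routes in Task 5 address.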

Task 3 Navigating the WebAdmin
Tour the WebAdmin to make navigation easier throughout the labs,

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 When you first login you will see the Control Center. This page gives a real-time summary of what is happening on your network and on the XG Firewall
4 Select PROTECT > Firewall in the left-hand menu
5 Firewall rules are where most of the protection configuration is applied. You can see that your lab environment has been preconfigured with a number of firewall rules
6 Click on the #Default_Network_Policy firewall rule to expand it, then click the Edit icon
7 This is a basic network rule that allows traffic from the LAN zone to the WAN

applied to this rule, include intrusion prevention, traffic shaping and web filtering
8 Select PROTECT > Wireless in the left-hand menu
9 In this section of the XG Firewall you can manage wireless access points and networks. Select each tab in turn and review the configuration available in each
10 Select CONFIGURE > VPN in the left-hand menu
11 In this section you can configure site-to-site and remote access VPNs
12 Click Show VPN Settings
13 Here you can find settings that you will need to access less frequently. The
-to-site and remote access SSL VPNs
14 Click Close VPN Settings
15 Select each of the tabs in turn and review the configuration on each
16 Select CONFIGURE > Network in the left-hand menu
17 In this section you configure the interfaces and other basic network settings such as DNS and DHCP


18 Select CONFIGURE > Routing in the left-hand menu
19 The XG Firewall supports static, policy and dynamic routing, all of which can be configured in this section
20 Select SYSTEM > Administration in the left-hand menu
21 In this section you configure the device settings
22 Take 5 minutes to browse through the WebAdmin and familiarize yourself with where to find all of the configuration options; this will help you when completing the labs. You could try to find the following in the WebAdmin:
   • Where do you download the STAS software?
   • Where would you configure the primary antivirus engine for email scanning?
   • Where would you view the current IPsec connections?
   • Where would you configure the log settings?

Task 4 Configure Zones and Interfaces
Configure network zones and interfaces.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 Select CONFIGURE > Network in the left-hand menu
4 Select the Zones tab
5 Click Add
6 Configure the zone with the following settings:
   Note: Leave the other settings as default.

   Setting           Value
   Name              Intranet
   Type              LAN
   Device Access
   Admin Services    HTTPS
   Network Services  DNS
                     Ping/Ping6

7 Click Save
8 Select the Interfaces tab
9 Click PortD


10 Configure the zone with the following settings:

   Setting             Value
   Network Zone        Intranet
   IPv4 Configuration  Selected
   IP Assignment       Static
   IPv4/Netmask        172.25.25.16 /24
   IPv6 Configuration  Deselected

11 Click Save then Update Interface
12 Click PortF
   Note: We will use this port to simulate an MPLS between London and New York later in the labs.
13 Configure the zone with the following settings:
   Note: We are adding this interface to the WAN zone so you need to define a default gateway.

   Setting             Value
   Network Zone        WAN
   IPv4 Configuration  Selected
   IP Assignment       Static
   IPv4/Netmask        10.100.100.65 /29
   Gateway Name        Port F Default Gateway
   Gateway IP          10.100.100.70
   IPv6 Configuration  Deselected

14 Click Save then Update Interface
15 Select the WAN Link Manager tab
16 Click Port F Default Gateway
17 Backup
   Note: To prevent the MPLS interface being used for any Internet traffic, set it as a backup gateway with no automatic failover.
18 None
19 Click Save then click OK

On New York DC
20 Open Chrome and navigate to https://ny-gw.sophos.local:4444
21 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
22 Select CONFIGURE > Network in the left-hand menu
23 Click PortD
   Note: We will use this port to simulate an MPLS between London and New York later in the labs.


24 Configure the zone with the following settings:
   Note: We are adding this interface to the WAN zone so you need to define a default gateway.

   Setting             Value
   Network Zone        WAN
   IPv4 Configuration  Selected
   IP Assignment       Static
   IPv4/Netmask        10.100.100.70 /29
   Gateway Name        Port D Default Gateway
   Gateway IP          10.100.100.65
   IPv6 Configuration  Deselected

25 Click Save then Update Interface
26 Select the WAN Link Manager tab
27 Click Port D Default Gateway
28 Backup
   Note: To prevent the MPLS interface being used for any Internet traffic, set it as a backup gateway with no automatic failover.
29 None
30 Click Save then click OK

Task 5 Configure Static Routes
Create static routes for MPLS traffic on London Gateway 1 and New York Gateway.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 Select CONFIGURE > Routing in the left-hand menu
4 Add
5 Configure the static route with the following information:
   Note: This static route will send all traffic destined for the New York LAN network over the MPLS interface to the New York Gateway.

   Setting                   Value
   Destination IP / Netmask  192.168.16.0 /24
   Gateway                   10.100.100.70
   Interface                 PortF-10.100.100.65
   Distance                  0

6 Click Save


On New York DC
7 Open Chrome and navigate to https://ny-gw.sophos.local:4444
8 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
9 Select CONFIGURE > Routing in the left-hand menu
10 Add
11 Configure the static route with the following information:
   Note: This static route will send all traffic destined for the London LAN network over the MPLS interface to the London Gateway.

   Setting                   Value
   Destination IP / Netmask  172.16.16.0 /24
   Gateway                   10.100.100.65
   Interface                 PortD-10.100.100.70
   Distance                  0

12 Click Save
13 Add
14 Configure the static route with the following information:
   Note: This static route will send all traffic destined for the London Client LAN network over the MPLS interface to the London Gateway.

   Setting                   Value
   Destination IP / Netmask  172.17.17.0 /24
   Gateway                   10.100.100.65
   Interface                 PortD-10.100.100.70
   Distance                  0

15 Click Save

Task 6 Create Definitions
Configure the host and service definitions required for later labs.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 Select SYSTEM > Hosts and Services in the left-hand menu
4 Select the FQDN Host tab
5 Click Add


6 Configure the object with the following information:

Setting Value

Name London Gateway 1 External

FQDN lon-gw1.sophos.www

7 Add New Item
8 Click Create new
9 type Gateway Hosts then click Save
10 Click Save
11 Click Add
12 Configure the object with the following information:

Setting Value

Name New York Gateway External

FQDN ny-gw.sophos.www

FQDN Group Gateway Hosts

13 Click Save
14 Select the IP Host tab
15 Click Add
16 Configure the object with the following information:

Setting Value

Name NewYork LAN

IP Family IPv4

Type Network

IP Address 192.168.16.0

Subnet /24 (255.255.255.0)

17 Click Save
18 Click Add
19 Configure the object with the following information:

Setting Value

Name London LAN

IP Family IPv4

Type Network

IP Address 172.16.16.0

Subnet /24 (255.255.255.0)

20 Add New Item


21 Click Create new
22 type London Networks then click Save
23 Click Save
24 Click Add
25 Configure the object with the following information:

Setting Value

Name London Client LAN

IP Family IPv4

Type Network

IP Address 172.17.17.0

Subnet /24 (255.255.255.0)

IP Host Group London Networks

26 Click Save
27 Click Add
28 Configure the object with the following information:

Setting Value

Name SophosStore

IP Family IPv4

Type IP

IP Address 172.30.30.50

29 Add New Item
30 Click Create new
31 type DMZ IP Hosts then click Save
32 Click Save
33 Click Add
34 Configure the object with the following information:

Setting Value

Name LondonDC

IP Family IPv4

Type IP

IP Address 172.16.16.10

35 Add New Item
36 Click Create new
37 type Server IP Hosts then click Save
38 Click Save


39 Click Add
40 Configure the object with the following information:

Setting Value

Name NewYorkDC

IP Family IPv4

Type IP

IP Address 192.168.16.30

41 Add New Item
42 Select Server IP Hosts then click Apply 1 selected items
43 Click Save
44 Click Add
45 Configure the object with the following information:

Setting Value

Name LondonClient

IP Family IPv4

Type IP

IP Address 172.17.17.20

46 Click Save
47 Select the Services tab
48 Click Add
49 Configure the service with the following settings:

Setting Value

Name WebAdmin

Type TCP/UDP

Protocol TCP

Source Port *

Destination Port 4444

50 Click Save

Task 7 Configure DNS Request Routes
routes for domains that will be resolved by an internal DNS server.

Instructions Notes


On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 Select CONFIGURE > Network in the left-hand menu
4 Select the DNS tab
5 Add
6 Configure the request route with the following information:

   Setting           Value
   Host/Domain Name  sophos.local
   Target Servers    LondonDC

7 Click Save
8 Repeat this to create DNS request routes for the following domains:
   • sophos.dmz
   • 16.16.172.in-addr.arpa
   • 17.17.172.in-addr.arpa
   Note: lookup zones for IP addresses. The first parts of the domain are the network octets for the subnet in reverse order.
9 Open Command Prompt from the Start screen
10 Use nslookup to test the DNS request routes by running the following commands:
   > server 172.16.16.16
   > lon-client.sophos.local
   > 172.17.17.20
   Note: nslookup should return a non-authoritative answer.
11 Close Command Prompt
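The in-addr.arpa domains above follow a fixed rule, and a request route is selected by matching the tail of the query name. The Python below is an added example, not part of the workbook or of XG Firewall: it derives the reverse zone for each lab subnet, builds the PTR name that the nslookup test for 172.17.17.20 generates, and shows which request route a query name would hit. That request routes match a domain and all of its subdomains by longest suffix, and that unmatched names go to the upstream DNS servers, are assumptions about the appliance, not statements from the page.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Request routes as configured in Task 7 (domain -> target server object).
REQUEST_ROUTES = {
    "sophos.local": "LondonDC",
    "sophos.dmz": "LondonDC",
    "16.16.172.in-addr.arpa": "LondonDC",
    "17.17.172.in-addr.arpa": "LondonDC",
}


def reverse_zone(cidr: str) -> str:
    """Reverse lookup zone for an IPv4 subnet: network octets, reversed, under in-addr.arpa.

    Only octet-aligned prefixes (/8, /16, /24) map onto one classic zone; anything
    else would need classless (RFC 2317) delegation and is rejected here.
    """
    net = ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: reverse zone needs an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_name(addr: str) -> str:
    """PTR owner name for a host, e.g. 172.17.17.20 -> 20.17.17.172.in-addr.arpa."""
    return ip_address(addr).reverse_pointer


def route_for(qname: str, routes=REQUEST_ROUTES) -> Optional[str]:
    """Return the target server of the request route whose domain is the longest
    suffix of the query name, or None if the query would go to the normal
    upstream DNS servers instead (assumed matching behaviour)."""
    name = qname.rstrip(".").lower()
    best = None
    for domain, target in routes.items():
        d = domain.lower()
        if (name == d or name.endswith("." + d)) and (best is None or len(d) > len(best[0])):
            best = (d, target)
    return best[1] if best else None


def lab_subnets_covered(subnets, routes=REQUEST_ROUTES) -> dict:
    """For each subnet, which request route (if any) serves its reverse zone.

    Useful for spotting subnets whose PTR lookups would leak to the upstream
    resolver, e.g. the New York LAN, which has no route in this task.
    """
    return {cidr: route_for(reverse_zone(cidr), routes) for cidr in subnets}


if __name__ == "__main__":
    for cidr in ("172.16.16.0/24", "172.17.17.0/24", "192.168.16.0/24"):
        print(cidr, "->", reverse_zone(cidr), "routed to", route_for(reverse_zone(cidr)))
    print(ptr_name("172.17.17.20"), "->", route_for(ptr_name("172.17.17.20")))
```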

Task 8 Import CA Certificates
Import the CA certificates from the lab environment certificate authority. These will be used by the XG Firewall to validate website
certificates later in the labs.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://ca.internet.www
2 Root CA Certificate (PEM)
3 Intermediate CA Certificate (PEM)
4 Navigate to https://lon-gw1.sophos.local:4444


5 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
6 Select SYSTEM > Certificates in the left-hand menu
7 Select the Certificate Authorities tab
8 Click Add
9 Configure the certificate with the following information:
   Note: The root-ca.pem file will be located in \Users\Administrator\Downloads\
   You do not need to select a private key as this is a verification CA.
   CA on the first page of certificate authorities.

   Setting                  Value
   Name                     AAAGlobalTrainingRootCA
   Certificate File Format  PEM
   Certificate              root-ca.pem

10 Click Save
11 Click Add
12 Configure the certificate with the following information:
   Note: The intermediate-ca.pem file will be located in \Users\Administrator\Downloads\
   You do not need to select a private key as this is a verification CA.
   CA on the first page of certificate authorities.

   Setting                  Value
   Name                     AAAGlobalTrainingIntermediateCA
   Certificate File Format  PEM
   Certificate              intermediate-ca.pem

13 Click Save

Task 9 Create a Configuration Backup
Create a configuration backup of your environment.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3 Select SYSTEM > Backup & Firmware in the left-hand menu
4 enter the following configuration:

Setting Value

Backup Mode Local

Backup Prefix TRAINING

Frequency Daily

Schedule 17 HH 00 MM


5 Click Apply then OK
6 Click Backup Now
   Note: Wait for the backup to complete.
7 Click Download
   Note: This will save the backup file to London DC.
8 Write down the filename of the backup file that you downloaded:
____________________________________________
   Note: You can optionally save your configuration backups to a cloud storage account in case you need to revert your environment for any reason.

Review
You have now successfully:
1. Registered for a Sophos Central evaluation
2. Registered and activated a Sophos XG Firewall
3. Navigated the WebAdmin
4. Configured zones and interfaces
5. Configured static routes
6. Created definitions
7. Configured DNS request routes
8. Imported CA certificates
9. Created a configuration backup


Lab 2 Network Protection
Objectives
Upon successful completion of this lab you will be able to:
1. Configure logging
2. Create network firewall rules
3. Install the SSL CA certificate
4. Install Sophos Central
5. Publish servers using Business Application Rules
6. Configure IPS policies
7. Enable Advanced Threat Protection
8. Enable DoS and spoof protection
9. Configure Security Heartbeat

Task 1 Configure Logging
Review and enable the logging options on the XG Firewall.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > System Services in the left-hand menu
3 Select the Log Settings tab
4 Review
5 Select all of the items in by selecting the top

6 Click Apply then click OK

Task 2 Create Network Firewall Rules
Create and test basic network firewall rules.

Instructions Notes

On London DC

1 Login to the WebAdmin of London Gateway 1 as admin


2 Select PROTECT > Firewall in the left-hand menu
   Note: You will see that there are some rules that were imported with the configuration backup.

3 Click + Add Firewall Rule > User / Network Rule
4 Configure the rule with the following configuration:
   Note: Leave all of the other settings as default. Click Add New Item in the bottom of each field to change the settings mentioned. This firewall rule is to allow traffic between LAN segments. In the lab environment the London DC is on a subnet connected to PortA, and London Client is on a different subnet connected to PortC. Even though both PortA and PortC are in the LAN zone, you need to define a rule to allow traffic to pass between the interfaces.

   Setting               Value
   About This Rule
   Rule Name             LAN to LAN
   Description           Allow LAN to LAN traffic
   Rule Position         Top
   Action                Accept
   Source
   Zone                  LAN
   Networks              Any
   Schedule              All The Time
   Destination
   Zone                  LAN
   Networks              Any
   Services              Any
   Identity
   Match known users     Deselect
   Log Traffic
   Log Firewall Traffic  Select

5 Click Save
   Note: Notice the icon to the left of the rule you created indicating that it is a Network Rule.

6 Click on the #Default_Network_Policy rule to expand it

7 Click the Edit icon


8 Modify the following settings:

Setting Value

Source

Zone LAN
DMZ
Intranet

Destination

Services DNS
FTP
HTTP
HTTPS
WebAdmin

Malware Scanning

Scan FTP Select

Scan HTTP Select

Decrypt and Scan HTTPS Select

Log Traffic

Log Firewall Traffic Select

9 Click Save
10 Click on the LAN to LAN rule to expand it

11 Click the Clone icon and select Clone Below


12 Configure the rule with the following configuration:
   Note: Leave all of the other settings as default. Click Add New Item in the bottom of each field to change the settings mentioned.

   Setting               Value
   About This Rule
   Rule Name             Intranet Zone Access
   Description           Allow LAN to Intranet servers web traffic
   Action                Accept
   Source
   Zone                  LAN
   Networks              Any
   Schedule              All The Time
   Destination
   Zone                  Intranet
   Networks              Any
   Services              HTTP
                         HTTPS
   Identity
   Match known users     Deselect
   Log Traffic
   Log Firewall Traffic  Select

13 Click Clone
14 Click + Add Firewall Rule > User / Network Rule


15 Configure the rule with the following configuration:
   Note: Leave all of the other settings as default.

Setting Value

About This Rule

Rule Name To MPLS

Description Allow traffic to New York via the
MPLS

Rule Position Top

Source

Zone LAN

Destination

Zone WAN

Networks NewYork LAN

Identity

Match known users Deselect

Advanced

Rewrite source address Deselect
(Masquerading)

Log Traffic

Log Firewall Traffic Select

16 Click Save

17 Click + Add Firewall Rule > User / Network Rule

18 Configure the rule with the following configuration:
   Note: Leave all of the other settings as default.

Setting Value

About This Rule

Rule Name From MPLS

Description Allow traffic from New York via
the MPLS

Rule Position Top

Source

Zone WAN

Networks NewYork LAN

Destination

Zone LAN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select


19 Click Save

20 Write down the order the policies you have created are evaluated in
____________________________________________
____________________________________________
____________________________________________
____________________________________________
____________________________________________

On New York DC

21 Open Chrome and navigate to https://ny-gw.sophos.local:4444

22 Login as admin
   Note: The password is Sophos1985.
23 Select PROTECT > Firewall in the left-hand menu

24 Click Add Firewall Rule > User / Network Rule
25 Configure the firewall rule with the following settings:
   Note: Leave all of the other settings as default.

Setting Value

Rule Name To MPLS

Description Allow traffic to London via the MPLS

Rule Position Top

Source

Source Zones LAN

Destination & Services

Destination Zones WAN

Destination Networks London LAN
London Client LAN

Identity

Match known users Deselect

Advanced

Rewrite source address Deselect
(Masquerading)

Log Traffic

Log Firewall Traffic Select

26 Click Save

27 Click Add Firewall Rule > User / Network Rule


28 Configure the firewall rule with the following settings:
   Note: Leave all of the other settings as default.

Setting Value

Rule Name From MPLS

Description Allow traffic from London via the
MPLS

Rule Position Top

Source

Source Zones WAN

Source Networks and London LAN
Devices London Client LAN

Destination & Services

Destination Zones LAN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select

29 Click Save

On London Client

30 Login as SOPHOS\jsmith
   Note: The password is Sophos1985.

31 Open Chrome and navigate to http://lon-dc.sophos.local
   Note: Confirm that you are able to access this website.
32 Navigate to http://intranet.lon.sophos.local
   Note: Confirm that you are able to access this website.
33 Navigate to http://store.sophos.dmz
   Note: Confirm that you are not able to access this website. No firewall rule has been created to allow traffic from the LAN to the DMZ.
34 Navigate to http://ny-dc.sophos.local
   Note: Confirm that you are able to access this website. This is accessed using the MPLS and is routed using the static routes you created.
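Step 20 asks for the order in which the rules are evaluated, and steps 31-34 test that order with live traffic. The Python below is an added example, not part of the workbook or of XG Firewall: it replays the insertion positions used on London Gateway 1 in this task (Rule Position Top, Clone Below, Clone Above) into a first-match rule table and evaluates the step 31-34 flows against it. Only #Default_Network_Policy is kept from the imported rules, in the form it has after step 8; the zone-to-subnet mapping, the /24 around SophosStore and the Intranet web server address 172.25.25.10 are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Zone an address belongs to, derived from the Lab 1 subnets.  The /24 around
# SophosStore is assumed; New York's LAN is reached over the MPLS interface,
# which sits in the WAN zone, so it is listed there.
ZONE_NETWORKS = {
    "LAN": ["172.16.16.0/24", "172.17.17.0/24"],
    "Intranet": ["172.25.25.0/24"],
    "DMZ": ["172.30.30.0/24"],
    "WAN": ["192.168.16.0/24", "0.0.0.0/0"],
}
# Services selected on #Default_Network_Policy in step 8 (WebAdmin defined in Lab 1).
SERVICE_PORTS = {"DNS": 53, "FTP": 21, "HTTP": 80, "HTTPS": 443, "WebAdmin": 4444}


def zone_of(addr: str) -> str:
    """Longest-prefix match, so 192.168.16.0/24 beats the 0.0.0.0/0 catch-all."""
    ip = ip_address(addr)
    best = ("WAN", -1)
    for zone, nets in ZONE_NETWORKS.items():
        for cidr in nets:
            net = ip_network(cidr)
            if ip in net and net.prefixlen > best[1]:
                best = (zone, net.prefixlen)
    return best[0]


def _in_nets(addr: str, nets: Optional[tuple]) -> bool:
    """None stands for the 'Any' network selection."""
    return nets is None or any(ip_address(addr) in ip_network(n) for n in nets)


@dataclass
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    src_nets: Optional[tuple] = None      # None means "Any"
    dst_nets: Optional[tuple] = None
    services: Optional[frozenset] = None  # service names; None means "Any"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if zone_of(src_ip) not in self.src_zones or zone_of(dst_ip) not in self.dst_zones:
            return False
        if not _in_nets(src_ip, self.src_nets) or not _in_nets(dst_ip, self.dst_nets):
            return False
        return self.services is None or dst_port in {SERVICE_PORTS[s] for s in self.services}


class RuleTable:
    """Ordered rule list with the three insertion operations the labs use."""

    def __init__(self, rules):
        self.rules = list(rules)

    def _index(self, name: str) -> int:
        return next(i for i, r in enumerate(self.rules) if r.name == name)

    def add_top(self, rule: Rule):                 # "Rule Position: Top"
        self.rules.insert(0, rule)

    def clone_above(self, name: str, rule: Rule):  # "Clone Above" (used in Task 9)
        self.rules.insert(self._index(name), rule)

    def clone_below(self, name: str, rule: Rule):  # "Clone Below" an existing rule
        self.rules.insert(self._index(name) + 1, rule)

    def order(self) -> list:
        return [r.name for r in self.rules]

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        """First matching rule wins; None means nothing matched (implicit drop)."""
        return next((r.name for r in self.rules if r.matches(src_ip, dst_ip, dst_port)), None)


def build_task2_table() -> RuleTable:
    """Replay steps 3-19 on London Gateway 1.  Other imported rules are omitted."""
    table = RuleTable([Rule("#Default_Network_Policy", frozenset({"LAN", "DMZ", "Intranet"}),
                            frozenset({"WAN"}), services=frozenset(SERVICE_PORTS))])
    table.add_top(Rule("LAN to LAN", frozenset({"LAN"}), frozenset({"LAN"})))
    table.clone_below("LAN to LAN", Rule("Intranet Zone Access", frozenset({"LAN"}),
                                         frozenset({"Intranet"}),
                                         services=frozenset({"HTTP", "HTTPS"})))
    table.add_top(Rule("To MPLS", frozenset({"LAN"}), frozenset({"WAN"}),
                       dst_nets=("192.168.16.0/24",)))
    table.add_top(Rule("From MPLS", frozenset({"WAN"}), frozenset({"LAN"}),
                       src_nets=("192.168.16.0/24",)))
    return table


if __name__ == "__main__":
    table = build_task2_table()
    print("Evaluation order:", " > ".join(table.order()))
    # Steps 31-34 from London Client (172.17.17.20); 172.25.25.10 is a constructed
    # address for intranet.lon.sophos.local in the Intranet zone.
    for flow in [("172.17.17.20", "172.16.16.10", 80), ("172.17.17.20", "172.25.25.10", 80),
                 ("172.17.17.20", "172.30.30.50", 80), ("172.17.17.20", "192.168.16.30", 80)]:
        print(flow, "->", table.evaluate(*flow) or "no rule matched (dropped)")
```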

Task 3 Install the SSL CA Certificates
Use Active Directory Group Policy to deploy the SSL CA Certificate from the London Gateway 1 to computers in the
SOPHOS.LOCAL domain. This means that clients will trust website certificates generated by the XG Firewall as part of HTTPS
scanning.


Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select SYSTEM > Certificates in the left-hand menu
3 Select the Certificate Authorities tab
4 Click the Download icon on the right-hand side for
   Note: You may need to use the horizontal scroll bar at the bottom of the page to see the Download icon.
5 Click the Download icon on the right- Default
6 Open the Downloads folder
7 Change the file extension of SecurityAppliance_SSL_CA.pem
   Note: Windows does not have a file association for .pem files.
8 Right-click on Local_certificate_authority.tar.gz and select 7-Zip > Open archive
9 Double-click local_certificate_authority.tar
10 Select Default.pem then click Extract
11 Click OK
12 Change the file extension of
13 Open Administrative Tools from the Start screen
14 Open Group Policy Management
15 In the left-hand pane right-click on Default Domain Policy and select
16 In the left-hand pane select Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
17 In the left-hand pane right-click on Trusted Root Certification Authorities and select
18 Click Next
19 Click
20 Select the file C:\Users\Administrator\Downloads\SecurityAppliance_SSL_CA.cer then click Open
21 Click Next twice
22 Click Finish
23 Click OK
24 In the left-hand pane right-click on Trusted Root Certification Authorities and select
25 Click Next
26 Click


27 Select the file C:\Users\Administrator\Downloads\Default.cer then click Open
28 Click Next twice
29 Click Finish
30 Click OK
31 Close the Group Policy Management Editor window
32 Close the Group Policy Management window
33 Open Command Prompt from the Start screen
34 Run gpupdate /force
   Note: Wait for the command to complete.

On London Client
35 Open Command Prompt from the Start menu
36 Run gpupdate /force
   Note: Wait for the command to complete.

Task 4 Install Sophos Central
Install Sophos Central on London Client in preparation for configuring Security Heartbeat.
Note: Sophos Central is a rapidly developed product. The instructions in this lab workbook are correct at the time of publishing; however, you may find discrepancies between the instructions and the current version of Sophos Central.

Instructions Notes

On London Client
1 Login as SOPHOS\jsmith
   Note: The password is Sophos1985.
2 Open Chrome and navigate to https://central.sophos.com
3 Sign In with your email address and password
4 Click Got it, thanks!
5

6 Select CONFIGURE > Protect Devices in the left-hand menu
7 Download Complete Windows Installer
8 Once the installer has downloaded run SophosInstall.exe
   Note: Click Yes to the security warning.
9 On the
click Next
10 Once the compatibility checks are complete click Next
11 Click Install
   Note: Continue on to the next step while the installer runs in the background.
12 Switch back to Sophos Central in Chrome


13 Select CONFIGURE > System Settings in the left-hand menu
14 Tamper Protection
15 Toggle Tamper Protection off using the switch then click Save
16 Switch back to the installer and click Finish once the installation is complete
   Note: This may take up to 15 minutes to complete. You can continue with the labs while the installation takes place.

Task 5 Publish Servers Using Business Application Rules
Create a Business Application Rule to allow HTTP traffic to Store Website in the DMZ, and another Business Application Rule to
allow RDP traffic to London Client.

Instructions Notes

On New York DC
1 Open Chrome and navigate to http://store.sophos.www
   Note: Confirm that you are not able to access the website.

On London DC
2 Login to the WebAdmin of London Gateway 1 as admin
3 Select PROTECT > Web Server in the left-hand menu
4 Click Add
5 Configure the web server with the following settings:

Setting Value

Name SophosStore

Description Store website in London DMZ

Host SophosStore

Type Plaintext (HTTP)

Port 80

Keep alive ON

Timeout 300

Disable backend connection pooling OFF

6 Click Save
7 Select PROTECT > Firewall in the left-hand menu
8 Click the icon and select Below (Business Application Rule)
   Note: Use this method to insert firewall rules into the optimal position.


9 Configure the rule with the following settings:
   Note: +
   to add it to the list. Leave all of the other settings as default.

   Setting                Value
   About This Rule
   Application Template   Web Server Protection (WAF)
   Rule Name              Store Website
   Description            Access to the store website from the Internet
   Hosted Server
   Hosted Address         #PortB
   HTTPS                  OFF
   Redirect HTTP          OFF
   Listening Port         80
   Domains                store.sophos.www
   Protected Server(s)
   Path-specific routing  Deselect
   SophosStore            Select

10 Click Save
   Note: Notice the icon to the left of the rule you created indicating that it is a Business Application Rule.

On New York DC
11 Open Chrome and navigate to http://store.sophos.www
   Note: Confirm that you can access the website.
12 Open Remote Desktop Connection from the Start screen and connect to lon-gw1.sophos.www:7000
   Note: Confirm that you cannot connect.

On London DC
13 Click + Add Firewall Rule > Business Application Rule


14 Configure the rule with the following settings:
   Note: Leave the other settings as default.

Setting Value

About This Rule

Application Template DNAT/Full NAT/Load Balancing

Rule Name London Client RDP

Description RDP access to London Client

Rule Position Bottom

Source

Source Zones Any

Allow client Networks New York Gateway External

Destination & Service

Destination Host/Network #PortB-10.1.1.100

Forward Type Port

Service Port(s) forwarded 7000

Protocol TCP

Forward To

Protected Server(s) LondonClient

Protected Zone LAN

Change Destination Port(s) Selected

Mapped Port Type Port

Mapped Port 3389

Log Traffic

Log Firewall Traffic ON

15 Click Save

On New York DC
16 Open Remote Desktop Connection from the Start screen and connect to lon-gw1.sophos.www:7000
17 Login as SOPHOS\jsmith, using password Sophos1985
   Note: Confirm that you can connect to London Client.
18 Logout of London Client

Task 6 Configure IPS Policies
Configure an IPS policy and apply it to a business application firewall rule.

Instructions Notes


On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Intrusion Prevention in the left-hand menu
3 Select the IPS Policies tab
4 Click Add
5 Do not select to clone rules.
6 Click Save
7 Click Store Website to edit the policy
8 Click Add
9 Apache Linux Server Sev 4
10 -hand side deselect Select All
11 Select the following signature criteria on the left-hand side:

Setting Value

Category

Apache HTTP Server Select

Severity

1 Critical Select

2 Major Select

3 Moderate Select

4 - Minor Select

5 Warning Deselect

Platform

Linux Select

Target

Server Select

12 Click Save then click Save again
13 Select PROTECT > Firewall in the left-hand menu
14 Click on the Store Website rule to expand it
15 Click the Edit icon
16 Store Website
17 Click Save

Task 7 Enable Advanced Threat Protection
Enable Advanced Threat Protection on the XG Firewall and trigger an event.


Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Advanced Threat in the left-hand menu
3 ON
4 -down select Log and Drop
5 Click Apply
6 Open a new tab in Chrome and navigate to http://sophostest.com/callhome
   Note: Access to this page should be blocked.
7 Close the tab and switch back to the WebAdmin, then select Control Center in the left-hand menu
8

9
Click on the alert icon
10 Write down the name of the threat that was detected:
______________________________________________

Task 8 Enable DoS (Denial of Service) and Spoof Protection
Enable DoS and spoof protection and use it to protect against a SYN flood.

Instructions Notes

On London Client
1 Open Chrome and navigate to http://blog.internet.www
   Note: Confirm you are able to reach the Sophos website.

On London DC
2 Open Command Prompt from the Start screen
3 Run the following command: ipconfig /all
4 Write down
______________________________________________

5 Login to the WebAdmin of London Gateway 1 as admin
6 Select SYSTEM > Administration in the left-hand menu


7 Select the Device Access tab
8 HTTPS column
   Note: This enables access to the WebAdmin from the WAN zone. We are enabling it here as a method of recovery in case you become locked out during this task.
9 Click Apply then click OK
10 Select PROTECT > Intrusion Prevention in the left-hand menu
11 Select the DoS & Spoof Protection tab
12 Add
13 Enter the MAC Address you wrote down at the beginning of this task
14 Static
15 Enter 172.16.16.10
16 Click Save
17 Add
18 Enter the MAC Address 00-50-56-00-00-00
   Note: This is not the correct MAC address for the London Client and so will be detected by the spoof protection.
19 Static
20 Enter 172.17.17.20
21 Click Save
22 Configure
information:

   Setting                             Value
   Enable Spoof Prevention             Select
   Restrict Unknown IP on Trusted MAC  Select

23
   • IP Spoofing
   • MAC Filter
   • IP-MAC Pair Filter
24 Click Apply then click OK
   Note: If you have made a mistake with the trusted MAC addresses you will lose access to the WebAdmin. To correct your settings login to New York DC and connect to the WebAdmin at https://lon-gw1.sophos.www:4444.
25 select all of the Apply Flag checkboxes
26 Click Apply then click OK
27 Review the settings available in this section
   Note: In particular review the options available for each of the DoS attack types.


On London Client
28 Refresh the webpage http://blog.internet.www
   Note: Confirm that you can no longer access the website.

On Internet
29 Login as root
   Note: The password is Sophos1985. Press the Ctrl key to see the login prompt.
30 Run the following command:
   hping3 -S --flood -V lon-gw1.sophos.www
   Note: This command will perform a basic SYN flood on London Gateway 1. More information about SYN floods can be found online at https://en.wikipedia.org/wiki/SYN_flood
31 Wait for around one minute then press CTRL + C to terminate the command

On London DC
32 Switch back to the WebAdmin
33 Select the DoS Attacks tab
34 Confirm that the SYN Flood traffic was dropped
Source
35 Select the DoS & Spoof Protection tab
36 Deselect Enable Spoof Prevention
37 Click Apply then click OK

On London Client
38 Refresh the webpage http://blog.internet.www
   Note: Confirm that you can access the website.
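The trusted MAC list and the three spoof filters enabled in steps 12-26 can be reasoned about as a short chain of per-frame checks, which also makes the lock-out warning in step 24 concrete. The Python below is an added example, not part of the workbook or of XG Firewall: it models that chain with the two entries from this task, using a constructed placeholder for the London DC MAC (the real one is whatever you wrote down in step 4) and a constructed MAC for the London Client. The exact meaning given to each filter is a simplified interpretation for teaching purposes, not the appliance's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Trusted MAC list as entered in steps 12-21.  The London DC MAC is the one written
# down in step 4; here it is a constructed placeholder value.
TRUSTED_MACS = {
    "00-50-56-AA-AA-AA": "172.16.16.10",  # London DC (placeholder MAC)
    "00-50-56-00-00-00": "172.17.17.20",  # deliberately wrong MAC for London Client
}

# Subnet behind each LAN interface (from Lab 1), used by the IP spoofing check.
INTERFACE_SUBNETS = {"PortA": "172.16.16.0/24", "PortC": "172.17.17.0/24"}


@dataclass
class SpoofSettings:
    """The checkboxes from steps 22-23; all selected, as in the lab."""
    enable_spoof_prevention: bool = True
    restrict_unknown_ip_on_trusted_mac: bool = True
    ip_spoofing: bool = True
    mac_filter: bool = True
    ip_mac_pair_filter: bool = True


@dataclass
class Frame:
    ingress: str   # interface the frame arrived on
    src_mac: str
    src_ip: str


def check_frame(frame: Frame, settings: SpoofSettings, trusted=TRUSTED_MACS) -> str:
    """Return 'allow' or 'drop:<check>' naming the first check the frame fails.

    Interpretation used here (a simplified model, not the appliance's code):
      ip_spoofing        - source IP must belong to the ingress interface's subnet
      mac_filter         - source MAC must appear in the trusted MAC list
      ip_mac_pair_filter - an IP bound to a trusted MAC may only be used by that MAC
      restrict_unknown_ip_on_trusted_mac - a trusted MAC may only use its bound IP
    """
    if not settings.enable_spoof_prevention:
        return "allow"   # step 36: deselecting the master switch disables everything
    mac = frame.src_mac.upper().replace(":", "-")
    bound_ip = trusted.get(mac)
    bound_mac = next((m for m, ip in trusted.items() if ip == frame.src_ip), None)

    if settings.ip_spoofing:
        subnet = ip_network(INTERFACE_SUBNETS[frame.ingress])
        if ip_address(frame.src_ip) not in subnet:
            return "drop:ip_spoofing"
    if settings.mac_filter and bound_ip is None:
        return "drop:mac_filter"
    if settings.ip_mac_pair_filter and bound_mac is not None and bound_mac != mac:
        return "drop:ip_mac_pair_filter"
    if settings.restrict_unknown_ip_on_trusted_mac and bound_ip is not None and bound_ip != frame.src_ip:
        return "drop:restrict_unknown_ip_on_trusted_mac"
    return "allow"


def admin_lockout_risk(trusted: dict, admin_mac: str, admin_ip: str, ingress: str) -> bool:
    """True if the administrator's own workstation would be dropped by the list.

    This is the mistake step 24's note warns about, and the reason WAN-side HTTPS
    access was enabled in step 8 as a recovery path.  Run it before clicking Apply.
    """
    verdict = check_frame(Frame(ingress, admin_mac, admin_ip), SpoofSettings(), trusted)
    return verdict != "allow"


if __name__ == "__main__":
    # Constructed frames: London DC on PortA, London Client (real MAC unknown to the
    # list) on PortC, and a trusted MAC that has changed its address.
    for frame in [Frame("PortA", "00-50-56-AA-AA-AA", "172.16.16.10"),
                  Frame("PortC", "00-50-56-BB-BB-BB", "172.17.17.20"),
                  Frame("PortA", "00-50-56-AA-AA-AA", "172.16.16.99")]:
        print(frame, "->", check_frame(frame, SpoofSettings()))
    typo_list = {"00-50-56-AA-AA-AB": "172.16.16.10"}   # one hex digit wrong
    print("lock-out risk with typo list:",
          admin_lockout_risk(typo_list, "00-50-56-AA-AA-AA", "172.16.16.10", "PortA"))
```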

Task 9 Configure Security Heartbeat
Enable Security Heartbeat and configure a minimum heartbeat for a network rule.

Instructions Notes


On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Configure
3 Enter the email address and password you used to register for the Sophos Central evaluation then click Register
   Note: Wait for the registration to complete.
4 LAN
5 Click Apply
6 Select PROTECT > Firewall in the left-hand menu
7 Click on the #Default_Network_Policy rule to expand it
8 Click the Clone icon and select Clone Above
9 Modify the following settings:

Setting Value

Rule Name User Internet Access

Source

Zone LAN

Source Networks and Devices London Client LAN

Advanced

Minimum Source HB Yellow
Permitted

10 Click Clone
11 Click on the Intranet Zone Access rule to expand it
12 Click the Clone icon and select Clone Above
13 Modify the following settings:
   Note: This rule will only apply to computers connected to the 172.17.17.0/24 subnet.

Setting Value

Rule Name User Intranet Zone Access

Source

Source Networks and Devices London Client LAN

Advanced

Minimum Source HB Green
Permitted

Block clients with no heartbeat Select

14 Click Clone
   Note: Notice that the User Internet Access rule has a red heartbeat icon.
15 Click on the Intranet Zone Access rule to expand it
16 Click the Edit icon


17 Modify the following settings:
   Note: This will only allow servers connected to the 172.16.16.0/24 subnet access to the Intranet zone.

Setting Value

Source

Source Networks and Devices London LAN

18 Click Save
19 Open a new tab in Chrome and navigate to http://intranet.lon.sophos.local
   Note: You should be able to access the website because the London DC is not in the London Client LAN.
20 Select MONITOR & ANALYZE > Control Center in the left-hand menu
   Note: Confirm
   section now shows the icon for one client with a green heartbeat

On London Client
21 Login as SOPHOS\jsmith
   Note: The password is Sophos1985.
22 Open Chrome and navigate to http://intranet.lon.sophos.local
   Note: Confirm you can access the website as London Client has a green heartbeat.
23 Navigate to http://blog.internet.www/download/game.exe
24 Click Proceed
   Note: You should see a notification appear in the bottom-right corner of the screen.
25 Navigate to http://blog.internet.www/
   Note: Confirm you can access the website.
26 Navigate to http://intranet.lon.sophos.local
   Note: Confirm you cannot access the intranet. If the page loads it is a cached copy, press Ctrl + R to reload the page.

On London DC
27 Select MONITOR & ANALYZE > Control Center in the left-hand menu Confirm that the section now shows the icon for one client with a yellow heartbeat.
28 Click on the yellow Security Heartbeat icon Review the information shown
29 Click on the Sophos Central link
30 Sign In with your email address and password
31 Click ANALYZE > Alerts in the left-hand menu
32 Write down the value of the description for the alert for LON-CLIENT:
____________________________________________
____________________________________________


33 Select the checkbox next to the alert and click Clean Up PUA
34 Read the message then click OK
35 Select CONFIGURE > System Settings in the left-hand menu
36 Registered Firewall Appliances Confirm that the Sophos XG Firewall is
active.
37 Write down the name of the Sophos XG Firewall that is registered in Sophos
Central:
____________________________________________

38 Switch back to the WebAdmin If your session has timed out log back in
as admin.
39 Select MONITOR & ANALYZE > Control Center in the left-hand menu
40 Confirm that the section now shows the icon for one client with a green heartbeat This may take 10-15 minutes while the detected PUA is cleaned up.
41 Select SYSTEM > Backup & Firmware in the left-hand menu
42 Click Backup Now Wait for the backup to complete.
43 Click Download
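The rules above combine a source network with a Security Heartbeat requirement, and steps 19-26 then exercise them from London DC and London Client. The following model reproduces those checkpoints; it is an added example, not code from the workbook or from XG Firewall, and the zone names "Intranet" and "WAN", the client address 172.17.17.50 and the drop-on-failed-heartbeat semantics are assumptions.

```python
"""Model of the Security Heartbeat firewall rules built in this task.

Added example, not part of the Sophos workbook or XG Firewall itself.
Rule names, source networks and heartbeat thresholds are the ones from the
workbook tables; the destination zone names "Intranet" and "WAN", the client
address 172.17.17.50 and the evaluation semantics are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Heartbeat health ordered from best to worst. None = no heartbeat received.
HB_RANK = {"Green": 3, "Yellow": 2, "Red": 1}

# Network objects from the lab environment (subnets given in the workbook notes).
NETWORKS = {
    "London LAN": ip_network("172.16.16.0/24"),
    "London Client LAN": ip_network("172.17.17.0/24"),
}


@dataclass
class Rule:
    name: str
    source_networks: list            # names from NETWORKS; empty list = any source
    dest_zone: str                   # assumed zone names: "Intranet", "WAN"
    min_hb: Optional[str] = None     # "Minimum Source HB Permitted"; None = no restriction
    block_no_hb: bool = False        # "Block clients with no heartbeat"


# Rule table in top-to-bottom order after steps 6-18 above. "Clone Above"
# places the copy before the rule it was cloned from, so the heartbeat-aware
# rules are evaluated first.
RULES = [
    Rule("User Intranet Zone Access", ["London Client LAN"], "Intranet",
         min_hb="Green", block_no_hb=True),
    Rule("Intranet Zone Access", ["London LAN"], "Intranet"),
    Rule("User Internet Access", ["London Client LAN"], "WAN", min_hb="Yellow"),
    Rule("#Default_Network_Policy", [], "WAN"),
]


def evaluate(rules, src_ip: str, dest_zone: str, hb: Optional[str]):
    """Return (rule_name, action) for the first rule whose source network and
    destination zone match, then apply that rule's heartbeat requirement.

    Semantics assumed by this model: when the network criteria match but the
    source's heartbeat is below the minimum (or absent while "Block clients
    with no heartbeat" is set) the traffic is dropped by that rule rather
    than falling through to later rules. Unmatched traffic is dropped.
    """
    ip = ip_address(src_ip)
    for rule in rules:
        if dest_zone != rule.dest_zone:
            continue
        if rule.source_networks and not any(ip in NETWORKS[n] for n in rule.source_networks):
            continue
        if hb is None:
            return rule.name, ("drop" if rule.block_no_hb else "accept")
        if rule.min_hb is not None and HB_RANK[hb] < HB_RANK[rule.min_hb]:
            return rule.name, "drop"
        return rule.name, "accept"
    return "(no matching rule)", "drop"


if __name__ == "__main__":
    # Checkpoints from steps 19-26: London DC (no heartbeat, not in the client
    # LAN) reaches the intranet; a green client reaches it; after the PUA
    # download turns the client yellow, Internet is still allowed but the
    # intranet is not. The client address is constructed for this example.
    checks = [
        ("172.16.16.10", "Intranet", None),
        ("172.17.17.50", "Intranet", "Green"),
        ("172.17.17.50", "WAN", "Yellow"),
        ("172.17.17.50", "Intranet", "Yellow"),
        ("172.17.17.50", "WAN", "Red"),
    ]
    for src, zone, hb in checks:
        print(f"{src} -> {zone} (HB={hb}): {evaluate(RULES, src, zone, hb)}")
```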

Review
You have now successfully:
1. Configured logging
2. Created network firewall rules
3. Installed the SSL CA certificate
4. Installed Sophos Central
5. Published servers using Business Application Rules
6. Configured IPS policies
7. Enabled Advanced Threat Protection
8. Enabled DoS and spoof protection
9. Configured Security Heartbeat


Lab 3 Site-to-Site Connections
Objectives
Upon successful completion of this lab you will be able to:
1. Configure an SSL site-to-site VPN
2. Configure an IPsec site-to-site VPN

Task 1 Create an SSL Site-to-Site VPN
Create a simple SSL site-to-site VPN and the firewall rules required to allow traffic to flow.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Routing in the left-hand menu
3 Click the Delete icon next to the IPv4 Unicast Route then click OK This deletes the static route for the
simulated MPLS connection.
4 Open a new tab in Chrome and navigate to http://ny-dc.sophos.local Confirm that you cannot access this
site.
5 Switch back to the WebAdmin
6 Select CONFIGURE > VPN in the left-hand menu
7 Select the SSL VPN (Site to Site) tab
8 Add
9 Configure the server connection with the following settings:

Setting Value

Connection Name NewYork

Description Site-to-site VPN to New York

Use Static Virtual IP Address Deselected

Local Networks London LAN
London Client LAN

Remote Networks NewYork LAN

10 Click Save
11 Click the Download icon for the NewYork VPN connection
12 Select Encrypt Configuration File
13 Enter and confirm the password Sophos1985


14 Click Download
15 Open a new tab and navigate to https://ny-gw.sophos.www:4444
16 Login to the WebAdmin of New York Gateway as admin
17 Select CONFIGURE > Routing in the left-hand menu
18 Click the Delete icon next to both of the IPv4 Unicast Routes then click OK This deletes the static route for the
simulated MPLS connection.
19 Select CONFIGURE > VPN in the left-hand menu
20 Select the SSL VPN (Site to Site) tab
21 Add
22 Configure the VPN connection with the following settings: If the configuration file has not been
configuration file is encrypted.

Setting Value

Connection Name London

Description Site-to-site VPN to London

Configuration File C:\Users\Administrator\Downloads\
server_NewYork.epc

Password Sophos1985

Use HTTP Proxy Server Deselected

Override Peer Hostname Deselected

23 Click Save
24 Click the SSL VPN (Site to Site) tab to refresh the page Confirm that the connection indicator
has turned green.
25 Select PROTECT > Firewall in the left-hand menu
26 Click + Add Firewall Rule > User / Network Rule


27 Configure the rule with the following configuration: Leave all of the other settings as
default.
Setting Value

About This Rule

Rule Name To VPN

Description Allow traffic to the VPN zone

Rule Position Top

Action Accept

Source

Zone LAN

Destination

Zone VPN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select

28 Click Save
29 Click + Add Firewall Rule > User / Network Rule
30 Configure the rule with the following configuration: Leave all of the other settings as
default.
Setting Value

About This Rule

Rule Name From VPN

Description Allow traffic from the VPN zone

Rule Position Top

Action Accept

Source

Zone VPN

Destination

Zone LAN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select

31 Click Save
32 Close the tab with the New York Gateway WebAdmin
33 Switch back to the London Gateway 1 WebAdmin Note: Ensure you are accessing the
correct XG Firewall.


34 Select PROTECT > Firewall in the left-hand menu
35 Click + Add Firewall Rule > User / Network Rule
36 Configure the rule with the following configuration: Leave all of the other settings as
default.
Setting Value

About This Rule

Rule Name To VPN

Description Allow traffic to the VPN zone

Rule Position Top

Action Accept

Source

Zone LAN

Destination

Zone VPN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select

37 Click Save
38 Click + Add Firewall Rule > User / Network Rule
39 Configure the rule with the following configuration: Leave all of the other settings as
default.
Setting Value

About This Rule

Rule Name From VPN

Description Allow traffic from the VPN zone

Rule Position Top

Action Accept

Source

Zone VPN

Destination

Zone LAN

Identity

Match known users Deselect

Log Traffic

Log Firewall Traffic Select

40 Click Save


41 Open a new tab in Chrome and navigate to http://ny-dc.sophos.local Confirm that you can access this site.
You can test the VPN in the other direction by browsing to http://lon-dc.sophos.local on New York DC.
42 Switch back to the London Gateway 1 WebAdmin
43 Select CONFIGURE > VPN in the left-hand menu
44 Select the SSL VPN (Site to Site) tab
45 Toggle the VPN OFF then click OK

On New York DC
46 Login to the WebAdmin of New York Gateway as admin
47 Select CONFIGURE > VPN in the left-hand menu
48 Select the SSL VPN (Site to Site) tab
49 Toggle the VPN OFF then click OK
50 Open a new tab in Chrome and navigate to http://lon-dc.sophos.local Confirm that you cannot access this
site.

Task 2 Create an IPsec Site-to-Site VPN
Create an IPsec site-to-site VPN between the London and New York offices.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > VPN in the left-hand menu
3 Add


4 Configure the VPN with the following settings:

Setting Value

General Settings

Name NewYork

Description Site-to-site connection to New York

Connection Type Site-to-Site

Policy DefaultHeadOffice

Action on VPN Restart Respond Only

Authentication Details

Authentication Type Preshared Key

Preshared Key Sophos1985

Endpoint Details

Local PortB - 10.1.1.100

Remote 10.2.2.200

Network Details

IP Family IPv4

Local

Local Subnet London LAN
London Client LAN

Local ID DNS lon-gw1.sophos.www

Remote

Allow NAT Traversal Deselected

Remote LAN Network New York LAN

Remote ID DNS ny-gw.sophos.www

5 Click Save then click OK
6 Click on the red OK

On New York DC
7 Login to the WebAdmin of New York Gateway as admin
8 Select CONFIGURE > VPN in the left-hand menu
9 Add


10 Configure the VPN with the following settings:

Setting Value

General Settings

Name London

Description Site-to-site connection to London

Connection Type Site to Site

Policy DefaultBranchOffice

Action on VPN Restart Initiate

Authentication Details

Authentication Type Preshared Key

Preshared Key Sophos1985

Endpoint Details

Local PortB - 10.2.2.200

Remote 10.1.1.100

Network Details

IP Family IPv4

Local

Local Subnet New York LAN

Local ID DNS ny-gw.sophos.www

Remote

Allow NAT Traversal Deselected

Remote LAN Network London LAN
London Client LAN

Remote ID DNS lon-gw1.sophos.www

11 Click Save then click OK
12 Click on the red OK Wait for the VPN to establish and the
icon to turn green.
13 Click on the Information icon next to the connection indicator
14 Write down the network mappings created for the VPN:
______________________________________________
______________________________________________

15 Click Close
16 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local Confirm that you can access this site.
Note: The traffic is allowed due to the
VPN firewall rules created in the
previous task.
17 Switch back to the WebAdmin
18 Click the green OK


19 Select SYSTEM > Backup & Firmware in the left-hand menu
20 Click Backup Now Wait for the backup to complete.
21 Click Download

On London DC
22 Switch back to the WebAdmin
23 Click the green OK
24 Select SYSTEM > Backup & Firmware in the left-hand menu
25 Click Backup Now Wait for the backup to complete.
26 Click Download

Review
You have now successfully:
1. Configured an SSL site-to-site VPN
2. Configured an IPsec site-to-site VPN


Lab 4 Authentication
Objectives
Upon successful completion of this lab you will be able to:
1. Configure Active Directory Authentication
2. Configure Sophos Transparent Authentication Suite
3. Configure User-based policies including Security Heartbeat
4. Configure One Time Passwords

Task 1 Configure an Active Directory Authentication Server
Configure an Active Directory server on London DC, import the groups and test user authentication.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Click Add
4 Configure the authentication server with the following settings:

Setting Value

Server Type Active Directory

Server Name LondonDC

Server IP/Domain 172.16.16.10

Port 389

NetBIOS Domain SOPHOS

ADS Username Administrator

Password Sophos1985

Connection Security Simple

Display Name Attribute displayName

Email Address Attribute mail

Domain Name SOPHOS.LOCAL

5 Add link
6 Enter dc=SOPHOS,dc=LOCAL then click Add
7 Click Test Connection You should see a message appear that
the connection was successful.


8 Click Save
9 Click the Import icon This will open the Group Import Wizard.
10 Click Start
11 Select dc=SOPHOS,dc=LOCAL then click the blue Next icon
12 Expand Sophos Users
13 Expand the child organizational units and select the following groups: Do not select the OUs, just the groups.
• Technical Support
• Sales
• Marketing
• IT
14 Click the blue Next icon three times
15 Click OK
16 Click Close
17 Select the Users tab Note that there are no users listed.
18 Select the Services tab
19 Select LondonDC
20 Click Apply then click OK
21 In a new browser tab navigate to http://lon-gw1.sophos.local:8090 This will open the Captive Portal.
22 In the Captive portal login as jsmith The password is Sophos1985.
By logging in as John Smith the user
will be added to the device.
23 Click Logout
24 In the Captive portal login as frogers The password is Sophos1985.
25 Switch back to the WebAdmin
26 Click Log Viewer in the top-right
27 In the drop-down field select Verify that the login events are present.
28 Close the Log Viewer window
29 Select the Users tab
30 Write down the group name for the following users:
Fred Rogers:
____________________________________________
John Smith:
____________________________________________

31 Select MONITOR & ANALYZE > Current Activities in the left-hand menu
32 Write down
____________________________________________

33 Switch back to the Captive Portal tab
34 Click Logout


Task 2 Configure Single Sign-On Using STAS
Configure Sophos Transparent Authentication Suite to provide single sign-on at the London office.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Select the STAS tab
4 ON
5 Click Activate STAS User inactivity on the XG Firewall is for
when STAS is unable to use WMI for
logoff detection. We do not need to use
it in this environment.
6 Click Add New Collector
7 172.16.16.10 then click Save
8 Select the Client Downloads tab You will need to select the ellipses on the right-hand side of the menu.
9 Click Sophos Transparent Authentication Suite (STAS)
10 Click Keep to the browser warning at the bottom of the screen
11 Once the download is complete run the file Click Run to the security warning.
12 Click Next Note the location of the installation
folder.
13 Click Next three times and then click Install
14 Select SSO Suite then click Next This will install both the STA Collector
and STA Agent on London DC.
15 Enter the login details for SOPHOS\STAS then click Next The password is Sophos1985.
STAS is an administrative user with
logon as a service rights.
16 Click Finish This completes the client installation.
17 Run Sophos Transparent Authentication Suite from the desktop shortcut
18 Start to start the service.
19 Click Start The service should now start
successfully.
20 Select the Exclusion List tab
21 Click Add
22 Type STAS then click OK
23 Select the STA Collector tab
24 172.16.16.16
25 Select the STA Agent tab


26
• 172.16.16.0/24
• 172.17.17.0/24
27 Select the General tab
28 Configure the following settings:

Setting Value

NetBIOS Name SOPHOS

Fully Qualified Domain Name SOPHOS.LOCAL

29 Click OK
30 Click Yes to restart the service
31 Open Administrative Tools from the Start screen
32 Open Local Security Policy
33 Select Security Settings > Local Policies > Audit Policy in the left-hand pane
34 In the right-hand pane double-click Audit account logon events
35 Select both Success and Failure then click OK You can then close the Local Security
Policy.
36 Switch back to the WebAdmin of London Gateway 1
37 Select CONFIGURE > System Services in the left-hand menu
38 Select the Services tab
39 Click Restart OK This will clear the cached authentication
status on the XG Firewall.

On London Client
40 Login as SOPHOS\frogers You may need to logout from jsmith
first.
The password is Sophos1985.
Note: You will need to switch to using
the console connection in CloudShare.

On London DC
41 Switch back to the WebAdmin of London Gateway 1
42 Select MONITOR & ANALYZE > Current Activities in the left-hand menu
43 Write down
____________________________________________


On London Client
44 Logout of London Client

Task 3 User-Based Policies
Create a simple user-based policy.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Firewall in the left-hand menu
3 Click on the User Intranet Zone Access rule to expand it
4 Click the Edit icon
5 Modify the following settings: We are selecting the option to exclude this activity from data accounting so that any use of the intranet does not count towards any quotas set.

Setting Value

Identity

Match known users Select

Show captive portal to unknown users Select

Users or Groups Technical Support
Sales
Marketing
IT

Exclude this user activity from data accounting Select

6 Click Save
7 Click on the User Internet Access rule to expand it
8 Click the Edit icon


9 Modify the following settings:

Setting Value

Identity

Match known users Select

Show captive portal to unknown users Select

Users or Groups Technical Support
Sales
Marketing
IT

Exclude this user activity from data accounting Deselect

10 Click Save

On London Client
11 Log in as SOPHOS\jsmith
12 Open Chrome and navigate to http://blog.internet.www
13 Click Downloads at the top of the page
14 Click large.file Wait for the download to complete.

On London DC
15 Select CONFIGURE > Authentication in the left-hand menu
16 Select the Users tab
17 Click John Smith
18 Click the View Usage button at the bottom of the page
19 Confirm that the 111MB download has been accounted for.

On London Client
20 Open Chrome and navigate to http://intranet.lon.sophos.local/intranet-large.file Wait for the download to complete.

On London DC


21 Select the Users tab
22 Click John Smith
23 Click the View Usage button at the bottom of the page
24 Confirm that the second 111MB download has not been accounted for. This is because we have excluded traffic from accounting.

Task 4 One-Time Passwords
Enable and configure one-time passwords for logging into the User Portal then test this configuration.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Select One-Time Password
4 Click Settings
5 Toggle One-Time Password ON
6 deselect WebAdmin
7 Click Apply
8 Select SYSTEM > Administration in the left-hand menu
9 Select the Device Access tab
10 User Portal column
11 Click Apply then click OK

On New York DC
12 Open authenticator from the Desktop
13 Open Chrome and navigate to https://lon-gw1.sophos.www
14 Login as jsmith The password is Sophos1985.
15 Select Ctrl + C to copy it to the clipboard
16 Switch to Authenticator and click the Add New Token button
17 Click Add Token Manually
18 Select the value of the Ctrl + V to paste the token secret
19 Jsmith XG


20 Click the pencil Edit icon in the top-right to finish editing the token You can end up with two tokens. If this
happens, you can remove the bottom token, which will be missing the secret configuration, by clicking the Edit icon then the Delete icon.
21 Switch back to the User Portal and click Proceed to Login
22 Login as jsmith using the password and the token The password is Sophos1985 and the current token will be displayed in the Authenticator app. The token should be appended to the password with no spaces.
If you are unable to log in this may be caused by a time difference between London DC and New York DC. To resolve this, click the OTP time-offset synchronization icon next to the token on London Gateway 1 and enter the current token code. London Gateway 1 can then compensate for the time difference.
23 Keep the authenticator application open for a later lab

On London DC
24 Switch back to the WebAdmin of London Gateway 1
25 On the One-Time Password page, click Settings
26 Toggle One-Time Password OFF
27 Click Apply
28 Select SYSTEM > Backup & Firmware in the left-hand menu
29 Click Backup Now Wait for the backup to complete.
30 Click Download
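The note on step 22 describes two details worth seeing in code: the token appended to the password with no spaces, and the time-offset synchronization that rescues a login when the authenticator's clock differs from London Gateway 1. The following is an added example (not the workbook's or XG Firewall's code) implementing RFC 6238 TOTP with both; the token secret, the timestamps and the one-step acceptance window are assumptions.

```python
"""One-time passwords as used for the User Portal login in this task:
RFC 6238 TOTP, the workbook's "password + token, no spaces" convention, and
the time-offset synchronization that fixes a clock difference between the
authenticator host and the firewall.

Added example, not part of the Sophos workbook or XG Firewall. The token
secret, the timestamps and the +/-1 step acceptance window are assumptions;
only the password Sophos1985 and the no-spaces convention come from the lab.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30                        # seconds per TOTP step
DIGITS = 6
PASSWORD = "Sophos1985"          # jsmith's password from the workbook

# Constructed base32 token secret for this example (not from the workbook).
SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def totp(key: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """HMAC-SHA1 TOTP (RFC 6238 on top of RFC 4226 dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def split_password_and_token(entered: str, digits: int = DIGITS):
    """Workbook convention: the token is appended to the password with no
    spaces, so the last `digits` characters must be the token."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


def verify(key: bytes, entered: str, server_time: int,
           known_offset: int = 0, window: int = 1) -> bool:
    """Accept password+token when the token matches one of the steps within
    +/-window of the server clock corrected by the stored time offset."""
    parts = split_password_and_token(entered)
    if parts is None:
        return False
    password, token = parts
    if not hmac.compare_digest(password, PASSWORD):
        return False
    base = server_time + known_offset
    return any(hmac.compare_digest(totp(key, base + k * STEP), token)
               for k in range(-window, window + 1))


def find_time_offset(key: bytes, token: str, server_time: int,
                     max_steps: int = 20):
    """The time-offset synchronization step: the user submits the token the
    authenticator currently shows, the server searches nearby steps and
    stores the offset (in seconds) it finds, or None if nothing matches."""
    for k in range(-max_steps, max_steps + 1):
        if hmac.compare_digest(totp(key, server_time + k * STEP), token):
            return k * STEP
    return None


if __name__ == "__main__":
    gateway_now = 1485000000                 # constructed London Gateway 1 clock
    authenticator_now = gateway_now - 300    # authenticator host five minutes behind
    token = totp(SECRET, authenticator_now)
    print("login without sync:", verify(SECRET, PASSWORD + token, gateway_now))
    offset = find_time_offset(SECRET, token, gateway_now)
    print("offset found (s):", offset)
    print("login with sync:", verify(SECRET, PASSWORD + token, gateway_now,
                                     known_offset=offset))
```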

Review
You have now successfully:
1. Configured Active Directory Authentication
2. Configured Sophos Transparent Authentication Suite
3. Configured User-based policies including Security Heartbeat
4. Configured One Time Passwords


Lab 5 Web Protection and Application Control
Objectives
Upon successful completion of this lab you will be able to:
1. Create custom web categories and user activities to use in a web policy
2. Create a custom web policy that applies different actions to groups of users
3. Create a surfing quota for guest users
4. Configure an application filter policy

Task 1 Create Custom Web Categories and User Activities
Create custom web categories and user activities that will be used in a web policy.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the Categories tab
4 Click Add
5 Configure the web category with the following settings:

Setting Value

Name Keyword filter

Description Keywords for unproductive web
browsing

Classification Unproductive

Configure Category Local

Domain/Keyword <blank> toys
games

6 Click Save
7 Select User Activities tab
8 Click the Edit


9 Add the following categories:
• Keyword filter
• Audio Files
• Video Files
10 Click Save then click Save for all
11 Click Add
12 Configure the user activity with the following settings:

Setting Value

Name Controlled Categories

Category Hacking
Download Freeware & Shareware

13 Click Save

Task 2 Create a Custom Web Policy
Create and test a web policy that applies different actions to users of groups.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Click the Clone
4 Change the name of the policy to Custom Workplace Policy
5 Click Add Rule This will be added to the top of the list of

6 Configure the new rule with the following settings:

Setting Value

Users Anybody

Activities Unproductive Browsing

Action Warn

Status ON

7 Click Add Rule


8 Configure the new rule with the following settings:

Setting Value

Users Anybody

Activities Controlled Categories

Action Block

Status ON

9 Click on the Clone icon and select Clone Rule Above
10 IT
11 Warn
12 Click Save
13 Select PROTECT > Firewall in the left-hand menu
14 Click the Edit firewall rule
15 Scroll
16 Custom Workplace Policy
17 Click Save
18 Select PROTECT > Web in the left-hand menu
19 Select the User Notifications tab
20 Use custom warn message
21 Replace the text: You can copy and paste text into the virtual machine via the Machine Clipboard icon in CloudShare.
Your organization's Internet access policy suggests you should not be visiting this website.

With the following text:
It is likely that visiting this website is against company policy. If you have a business need to use this website and you have reason to believe that it is safe to do so you can choose to proceed.

22 Click Apply

On London Client
23 Open Chrome and navigate to http://bing.com John Smith should be able to access
this site.
If you are prompted to authenticate with
the Captive Portal, login as jsmith.
24 Navigate to http://sophostest.com/downloads This site should be blocked for John


25 Navigate to http://games.internet.www John Smith should receive a warning

activity.
26 Navigate to the Captive Portal https://lon-gw1.sophos.local:8090 If you used the Captive Portal to login,
click Logout
27 Login as lfox The password is Sophos1985.
Lucy Fox is in IT.
28 Open a new tab and navigate to http://bing.com Lucy Fox should be able to access this
site.
Do not close the tab you logged in on as
you will use this to logout. If you need to
get back to this tab the URL is
https://lon-gw1.sophos.local:8090.
29 Navigate to http://sophostest.com/downloads This site should be allowed with a
warning for Lucy Fox because it is in

30 Navigate to http://games.internet.www Lucy Fox should receive a warning for

31 Switch Logout

Task 3 Create a Surfing Quota for Guest Users
Configure a surfing quota for guest users. Create a guest user and login as that user.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the Surfing Quotas tab Review the default Surfing Quotas that
are preconfigured.
4 Click Add
5 Configure the Surfing Quota with the following settings:

Setting Value

Name Guest User Surfing Quota

Description 6 hours, non-cyclic

Cycle Type Non-Cyclic

Validity Unlimited

Maximum Hours 6 Hour(s)

6 Click Save


7 Select CONFIGURE > Authentication in the left-hand menu
8 Select the Groups tab
9 Click Guest Group
10 Guest User Surfing Quota
11 Click Save
12 Select the Guest Users tab
13 Click Add Multiple
14 Enter the following details:

Setting Value

Number of Users 5

User Validity (Duration in Days) 1

Validity Start After First Login

15 Click Add
16 Select the checkbox for guest-00001 then click Print
17 Write down the username and password for the guest user:

Username
____________________________________________

Password
____________________________________________

18 Click Cancel
19 Open a new tab and navigate to https://lon-gw1.sophos.local:8090
20 Login as guest-00001 Use the password you wrote down for
this user.
21 Open a new tab and navigate to https://www.google.com
22 Navigate to http://blog.internet.www/download/large.file
23 Switch back to the WebAdmin of London Gateway 1
24 Click guest-00001
25 Click View Usage
26 sections Note: It may take a couple of minutes for this section to update.
27 Switch Logout

Task 4 Create an Application Filter Policy
Create an application filter policy that will block recreational applications such as those for gaming, media streaming and social media.

Instructions Notes


On London DC
1 Open Chrome and navigate to https://www.youtube.com/
2 Click on any video Confirm that the video starts streaming
3 Stop the video
4 Login to the WebAdmin of London Gateway 1 as admin
5 Select PROTECT > Applications > Application Filter in the left-hand menu
6 Click Add
7 Configure the Application Filter with the following settings: Applications will be allowed unless they are explicitly denied.

Setting Value

Name Block Recreational Apps

Template Allow All

8 Click Save
9 Click Block Recreational Apps
10 Click Add
11 Select All
12 Select the following categories:
• Gaming
• General Interest
• P2P
• Streaming Media
• Social Networking
13 Deny
14 Click Save
15 Click Save again
16 Select PROTECT > Firewall in the left-hand menu
17 Click on the #Default_Network_Policy rule to expand it
18 Click the Edit icon
19 Select Block Recreational Apps
20 Click Save
21 Open a new tab in Chrome and navigate to https://www.youtube.com/ Confirm that you are no longer able to
access YouTube.
22 Select SYSTEM > Backup & Firmware in the left-hand menu
23 Click Backup Now Wait for the backup to complete.
24 Click Download


Review
You have now successfully:
1. Created custom web categories and user activities to use in a web policy
2. Created a custom web policy that applies different actions to groups of users
3. Created a surfing quota for guest users
4. Configured an application filter policy

Lab 6 Email Protection
Objectives
Upon successful completion of this lab you will be able to:
1. Enable and configure quarantine digests
2. Configure an Email Protection Policy for MTA mode
3. Encrypt emails that match a Data Control List using SPX
4. Manage quarantined items as a user

Task 1 Enable and Configure Quarantine Digests
Enable and configure quarantine digests.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Email in the left-hand menu
3 Select the Quarantine Digest tab
4 Select Enable Quarantine Digest
5 Configure the digest with the following settings: Configure the quarantine digest to be sent 30 minutes later than the current time of London Gateway 1. This will allow you to receive one in time for the last task in this lab. Important: use the time of the computers in the lab environment, not your local computer.

Setting Value

Email Frequency Daily

Send Mail Daily At 30 minutes later than the current time of London Gateway 1

From Email Address administrator@sophos.local

Display Name Quarantine Digest

Reference User Portal IP PortC

6 Click Apply then click OK


7 Click You can use this to apply the quarantine
digest settings to existing users, and to
edit the email addresses associated
with each user.
8 Select all of the users then click Apply
9 Click OK
10 Select CONFIGURE > Authentication in the left-hand menu
11 Select the Users tab
12 Click John Smith
13 Disable You can enable and disable quarantine
digests per user.
14 Click Save

Task 2 Configure an Email Protection Policy
Create an Email Protection Policy on London Gateway using MTA mode. Test the configuration by sending test emails from a mail
server outside of the SOPHOS.LOCAL network.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin The password is Sophos1985.
2 Select SYSTEM > Administration in the left-hand menu
3 Select the Device Access tab
4 Select the SMTP Relay column on the WAN row You need to do this to be able to accept
email from the Internet in MTA mode.
5 Click Apply and click OK
6 Select PROTECT > Email in the left-hand menu
7 Select the General Settings tab
8 Click Switch to Legacy Mode
9 Click Switch to MTA Mode This step is required for the automatic
firewall rule to be created in PROTECT >
Firewall as it is not added by the
Network Configuration Wizard. This will
be fixed in a future release of XG
Firewall.
10 Scroll
11 lon-gw1.sophos.www
12 Click Apply then click OK
13 Select the Relay Settings tab
14 Add New Item


15 Select LondonDC
16 Click Apply 1 selected items
17 Click Apply
18 Select the Policies tab
19 Click Add Policy > Add SMTP Policy
20 General SMTP Policy
21 Add New Item, then click Create new
22 Configure the address group with the following settings:

Setting Value

Name Sophos Domains

Group Type Email Address/Domain

Type Manual

Email Address(es)/Domain(s) sophos.www
sophos.local

23 Click Save
24 In the drop-down select Static Host
25 LondonDC
26 ON
27 Edit
28 Select Quarantine
29 ON
30 Review the options in this section
31 ON
32 Executable Files
33 None
34 Click Save

On New York DC
35 Open a new tab in Chrome and navigate to http://mail.internet.www
36 Login to SquirrelMail as sspade The password is Sophos1985.
37 Click Compose at the top of the page


38 Write the email with the following details:

Setting Value

To frogers@sophos.www

Subject Normal email

Body This is a normal test email.

Regards,
Sam

39 Click Send
40 Click Compose at the top of the page
41 Write the email with the following details: You can copy and paste text into the virtual machine via the Machine Clipboard icon in CloudShare. The body of this email can also be found in the file C:\Samples\GTUBE.txt.

Setting Value

To frogers@sophos.www

Subject Spam email

Body This is a spam test email.

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

Regards,
Sam

42 Click Send
43 Click Compose at the top of the page
44 Write the email with the following details:

Setting Value

To frogers@sophos.www

Subject Virus email

Body This is a virus test email.

Regards,
Sam

45 Click Choose File
46 Select the file C:\Samples\Eicar.txt then click Open
47 Click Send
48 Click Compose at the top of the page


49 Write the email with the following details:

Setting Value

To frogers@sophos.www

Subject File type email

Body This is a file type test email.

Regards,
Sam

50 Click Choose File
51 Select the file C:\Samples\Script.bat then click Open
52 Click Send
53 Click Compose at the top of the page
54 Write the email with the following details:

Setting Value

To frogers@sophos.www

Subject Encrypted file email

Body This is an encrypted file test email.

Regards,
Sam

55 Click Choose File
56 Select the file C:\Samples\Encrypted.7z then click Open
57 Click Send

On London DC
58 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
59 Login to MailEnable as frogers The password is Sophos1985.
60 Verify that you have received:
• The normal email
• The file type email with the attachment replaced with a text file
61 Switch back to the London Gateway WebAdmin
62 Select the Mail Logs tab
63 Review the actions taken on the test emails
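Steps 35-63 send four test messages through the MTA-mode policy and step 60 records what arrives. The following added example (not the workbook's or XG Firewall's code) models those outcomes over constructed messages; the action names, the executable extension list and quarantine for spam and malware are assumptions, since the extracted steps 26-33 do not show the values selected.

```python
"""Model of the SMTP policy actions tested in steps 35-63: GTUBE spam test,
EICAR malware test, blocked executable file type (attachment replaced with a
text file) and a normal message delivered unchanged.

Added example, not part of the Sophos workbook or XG Firewall's MTA. The
GTUBE string and the test addresses come from the workbook; the action
names, the executable-extension list and "quarantine" for spam and malware
are assumptions of this model. The EICAR file is recognised by its
distinctive name marker only, not by its full signature.
"""
import os
from email.message import EmailMessage

GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
# Assumed contents of the "Executable Files" file-type category.
EXECUTABLE_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".msi", ".scr", ".vbs", ".ps1"}


def build_mail(to: str, subject: str, body: str, attachment=None) -> EmailMessage:
    """Constructed test message like the ones sent from SquirrelMail;
    attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = "sspade@internet.www"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg


def _attachment_bytes(part) -> bytes:
    data = part.get_content()
    return data.encode() if isinstance(data, str) else data


def apply_policy(msg: EmailMessage):
    """Return (action, message_to_deliver); the message is None when the
    mail is quarantined. Checks run in the order spam, malware, file type."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if GTUBE in body:
        return "quarantine:spam", None
    attachments = list(msg.iter_attachments())
    if any(EICAR_MARKER in _attachment_bytes(p) for p in attachments):
        return "quarantine:malware", None

    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        out[header] = msg[header]
    out.set_content(body)
    action = "deliver"
    for part in attachments:
        name = part.get_filename() or "attachment"
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            # Blocked file type: the recipient gets a text note instead.
            notice = f"The attachment {name} was removed: blocked file type.\n"
            out.add_attachment(notice, subtype="plain", filename=name + ".txt")
            action = "deliver:attachment-replaced"
        else:
            out.add_attachment(_attachment_bytes(part),
                               maintype=part.get_content_maintype(),
                               subtype=part.get_content_subtype(), filename=name)
    return action, out


def attachment_names(msg: EmailMessage):
    return [p.get_filename() for p in msg.iter_attachments()]


if __name__ == "__main__":
    to = "frogers@sophos.www"
    samples = [
        build_mail(to, "Normal email", "This is a normal test email.\n\nRegards,\nSam"),
        build_mail(to, "Spam email", f"This is a spam test email.\n\n{GTUBE}\n\nRegards,\nSam"),
        build_mail(to, "Virus email", "This is a virus test email.\n\nRegards,\nSam",
                   ("Eicar.txt", b"(constructed stand-in) " + EICAR_MARKER)),
        build_mail(to, "File type email", "This is a file type test email.\n\nRegards,\nSam",
                   ("Script.bat", b"@echo off\r\necho constructed sample\r\n")),
    ]
    for sample in samples:
        action, delivered = apply_policy(sample)
        names = attachment_names(delivered) if delivered is not None else []
        print(f"{sample['Subject']:>16}: {action} {names}")
```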


Task 3 Configure Data Control and SPX Encryption
Configure a Data Control Policy for emails that you want to encrypt. Create a new SPX Template that enables the SPX Reply Portal and test this configuration by enabling Data Protection in the SMTP policy.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin The password is Sophos1985.
2 Select PROTECT > Email in the left-hand menu
3 Select the Data Control List tab
4 Click Add You can create new Data Control Lists to meet your needs, or modify existing ones.
5 Global CCLs
6 Global For this example we will create a fairly general Data Control List by selecting the signatures that are not country specific.
7 Select all of the filtered signatures
8 Click Save
9 Select the Encryption tab
10 London Gateway 1 External
11 Click Apply
12 Add
13 Configure the template with the following settings: Leave the other settings as default.

Setting Value

Name Recipient Password and Reply Portal

Organization Name Sophos

Password Type Specified by recipient

Enable SPX Reply Portal Enable

14 Click Save
15 Select the Policies tab
16 Click General SMTP Policy
17 ON
18 Financial information
19 Edit
20 Select Accept with SPX

21 In the drop-down box select Recipient Password and Reply Portal
22 Click Save
23 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
24 Login to MailEnable as frogers The password is Sophos1985.
25 Click New > Email Message at the top of the page
26 Write the email with the following details: The body of this email can also be found in the file C:\Samples\Credit Card Details Email.txt.

Setting Value

To sspade@internet.www

Subject Credit card details

Body Hi Sam,

Here are the credit card numbers:
American Express 378282246310005
American Express 371449635398431
American Express Corporate 378734493671000
Australian BankCard 5610591081018250
Diners Club 30569309025904
Diners Club 38520000023237
Discover 6011111111111117
Discover 6011000990139424
JCB 3530111333300000
JCB 3566002020360505
MasterCard 5555555555554444
MasterCard 5105105105105100
Visa 4111111111111111
Visa 4012888888881881
Visa 4222222222222
Dankort (PBS) 76009244561
Dankort (PBS) 5019717010103742
Switch/Solo (Paymentech) 6331101999990016

Regards,
Fred

27 Click Send

On New York DC
28 Open a new tab in Chrome and navigate to http://mail.internet.www
29 Login to SquirrelMail as sspade The password is Sophos1985.

30 Click SPX Registration Request from Sophos
31 Click the link in the email to register You will get a certificate error but it is safe to proceed.
32 Type and confirm the password Sophos-1985 then click Register

On London DC
33 Switch back to the London Gateway WebAdmin
34 Select the Mail Spool tab You will see the email with the status

35 Select the email and click Retry This email would be sent automatically after around 15 minutes.

On New York DC
36 Switch back to SquirrelMail and refresh the inbox
37 Click Credit card details
38 Click the Download link at the bottom of the page
39 Open the downloaded PDF
40 Enter the password Sophos-1985 and click SUBMIT
41 Click the Reply button at the top of the page This button can be used multiple times and is active for 30 days. If the reply button is not present, resend the email from Fred Rogers.
42 Enter a reply message to Fred Rogers then click Send

On London DC
43 Switch back to MailEnable in Chrome
44 Open the email with the subject RE: Credit card details This will be your reply from the SPX Reply Portal.
45 Select SYSTEM > Backup & Firmware in the left-hand menu
46 Click Backup Now Wait for the backup to complete.
47 Click Download
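The test message in this task relies on the Data Control List recognising the credit card numbers in the body. The following Python script is an added example (it is not Sophos code and not the CCL implementation) showing the kind of check such a signature performs: a digit-run pattern combined with the Luhn checksum, so that an order reference or phone number of a similar length does not trigger the policy. The sample body is constructed from the public test numbers used in the lab email plus a non-card digit run; the function names are the example's own.

```python
"""Pattern-plus-checksum detection of card numbers in an email body.

Added example, not Sophos code: a DLP signature for credit cards is not
just a digit-run regex; a checksum (Luhn) is what keeps order numbers and
phone numbers from triggering the policy. This is a simplified stand-in
for that kind of check, run over a constructed body that reuses the
public test numbers from the lab email.
"""
import re
from typing import List, Tuple

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    # Walk right to left; double every second digit and fold >9 back to one digit.
    for idx, d in enumerate(reversed(digits)):
        if idx % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_cards(text: str) -> List[Tuple[str, bool]]:
    """Find digit runs that look like card numbers and tag each with its Luhn result."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        normalised = re.sub(r"[ -]", "", m.group(0))
        hits.append((normalised, luhn_valid(normalised)))
    return hits


def luhn_passing(text: str) -> List[str]:
    """Only the candidates a checksum-aware DLP rule would act on."""
    return [n for n, ok in scan_for_cards(text) if ok]


# Constructed sample body: public test card numbers from the lab email, plus an
# order reference that is long enough to be a candidate but fails the checksum,
# and a phone number that is too short to be a candidate at all.
SAMPLE_BODY = """Hi Sam,

Here are the credit card numbers:
American Express 378282246310005
Discover 6011111111111117
MasterCard 5555555555554444
Visa 4111111111111111
Visa 4222222222222

Order reference 1234567890123, call me on 020 7946 0958.

Regards,
Fred
"""

if __name__ == "__main__":
    for number, ok in scan_for_cards(SAMPLE_BODY):
        print(f"{number:>19}  {'MATCH' if ok else 'checksum fail'}")
```

Running the script lists every candidate digit run and whether it passes the checksum; only the five test card numbers are reported as matches, while the 13-digit order reference is found by the pattern but rejected by Luhn, which is exactly the false positive a checksum-aware list avoids.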

Task 4 User Quarantine Management
Review the methods that users can use to manage their quarantined emails.

Instructions Notes

On London Client
1 Open Chrome and navigate to https://lon-dc.sophos.local/mewebmail
2 Login as frogers The password is Sophos1985.
3 Read the quarantine digest email then click the My Account link for the User Portal The quarantine digest email may not have been sent yet depending on the time you set in task 1.
4 Login as frogers The password is Sophos1985.
5 Select SMTP Quarantine in the left-hand menu
6 Write down which emails are shown in the quarantine:
____________________________________________
____________________________________________
____________________________________________
____________________________________________

7 Write down which emails include a link to release them:
____________________________________________
____________________________________________

8 Click the Release link for one of the emails
9 Switch back to the MailEnable tab and refresh the inbox to confirm that you
have now received the released email

Review
You have now successfully:
1. Enabled and configured quarantine digests
2. Configured an Email Protection Policy for MTA mode
3. Encrypted emails that match a Data Control List using SPX
4. Managed quarantined items as a user

Lab 7: Wireless and Remote Access
Objectives
Upon successful completion of this lab you will be able to:
1. Create a hotspot
2. Configure an SSL remote access VPN

Task 1 Create a Hotspot
Create a hotspot on PortC for the London Client LAN.

Instructions Notes

On London DC
7 Login to the WebAdmin of London Gateway 1 as admin
8 Select PROTECT > Wireless in the left-hand menu
9 Select the Hotspots tab
10 Click Add
11 Configure the hotspot with the following information: Leave the other settings as default.

Setting Value

Name ClientLANHotspot

Interfaces PortC

Hotspot type Voucher

Voucher Definitions 1 Day

Administrative Users jsmith@sophos.local

Redirect to URL after login ON

URL http://store.sophos.www

12 Click Save
13 Open a new tab and navigate to https://lon-gw1.sophos.local
14 Login as jsmith
15 Select Hotspots in the left-hand menu
16 1 Day
17 10
18 Click Create Vouchers

19 Write down one of the voucher codes:
____________________________________________

On London Client

20 Open Chrome and navigate to http://bing.com You will be redirected to the hotspot.
21 Enter the voucher code that you wrote down and click Login Wait to be redirected.
22 Navigate to http://bing.com Confirm you are able to access the website.

On London DC
23 Switch back to the WebAdmin of London Gateway 1
24 Click the Delete OK

Task 2 Configure an SSL Remote Access VPN
Configure an SSL remote access VPN with one-time password authentication, then test the configuration.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > VPN in the left-hand menu
3 Click Show VPN Settings
4 Enter lon-gw1.sophos.www
5 Click Apply then click OK
6 Click Close VPN Settings
7 Select the SSL VPN (Remote Access) tab
8 Click Add

9 Configure the VPN with the following settings: Leave the other settings as default.

Setting Value

General Settings

Name SSL VPN for Sales

Identity

Policy Members Sales

Tunnel Access

Use as Default Gateway Off

Permitted Network Resources (IPv4) London LAN

10 Click Apply then click OK
11 Select CONFIGURE > Authentication in the left-hand menu
12 Select the One-Time Password tab
13 Click Settings
14 Toggle One-Time Password ON
15 SSL VPN Remote Access
16 Click Apply
17 Select the Services tab
18 Same as Firewall
19 Click Apply then click OK

On New York DC
20 Open Chrome and navigate to https://lon-gw1.sophos.www You will get a certificate error; it is safe to proceed.
21 Login as jsmith using the password and the token The password is Sophos1985 and the current token will be displayed in the Authenticator app. The token should be appended to the password with no spaces.
22 Select SSL VPN in the left-hand menu
23 Click Download Client and Configuration for Windows
24 Click Keep at the bottom of Chrome
25 Once the download is complete run jsmith@sophos.local_ssl_vpn_client.exe from the Downloads folder
26 Click Run to the security warning
27 Click Next
28 Click I Agree for the agreement
29 Click Install

30 Click Install to install the SSL VPN network adapter
31 Click Next then click Finish
32 Right-click on the Sophos SSL VPN Client icon in the system tray
33 Click Connect
34 Login as jsmith using the password and the token The password is Sophos1985 and the current token will be displayed in the Authenticator app. The token should be appended to the password with no spaces.
35 In Chrome navigate to http://lon-dc.sophos.local to confirm the VPN is working correctly
36 Open Command Prompt from the Start screen
37 Run tracert -d lon-dc.sophos.local Confirm that the traffic is going via the VPN (10.81.234.*) and not via NY-GW (192.168.16.16).
38 Right-click on the Sophos SSL VPN Client icon in the system tray
39 Click Disconnect

On London DC
40 Select SYSTEM > Backup & Firmware in the left-hand menu
41 Click Backup Now Wait for the backup to complete.
42 Click Download
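Step 37 asks you to confirm from the tracert output that the route to lon-dc.sophos.local goes through the SSL VPN tunnel range (10.81.234.*) and not via NY-GW (192.168.16.16). The following Python script is an added example, not part of the workbook, that automates that check over constructed tracert -d output; the tunnel-side hop address 10.81.234.1, the RTT values, and the function names are assumptions made for the illustration, and the destination 172.16.16.10 is taken from the lab's later tasks.

```python
"""Check that a traceroute to an internal host goes through the VPN tunnel.

Added example, not Sophos code. The lab asks you to eyeball 'tracert -d'
output and confirm the hops are in the SSL VPN range (10.81.234.*) rather
than the local gateway NY-GW (192.168.16.16). This automates that check
over constructed tracert output; the hop addresses are made up to match
the lab's ranges.
"""
import re
from ipaddress import ip_address, ip_network
from typing import List, Optional

VPN_TUNNEL_NET = ip_network("10.81.234.0/24")   # assumed from the lab's 10.81.234.*
LOCAL_GATEWAY = ip_address("192.168.16.16")      # NY-GW in the lab

# tracert -d hop lines look like:  <hop>  <rtt>  <rtt>  <rtt>  <address>
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
TIMEOUT_LINE = re.compile(r"^\s*\d+\s+(\*\s+)+Request timed out")


def parse_hops(tracert_output: str) -> List[Optional[str]]:
    """Return the address of each hop in order; None for a timed-out hop."""
    hops: List[Optional[str]] = []
    for line in tracert_output.splitlines():
        m = HOP_LINE.match(line)
        if m:
            hops.append(m.group(3))
        elif TIMEOUT_LINE.match(line):
            hops.append(None)
    return hops


def route_uses_vpn(tracert_output: str) -> bool:
    """True if the first responding hop is inside the VPN tunnel network
    and the local gateway appears nowhere on the path."""
    hops = [h for h in parse_hops(tracert_output) if h is not None]
    if not hops:
        return False
    if any(ip_address(h) == LOCAL_GATEWAY for h in hops):
        return False
    return ip_address(hops[0]) in VPN_TUNNEL_NET


# Constructed output for a client whose traffic enters the SSL VPN tunnel.
TRACE_VIA_VPN = """
Tracing route to lon-dc.sophos.local [172.16.16.10]
over a maximum of 30 hops:

  1    31 ms    30 ms    31 ms  10.81.234.1
  2    32 ms    31 ms    32 ms  172.16.16.10

Trace complete.
"""

# Constructed output for a client whose traffic is still leaving via NY-GW.
TRACE_VIA_LOCAL_GATEWAY = """
Tracing route to lon-dc.sophos.local [172.16.16.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.16.16
  2     *        *        *     Request timed out.

Trace complete.
"""

if __name__ == "__main__":
    for label, trace in (("vpn", TRACE_VIA_VPN), ("local gw", TRACE_VIA_LOCAL_GATEWAY)):
        print(label, parse_hops(trace), "via VPN" if route_uses_vpn(trace) else "NOT via VPN")
```

The check deliberately fails closed: no parsable hops, or any hop equal to the local gateway, counts as "not via VPN", so a half-established tunnel with a split route is not reported as working.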

Review
You have now successfully:
1. Configured a hotspot
2. Configured an SSL remote access VPN

Lab 8 Reporting
Objectives
Upon successful completion of this lab you will be able to:
1. Run, customize and schedule reports

Task 1 Run, Customize and Schedule Reports
Run reports that are available in XG Firewall

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select MONITOR & ANALYZE > Reports in the left-hand menu
3 Click on the FROM date
4 Select the date you started this course
5 Click Generate
6 section click on HTTP
7 Review the information on this page
8 Click Bookmark in the top-right
9 HTTP Applications
10 Click Save
11 Select the Bookmarks tab Notice that you can select bookmarked
reports organized by group.
12 Click Show Report Settings
13 Select the Report Scheduling tab
14 Click Add

15 Configure the report notification with the following settings: If you select Bookmark, Report Selected allows a bookmarked report to be sent via email.

Setting Value

Name Executive Report

To Email Address administrator@sophos.local

Report Type Report Group

Report Group Executive Report

Sorting Criteria Bytes

Email Frequency Daily

16 -down select the next nearest hour to the current time
17 Click Save When the time for the report to be sent has passed, review the email in MailEnable.
18 Select SYSTEM > Backup & Firmware in the left-hand menu
19 Click Backup Now Wait for the backup to complete.
20 Click Download

Review
You have now successfully:
1. Run, customized and scheduled reports

Lab 9 Troubleshooting
Objectives
Upon successful completion of this lab you will be able to:
1. Use SF Loader tools
2. View the connection table
3. Use the drop-packet-capture command
4. Use the WebAdmin Log View and Packet Capture

Task 1 Use SF Loader Tools
Use the SF Loader tools to review the firmwares that are installed on the device and reset the admin password.

Instructions Notes

On London Gateway 1
1 Login to the console of London Gateway 1 The password is Sophos1985.
2 Type 7 then press Enter
3 Type R then press Enter This will reboot the device.
4 As soon as the device reboots, keep pressing Enter repeatedly until a screen

5 Type 0 then press Enter This will choose SF Loader.
6 Type 3 then press Enter This will open the Appliance Information menu.
7 Write down the following details from Appliance info:
Model:
____________________________________________
FwLoader Version:
____________________________________________
Loaded Firmwares:
____________________________________________

8 Press Enter This will bring you back to the options menu.
9 Type 2 then press Enter This will select the Troubleshoot menu.
10 Type 1 then press Enter This option is used to reset the default admin password.
11 Type 5 then press Enter This will reboot the device.
12 At the password prompt login with the password admin The password has been reset to the default setting of admin.

Task 2 Connection Table
Review the connection table using both the WebAdmin and the command line console.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin The password is admin.
2 Select PROTECT > Firewall in the left-hand menu
3 Click on the #Default_Network_Policy rule to expand it
4 Click the Edit icon
5 SMTP
6 Click Save
7 Select MONITOR & ANALYZE > Diagnostics in the left-hand menu
8 Select the Connection List tab
9 -down select 30 Sec
10 Open Command Prompt from the Start screen and run the command: telnet mail.internet.www 25
11 Switch back to the WebAdmin
12 Click Display Filter
13 Type 25
14 Click Apply then click OK
15 Write down the following details about the connection:
In Interface ______________________________________________
Out Interface ______________________________________________
Source IP ______________________________________________
Destination IP ______________________________________________
Protocol ______________________________________________
Application Name ______________________________________________

16 Switch back to the Command Prompt
17 Type: quit
Then press Enter
18 Switch back to the WebAdmin
19 Click Refresh The connection should disappear from the connection list.
20 Switch back to the Command Prompt
21 Run the command: telnet mail.internet.www 25

On London Gateway 1
22 Login using the admin password The password is admin.
23 Type 4 then press Enter to access the console
24 Run the following command: This is all one command with no line break.
system diagnostics utilities connections v4 show src_ip 172.16.16.10 dest_ip 10.1.1.250
25 Write down the following details about the connection:
proto-no ______________________________________________
reply-dst ______________________________________________

26 Run the following command: exit
27 Type 0 then press Enter

Task 3 Dropped Packet Capture
Use the drop-packet-capture console command to see detailed packet information on packets that the XG Firewall is dropping.

Instructions Notes

On London Gateway 1
28 Login to the console of London Gateway 1 The password is admin.
29 Type 4 then press Enter
30 Run the following command: drop-packet-capture "ip proto 1" This will capture ICMP (IP protocol 1).

On London Intranet
31 Login as root The password is Sophos1985.
32 Run the following command: ping 172.16.16.10

On London Gateway 1
33 When you see the dropped packets being logged press CTRL+C
34 Review the information that is logged
35 Run the following command: exit
36 Type 0 then press Enter

On London Intranet
37 Press CTRL + C

Task 4 Packet Capture
Use the packet capture and Log Viewer in the WebAdmin to see a filtered view of packets relating to a log entry.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select MONITOR & ANALYZE > Diagnostics in the left-hand menu
3 Select the Packet Capture tab
4 Toggle Packet Capture ON
5 Click the Log Viewer link in the top-right
6 Firewall
7 Switch back to the other Chrome window, open a new tab and navigate to https://ny-dc.sophos.local
8 Switch back to the Log Viewer window and click Refresh
9 Locate a log entry from 172.16.16.10 to 192.168.16.30 on port 443
10 Scroll to the right and click the Open PCAP link for that entry
11 You will see the related packet capture entries

12 Click Display Filter and review the settings that have been applied

Review
You have now successfully:
1. Used SF Loader tools
2. Viewed the connection table
3. Used the drop-packet-capture command
4. Used the WebAdmin Log View and Packet Capture

globaltraining@sophos.com