You are on page 1of 7

XG Firewall Features

Sophos XG Firewall ÌÌ Dynamic firewall rule support for endpoint health

(Sophos Security Heartbeat) to automatically isolate
or limit network access to compromised endpoints
ÌÌ Purpose-built user interface with interactive control
center utilizing traffic-light indicators (red, yellow, green) ÌÌ Synchronized Application Control to automatically,
to instantly identify what needs attention at-a-glance identify, classify and control all unknown Mac/
Windows applications on the network
ÌÌ The Control Center offers instant insights into endpoint
health, unidentified Mac and Windows applications, ÌÌ Cloud Application Visibility enables Shadow IT discovery
cloud applications and Shadow IT, suspicious instantly and offers one-click traffic shaping
payloads, risky users, advanced threats, network
ÌÌ Policy test simulator tool to enable firewall rule and web
attacks, objectionable websites, and much more.
policy simulation and testing by user, IP and time of day
ÌÌ Optimized two-clicks-to-anywhere navigation
ÌÌ User Threat Quotient for identifying risky users based
ÌÌ Policy Control Center Widget monitors policy activity on recent browsing behavior and ATP triggers
for business, user and network policies and tracks
ÌÌ Application Risk Meter provides and overall risk factor
unused, disabled, changed and new policies
based on the risk level of applications on the network
ÌÌ New unified policy model combines all business,
ÌÌ Configuration API for all features
user and network firewall rules onto a single screen
for RMM/PSA integration
with grouping, filtering and search options
ÌÌ Discover Mode (TAP mode) for seamless integration for
ÌÌ Streamlined firewall rule management for large rule
trials and PoCs with support for Synchronized Security
sets with custom auto and manual grouping with at-a-
glance mouse-over feature and enforcement indicators ÌÌ Full-featured centralized management of multiple
firewalls with Sophos Firewall Manager available
ÌÌ All firewall rules provide an at-a-glance summary of the
as a hardware, software, or virtual appliance
applied security and control for AV, Sandboxing, SSL, IPS,
Web, App, Traffic Shapping (QoS), routing, and Heartbeat ÌÌ Central management of multiple firewalls from
Sophos Central providing one management
ÌÌ Pre-defined IPS, Web, App, and Traffic Shaping
console for all your Sophos IT security products.
(QoS) policies enable quick setup and easy
customization for common deployment scenarios ÌÌ Easy streamlined setup wizard to enable quick out-
(e.g. CIPA, typical workplace policies, and more) of-the box deployment in just a few minutes

ÌÌ IPS, Web, App, and Traffic Shaping (QoS) policies ÌÌ Zero-touch setup and configuration in Sophos
snap-into firewall rules and can be edited in- Central for new firewalls that remote staff can utilize
place providing a powerful but intuitive model for during the initial startup to configure the device
configuring and managing security and control
Base Firewall
ÌÌ Policy Templates for common business
applications including Microsoft Exchange, General Management
SharePoint, Lync, and much more defined in ÌÌ Purpose-built streamlined user interface and firewall
XML enabling customization and sharing. rule management for large rule sets with grouping with
at-a-glance rule feature and enforcement indicators
ÌÌ Sophos Security Heartbeat connecting Sophos
endpoints with the Firewall to share health status ÌÌ Two-factor authentication (One-time-password) support
and telemetry to enable instant identification for administrator access, user portal, IPSec and SSL VPN
of unhealty or compromised endpoints
ÌÌ Advanced trouble-shooting tools in
XG Firewall Features

GUI (e.g., Packet Capture) ÌÌ Upstream proxy support

ÌÌ High Availability (HA) support clustering two ÌÌ Protocol independent multicast

devices in active-active or active-passive mode. routing with IGMP snooping

ÌÌ Full command-line-interface (CLI) accessible from GUI ÌÌ Bridging with STP support and
ARP broadcast forwarding
ÌÌ Role-based administration
ÌÌ VLAN DHCP support and tagging
ÌÌ Automated firmware update notification with easy
automated update process and roll-back features ÌÌ Multiple bridge support

ÌÌ Reusable system object definitions for ÌÌ WAN link balancing: multiple Internet connections,
networks, services, hosts, time periods, auto-link health check, automatic failover, automatic
users and groups, clients and servers and weighted balancing, and granular multipath rules

ÌÌ Self-service user portal ÌÌ Wireless WAN support (n/a in virtual deployments)

ÌÌ Configuration change tracking ÌÌ 802.3ad interface link aggregation

ÌÌ Flexible device access control for services by zones ÌÌ Full configuration of DNS, DHCP and NTP

ÌÌ Email or SNMP trap notification options ÌÌ Dynamic DNS

ÌÌ SNMP and Netflow support ÌÌ IPv6 Ready Logo Program Approval Certification

ÌÌ Central managment support from Sophos Firewall ÌÌ IPv6 tunnelling support including 6in4, 6to4, 4in6,
Manager or Sophos Cloud Firewall Manager and IPv6 rapid deployment (6rd) through IPSec

ÌÌ Backup and restore configurations: locally, via FTP

Base Traffic Shaping and Quotas
or email; on-demand, daily, weekly or monthly
ÌÌ Flexible network or user based traffic shaping (QoS)
ÌÌ API for third party integration (enhanced Web and App traffic shaping options are
included with the Web Protection Subscription)
ÌÌ Remote access option for Sophos Support
ÌÌ Set user-based traffic quotas on upload/download
ÌÌ Cloud-based license management via MySophos
or total traffic and cyclical or non-cyclical

Firewall, Networking, and Routing ÌÌ Real-time VoIP optimization

ÌÌ Stateful deep packet inspection firewall
ÌÌ DSCP marking
ÌÌ FastPath Packet Optimization
Secure Wireless
ÌÌ User, group, time, or network based policies
ÌÌ Simple plug-and-play deployment of Sophos
ÌÌ Access time polices per user/group wireless access points (APs) — automatically
appear on the firewall control center
ÌÌ Enforce policy across zones, networks, or by service type
ÌÌ Central monitor and manage all APs and wireless
ÌÌ Zone isolation and zone-based policy support.
clients through the built-in wireless controller
ÌÌ Default zones for LAN, WAN, DMZ, LOCAL, VPN, and WiFi
ÌÌ Bridge APs to LAN, VLAN, or a separate
ÌÌ Custom zones on LAN or DMZ zone with client isolation options

ÌÌ Customizable NAT policies with IP masquerading ÌÌ Multiple SSID support per radio including hidden SSIDs
and full object support to redirect or forward
ÌÌ Support for the latest security and encryption
multiple services in a single rule
including WPA2 Personal and Enterprise
ÌÌ Flood protection: DoS, DDoS and portscan blocking
ÌÌ Channel width seletion option
ÌÌ Country blocking by geo-IP
ÌÌ Support for IEEE 802.1X (RADIUS authentication)
ÌÌ Routing: static, multicast (PIM-SM) with primary and secondary server support
and dynamic (RIP, BGP, OSPF)
ÌÌ Support for 802.11r (fast transition)
XG Firewall Features

ÌÌ Hotspot support for (custom) vouchers, Base VPN Options

password of the day, or T&C acceptance ÌÌ Site-to-site VPN: SSL, IPSec, 256- bit AES/3DES,
PFS, RSA, X.509 certificates, pre-shared key
ÌÌ Wireless guest Internet access with
walled garden options ÌÌ L2TP and PPTP

ÌÌ Time-based wireless network access ÌÌ Remote access: SSL, IPsec, iPhone/iPad/

Cisco/Andriod VPN client support
ÌÌ Wireless repeating and bridging meshed
network mode with supported APs ÌÌ IKEv2 Support

ÌÌ Automatic channel selection background optimization ÌÌ SSL client for Windows and configuration
download via user portal
ÌÌ Support for HTTPS login

Sophos Connect IPSec Client

ÌÌ Authentication: Pre-Shared Key (PSK),
ÌÌ Synchronized User ID utilizes Synchronized Security
PKI (X.509), Token and XAUTH
to share currently logged in Active Directory user
ID between Sophos endpoints and the firewall ÌÌ Enables Synchronized Security and Security
without an agent on the AD server or client Heartbeat for remote connected users

ÌÌ Authentication via: Active Directory, ÌÌ Intelligent split-tunneling for optimum traffic routing
eDirectory, RADIUS, LDAP and TACACS+
ÌÌ NAT-traversal support
ÌÌ Server authentication agents for Active
ÌÌ Client-monitor for graphical overview
Directory SSO, STAS, SATC
of connection status
ÌÌ Single sign-on: Active directory,
ÌÌ Mac and Windows Support
eDirectory, RADIUS Accounting

ÌÌ Client authentication agents for Sandstom Protection Subscription

Windows, Mac OS X, Linux 32/64
Sandstorm Cloud Sandbox Protection
ÌÌ Browser SSO authentication: Transparent, ÌÌ Full integration into your Sophos
proxy authentication (NTLM) security solution dashboard

ÌÌ Browser Captive Portal ÌÌ Inspects executables and documents containing

executable content (including .exe, .com, and .dll, .doc,
ÌÌ Authentication certificates for iOS and Android
.docx, docm and .rtf and PDF) and archives containing
ÌÌ Authentication services for IPSec, SSL, L2TP, PPTP any of the file types listed above (including ZIP, BZIP,
GZIP, RAR, TAR, LHA/LZH, 7Z, Microsoft Cabinet)
ÌÌ Google Chromebook authentication support for
environments with Active Directory and Google Gsuite ÌÌ Aggressive behavioral, network, and memory analysis

ÌÌ API based authentication ÌÌ Detects sandbox evasion behavior

ÌÌ Machine Learning technology with Deep

User Self-Serve Portal
Learning scans all dropped executable files
ÌÌ Download the Sophos Authentication Client
ÌÌ Includes exploit prevention and Cryptoguard
ÌÌ Download SSL remote access client (Windows)
Protection technology from Sophos Intercept X
and configuration files (other OS)
ÌÌ In-depth malicious file reports and
ÌÌ Hotspot access information
dashboard file release capability
ÌÌ Change user name and password
ÌÌ Optional data center selection and flexible
ÌÌ View personal internet usage user and group policy options on file type,
exclusions, and actions on analysis
ÌÌ Access quarantined messages and manage user-based
block/allow sender lists (requires Email Protection) ÌÌ Supports one-time download links
XG Firewall Features

Network Protection Subscription Clientless VPN

ÌÌ Sophos unique encrypted HTML5 self-service portal with
Intrusion Prevention (IPS)
support for RDP, HTTP, HTTPS, SSH, Telnet, and VNC
ÌÌ High-performance, next-gen IPS deep packet
inspection engine with selective IPS patterns
Web Protection Subscription
that can be applied on a firewall rule basis for
maximum performance and protection Web Protection and Control
ÌÌ Fully transparent proxy for anti-
ÌÌ Top rated by NSS Labs
malware and web-filtering
ÌÌ Thousands of signatures
ÌÌ Enhanced Advanced Threat Protection
ÌÌ Granular category selection
ÌÌ URL Filter database with millions of sites across
ÌÌ Support for custom IPS signatures 92 categories, backed by SophosLabs

ÌÌ IPS Policy Smart Filters that enable dynamic policies ÌÌ Surfing quota time policies per user/group
which automatically update as new patterns are added
ÌÌ Access time polices per user/group

ATP and Security Heartbeat™ ÌÌ Malware scanning: block all forms of viruses,
ÌÌ Advanced Threat Protection (Detect and block network web malware, trojans, and spyware on
traffic attempting to contact command and control HTTP/S, FTP and web-based email
servers using multi-layered DNS, AFC, and firewall)
ÌÌ Advanced web malware protection
ÌÌ Sophos Security Heartbeat™ instantly identifies with JavaScript emulation
compromised endpoints including the host, user,
ÌÌ Live Protection real-time, in-the-cloud
process, incident count, and time of compromise
lookups for the latest threat intelligence
ÌÌ Sophos Security Heartbeat™ policies can limit
ÌÌ Second independent malware detection
access to network resources or completely isolate
engine (Avira) for dual-scanning
compromised systems until they are cleaned up
ÌÌ Real-time or batch mode scanning
ÌÌ Lateral Movement Protection further isolates
compromised systems by having healthy Sophos ÌÌ Pharming Protection
endpoints reject all traffic from unhealthy
ÌÌ HTTP and HTTPS scanning and enforcement
endpoints preventing the movement of threats
on any network and user policy with fully
even on the same broadcast domain
customizable rules and exceptions

Remote Ethernet Device (RED) VPN ÌÌ SSL protocol tunnelling detection and enforcment
ÌÌ Central Management of all RED devices
ÌÌ Certificate validation
ÌÌ No configuration: Automatically connects
ÌÌ High performance web content caching
through a cloud-based provisioning service
ÌÌ Forced caching for Sophos Endpoint updates
ÌÌ Secure encrypted tunnel using digital X.509
certificates and AES256-encryption ÌÌ File type filtering by mime-type, extension and active
content types (e.g. Activex, applets, cookies, etc.)
ÌÌ Virtual Ethernet for reliable transfer of
all traffic between locations ÌÌ YouTube for Schools enforcement
per policy (user/group)
ÌÌ IP address management with centrally defined
DHCP and DNS Server configuration ÌÌ SafeSearch enforcement (DNS-based) for major
search engines per policy (user/group)
ÌÌ Remotely de-authorize RED devices
after a select period of inactivity ÌÌ Web keyword monitoring and enforcement to log,
report or block web content matching keyword
ÌÌ Compression of tunnel traffic
lists with the option to upload customs lists
ÌÌ VLAN port configuration options (RED 50)
ÌÌ Block Potentially Unwanted Applications
XG Firewall Features

ÌÌ Web policy override option for teachers or monitoring based on patented Recurrent-
staff to temporarily allow access to blocked Pattern-Detection technology
sites or categories that are fully customizable
ÌÌ Block spam and malware during the SMTP transaction
and manageable by select users
ÌÌ Spam greylisting and Sneder Policy
ÌÌ User/Group policy enforcement on Google Chromebooks
Framework (SPF) protection

Cloud Application Visibility ÌÌ Recipient verification for mistyped email addresses

ÌÌ Control Center widget displays amount of data uploaded
ÌÌ Second independent malware detection
and downloaded to cloud applications categorized
engine (Avira) for dual-scanning
as new, sanctioned, unsanctioned or tolerated
ÌÌ Live Protection real-time, in-the-cloud
ÌÌ Discover Shadow IT at a glance
lookups for the latest threat intelligence
ÌÌ Drill down to obtain details on users, traffic and data
ÌÌ Automatic signature and pattern updates
ÌÌ One-click access to traffic shaping policies
ÌÌ Smart host support for outbound relays
ÌÌ Filter cloud application usage by category or volume
ÌÌ File-Type detection/blocking/scanning of attachments
ÌÌ Detailed customizable cloud application
ÌÌ Accept, reject or drop over-sized messages
usage report for full historical reporting
ÌÌ Detects phishing URLs within e-mails
Application Protection and Control
ÌÌ Use pre-defined content scanning rules or create
ÌÌ Synchronized App Control to automatically, identify,
your own custom rules based on a variety of criteria
classify and control all unknown Windows and Mac
with granular policy options and exceptions
applications on the network by sharing information
between Sophos Endpoints and the firewall ÌÌ TLS Encryption support for SMTP, POP, and IMAP

ÌÌ Signature-based application control with ÌÌ Append signature automatically to

patterns for thousands of applications all outbound messages

ÌÌ Cloud Application Visibility and ÌÌ Email archiver

Control to discover Shadow IT
ÌÌ Individual user-based block and allow sender
ÌÌ App Control Smart Filters that enable dynamic policies lists maintained through the user portal
which automatically update as new patterns are added
Email Quarantine Management
ÌÌ Micro app discovery and control
ÌÌ Spam quarantine digest and notifications options
ÌÌ Application control based on category, characteristics
ÌÌ Malware and spam quarantines with search and
(e.g., bandwidth and productivity consuming),
filter options by date, sender, recipient, subject, and
technology (e.g., P2P) and risk level
reason with option to release and delete messages
ÌÌ Per-user or network rule application
ÌÌ Self-serve user portal for viewing and
control policy enforcement
releasing quarantined messages

Web and App Traffic Shaping

Email Encryption and DLP
ÌÌ Enhanced traffic shaping (QoS) options by web category
ÌÌ Patent-pending SPX encryption for
or application to limit or guarantee upload/download or
one-way message encryption
total traffic priority and bitrate individually or shared
ÌÌ Recipient self-registration SPX password management

ÌÌ Add attachments to SPX secure replies

Email Protection Subscription
ÌÌ Completely transparent, no additional
Email Protection and Control
software or client required
ÌÌ E-mail scanning with SMTP, POP3, and IMAP support
ÌÌ DLP engine with automatic scanning of emails
ÌÌ Reputation service with spam outbreak
XG Firewall Features

and attachments for sensitive data Logging and Reporting

NOTE: XG Firewall reporting is included at no extra charge
ÌÌ Pre-packaged sensitive data type content
but individual log, report, and widget availability may be
control lists (CCLs) for PII, PCI, HIPAA, and
dependent on their respective protection module license.
more, maintained by SophosLabs
ÌÌ Hundreds of on-box reports with custom report
Web Server Protection Subscription options: Dashboards (Traffic, Security, and User
Threat Quotient), Applications (App Risk, Blocked
Web Application Firewall Protection
Apps, Synchronized Apps, Search Engines, Web
ÌÌ Reverse proxy
Servers, Web Keyword Match, FTP), Network and
ÌÌ URL hardening engine with deep-linking Threats (IPS, ATP, Wireless, Security Heartbeat,
and directory traversal prevention Sandstorm), VPN, Email, Compliance (HIPAA,
ÌÌ Form hardening engine
ÌÌ Current Activity Monitoring: system health, live users,
ÌÌ SQL injection protection
IPsec connections, remote users, live connections,
ÌÌ Cross-site scripting protection wireless clients, quarantine, and DoS attacks

ÌÌ Dual-antivirus engines (Sophos and Avira) ÌÌ Report anonymization

ÌÌ HTTPS (SSL) encryption offloading ÌÌ Report scheduling to multiple recipients by

report group with flexible frequency options
ÌÌ Cookie signing with digital signatures
ÌÌ Export reports as HTML, PDF, Excel (XLS)
ÌÌ Path-based routing
ÌÌ Report bookmarks
ÌÌ Outlook anywhere protocol support
ÌÌ Log retention customization by category
ÌÌ Reverse authentication (offloading) for form-based
and basic authentication for server access ÌÌ Full featured log viewer with column view and
detailed view with powerful filter and search options,
ÌÌ Virtual server and physical server abstraction
hyperlinked rule ID, and data view customization
ÌÌ Integrated load balancer spreads
visitors across multiple servers

ÌÌ Skip individual checks in a granular fashion as required

ÌÌ Match requests from source networks

or specified target URLs

ÌÌ Support for logical and/or operators

ÌÌ Assists compatibility with various configurations

and non-standard deployments

ÌÌ Options to change Web Appliaction

FIrewall performance parameters

ÌÌ Scan size limit option

ÌÌ Allow/Block IP ranges

ÌÌ Wildcard support for server paths

ÌÌ Automatically append a prefix/suffix for authentication

XG Firewall Features

XG Firewall Features by Subscription Summary

FullGuard Plus (included in TotalProtect Plus)

FullGuard (included in TotalProtect)

EnterpriseGuard Plus
Features (included in EnterpriseProtect Plus)
(as listed above)
(included in EnterpriseProtect)

Sandstorm Network Web Server

Base Firewall Protection Protection Web Protection Email Protection Protection
General Management (incl. HA) ●
Firewall, Networking and Routing ●
Base Traffic Shaping and Quotas ●
Secure Wireless ●
Authentication ●
Self-Serve User Portal ●
Base VPN Options ●
Sophos Connect IPSec Client ●
Sandstorm Protection ●
Intrusion Prevention (IPS) ●
ATP and Security Heartbeat™ ●
Remote Ethernet Device (RED) VPN ●
Clientless VPN ●
Synchronized Application Control ●
Web Protection and Control ●
Application Protection and Control ●
Cloud Application Visibility ●
Web and App Traffic Shaping ●
Email Protection and Control ●
Email Quarantine Management ●
Email Encryption and DLP ●
Web Application Firewall Protection ●
Logging and Reporting ● ● ● ● ● ●

United Kingdom and Worldwide Sales North American Sales Australia and New Zealand Sales Asia Sales
Tel: +44 (0)8447 671131 Toll Free: 1-866-866-2802 Tel: +61 2 9409 9100 Tel: +65 62244168
Email: Email: Email: Email:

© Copyright 2018. Sophos Ltd. All rights reserved.

Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK
Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are
trademarks or registered trademarks of their respective owners.

16-12 FLNA (SM)