
Getting Started with Zones and Interfaces on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1515: Getting Started with Zones, Interfaces and Routing on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 1
Getting Started with Zones and Interfaces on Sophos Firewall

In this chapter you will learn how to use Sophos Firewall WebAdmin to configure network zones and interfaces.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION
8 minutes

In this chapter you will learn how to use Sophos Firewall WebAdmin to configure network zones,
interfaces and routing.

Interfaces and Zones

The firewall is shipped with physical and virtual interfaces.

A physical interface is, for example, Port1, PortA, or eth0.

A virtual interface is a logical representation of an interface, for example an alias that allows you to
bind multiple IP addresses to a single physical interface.

A zone is a grouping of interfaces. When used with firewall rules, zones provide a convenient
method of managing security and traffic for a group of interfaces.

Zones

[Diagram labels: Sophos Firewall, LAN 1, LAN 2, LAN Zone, DMZ, Hosted Servers Zone, WAN Zone, Internet]

We’ll start by looking at zones. Sophos Firewall is a zone-based firewall, and it is important to
understand what a zone is before we proceed to look at interfaces and routing.

When we talk about zones on the Sophos Firewall, we mean a logical group of networks where
traffic originates or is destined to.

Each interface is associated with a single zone, which means that traffic can be managed between
zones rather than by interface or network, simplifying the configuration.

Interfaces and zones are not equivalent; multiple interfaces can be associated with a zone and
each zone can be made up of multiple networks.

Sophos Firewall comes with five default zones:

• LAN – this is the most secure zone by default and is for your internal networks.
• WAN – this zone is used for external interfaces that provide Internet access.
• DMZ – this zone is for hosting publicly accessible servers.
• VPN – this is the only zone that does not have a physical port or interface assigned to it. When a
VPN is established, either site-to-site or remote access, the connection is dynamically added to
the zone and removed when disconnected.
• WiFi – this zone is for providing security for wireless networks.

Except for the VPN zone, the default zones can be customized.

Zones are managed and created in CONFIGURE > Network > Zones.

Creating Zones

[Screenshot callouts: Choose whether this is a LAN or DMZ zone; Access for managing the Sophos Firewall; Client authentication services; Network services; Other services provided by the Sophos Firewall]

Let’s look at how you can create your own zones.

When you create a custom zone, you can choose between two types of zones, LAN or DMZ, which
is used to indicate the level of trust for the zone. You cannot create additional VPN or WAN type
zones as there can only be one of each of these.

You then customize the zone to define which of the services that the Sophos Firewall provides will
be accessible. This is broken down into four categories:
• Admin services, for accessing and managing the Sophos Firewall.
• Authentication services, for user authentication.
• Network services, for PING and DNS.
• Other services, which control access to things like the web proxy, wireless access point
management, and user portal.

Activity
Match the zone with its description

Descriptions:
• This is the only zone that does not have a physical port or interface assigned to it
• This zone is for hosting publicly accessible servers
• This zone is for providing security for wireless networks
• This is the most secure zone by default and is for your internal networks
• This zone is used for external interfaces that provide Internet access

Zones:
• WiFi
• LAN
• VPN
• WAN
• DMZ

Take a moment to test your knowledge and match the zone with its description.

Network Interfaces

Now that you know how to create zones, we will look at Network Interfaces.

Configuring Interfaces

Interfaces are configured in: CONFIGURE > Network > Interfaces

Interfaces can be given a friendly name

Interfaces must be assigned to a zone

By default, interfaces are named after their hardware device ID. However, you can give them a
friendly name to make identifying them easier.

To begin configuring the network settings, you must assign the interface to a zone. This will
determine what IP configuration can be set, as only interfaces in the WAN zone are configured with
a gateway.

You can configure interfaces either statically or by DHCP. IPv4 configuration also supports
configuration via PPPoE.

You can configure interfaces with IPv4 or IPv6 or both.
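
The zone and interface rules from this chapter (custom zones are type LAN or DMZ, every interface is assigned to a zone, the VPN zone has no interfaces, only WAN-zone interfaces are configured with a gateway), written as a check over a planned layout. This is an added example, not Sophos code; the data model, the sample names and addresses, and the Admin-services review rule are assumptions made for illustration.

```python
DEFAULT_ZONES = {"LAN", "WAN", "DMZ", "VPN", "WiFi"}  # the five default zones
CUSTOM_TYPES = {"LAN", "DMZ"}  # the only types a custom zone can have

def check_plan(zones, interfaces):
    """Check a planned layout against the rules stated in this chapter.

    zones: {name: {"type": str, "services": set of category names}}
    interfaces: {name: {"zone": str or None, "gateway": str or None}}
    Both structures are hypothetical planning data, not a Sophos format.
    """
    findings = []
    for name, zone in zones.items():
        if name not in DEFAULT_ZONES and zone["type"] not in CUSTOM_TYPES:
            findings.append(f"zone {name}: custom zones must be type LAN or DMZ")
        # Assumed review policy, not a rule from the chapter: management
        # access is expected only from LAN-type zones.
        if "Admin" in zone["services"] and zone["type"] != "LAN":
            findings.append(f"zone {name}: Admin services on a {zone['type']}-type zone")
    for name, iface in interfaces.items():
        zone = zones.get(iface["zone"])
        if zone is None:
            findings.append(f"interface {name}: not assigned to a defined zone")
            continue
        if zone["type"] == "VPN":
            findings.append(f"interface {name}: the VPN zone takes no interfaces")
        if iface["gateway"] and zone["type"] != "WAN":
            findings.append(f"interface {name}: gateway set outside the WAN zone")
    return findings

# Constructed sample plan (names and addresses are made up).
ZONES = {
    "LAN": {"type": "LAN", "services": {"Admin", "Authentication", "Network"}},
    "WAN": {"type": "WAN", "services": set()},
    "DMZ": {"type": "DMZ", "services": {"Network"}},
    "VPN": {"type": "VPN", "services": set()},
    "Servers": {"type": "DMZ", "services": {"Admin", "Network"}},
    "Branch": {"type": "WAN", "services": set()},
}
INTERFACES = {
    "Port1": {"zone": "LAN", "gateway": None},
    "Port2": {"zone": "WAN", "gateway": "203.0.113.1"},
    "Port3": {"zone": "Servers", "gateway": "192.0.2.1"},
    "Port4": {"zone": None, "gateway": None},
}

if __name__ == "__main__":
    for finding in check_plan(ZONES, INTERFACES):
        print(finding)
```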

Interface Types
BRIDGE: Allows two or more interfaces to be used to create a transparent layer 2 or 3 bridged
interface for seamless communication between interfaces

ALIAS: An additional IP address added to an interface

VLAN: A virtual LAN interface created on an existing Sophos Firewall interface, used when the
Sophos Firewall needs to perform inter-VLAN routing or tagging

LAG: A group of interfaces acting as a single connection which can provide redundancy and
increased speed between two devices

RED: Used to connect Sophos’ Remote Ethernet Devices back to the Sophos Firewall

In addition to those used for configuring the network adapters in the Sophos Firewall, there are
several other interface types that can be created.

These are:
• Bridge
• Alias
• VLAN
• LAG
• RED

Bridge Interface

[Screenshot callout: Two physical ports are assigned to this bridge interface]

We’ll look at two examples of these interfaces. The first is a bridge interface, which bridges over
physical interfaces, such as ports, or virtual interfaces, such as VLANs.

In this example, two physical interfaces are selected.

If ‘enable routing’ is selected, you must assign an IP address to the bridge interface.

Alias Interface

[Screenshot callout: An Alias interface is added for the GuestAP physical interface]

An Alias interface is used to bind multiple IP addresses to a physical interface. In this example, an
alias is added to the GuestAP interface and can then be seen in the interfaces listing page.

Activity
Match the interface type with its description

Descriptions:
• An additional IP address added to an interface
• Creates a transparent layer 2 or 3 interface for seamless communication
• Can provide redundancy and increased speed between two devices
• Connects Sophos’ remote devices back to the Sophos Firewall
• Created on an existing interface and can be used to perform tagging

Interface types:
• Bridge
• Alias
• VLAN
• LAG
• RED

Take a moment to test your knowledge and match the interface type with its description.

Interface Types

TUNNEL: Tunnel interfaces are created using a type of IPsec VPN that allows standard
routing to be used to send traffic over the VPN

WiFi: A wireless network where traffic is routed back to the Sophos Firewall from the access
point instead of directly onto the network the access point is connected to

Additionally, you can create wireless interfaces and IPsec interfaces.

These two interface types are created as part of configuring other functionality on Sophos Firewall:
IPsec VPNs, and wireless networks using separate zone configuration.

Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to
send traffic over the VPN.

WiFi interfaces are created when a wireless network routes traffic back to the Sophos Firewall
using separate zone configuration, instead of to either the physical LAN the access point is
connected to, or a VLAN.

Simulation: Create Zones and Interfaces

https://training.sophos.com/fw/simulation/ZonesAndInterfaces/1/start.html

In this simulation you will configure zones and interfaces on Sophos Firewall.

Chapter Review

Here are the three main things you learned in this chapter.

A zone is a logical group of networks. Each firewall interface is associated with a single zone,
meaning that traffic management can be simplified using zones instead of interfaces and networks.

Network interfaces are assigned to a zone, which determines what IP configuration can be set.

IPsec tunnel and wireless interface types are created as part of configuring other functionality on
Sophos Firewall. These use separate zone configuration.
