Sophos Firewall
FW1515: Getting Started with Zones, Interfaces and Routing on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Getting Started with Zones, Interfaces and Routing on Sophos Firewall 19.0v1 - 1
Getting Started with Zones and Interfaces on Sophos Firewall
In this chapter you will learn how to use Sophos Firewall WebAdmin to configure network zones,
interfaces and routing.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and managing the Sophos Firewall using the WebAdmin
DURATION
8 minutes
Interfaces and Zones
A virtual interface is a logical representation of an interface, for example an alias that allows you to
bind multiple IP addresses to a single physical interface.
A zone is a grouping of interfaces. When used with firewall rules, zones provide a convenient
method of managing security and traffic for a group of interfaces.
Zones
[Diagram: Sophos Firewall connected to the Internet, with LAN 1 and LAN 2 in the LAN Zone, a DMZ, and the WAN Zone]
We’ll start by looking at zones. Sophos Firewall is a zone-based firewall, and it is important to
understand what a zone is before we proceed to look at interfaces and routing.
When we talk about zones on the Sophos Firewall, we mean a logical group of networks where
traffic originates or to which it is destined.
Each interface is associated with a single zone, which means that traffic can be managed between
zones rather than by interface or network, which simplifies the configuration.
Interfaces and zones are not equivalent; multiple interfaces can be associated with a zone and
each zone can be made up of multiple networks.
Zones
Zones are created and managed in: CONFIGURE > Network > Zones
• LAN – this is the most secure zone by default and is for your internal networks.
• WAN – this zone is used for external interfaces that provide Internet access.
• DMZ – this zone is for hosting publicly accessible servers.
• VPN – this is the only zone that does not have a physical port or interface assigned to it. When a
VPN is established, either site-to-site or remote access, the connection is dynamically added to
the zone and removed when disconnected.
• WiFi – this zone is for providing security for wireless networks.
Except for the VPN zone, the default zones can be customized.
Creating Zones
When you create a custom zone, you can choose between two types of zone, LAN or DMZ, which
indicates the level of trust for the zone. You cannot create additional VPN or WAN type
zones, as there can only be one of each of these.
You then customize the zone to define which services the Sophos Firewall provides and will be
accessible. This is broken down into four categories:
• Admin services, for accessing and managing the Sophos Firewall.
• Authentication services, for user authentication.
• Network services, for PING and DNS.
• And Other services, which controls access to things like the web proxy, wireless access point
management, and user portal.
Activity
Match the zone with its description
Take a moment to test your knowledge and match the zone with its description.
Network Interfaces
Now that you know how to create zones, we will look at Network Interfaces.
Configuring Interfaces
Interfaces are configured in: CONFIGURE > Network > Interfaces
By default, interfaces are named after their hardware device ID. However, you can give them a
friendly name to make identifying them easier.
To begin configuring the network settings, you must assign the interface to a zone. This will
determine what IP configuration can be set, as only interfaces in the WAN zone are configured with
a gateway.
You can configure interfaces either statically or by DHCP. IPv4 configuration also supports
configuration via PPPoE.
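The zone and interface rules stated in the Creating Zones and Configuring Interfaces sections (custom zones are LAN or DMZ type only, a single WAN and VPN zone, one zone per interface, no physical interface in the VPN zone, gateways only on WAN-zone interfaces) can be checked before a plan is typed into WebAdmin. This is an added example written for this page, not Sophos code; the class and function names, the friendly interface names and the addresses are constructed assumptions.

```python
# Added example (not Sophos code): a small model of the zone and interface
# rules this chapter describes, for sanity-checking a planned configuration.
from dataclasses import dataclass

# Default zones as named in the chapter. WAN and VPN exist exactly once;
# custom zones can only be of type LAN or DMZ.
DEFAULT_ZONES = {"LAN": "LAN", "WAN": "WAN", "DMZ": "DMZ", "VPN": "VPN", "WiFi": "WiFi"}


@dataclass
class Interface:
    name: str            # friendly name, e.g. "GuestAP" (constructed)
    zone: str            # each interface belongs to exactly one zone
    gateway: str = ""    # only interfaces in the WAN zone carry a gateway
    physical: bool = True


def add_zone(zones: dict, name: str, ztype: str) -> dict:
    """Create a custom zone; rejects duplicates and any type other than LAN/DMZ."""
    if name in zones:
        raise ValueError(f"zone {name} already exists")
    if ztype not in ("LAN", "DMZ"):
        raise ValueError("custom zones must be of type LAN or DMZ")
    return {**zones, name: ztype}


def validate(zones: dict, interfaces: list) -> list:
    """Return the constraint violations found in a planned interface set."""
    problems, seen = [], set()
    for i in interfaces:
        if i.name in seen:
            problems.append(f"{i.name}: assigned to more than one zone")
        seen.add(i.name)
        if i.zone not in zones:
            problems.append(f"{i.name}: zone {i.zone} does not exist")
            continue
        if zones[i.zone] == "VPN" and i.physical:
            problems.append(f"{i.name}: VPN zone takes no physical interface")
        if i.gateway and zones[i.zone] != "WAN":
            problems.append(f"{i.name}: gateway only allowed in the WAN zone")
    return problems


def zone_pair(interfaces: list, src_if: str, dst_if: str) -> tuple:
    """Resolve two interfaces to the (source zone, destination zone) pair a rule matches on."""
    by_name = {i.name: i for i in interfaces}
    return (by_name[src_if].zone, by_name[dst_if].zone)


if __name__ == "__main__":
    zones = add_zone(DEFAULT_ZONES, "Guest", "LAN")
    plan = [Interface("Port1", "LAN"), Interface("Port2", "WAN", gateway="203.0.113.1"),
            Interface("GuestAP", "Guest"), Interface("Port3", "DMZ", gateway="10.0.0.1")]
    print(validate(zones, plan))               # Port3 is flagged for its gateway
    print(zone_pair(plan, "GuestAP", "Port2"))  # ('Guest', 'WAN')
```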
Interfaces can be configured for IPv4, IPv6, or both.
Interface Types
BRIDGE: Allows two or more interfaces to be used to create a transparent layer 2 or 3 bridged interface for seamless communication between interfaces
VLAN: A virtual LAN interface created on an existing Sophos Firewall interface, used when the Sophos Firewall needs to perform inter-VLAN routing or tagging
LAG: A group of interfaces acting as a single connection which can provide redundancy and increased speed between two devices
RED: Used to connect Sophos’ Remote Ethernet Devices back to the Sophos Firewall
In addition to those used for configuring the network adapters in the Sophos Firewall, there are
several other interface types that can be created.
These are:
• Bridge
• Alias
• VLAN
• LAG
• And RED
Bridge Interface
We’ll look at two examples of these interfaces. The first is a bridge interface, which bridges over
physical interfaces, such as ports, or virtual interfaces, such as VLANs.
If ‘enable routing’ is selected, you must assign an IP address to the bridge interface.
Alias Interface
[Screenshot: an Alias interface is added for the GuestAP physical interface]
An Alias interface is used to bind multiple IP addresses to a physical interface. In this example an
alias is added to the GuestAP interface and can then be seen in the interfaces listing page.
Activity
Match the interface type with its description
Take a moment to test your knowledge and match the interface type with its description.
Interface Types
TUNNEL: Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to send traffic over the VPN
WiFi: A wireless network where traffic is routed back to the Sophos Firewall from the access point instead of directly onto the network the access point is connected to
These two interface types are created as part of configuring other functionality on Sophos Firewall:
IPsec VPNs, and wireless networks that use separate zone configuration.
Tunnel interfaces are created using a type of IPsec VPN that allows standard routing to be used to
send traffic over the VPN.
WiFi interfaces are created when a wireless network routes traffic back to the Sophos Firewall
using separate zone configuration, instead of to either the physical LAN the access point is
connected to, or a VLAN.
Simulation: Create Zones and Interfaces
https://training.sophos.com/fw/simulation/ZonesAndInterfaces/1/start.html
In this simulation you will configure zones and interfaces on Sophos Firewall.
Here are the three main things you learned in this chapter.
• A zone is a logical group of networks. Each firewall interface is associated with a single zone,
meaning that traffic management can be simplified using zones instead of interfaces and networks.
• Network interfaces are assigned to a zone, which determines what IP configuration can be set.
• IPsec tunnel and wireless interface types are created as part of configuring other functionality on
Sophos Firewall. These use separate zone configuration.