FW1550: Managing Device Access and Certificates on Sophos Firewall
Sophos Firewall
Version: 19.0v1
April 2022
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
10 minutes
In this chapter you will learn how to control access to admin services and add a certificate to
replace the default ‘ApplianceCertificate’.
Local services are management services specific to the internal functioning of Sophos Firewall,
such as web admin and CLI consoles, and authentication services.
You can control access to the management services of Sophos Firewall from custom and default
zones using the local service ACL (Access Control List).
The zones that are allowed access to admin services are managed on the Device Access page
under the heading Local service ACL. In the example, only the LAN and WiFi zones are allowed to
reach the admin services over HTTPS and SSH. This page gives an easy, graphical way to manage
access to admin services, as well as to authentication, network and other services, from any zone
on Sophos Firewall.
BEST PRACTICES
Sophos does not recommend allowing access to the web admin console (HTTPS), the CLI console
(SSH) or the user portal from the WAN zone or over the SSL VPN port.
You can still enable access to admin services from these zones, but the web admin console will
warn you that this is not a safe practice.
If you must grant such access, follow the best practices provided in the Administrator Help.
[Additional Information]
Best practices: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html
Local service ACL rules let an administrator quickly enable or disable access to a service for a whole
zone. That is simple, but it gives no way to grant access from an untrusted zone safely, because the
rule applies to every host in that zone. An administrator may also want to restrict access to specific
IP addresses within a trusted zone, for example to stop guests from seeing the User Portal login
page.
To only allow specific hosts and networks to access the services, scroll down to Local service ACL
exception rule, and click Add.
In the example shown here, we are allowing access to the WebAdmin and SSH in the WAN zone,
but only from the specified IP address.
We have looked at the built-in zones on the Sophos firewall. These include the LAN, WAN, VPN,
DMZ, and WiFi zones. While you can choose to use only these zones, you also have the option of
creating additional custom zones to further define your networks.
When you create or edit a zone from Network > Zones, you can also configure which services it can
access on the Sophos Firewall.
When you first connect to the Sophos Firewall web admin console, you may see a certificate error.
The connection is still encrypted, but your browser cannot confirm that it is really talking to the
firewall, because the certificate is not trusted by your machine.
This is because Sophos Firewall ships with a default certificate called ‘ApplianceCertificate’, which
provides HTTPS for the web admin console, the User Portal and SSL VPN. It is not issued by a
certificate authority your browser trusts, and its common name is the serial number of the
appliance rather than the hostname or IP address you browse to, so you will almost certainly get a
certificate error when you log in.
If you use Sophos Central to connect to Firewall Management, the certificate provided by Sophos
Central will be trusted.
Certificates can be added to Sophos Firewall and can then be selected to be used in place of the
default ‘ApplianceCertificate’.
1. Upload a certificate that has been signed by an external trusted certificate authority. This could
be a third-party company such as GlobalSign, or an internal enterprise certificate authority. To
upload a certificate, you need to provide the certificate, private key, and the passphrase for
decrypting the private key.
2. Generate a self-signed certificate. This will be generated and signed by the Sophos Firewall’s
own ‘Default’ signing certificate authority.
3. The third option is to generate a CSR and download it along with the private key and
passphrase. This is a signing request for a certificate that can be signed by either a third-party
company or an internal enterprise certificate authority. Once you have the certificate you can
then upload it to the Sophos Firewall.
In this example, the option to Generate locally-signed certificate has been selected and the
required information for the certificate has been entered. This must include the common name,
which forms part of the Distinguished name, and one or more Subject Alternative Names. SANs
define the entities for which your certificate will be valid and can be DNS names or IP addresses.
Modern browsers match the address you browse to against the SANs, not the common name, so
include every hostname and IP address that will be used to reach the firewall.
Once you have created a new certificate or uploaded one signed by an external CA, it can be
assigned to the web admin console and the User Portal.
In Administration > Admin and user settings, select the new certificate from the drop-down list.
Sophos Firewall comes preconfigured with the certificates for common trusted Internet root
certificate authorities; these are used to verify the certificates of devices the Sophos Firewall
connects to.
You can also upload additional CA certificates that you want to trust, such as an internal enterprise
CA that signs the certificates for your internal servers.
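The trust and name-matching behaviour described above can be reproduced offline with OpenSSL. The following is an added example, not part of the Sophos course and not Sophos Firewall tooling. It assumes OpenSSL 1.1.1 or later, a firewall reached as fw01.corp.example or 10.0.0.1, an internal CA named "Corp Internal CA" and a made-up appliance serial number; none of these come from the page. It builds a throwaway CA, produces a CSR carrying the common name and SANs the text calls for (option 3 above), signs it, and then runs openssl verify under several conditions to separate the two causes of the browser error: an issuer the client does not trust, and a name the certificate does not cover.

```shell
#!/bin/sh
# Added example (not Sophos code): reproduce the certificate-trust and
# SAN-matching behaviour of a firewall admin certificate with OpenSSL.
# Assumptions (not from the page): hostname fw01.corp.example, IP 10.0.0.1,
# a CA called "Corp Internal CA", and the made-up serial C0000000000000.
set -e
WORK="${WORK:-$(mktemp -d)}"
FW_NAME=fw01.corp.example
FW_IP=10.0.0.1

# Throwaway internal CA, standing in for an enterprise CA (or the firewall's
# own 'Default' signing CA). openssl's defaults mark it as a CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/O=Corp/CN=Corp Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Option 3 from the text: a CSR with the CN in the DN plus a SAN for every
# name and address used to reach the firewall. The private key is generated
# alongside it and must be kept to pair with the signed certificate later.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=GB/O=Corp/CN=$FW_NAME" \
        -addext "subjectAltName=DNS:$FW_NAME,IP:$FW_IP" \
        -keyout "$WORK/fw.key" -out "$WORK/fw.csr" 2>/dev/null
}

# The CA decides which extensions end up in the certificate; this one honours
# the requested SANs and marks the certificate for server authentication.
sign_csr() {
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
        "$FW_NAME" "$FW_IP" > "$WORK/fw.ext"
    openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/fw.ext" \
        -out "$WORK/fw.crt" 2>/dev/null
}

# Stand-in for the default 'ApplianceCertificate': self-signed, CN set to a
# (made-up) serial number, no SAN at all.
make_appliance_style_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -subj "/CN=C0000000000000" \
        -keyout "$WORK/appliance.key" -out "$WORK/appliance.crt" 2>/dev/null
}

# verify_cert CERT CAFILE HOSTNAME: CAFILE models the client's trust store after
# the CA has been imported; an empty CAFILE means the OS default store, which
# is what a browser has before any import. An empty HOSTNAME skips name checks.
# Prints openssl's verdict and returns 0 only when verification succeeded.
verify_cert() {
    cert=$1 ca=$2 host=$3
    set -- "$cert"
    [ -n "$host" ] && set -- -verify_hostname "$host" "$@"
    [ -n "$ca" ] && set -- -CAfile "$ca" "$@"
    if out=$(openssl verify "$@" 2>&1); then
        echo "  OK   $out"; return 0
    else
        echo "  FAIL $out"; return 1
    fi
}

# Walk through the scenarios; returns 0 only if every outcome is the expected one.
run_demo() {
    make_ca && make_csr && sign_csr && make_appliance_style_cert || return 1
    echo "SAN the CA put into the signed certificate:"
    openssl x509 -in "$WORK/fw.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' || return 1
    echo "1. CA-signed cert, client has only its OS trust store (a fresh browser):"
    ! verify_cert "$WORK/fw.crt" "" "$FW_NAME" || return 1
    echo "2. Same cert after importing the CA, browsing to a name in the SAN:"
    verify_cert "$WORK/fw.crt" "$WORK/ca.crt" "$FW_NAME" || return 1
    echo "3. Same cert and trusted CA, but browsing to a name not in the SAN:"
    ! verify_cert "$WORK/fw.crt" "$WORK/ca.crt" firewall.internal || return 1
    echo "4. Appliance-style cert (CN = serial, no SAN): trusted as an issuer..."
    verify_cert "$WORK/appliance.crt" "$WORK/appliance.crt" "" || return 1
    echo "   ...but still rejected for the name the admin actually browses to:"
    ! verify_cert "$WORK/appliance.crt" "$WORK/appliance.crt" "$FW_NAME" || return 1
}

run_demo
```

Each verdict line echoes openssl's own reason (for example "unable to get local issuer certificate" or "Hostname mismatch"), which is the distinction to make when troubleshooting a browser warning: importing the CA, as the Group Policy simulation below does, fixes only the first cause, while the second needs a certificate whose SANs include every name and address used to reach the firewall.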
https://training.sophos.com/fw/simulation/ImportCACertificates/1/start.html
In this simulation you will import CA certificates from an internal certificate authority to
Sophos Firewall.
Sophos Firewall also acts as a certificate authority, and so comes with two signing CAs.
• The ‘Default’ signing CA is used for creating and signing certificates.
• The ‘SecurityAppliance_SSL_CA’ is used for creating the certificates used in HTTPS web scanning
and securing TLS/SSL email connections.
You can upload additional signing CAs by providing the private key with the CA certificate when you
upload it. These CAs can then be selected for use in Web and Email Protection.
• The Email CAs can be separately selected for SMTPS and IMAPS & POPS. This is done in EMAIL >
General settings.
• The Web CA for HTTPS scanning can be selected in Web > Protection.
https://training.sophos.com/fw/simulation/DeployCertificates/1/start.html
In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active
Directory Group Policy.
Here are the three main things you learned in this chapter.
The zones which are allowed access to Admin services can be managed on the Device Access page.
Local service ACL exception rules restrict by IP addresses or by network.
Certificates can be added to Sophos Firewall and used in place of the default ‘ApplianceCertificate’,
which generates a certificate error.
Sophos Firewall acts as a certificate authority with two signing CAs. ‘Default’ creates and signs
certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web scanning and
securing TLS/SSL email connections.