Managing Device Access and

Certificates on Sophos
Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW1550: Managing Device Access and Certificates on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Managing Device Access and Certificates on Sophos Firewall - 1


Managing Device Access and Certificates on Sophos
Firewall
In this chapter you will learn how to control access to admin services and add a certificate to
replace the default ‘ApplianceCertificate’.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Navigating and Managing the Sophos Firewall using the WebAdmin

DURATION

10 minutes

In this chapter you will learn how to control access to admin services and add a certificate to
replace the default ‘ApplianceCertificate’.


Control Access to Local Services

• Local services are management services of Sophos Firewall
• Examples include Web admin and CLI consoles, and authentication services
• Firewall rules cannot be used to control access to local services
• Control access to the management services of Sophos Firewall from custom and default zones using the local service ACL (Access Control List)

Local services are management services specific to the internal functioning of Sophos Firewall,
such as web admin and CLI consoles, and authentication services.

Firewall rules cannot be used to control traffic to these services.

You can control access to the management services of Sophos Firewall from custom and default
zones using the local service ACL (Access Control List).


Device Access

Device Access is configured in: SYSTEM > Administration > Device Access

The zones which are allowed access to Admin services can be managed on the Device Access page
under the heading Local service ACL. The example shows that only the LAN and WiFi zones are
allowed access to Admin services using HTTPS and SSH. This section gives an easy and graphical
way to manage access to admin services, as well as authentication, network, and other services,
from any zone on the Sophos Firewall.


Best Practices

BEST PRACTICES

Sophos does not recommend allowing access to the web admin console (HTTPS), CLI console
(SSH), and the user portal from the WAN zone or over the SSL VPN port.

Even though you can enable access to admin services from these zones, the Webadmin will warn
you that this is not a safe practice.

If you must give access, best practices are provided in the Administrator Help.

[Additional Information]
Best practices: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-
us/webhelp/onlinehelp/AdministratorHelp/Administration/DeviceAccess/index.html


Local Service ACL Exception Rule

Add a Local service ACL exception rule

The Local service ACL rules allow an administrator to quickly enable or disable access to a service
for a specific zone. While this is a simple way to enable access to these services, it does not allow
an administrator to securely grant access to services from untrusted zones. Alternatively, an
administrator may want to restrict access to specific IP addresses within a secure zone, for example,
to prevent guests from being able to see the User Portal login page.

To only allow specific hosts and networks to access the services, scroll down to Local service ACL
exception rule, and click Add.


Local Service ACL Exceptions

In the example shown here, we are allowing access to the WebAdmin and SSH in the WAN zone,
but only from the specified IP address.
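The decision model behind the Device Access page, written out as an added example (not Sophos code and not a Sophos export format): a zone grant opens a service to a whole zone, an exception rule opens it only to the listed hosts or networks, and an audit flags the configuration the Best Practices slide warns against. The data layout, the zone and service names in the sample, and the IP addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

ADMIN_SERVICES = ("HTTPS", "SSH")  # web admin console and CLI console
RISKY_ZONES = {"WAN"}              # the page also warns about the SSL VPN port


@dataclass
class LocalServiceAcl:
    # service -> set of zones granted via the Local service ACL grid
    zone_grants: dict
    # exception rules: (zone, service, [hosts or networks in CIDR form])
    exceptions: list = field(default_factory=list)

    def is_allowed(self, zone, service, src_ip):
        """Decide whether src_ip, arriving from `zone`, may reach `service`.
        Assumption (modelled, not taken from Sophos documentation): a zone
        grant allows the whole zone; an exception rule allows only its
        listed sources for that zone and service."""
        if zone in self.zone_grants.get(service, set()):
            return True
        ip = ipaddress.ip_address(src_ip)
        for exc_zone, exc_service, sources in self.exceptions:
            if exc_zone == zone and exc_service == service:
                if any(ip in ipaddress.ip_network(s, strict=False) for s in sources):
                    return True
        return False

    def audit(self):
        """Findings for admin services granted to an entire untrusted zone,
        which is what an exception rule should be used for instead."""
        findings = []
        for service in ADMIN_SERVICES:
            for zone in sorted(self.zone_grants.get(service, set()) & RISKY_ZONES):
                findings.append(f"{service} open to entire {zone} zone; use an exception rule")
        return findings


# Constructed example matching the slides: LAN and WiFi may use HTTPS/SSH,
# WAN may reach both only from one management host.
acl = LocalServiceAcl(
    zone_grants={"HTTPS": {"LAN", "WiFi"}, "SSH": {"LAN", "WiFi"}},
    exceptions=[("WAN", "HTTPS", ["203.0.113.10/32"]), ("WAN", "SSH", ["203.0.113.10/32"])],
)
```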


Device Access for a Zone

We have looked at the built-in zones on the Sophos Firewall. These include the LAN, WAN, VPN,
DMZ, and WiFi zones. While you can choose to use only these zones, you also have the option of
creating additional custom zones to further define your networks.

When you create or edit a zone from Network > Zones, you can also configure which services it can
access on the Sophos Firewall.


Certificates for Firewall Management
Untrusted: Appliance Certificate
Trusted certificate: Default when using Central Firewall Management

When you first connect to a Sophos Firewall’s webadmin console, you may notice that you get a
certificate error. This is not to say that your connection is insecure, but rather that the certificate is
untrusted by your machine.

This is because Sophos Firewall comes with a default certificate called ‘ApplianceCertificate’, which is
used to provide HTTPS for the Admin Portal, User Portal and SSL VPNs. The common name on this
certificate is the serial number of the appliance, and therefore you will almost certainly get a
certificate error when you log in.

If you use Sophos Central to connect to Firewall Management, the certificate provided by Sophos
Central will be trusted.


Certificates
Options for adding a certificate to Sophos Firewall:

1. Upload: Upload a certificate signed by a trusted CA
2. Self-Signed: Create a self-signed certificate that will be signed by the ‘Default’ signing CA
3. CSR: Create a certificate signing request that will be signed by a trusted CA

Certificates can be added to Sophos Firewall and can then be selected to be used in place of the
default ‘ApplianceCertificate’.

There are three options for doing this:

1. Upload a certificate that has been signed by an external trusted certificate authority. This could
be a third-party company such as GlobalSign, or an internal enterprise certificate authority. To
upload a certificate, you need to provide the certificate, private key, and the passphrase for
decrypting the private key.
2. Generate a self-signed certificate. This will be generated and signed by the Sophos Firewall’s
own ‘Default’ signing certificate authority.
3. The third option is to generate a CSR and download it along with the private key and
passphrase. This is a signing request for a certificate that can be signed by either a third-party
company or an internal enterprise certificate authority. Once you have the certificate you can
then upload it to the Sophos Firewall.


Adding a Locally Signed Certificate

Generate locally signed certificate

IP addresses used for SANs

In this example, the option to Generate locally-signed certificate has been selected and the
required information for the certificate has been entered. This must include the common name,
which is included in the Distinguished name, and one or more Subject Alternative Names. SANs
define the entities for which your certificate will be valid and can be DNS names or IP addresses.
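The two certificate problems described on the last slides, the default certificate whose common name is the appliance serial number and a certificate whose SANs do not cover the address you browse to, can be checked offline. This added example (not Sophos code) takes a certificate in the dictionary form that Python's `ssl.SSLSocket.getpeercert()` returns and reports why a browser would complain; the sample certificates, names and IP addresses are constructed.

```python
import ipaddress


def _rdn_value(name, key):
    # `name` is a tuple of RDNs; each RDN is a tuple of (type, value) pairs
    for rdn in name:
        for typ, value in rdn:
            if typ == key:
                return value
    return None


def san_matches(cert, target):
    """True if `target` (a DNS name or an IP address) is covered by the
    certificate's Subject Alternative Names. Browsers ignore the CN, so the
    check is SAN-only: DNS entries allow one left-most wildcard label,
    IP entries must be equal."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "IP Address" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None:
            host, pattern = target.lower(), value.lower()
            if pattern == host:
                return True
            if (pattern.startswith("*.") and host.count(".") == pattern.count(".")
                    and host.endswith(pattern[1:])):
                return True
    return False


def check_management_cert(cert, target):
    """Return findings for the certificate the web admin console presents;
    an empty list means it should be accepted for `target`."""
    findings = []
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: subject equals issuer, so no browser trusts it by default")
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    if not san_matches(cert, target):
        findings.append(f"no SAN covers {target} (CN is {cn!r}); expect a name mismatch error")
    return findings


# Constructed samples: a default-style certificate whose CN is a serial number,
# and one issued by an internal CA with DNS and IP SANs.
DEFAULT_LIKE = {"subject": ((("commonName", "C0123456789ABCD"),),),
                "issuer": ((("commonName", "C0123456789ABCD"),),)}
INTERNAL_CA_SIGNED = {"subject": ((("commonName", "fw.example.com"),),),
                      "issuer": ((("commonName", "Example Issuing CA"),),),
                      "subjectAltName": (("DNS", "fw.example.com"),
                                         ("DNS", "*.mgmt.example.com"),
                                         ("IP Address", "10.0.0.1"))}
```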


Certificates

Certificates can be viewed in: SYSTEM > Certificates > Certificates

The new certificate is now listed as well as the ‘ApplianceCertificate’.


Select a Certificate

If you have created a new certificate or uploaded a public certificate to the firewall, it can be
assigned for use by the Webadmin and user portal.
The Admin and user settings page, under Administration, allows you to select another certificate
using the drop-down list.


Verification Certificate Authorities
• Includes certificates for common trusted Internet root CAs
• Upload certificate for additional CAs

Sophos Firewall comes preconfigured with the certificates for common trusted Internet root
certificate authorities; these are used to verify the certificates of devices the Sophos Firewall
connects to.

You can also upload additional CA certificates that you want to trust, such as an internal enterprise
CA that signs the certificates for your internal servers.


Simulation: Import CA Certificates

In this simulation you will import CA certificates from an internal certificate authority to Sophos
Firewall.

https://training.sophos.com/fw/simulation/ImportCACertificates/1/start.html

In this simulation you will import CA certificates from an internal certificate authority to
Sophos Firewall.


Signing Certificate Authorities

Two default signing CAs
• Default: Used for creating certificates
• SecurityAppliance_SSL_CA: Used for HTTPS scanning and email TLS/SSL connections

Upload additional CAs
• Provide certificate and private key
• Can be selected for use in Web and Email protection

Sophos Firewall also acts as a certificate authority, and so comes with two signing CAs.
• The ‘Default’ signing CA is used for creating and signing certificates.
• The ‘SecurityAppliance_SSL_CA’ is used for creating the certificates used in HTTPS web scanning
and securing TLS/SSL email connections.

You can upload additional signing CAs by providing the private key with the CA certificate when you
upload it. These CAs can then be selected for use in Web and Email Protection.
• The Email CAs can be separately selected for SMTPS and IMAPS & POPS. This is done in EMAIL >
General settings.
• The Web CA for HTTPS scanning can be selected in Web > Protection.


Simulation: Deploy Sophos Firewall CA Certificates

In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active
Directory Group Policy.

https://training.sophos.com/fw/simulation/DeployCertificates/1/start.html

In this simulation you will download Sophos Firewall’s CA certificates and deploy them using Active
Directory Group Policy.


Chapter Review

The zones which are allowed access to Admin services can be managed on the Device
Access page. Local service ACL exception rules restrict by IP addresses or by network.

Certificates can be added and used in place of the default ‘ApplianceCertificate’.

Sophos Firewall acts as a certificate authority with two signing CAs. ‘Default’ creates and
signs certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web
scanning and securing TLS/SSL email connections.

Here are the three main things you learned in this chapter.

The zones which are allowed access to Admin services can be managed on the Device Access page.
Local service ACL exception rules restrict by IP addresses or by network.

Certificates can be added to Sophos Firewall and used in place of the default ‘ApplianceCertificate’,
which generates a certificate error.

Sophos Firewall acts as a certificate authority with two signing CAs. ‘Default’ creates and signs
certificates. ‘SecurityAppliance_SSL_CA’ creates certificates used in HTTPS web scanning and
securing TLS/SSL email connections.
