Sophos Firewall
4010: Configuring Web Protection on Sophos Firewall
November 2022
Version: 19.5v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
24 minutes
In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.
• Include options to control end users’ web browsing
• SafeSearch prevents potentially inappropriate images, videos, and text from appearing in search results
• YouTube restrictions also restrict search results
• Time quotas can allow limited access to restricted websites
• Define the type of usage to restrict
• Specify content filters to restrict web content that contains any terms in the lists
• Define the action to take when the firewall encounters traffic that matches the rule criteria
Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, that allow access to restricted websites, such as online shopping, for a limited
period.
This shows an example of a web policy. It has an ordered list of rules and a default action, in this
case allow, that determines the behaviour if the traffic does not match any of the rules.
[Slide: web policy rule columns: Users & Groups, User Activities, Categories, URL Groups, File Types, Constraints]
Each web policy rule applies to either specific users and groups, or anybody.
You define the activities, or types of web traffic that are going to be controlled by the rule, and you
can optionally also apply a keyword content filter to the traffic.
Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.
You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.
Finally, you can enable and disable individual rules. This is especially useful when creating and
testing new rules.
Below the web policy rules are further options, some of which require the web proxy in order to be
enforced. These are indicated with a notice. If these options are selected and the firewall rule uses
the DPI engine instead of the web proxy, they will not be enforced.
Again, a notice indicates which settings require the web proxy to be enforced.
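To make the rule-evaluation behaviour described above concrete, here is a small Python model of a web policy: an ordered list of rules, each with users or groups (or anybody), activities, an action, a separate HTTPS action, an optional time constraint and an enabled flag, followed by a default action. This is an added illustration and not Sophos Firewall code; the rule names, users, categories and the first-match evaluation order are assumptions made for the demo.

```python
"""Toy model of a web policy: an ordered rule list with a default action.

Added illustration only, not Sophos Firewall code. The rule fields mirror
the ones described in the text (users/groups or anybody, activities, action,
separate HTTPS action, time constraint, enabled flag); evaluation order
(top to bottom, first match wins, otherwise the default action) is the
behaviour the text describes.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional, Set, Tuple

WEEKDAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday


@dataclass
class Rule:
    name: str
    activities: FrozenSet[str]           # categories / URL groups / file types controlled
    action: str                          # allow | warn | quota | block
    users: FrozenSet[str] = frozenset()  # empty means "anybody"
    https_action: Optional[str] = None   # separate HTTPS action; None means same as action
    schedule: Optional[Tuple[FrozenSet[int], time, time]] = None  # None means always active
    enabled: bool = True

    def applies_to(self, user: str, groups: Set[str]) -> bool:
        # A rule with no users listed applies to anybody
        return not self.users or user in self.users or bool(groups & self.users)

    def in_schedule(self, now: datetime) -> bool:
        if self.schedule is None:
            return True
        days, start, end = self.schedule
        return now.weekday() in days and start <= now.time() <= end


@dataclass
class WebPolicy:
    rules: list
    default_action: str = "allow"

    def evaluate(self, user, groups, category, https, now):
        """Walk the rules in order; the first enabled, applicable match decides.

        Returns (rule name or 'default', action)."""
        for rule in self.rules:
            if not rule.enabled:
                continue  # disabled rules are skipped entirely
            if not rule.applies_to(user, groups):
                continue
            if category not in rule.activities:
                continue
            if not rule.in_schedule(now):
                continue
            action = rule.https_action if https and rule.https_action else rule.action
            return rule.name, action
        return "default", self.default_action


# Constructed sample policy: names, users and categories are made up for the demo
SAMPLE_POLICY = WebPolicy(
    rules=[
        Rule("Block malicious sites", frozenset({"Malware", "Phishing"}), "block"),
        Rule("Staff lunchtime shopping", frozenset({"Shopping"}), "allow",
             users=frozenset({"Staff"}),
             schedule=(WEEKDAYS, time(12, 0), time(14, 0))),
        Rule("Restrict shopping", frozenset({"Shopping"}), "block"),
        Rule("Social networking", frozenset({"Social Networking"}), "warn",
             https_action="block"),
        Rule("Block news (under test)", frozenset({"News"}), "block", enabled=False),
    ],
    default_action="allow",
)

LUNCH = datetime(2022, 11, 14, 12, 30)  # a Monday
EVENING = datetime(2022, 11, 14, 18, 0)


def evaluate_samples():
    """Run a handful of constructed requests through the sample policy."""
    p = SAMPLE_POLICY
    return {
        "staff_shopping_lunch": p.evaluate("alice", {"Staff"}, "Shopping", False, LUNCH),
        "staff_shopping_evening": p.evaluate("alice", {"Staff"}, "Shopping", False, EVENING),
        "student_shopping_lunch": p.evaluate("bob", {"Students"}, "Shopping", False, LUNCH),
        "student_social_https": p.evaluate("bob", {"Students"}, "Social Networking", True, LUNCH),
        "student_social_http": p.evaluate("bob", {"Students"}, "Social Networking", False, LUNCH),
        "student_news": p.evaluate("bob", {"Students"}, "News", False, LUNCH),
        "anyone_phishing": p.evaluate("guest", set(), "Phishing", True, LUNCH),
    }


if __name__ == "__main__":
    for name, (rule, action) in evaluate_samples().items():
        print(f"{name:24s} -> {action:6s} (rule: {rule})")
```

The order of the rules matters: the staff lunchtime rule only wins because it sits above the general shopping restriction, and the disabled news rule falls through to the default action, which is how a rule under test behaves before it is switched on.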
User activities are a group of web categories, URL groups and file types
Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.
User Activities are a way of grouping web categories, URL groups and file types into a single object
to simplify management.
Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.
You can also create custom web categories based on either local lists of domains and keywords or
an external URL database.
[Additional Information]
External URL databases can be downloaded from either an HTTP or FTP server. The database should be
in one of the following formats:
• .tar
• .gz
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.
URL groups are used to create a match list of domains for which the default configuration should
not be applied. All subdomains for the entered domains will also be matched.
Sophos Firewall can manage access to files through the web policy and comes with several groups
of common file types defined by extension and MIME type.
You can also create custom file types, which can use an existing group as a template to import
already defined types.
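The subdomain behaviour described for URL groups has a security-relevant detail worth seeing in code: a domain entry should match the domain itself and anything below it, but not a host that merely ends in the same characters, and not a lookalike that uses the trusted name as a prefix. The following Python is an added illustration, not Sophos Firewall code; the label-boundary suffix check, the `URLGroup` class and the sample domain list are assumptions made here for the demo.

```python
"""Matching a host against a URL group with the 'all subdomains also match'
rule described in the text. Added illustration, not Sophos Firewall code: the
label-boundary suffix check and the sample domain list are assumptions made
here for the demo.
"""
from typing import List, Optional
from urllib.parse import urlsplit


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL; scheme is optional, port and path are dropped."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def domain_matches(entry: str, host: str) -> bool:
    """True if host equals the entry or is one of its subdomains.

    Comparison is on whole labels, so 'example.com' matches
    'shop.example.com' but neither 'notexample.com' nor
    'example.com.evil.test' (a lookalike with the trusted name as a prefix)."""
    entry = entry.lower().lstrip("*.").rstrip(".")
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


class URLGroup:
    """A named list of domains, as loaded from a plain-text file, one per line."""

    def __init__(self, name: str, domains: List[str]):
        self.name = name
        self.domains = [d.strip().lower() for d in domains if d.strip()]

    @classmethod
    def from_text(cls, name: str, text: str) -> "URLGroup":
        return cls(name, text.splitlines())

    def match(self, url: str) -> Optional[str]:
        """Return the list entry that matched the URL's host, or None."""
        host = hostname_of(url)
        for entry in self.domains:
            if domain_matches(entry, host):
                return entry
        return None


# Constructed sample list, one domain per line (not a real deployment's list)
SAMPLE_LIST = """\
example.com
intranet.example.org
"""

ALLOWED_SITES = URLGroup.from_text("Allowed sites (sample)", SAMPLE_LIST)


if __name__ == "__main__":
    for url in ("https://shop.example.com/cart", "example.com:8443",
                "https://notexample.com/", "http://example.com.evil.test/login",
                "https://wiki.intranet.example.org", "https://example.org/"):
        print(f"{url:40s} -> {ALLOWED_SITES.match(url)}")
```

The same matcher is what you would want behind an exception or allow list: a plain string suffix check would let `example.com.evil.test` inherit whatever treatment `example.com` receives.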
https://training.sophos.com/fw/simulation/WebCategories/1/start.html
In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user
activity, and create user activity for controlling access to specific categories of website.
Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insight into students using keywords related to self-harm, bullying, radicalization or
otherwise inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and
applied to any web filtering policy as an additional criterion, with actions to log and monitor, or
to block, search results or websites containing the keywords of interest.
Comprehensive reporting is provided to identify keyword matches and the users who are searching
for or consuming the keyword content of interest, enabling proactive intervention before a
situation involving an at-risk user escalates.
Keyword lists are plain text files with one term per line.
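The following Python shows how such a one-term-per-line list can drive a content filter with the two actions described above, log (monitor) or block. It is an added illustration and not Sophos Firewall code; whole-word, case-insensitive matching, the `KeywordFilter` class and the sample term lists are assumptions made here, and the lists are deliberately short and illustrative.

```python
"""Keyword content filter driven by a plain-text list with one term per line,
as described in the text. Added illustration, not Sophos Firewall code:
whole-word, case-insensitive matching and the sample lists are assumptions
made here.
"""
import re
from typing import List, Tuple

SEVERITY = {"allow": 0, "log": 1, "block": 2}  # log = monitor only


def load_terms(text: str) -> List[str]:
    """One term per line; surrounding whitespace and blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def compile_terms(terms: List[str]) -> "re.Pattern":
    # Longest terms first so a phrase wins over a word it contains;
    # \b on both sides keeps 'harm' from matching inside 'harmony'.
    escaped = sorted((re.escape(t) for t in terms), key=len, reverse=True)
    return re.compile(r"\b(?:" + "|".join(escaped) + r")\b", re.IGNORECASE)


class KeywordFilter:
    def __init__(self, name: str, list_text: str, action: str):
        self.name = name
        self.action = action  # "log" or "block"
        self.pattern = compile_terms(load_terms(list_text))

    def scan(self, text: str) -> Tuple[str, List[str]]:
        """Return (action, matched terms); ('allow', []) when nothing matches."""
        found = sorted({m.group(0).lower() for m in self.pattern.finditer(text)})
        return (self.action, found) if found else ("allow", [])


def apply_filters(filters: List[KeywordFilter], text: str) -> Tuple[str, List[str]]:
    """Combine several filters: the most severe action wins, all matches are reported."""
    action, hits = "allow", []
    for f in filters:
        a, h = f.scan(text)
        hits.extend(f"{f.name}:{t}" for t in h)
        if SEVERITY[a] > SEVERITY[action]:
            action = a
    return action, hits


# Constructed sample lists (one term per line); wording is illustrative only
BULLYING_LIST = """\
bully
cyber bully
loser
"""
MONITOR_LIST = """\
lonely
nobody likes me
"""

FILTERS = [
    KeywordFilter("bullying", BULLYING_LIST, "block"),
    KeywordFilter("wellbeing", MONITOR_LIST, "log"),
]


if __name__ == "__main__":
    for sample in ("Stop being such a BULLY", "The closers and the bulldog",
                   "I feel lonely today", "a cyber bully said nobody likes me"):
        print(f"{sample!r:45s} -> {apply_filters(FILTERS, sample)}")
```

The word-boundary anchors are the part most worth keeping in mind when building a list: without them, a term such as `loser` also fires on `closers`, and the resulting false positives quickly erode confidence in the reports.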
https://training.sophos.com/fw/simulation/ContentFilter/1/start.html
In this simulation you will create a custom content filter that will be used to detect web pages that
contain common bullying terms.
Once you have created your web policy you can apply it in firewall rules.
If there are options that cannot be enforced, this will be indicated in the firewall rule with a
warning triangle. Hovering over the warning will provide additional information.
https://training.sophos.com/fw/simulation/WebPolicy/1/start.html
In this simulation you will clone and customize a web policy by adding additional rules. You will
then test the policy using two different users and the Policy Test tool.
When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.
No policy or exclusions can be configured to allow these sites, and the domain names will be
hidden in the logs and reports.
[Additional Information]
There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• The action to take for unscannable content and potentially unwanted applications.
[Additional Information]
Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use
dual engine scanning.
The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.
You must also decide how to handle content that cannot be scanned, for example because it is
encrypted or password protected. The safest option is to block this content, but it can be allowed
if required.
An option is available as part of web protection to block Potentially Unwanted Applications from
being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs
list, and this is applied as part of the malware protection in firewall rules.
The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.
The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.
Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may
need to configure this to remain compliant with data protection laws.
You can also choose to exclude certain types of file from zero-day protection using the predefined
file type options.
Zero-day protection scanning is enabled in the Web filtering section of firewall rules.
On the General settings tab there are also some advanced settings where you can enable web
caching and caching Sophos endpoint updates.
The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites
with limited or slower Internet access; however, the web proxy is required in order to enforce this.
In the User notifications tab, you can modify the images and text shown on the warn and block
pages. The text can include variables to display the category detected, and to provide a link for
suggesting a different category.
You can preview what the message will look like when users see it using the link.
Web policy overrides settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.
You define which users (for example this could be teachers in an education setting) have the option
to authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you
can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight
into web override use.
Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.
Codes can be shared with end users, who enter them directly into the block page to allow access
to a blocked site.
https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html
In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web
policy override and use the access code generated to allow John Smith to access a site that is
currently blocked.
The exceptions found within the web protection in the Sophos Firewall can be used to bypass
certain security checks or actions for any sites that match criteria specified in the exception. There
are a few predefined exceptions already in Sophos Firewall and more can be created at the
administrator's discretion. It is important to note that exceptions apply to all web protection
policies no matter where they are applied in Sophos Firewall.
Please note that many websites have multiple IP addresses, and all of them would need to be
listed. Where multiple matching criteria are used, traffic must match all of them for the exception
to apply. You can then select which checks the exception will bypass.
Here are the three main things you learned in this chapter.
Web policy rules can apply to specific users and groups, or anyone. They define the activities or
types of web traffic and have an action to allow, warn, apply quota or block. A separate action can
be applied to HTTPS traffic.
The web filtering policy is selected in the security features of the firewall rule. It provides an option
to use the web proxy or the DPI engine. Some policy options can only be enforced by the web
proxy.
Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.