
Configuring Web Protection on Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]

4010: Configuring Web Protection on Sophos Firewall

November 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring Web protection on Sophos Firewall- 1


Configuring Web Protection on Sophos Firewall

In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall provides web protection as a transparent or explicit proxy

DURATION
24 minutes



Web Policies

Web Protection Policies

• Include options to control end users’ web browsing
• SafeSearch prevents potentially inappropriate images, videos, and text from appearing in search results
• YouTube restrictions also restrict search results
• Time quotas can allow limited access to restricted websites

Policy Rules

• Define the type of usage to restrict
• Specify content filters to restrict web content that contains any terms in the lists
• Define the action to take when the firewall encounters traffic that matches the rule criteria

Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, that allow access to restricted websites, such as online shopping, for a limited
period.

Policies include rules, which are used to:


• Define the type of usage to restrict. This can include user activities, categories, URL groups, file
types, and dynamic categories.
• Specify content filters to restrict web content that contains any terms in the lists.
• Define the action to take when the firewall encounters HTTP traffic that matches the rule
criteria.



Creating and Editing Web Policies

This shows an example of a web policy. It has an ordered list of rules and a default action, in this
case allow, that determines the behaviour if the traffic does not match any of the rules.



Creating and Editing Web Policies
[Figure: a web policy rule with the labels Users & Groups; User Activities, Categories, URL Groups, File Types and Dynamic Categories; Content Filter; Action; Constraints; Status]

Each web policy rule applies to either specific users and groups, or anybody.

You define the activities, or types of web traffic that are going to be controlled by the rule, and you
can optionally also apply a keyword content filter to the traffic.

Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.

You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.

Finally, you can enable and disable individual rules. This is especially useful when creating new
rules and testing.



Web Policies

Below the web policy rules are further options, some of which require the web proxy to be
enforced. These are indicated with a notice. If these options are selected and used with the DPI
engine, they will not be enforced.

The available options are:


• Enforce SafeSearch in common search engines. This is done by modifying the request to enable
the features in the search engine and requires decrypting the web traffic.
• Enforce YouTube restrictions, which is done in the same way as enforcing SafeSearch.
• Configure how much quota time users have per day.



Advanced Settings

Advanced settings allow you to:


• Include this policy in logs and reports.
• Prevent the downloading of files greater than the size specified.
• Add X-Forwarded-For header to pass on the IP address of the original HTTP request.
• Allow users to sign into Google Apps, such as Gmail and Drive, only with the domains specified.
• Apply Microsoft Azure AD tenant restrictions.

Again, a notice indicates which settings require the web proxy to be enforced.



User Activities

User activities are a group of web categories, URL groups and file types

Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.

User Activities are a way of grouping web categories, URL groups and file types into a single object
to simplify management.



Categories

Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.

You can also create custom web categories based on either local lists of domains and keywords or
an external URL database.

[Additional Information]

External URL databases can be hosted on either an HTTP or FTP server. The database should be in one of
the following formats:
• .tar
• .gz
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.



URL Groups

[Figure: URL groups list showing the Local TLS exclusion list and the Managed TLS exclusion list (read only)]

URL groups are used to create a match list of domains for which the default configuration should
not be applied. All subdomains for the entered domains will also be matched.

There are a couple of important default groups:


• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt
traffic for.
• Managed TLS exclusion list, which is a Sophos managed list of domains that are excluded from
TLS decryption. On this page you can see the domains that are included, although you cannot
edit or delete this group.
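
The subdomain matching described above determines how much traffic one entry in the Local TLS exclusion list removes from decryption. The following is an added example, not Sophos code: it models the match on a label boundary and reports which observed hostnames each entry would cover. The group entries and hostnames are constructed sample data.

```python
from typing import Optional

def normalize(host):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return host.strip().lower().rstrip(".")

def matching_entry(host, group) -> Optional[str]:
    """Return the first group entry that covers host, or None.

    An entry covers the domain itself and every subdomain. The match is made
    on a label boundary, so 'bank.example' does not cover 'notbank.example'.
    """
    host = normalize(host)
    for entry in group:
        entry = normalize(entry)
        if host == entry or host.endswith("." + entry):
            return entry
    return None

def exclusion_coverage(hosts, group):
    """Map each group entry to the observed hosts it would exclude."""
    coverage = {normalize(e): [] for e in group}
    for h in hosts:
        entry = matching_entry(h, group)
        if entry is not None:
            coverage[entry].append(normalize(h))
    return coverage

def still_decrypted(hosts, group):
    """Hosts that no entry covers, so the default configuration still applies."""
    return [normalize(h) for h in hosts if matching_entry(h, group) is None]

# Constructed sample data (assumptions, not Sophos defaults).
LOCAL_TLS_EXCLUSIONS = ["bank.example", "cdn.example"]
OBSERVED_HOSTS = [
    "bank.example",
    "Login.Bank.Example.",
    "notbank.example",
    "static.cdn.example",
    "uploads.tenant42.cdn.example",
    "news.example",
]

if __name__ == "__main__":
    for entry, hosts in exclusion_coverage(OBSERVED_HOSTS, LOCAL_TLS_EXCLUSIONS).items():
        print(f"{entry}: excludes {len(hosts)} observed host(s): {hosts}")
    print("still decrypted:", still_decrypted(OBSERVED_HOSTS, LOCAL_TLS_EXCLUSIONS))
```

A shared parent domain such as the constructed `cdn.example` entry covers every tenant beneath it, so it is worth reviewing coverage against real proxy logs before adding broad entries.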



File Types

Sophos Firewall can manage access to files through the web policy and comes with several groups
of common file types defined by extension and MIME type.

You can also create custom file types, which can use an existing group as a template to import
already defined types.



Simulation: Create Custom Web Categories on Sophos Firewall

In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user
activity, and create a user activity for controlling access to specific categories of website.

https://training.sophos.com/fw/simulation/WebCategories/1/start.html



Content Filters

Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insights into students using keywords related to self-harm, bullying, radicalization or
otherwise inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and
applied to any web filtering policy as an added criterion, with actions to log and monitor or block
search results or websites containing the keywords of interest.

Comprehensive reporting is provided to identify keyword matches and users that are searching or
consuming keyword content of interest, enabling proactive intervention before an at-risk user
becomes a real problem.

Keyword lists are plain text files with one term per line.



Simulation: Create a Web Content Filter on Sophos Firewall

In this simulation you will create a custom content filter that will be used to detect web pages that
contain common bullying terms.

https://training.sophos.com/fw/simulation/ContentFilter/1/start.html



Applying Policies

Once you have created your web policy you can apply it in firewall rules.



Web Policies

If there are options that cannot be enforced, this will be indicated in the firewall rule with a
warning triangle. Hovering over the warning will provide additional information.



Simulation: Create a Custom Web Policy on Sophos Firewall

In this simulation you will clone and customize a web policy by adding additional rules. You will
then test the policy using two different users and the Policy Test tool.

https://training.sophos.com/fw/simulation/WebPolicy/1/start.html



Web Protection

When any web filtering is enabled Sophos Firewall will:


• Automatically block websites that are identified as containing child sexual abuse content
by the Internet Watch Foundation (IWF)
• Hide the domain name in logs and reports
• Not support any policy or exclusion to allow the sites

We minimize the availability of online sexual abuse content.


Specifically:
• Child sexual abuse content hosted anywhere in the world
• Non-photographic child sexual abuse images hosted in the UK

When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.

No policy or exclusions can be configured to allow these sites, and the domain names will be
hidden in the logs and reports.

[Additional Information]

Find out more about the IWF at https://www.iwf.org.uk



Protection Settings

There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• And the action to take for unscannable content and potentially unwanted applications.

[Additional Information]

Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use
dual engine scanning.

The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.

Then we must decide on how to handle content that cannot be scanned due to factors such as
being encrypted, or password protected. The safest option is to block this content, but it can be
allowed if required.

An option is available as part of web protection to block Potentially Unwanted Applications from
being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs
list; and this is applied as part of the malware protection in firewall rules.



Protection Settings

The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.



Zero-Day Protection

The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.

Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may
need to configure this to remain compliant with data protection laws.

You can also choose to exclude certain types of file from zero-day protection using the predefined
file type options.

Zero-day protection scanning is enabled in the Web filtering section of firewall rules.



Advanced Settings

On the General settings tab there are also some advanced settings where you can enable web
caching and caching Sophos endpoint updates.

You can also configure some web proxy settings:


• The port that clients should use to configure the Sophos Firewall as an explicit proxy.
• The ports that can be connected to.
• And the minimum TLS version.



Web Proxy Content Caching

The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites
with limited or slower Internet access; however, the web proxy is required in order to enforce this.



User Notifications

In the User notifications tab, you can modify the images and text shown on the warn and block
pages. The text can include variables to display the category detected and to provide a link for
suggesting a different category.

You can preview what the message will look like when users see it using the link.



Policy Overrides

Web policy override settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.

You define which users (for example this could be teachers in an education setting) have the option
to authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you
can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight
into web override use.



Policy Overrides

Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.



Policy Overrides

Codes can be shared with end users, who enter them directly into the block page to allow access
to a blocked site.



Simulation: Delegate Web Policy Overrides on Sophos Firewall

In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web
policy override and use the access code generated to allow John Smith to access a site that is
currently blocked.

https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html



Exceptions

The exceptions found within the web protection in the Sophos Firewall can be used to bypass
certain security checks or actions for any sites that match criteria specified in the exception. There
are a few predefined exceptions already in Sophos Firewall and more can be created at the
administrator's discretion. It is important to note that exceptions apply to all web protection
policies no matter where they are applied in Sophos Firewall.



Exceptions

Exceptions can be matched on any combination of:


• URL patterns, which can be either simple strings or regular expressions.
• Website categories.
• Source IP addresses.
• And destination IP addresses.

Please note that many websites have multiple IP addresses, and all of them would need to be
listed. Where multiple matching criteria are used, then the traffic must match all the criteria to
match successfully. You can then select which checks the exception will bypass.
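
Because an exception bypasses checks for every web policy, it helps to test what a set of criteria covers before saving it. The following is an added example, not Sophos code: a simplified model of the all-criteria-must-match logic described above. It assumes URL patterns are applied as a regular expression search over the full URL; all URLs, category names and addresses are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

def _in_any(ip, nets):
    """True if ip falls inside any of the CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

@dataclass
class WebException:
    """Simplified model: every criterion that is configured must match."""
    url_patterns: list = field(default_factory=list)  # regular expressions
    categories: set = field(default_factory=set)
    source_nets: list = field(default_factory=list)   # CIDR strings
    dest_nets: list = field(default_factory=list)     # CIDR strings

    def matches(self, url, category, src_ip, dst_ip):
        checks = []
        if self.url_patterns:
            checks.append(any(re.search(p, url) for p in self.url_patterns))
        if self.categories:
            checks.append(category in self.categories)
        if self.source_nets:
            checks.append(_in_any(src_ip, self.source_nets))
        if self.dest_nets:
            checks.append(_in_any(dst_ip, self.dest_nets))
        # With no criteria configured, this model matches nothing.
        return bool(checks) and all(checks)

def covered(exc, requests):
    """Return the indexes of the sample requests the exception would match."""
    return [i for i, r in enumerate(requests) if exc.matches(*r)]

# Constructed sample requests: (url, category, source IP, destination IP).
REQUESTS = [
    ("https://updates.vendor.example/pkg.bin", "Updates", "10.1.1.20", "203.0.113.10"),
    ("https://updates.vendor.example/pkg.bin", "Updates", "10.1.1.20", "203.0.113.11"),
    ("https://other.example/?ref=updates.vendor.example", "Unknown", "10.1.1.20", "198.51.100.7"),
    ("https://updates.vendor.example/pkg.bin", "Updates", "10.9.9.9", "203.0.113.10"),
]

# Unanchored pattern, URL criterion only: matches the string anywhere in the URL.
LOOSE = WebException(url_patterns=[r"updates\.vendor\.example"])
# Anchored pattern combined with a source network: both must match.
ANCHORED = WebException(
    url_patterns=[r"^https://updates\.vendor\.example/"],
    source_nets=["10.1.1.0/24"],
)
# Only one of the site's two addresses is listed as a destination.
ONE_DEST_IP = WebException(
    url_patterns=[r"^https://updates\.vendor\.example/"],
    dest_nets=["203.0.113.10/32"],
)

if __name__ == "__main__":
    for name, exc in [("loose", LOOSE), ("anchored", ANCHORED), ("one_dest_ip", ONE_DEST_IP)]:
        print(name, covered(exc, REQUESTS))
```

In this model the unanchored pattern also covers the unrelated URL that merely contains the string, and the single destination address misses the same site served from its second address.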



Chapter Review

Here are the three main things you learned in this chapter.

Web policy rules can apply to specific users and groups, or anyone. They define the activities or
types of web traffic and have an action to allow, warn, apply quota or block. A separate action can
be applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It provides an option
to use the web proxy or the DPI engine. Some policy options can only be enforced by the web
proxy.

Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.
