
Considerations for Deploying Sophos Firewall in Common Scenarios

What features are not supported on Sophos Firewall deployed in bridge mode?
Email Protection
VPN Concentrator
Web Protection
TLS Decryption
Multiple WAN Links

What command is used on the console to enable fail-to-wire on XGS series appliances?
xgs-ftw

Here are the three main things you learned in this chapter.

There are broadly four modes of deployment for Sophos Firewall: gateway, bridge, mixed, and
discover. Mixed mode is a combination of gateway mode, the most common type of deployment,
and bridge mode, as it is not a pure transparent bridge.
Bridge mode is a fully transparent bridge that is deployed inline without changing the network
topology. As it is transparent it does not support terminating VPNs or multiple WAN links.
Fail-to-wire is a fault-tolerance feature on XGS Series devices that protects your essential
business communications in the event of a power outage. You would use this when deploying
in bridge mode.

Deploying Sophos Firewall in Discover Mode

Which of the following is required to enable discover mode?


A port without an IP address
Active Directory Server
A Managed switch with port mirroring
Sophos Central
Which of the following does connecting the Sophos Firewall to the LAN allow when in discover mode?
Security Heartbeat

Updates
Security Lookups
User Identification

Here are the three main things you learned in this chapter.
Discover mode provides non-intrusive monitoring of network traffic without making changes to the
architecture. It allows Sophos Firewall to see a copy of the network traffic and report on threats
being missed by the current solution.
Discover mode is enabled per-port on the Console. The port needs to be connected to a managed
switch with port mirroring enabled for the port Sophos Firewall is connected to.
So that Sophos Firewall can receive updates and perform lookups you can configure a WAN
connection. By connecting Sophos Firewall to the LAN, clients can establish a Security
Heartbeat with Sophos Firewall, and Sophos Firewall can be configured to lookup user
identities.
Advanced Interface Configuration on Sophos Firewall

You want to display the MTU setting for PortA. You have typed show network and a space. Now type the rest of the command.
show network mtu-mss PortA

Match the VLAN ID to its description.

0 – Used for priority-tagged frames when the VLAN is not known
1 – Reserved for the physical LAN
2 – 4094 – Can be assigned to interfaces
4095 – When configured it acts like a trunk port for the vSwitch
Here are the three main things you learned in this chapter.
You can configure the MTU and MSS for interfaces, and this includes support for jumbo frames with
more than 1500-byte payloads. This can be configured in the WebAdmin in the ‘Advanced settings’
for the interface or in the console.
You can create multiple VLAN interfaces on a single physical interface and allow for tagged as well
as untagged traffic on the same physical interface in the Sophos Firewall.
Link Aggregation Groups, (LAG), combine multiple physical links into a single logical link to
increase bandwidth and make automatic failover available.
Advanced Routing and Configuration on Sophos Firewall

What command would you run on the console to see which type of routes are being processed first?
system route_precedence show

Which parameters can be used to configure the SLA in an SD-WAN profile?
Latency, jitter and packet loss

Here are the three main things you learned in this chapter.

Sophos Firewall marks incoming traffic with the matching routes and the destination zone before
DNAT is applied. Routes are then processed in order of precedence before SNAT is applied.
Sophos Firewall has the WAN link manager for configuring balancing and failover of Internet links.
There is also the gateway manager for creating and managing custom gateways for SD-WAN
routing.
SD-WAN profiles provide link selection based on link quality and performance using latency,
jitter, packet loss, or a combination of all three. SD-WAN routes provide powerful traffic
selection options, that can leverage SD-WAN profiles for link selection.
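The SLA gating and link selection described above, as an added Python example that is not Sophos code: the profile thresholds, gateway names and probe values are constructed, and the score weighting used by the "best-quality" strategy is an assumption for illustration, not the firewall's own algorithm.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SlaProfile:
    """Thresholds a gateway must stay within to be eligible (values are constructed)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class GatewayHealth:
    """Latest probe result for one custom gateway."""
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def meets_sla(h: GatewayHealth, sla: SlaProfile) -> bool:
    """A gateway is eligible only if all three measurements are within the SLA."""
    return (h.latency_ms <= sla.max_latency_ms
            and h.jitter_ms <= sla.max_jitter_ms
            and h.loss_pct <= sla.max_loss_pct)


def quality_score(h: GatewayHealth) -> float:
    """Lower is better. The weights are an assumption for this example; packet loss is
    weighted heaviest because it hurts TCP throughput far more than latency does."""
    return h.latency_ms + 2.0 * h.jitter_ms + 50.0 * h.loss_pct


def select_gateway(health: List[GatewayHealth], sla: SlaProfile,
                   strategy: str = "first-available") -> Optional[str]:
    """Pick the gateway an SD-WAN route should use.

    health is ordered by configured priority. 'first-available' takes the highest
    priority gateway that meets the SLA; 'best-quality' takes the eligible gateway
    with the best score. None means no gateway meets the SLA and the caller must
    fall back (for example to the next route in precedence order).
    """
    eligible = [h for h in health if meets_sla(h, sla)]
    if not eligible:
        return None
    if strategy == "first-available":
        return eligible[0].name
    if strategy == "best-quality":
        return min(eligible, key=quality_score).name
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed sample data: a VoIP SLA and three gateways listed in priority order.
VOIP_SLA = SlaProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
MPLS = GatewayHealth("MPLS_GW", latency_ms=40, jitter_ms=5, loss_pct=0.0)
FIBRE = GatewayHealth("Fibre_GW", latency_ms=25, jitter_ms=3, loss_pct=0.1)
LTE = GatewayHealth("LTE_GW", latency_ms=120, jitter_ms=40, loss_pct=0.5)
MPLS_DEGRADED = GatewayHealth("MPLS_GW", latency_ms=40, jitter_ms=5, loss_pct=3.0)

if __name__ == "__main__":
    print(select_gateway([MPLS, FIBRE, LTE], VOIP_SLA))                  # MPLS_GW
    print(select_gateway([MPLS, FIBRE, LTE], VOIP_SLA, "best-quality"))  # Fibre_GW
    print(select_gateway([MPLS_DEGRADED, FIBRE, LTE], VOIP_SLA))         # Fibre_GW
```

The point to notice is that the SLA is a gate, not a ranking: LTE_GW never wins for the VoIP profile because its jitter exceeds the threshold, even when it is the only link left, so the route must have a fallback.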

Dynamic Routing on Sophos Firewall

Which 4 dynamic routing protocols does Sophos Firewall support?
RIP, OSPF, BGP, PIM-SM

Here are the three main things you learned in this chapter.
Sophos Firewall supports RIP, OSPF, BGP, and PIM-SM as dynamic routing protocols.
Dynamic routing protocols can be configured either in the web admin or via the console.
Detailed information for configured dynamic routing can be viewed in the web admin on the
Routing information tab.

Considerations for configuring device access on Sophos Firewall

What is the benefit of SSH Public Key Authentication?
It allows access to the CLI without needing to share the admin password.
Which of these statements about Local Service ACL Exception Rules is true?
Separate rules must be created for IPv4 and IPv6
Which of these zones have CAPTCHA enabled by default?
WAN & VPN
Here are the three main things you learned in this chapter.
Public key authentication can be configured for secure access to the CLI. This allows access without
the need to share the admin password.
Administrative access can be secured by disabling zone-based access to services and creating local
service ACL exception rules to allow access to admin services from specific network
segments/hosts.
You can enable and disable the CAPTCHA either globally, for both the WAN and VPN zone, or
just for the VPN zone. The configuration is managed via the console.
Advanced Firewall Management on Sophos Firewall

You are explaining to a colleague how to order firewall rules.


Which 2 of the following are basic rules that you suggest that they follow?
The more specific the rule, the closer to the top it should be.
Unless it is a catchall rule, deny rules should be at the top for security.

Order these Firewall rules for the best efficiency and security

Here are the three main things you learned in this chapter.
FastPath can offload traffic to increase the speed of connections, but not all traffic will be offloaded.
Firewall rules can be created to maximize the amount of traffic offloaded to the FastPath.
Firewall rules can be ordered for performance and protection. Firewall rule groups can help to
organize devices that have many rules.
The general rules are: the more specific the rule, the closer to the top the rule should be; rules
that are processed more often should be above other rules; and unless it is a catchall rule, deny
rules should be at the top for security.

True or False. DNAT rules take precedence over device access
TRUE

Match the NAT rule type to its description.


Loopback Policy – For when internal users use the Public IP address or hostname to access
a resource
Reflexive Rule – Creates an SNAT from internal sources to the Internet

Here are the three main things you learned in this chapter.
Firewall rules match on post-NAT zone and pre-NAT IP address.
The default SNAT rule will automatically add WAN zone interfaces to the outbound interface
configuration.
You can use local NAT policies to set the source IP address for system generated traffic to
selected destinations.
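The two chapter summaries above (rule ordering, and matching on the post-NAT zone but the pre-NAT destination IP) together describe how a packet is classified. The following is an added Python model of that flow, not Sophos code: the zones, subnets, DNAT entry and rule set are constructed, and the implicit deny at the end is an assumption of the model. It shows why a specific deny placed below a broad allow never fires, and includes a check that finds such shadowed rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology for the example (not a firewall export): zone membership is
# derived from the subnet an address falls into; anything else is treated as WAN.
ZONES = {
    "LAN": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("172.16.0.0/24"),
}


@dataclass(frozen=True)
class DnatRule:
    orig_dst: str   # pre-NAT destination (the public IP clients connect to)
    dport: int
    new_dst: str    # post-NAT destination (the internal server)


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str                  # "allow" or "deny"
    src_zone: str
    dst_zone: str                # matched against the POST-NAT destination zone
    src: str                     # CIDR, pre-NAT source
    dst: str                     # CIDR, matched against the PRE-NAT destination IP
    dport: Optional[int] = None  # None means any port


def zone_for(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def apply_dnat(dst: str, dport: int, dnats: List[DnatRule]) -> str:
    """DNAT lookup happens before rule matching; return the post-NAT destination."""
    for r in dnats:
        if r.orig_dst == dst and r.dport == dport:
            return r.new_dst
    return dst


def evaluate(src: str, dst: str, dport: int, dnats: List[DnatRule],
             rules: List[FirewallRule]) -> Tuple[str, str]:
    """First-match evaluation. Returns (rule name, action); no match is an implicit deny."""
    src_zone = zone_for(src)
    dst_zone = zone_for(apply_dnat(dst, dport, dnats))   # zone of the post-NAT address
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)  # pre-NAT IP
                and (rule.dport is None or rule.dport == dport)):
            return rule.name, rule.action
    return "implicit", "deny"


def covers(earlier: FirewallRule, later: FirewallRule) -> bool:
    """True if every packet the later rule could match is already matched by the earlier one."""
    return (earlier.src_zone == later.src_zone and earlier.dst_zone == later.dst_zone
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_rules(rules: List[FirewallRule]) -> List[str]:
    """Names of rules that can never fire because a rule above them covers them completely."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


# Constructed rule set: a web server on 172.16.0.10 published on 203.0.113.10:443,
# plus a deny for a scanner network that was (wrongly) placed below the broad allow.
DNATS = [DnatRule("203.0.113.10", 443, "172.16.0.10")]
PUBLISH = FirewallRule("publish-web", "allow", "WAN", "DMZ", "0.0.0.0/0", "203.0.113.10/32", 443)
BLOCK = FirewallRule("block-scanner", "deny", "WAN", "DMZ", "198.51.100.0/24", "203.0.113.10/32", 443)
RULES_BAD = [PUBLISH, BLOCK]   # specific deny below the catchall allow: never reached
RULES_GOOD = [BLOCK, PUBLISH]  # specific deny first, as the ordering rules require

if __name__ == "__main__":
    print(evaluate("198.51.100.5", "203.0.113.10", 443, DNATS, RULES_BAD))   # allowed!
    print(shadowed_rules(RULES_BAD))                                        # ['block-scanner']
    print(evaluate("198.51.100.5", "203.0.113.10", 443, DNATS, RULES_GOOD))  # denied
```

Note that the rules name the DMZ as destination zone while matching the public address 203.0.113.10: with the DNAT in place the zone is derived from 172.16.0.10, so the same packet on a port with no DNAT (where the destination stays in WAN) matches nothing and hits the implicit deny.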

Before applying a traffic shaping policy, what needs to be configured on the Sophos
Firewall?
Total WAN bandwidth
Firewall rules
TRUE or FALSE: A user-based policy cannot be applied to groups
False

Here are the three main things you learned in this chapter.
Traffic shaping policies can target network traffic or users.
Policies can guarantee or limit the traffic.
The priority controls which traffic is processed first.

Advanced Sophos Firewall IPS Configuration.

When creating an IPS policy, in which 3 of the following ways can signatures be selected?
Filter the signatures using pre-defined criteria.
Filter signatures using text-based smart filters.
Search for and select individual signatures.

Which 2 of the following statements about strict policy are TRUE?


It is used to check for common attacks
It is enabled by default on Sophos Firewall

Here are the three main things you learned in this chapter.
Default IPS policies are designed to cover a wide range of scenarios and are therefore not
optimized.
Each firewall rule should have its own customized IPS policy that only includes the signatures for the
services and hosts that will be using it.
When creating a new IPS policy you can clone rules from an existing policy to streamline the
process.

Advanced Sophos Firewall DoS Protection.


When DoS protection is enabled and configured in the WebAdmin, which of the following
statements is TRUE?
It is applied to all traffic

Match the item to its description.


DoS Policy – Configure limits for each attack type
DoS Rule – Select which traffic to apply the configuration to

Here are the three main things you learned in this chapter.
When denial-of-service, or DoS protection is configured in the Web Admin it is applied globally for
all traffic.
Advanced DoS is made up of DoS policies and DoS rules. DoS policies configure limits for each attack
type. DoS rules configure which traffic the DoS policy is applied to.
Advanced DoS configuration requires you to use packets-per-second, or PPS. To calculate this,
you need to know details of the software such as how many concurrent connections there will
be, protocol used, and the size and frequency of transactions.

Managing and Deploying Security Heartbeat on Sophos Firewall

TRUE or FALSE: A Sophos Firewall can be associated with multiple Sophos Central accounts.
FALSE
Note: A Sophos Firewall can only be associated with one Central account, but a Central account can
have multiple Sophos Firewalls.

Which 2 of the following are potential causes for a managed endpoint having a YELLOW
heartbeat status?
A PUA (Potentially Unwanted Application) has been detected.
Inactive malware has been detected.

When using Synchronized Security, how does the Sophos Firewall determine whether it needs
to send the IP addresses of its LAN interfaces to Sophos Central?
One or more discover mode interfaces are configured.

Here are the three main things you learned in this chapter.
Devices with a Security Heartbeat are identified by their IP address when the traffic is passing
through the firewall. For lateral movement protection other devices use the MAC address of
endpoints with a RED health status to drop traffic.
Central brokers trust between the endpoints and firewall using certificates, but the heartbeat is
established between the endpoint and firewall.
Endpoints use a public IP address to establish the heartbeat with the firewall so it is routed
through the Internet gateway, which should be the Sophos Firewall. For this reason, endpoints
need to be connected directly to the network or via VPN.

05 – SITE-TO-SITE

Advanced IPsec Site-to-Site Configuration on Sophos Firewall


You have created a route-based VPN in an environment where there are overlapping
subnets on either side. Which of the following statements are TRUE?

You need to create SNAT and DNAT rules for the overlapping networks on each side of the VPN.
You need to use IP ranges for the networks when configuring NATing.
Use unNATed source and destination networks to limit the scope of the NATing.
Use one-to-one load balancing for the DNAT.
TRUE or FALSE: you can use SD-WAN profiles with route-based VPNs.
TRUE

TRUE or FALSE: The only way to failover between two route-based IPSec VPN is to create a
failover group.
FALSE

Here are the three main things you learned in this chapter.
Route-based VPNs support routing using static routes, SD-WAN policy routes, and dynamic routing.
You can use SD-WAN profiles and SD-WAN policy routes with route-based VPNs to select the best
link for traffic.
Where you have overlapping subnets on either side of the tunnel you need to use NATing. For
route-based VPNs you can create SNAT and DNAT rules using the normal method. For policy-based
VPNs you need to configure the NATing in the connection.
You can create failover groups for IPsec VPNs. It would be more common to use these with
policy-based VPNs as you can use SD-WAN policy routes to manage connections for route-
based VPNs.
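The overlapping-subnet case above, as an added Python example that is not Sophos code: both sites use 10.0.0.0/24, and the translated ranges 192.168.10.0/24 (site A) and 192.168.20.0/24 (site B) are assumptions. The `netmap` helper models a one-to-one NAT between two equally sized ranges, and `round_trip` follows a request and its reply through the SNAT rule on the sending side and the DNAT rule on the receiving side.

```python
import ipaddress
from typing import Tuple

# Constructed scenario: both sites use 10.0.0.0/24, so each side is presented to the
# other through a distinct translated range (the ranges below are assumptions).
REAL = ipaddress.ip_network("10.0.0.0/24")
TRANSLATED = {
    "A": ipaddress.ip_network("192.168.10.0/24"),
    "B": ipaddress.ip_network("192.168.20.0/24"),
}


def netmap(addr: str, src_net: ipaddress.IPv4Network,
           dst_net: ipaddress.IPv4Network) -> str:
    """One-to-one network translation: swap the network bits, keep the host bits.
    Ranges must be the same size, which is why the NAT rules use IP ranges."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("one-to-one NAT needs ranges of the same size")
    host_bits = int(ip) - int(src_net.network_address)
    return str(ipaddress.ip_address(int(dst_net.network_address) + host_bits))


def snat_into_tunnel(site: str, src: str, dst: str) -> Tuple[str, str]:
    """SNAT rule on a site's firewall for traffic entering the tunnel: the real local
    source becomes its address in the site's translated range. The destination is
    already the peer's translated address, so it is left alone. Scoping the rule to
    the real local network as source and the peer's translated range as destination
    keeps it from touching any other traffic."""
    return netmap(src, REAL, TRANSLATED[site]), dst


def dnat_out_of_tunnel(site: str, src: str, dst: str) -> Tuple[str, str]:
    """DNAT rule on a site's firewall for traffic leaving the tunnel: the translated
    local destination is mapped back to the real local host."""
    return src, netmap(dst, TRANSLATED[site], REAL)


def round_trip(src_at_a: str, dst_b_translated: str):
    """Follow one request from site A and its reply through both firewalls.
    Returns the (src, dst) pair the site-B host sees, and the (src, dst) pair the
    site-A host sees on the reply."""
    s, d = snat_into_tunnel("A", src_at_a, dst_b_translated)
    s, d = dnat_out_of_tunnel("B", s, d)
    seen_by_b = (s, d)
    # Site B's host replies to the translated site-A address it saw.
    rs, rd = snat_into_tunnel("B", d, s)
    rs, rd = dnat_out_of_tunnel("A", rs, rd)
    return seen_by_b, (rs, rd)


if __name__ == "__main__":
    # Host 10.0.0.5 at site A reaches host 10.0.0.7 at site B as 192.168.20.7.
    print(round_trip("10.0.0.5", "192.168.20.7"))
```

Both hosts keep their real 10.0.0.x addresses; each only ever sees the other side's translated range, which is what makes the overlapping subnets routable across the tunnel.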
Advanced Remote Ethernet Device Configuration on Sophos Firewall
Enter the TCP port that Remote Ethernet Devices use as a control channel.

3400

Enter the UDP port that Remote Ethernet Devices use as a data channel
3410
Match the RED mode to its description.
Standard/Unified – Sophos Firewall is the DHCP server and default gateway for the remote
network. All traffic generated on the remote network is sent through the RED to Sophos Firewall.
Standard/Split – Sophos Firewall is the DHCP server and default gateway for the remote
network. Only defined traffic is sent through the RED.
Transparent/Split – Sophos Firewall gets its IP address from a DHCP server on the remote
network.

How many connections are established between a RED and Sophos Firewall if the
second WAN interface on the RED is configured for failover and the second hostname
of the Sophos Firewall is configured for balancing?
2

Here are the three main things you learned in this chapter.
Remote Ethernet Devices use ports 3400 TCP and 3410 UDP to create a connection to Sophos
Firewall.
You can configure a second hostname for Sophos Firewall and use it either for failover or balancing.
The second WAN interface on REDs can also be configured for either failover or balancing.
You can create a RED tunnel between two Sophos Firewalls.

06 – AUTHENTICATION
Advanced STAS Configuration on Sophos Firewalls
When configuring STAS, what is the maximum number of collectors you can have in a collector group?
5
STAS has a collector group with 3 collectors and 12 agents. Which collector IP address(es) do you
need to configure on the STA agents?
The IP addresses of all the Collectors

Here are the three main things you learned in this chapter.
All the Collectors should be configured with the IP addresses of all the Sophos Firewalls so that all
the firewalls have all the logged in users.
All the Agents should be configured with the IP addresses of all the Collectors to provide
redundancy.
Collector groups provide redundancy, and you can have a maximum of five Collectors in a
Collector group.

07 – WEB PROTECTION
Managing TLS Decryption for Web Protection on Sophos Firewall
You must comply with Payment Card Industry Data Security Standard.
Which default encryption profile should you use?
Strict Compliance
You need to provide certificates for TLS inspection. Which of these statements is true?
Certificates can be deployed to managed Windows endpoints using Active Directory GPOs.

Here are the things you learned in this chapter.


HTTPS is used for 98% of all web page visits, and TLS is increasingly used by malware to
communicate with remote systems over the Internet. Not decrypting this traffic leaves a large blind spot.
TLS Exceptions can be configured using URL groups. Sophos maintains the Managed TLS exclusion
list of sites that are not compatible with TLS decryption. There is also a Local TLS exclusion list and
domains can be added to the TLS Exceptions from the Control Center.
Certificates for TLS decryption need to be signed by an internal CA. SSL/TLS signing certificates
for the CA and copies of the re-signing certificates should be installed on all endpoints whose
traffic is to be decrypted.
08 REMOTE ACCESS
Advanced Sophos Connections Configuration on Sophos Firewall
Which configuration file for IPSec remote access VPNs supports split tunnelling and
advanced options?
.SCX
Which 2 pieces of information do you need to include in an automatic provisioning
file?
Firewall hostname or IP
User portal port number

Here are the main things you learned in this chapter.


Both IPsec and SSL remote access VPNs support tunnel all and split tunnelling. This is configured
using the option ‘Use as default gateway’.
Sophos Connect can retrieve the VPN configuration from the user portal by using an automatic
provisioning file. These connections can then be updated if changes are made on Sophos Firewall.
Sophos Connect can be deployed using Active Directory Group Policy. A startup script can be
used to check for and run the Sophos Connect installer, and a configuration file can be copied to
the import directory.

09 WIRELESS PROTECTION
Troubleshooting Access Point Deployment on Sophos Firewall
What IP address does the access point send a discover packet to?
1.2.3.4

What port does the Sophos access point connect to the Sophos Firewall on?
2712

Here are the main things you learned in this chapter.


Sophos access points expect Sophos Firewall to be on the route to the Internet, and so send a
discovery packet to the magic IP 1.2.3.4. If Sophos Firewall is not on the route to the Internet the IP
address must be provided using DHCP option 234.
Sophos access points are managed using TCP port 2712. This port must not be blocked anywhere
between the access point and Sophos Firewall.
Wireless protection must be enabled for all zones where an access point is being deployed.
Wireless Authentication on Sophos Firewall.
What security mode do you need to select in the wireless network to use RADIUS authentication?
WPA/WPA2 Enterprise

Here are the main things you learned in this chapter.


A RADIUS server needs to be added as an authentication server; it uses port 1812 by default.
Primary and secondary RADIUS servers can be selected in the wireless settings, these will be used
for all wireless networks with enterprise authentication. Sophos Firewall uses port 414 for the
RADIUS communication with the access points.
In the wireless network configuration, you need to select WPA or WPA2 Enterprise as the
security mode. This will prompt users connecting to authenticate with their username and
password.

Configuring Wireless Mesh Networks

Match the mesh role to the description.


Root Access Point – Connects to the network via an Ethernet connection.
Mesh Access Point – Connects to the network wirelessly.

Here are the main things you learned in this chapter.


Mesh networks can be used to bridge an Ethernet connection wirelessly, to repeat a wireless
network, or both.
All APX series access points support mesh networking.
Root access points are connected to the Sophos Firewall via an Ethernet connection, mesh
access points are connected wirelessly once they have received the configuration.

Troubleshooting Wireless Performance on Sophos Firewall


If you determine that you are operating in an area of crowded frequencies, what actions could
you take?
Manually select the broadcast channel.
Enable dynamic channel selection.
Here are the main things you learned in this chapter.
Wireless performance issues are commonly caused by incorrectly located access points leaving gaps
in coverage or being too densely deployed leading to interference. Crowded frequencies can also
lead to performance problems.
Use tools to scan for networks; identify what channels they are running on and review the location
of your access points.
If you have overlapping coverage with your access points, you may need to reduce the
transmission power to reduce interference.

10 - WEB SERVER PROTECTION

Overview of Web Server Protection on Sophos Firewall

Which feature would you use to protect against cross-site scripting attacks?
Threat Filters

Here are the main things you learned in this chapter.


Sophos Firewall uses a reverse proxy to protect web servers. Sophos Firewall can protect against
common web attacks such as XSS, SQL injection, malware, and more.
Sophos Firewall creates an Apache virtual web server instance for each web service that is being
protected. The virtual server loads security modules to filter the traffic.
Sophos Firewall can act as an authentication proxy. Attackers would need to authenticate
successfully with Sophos Firewall before they can even establish a connection through the reverse
proxy to the web server.

Configuring Web Server Protection on Sophos Firewall

Which of the following options allows RPC over HTTP traffic to traverse the Web Server
Protection module?
Pass Outlook Anywhere

When browsing your website, you notice that it is not being displayed correctly and are
experiencing content-encoding errors. Which additional option in the web application
firewall can you enable to stop this from happening?
Disable compression support.

How is a web application firewall rule created?


By selecting protection with web server protection in the action field.

Here are the main things you learned in this chapter.


Each service to be protected needs to be defined as a web server. This includes the host and port,
whether it is HTTP or HTTPS, as well as keep alive and timeout settings.
The protection policy is where you enable the protection features. This defines what filtering will
be done on the traffic to protect the web server. Protection policies can be in either a monitor only
mode or a reject mode.
When creating the firewall rule you need to select ‘Protect with web server protection’. In the
configuration you will select the web server to be protected, the protection policy, and define any
exceptions.

Troubleshooting Web Server Protection on Sophos Firewall

When refining the configuration of a web server protection rule, which log file do you need to
check on the advanced shell?
reverseproxy.log

TRUE or FALSE: Web Server Protection Entry URLs are case sensitive.
TRUE

You are refining your web server protection configuration and need to skip a threat filter rule,
where do you enter the ID?
Protection Policy

Here are the main things you learned in this chapter.


Errors relating to URL hardening will generally include the message ‘no signature found’. Ensure
that all entry URLs have been added, these are case sensitive.
For form hardening you will see form validation errors in the log. The user may see an error like
‘your browser sent a request this server could not understand’. Dynamically generated forms need
to be excluded from form hardening.
Threat filter rules include ‘security2:error’ in the log. The user may see a forbidden error. Add the
triggered rule IDs to the skip filter rule list. Avoid adding infrastructure rules, which will have a
reason related to exceeding a score in the log.
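The triage the three paragraphs above describe, as an added Python example that is not Sophos code. The log lines are constructed in the style of Apache error-log output with ModSecurity messages; the real reverseproxy.log format differs in detail, so the parser keys only on the phrases named above (‘no signature found’, form validation, ‘security2:error’, and a score-related reason) and extracts rule IDs from `[id "..."]` fields, which is the ModSecurity convention.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real firewall output).
SAMPLE_LOG = """\
[Mon Mar 04 10:21:07 2024] [security2:error] [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "(?i)<script" at ARGS:q. [id "941100"] [msg "XSS Attack Detected via libinjection"] [uri "/search"]
[Mon Mar 04 10:21:07 2024] [security2:error] [client 203.0.113.5:51234] ModSecurity: Access denied with code 403 (phase 2). [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [uri "/search"]
[Mon Mar 04 10:22:01 2024] [security2:error] [client 198.51.100.9:40000] ModSecurity: Warning. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [uri "/api/items"]
[Mon Mar 04 10:22:30 2024] [urlhardening:error] [client 198.51.100.9:40001] no signature found, rejecting request [uri "/Admin/Login"]
[Mon Mar 04 10:23:15 2024] [formhardening:error] [client 198.51.100.9:40002] form validation failed for POST /contact
"""

ID_RE = re.compile(r'\[id "(\d+)"\]')
MSG_RE = re.compile(r'\[msg "([^"]*)"\]')
URI_RE = re.compile(r'\[uri "([^"]*)"\]')


def triage(lines: List[str]) -> Dict[str, list]:
    """Sort WAF log lines into the buckets the troubleshooting notes describe."""
    result = {
        "skip_candidates": [],   # threat filter rule IDs that may go on the skip list
        "infrastructure": [],    # score/anomaly rules: do NOT skip these
        "url_hardening": [],     # URIs that need to be added as entry URLs
        "form_hardening": [],    # lines pointing at forms to exclude from form hardening
    }
    for line in lines:
        if "security2:error" in line:
            m_id, m_msg = ID_RE.search(line), MSG_RE.search(line)
            if not m_id:
                continue
            rule_id = m_id.group(1)
            msg = m_msg.group(1) if m_msg else ""
            # A reason about exceeding a score marks an infrastructure rule, not a
            # signature; skipping it would switch off anomaly scoring entirely.
            bucket = "infrastructure" if "score" in msg.lower() else "skip_candidates"
            if rule_id not in result[bucket]:
                result[bucket].append(rule_id)
        elif "no signature found" in line:
            m_uri = URI_RE.search(line)
            result["url_hardening"].append(m_uri.group(1) if m_uri else line.strip())
        elif "form validation" in line:
            result["form_hardening"].append(line.strip())
    return result


def entry_url_is_covered(requested: str, entry_urls: List[str]) -> bool:
    """Entry URLs are case sensitive: '/Admin/Login' is not covered by '/admin/login'."""
    return requested in entry_urls


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
    print(entry_url_is_covered("/Admin/Login", ["/admin/login"]))  # False
```

Run against a real log after reproducing the failing request, then add only the `skip_candidates` IDs to the skip filter rule list and the reported URIs (with their exact case) to the entry URLs.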

Configuring Web Server Authentication on Sophos Firewall

What methods of authentication does web server authentication support?


Form-based authentication.
Basic authentication

TRUE or FALSE: You can append and prepend a string to the username when passing through
credentials.
TRUE
Here are the main things you learned in this chapter.
In the authentication policy you choose between presenting a basic authentication prompt or form-
based login, and if form-based, the template to use. You also select the users and groups that are
allowed to login and whether to pass the credentials through to the web server.
You can optionally add a prefix or suffix to the username when it is passed through. This can be
used to reformat usernames into UPN (user principal name) format or Windows domain format as
required by the web application.
Select the authentication policy in the firewall rule, either to the whole web server, or to a single
path using path-specific routing.

11 - HIGH AVAILABILITY

Overview of Sophos Firewall High Availability

Which of the following are prerequisites for creating a HA cluster?


Hardware devices must be the same model.
Devices must have the same number of ports.

Which of the following statements are true about the active-passive HA on Sophos Firewall?
All traffic is sent to the primary device.
The primary device processes all traffic.
The primary device owns the virtual MAC address.
The Primary device will respond to ARP requests.

Here are the main things you learned in this chapter.


High availability (HA) allows you to configure two Sophos Firewall devices as a cluster, either
active-passive for redundancy or active-active for redundancy and increased processing capacity.

The HA cluster uses a virtual MAC address, which is always owned by the current primary device. All
traffic is always sent to the primary device because it responds to ARPs with the virtual MAC address.
In active-active mode, the primary device forwards the packet to the auxiliary device using the physical
MAC address. The primary device forwards the response to the auxiliary device using the physical MAC
address.

Configuring High Availability of Sophos Firewall


Which of the following are prerequisites for creating a HA cluster?
Devices must have the same number of ports.
Hardware devices must be the same model.

Which of the following statements are TRUE about the port that is used for the dedicated HA
link?
The port must be in a DMZ zone.
Must be the same port on both devices.
Devices must have the same number of ports.

Here are the main things you learned in this chapter.


High availability requires that all hardware devices must be the same model, all devices must have
the same number of ports, and the SFOS version must be the same. In active-active mode, both
devices require a license.
High availability is not supported on wireless models. Dynamic IP address allocation is not
supported on any interface in active-active mode.
The port must be in a zone of the type ‘DMZ’ and have the SSH admin service enabled. The same
port must be used on both devices and the IP addresses on the two devices need to be in the same
subnet.

Managing High Availability on Sophos Firewall


In which of the following device state can you disable HA?
Primary
Standalone

Here are the main things you learned in this chapter.


The ‘system ha’ command can be used on the console to view the status of the cluster, access the
logs, enable or disable load-balancing, or disable high availability.
When you disable HA, the auxiliary device does a soft reboot, and the admin port IP address is set
to the value in the HA configuration. The dedicated HA port configuration is retained, as well as
configuration that has been synchronized.
You can disable HA from either the primary device or a standalone device. You cannot disable it
from the auxiliary device when the primary is still active.

Troubleshooting Sophos Firewall High Availability

Which log file contains the results of checks carried out when enabling high availability?

applog.log
Where would you perform an Ethernet card test?
SF Loader
Here are the main things you learned in this chapter.
To enable HA on Sophos Firewall, both devices must be the same model with the same firmware
version, the MTU/MSS, link speed and duplex settings should be default, the WAN links must have
static IP addresses, and the HA port must be in a DMZ zone with SSH enabled.
Creating the HA cluster starts with the CSC service performing a sanity check. This is logged in
/log/applog.log.
Faulty ports and cables can result in either both devices becoming primary, or the primary device
failing over to the auxiliary device.

12 - PUBLIC CLOUD

Overview of Sophos Firewall on Public Cloud

In an IaaS environment, who is responsible for identity and access management?
Customer
Which AWS virtual machine size is recommended?
m5.large

Here are the main things you learned in this chapter.


Responsibility for platform, application, and data security is divided between the cloud provider and
the customer, and where that division will be depends on the type of service being provided, IaaS,
PaaS, or SaaS. This is called the shared security model.
When you deploy Sophos Firewall you choose which size of virtual machine to use. We recommend
m5.large for AWS and an Fv2-series VM for Azure. You can choose to deploy as either pay-as-you-go
or bring your own license.
With pay-as-you-go you only pay for what you use, when you use it. There is no upfront
commitment and no minimum fee. This is based on the virtual machine size you select to deploy
Sophos Firewall on. When you bring your own license, you bring a standard Sophos Firewall
software license that you purchased.

Basic Sophos Firewall Deployment on Azure

What is required to configure the User Defined Route table in Azure?


The private IP address of the Sophos Firewall’s LAN adaptor.

Sophos Firewall Deployment Scenarios on Azure


Which 2 of the following statements are TRUE when configuring a hybrid deployment with
Sophos Firewall and Azure VPN gateway?
Azure VPN gateways can either be route-based or policy-based.
Only the route-based Azure VPN Gateway supports IKEv2.

Here are the main things you learned from this chapter.
You can connect your on-premises firewall to Azure using a site-to-site VPN, either to an Azure
hosted Sophos Firewall, or directly to an Azure VPN gateway.
Azure VPN gateways can be either policy-based or route-based. To use IKEv2 you must use a route-
based VPN. The firewall WAN interface must have an MTU of 1400 and an MSS of 1350 to prevent
fragmentation on Azure.
The connection configuration file downloaded from Azure contains all the information for
configuring the site-to-site VPN and routing on Sophos Firewall.

Sophos Firewall Deployment on AWS


How many Security Groups are attached to the public interface of Sophos Firewall in AWS?
Enter the Answer in digits.
2

Here are the main things you learned in this chapter.


The CloudFormation template for deploying Sophos Firewall on AWS creates two subnets; a private
subnet for connecting to internal networks where all Internet traffic is routed to the internal
interface of the firewall, and a public subnet that is Internet facing that routes Internet traffic to the
AWS managed gateway.
The CloudFormation template creates three security groups: SecurityGroupLAN,
SecurityGroupTrusted, and SecurityGroupPublic. SecurityGroupLAN is attached to the private
interface of Sophos Firewall to manage network access from the internal networks.
SecurityGroupTrusted and SecurityGroupPublic are attached to the public external interface of
Sophos Firewall. SecurityGroupTrusted manages access to TCP ports 22 (SSH) and 4444 (WebAdmin)
for remote management. SecurityGroupPublic is for all other ports.
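A check for the split of responsibilities just described, as an added Python example that is neither Sophos nor AWS code. It runs offline on constructed security group data shaped like the EC2 DescribeSecurityGroups response (IpPermissions with FromPort, ToPort and IpRanges); the CIDRs are assumptions, and the decision to exempt SecurityGroupLAN because it sits on the private interface is a choice made for this example. It flags any rule that lets the management ports 22 or 4444 in from 0.0.0.0/0, or from any group other than SecurityGroupTrusted.

```python
from typing import Dict, List, Tuple

ADMIN_PORTS = {22, 4444}          # SSH and WebAdmin
TRUSTED_GROUP = "SecurityGroupTrusted"

# Constructed data in the shape of the EC2 API (not a real account export).
SAMPLE_GROUPS: Dict[str, List[dict]] = {
    "SecurityGroupTrusted": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    ],
    "SecurityGroupPublic": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        # Misconfiguration planted for the example: WebAdmin exposed to the world.
        {"IpProtocol": "tcp", "FromPort": 4444, "ToPort": 4444,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "SecurityGroupLAN": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}


def rule_opens_port(perm: dict, port: int) -> bool:
    """True if an IpPermission entry covers the given TCP port ('-1' means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def admin_port_exposures(groups: Dict[str, List[dict]],
                         trusted_group: str = TRUSTED_GROUP) -> List[Tuple[str, int, str]]:
    """Findings (group, port, cidr) where an admin port is reachable from anywhere, or
    from a group other than the trusted one. SecurityGroupLAN is skipped because it is
    on the private interface, where admin access from internal networks is expected
    (an assumption made for this example)."""
    findings = []
    for name, perms in groups.items():
        if name == "SecurityGroupLAN":
            continue
        for perm in perms:
            for port in sorted(ADMIN_PORTS):
                if not rule_opens_port(perm, port):
                    continue
                for rng in perm.get("IpRanges", []):
                    cidr = rng["CidrIp"]
                    if cidr == "0.0.0.0/0" or name != trusted_group:
                        findings.append((name, port, cidr))
    return findings


if __name__ == "__main__":
    for finding in admin_port_exposures(SAMPLE_GROUPS):
        print("admin port exposed:", finding)
```

To use this against a live account, feed it the `GroupName` and `IpPermissions` fields from the EC2 DescribeSecurityGroups call instead of the constructed sample; the logic does not change.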

Sophos Firewall Deployment Scenarios on AWS

How many tunnels do AWS VPN gateways have?


2
Where do you select whether you will be using static or dynamic routing?
AWS Customer Gateway

Here are the main things you learned in this chapter.

In a hybrid deployment you can connect to AWS using site-to-site VPNs, either to another Sophos
Firewall or to an AWS VPN gateway, or over AWS Direct Connect. AWS VPN gateways always create
two connections for redundancy.
If you are connecting to a Sophos Firewall in AWS, you do not need an interface for each subnet in
AWS. AWS can manage the routing if you create and apply the route table to the relevant AWS
private subnets.
When configuring the xfrm interfaces, in the ‘Advanced settings’ set the MTU to 1436 and the MSS
to 1379.

Connecting to Amazon VPN on Sophos Firewall

Where do you select the IKE version you will use?


When downloading the configuration file

Here are the main things you learned in this chapter.

You can import AWS VPN connections on Sophos Firewall, either by downloading a configuration
file from AWS, or entering AWS IAM credentials so that Sophos Firewall can connect to download
the configuration.
When you download the configuration file you select the vendor, platform, version, and IKE version.
The configuration file will create two connections for redundancy and configures BGP; however, you
still need to add local networks to the BGP configuration.
If your Sophos Firewall is behind a NAT, you will need to edit the configuration file so that the
customer gateway outside IP address matches your WAN IP, otherwise the configuration will fail to
import.

13 – COURSE REVIEW

Enter the URL address for the Sophos support website.
www.sophos.com/support

What does the SophosLabs page provide information on?
Real-time data and threat reports

Here are the main things you learned in this chapter:
Help can be found by navigating to sophos.com/support.
Contact Sophos support via the support portal, live chat and Twitter.
Stay up to date with Sophos news and alerts by joining the Sophos Community, signing up for news
alerts using SMS or RSS.
