
Enabling Advanced Threat Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Central
FW2525: Enabling Advanced Threat Protection on Sophos Firewall

April 2021
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Enabling Advanced Threat Protection on Sophos Firewall - 1


Enabling Advanced Threat Protection on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE

✓ The role of Advanced Threat Protection (ATP) in the attack kill chain, blocking outgoing traffic to command and control servers

DURATION

5 minutes

In this chapter you will learn how to enable advanced threat protection and review details of
detections.



Advanced Threat Protection (ATP) Overview

Detect compromised devices on your network

Block access to command-and-control servers

Uses data from all enabled services on Sophos Firewall

If you have a compromised device on your network, Advanced Threat Protection, or ATP, on the
Sophos Firewall can help to detect it when it tries to contact the Internet.

ATP is a global configuration that monitors traffic and data from all enabled services on the Sophos
Firewall, including DNS and web requests, to detect and block access to command-and-control
servers.



Configuring Advanced Threat Protection

Log and drop

Log only

Exclusions

ATP is configured through a simple policy in PROTECT > Advanced protection.

ATP is enabled using the toggle slider at the top of the page.

The policy itself is a choice between either only logging detections, or logging and dropping the
traffic.

ATP is applied globally, so if you need to exclude specific devices or networks this can be done
here. You can also choose to exclude specific threats; however, we recommend only doing this
under the guidance of Sophos support.



Configuring Advanced Threat Protection

At the bottom of the page is the ‘Advanced security settings’ section. Here you choose whether
ATP inspects only untrusted content, which is the default option, or all content.

Inspect untrusted content inspects only traffic coming from untrusted sources or going to untrusted
destinations. This option gives the best performance.

Inspect all content inspects all traffic to and from both trusted and untrusted sources and
destinations.

The performance difference between these two options is usually minimal, but in high-traffic
environments it may become significant.
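As an added illustration, and not Sophos code or documented firewall behaviour, the following Python model encodes the policy choices from the two configuration sections above: the enable toggle, log-only versus log-and-drop, device/network and threat exclusions, and the untrusted-only versus all-content inspection scope. The threat feed, the treatment of configured LAN ranges as "trusted", and the order in which the checks are applied are assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample threat feed: destination -> threat name. A stand-in for the
# command-and-control intelligence the firewall consults; values are made up.
C2_FEED = {"203.0.113.7": "Example/Botnet-C2", "198.51.100.9": "Example/Downloader"}

@dataclass
class AtpPolicy:
    enabled: bool = True
    action: str = "log_and_drop"          # or "log_only"
    inspect_all: bool = False             # False = "inspect untrusted content" (default)
    trusted_nets: list = field(default_factory=list)    # assumption: LAN ranges are "trusted"
    excluded_nets: list = field(default_factory=list)   # devices/networks excluded from ATP
    excluded_threats: set = field(default_factory=set)  # threat names excluded from ATP

def in_any(ip: str, nets: list) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)

def evaluate(policy: AtpPolicy, src_ip: str, dst_ip: str, feed: dict = C2_FEED) -> dict:
    """Model the ATP decision for one outbound connection.

    Returns {'action': 'allow' | 'log' | 'drop', 'threat': name or None}.
    Precedence modelled here (an assumption, not documented behaviour):
    disabled -> network exclusions -> inspection scope -> feed lookup
    -> threat exclusions -> policy action.
    """
    if not policy.enabled:
        return {"action": "allow", "threat": None}
    if in_any(src_ip, policy.excluded_nets):
        return {"action": "allow", "threat": None}
    if not policy.inspect_all and in_any(src_ip, policy.trusted_nets) \
            and in_any(dst_ip, policy.trusted_nets):
        return {"action": "allow", "threat": None}  # trusted-to-trusted is not inspected
    threat = feed.get(dst_ip)
    if threat is None:
        return {"action": "allow", "threat": None}
    if threat in policy.excluded_threats:
        return {"action": "allow", "threat": threat}  # known, but excluded by policy
    action = "drop" if policy.action == "log_and_drop" else "log"
    return {"action": action, "threat": threat}

if __name__ == "__main__":
    pol = AtpPolicy(trusted_nets=["10.0.0.0/8"], excluded_nets=["10.0.5.0/24"])
    print(evaluate(pol, "10.0.1.20", "203.0.113.7"))   # drop
    print(evaluate(pol, "10.0.5.20", "203.0.113.7"))   # allow (excluded network)
    print(evaluate(AtpPolicy(action="log_only"), "10.0.1.20", "198.51.100.9"))  # log
```

Note that in the log-only mode a connection to a listed destination is still recorded, so it still surfaces in the ATP widget and report described later in this chapter.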



Advanced Threat Protection Alerts

There is a widget for ATP alerts on the Sophos Firewall Control center, which you can click to get
additional information.



Advanced Threat Protection Alerts

After clicking the widget, you will see this page that shows the detections, including the IP address,
hostname, and threat. You can further click through from this screen to the ATP report.



Advanced Threat Protection Report

Control Center

You can access the ATP report in Reports > Network & threats. Here you can see where requests
came from and where they were going to, which users made the requests, and what action was
taken: log, or log and drop.



Simulation: Enabling Advanced Threat Protection


https://training.sophos.com/fw/simulation/Atp/1/start.html

In this simulation you will enable advanced threat protection, trigger a detection, and review
the resulting information.



Chapter Review

Here are the three main things you learned in this chapter.

Advanced threat protection, or ATP, uses data from all enabled services on Sophos Firewall to
detect compromised computers on the network connecting to command-and-control servers.

ATP can be configured to either log, or log and drop traffic to command-and-control servers.

ATP can be configured to either inspect only content coming from untrusted sources or going to
untrusted destinations, or to inspect all content.
