Sophos Firewall
Version: 19.0v1
FW2525: Enabling Advanced Threat Protection on Sophos Firewall
April 2021
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
In this chapter you will learn how to enable advanced threat protection and review details of
detections.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The role of Advanced Threat Protection (ATP) in the attack kill chain, blocking outgoing traffic to
command and control servers
DURATION
5 minutes
If you have a compromised device on your network, Advanced Threat Protection, or ATP, on the
Sophos Firewall can help detect it when it tries to contact the Internet.
ATP is a global configuration that monitors traffic and data from all enabled services on the Sophos
Firewall, including DNS and web requests, to detect and block access to command-and-control
servers.
Exclusions
ATP is enabled using the toggle slider at the top of the page.
The policy itself is a choice between either only logging detections, or logging and dropping the
traffic.
ATP is applied globally, so if you need to exclude specific devices or networks this can be done
here. You can also choose to exclude specific threats; however, we recommend only doing this
under the guidance of Sophos support.
At the bottom of the page is the ‘Advanced security settings’ section. Here you choose whether
ATP inspects untrusted content (the default option) or all content.
‘Inspect untrusted content’ inspects only traffic coming from untrusted sources or traffic going to
untrusted destinations. This option gives the best performance.
‘Inspect all content’ inspects all content to and from both trusted and untrusted sources and
destinations.
While the performance difference between these two options is minimal, in high-traffic
environments it may become significant.
There is a widget for ATP alerts on the Sophos Firewall Control Center, which you can click to get
additional information.
After clicking the widget, you will see this page that shows the detections, including the IP address,
hostname, and threat. You can further click through from this screen to the ATP report.
Control Center
You can access the ATP report in Reports > Network & threats. Here you can see where requests
came from and where they were going to, which users made the requests, and what action was
taken (log, or log and drop).
https://training.sophos.com/fw/simulation/Atp/1/start.html
In this simulation you will enable advanced threat protection, trigger a detection, and review
the resulting information.
Here are the three main things you learned in this chapter.
Advanced threat protection, or ATP, uses data from all enabled services on Sophos Firewall to
detect compromised computers on the network connecting to command-and-control servers.
ATP can be configured to either log, or log and drop traffic to command-and-control servers.
ATP can be configured to either inspect only content coming from untrusted sources or going to
untrusted destinations, or to inspect all content.