
Getting Started with Application Control on Sophos Firewall

Sophos Firewall
FW4505: Getting Started with Application Control on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with Application Control on Sophos Firewall - 1


Getting Started with Application Control on Sophos Firewall

In this chapter you will learn how to configure application control filters and apply them to firewall rules.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The multiple layers of protection provided by Sophos Firewall to detect and block attacks
✓ Configuring firewall rules

DURATION
15 minutes



Application Control Overview

[Diagram: Computer, Sophos Firewall, and application types (Cloud Storage, Peer-to-Peer, Video Streaming, Social Media). Callouts: Protect against risky applications; Block or limit unproductive applications; Guarantee bandwidth for business applications.]

Many applications and tools used for day-to-day business are provided through cloud-based
services, so ensuring good Internet connectivity to employees is vital.

Alongside these business applications are every other type of application and service that can be
imagined, many of which are unproductive or can expose users and the company network to risks.

Sophos Firewall can protect against risky applications and either block or limit access to
unproductive applications, and at the same time guarantee that business applications have the
bandwidth they need.



Application List

Applications can be found in: PROTECT > Applications > Application list

Sophos Firewall comes with definitions for thousands of known applications, which you can filter
and view the details of in PROTECT > Applications > Application list.



Live Connections

Current connections can be monitored in: MONITOR & MANAGE > Current activities > Live connections

The Live connections page lists all of the current applications making connections through the
Sophos Firewall. You can use the link in the ‘Total’ column to get more detailed information about
all of the connections for that application.

The live connections can be shown by application, username or source IP address, and the page
can be optionally set up to automatically refresh to give a real-time view.



Application Filters

Applications can be found in: PROTECT > Applications > Application filter

Application filters are sets of rules that can allow or deny access to applications. Unlike web
policies, application filter rules are not applied to users and groups, so the application filter will
apply to all users for the firewall rule it is used in.



Creating Application Filters


Application filters are created in two stages.

First you create the application filter. Here you can optionally select an existing application filter as
a template.

You save the application filter and if you selected a template the rules will be copied over to the
new filter.


You can now open the application filter and start adding rules or edit rules if you selected a
template.

Please note that the rules are processed in order, and you can rearrange them by dragging and
dropping.



Application Filter Rules

For each application filter rule, you select which applications it will apply to, set whether the action
for those applications is allow or deny, and optionally select a schedule for when the rule will be
active.

Selecting the applications in the rule is done by filtering the applications using the criteria provided
or using a free-text smart filter. When new applications are added that match the filters they will
automatically be included in the rule.

You can optionally select individual applications rather than all applications included in the
filtered results. In this case, newly added applications will not automatically be added to the
rule.


Below the selected applications, you can choose whether this rule is to allow or deny them. You
can also select when this rule is active based on a schedule.
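
The rule semantics described above, modelled as an added Python example (not Sophos code or a Sophos API): rules are checked top-down, a criteria-based rule picks up newly added applications, and an individually selected rule does not. First-match evaluation, the "allow" fallback when no rule matches, and all application names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:                      # constructed stand-in for an application definition
    name: str
    category: str

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    criteria: tuple = ()        # e.g. (("category", "P2P"),): re-evaluated on every lookup
    individual: frozenset = frozenset()   # names selected one by one: membership is fixed

    def matches(self, app: App) -> bool:
        if self.individual:
            return app.name in self.individual
        return all(getattr(app, k) == v for k, v in self.criteria)

def evaluate(rules, app, default="allow"):
    """Return the action of the first matching rule (assumed first-match semantics)."""
    for rule in rules:
        if rule.matches(app):
            return rule.action
    return default              # assumption: the page does not state the fallback

def select_individually(catalog, **criteria):
    """Snapshot the apps that match today, as if each were selected by hand."""
    return frozenset(a.name for a in catalog
                     if all(getattr(a, k) == v for k, v in criteria.items()))

# Constructed catalog; names are not taken from the Sophos application list.
CATALOG = [App("TorrentA", "P2P"), App("TorrentB", "P2P"), App("DocsSuite", "General Business")]
NEW_APP = App("TorrentC", "P2P")      # definition added after the rules were written

by_criteria = [Rule("deny", criteria=(("category", "P2P"),))]
by_snapshot = [Rule("deny", individual=select_individually(CATALOG, category="P2P"))]
# Order matters: the specific allow must sit above the broad deny to take effect.
allow_first = [Rule("allow", individual=frozenset({"TorrentA"})), *by_criteria]
deny_first = list(reversed(allow_first))

def demo():
    return {
        "criteria_new_app": evaluate(by_criteria, NEW_APP),
        "snapshot_new_app": evaluate(by_snapshot, NEW_APP),
        "allow_above_deny": evaluate(allow_first, CATALOG[0]),
        "deny_above_allow": evaluate(deny_first, CATALOG[0]),
    }

if __name__ == "__main__":
    print(demo())
```

In this model the individually selected deny rule lets the new P2P application through, while the criteria-based rule denies it.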



Apply an Application Filter

Once you have configured your application filter, it needs to be selected in a firewall rule in the
‘Other security features’ section.



Simulation: Create an Application Filter

In this simulation you will create a custom application filter, apply it to a firewall rule, then test the
results.

https://training.sophos.com/fw/simulation/AppFilter/1/start.html


Synchronized App Control

[Diagram: a Sophos Central managed endpoint running "Custom Business Application", Sophos Firewall, and the Internet. Firewall: "I don’t recognize this traffic, what application is it from?" Endpoint: "This is Custom Business Application, and it is allowed."]

Synchronized app control can identify, classify and control previously unknown applications active
on the network. It uses the Security Heartbeat to obtain information from the endpoint about
applications that don’t have signatures or are using generic HTTP or HTTPS connections. This
solves a significant problem that affects signature-based app control on all firewalls today, where
many applications are classified as “unknown”, “unclassified”, “generic HTTP” or “SSL”.

Synchronized app control is not supported in active-active high availability deployments.



Managing Synchronized App Control

Synchronized app control is enabled when you register the Sophos Firewall with Sophos Central.

In the Control center there is a synchronized application control widget that provides an
at-a-glance indication of new applications that have been identified.



Categorizing Identified Applications
Identified applications are managed in:
PROTECT > Applications > Synchronized Application Control

Where possible, Sophos Firewall will automatically classify identified applications and they will be
controlled based on the current application filters you have in place.

Through the menu for the application you can customize the classification.


Here you can see that OneDrive has been assigned to the application category ‘Storage and
Backup’. If you were blocking this category but wanted to allow OneDrive, you could choose to
move it to another category such as ‘General Business’.



Synchronized Application Control

Retention options: 1 month, 3 months, 6 months, 9 months, 12 months

You can configure clean up of the synchronized application control database to remove obsolete
applications that are no longer in use; this is done in PROTECT > Central synchronization.

You can choose how long to retain applications in the database from 1 month to 12 months.
Sophos Firewall will then run a daily check for applications older than the threshold and remove
them in batches of 100 every 5 minutes. Applications are also deleted from application filter
policies if they were added individually.

The retention period is counted from when an application was last detected by synchronized
application control. If the application is frequently used, the last detection date keeps being
updated and the application will not be purged. This feature is designed to purge only applications
that are no longer in use, and therefore no longer being detected by synchronized application control.
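
The clean-up behaviour described above, as an added Python model (not Sophos code): for a given retention setting it counts the applications that would be purged, the number of 100-application batches, and which individually added filter entries would be removed with them. The 30-day month, the batch timing, the inventory and the filter name are constructed assumptions.

```python
import math
from datetime import date, timedelta

RETENTION_OPTIONS = (1, 3, 6, 9, 12)   # months, as offered on the page
BATCH_SIZE = 100                       # page: removed in batches of 100
BATCH_INTERVAL_MIN = 5                 # page: one batch every 5 minutes

def purge_plan(last_detected, individual_entries, today, retention_months):
    """last_detected: {app: date last seen by synchronized app control}.
    individual_entries: {filter name: set of apps added to it individually}."""
    if retention_months not in RETENTION_OPTIONS:
        raise ValueError(f"retention must be one of {RETENTION_OPTIONS} months")
    cutoff = today - timedelta(days=30 * retention_months)  # assumption: 30-day months
    expired = {app for app, seen in last_detected.items() if seen < cutoff}
    batches = math.ceil(len(expired) / BATCH_SIZE)
    removed = {name: sorted(apps & expired)
               for name, apps in individual_entries.items() if apps & expired}
    return {
        "expired": len(expired),
        "batches": batches,
        # assumption: the first batch runs at once, the rest at 5-minute intervals
        "minutes_until_last_batch": max(batches - 1, 0) * BATCH_INTERVAL_MIN,
        "filter_entries_removed": removed,
    }

# Constructed inventory: 250 stale apps, one idle remote tool, one app in daily use.
TODAY = date(2022, 4, 30)
INVENTORY = {f"legacy-{i:03d}": TODAY - timedelta(days=400) for i in range(250)}
INVENTORY["old-remote-tool"] = TODAY - timedelta(days=200)
INVENTORY["crm-agent"] = TODAY - timedelta(days=1)
FILTERS = {"Block remote access": {"old-remote-tool", "crm-agent"}}  # hypothetical filter

if __name__ == "__main__":
    for months in (6, 12):
        print(months, purge_plan(INVENTORY, FILTERS, TODAY, months))
```

Running a report like this before shortening the retention period shows which individually selected entries in a filter are about to be removed along with the purged applications.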



Simulation: Use Synchronized App Control to Block an Application

In this simulation you will reclassify an application detected by synchronized application
control, then test that it is blocked.

https://training.sophos.com/fw/simulation/SyncAppControl/1/start.html


Application Routing

Routing > SD-WAN Routing > Add

Applications can be added as a traffic selector for SD-WAN policy routes.

To use this functionality you need to create an application object. An application object is a list of
applications selected using the same filtering criteria and options as for application filter rules.

In the example here, we have selected remote access applications that have been detected by
synchronized application control.



Cloud Applications

[Diagram: OneDrive is sanctioned; Dropbox is unsanctioned. Steps: Identify cloud applications being used; Classify cloud applications; Apply traffic shaping rules; Block using application control.]

Sophos Firewall has a lite cloud access security broker, or CASB, implementation, which helps to
identify risky behavior by providing insights into what cloud services are being used. You can then
take appropriate action by educating users or implementing application control or traffic shaping
policies to control or eliminate potential risky or unwanted behavior.

For example, if your company has a corporate Microsoft 365 and uses OneDrive for file storage,
and one user is consistently uploading data to Dropbox, that could be a red flag that needs further
investigation or policy enforcement. This practice of using unsanctioned cloud services is called
“Shadow IT”, a term you’ll often hear in association with CASB.



Cloud Applications in the Control Center

In Control center there is a widget that provides a visual summary of cloud application usage by
classification. This can be New, Sanctioned, Unsanctioned, or Tolerated.

The statistics show the number of cloud applications, and the amount of data in and out.

Clicking on the widget takes you to PROTECT > Applications > Cloud applications, where you can
get more detailed information.



Cloud Applications

Cloud applications can be found in: PROTECT > Applications > Cloud applications

Here you can see all the cloud applications that have been detected, filter them by
classification and category, and sort them by either volume of data or number of users.

You can expand each application to see which users have been using it, and how much data they
have transferred.



Classifying and Traffic Shaping

For each detected application you can select a classification and a traffic shaping policy.

By selecting a classification for the applications, you can then use this to customize reports to
show, for example, use of unsanctioned applications on your network.

Traffic shaping policies can be applied to either limit or guarantee bandwidth for applications.



Simulation: Categorize Cloud Applications on Sophos Firewall

In this simulation you will review the cloud applications detected by Sophos Firewall and classify
them.

https://training.sophos.com/fw/simulation/CloudApplications/1/start.html


Chapter Review

Here are the three main things you learned in this chapter.

Application filters are an ordered list of rules that allow or deny applications based on filter criteria.
Application filters need to be applied in a firewall rule.

Synchronized application control can detect unknown applications using Security Heartbeat.
Discovered applications are automatically classified and allowed or blocked based on your
application filters. You can also reclassify applications.

Sophos Firewall can detect cloud applications; these can be classified to report on use of
unsanctioned applications on the network.
