
EL80: Sophos XG Firewall

ENGINEER LAB WORKBOOK


Version 17.5v1  March 2019
Sophos Certified Engineer

Contents
Introduction ... 5
  Prerequisites ... 5
  Workbook conventions ... 5
  Lab environment ... 6
  Environment overview ... 6
  User accounts ... 7
  Network diagram ... 9
Lab 1: Preparation ... 10
  Objectives ... 10
  Task 1.1 Register for a Sophos Central Evaluation ... 10
  Review ... 11
Lab 2: Getting Started with XG Firewall ... 12
  Objectives ... 12
  Task 2.1 Use the Initial Setup Wizard to configure a Sophos XG Firewall ... 12
  Task 2.2 Configure a Sophos XG Firewall using a Configuration Backup File ... 15
  Task 2.3 Navigating the WebAdmin ... 17
  Task 2.4 Configure Zones and Interfaces ... 18
  Task 2.5 Configure Static Routes ... 20
  Task 2.6 Create Definitions ... 20
  Task 2.7 Configure DNS Request Routes ... 22
  Task 2.8 Import CA Certificates ... 23
  Task 2.9 Create a Manual Configuration Backup ... 24
  Task 2.10 Import a Configuration for the Next Lab ... 25
  Review ... 25
Lab 3: Network Protection ... 26
  Objectives ... 26
  Task 3.1 Configure Logging ... 26
  Task 3.2 Create Network Firewall Rules ... 27
  Task 3.3 Install the SSL CA Certificates ... 30
  Task 3.4 Install Sophos Central ... 32
  Task 3.5 Publish Servers Using Business Application Rules ... 34
  Task 3.6 Configure IPS Policies ... 37
  Task 3.7 Enable Advanced Threat Protection ... 38
  Task 3.8 Enable DoS (Denial of Service) and Spoof Protection ... 39
  Task 3.9 Configure Security Heartbeat ... 42
  Review ... 46

Page 2 of 102
Sophos Certified Engineer

Lab 4: Site-to-Site Connections ... 47
  Objectives ... 47
  Task 4.1 Create an SSL Site-to-Site VPN ... 47
  Task 4.2 Create an IPsec Site-to-Site VPN ... 50
  Review ... 52
Lab 5: Authentication ... 53
  Objectives ... 53
  Task 5.1 Configure an Active Directory Authentication Server ... 53
  Task 5.2 Configure Single Sign-On Using STAS ... 55
  Task 5.3 User-Based Policies ... 57
  Task 5.4 One-Time Passwords ... 59
  Review ... 60
Lab 6: Web Protection and Application Control ... 62
  Objectives ... 62
  Task 6.1 Create Custom Web Categories and User Activities ... 62
  Task 6.2 Create a Content Filter ... 63
  Task 6.3 Create a Custom Web Policy ... 64
  Task 6.4 Delegate Web Policy Overrides ... 67
  Task 6.5 Create a Surfing Quota for Guest Users ... 69
  Task 6.6 Create an Application Filter Policy ... 71
  Task 6.7 Categorize Applications using Synchronized Application Control ... 72
  Task 6.8 Detect and Categorize Cloud Applications ... 74
  Review ... 75
Lab 7: Email Protection ... 76
  Objectives ... 76
  Task 7.1 Enable and Configure Quarantine Digests ... 76
  Task 7.2 Configure SMTP Routing and Protection ... 77
  Task 7.3 Configure Data Control and SPX Encryption ... 79
  Task 7.4 User Quarantine Management ... 82
  Review ... 82
Lab 8: Wireless Protection ... 84
  Objectives ... 84
  Task 8.1 Create a Hotspot ... 84
  Review ... 85
Lab 9: Remote Access ... 86
  Objectives ... 86
  Task 9.1 Configure an SSL Remote Access VPN ... 86
  Task 9.2 Configure an IPsec Remote Access VPN with Sophos Connect ... 88
  Review ... 91
Lab 10: Logging, Reporting and Troubleshooting ... 92
  Objectives ... 92
  Task 10.1 Run, Customize and Schedule Reports ... 92
  Task 10.2 View Sandstorm Activity ... 93
  Task 10.3 Use SF Loader Tools ... 94
  Task 10.4 Connection Table ... 95
  Task 10.5 Packet Capture ... 96
  Task 10.6 Dropped Packet Capture ... 97
  Review ... 98
Lab 11: Management ... 99
  Objectives ... 99
  Task 11.1 Manage an XG Firewall in Sophos Central ... 99
  Review ... 101

© 2019 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior
written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether
express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park,
Abingdon, Oxfordshire, OX14 3YP.


Introduction
These labs accompany the Sophos Certified Engineer Sophos XG Firewall course and form the practical part of the certification. They are estimated to take 9 hours to complete.

You should complete each section of labs when directed to do so in the training content. Throughout the labs, there are prompts for information to be written down; you may require this information later in the labs. You will need to complete the course assessment while your lab environment is still active, as there may be some questions based on the live environment.

If you need help or support at any point while completing the labs, please contact us at globaltraining@sophos.com and one of the team will be able to assist you.

Prerequisites
Prior to taking this training, we recommend that you have:
• Completed and passed the Sophos Central Overview Certified Engineer course

To be able to complete these labs in the time suggested you should have the following knowledge and experience:
• Experience in installing and replacing network gateways and firewalls in production environments
• Knowledge of general Windows networking

Workbook conventions
This workbook uses the following conventions throughout:
• At the start of each lab is the learning objective, along with any requirements that must have been completed prior to starting the lab.
• Labs which cover larger subjects are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task.
• Short labs are presented as a single task.
• Throughout the guide the following styles are used:

Bold text: Actions, i.e. on-screen elements that you interact with, e.g. menu items, buttons, tick boxes, tabs
Important points to note
On-screen elements that you do not interact with, e.g. page titles, field names
Courier New font: Commands to be executed
Underlined: Hyperlinks
<variables>: Variables will be shown between chevrons, e.g. <Red ID>


Lab environment
These labs are designed to be completed on the hosted CloudShare environment. If you are not using CloudShare (e.g. this course is being taught in a classroom and not completed online) some details such as hostnames and IP addresses may vary.

You can launch your lab environment on CloudShare by clicking the Launch Lab Environment link on the first module. The environment will open in a pop-up window. If the window does not open, please check that your browser is not blocking popups.

If you need to leave your environment and return to it, you can again use the Launch Lab Environment link to log back in to the same environment.

Important note: Once you launch your environment, it will be available for five days. Once your environment expires, it is automatically deleted. If you require assistance, please email globaltraining@sophos.com.

Environment overview
The environment used to complete these labs is comprised of multiple computers, connected via a simple network.

Computer: Description

SOPHOS.LOCAL
  This is the main network you will be using during the labs.
  Networks: 172.16.16.0/24, 172.17.17.0/24, 192.168.16.0/24

LON-GW1.SOPHOS.LOCAL
  This is a Sophos XG Firewall. It is the default gateway for the sophos.local network and has a separate interface for a DMZ network.
  IP addresses: 172.16.16.16, 172.17.17.16, 172.25.25.16, 172.30.30.16, 10.1.1.100, 10.100.100.65
  Throughout this workbook this will be referred to as London Gateway 1

LON-DC.SOPHOS.LOCAL
  This is a Windows Server 2016 domain controller for the sophos.local domain.
  It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority.
  IP address: 172.16.16.10
  Throughout this workbook this will be referred to as London DC

LON-SRV2.SOPHOS.LOCAL
  This is a Windows 10 computer.
  IP address: 172.17.17.21
  Throughout this workbook this will be referred to as London Server 1

LON-CLIENT2.SOPHOS.LOCAL
  This is a Debian Linux computer.
  IP address: 172.17.17.22
  Throughout this workbook this will be referred to as London Client 2

LON-INTRANET.SOPHOS.LOCAL
  This is a Debian Linux server running a simple website. The server is located on a separate subnet.
  IP address: 172.25.25.40
  Throughout this workbook this will be referred to as London Intranet

SOPHOS.DMZ
  This is the DMZ for the lab network.
  Network: 172.30.30.0/24

STORE.SOPHOS.DMZ
  This is a Debian Linux server running a simple website.
  IP address: 172.30.30.50
  Throughout this workbook this will be referred to as Store Website

NY-GW.SOPHOS.LOCAL
  This is a Sophos XG Firewall, and is the default gateway for the New York (192.168.16.0/24) network.
  IP addresses: 192.168.16.16, 172.25.25.17, 10.2.2.200
  Throughout this workbook this will be referred to as New York Gateway

NY-SRV.SOPHOS.LOCAL
  It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority.
  IP address: 192.168.16.30
  Throughout this workbook this will be referred to as New York Server

INTERNET.WWW
  This is a Debian Linux server which provides central DNS and routing for the simulated Internet, as well as running a webmail server, simple website and certificate authority.
  IP addresses: 10.1.1.250, 10.2.2.250
  Throughout this workbook this will be referred to as Internet

User accounts
The table below details the user accounts in the lab environment.

Username | Full name | Password | Scope and privileges
SOPHOS\administrator | Administrator | Sophos1985 | SOPHOS.LOCAL: Domain administrator
SOPHOS\jsmith | John Smith | Sophos1985 | SOPHOS.LOCAL: Domain user
SOPHOS\jdoe | Jane Doe | Sophos1985 | SOPHOS.LOCAL: Domain user
SOPHOS\sspade | Sam Spade | Sophos1985 | SOPHOS.LOCAL: Domain user
SOPHOS\lfox | Lucy Fox | Sophos1985 | SOPHOS.LOCAL: Domain user
SOPHOS\frogers | Fred Rogers | Sophos1985 | SOPHOS.LOCAL: Domain user
NY-SRV\NYAdmin | NY Admin | Sophos1985 | NY-SRV: Local administrator
root | Root | Sophos1985 | Store Website, London Intranet, Internet: Local administrator
sophos | Sophos | Sophos1985 | Store Website, London Intranet, New York Warehouse, Internet: Local user
jbrown | Jim Brown | Sophos1985 | Internet: Local user

Network diagram


Lab 1: Preparation
Objectives
Upon successful completion of this lab, you will be able to:
1. Register for a Sophos Central evaluation

Task 1.1 Register for a Sophos Central Evaluation
Register for a Sophos Central evaluation and activate the account in preparation for configuring Synchronized Security features including Security Heartbeat, Synchronized User Identity and Synchronized Application Control.

Instructions and notes

On Your Local Computer
1 Open a web browser and navigate to https://central.sophos.com
2 Click the Sign Up link
3 Follow the on-screen instructions to register for a trial
  Note: Important: Do not use your primary email address. We recommend using a temporary email account for creating this evaluation. Make sure you use an email address that you can access. You will need to use an email address that has not already been registered with Sophos Central.
4 Check your email
  Note: You will receive an email with an activation link. This may take several minutes to arrive.
5 Click Create Password in the email
  Note: This will open the activation page.
6 Enter and confirm a password of your choice
7 Select where to have the data stored
8 Read the statements and select both checkboxes
9 Click Activate Account
10 Sophos Central is now ready to use.
11 Use the menu in the top-right of the screen to Log Out

✓ You have registered for a Sophos Central evaluation and activated the account.


Review
You have now successfully:
1. Registered for a Sophos Central evaluation


Lab 2: Getting Started with XG Firewall


Objectives
Upon successful completion of this lab, you will be able to:
1. Use the Initial Setup Wizard to configure a Sophos XG Firewall
2. Configure a new Sophos XG Firewall by importing a configuration backup
3. Navigate the WebAdmin
4. Configure zones and interfaces
5. Configure static routes
6. Create definitions
7. Configure DNS request routes
8. Import CA certificates
9. Create a configuration backup
10. Restore a configuration backup to an XG Firewall

Task 2.1 Use the Initial Setup Wizard to configure a Sophos XG Firewall
You will use the Initial Setup Wizard to configure the Sophos XG Firewall that is London Gateway 1. Once you have completed the
configuration you will have Internet access from London DC with basic security and filtering policies applied.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://172.16.16.16:4444 This is the default IP address.
You will get a certificate warning, but it
is safe to proceed.
2 Click the Click to begin link to start the Initial Setup Wizard
3 Enter and confirm the password Sophos1985
4 Deselect Install the latest firmware automatically during setup So that the version of XG Firewall you
are using matches this lab workbook,
we will not update it during the initial
setup.
5 Select I agree to the license agreement at the bottom of the page
6 Click Continue
7 The XG Firewall will fail to connect to the Internet, click Manual configuration
to configure the WAN interface

Page 12 of 102
Sophos Certified Engineer

8 Configure the WAN interface with the following settings: Leave the other settings as default.

Setting Value

Choose a port to configure PortB

Interface type Static IP address

IP address 10.1.1.100

Subnet /24 (255.255.255.0)

Gateway name PrimaryGateway

Gateway IP address 10.1.1.250

DNS server 1 10.1.1.250

DNS server 2 127.0.0.1

9 Click Apply The XG Firewall will apply the new


settings to the WAN interface.
10 Click OK The XG Firewall will retest the Internet
connection. All tests should be
successful.
11 Click Continue
12 lon-gw1.sophos.www
13 Use the map to select the America/Chicago time zone Leave the time set as default.

14 Click Continue
15 Select
16 Click Continue
17 Click Sign In

Page 13 of 102
Sophos Certified Engineer

18 Enter the email address and password for your Sophos ID, then click Sign In Your Sophos ID is not the Sophos
Central evaluation you created in the
first lab.
If you do not have a Sophos ID, click
Create Sophos ID and follow the on-
screen instructions.
You can modify the keyboard layout in

the left in CloudShare.


19 Select and complete a reCAPTCHA task required
20 Click Continue Follow any additional on-screen
instructions.
21 Click Confirm Registration + Evaluation License
22 Click Initiate License Synchronization A serial number has been generated for
the XG Firewall and you have registered
it for an evaluation using your Sophos
ID. The XG Firewall now needs to
synchronize and download that
evaluation license.
23 Deselect Opt in to the customer experience improvement program As this is a training deployment, we will
not send the anonymous data to
Sophos.
24 Click Continue
25 Deselect Enable DHCP We are going to continue to use PortA to
connect to the XG Firewall with the
current IP address. For this lab we do
not require a DHCP server on this
network.
26 Click Continue
27 Select all four of the Network Protection options:
✓ Protect Users from network threats
✓ Protect Users from suspicious and malicious websites
✓ Scan files that were downloaded from the web for malware
✓ Send suspicious files to Sophos Sandstorm
28 Click Continue
29 administrator@sophos.local This configuration is used by the XG Firewall for sending backups and notifications.
You can optionally configure an external email server to use, but by default, it will use the built-in MTA.
30 Click Continue
31 Review your configuration settings then click Finish It will take a few minutes for the new
configuration to be applied to the XG
Firewall and for the device to reboot.
You can continue to Task 2.2.

 You have configured a Sophos XG Firewall using the Initial Setup Wizard. This configuration provides Internet access with
basic security and filtering policies applied.


Task 2.2 Configure a Sophos XG Firewall using a Configuration Backup File
In this task, you will configure a new device by restoring a configuration file. You may need to do this if your company outgrows its
existing device and buys a larger model. The configuration file you import will preconfigure New York Gateway for the remaining
labs.

On New York Server


1 Login as NY-SRV\NYAdmin The password is Sophos1985.
There is currently no site-to-site
connection between London and New
York, so you will login as NYAdmin who
is a local administrator.
2 Open Chrome and navigate to https://192.168.16.16:4444 The IP address of PortA has been
modified on this device using the
console menu.
You will get a certificate warning, but it
is safe to proceed.
3 Click the Click to begin link to start the Initial Setup Wizard
4 Click the Restore Backup link
5 Click Upload
6 Select the file C:\Config\NY-GW_Engineer_Lab2_Task2
7 Click Open
8 Click Apply
9 Enter and confirm the password Sophos1985
10 Deselect Install the latest firmware automatically during setup So that the version of XG Firewall you
are using matches this lab workbook,
we will not update it during the initial
setup.
11 Select I agree to the license agreement at the bottom of the page
12 Click Continue
13 The XG Firewall will fail to connect to the Internet. Click Manual configuration to configure the WAN interface


14 Configure the WAN interface with the following settings: Leave the other settings as default.

Setting Value

Choose a port to configure PortB

Interface type Static IP address

IP address 10.2.2.200

Subnet /24 (255.255.255.0)

Gateway name PrimaryGateway

Gateway IP address 10.2.2.250

DNS server 1 10.2.2.250

DNS server 2 127.0.0.1

15 Click Apply The XG Firewall will apply the new settings to the WAN interface.
16 Click OK The XG Firewall will retest the Internet
connection. All tests should be
successful.
17 Click Continue
18 Select number (Start a Trial)
19 Click Continue
20 Click Sign In
21 Enter the email address and password for your Sophos ID, then click Sign In Your Sophos ID is not the Sophos
Central evaluation you created in the
first lab.
You can modify the keyboard layout in

the left in CloudShare.


22 Select and complete a reCAPTCHA task if required
23 Click Continue Follow any additional on-screen
instructions.
24 Click Confirm Registration + Evaluation License
25 Click Initiate License Synchronization A serial number has been generated for
the XG Firewall and you have registered
it for an evaluation using your Sophos
ID. The XG Firewall now needs to
synchronize and download that
evaluation license.
26 Click Continue It will take a few minutes for the new
configuration to be applied to the XG
Firewall and for the device to reboot.
You can continue to Task 3.

 You have configured a new Sophos XG Firewall by restoring a configuration backup.


Task 2.3 Navigating the WebAdmin


Tour the WebAdmin and identify where various configuration elements are located to make navigation easier throughout the labs.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 When you first login you will see the Control center. This page gives a real-time
summary of what is happening on your network and on the XG Firewall
4 Select PROTECT > Firewall in the left-hand menu
5 Firewall rules are where most of the protection configuration is applied. You
can see that your lab environment has been preconfigured with a number of
firewall rules
6 Locate the #Default_Network_Policy firewall rule, then click on the ellipses
on the right side and select Edit
7 This is a basic network rule that allows traffic from the LAN zone to the WAN

applied to this rule, include intrusion prevention, traffic shaping and web
filtering
8 Select PROTECT > Wireless in the left-hand menu
9 In this section of the XG Firewall you can manage wireless access points and
networks. Select each tab in turn and review the configuration available in
each
10 Select CONFIGURE > VPN in the left-hand menu
11 In this section you can configure site-to-site and remote access VPNs
12 Click Show VPN settings
13 Here you can find settings that you will need to access less frequently. The
settings on the site-to-site and remote
access SSL VPNs
14 Click Close VPN settings
15 Select each of the tabs in turn and review the configuration on each
16 Select CONFIGURE > Network in the left-hand menu
17 In this section you configure the interfaces and other basic network settings
such as DNS and DHCP
18 Select CONFIGURE > Routing in the left-hand menu
19 The XG Firewall supports static, policy and dynamic routing, all of which can be
configured in this section
20 Select SYSTEM > Administration in the left-hand menu
21 In this section you configure the device settings


22 Take 5 minutes to browse through the WebAdmin and familiarize yourself with
where to find all the configuration options, this will help you when completing
the labs. You could try to find the following in the WebAdmin:
• Where do you download the STAS software?
• Where would you configure the primary antivirus engine for email
scanning?

• Where would you view the current IPsec connections?
• Where would you configure the log settings?

 You are now familiar with the layout of the WebAdmin and its navigation.

Task 2.4 Configure Zones and Interfaces


You will create a new zone for the intranet servers, and then configure PortD for the intranet zone with a static IP address. You will
also configure PortF with details for an MPLS connection between the head office in London and the branch office in New York.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select CONFIGURE > Network in the left-hand menu
4 Select the Zones tab
5 Click Add
6 Configure the zone with the following settings: Leave the other settings as default.

Setting Value

Name Intranet

Type LAN

Device access

Admin services HTTPS

Network services DNS


Ping/Ping6

7 Click Save
8 Select the Interfaces tab
9 Click PortD


10 Configure the interface with the following settings:

Setting Value

Network zone Intranet

IPv4 configuration Selected

IP Assignment Static

IPv4/netmask 172.25.25.16 /24

IPv6 configuration Deselected

11 Click Save, then Update interface


12 Click PortF We will use this port to simulate an
MPLS between London and New York
later in the labs.
13 Configure the interface with the following settings: We are adding this interface to the WAN zone, so you need to define a default gateway.

Setting Value

Network zone WAN

IPv4 configuration Selected

IP Assignment Static

IPv4/Netmask 10.100.100.65 /29

Gateway Name MPLS GW

Gateway IP 10.100.100.70

IPv6 configuration Deselected

14 Click Save, then Update interface


15 Select the WAN link manager tab
16 Click MPLS GW
17 Backup To prevent the MPLS interface being
used for any Internet traffic, set it as a
backup gateway with no automatic
failover.
18 None
19 Click Save then click OK

You have now created a new zone for the intranet and configured PortD as an interface in the intranet zone.
 You have configured PortF with the settings for an MPLS connection between the head office in London and the branch
office in New York.


Task 2.5 Configure Static Routes


In this task you will create a static route on London Gateway 1 that will route traffic destined for the New York LAN subnet
(192.168.16.0/24) over the MPLS connection to New York Gateway.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select CONFIGURE > Routing in the left-hand menu
4 IPv4 unicast route Add
5 Configure the static route with the following information: This static route will send all traffic destined for the New York LAN network (192.168.16.0/24) over the MPLS interface (PortF) to the New York Gateway (10.100.100.70).

Setting Value

Destination IP / netmask 192.168.16.0 /24

Gateway 10.100.100.70

Interface PortF-10.100.100.65

Distance 0

6 Click Save
7 Open a new tab in Chrome and navigate to http://ny-srv.sophos.local Confirm that you are able to access this
site.

You have created a static route on London Gateway 1 to send any traffic destined for the subnet 192.168.16.0/24 over
the MPLS to New York Gateway.

 The MPLS interface is in the WAN zone so the existing #Default_Network_Policy firewall rule will allow the traffic.
New York Gateway has been preconfigured with the required firewall rule from the configuration file you imported in Task
2.

Task 2.6 Create Definitions


You will create IP Host, FQDN Host and Service definitions in this task that you will use when performing other configuration tasks
throughout the labs.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select SYSTEM > Hosts and services in the left-hand menu


4 Click Add
5 Configure the object with the following information: This is the network definition for the
subnet in the New York branch office.
Setting Value

Name NewYork-192.168.16

IP family IPv4

Type Network

IP address 192.168.16.0

Subnet /24 (255.255.255.0)

6 Click Save
7 Click Add
8 Configure the object with the following information: This is the IP address of London DC.

Setting Value

Name London DC

IP family IPv4

Type IP

IP address 172.16.16.10

9 Click Save
10 Select the FQDN host tab
11 Click Add
12 Configure the object with the following information: This definition is for the publicly resolvable hostname of New York Gateway.

Setting Value

Name ny-gw.sophos.www

FQDN ny-gw.sophos.www

13 host g Add new item


14 Click Create new
15 type Sophos Gateways then click Save
16 Click Save
17 Select the Services tab
18 Click Add


19 Configure the service with the following settings: This service definition is for accessing the WebAdmin. It is defined as TCP traffic coming from any source port and going to port 4444.

Setting Value

Name WebAdmin

Type TCP/UDP

Protocol TCP

Destination port 4444

20 Click Save

 You have created IP Host definitions for the New York network and London DC, an FQDN Host definition for New York

Task 2.7 Configure DNS Request Routes


So that London Gateway 1 is
able to resolve internal hostnames and IP addresses, you will create DNS request routes that define which DNS servers should be
used for resolving internal domains and subnets.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select CONFIGURE > Network in the left-hand menu
4 Select the DNS tab
5 request r Add
6 Configure the request route with the following information: This instructs the XG Firewall to use the

Setting Value

Host/Domain Name sophos.local

Target Servers London DC

7 Click Save
8 Repeat this to create a DNS request route for the domain name 16.16.172.in-addr.arpa This is used to define a reverse lookup zone for IP addresses. The first parts of the domain are the network octets for the subnet in reverse order, followed by -
9 Open Command Prompt from the Start menu


10 Use nslookup to test the DNS request routes by running the following commands:
nslookup
> server 172.16.16.16
> 172.16.16.10
> lon-srv2.sophos.local
> exit
Both requests for lon-srv2 should return an answer. - srv2 - authoritative.
11 Close Command Prompt

 You have created DNS request routes on London Gateway 1 so that it is able to resolve hostnames and IP addresses for
sophos.local and 172.16.16.0/24 using the DNS server on London DC.
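As an added example that is not part of the workbook, the following Python models the two request routes created in this task: it derives the in-addr.arpa zone name from a subnet (for any prefix length, not only the /24 used here), builds the PTR name that the nslookup step sends for 172.16.16.10, and picks the target server by the most specific matching domain. The longest-suffix matching rule and the function names are assumptions; the domain and server values come from the lab.

```python
"""Model of the DNS request routes from Task 2.7 (added example, not part
of the Sophos workbook). Derives in-addr.arpa zone names, builds PTR query
names, and selects the target server for a query. The longest-suffix
selection is an assumption about how request routes are matched."""
import ipaddress


def reverse_zones(network: str) -> list:
    """Return the in-addr.arpa zone(s) covering an IPv4 network.

    Octet-aligned prefixes (/8, /16, /24) give one zone: the network octets
    in reverse order, as in the lab (172.16.16.0/24 -> 16.16.172.in-addr.arpa).
    Other prefixes are split into the octet-aligned zones they span; prefixes
    longer than /24 fall back to the enclosing /24 zone, the smallest zone a
    request route would normally be created for.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 (in-addr.arpa) is handled here")
    if net.prefixlen == 0:
        return ["in-addr.arpa"]
    # Number of leading octets that name the zone, capped at 3 (a /24 zone).
    octets = min((net.prefixlen + 7) // 8, 3)
    zone_prefix = octets * 8
    if zone_prefix < net.prefixlen:
        subnets = [net.supernet(new_prefix=zone_prefix)]
    elif zone_prefix == net.prefixlen:
        subnets = [net]
    else:
        subnets = list(net.subnets(new_prefix=zone_prefix))
    zones = []
    for sub in subnets:
        parts = str(sub.network_address).split(".")[:octets]
        zones.append(".".join(reversed(parts)) + ".in-addr.arpa")
    return zones


def ptr_name(ip: str) -> str:
    """PTR query name for an address: 172.16.16.10 -> 10.16.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def _normalise(name: str) -> str:
    return name.rstrip(".").lower()


def resolve_route(query_name: str, routes: dict):
    """Return the target server for a query name, or None when no request
    route applies and the query would go to the firewall's default DNS
    servers. Assumption: the most specific (longest) matching domain wins."""
    q = _normalise(query_name)
    best = None
    for domain, server in routes.items():
        d = _normalise(domain)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(best[0]):
                best = (d, server)
    return best[1] if best else None


# Constructed from the lab: both request routes point at London DC.
LONDON_DC = "172.16.16.10"
LAB_ROUTES = {
    "sophos.local": LONDON_DC,
    reverse_zones("172.16.16.0/24")[0]: LONDON_DC,  # 16.16.172.in-addr.arpa
}

if __name__ == "__main__":
    # The same names the nslookup step in this task sends to the firewall,
    # plus a public name that no request route covers.
    for name in ("lon-srv2.sophos.local", ptr_name("172.16.16.10"), "www.example.com"):
        print(f"{name:32} -> {resolve_route(name, LAB_ROUTES) or 'default DNS'}")
```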

Task 2.8 Import CA Certificates


In this task, you will download and import the CA certificates from the lab training certificate authority in this lab environment. The
XG Firewall will use these in later labs to validate website certificates.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://ca.internet.www
2 Root CA Certificate (PEM)
3 Intermediate CA Certificate
(PEM)
4 Navigate to https://lon-gw1.sophos.local:4444
5 Login to the WebAdmin as admin The password is Sophos1985.
6 Select SYSTEM > Certificates in the left-hand menu
7 Select the Certificate authorities tab
8 Click Add
9 Configure the certificate with the following information: The root-ca.pem file will be located in \Users\Administrator\Downloads\
You do not need to select a private key as this is a verification CA.
[...] CA on the first page of certificate authorities.

Setting Value

Name AAA Global Training Root CA

Certificate file format PEM

Certificate root-ca.pem

10 Click Save
11 Click Add


12 Configure the certificate with the following information: The intermediate-ca.pem file will be in \Users\Administrator\Downloads\
You do not need to select a private key as this is a verification CA.
Prefixing [...] CA on the first page of certificate authorities.

Setting Value

Name AAA Global Training Intermediate CA

Certificate file format PEM

Certificate intermediate-ca.pem

13 Click Save

 You have uploaded CA certificates to London Gateway 1 for validating website certificates.

Task 2.9 Create a Manual Configuration Backup


The Initial Setup Wizard has configured London Gateway 1 so that it automatically sends weekly configuration backups to the
administrator. In this task, you will take a manual backup of your current configuration. You will repeat this at the end of each lab
throughout this workbook so that you can restore your progress if necessary.
Note: We recommend that once you have created the backup that you upload it to cloud storage in case you need to revert your
environment for any reason.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select SYSTEM > Backup & firmware in the left-hand menu
4 Click Backup now Wait for the backup to complete.
5 Local
the automatic backups configured.
6 Click Download This will save the backup file to London
DC.
7 Write down the filename of the backup file that you downloaded: We recommend that you save your configuration backups to a cloud storage account in case you need to revert your environment for any reason.

____________________________________________

 You have downloaded a backup of the configuration from London Gateway 1.


Task 2.10 Import a Configuration for the Next Lab


In preparation for the next lab, you will import a configuration file. This will add a number of definitions and firewall rules to London
Gateway 1, as well as configuring additional interfaces for you.

Instructions Notes

On London DC
1 Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2 Login to the WebAdmin as admin The password is Sophos1985.
3 Select SYSTEM > Backup & firmware in the left-hand menu
4 Choose File
5 Select the file C:\Config\Lon-GW1_Engineer_Lab2_Task10
6 Click Open
7 Click Upload and restore
8 Click OK This process may take 5 minutes to
complete.

 You have imported the configuration that is required for the next lab.

Review
You have now successfully:
1. Used the Initial Setup Wizard to configure a Sophos XG Firewall
2. Configured a new Sophos XG Firewall by importing a configuration backup
3. Navigated the WebAdmin
4. Configured zones and interfaces
5. Configured static routes
6. Created definitions
7. Configured DNS request routes
8. Imported CA certificates
9. Created a configuration backup
10. Restored a configuration backup to an XG Firewall


Lab 3 Network Protection


Objectives
Upon successful completion of this lab, you will be able to:
1. Configure logging
2. Create network firewall rules
3. Install the SSL CA certificate
4. Install Sophos Central
5. Publish servers using Business application rules
6. Configure IPS policies
7. Enable Advanced Threat Protection
8. Enable DoS and spoof protection
9. Configure Security Heartbeat

Task 3.1 Configure Logging


You will review the options that are available for logging, and then enable all of the logging.
Note: In a production environment, we would recommend being more selective about which items you log.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > System services in the left-hand menu
3 Select the Log settings tab
4 Review
5 Select all of the items in s by selecting the top For the purposes of this training, you will enable all logging; however, in a production environment we would recommend being more selective.
6 Click Apply then click OK

 You have enabled logging for all log types.


Task 3.2 Create Network Firewall Rules


You will start this task by reviewing the two firewall rules that were imported as part of the configuration backup. You will then
modify the #Default_Network_Policy that allows outbound traffic so that it allows traffic from DMZ and Intranet zones in addition
to the LAN zone, and you will restrict which services are allowed by this rule.
You will create firewall rules that allow traffic to and from the New York branch office over the MPLS connection.
You will end this task by testing that the firewall rules you have created work.

Instructions Notes

On London DC

1 Login to the WebAdmin of London Gateway 1 as admin

2 Select PROTECT > Firewall in the left-hand menu You will see that there are some rules
that have been imported as part of the
configuration backup.

3 Review the configuration of the new firewall rules:


• The LAN to Intranet rule allows HTTP, HTTPS and SSH traffic from the LAN zone to the Intranet zone
• The LAN to LAN rule allows all traffic between interfaces in the LAN zone. As part of the configuration import, PortC has been configured as a LAN interface for the subnet 172.17.17.0/24, which is where London Server 2 is connected

4 Click #Default_Network_Policy to edit it


5 Modify the following settings: Leave the other settings as they are.
You are adding the DMZ and Intranet zones to provide Internet access for them.
You are restricting which services are allowed out to the Internet by this default firewall rule.

Setting Value

Source

Source zones LAN
DMZ
Intranet

Destination & services

Services DNS
FTP
HTTP
HTTPS
WebAdmin

Web malware and content scanning

Scan HTTP Select

Decrypt and scan HTTPS Select

Block Google QUIC Select

Detect zero-day threats with Sandstorm Select

Scan FTP for malware Select

Log traffic

Log firewall traffic Select

6 Click Save

7 Click + Add firewall rule > User/network rule


8 Configure the rule with the following configuration: Leave all the other settings as default.
You are creating separate firewall rules for traffic that is going to and from New York over the MPLS connection so that you do not inadvertently allow other traffic that should be managed by another firewall rule.

Setting Value

Rule name Allow MPLS to New York

Description Allow traffic between London and New York via the MPLS

Rule position Top

Source

Source zones LAN

Source networks and devices London Networks

Destination & services

Destination zones WAN

Destination networks NewYork-192.168.16

Advanced

Rewrite source address (Masquerading) Deselect

Log traffic

Log firewall traffic Select

9 Click Save

10 Open the ellipses menu for the rule and click Clone below

11 Modify the following settings: Leave all the other settings as they are.

Setting Value

Rule name Allow MPLS from New York

Source

Source zones WAN

Source networks and devices NewYork-192.168.16

Destination

Destination zones WAN

Destination networks London Networks

12 Click Clone


On London Server 2

13 Login as SOPHOS\lfox The password is Sophos1985.

14 Open Chrome and navigate to http://lon-dc.sophos.local Confirm that you can access this
website. This is allowed by the LAN to
LAN rule.

15 Navigate to http://intranet.lon.sophos.local Confirm that you can access this website.

16 Navigate to http://store.sophos.dmz Confirm that you are not able to access this website.
No firewall rule has been created to allow traffic from the LAN to the DMZ.

17 Navigate to http://ny-srv.sophos.local Confirm that you can access this website.
This is accessed using the MPLS and is routed using the static routes you created.

You have modified the #Default_Network_Policy so it applies to traffic from the DMZ and Intranet zones and restricted the
services it allows.

You have created firewall rules to allow traffic to and from the New York branch office over the MPLS connection.
You have tested the firewall configuration.

Task 3.3 Install the SSL CA Certificates


You will use Active Directory Group Policy to deploy the SSL CA Certificate from the London Gateway 1 to computers in the
SOPHOS.LOCAL domain. This means that clients will trust website certificates generated by the XG Firewall as part of HTTPS
scanning.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select SYSTEM > Certificates in the left-hand menu
3 Select the Certificate authorities tab
4 Locate and click the Download icon on the right-hand side You may need to use the horizontal scroll bar at the bottom of the page to see the Download icon.
This is the CA certificate used for decrypting and scanning traffic.


5 Locate Default and click the Download icon on the right-hand side This is the CA certificate used to
generate self-signed certificates.
6 Open the Downloads folder
7 Change the file extension of SecurityAppliance_SSL_CA.pem to .cer Windows does not have a file association for .pem files.
8 Right-click on Local_certificate_authority.tar.gz and select 7-Zip > Open If you are unable to locate this file,
archive please check you downloaded the file in
step 6.
9 Double-click local_certificate_authority.tar
10 Select Default.pem then click Extract
11 Click OK
12 Close 7-Zip
13 Change the file extension of Default.pem to .cer
14 Open Administrative Tools from the Start menu
15 Open Group Policy Management
16 In the left-hand pane right-click on Default Domain Policy and select Important: Ensure that you do this in [...] not the [...] Controller [...] the left-hand pane, expand Group Policy Management > Forest: SOPHOS.LOCAL > Domains > SOPHOS.LOCAL.
17 In the left-hand pane select Default Domain Policy > Computer
Configuration > Policies > Windows Settings > Security Settings > Public
Key Policies > Trusted Root Certification Authorities
18 In the left-hand pane right-click on Trusted Root Certification Authorities
and select
19 Click Next
20 Click
21 Select the file
C:\Users\Administrator\Downloads\SecurityAppliance_SSL_CA.cer then
click Open
22 Click Next twice
23 Click Finish
24 Click OK This dialog box can take up to 30
seconds to appear.
25 In the left-hand pane right-click on Trusted Root Certification Authorities
and select
26 Click Next
27 Click
28 Select the file C:\Users\Administrator\Downloads\Default.cer then click
Open
29 Click Next twice
30 Click Finish


31 Click OK This dialog box can take up to 30 seconds to appear.
32 Close the Group Policy Management Editor window
33 Close Group Policy Management window
34 Open Command Prompt from the Start menu
35 Run gpupdate /force Wait for the command to complete.

On London Server 2
36 Open Command Prompt from the Start menu
37 Run gpupdate /force Wait for the command to complete.
If the command returns an error, reboot
London Server 2, login as lfox, then run
the command again.
38 Logout of London Server 2

 You have deployed the CA certificates from London Gateway 1 to computers in the sophos.local domain using Active Directory group policy.

Task 3.4 Install Sophos Central


Install Sophos Central on London Server 2 and London Client 2 in preparation for configuring Security Heartbeat.
Note: Sophos Central is a rapidly developed product. The instructions in this lab workbook are correct at the time of publishing;
however, you may find discrepancies between the instructions and current version of Sophos Central.

Instructions Notes

On London Server 2
1 Login as SOPHOS\jsmith The password is Sophos1985.
2 Open Chrome and navigate to https://central.sophos.com
3 Sign In with your email address and password
4 Click Got it, thanks!
5

6 Select Overview > Protect Devices in the left-hand menu


7 Server Download Windows Server Installer
8 Download Linux Server Installer


9 Once the installer has downloaded run SophosSetup.exe Click Keep if Chrome flags the files as
dangerous.
Click Yes to the security warning.
10 Click Install Continue on to the next step while the
installer runs in the background.
11 Open File Manager
12 Select Downloads in the left-hand pane
13 Right-click on SophosInstall.sh and select Copy
14 Open Public Share on Lon-Client2 on the Desktop
15 Right-click in the folder and select Paste
16 Switch back to Sophos Central in Chrome
17 Select Overview > Global Settings in the left-hand menu
18 section click Reject Network Connections
19 Toggle Allow computers to reject connections from other computers with red
health on using the switch then click Save
20 Switch back to the installer and click Finish once the installation is complete This may take up to 15 minutes to
complete.
You can continue with the labs while the
installation takes place.
21 Once the installation is complete, reboot London Server 2

On London Client 2
22 Login as root The password is Sophos1985.
23 Run the following command to install Sophos Central: This may take up to 15 minutes to
/var/public/SophosInstall.sh complete.
You can continue with the labs while the
installation takes place.

 You have installed Sophos Central on London Server 2 and London Client 2.


Task 3.5 Publish Servers Using Business application rules


You will create a Business application rule to allow HTTP traffic to the Store Website in the DMZ, and another Business application
rule to allow RDP traffic to London Server 2 from an allowed set of IP addresses.

Instructions Notes

On New York Server


1 Open Chrome and navigate to http://store.sophos.www Confirm that you are not able to access the website.

On London DC
2 Login to the WebAdmin of London Gateway 1 as admin
3 Select PROTECT > Web server in the left-hand menu
4 Click Add
5 Configure the web server with the following settings: Web server objects are for a single
protocol, either HTTP or HTTPS. If you
Setting Value want to protect both protocols you will
need to create two Web server objects.
Name Sophos Store

Description Store website in London DMZ

Host Sophos Store

Type Plaintext (HTTP)

Port 80

Keep alive ON

Timeout 300

Disable backend connection pooling OFF

6 Click Save
7 Select PROTECT > Firewall in the left-hand menu
8 Click + Add firewall rule > Business application rule


9 Configure the rule with the following settings: When adding the domain under Hosted server, click + to add it to the list.
Leave all the other settings as default.
Note: Web Server [...] was imported with the configuration file.

Setting Value

Application template Web Server Protection (WAF)

Rule name Store Website

Description Access to the store website from the Internet

Hosted server

Hosted address #PortB

HTTPS OFF

Redirect HTTP OFF

Listening Port 80

Domains store.sophos.www

Protected server(s)

Path-specific routing Deselect

Sophos Store Select

Advanced

Protection General Web Server Policy

Intrusion prevention WAN TO DMZ

10 Click Save

On New York Server


11 Open Chrome and navigate to http://store.sophos.www Confirm that you can access the website.
12 Open Remote Desktop Connection from the Start menu and connect to: Confirm that you cannot connect.
lon-gw1.sophos.www:7000

On London DC
13 Click + Add firewall rule > Business application rule


14 Configure the rule with the following settings: Note:
Leave the other settings as default.

Setting Value
Application template DNAT/Full NAT/Load Balancing

Rule name London Server 2 RDP

Description RDP access to London Server 2 from admin IPs

Rule position Bottom

Source

Source zones Any

Allowed client networks Admin IPs

Destination & service

Destination host/network #PortB-10.1.1.100

Services RDP-7000

Forward to

Protected zone LAN

Mapped port 3389

Advanced

Intrusion prevention WAN TO LAN

Log traffic

Log firewall traffic ON

15 Create new > IP address


16 Configure the IP host with the following settings:

Setting Value

Name London Server 2

IP version IPv4

Type IP

IP address 172.17.17.20

17 Click Save, then click Save again


On New York Server


18 Open Remote Desktop Connection from the Start menu and connect to lon-gw1.sophos.www:7000
19 Login as SOPHOS\lfox, using password Sophos1985 Confirm that you can connect to
London Server 2
20 Logout of London Server 2

You have created a Business application rule to publish and protect the website of a server running in the DMZ.

You have created a DNAT rule to route RDP traffic to London Server 2 from a list of allowed IP addresses.

Task 3.6 Configure IPS Policies


In this task you will create a custom IPS policy for the Store Website server and apply it to the Business application rule you
created in the previous task.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Intrusion prevention in the left-hand menu
3 Select the IPS policies tab
4 Click Add
5 Store Website Do not select to clone rules.
6 Click Save
7 Click Store Website to edit the policy
8 Click Add
9 Rule name Apache Linux Server Severity Minor and Above


10 Select the following signature criteria: Selecting these criteria will filter the
signatures. Any new signatures that are
Setting Value added that match these criteria will also
be included.
Category

server-apache Select

Severity

1 - Critical Select

2 - Major Select

3 - Moderate Select

4 - Minor Select

Platform

Linux Select

Target

Server Select

11 Click Save then click Save again


12 Select PROTECT > Firewall in the left-hand menu
13 Edit
14 Store Website
15 Click Save

 You have created a custom IPS policy and applied it to a Business application rule.

Task 3.7 Enable Advanced Threat Protection

You will enable Advanced Threat Protection on London Gateway 1, and then trigger an event.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Advanced threat in the left-hand menu
3 Toggle Advanced threat protection ON
4 In the drop-down select Log and Drop
5 Click Apply
6 Open a new tab in Chrome and navigate to http://sophostest.com/callhome. Access to this page should be blocked.
7 Close the tab and switch back to the WebAdmin, then select Control center in the left-hand menu
8 In the section on the right-hand side you will see an alert
9 Click on the alert
10 Write down the name of the threat that was detected:

______________________________________________

You have enabled and tested Advanced Threat Protection on London Gateway 1.

Task 3.8 Enable DoS (Denial of Service) and Spoof Protection

In this task, you will enable both DoS protection and spoof protection.
You will generate a brief SYN flood attack against London Gateway 1 to test the DoS protection.
To test the spoof protection, you will intentionally configure a mismatch between MAC and IP address.

On London Server 2
1 Open Chrome and navigate to http://blog.internet.www. Confirm you can reach the website.

On London DC
2 Open Command Prompt from the Start menu
3 Run the following command: ipconfig /all
4 Write down the physical (MAC) address of London DC. You will need this to configure spoof protection.

______________________________________________

5 Login to the WebAdmin of London Gateway 1 as admin
6 Select SYSTEM > Administration in the left-hand menu
7 Select the Device access tab
8 Select the checkbox in the HTTPS column for the WAN zone
  Note: This enables access to the WebAdmin from the WAN zone. We are enabling it here as a method of recovery in case you become locked out during this task.
9 Click Apply then click OK
10 Select PROTECT > Intrusion prevention in the left-hand menu
11 Select the DoS & spoof protection tab
12 In the Spoof protection trusted MAC section, click Add
13 Enter the MAC address you wrote down at the beginning of this task
  Important: If you enter this incorrectly, you will lock yourself out of London Gateway 1.
14 In the IPv4 drop-down select Static
15 Enter 172.16.16.10
16 Click Save
17 In the Spoof protection trusted MAC section, click Add
18 Enter the MAC address 00-50-56-00-00-00
  Note: This is not the correct MAC address for London Server 2 and so will be detected by the spoof protection.
19 In the IPv4 drop-down select Static
20 Enter 172.17.17.20
21 Click Save
22 Configure the spoof protection general settings with the following information:
  Enable spoof prevention: Select
  Restrict unknown IP on trusted MAC: Select
23 Select the following:
  ✓ IP Spoofing
  ✓ MAC Filter
  ✓ IP-MAC Pair Filter
24 Click Apply then click OK
  Note: If you have made a mistake with the trusted MAC addresses, you will lose access to the WebAdmin. To correct your settings login to New York Server and connect to the WebAdmin at https://lon-gw1.sophos.www:4444.
  An alternative method to correct this configuration is to login to the Console and run the following command:
  system appliance_access enable
  This does two things:
  1. Enables all forms of access to the XG Firewall
  2. Disables all access through the XG Firewall, as this can only be used for recovery
  If you use this command, you must remember to disable it again afterwards.
25 In the DoS settings, select the Apply Flag checkbox for source SYN Flood attacks
26 Click Apply then click OK
27 Review the settings available in this section. In particular, review the options available for each of the DoS attack types.

On London Server 2
28 Refresh the webpage http://blog.internet.www. Confirm that you can no longer access the website.

On London DC
29 Open a new tab in Chrome and navigate to http://test.internet.www
30 Read the message including the warning, then click Start
  Note: More information about SYN floods can be found online at https://en.wikipedia.org/wiki/SYN_flood
31 Switch back to the WebAdmin
32 Select the DoS attacks tab
33 Confirm that the Source SYN Flood traffic was dropped
34 Select the DoS & spoof protection tab
35 Deselect Enable spoof prevention
36 Click Apply then click OK

On London Server 2
37 Refresh the webpage http://blog.internet.www. Confirm that you can access the website.
38 Logout of London Server 2

You have enabled and tested DoS protection and spoof protection on London Gateway 1.
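The spoof-protection checks configured in steps 12 to 25 can be modelled to see why London Server 2 loses access after step 24 and regains it after step 35. This is an added example, not Sophos code or part of the workbook; it assumes both London subnets sit in the LAN zone, and because the workbook never prints London DC's MAC address (or London Server 2's real one) it uses constructed placeholder MACs for both.

```python
"""Model of the Task 3.8 spoof-protection checks (added example, not Sophos
code): trusted MAC list, IP Spoofing, MAC Filter, IP-MAC Pair Filter and
'Restrict unknown IP on trusted MAC'."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Trusted MAC list as entered in the lab. The workbook does not print London DC's
# MAC address, so a constructed placeholder stands in for it; the second entry is
# the deliberately wrong MAC the lab assigns to London Server 2.
TRUSTED_MAC = {
    "00-50-56-AA-BB-CC": ip_address("172.16.16.10"),  # placeholder MAC, London DC
    "00-50-56-00-00-00": ip_address("172.17.17.20"),  # wrong MAC, London Server 2
}
TRUSTED_IPS = set(TRUSTED_MAC.values())

# Assumption: both London subnets are in the LAN zone of London Gateway 1.
ZONE_NETWORKS = {
    "LAN": [ip_network("172.16.16.0/24"), ip_network("172.17.17.0/24")],
    "DMZ": [ip_network("172.30.30.0/24")],
}


@dataclass
class SpoofSettings:
    enabled: bool = True              # Enable spoof prevention
    restrict_unknown_ip: bool = True  # Restrict unknown IP on trusted MAC
    ip_spoofing: bool = True          # IP Spoofing checkbox for the zone
    mac_filter: bool = True           # MAC Filter checkbox for the zone
    ip_mac_pair: bool = True          # IP-MAC Pair Filter checkbox for the zone


def check_packet(src_mac, src_ip, zone, s):
    """Return (verdict, reason) for a packet arriving on `zone`; the checks run
    broadest first, and the first failing check decides."""
    src_mac = src_mac.upper()
    src_ip = ip_address(src_ip)
    if not s.enabled:
        return "allow", "spoof prevention disabled"
    if s.ip_spoofing and not any(src_ip in n for n in ZONE_NETWORKS.get(zone, [])):
        return "drop", f"IP spoofing: {src_ip} is not a {zone} address"
    bound_ip = TRUSTED_MAC.get(src_mac)
    if s.mac_filter and bound_ip is None:
        return "drop", f"MAC filter: {src_mac} is not a trusted MAC"
    if s.restrict_unknown_ip and bound_ip is not None and src_ip not in TRUSTED_IPS:
        return "drop", f"unknown IP {src_ip} on trusted MAC {src_mac}"
    if s.ip_mac_pair and src_ip in TRUSTED_IPS and bound_ip != src_ip:
        return "drop", f"IP-MAC pair: {src_ip} is not bound to {src_mac}"
    return "allow", "source matches the trusted IP-MAC pairs"


def lab_scenarios():
    """Verdicts for the traffic the lab generates. London Server 2's real MAC is
    constructed; it is not in the trusted list, which is the point of the test."""
    on = SpoofSettings()
    off = SpoofSettings(enabled=False)   # step 35: Enable spoof prevention deselected
    srv2_real_mac = "00-50-56-11-22-33"  # constructed
    return {
        "london_dc": check_packet("00-50-56-aa-bb-cc", "172.16.16.10", "LAN", on)[0],
        "srv2_spoof_on": check_packet(srv2_real_mac, "172.17.17.20", "LAN", on)[0],
        "srv2_no_mac_filter": check_packet(srv2_real_mac, "172.17.17.20", "LAN",
                                           SpoofSettings(mac_filter=False))[0],
        "dc_mac_wrong_ip": check_packet("00-50-56-aa-bb-cc", "172.16.16.99", "LAN", on)[0],
        "wan_ip_on_lan": check_packet("00-50-56-aa-bb-cc", "10.1.1.50", "LAN", on)[0],
        "srv2_spoof_off": check_packet(srv2_real_mac, "172.17.17.20", "LAN", off)[0],
    }


if __name__ == "__main__":
    for name, verdict in lab_scenarios().items():
        print(f"{name:20s} {verdict}")
```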


Task 3.9 Configure Security Heartbeat

You will enable Synchronized Security on London Gateway 1, and then modify firewall rules to restrict network access based on
the heartbeat status of source devices.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Click the Click here link to register with Sophos Central
3 Click Activate
4 Click Register
5 Enter the email address and password you used to register for the Sophos Central evaluation, then click Register. Wait for the registration to complete.
6 Expand Optional configurations
7 Set the heartbeat zones to LAN
8 Click Save configuration
9 Select PROTECT > Firewall in the left-hand menu
10 Open the ellipses menu for the #Default_Network_Policy rule, then click Clone above
11 Modify the following settings:
  Rule name: User Internet Access
  Source
    Source zones: LAN
    Source networks and devices: London-172.17.17
  Web malware and content scanning
    Detect zero-day threats with Sandstorm: Deselect
  Advanced
    Web Policy: Default Workplace Policy
    Minimum Source HB Permitted: Yellow
  Note: You are changing the web policy so that executables are not blocked.
12 Click Clone
13 Open the ellipses menu for the rule that allows LAN access to the Intranet zone, then click Clone above
14 Modify the following settings:
  Rule name: User LAN to Intranet Zone
  Source
    Source networks and devices: London-172.17.17
  Advanced
    Minimum Source HB Permitted: Green
    Block clients with no heartbeat: Select
  Note: This rule will only apply to computers connected to the 172.17.17.0/24 subnet. This is the network that London Server 2 is connected to.
15 Click Clone
16 Edit the original rule that allows LAN access to the Intranet zone
17 Modify the following settings:
  Source
    Source networks and devices: London-172.16.16
  Note: This will only allow servers connected to the 172.16.16.0/24 subnet access to the Intranet zone.
18 Click Save
19 Edit the next rule
20 Modify the following settings:
  Source
    Source networks and devices: London-172.16.16, Intranet-172.25.25, DMZ-172.30.30
21 Click Save
22 Open a new tab in Chrome and navigate to http://intranet.lon.sophos.local. You should be able to access the website because the London DC is in the subnet 172.16.16.0/24.
23 Switch back to the WebAdmin
24 Select MONITOR & ANALYZE > Control center in the left-hand menu. Confirm that the Security Heartbeat section now shows the icon for two clients with a green heartbeat.
  Note: this may take a few minutes to update.

On London Server 2
25 Login as SOPHOS\lfox. The password is Sophos1985.
26 Open Chrome and navigate to http://intranet.lon.sophos.local. Confirm you can access the website as London Server 2 has a green heartbeat.
27 Run MTD.vbs on the Desktop. You should see a notification appear in the bottom-right corner of the screen that Sophos has detected malicious traffic.
28 Switch back to Chrome
29 Navigate to http://intranet.lon.sophos.local. Confirm you cannot access the intranet. If the page loads it is a cached copy; press Ctrl + Shift + R to reload the page.
30 Click Reason for blocking this site to expand that section of the block page and read the details
31 Logout of London Server 2

On London DC
32 Select MONITOR & ANALYZE > Control center in the left-hand menu. Confirm that the Security Heartbeat section now shows the icon for one client with a red heartbeat.
33 Click on the red Security Heartbeat icon and review the information shown
34 Click on the Sophos Central link
35 Sign in with your email address and password
36 Click LON-SRV2 next to the alert
37 Write down the description of the alert for LON-SRV2:

____________________________________________
____________________________________________

38 Select the STATUS tab
39 Click Mark As Resolved
40 Read the message then click OK. As it was a malicious traffic detection there is nothing to be cleaned.
41 Repeat this for all the alerts
42 Select Overview > Global Settings in the left-hand menu
43 Click Registered Firewall Appliances. Confirm that the Sophos XG Firewall is active.
44 Write down the name of the Sophos XG Firewall that is registered in Sophos Central:

____________________________________________

45 Select MY PRODUCTS > Firewall Management in the left-hand menu
46 Review the information on the Dashboard
47 Select MANAGE > Firewalls in the left-hand menu
48 Write down:

____________________________________________

49 Switch back to the WebAdmin. If your session has timed out, log back in as admin.
50 Select MONITOR & ANALYZE > Control center in the left-hand menu
51 Confirm that two clients are shown with a green heartbeat. This may take several minutes until the detection is resolved on the endpoint.

On London Server 2
52 Open Chrome and navigate to http://intranet.lon.sophos.local. Confirm you can access the website as London Server 2 has a green heartbeat.
53 Open Public Share on Lon-Client2 on the Desktop. Confirm that you can access the share.

On London Client 2
54 Run the command:
wget http://sophostest.com/callhome

On London DC
55 Select MONITOR & ANALYZE > Control center in the left-hand menu. Confirm that the Security Heartbeat section now shows the icon for one client with a red heartbeat.

On London Server 2
56 Open Public Share on Lon-Client2 on the Desktop. Confirm that you can no longer access the share.
57 Log off London Server 2

On London DC
58 Switch to the Central Admin Dashboard
59 Click debian next to the alert
60 Select the STATUS tab
61 Click Mark As Resolved
62 Read the message then click OK. As it was a malicious traffic detection there is nothing to be cleaned.
63 Repeat this for all the alerts
64 Switch back to the WebAdmin of London Gateway 1
65 Select SYSTEM > Backup & firmware in the left-hand menu
66 Click Backup now. Wait for the backup to complete.
67 Select Local as the backup mode
68 Click Download

You have enabled Synchronized Security on London Gateway 1, and then modified firewall rules to restrict network access based on the heartbeat status of source devices.
You have triggered a red heartbeat status on London Server 2 and London Client 2 to test your configuration.
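The heartbeat conditions set on the rules in steps 11, 14 and 17 decide the outcomes you confirm in steps 22, 26 and 29. This added example (not Sophos code or part of the workbook) models that decision for the three rules in the order the lab leaves them; the name of the original LAN-to-Intranet rule is assumed, and User Internet Access is taken to target the WAN zone.

```python
"""Model of how the Security Heartbeat settings from Task 3.9 decide whether a
source device's traffic is accepted (added example, not Sophos code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A device's status must be at least as healthy as the rule's
# "Minimum Source HB Permitted" value.
HB_RANK = {"red": 0, "yellow": 1, "green": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    source_networks: tuple          # "Source networks and devices"
    destination_zone: str
    min_source_hb: Optional[str]    # None: rule has no heartbeat condition
    block_no_heartbeat: bool = False


# Rules in the order the lab leaves them (the third rule's name is assumed).
RULES = (
    Rule("User Internet Access", ("172.17.17.0/24",), "WAN", "yellow"),
    Rule("User LAN to Intranet Zone", ("172.17.17.0/24",), "Intranet", "green", True),
    Rule("LAN to Intranet Zone", ("172.16.16.0/24",), "Intranet", None),
)


def heartbeat_permits(rule, status):
    """status is 'green', 'yellow', 'red', or None when the device sends no
    heartbeat (no Sophos endpoint, or endpoint not reporting)."""
    if status is None:
        return not rule.block_no_heartbeat
    if rule.min_source_hb is None:
        return True
    return HB_RANK[status] >= HB_RANK[rule.min_source_hb]


def decide(src_ip, dst_zone, status):
    """The first rule whose source network and destination zone match decides;
    returns (rule name, allowed). No matching rule means the traffic is dropped."""
    ip = ip_address(src_ip)
    for rule in RULES:
        if rule.destination_zone != dst_zone:
            continue
        if not any(ip in ip_network(n) for n in rule.source_networks):
            continue
        return rule.name, heartbeat_permits(rule, status)
    return None, False


def lab_walkthrough():
    """Outcomes for London Server 2 (172.17.17.20) and London DC (172.16.16.10)."""
    return {
        "srv2_green_intranet": decide("172.17.17.20", "Intranet", "green")[1],  # step 26
        "srv2_red_intranet": decide("172.17.17.20", "Intranet", "red")[1],      # step 29
        "srv2_red_wan": decide("172.17.17.20", "WAN", "red")[1],                # red is below yellow
        "srv2_yellow_wan": decide("172.17.17.20", "WAN", "yellow")[1],
        "srv2_none_intranet": decide("172.17.17.20", "Intranet", None)[1],      # blocked: no heartbeat
        "srv2_none_wan": decide("172.17.17.20", "WAN", None)[1],                # not blocked on this rule
        "dc_intranet": decide("172.16.16.10", "Intranet", "red")[1],            # step 22: no HB condition
    }


if __name__ == "__main__":
    for name, allowed in lab_walkthrough().items():
        print(f"{name:20s} {'allow' if allowed else 'drop'}")
```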

Review
You have now successfully:
1. Configured logging
2. Created network firewall rules
3. Installed the SSL CA certificate
4. Installed Sophos Central
5. Published servers using Business application rules
6. Configured IPS policies
7. Enabled Advanced Threat Protection
8. Enabled DoS and spoof protection
9. Configured Security Heartbeat


Lab 4 Site-to-Site Connections


Objectives
Upon successful completion of this lab, you will be able to:
1. Configure an SSL site-to-site VPN
2. Configure an IPsec site-to-site VPN

Task 4.1 Create an SSL Site-to-Site VPN

Create a simple SSL site-to-site VPN between the head office in London and the branch office in New York. Configure basic
firewall rules to allow traffic to and from the VPN zone.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Routing in the left-hand menu
3 Click the Delete icon next to the IPv4 unicast route then click OK. This deletes the static route for the simulated MPLS connection.
4 Open a new tab in Chrome and navigate to http://ny-srv.sophos.local. Confirm that you cannot access this site.
5 Switch back to the WebAdmin
6 Select CONFIGURE > VPN in the left-hand menu
7 Select the SSL VPN [site-to-site] tab
8 Click Add
9 Configure the server connection with the following settings:
  Connection Name: NewYork
  Description: Site-to-site VPN to New York
  Use Static Virtual IP address: Deselected
  Local Networks: London-172.16.16, London-172.17.17
  Remote Networks: NewYork-192.168.16
10 Click Save
11 Click the Download icon for the NewYork VPN connection
12 Select Encrypt configuration file
13 Enter and confirm the password Sophos1985
14 Click Download
15 Open a new tab and navigate to https://ny-gw.sophos.www:4444
  Important: while you have the WebAdmin for both London Gateway 1 and New York Gateway open, take extra care to perform tasks on the correct device.
16 Login to the WebAdmin of New York Gateway as admin
17 Select CONFIGURE > Routing in the left-hand menu
18 Select all the IPv4 unicast routes, then click Delete. This deletes the static routes for the simulated MPLS connection.
19 Click OK
20 Select CONFIGURE > VPN in the left-hand menu
21 Select the SSL VPN [site-to-site] tab
22 Click Add
23 Configure the VPN connection with the following settings:
  Connection Name: London
  Description: Site-to-site VPN to London
  Configuration File: C:\Users\Administrator\Downloads\server_NewYork.epc
  Password: Sophos1985
  Use HTTP Proxy Server: Deselected
  Override Peer Hostname: Deselected
  Note: The .epc extension indicates that the configuration file is encrypted. If the configuration file has not been encrypted it has a .apc extension.
24 Click Save
25 Click the SSL VPN [site-to-site] tab to refresh the page. Confirm that the connection indicator has turned green.
  Note: a firewall rule to allow VPN traffic has already been created as part of the configuration import.
26 Close the tab with the New York Gateway WebAdmin
27 Switch back to the London Gateway 1 WebAdmin. Ensure you are accessing the correct XG Firewall.
28 Select PROTECT > Firewall in the left-hand menu
29 Click + Add firewall rule > User/network rule
30 Configure the rule with the following configuration. Leave all the other settings as default.
  Rule name: To VPN
  Description: Allow traffic to the VPN zone
  Rule position: Top
  Action: Accept
  Source
    Source zones: LAN
  Destination
    Destination zones: VPN
  Log traffic
    Log firewall traffic: Select
  Note: In a production environment, you would usually limit the services and apply protection policies. You are creating separate firewall rules for traffic that is going to and from the VPN zone so that you do not inadvertently allow other traffic that should be managed by another firewall rule.
31 Click Save
32 Click + Add firewall rule > User/network rule
33 Configure the rule with the following configuration. Leave all the other settings as default.
  Rule name: From VPN
  Description: Allow traffic from the VPN zone
  Rule position: Top
  Action: Accept
  Source
    Source zones: VPN
  Destination
    Destination zones: LAN
  Log traffic
    Log firewall traffic: Select
  Note: In a production environment, you would usually limit the services and apply protection policies.
34 Click Save
35 Open a new tab in Chrome and navigate to http://ny-srv.sophos.local. Confirm that you can access this site. You can test the VPN in the other direction by browsing to http://lon-dc.sophos.local on New York Server.
36 Switch back to the London Gateway 1 WebAdmin
37 Select CONFIGURE > VPN in the left-hand menu
38 Select the SSL VPN [site-to-site] tab
39 Toggle the VPN OFF then click OK

On New York Server
40 Login to the WebAdmin of New York Gateway as admin
41 Select CONFIGURE > VPN in the left-hand menu
42 Select the SSL VPN [site-to-site] tab
43 Toggle the VPN OFF then click OK
44 Open a new tab in Chrome and navigate to http://lon-dc.sophos.local. Confirm that you cannot access this site.

You have created a simple SSL site-to-site VPN between the head office in London and the branch office in New York.
You have configured basic firewall rules to allow traffic to and from the VPN zone.

Task 4.2 Create an IPsec Site-to-Site VPN

Create an IPsec site-to-site VPN between the head office in London and the branch office in New York using the wizard. The
connection has already been configured on New York Gateway.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > VPN in the left-hand menu
3 On the IPsec connections tab, click Wizard
4 Enter the name NewYork, then click Start
5 Select the Site To Site image
6 Select IKEv2
7 Click the blue Next button
8 Enter the preshared key Sophos1985
9 Click the blue Next button
10 Configure the local network details with the following settings:
  Local WAN port: PortB 10.1.1.100
  IP version: IPv4
  Local Subnet: London-172.16.16, London-172.17.17, Intranet-172.25.25
  Local ID: DNS lon-gw1.sophos.www
11 Click the blue Next button
12 Configure the remote network details with the following settings:
  Remote VPN server: *
  IP version: IPv4
  Remote subnet: NewYork-192.168.16
  Local ID: DNS ny-gw.sophos.www
13 Click the blue Next button twice
14 Click Finish
15 Click on the red OK

On New York Server
16 Login to the WebAdmin of New York Gateway as admin
17 Select CONFIGURE > VPN in the left-hand menu
18 Click on the red OK. Wait for the VPN to establish and the icon to turn green.
19 Click on the Information icon next to the connection indicator
20 Write down the network mappings created for the VPN:

______________________________________________
______________________________________________
______________________________________________

21 Click Close
22 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local. Confirm that you can access this site.
  Note: The traffic is allowed due to the VPN firewall rules already created.
23 Switch back to the WebAdmin
24 Select SYSTEM > Backup & firmware in the left-hand menu
25 Click Backup now. Wait for the backup to complete.
26 Select Local as the backup mode
27 Click Download
28 Logout of New York Server

On London DC
29 Switch back to the WebAdmin
30 Select SYSTEM > Backup & firmware in the left-hand menu
31 Click Backup now. Wait for the backup to complete.
32 Select Local as the backup mode
33 Click Download

You have created an IPsec site-to-site VPN between the head office in London and the branch office in New York using the wizard.

Review
You have now successfully:
1. Configured an SSL site-to-site VPN
2. Configured an IPsec site-to-site VPN


Lab 5 Authentication
Objectives
Upon successful completion of this lab, you will be able to:
1. Configure Active Directory Authentication
2. Authenticate using Synchronized User Identity
3. Configure User-based policies including Security Heartbeat
4. Configure Sophos Transparent Authentication Suite
5. Configure One Time Passwords

Task 5.1 Configure an Active Directory Authentication Server

You will configure an Active Directory authentication server on London Gateway 1, and then import groups from Active Directory.
You will enable the Active Directory server as an authentication source for the firewall services, and test user authentication.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Click Add
4 Configure the authentication server with the following settings:
  Server type: Active Directory
  Server name: London DC
  Server IP/domain: 172.16.16.10
  Port: 389
  NetBIOS domain: SOPHOS
  ADS user name: Administrator
  Password: Sophos1985
  Connection security: Simple
  Display name attribute: displayName
  Email address attribute: mail
  Domain name: SOPHOS.LOCAL
5 Click the Add link
6 Enter dc=SOPHOS,dc=LOCAL then click Add
7 Click Test Connection. You should see a message appear that the connection was successful.
8 Click Save
9 Click the Import icon. This will open the Group Import Wizard.
10 Click Start
11 Select dc=SOPHOS,dc=LOCAL then click the blue Next button
12 Expand Sophos Groups
13 Select the following groups:
✓ HR
✓ IT
✓ Sales
✓ Marketing
✓ Support
14 Click the blue Next button three times
15 Click OK. Wait for the import to complete.
16 Click Close
17 Select the Users tab. Note that there are no users listed. Users will be added as they authenticate with the XG Firewall.
18 Select the Services tab
19 Select London DC for the required services
  Note: The authentication server has to be enabled as an authentication source for the required services.
20 Click Apply then click OK
21 In a new browser tab navigate to http://lon-gw1.sophos.local:8090. This will open the captive portal.
22 In the captive portal sign in as jsmith. The password is Sophos1985. By logging in as John Smith the user will be added to the device.
23 Click Sign out
24 In the captive portal sign in as frogers. The password is Sophos1985.
25 Switch back to the WebAdmin
26 Click Log viewer in the top-right
27 In the drop-down field select Authentication. Verify that the login events are present.
28 Close the Log viewer window
29 Select the Users tab
30 Write down the group name for the following users:

Fred Rogers:
____________________________________________

John Smith:
____________________________________________

31 Select MONITOR & ANALYZE > Current activities in the left-hand menu
32 Write down:

____________________________________________

33 Switch back to the Captive Portal tab
34 Click Sign out

You have configured an Active Directory authentication server on London Gateway 1, imported groups and enabled the
authentication server as an authentication source for the firewall services.

Task 5.2 Configure Single Sign-On Using STAS

You will configure single sign-on using the Sophos Transparent Authentication Suite. For this lab, you will install the STAS suite on
London DC and use it to authenticate users in the London head office.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Select the STAS tab
4 Toggle STAS ON
5 Click Activate STAS
  Note: User inactivity on the XG Firewall is for when STAS is unable to use WMI for logoff detection. We do not need to use it in this environment.
6 Click Add new collector
7 Enter the collector IP address 172.16.16.10 then click Save
8 Select the Client downloads tab. You will need to select the ellipses on the right-hand side of the menu.
9 Click Sophos Transparent Authentication Suite (STAS)
10 Once the download is complete, run the file. Click Run to the security warning.
11 Click Next. Note the location of the installation folder.
12 Click Next three times and then click Install
13 Select SSO Suite then click Next. This will install both the STA Collector and STA Agent on London DC.
14 Enter the login details for SOPHOS\STAS then click Next. The password is Sophos1985. STAS is an administrative user with logon as a service rights.
15 Click Finish. This completes the client installation.
16 Run Sophos Transparent Authentication Suite from the desktop shortcut
17 Click Start to start the service. The service should now start successfully.
18 Select the Exclusion List tab
19 Click Add
20 Type STAS then click OK
21 Select the STA Collector tab
22 Add 172.16.16.16 to the list of Sophos appliances
23 Select the STA Agent tab
24 Add the following networks to monitor:
• 172.16.16.0/24
• 172.17.17.0/24
25 Select the General tab
26 Configure the following settings:
  NetBIOS Name: SOPHOS
  Fully Qualified Domain Name: SOPHOS.LOCAL
27 Click OK
28 Click Yes to restart the service
29 Open Administrative Tools from the Start menu
30 Open Local Security Policy
31 Select Security Settings > Local Policies > Audit Policy in the left-hand pane
32 In the right-hand pane double-click Audit account logon events
33 Select both Success and Failure then click OK. You can then close the Local Security Policy.
34 Switch back to the WebAdmin of London Gateway 1
35 Select CONFIGURE > System services in the left-hand menu
36 Select the Services tab
37 Click Restart for the authentication service, then click OK. This will clear the cached authentication status on the XG Firewall.

On London Server 2
38 Login as SOPHOS\jsmith. You may need to logout as lfox first. The password is Sophos1985.
39 Open Chrome and navigate to http://www.google.com

On London DC
40 Switch back to the WebAdmin of London Gateway 1
41 Select MONITOR & ANALYZE > Current Activities in the left-hand menu
42 Write down what is shown for lfox. If no users are shown, wait a minute then click Live users to refresh the tab.

____________________________________________

On London Server 2
43 Logout of London Server 2

You have installed and configured the STAS suite on London DC, enabled STAS authentication on London Gateway 1, and
tested single sign-on to the firewall.

Task 5.3 User-Based Policies

You will modify the firewall rules that provide access from the 172.17.17.0/24 subnet to the Intranet and WAN zones so that they
require user authentication.
Traffic that accesses the Intranet zone will be assumed to be work related and therefore not counted, whereas traffic for the WAN
zone will be tracked.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Firewall in the left-hand menu
3 Edit the User LAN to Intranet Zone rule
4 Modify the following settings:
  Identity
    Match known users: Select
    Show captive portal to unknown users: Select
    Users or groups: Any
    Exclude this user activity from data accounting: Select
  Note: We are selecting the option to exclude this activity from data accounting so that any use of the intranet does not count towards any quotas set.
5 Click Save
6 Edit the User Internet Access rule
7 Modify the following settings:
  Identity
    Match known users: Select
    Show captive portal to unknown users: Select
    Users or groups: Any
    Exclude this user activity from data accounting: Deselect
8 Click Save

On London Server 2
9 Login as SOPHOS\lfox
10 Open Chrome and navigate to http://blog.internet.www
11 Click Downloads at the top of the page
12 Click large.file
13 Open Chrome and navigate to http://intranet.lon.sophos.local/intranet-large.file. Wait for the downloads to complete.
14 Logout of London Server 2

On London DC
15 Switch back to the WebAdmin of London Gateway 1
16 Select CONFIGURE > Authentication in the left-hand menu
17 Select the Users tab
18 Click Lucy Fox
19 Click the View usage button at the bottom of the page
20 Confirm that only one 111MB download has been accounted for. This is because we have excluded the intranet traffic from accounting. If the data is not appearing, wait a couple of minutes then navigate to the page again.

You have modified Network firewall rules so that they are User rules that require an authenticated user.

Task 5.4 One-Time Passwords

You will enable and configure one-time passwords for logging into the User Portal, and then test this configuration.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > Authentication in the left-hand menu
3 Select the One-time password tab
4 Click Settings
5 Toggle One-time password ON
6 Deselect WebAdmin
7 Click Apply

On New York Server
8 Open WinAuth from the Desktop
9 Open Chrome and navigate to https://lon-gw1.sophos.www
10 Login as jdoe. The password is Sophos1985.
11 Select the secret that is displayed and press Ctrl + C to copy it to the clipboard
12 Switch to WinAuth and click Add > Authenticator
13 Enter the name London Gateway 1
14 In the field for the secret code, paste the secret using Ctrl + V
15 Click Verify Authenticator, then click OK
16 Deselect Protect with my own password
17 Click OK
18 Switch back to the User Portal and click Proceed to login
19 Login as jdoe using the password and the token
  Note: The password is Sophos1985 and the current token will be displayed in WinAuth when you click the reveal token button. The token should be appended to the password with no spaces.
  If you are unable to login this may be caused by a time difference between London DC and New York Server. To resolve this, click the OTP time-offset synchronization icon next to the token on London Gateway 1 and enter the current token code. London Gateway 1 can then compensate for the time difference.

On London DC
20 Switch back to the WebAdmin of London Gateway 1
21 On the One-time password page, click Settings
22 Toggle One-time password OFF
23 Click Apply
24 Select SYSTEM > Backup & firmware in the left-hand menu
25 Click Backup now. Wait for the backup to complete.
26 Select Local as the backup mode
27 Click Download

You have enabled and configured one-time passwords for logging into the User Portal, and then tested this configuration.
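The login in step 19 (password with the token appended, no spaces) and the time-offset synchronization described in its note can be worked through in code. This is an added example, not Sophos code or part of the workbook; it assumes the standard RFC 6238 TOTP parameters (HMAC-SHA1, 30-second steps, 6-digit tokens) and uses the RFC 6238 test key as a constructed secret rather than any secret from the lab.

```python
"""TOTP checks behind Task 5.4 (added example, not Sophos code): verifying a
password+token login and learning a device's clock offset, as the
'OTP time-offset synchronization' action does.
Assumes RFC 6238 defaults: HMAC-SHA1, 30-second steps, 6-digit tokens."""
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per token
DIGITS = 6   # token length as shown by WinAuth

# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at_time, offset_steps=0):
    """Token for Unix time `at_time`, shifted by `offset_steps` steps."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = at_time // STEP + offset_steps
    if counter < 0:
        raise ValueError("time step before the epoch")
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def split_credential(submitted):
    """The portal expects password and token as one string with no spaces,
    so the last DIGITS characters are taken as the token."""
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        return None
    return submitted[:-DIGITS], submitted[-DIGITS:]


def verify_login(submitted, password, secret_b32, now, offset_steps=0, window=1):
    """Accept if the password matches and the token is valid for the firewall's
    clock (`now`) corrected by the learned offset, allowing `window` steps of drift."""
    parts = split_credential(submitted)
    if parts is None:
        return False
    entered_password, token = parts
    if not hmac.compare_digest(entered_password.encode(), password.encode()):
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, now, offset_steps + d), token)
        for d in range(-window, window + 1)
    )


def learn_time_offset(secret_b32, token_from_device, now, max_steps=10):
    """What the synchronization icon does: the admin enters the token the device
    shows right now and the firewall searches nearby steps for the one that
    produces it. Returns the offset in steps, or None if none is within range."""
    for k in range(max_steps + 1):
        for delta in ((0,) if k == 0 else (k, -k)):
            if hmac.compare_digest(totp(secret_b32, now, delta), token_from_device):
                return delta
    return None


if __name__ == "__main__":
    firewall_now = 1111111109            # firewall clock (RFC 6238 test time)
    device_token = totp(SECRET_B32, firewall_now + 90)   # device clock 90 s ahead
    print("login without offset:", verify_login("Sophos1985" + device_token, "Sophos1985", SECRET_B32, firewall_now))
    offset = learn_time_offset(SECRET_B32, device_token, firewall_now)
    print("learned offset (steps):", offset)
    print("login with offset:", verify_login("Sophos1985" + device_token, "Sophos1985", SECRET_B32, firewall_now, offset))
```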

Review
You have now successfully:
1. Configured Active Directory Authentication
2. Authenticated using Synchronized User Identity
3. Configured User-based policies including Security Heartbeat

4. Configured Sophos Transparent Authentication Suite
5. Configured One Time Passwords

Lab 6 Web Protection and Application Control
Objectives
Upon successful completion of this lab, you will be able to:
1. Create custom web categories and user activities to use in a web policy
2. Create a content filter
3. Create a custom web policy that applies different actions to groups of users
4. Delegate web policy overrides
5. Create a surfing quota for guest users
6. Configure an application filter policy
7. Categorize applications using Synchronized Application Control
8. Detect and categorize cloud applications

Task 6.1 Create Custom Web Categories and User Activities

You will create a custom web category, edit an existing user activity to add additional categories, and create a new user activity
for controlling access to specific categories of website. These will be used later in this lab when you create a custom web policy.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the Categories tab
4 Click Add
5 Configure the web category with the following settings:
  Name: Keyword filter
  Description: Keywords for unproductive web browsing
  Classification: Unproductive
  Configure category: Local
  Domain/keyword: toys, games
  Note: This keyword filter will identify keywords in the URL.
6 Click Save
7 Select the User activities tab
8 Click the Edit icon for the existing user activity
9 Add the following categories (tip: you can type to search for each of these categories):
✓ Keyword filter
✓ Audio Files
✓ Video Files
10 Click Save then click Save for all
11 Click Add
12 Configure the user activity with the following settings:
  Name: Controlled Categories
  Category: Hacking, Download Freeware & Shareware, Translators
13 Click Save

You have created a custom web category, edited an existing user activity to add additional categories, and created a new user
activity for controlling access to specific categories of website.

Task 6.2 Create a Content Filter

You will create a custom content filter that will be used to detect web pages that contain common bullying terms. You will use
this content filter in your custom web policy later in this lab.

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the Content filters tab
4 Click Add Content Filter
5 Configure the content filter with the following settings:
  Name: Bullying Terms
  Description: Common bullying terms
6 Click Choose File
7 Select the file C:\Samples\BullyingTerms.txt, then click Open. The format of this file is a text file with one term per line.
8 Click Apply

You have created a custom content filter that can be used to detect web pages that contain common bullying terms.

Task 6.3 Create a Custom Web Policy


In this task, you will clone an existing web policy and customize it using with the user activities and content filter you created in
the previous tasks.
You will test the web policy with two different users on London Server 2, and the Policy Test tool on London Gateway 1.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Click the Clone icon for the web policy you want to base the custom policy on
4 Change the name of the policy to Custom Workplace Policy
5 Click Add Rule (the new rule is added to the top of the list)

6 Configure the new rule with the following settings:

Setting Value

Users Anybody

Activities Unproductive Browsing

Action Warn

Status ON

7 Click Add Rule


8 Configure the new rule with the following settings:

Setting Value

Users Anybody

Activities Controlled Categories

Action Block

Status ON

9 Click the Clone icon for the Controlled Categories rule and select Clone rule above
10 In the cloned rule, change Users to IT
11 Change Action to Warn

12 Click the Add icon on an existing rule and select Add rule below
13 Click AllWebTraffic in the new rule
14 Select the Content filters tab
15 Select the and with content option
16 Add the Bullying Terms content filter
17 Click the Status icon for the new rule to enable it
18 Click Save, then click Skip this step on the message that appears
19 Select the User notifications tab
20 Select Use custom warn message
21 Replace the default warn message text:

The administrator of this network has restricted access to sites categorized
as {category}.<br><br>Clicking proceed will allow temporary access to this
site, but you should only do this if necessary.

with the following text (you can copy and paste text into the virtual machine):

It is likely that visiting this website is against company policy. If you have a
business need to use this website and you have reason to believe that it is
safe to do so you can choose to proceed.

22 Click Apply
23 Select PROTECT > Firewall in the left-hand menu
24 Edit the firewall rule that provides Internet access to London Server 2
25 Modify the following settings:

Web malware and content scanning
  Detect zero-day threats with Sandstorm: Select
Advanced
  Web policy: Custom Workplace Policy
26 Click Save

On London Server 2
27 Login as SOPHOS\jsmith
28 Open Chrome and navigate to http://bing.com John Smith should be able to access
this site.


29 Navigate to http://sophostest.com/downloads (this site should be blocked for John Smith)
30 Navigate to http://games.internet.www (John Smith should receive a warning for the Unproductive Browsing activity)
31 Logout of London Server 2
32 Login as SOPHOS\lfox (the password is Sophos1985; Lucy Fox is in IT)
33 Open a new tab and navigate to http://bing.com (Lucy Fox should be able to access this site)
34 Navigate to http://sophostest.com/downloads (this site should show a warning for Lucy Fox, because the IT group is included in the warn rule that sits above the block rule. Note: warning pages allow the user to choose to proceed)
35 Navigate to http://games.internet.www (Lucy Fox should receive a warning for the Unproductive Browsing activity)
36 Navigate to http://test.internet.www/sandstorm
37 The file will be sent to Sandstorm for further analysis. If you leave the webpage open it will automatically update and provide a link once the analysis is complete. You can move on to the next part of this lab task while the file is being analyzed.
38 Logout of London Server 2

On London DC
39 Switch back to the WebAdmin
40 Click Log viewer in the top-right
41 Select the Policy test tab


42 Configure the policy test with the following settings:

URL: http://test.internet.www/keywords
User: Authenticated User (Select), frogers@sophos.local
Test Method: Test Firewall Policy
Source IP: 172.17.17.21
Source Zone: LAN

43 Click Test
44 Review the results of the test

You have cloned an existing web policy and customized it with the user activities and content filter you created in
the previous tasks.

You have tested the web policy with two different users on London Server 2, and the Policy Test tool on London Gateway
1.
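The tests above only come out as described because the rules are evaluated top to bottom and the first match wins: the cloned IT rule must sit above the Anybody block rule, or Lucy Fox would be blocked like John Smith. The Python below is an added example of that first-match evaluation; it is not Sophos code. The host-to-category table, the group membership and the contents of the two user activities are constructed to mirror the lab, and the name "Unproductive keywords" for the custom category (and its inclusion in Unproductive Browsing via the Keyword filter entry) is an assumption of the example.

```python
# Added example: first-match evaluation of web policy rules, to show why the
# IT warn rule must sit above the Anybody block rule. Not Sophos code; the
# category database, group membership and activity contents are constructed
# to mirror the lab and are not the firewall's real data.
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed host -> category lookup (stand-in for the URL categorisation database)
CATEGORY_DB: Dict[str, str] = {
    "sophostest.com": "Download Freeware & Shareware",
    "games.internet.www": "Unproductive keywords",  # assumed name for the custom category
    "bing.com": "Search Engines",
}

# Constructed group membership: Lucy Fox is in IT, John Smith is not
USER_GROUPS: Dict[str, Set[str]] = {"jsmith": set(), "lfox": {"IT"}}

# User activities as built in the lab; the custom keyword category is assumed
# to be reached through the Keyword filter entry added to Unproductive Browsing
ACTIVITIES: Dict[str, Set[str]] = {
    "Unproductive Browsing": {"Unproductive keywords", "Audio Files", "Video Files"},
    "Controlled Categories": {"Hacking", "Download Freeware & Shareware", "Translators"},
}


@dataclass(frozen=True)
class Rule:
    users: str       # "Anybody" or a group name
    activity: str
    action: str      # "Allow", "Warn" or "Block"
    enabled: bool = True


# Rule order as built in Task 6.3: the cloned IT rule is above the Anybody block rule
LAB_RULES: List[Rule] = [
    Rule("Anybody", "Unproductive Browsing", "Warn"),
    Rule("IT", "Controlled Categories", "Warn"),
    Rule("Anybody", "Controlled Categories", "Block"),
]


def rule_applies_to(rule: Rule, user: str) -> bool:
    """A rule scoped to Anybody matches everyone; otherwise the user must be in the group."""
    return rule.users == "Anybody" or rule.users in USER_GROUPS.get(user, set())


def evaluate(rules: List[Rule], user: str, host: str, default: str = "Allow") -> str:
    """Walk the rules top to bottom; the first enabled rule whose user scope and
    activity both match decides the action. Nothing matching falls through to
    the policy default."""
    category = CATEGORY_DB.get(host)
    for rule in rules:
        if not rule.enabled or not rule_applies_to(rule, user):
            continue
        if category in ACTIVITIES.get(rule.activity, set()):
            return rule.action
    return default


def swap_order(rules: List[Rule], i: int, j: int) -> List[Rule]:
    """Return a copy with two rules exchanged, to show the effect of ordering."""
    reordered = list(rules)
    reordered[i], reordered[j] = reordered[j], reordered[i]
    return reordered
```

Swapping the second and third rules turns Lucy Fox's warning into a block, which is exactly the failure you get in the real policy if the clone lands below the original rule instead of above it. The same logic applies to the content filter rule added at the bottom: any rule above it that already blocks a request means the content filter is never consulted for that request.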

Task 6.4 Delegate Web Policy Overrides


In this task you will enable web policy overrides for Fred Rogers. You will then create a web policy override using Fred Rogers'
account, and use the access code generated to allow John Smith to access a site that is currently blocked.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the General settings tab
4 Enable policy override


5 Configure the policy overrides with the following settings:

Authorized users and groups: frogers@sophos.local
Block websites and categories:
  Criminal Activity
  Extreme
  Intolerance & Hate
  Marijuana
  Nudity
  Personals & Dating
  Phishing & Fraud
  Pro-Suicide & Self-Harm
  Spam URLs
  Spyware & Malware
Allow manual access code entry: Deselect

6 Click Apply


On London Server 2
7 Login as SOPHOS\jsmith The password for John Smith is
Sophos1985.
8 Open Chrome and navigate to https://lon-gw1.sophos.local
9 Login as frogers The password for Fred Rogers is
Sophos1985.
10 Select My policy overrides in the left-hand menu
11 Click Add
12 Configure the policy override with the following settings:

Setting Value

Session name Translators

Allowed website categories Translators

13 Write down the access code:

____________________________________________

14 Click Apply
15 Open Chrome and navigate to http://translate.google.com Confirm that this is blocked.
16 Click the link on the block page to enter an access code
17 Enter the access code you wrote down and click Go

You enabled web policy overrides for Fred Rogers. You then created a web policy override using Fred Rogers' account, and
 used the access code generated to allow John Smith to access a site that was blocked.

Task 6.5 Create a Surfing Quota for Guest Users


You will configure a surfing quota for guest users, then create a guest user and test your quota policy.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Web in the left-hand menu
3 Select the Surfing quotas tab (review the default surfing quotas that are preconfigured)


4 Click Add
5 Configure the surfing quota with the following settings:

Name: Guest User Surfing Quota
Description: 6 hours, non-cyclic
Cycle Type: Non-Cyclic
Validity: Unlimited
Maximum Hours: 6 Hour(s)

6 Click Save
7 Select CONFIGURE > Authentication in the left-hand menu
8 Select the Groups tab
9 Click Guest Group
10 Set the surfing quota to Guest User Surfing Quota
11 Click Save
12 Select the Guest users tab
13 Click Add Multiple
14 Enter the following details:

Number of Users: 5
User Validity (Duration in Days): 1
Validity Start: After First Login

15 Click Add
16 Select the checkbox for guest-00001 then click Print
17 Write down the username and password for the guest user:

Username
____________________________________________

Password
____________________________________________

18 Click Cancel
19 Open a new tab and navigate to https://lon-gw1.sophos.local:8090
20 Login as guest-00001 using the password you wrote down for this user
21 Open a new tab and navigate to https://www.google.com
22 Navigate to http://blog.internet.www/download/large.file


23 Switch back to the WebAdmin of London Gateway 1


24 Click guest-00001
25 Click View usage
26 Review the usage sections (Note: it may take a couple of minutes for this section to update)
27 Switch back to the captive portal and click Sign out

 You have configured a surfing quota for guest users, created a guest user and tested your quota policy.

Task 6.6 Create an Application Filter Policy


In this task, you will create an application filter policy that blocks recreational applications such as peer-to-peer sharing, gaming,
media streaming and social media. You will apply the policy to a firewall rule and test it.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Click the How-to guides link in the top-right
3 Click the Registration and Setup video and confirm it loads (Note: the videos are hosted on Vimeo)
4 Close the tab and switch back to the WebAdmin
5 Select PROTECT > Applications in the left-hand menu
6 Click Add
7 Configure the application filter with the following settings:

Name: Block non-business apps
Template: Allow All (Note: applications will be allowed unless they are explicitly denied)

8 Click Save
9 Click Block non-business apps
10 Click Add
11 Select the following categories (Note: this field is not in alphabetical order):
✓ Gaming
✓ P2P
✓ Streaming Media
12 Set Action to Deny
13 Click Save, then click Save again
14 Select PROTECT > Firewall in the left-hand menu
15 Edit the #Default_Network_Policy rule


16 Set the application control policy to Block non-business apps


17 Click Save
18 Click the How-to guides link in the top-right
19 Click the Registration and Setup video and confirm it does not load

 You have created an application filter policy that blocks recreational applications such as peer-to-peer sharing, gaming,
media streaming and social media. You have applied the policy to a firewall rule and tested it.

Task 6.7 Categorize Applications using Synchronized Application Control


You will apply an application control policy to the firewall rule that provides Internet access to London Server 2. On
London Server 2 you will run a script that will download a webpage using Wget.
On London Gateway 1 you will see that Wget has been identified by Synchronized Application Control and automatically
categorized. You will customize the category for Wget, then block that category in the application control policy applied to the
firewall rule.
On London Server 2, you will run the script again and confirm that Wget is now blocked.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Firewall in the left-hand menu
3 Click User Internet Access to edit the firewall rule
4 Set the application control policy to Block non-business apps
5 Click Save

On London Server 2
6 On the Desktop, run Lab 6.7 This script will download a webpage
using wget.
7 You will see that the webpage is downloaded successfully, press any key to
close the window

On London DC


8 Switch back to the WebAdmin of London Gateway 1


9 Select MONITOR & ANALYZE > Control center in the left-hand menu
10 Click the Synchronized Application Control widget (Note: the number of new applications shown in your lab may differ from the icon shown here)
11 Confirm that Wget is listed in the New applications view (if Wget is not listed, wait for a minute, then refresh the page by selecting the Synchronized Application Control tab)
12 Write down the category that has been automatically assigned to Wget:

____________________________________________

13 Click the ellipses to open the menu options for Wget, then select Customize
14 Set the category to Download Applications
15 Click Apply
16 Wget will no longer show in the New applications view, use the drop-down
menu at the top of the table to select the Categorized applications view
17 You will see Wget in this view
18 Write down the information shown for Wget:

____________________________________________

19 Select the Application filter tab


20 Click Block non-business apps to edit the application filter you created earlier
21 Click Add
22 Select the Download Applications category
23 Select Synchronized Application Control
24 Confirm that Wget is listed
25 Write down the information shown for Wget:

____________________________________________

26 Set Action to Deny
27 Click Save
28 Click Save

On London Server 2
29 On the Desktop, run Lab 6.7 This script will try to download a
webpage using wget.


30 You will see that the webpage can no longer be downloaded

You applied an application control policy to the firewall rule that provides Internet access to London Server 2. On London
Server 2 you ran a script that downloaded a webpage using Wget.

 On London Gateway 1 you confirmed that Wget had been identified by Synchronized Application Control and automatically
categorized. You customized the category for Wget, then blocked that category in the application control policy applied to
the firewall rule.
On London Server 2, you ran the script again and confirmed that Wget was then blocked.

Task 6.8 Detect and Categorize Cloud Applications


You will access several web-based applications on London Server 2 to be detected by the XG Firewall. On London Gateway 1 you
will review the detected applications and apply a category to one of them.

Instructions Notes

On London Server 2
1 Open Chrome and navigate to http://www.slideshare.net Note: all URLs will redirect to HTTPS.
2 Click on one of the slide shares
3 Click on the forward arrow to progress through several slides
4 Navigate to http://twitter.com/sophos
5 Click Proceed
6 Scroll down through the page
7 Navigate to http://slack.com
8 Navigate to http://flickr.com
9 Click Proceed

On London DC
10 Login to the WebAdmin of London Gateway 1 as admin
11 Select MONITOR & ANALYZE > Control center in the left-hand menu (the widget can take 10 minutes to update; if no data is displayed, wait for several minutes, then refresh the Control center)
12 Click on the Cloud applications widget in the Control center
13 Click on the + to expand SlideShare


14 Write down the information displayed:

____________________________________________
____________________________________________

15 Click on the Classify link for SlideShare


16 Set the classification to Unsanctioned
17 Click Apply
18 Select MONITOR & ANALYZE > Control center in the left-hand menu
19 Hover the mouse over the Cloud applications widget
20 The data for SlideShare will now show as unsanctioned The report can take 10 minutes to
update.
21 Select SYSTEM > Backup & firmware in the left-hand menu
22 Click Backup now Wait for the backup to complete.
23 Select Local
24 Click Download

 You accessed several web-based applications on London Server 2 to be detected by the XG Firewall. On London Gateway
1 you reviewed the detected applications and applied a category to one of them.

Review
You have now successfully:
1. Created custom web categories and user activities to use in a web policy
2. Created a content filter
3. Created a custom web policy that applies different actions to groups of users
4. Delegated web category overrides
5. Created a surfing quota for guest users
6. Configured an application filter policy
7. Categorized applications using Synchronized Application Control
8. Detected and categorized cloud applications


Lab 7: Email Protection


Objectives
Upon successful completion of this lab, you will be able to:
1. Enable and configure quarantine digests
2. Configure an Email Protection Policy for MTA mode
3. Encrypt emails that match a Data Control List using SPX
4. Manage quarantined items as a user

Task 7.1 Enable and Configure Quarantine Digests


Enable quarantine digests for users so that you will receive one after completing other tasks in this lab. You will also override the
quarantine digest settings, by disabling them for a specific user.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select SYSTEM > Administration in the left-hand menu
3 Select the Time tab
4 Write down the current time on London Gateway 1:

____________________________________________

5 Select PROTECT > Email in the left-hand menu


6 Select the Quarantine digest tab (Note: this tab may be found through the ellipsis menu)
7 Select Enable quarantine digest
8 Configure the digest with the following settings. Configure the quarantine digest to be sent 30 minutes later than the current time of London Gateway 1; this will allow you to receive one in time for the last task in this lab. Important: use the time you wrote down earlier in this task.

Email Frequency: Daily
Send Mail Daily At: 30 minutes later than the current time of London Gateway 1
From Email Address: administrator@sophos.local
Display Name: Quarantine Digest
Reference User Portal IP: PortC

9 Click Apply then click OK


10 Click Change user quarantine digest settings (you can use this to apply the quarantine digest settings to existing users, and to edit the email addresses associated with each user)
11 Select all the users then click Apply
12 Click OK
13 Select CONFIGURE > Authentication in the left-hand menu
14 Select the Users tab
15 Click John Smith
16 Set the quarantine digest to Disable (you can enable and disable quarantine digests per user)
17 Click Save

 You have enabled quarantine digests for users, and overridden the quarantine digest settings, by disabling them for a
specific user.

Task 7.2 Configure SMTP Routing and Protection


You will configure SMTP routing and protection on London Gateway 1 using MTA mode. You will then test the configuration by
sending test emails from a mail server that is on a separate domain.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select SYSTEM > Administration in the left-hand menu
3 Select the Device access tab
4 Select the SMTP Relay column on the WAN row You need to do this to be able to accept
email from the Internet in MTA mode.
5 Click Apply and click OK
6 Select PROTECT > Email in the left-hand menu
7 Select the General settings tab
8 Scroll to the SMTP settings section
9 Set the SMTP hostname to lon-gw1.sophos.www
10 Click Apply then click OK
11 Select the Relay settings tab
12 Click Add new item in the Allow relay from hosts/networks section
13 Select London DC
14 Click Apply 1 selected items
15 Click Apply


16 Select the Policies & exceptions tab


17 Click Add policy > SMTP route & scan
18 In the Name field type General SMTP Policy
19 In the Domains field click Add new item, then click Create new
20 Configure the address group with the following settings:

Name: Sophos Domains
Group Type: Email Address/Domain
Type: Manual
Email Address(es)/Domain(s): sophos.www

21 Click Save
22 In the Route by drop-down select Static Host
23 Select London DC as the host
24 Turn spam protection ON
25 Set the spam action to Quarantine
26 Select With Callout (Recommended)
27 Turn malware protection ON
28 In the scanning options select Single Anti-Virus
29 Select Detect zero-day threats with Sandstorm
30 Review the options in this section
31 Turn file protection ON
32 Set the blocked file types to Executable Files
33 Set the MIME white list to None
34 Click Save
34 Click Save

On New York Server


35 Open a new tab in Chrome and navigate to http://mail.internet.www
36 Login to SquirrelMail as jbrown The password is Sophos1985.
37 Click Drafts in the left-hand menu
38 Click Normal Email in the main window
39 Click Resume Draft
40 Click Send
41 Repeat this for all the other draft emails


On London DC
42 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
43 Login to MailEnable as frogers The password is Sophos1985
44 Verify that you have received:
• The normal email
• The file type email with the attachment replaced with a text file
45 Switch back to the London Gateway 1 WebAdmin
46 Select the Mail logs tab
47 Review the actions taken on the test emails

You have configured SMTP routing and protection for the sophos.local domain using MTA mode, and tested the
 configuration by sending emails from a domain outside the network.

Task 7.3 Configure Data Control and SPX Encryption


You will configure a Data Control Policy for emails that you want to encrypt, create a new SPX Template that enables the SPX
Reply Portal, and test this configuration by enabling Data Protection in the SMTP policy.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Email in the left-hand menu
3 Select the Data control list tab
4 Click Add You can create new Data Control Lists
to meet your needs or modify existing
ones.
5 Set the type filter to Global CCLs
6 Set the region filter to Global (for this example, we will create a fairly general Data Control List by selecting the signatures that are not country specific)
7 Select all the filtered signatures
8 Click Save
9 Select the Encryption tab
10 In the SPX portal settings, set the hostname to lon-gw1.sophos.www
11 Click Apply


12 Click Add to create a new SPX template
13 Configure the template with the following settings: Leave the other settings as default.

Setting Value

Name Recipient Password and Reply Portal

Organization name Sophos

Password type Specified by recipient

Enable SPX reply portal Enable

14 Click Save
15 Select the Policies & exceptions tab
16 Click General SMTP Policy
17 Turn data protection ON
18 Set the data control list to Financial information
19 Set the data control list action to Accept with SPX
20 In the Accept with SPX drop-down select Recipient Password and Reply Portal
21 Click Save
22 Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
23 Login to MailEnable as frogers The password is Sophos1985.
24 Select Mailbox-frogers > Drafts in the left-hand menu
25 Select the email in the main window, then click Open
26 Review the email then click Send

On New York Server


27 Open a new tab in Chrome and navigate to http://mail.internet.www
28 Login to SquirrelMail as jbrown The password is Sophos1985.
29 Click SPX Registration Request from Sophos
30 Click the link in the email to register You will get a certificate error, but it is
safe to proceed.
31 Type and confirm the password Sophos1985? then click Register

On London DC
32 Switch back to MailEnable in Chrome


33 Select Sent Items in the left-hand pane


34 Select the email you sent, then click Forward
35 Address the email to jbrown@internet.www
36 Change the subject to Second SPX email
37 Click Send
38 Switch back to the WebAdmin of London Gateway 1
39 Select the Mail spool tab
40 Click Retry

On New York Server


41 Switch back to SquirrelMail and refresh the inbox
42 Click Second SPX email The recipient is not prompted to register
again, the same password is used to
encrypt subsequent emails.
43 Click the Download link at the bottom of the page
44 Open the downloaded PDF
45 Enter the password Sophos1985? and click SUBMIT
46 Click the Reply button at the top of the page This button can be used multiple times
and is active for 30 days.
IMPORTANT: If the reply button is not
present, resend the email from Fred
Rogers.
47 Enter a reply message to Fred Rogers then click Send

On London DC
48 Switch back to MailEnable in Chrome
49 Open the email with the subject RE: Second SPX email This will be your reply from the SPX
Reply Portal.
50 Select SYSTEM > Backup & firmware in the left-hand menu
51 Click Backup now Wait for the backup to complete.
52 Select Local
53 Click Download

You have configured a Data Control Policy for emails that you want to encrypt, created a new SPX Template to enable the
 SPX Reply Portal, and tested this configuration by enabling Data Protection in the SMTP policy.


Task 7.4 User Quarantine Management


You will review the information that is sent to users in the Quarantine Digest emails, then access the quarantine in the User Portal.

Instructions Notes

On London Server 2
1 Open Chrome and navigate to https://lon-dc.sophos.local/mewebmail
2 Login as frogers The password is Sophos1985.
3 Read the quarantine digest email, then click the My Account link for the User Portal (the quarantine digest email may not have been sent yet, depending on the time you set in Task 7.1; you can still login to the User Portal to view the quarantine by navigating to https://lon-gw1.sophos.local)

4 Login as frogers The password is Sophos1985.


5 Select Email > Quarantine in the left-hand menu
6 Write down which emails are shown in the quarantine:

____________________________________________
____________________________________________
____________________________________________
____________________________________________

7 Click the Release link for one of the emails


8 Select Email > Exception in the left-hand menu
9 Add noreply@mailinglist.internet.www as an allowed sender
10 Add *@baddomain.internet.www as a blocked sender
11 Click Save
12 Click OK
13 Switch back to the MailEnable tab and refresh the inbox to confirm that you
have now received the released email

 You have reviewed the information that is sent to users in the Quarantine Digest emails and accessed the quarantine in
the User Portal.

Review
You have now successfully:
1. Enabled and configured quarantine digests
2. Configured an Email Protection Policy for MTA mode
3. Encrypted emails that match a Data Control List using SPX

4. Managed quarantined items as a user

Lab 8: Wireless Protection


Objectives
Upon successful completion of this lab, you will be able to:
1. Create a hotspot for an interface on the XG Firewall

Task 8.1 Create a Hotspot


You will create a hotspot on PortC of London Gateway 1, then create vouchers for the hotspot and test access from London
Server 2.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Wireless in the left-hand menu
3 Select the Hotspots tab
4 Click Add
5 Configure the hotspot with the following information (leave the other settings as default):

Name: PortCHotspot
Interfaces: PortC
Hotspot type: Voucher
Voucher Definitions: 1 Day
Administrative Users: jsmith@sophos.local
Redirect to URL after login: ON
URL: http://store.sophos.www

6 Click Save then click OK
7 Open a new tab and navigate to https://lon-gw1.sophos.local
8 Login as jsmith
9 Select Hotspots in the left-hand menu
10 In the voucher definition drop-down select 1 Day
11 Set the number of vouchers to 10
12 Click Create Vouchers
13 Write down one of the voucher codes:

____________________________________________

On London Server 2
14 Open Chrome and navigate to http://blog.internet.www (you will be redirected to the hotspot; if the page is displayed instead, use Ctrl + Shift + R to force a refresh)
15 Enter the voucher code that you wrote down and click Login (you should be redirected within a minute)
16 Navigate to http://blog.internet.www and confirm you can access the website

On London DC
17 Switch back to the WebAdmin of London Gateway 1
18 Select SYSTEM > Backup & firmware in the left-hand menu
19 Click Backup now and wait for the backup to complete
20 Select Local
21 Click Download
22 Select PROTECT > Wireless in the left-hand menu
23 Select the Hotspots tab
24 Click the Delete icon for PortCHotspot, then click OK

 You have created a hotspot on PortC for an interface on the XG Firewall, created vouchers for the hotspot and tested
access from London Server 2.

Review
You have now successfully:
1. Created a hotspot for an interface on the XG Firewall


Lab 9: Remote Access


Objectives
Upon successful completion of this lab, you will be able to:
1. Configure an SSL remote access VPN
2. Configure an IPsec remote access VPN with Sophos Connect

Task 9.1 Configure an SSL Remote Access VPN


In this task, you will configure an SSL remote access VPN with one-time password authentication, and then test the configuration
by installing the VPN client and connecting from New York Server.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > VPN in the left-hand menu
3 Click Show VPN settings
4 Configure the following settings:

Setting Value

Override hostname lon-gw1.sophos.www

IPv4 DNS 172.16.16.10

Domain name sophos.local

5 Click Apply then click OK


6 Click Close VPN settings
7 Select the SSL VPN [remote access] tab
8 Click Add


9 Configure the VPN with the following settings (leave the other settings as default):

General settings
  Name: SSL VPN for Sales
Identity
  Policy members: Sales
Tunnel Access
  Use as default gateway: Off
  Permitted network resources (IPv4): London-172.16.16, Intranet-172.25.25

10 Click Apply then click OK


11 Select CONFIGURE > Authentication in the left-hand menu
12 Select the One-time password tab
13 Click Settings
14 Toggle One-Time Password ON
15 Select SSL VPN Remote Access
16 Click Apply
17 Select the Services tab
18 Set the SSL VPN authentication methods to Same as firewall
19 Click Apply then click OK

On New York Server


20 Open Chrome and navigate to https://lon-gw1.sophos.www You will get a certificate error; it is safe
to proceed.
21 Login as jdoe using the password and the token The password is Sophos1985 and the
current token will be displayed in
WinAuth when you click the reveal
token button. The token should be
appended to the password with no
spaces.
If you closed WinAuth earlier, you
should be able to open it from the
system tray.
22 Select SSL VPN in the left-hand menu
23 Click Download client and configuration for Windows
24 Once the download is complete run jdoe@sophos.local_ssl_vpn_client.exe
from the Downloads folder
25 Click Run to the security warning


26 Click Next
27 Click I Agree for the agreement
28 Click Install
29 Click Install to install the SSL VPN network adapter
30 Click Next then click Finish
31 Right-click on the Sophos SSL VPN Client icon in the system tray
32 Click Connect
33 Login as jdoe using the password and the token The password is Sophos1985 and the
current token will be displayed in
WinAuth when you click the reveal
token button. The token should be
appended to the password with no
spaces.
34 In Chrome navigate to http://lon-dc.sophos.local to confirm the VPN is
working correctly
35 Open Command Prompt from the Start menu
36 Run tracert -d lon-dc.sophos.local (confirm that the traffic is going via the VPN, 10.81.234.*, and not via NY-GW, 192.168.16.16)
37 Right-click on the Sophos SSL VPN Client icon in the system tray
38 Click Disconnect

On London DC
39 Switch back to the WebAdmin
40 Select the One-time password tab
41 Click Settings
42 Toggle One-Time Password OFF
43 Click Apply

 You have configured an SSL remote access VPN with one-time password authentication and tested the configuration by
installing the VPN client and connecting from New York Server.
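The login in this task types the one-time token directly after the password with no separator. The Python below is an added example of how a verifier handles such a credential: it peels the fixed-length token off the end, checks the password in constant time, and accepts the token for the current time step or one step either side to tolerate clock skew. It is not Sophos code, and how the XG Firewall itself splits and validates the credential is not described on this page. It assumes the RFC 6238 defaults (6-digit token, 30-second step, HMAC-SHA1) and uses the RFC 4226 test-vector secret so the expected tokens are known; a real deployment issues one random secret per user.

```python
# Added example: verifying a login where the one-time token is appended to
# the password with no separator, as the lab's SSL VPN login instructions
# describe. Not Sophos code; how the XG Firewall itself splits and checks the
# credential is not documented on this page. Assumes RFC 6238 defaults:
# 6-digit token, 30-second step, HMAC-SHA1.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

TOKEN_DIGITS = 6
STEP_SECONDS = 30

# The RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"),
# base32 encoded. Used here so the expected tokens are known; a real
# deployment issues one random secret per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """RFC 6238: HOTP with the counter derived from the current 30-second step."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now) // STEP_SECONDS)


def split_credential(typed: str) -> Optional[Tuple[str, str]]:
    """Peel the trailing token off 'passwordTOKEN'. Returns None if the input
    cannot be a password followed by a 6-digit token."""
    if len(typed) <= TOKEN_DIGITS or not typed[-TOKEN_DIGITS:].isdigit():
        return None
    return typed[:-TOKEN_DIGITS], typed[-TOKEN_DIGITS:]


def verify(typed: str, expected_password: str, secret_b32: str,
           at_time: Optional[float] = None, window: int = 1) -> bool:
    """Accept the credential if the password matches and the token is valid for
    the current step or one step either side (clock skew tolerance).
    Comparisons are constant-time so the check does not leak via timing."""
    parts = split_credential(typed)
    if parts is None:
        return False
    password, token = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    now = time.time() if at_time is None else at_time
    counter = int(now) // STEP_SECONDS
    token_ok = False
    for delta in range(-window, window + 1):
        # no early exit: check every step so timing does not reveal which one matched
        if hmac.compare_digest(token, hotp(secret_b32, counter + delta)):
            token_ok = True
    return password_ok and token_ok
```

A production verifier adds one thing this example leaves out: it records the last counter accepted for each user and refuses any token at or below it, otherwise a captured password-plus-token string can be replayed for the remainder of the window. The fixed token length also means the split is unambiguous even when the password itself ends in digits.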

Task 9.2 Configure an IPsec Remote Access VPN with Sophos Connect


In this task you will enable and configure the Sophos Connect IPsec VPN on London Gateway 1, then install and test the Sophos
Connect Client on New York Server.

Instructions Notes


On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select CONFIGURE > VPN in the left-hand menu
3 Select the Sophos Connect client tab
4 Configure the following settings:

Sophos Connect client: Enable
Interface: PortB 10.1.1.100
Authentication type: Preshared key
Preshared key: Sophos1985
Local ID: DNS lon-gw1.sophos.www
Remote ID: DNS user.sophos.www
Allowed user: jsmith@sophos.local

Client information
Name: SophosVPN
Assign IP from: 192.168.77.100 to 192.168.77.200
DNS server 1: 172.16.16.10

5 Click Apply, then click OK


6 Click Download
7 Click Export connection
8 Copy the downloaded files to C:\Share
9 Switch back to the WebAdmin
10 Select CONFIGURE > Authentication in the left-hand menu
11 Select the Services tab
12 Set the Sophos Connect client authentication methods to Same as firewall
13 Click Apply

On New York Server


14 On the Desktop, open Share on DC
15 Open sophosconnect_installer
16 Click Extract


17 Click OK
18 Close 7-zip
19 Run SophosConnect from the share
20 Select I accept the Sophos End User License Agreement and acknowledge
the Sophos Privacy Policy
21 Click Install
22 Select Launch Sophos Connect after exit
23 Click Finish
24 Click the Sophos Connect icon in the system tray
25 Click Import connection
26 Navigate to \\lon-dc\share then click Open
27 Select SophosVPN.tgb then click Open
28 Login to the WebAdmin of New York Gateway as admin
29 Select CONFIGURE > VPN in the left-hand menu
30 Disable the IPsec connection: click the green status icon, then click OK
31 Click the Sophos Connect icon in the system tray
32 Click Connect
33 Login as jsmith The password is Sophos1985.
34 In Chrome navigate to http://lon-dc.sophos.local to confirm the VPN is
working correctly
35 Click the Sophos Connect icon in the system tray
36 Click Disconnect
37 Switch back to the WebAdmin
38 Enable the IPsec connection: click the status icon, then click OK

On London DC
39 Switch back to the WebAdmin of London Gateway 1
40 Select SYSTEM > Backup & firmware in the left-hand menu
41 Click Backup now Wait for the backup to complete.
42 Select Local
43 Click Download

 In this task you enabled and configured the Sophos Connect IPsec VPN on London Gateway 1, then installed and tested
the Sophos Connect Client on New York Server.


Review
You have now successfully:
1. Configured an SSL remote access VPN
2. Configured an IPsec remote access VPN with Sophos Connect


Lab 10: Logging, Reporting and Troubleshooting

Objectives
Upon successful completion of this lab, you will be able to:
1. Run, customize and schedule reports
2. Review Sophos Sandstorm activity
3. Use SF Loader tools
4. View the connection table
5. Use the WebAdmin Log View and Packet Capture
6. Use the drop-packet-capture command

Task 10.1 Run, Customize and Schedule Reports


In this task, you will run a report and filter it to customize the view. You will then create a bookmark for the report, and schedule an
executive report to be sent by email.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select MONITOR & ANALYZE > Reports in the left-hand menu
3 Click on the FROM date
4 Select the date you started this course
5 Click Generate
6 section, click on HTTP This will apply relevant filters to the
report. You can optionally select other
entries in the report to filter it further.
7 Review the information on this page
8 Click Bookmark in the top-right
9 HTTP Applications
10 Click Save
11 Select the Bookmarks tab Notice that you can select bookmarked
reports organized by group.
12 Click Show Report settings
13 Select the Report scheduling tab
14 Click Add


15 Configure the report notification with the following settings:   If you select Bookmark ... bookmarked report to be sent via email.

Setting             Value
Report              Selected
Name                Executive Report
To Email Address    administrator@sophos.local
Report Type         Report Group
Report Group        Executive Report
Email Frequency     Daily
Report Period       Previous Day

16 From the drop-down, select the next nearest hour to the current time
17 Click Save   When the time for the report to be sent has passed, review the email in MailEnable.
18 Select SYSTEM > Backup & firmware in the left-hand menu
19 Click Backup now Wait for the backup to complete.
20 Local
21 Click Download

 You have run a report and filtered it to customize the view. You then created a bookmark for the report and scheduled an
executive report to be sent by email.

Task 10.2 View Sandstorm Activity


In this task, you will review the report for the file that was submitted to Sandstorm in the Web Protection lab.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Advanced threat in the left-hand menu
3 Select the Sandstorm activity tab
4 Click the Show report link next to the document that was submitted to
Sandstorm
5 Review the information, then close the report

 You have reviewed the report for a file that was submitted to Sandstorm for analysis.


Task 10.3 Use SF Loader Tools


You will use the SF Loader tools to review the firmware versions that are installed on the device, and to reset the admin password.

Instructions Notes

On London Gateway 1
1 Login to the WebAdmin of London Gateway 1 as admin   Once you have clicked inside the console window you may need to press a key to wake up the screen; we recommend Ctrl so you do not enter a character at the password prompt. The password is Sophos1985.
2 Type 7 then press Enter
3 Type R then press Enter This will reboot the device.
4 As soon as the device reboots, keep pressing Enter repeatedly until a screen

5 Type 0 then press Enter This will choose SF Loader.


6 Type 3 then press Enter   This will open the Appliance Information menu.
7 Write down the following details from Appliance info:
Model:
____________________________________________
FwLoader Version:
____________________________________________
Loaded Firmwares:
____________________________________________

8 Press Enter   This will bring you back to the options menu.


9 Type 2 then press Enter   This will select the Troubleshoot menu.
10 Type 1 then press Enter   This option is used to reset the default admin password.
11 Type 5 then press Enter   This will reboot the device.
12 At the password prompt login with the password admin   The password has been reset to the default setting of admin.

 You have used the SF Loader tools to review the firmware versions that are installed on the device, and to reset the admin
password.


Task 10.4 Connection Table


In this task, you will review the connection table using both the WebAdmin and the command line console.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin The password is admin.
2 Select MONITOR & ANALYZE > Diagnostics in the left-hand menu
3 Select the Connection list tab
4 From the drop-down, select 30 Sec
5 Open Command Prompt from the Start menu and run the command:
telnet mail.internet.www 25
6 Switch back to the WebAdmin
7 Click Display Filter
8 In Destination port, type 25
9 Click Apply then click OK
10 Write down the following details about the connection:
In Interface:   ______________________________________________
Source IP:      ______________________________________________
Destination IP: ______________________________________________
Protocol:       ______________________________________________

11 Switch back to the Command Prompt
12 Type: quit then press Enter
13 Switch back to the WebAdmin
14 Click Refresh   The connection should disappear from the connection list.
15 Switch back to the Command Prompt
16 Run the command: telnet 10.1.1.250 25


On London Gateway 1
17 Login to the console of London Gateway 1 as admin The password is admin.
18 Type 4 then press Enter to access the console
19 Run the following command: system diagnostics utilities connections v4 show src_ip 172.16.16.10 dest_ip 10.1.1.250   This is all one command with no line break.
20 Run the following command: exit
21 Type 0 then press Enter

 You have reviewed the connection table using both the WebAdmin and the command line console.

Task 10.5 Packet Capture


You will use the packet capture and Log viewer in the WebAdmin to see a filtered view of packets relating to a log entry.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Click the Log viewer link in the top-right
3 172.25.25.40 and press Enter

On London Server 2
4 Open Chrome and navigate to http://intranet.lon.sophos.local If you are prompted to login, do so as
lfox.

On London DC
5 Switch back to the Log viewer window and click Refresh
6 172.25.25.40
7 Scroll to the right and click the Open PCAP link for that entry


8 Toggle Packet Capture ON

On London Server 2
9 Refresh the page http://intranet.lon.sophos.local

On London DC
10 Switch back to the Packet Capture window
11 Click Refresh
12 You will see the related packet capture entries
13 Click Display filter and review the settings that have been applied

 You have used the packet capture and Log viewer in the WebAdmin to see a filtered view of packets relating to a log
entry.

Task 10.6 Dropped Packet Capture


In this task, you will use the drop-packet-capture console command to see detailed packet information on packets that the XG
Firewall is dropping.

Instructions Notes

On London Gateway 1
1 Login to the WebAdmin of London Gateway 1 as admin The password is admin.
2 Type 4 then press Enter
3 Run the following command: drop-packet-capture "ip proto 1"   IP protocol 1 is ICMP.

On London Intranet and DMZ


4 Login as root The password is Sophos1985.
5 Run the following command: ping 172.16.16.10


On London Gateway 1
6 When you see the dropped packets being logged press CTRL + C
7 Review the information that is logged
8 Run the following command: exit
9 Type 0 then press Enter

On London Intranet
10 Press CTRL + C

 You have used the drop-packet-capture console command to see detailed packet information on packets that the XG
Firewall is dropping.

Review
You have now successfully:
1. Run, customized and scheduled reports
2. Used SF Loader tools
3. Viewed the connection table
4. Used the drop-packet-capture command
5. Used the WebAdmin Log View and Packet Capture


Lab 11: Management


Objectives
Upon successful completion of this lab, you will be able to:
1. Manage an XG Firewall in Sophos Central

Task 11.1 Manage an XG Firewall in Sophos Central


In this task you will enable management of London Gateway 1 in Sophos Central, and then access the WebAdmin of London
Gateway 1 from Sophos Central. You will trigger an alert on London Server 2 and see what is reported by London Gateway 1 in
Sophos Central.

Instructions Notes

On London DC
1 Login to the WebAdmin of London Gateway 1 as admin
2 Select PROTECT > Central synchronization in the left-hand menu
3 Click on the slider for Manage from Sophos Central to enable it
4 Read the information in the message box then click Apply

On Your Local Computer


5 Open your browser and navigate to https://central.sophos.com
6 Sign In using your evaluation email address and password
7 Select MY PRODUCTS > Firewall Management in the left-hand menu
8 Select MANAGE > Firewalls in the left-hand menu
9 Accept management
10 Click on the ellipses menu icon and select Rename
11 Enter the name London Gateway 1
12 Click Rename


13 Click London Gateway 1 to start managing it   If the connection cannot be established, refresh the Central synchronization page on London Gateway 1 and check the status in the ... If it is still waiting for approval, wait for a minute then refresh the page until it ... You can then connect to manage the XG Firewall.
14 Select PROTECT > Central synchronization in the left-hand menu
15 be Managed
16 Select Back to FW Management in the left-hand menu
17 Hover your mouse over System Load and review the information   ... several minutes then refresh the page. It can take several minutes to start synchronizing the system load.

On London Server 2
18 Run MTD.vbs on the Desktop   You should see a notification appear in the bottom-right corner of the screen that Sophos has detected malicious traffic.

On Your Local Computer


19 Wait a minute then select Back to Overview in the left-hand menu
20 Select MONITOR & ANALYZE > Alerts in the left-hand menu
21 Click on the High Alerts   The detection should be reported as a high alert.
22 Review the information shown   You will see a notification from the device London Gateway 1, and additional alerts for the device LON-SRV2.
23 Select all of the alerts then click Mark As Resolved
24 Click Ok

 You have enabled management of London Gateway 1 in Sophos Central, and then accessed the WebAdmin of London
Gateway 1 from Sophos Central. You triggered an alert on London Server 2 and reviewed what is reported by London
Gateway 1 in Sophos Central.


Review
You have now successfully:
1. Managed an XG Firewall in Sophos Central

globaltraining@sophos.com