Proof of Concept Guide
The XG Series hardware appliances reached End of Life on March 31, 2025. All new deployments should use XGS Series appliances. Existing XG customers can continue to run Sophos Firewall OS (SFOS) but hardware support and replacements are no longer available. Learn more →
What's New in Sophos Firewall v22.0
Sophos Firewall OS v22.0 is the current major release, introducing significant new capabilities across threat detection, identity management, and network operations. 📖 Full v22.0 docs →
🛡️ NDR Active Threat Intelligence
Integration with Taegis NDR iSensor and NDR Essentials — delivers network detection and response with AI-powered behavioral analysis. Sophos Firewall acts as a sensor feeding telemetry to Taegis for correlation across the entire estate.
🌐 Third-Party Threat Feeds (Active Threat Response)
Ingest external IOC threat feeds directly into policy. The Active Threat Response with MDR Threat Feeds lets Sophos MDR automatically push threat intel to block malicious IPs and domains in real time.
🔑 Microsoft Entra ID SSO
Microsoft Entra ID (Azure AD) integration with Captive Portal SSO — users authenticate via their Entra credentials. Eliminates duplicate user directories and reduces friction for cloud-first organizations.
🔒 Let's Encrypt Certificates
Native Let's Encrypt ACME certificate provisioning and auto-renewal for WAF and SSL VPN. Removes the need for manual certificate management.
🌍 DHCP Prefix Delegation (IPv6)
Full IPv6 DHCPv6-PD support — automatically delegates IPv6 prefixes to downstream routers, enabling enterprise-grade IPv6 deployments without manual subnetting.
💾 Backup & VPN Enhancements
Selective backup restore of config sections. SD-WAN policy routing improvements, BGP enhancements, and IPsec IKEv2 improvements for site-to-site tunnels.
XGS Series Hardware (Current Generation):
Gen.2: XGS 88/88w · 108/108w · 118/118w · 128/128w · 138 | Gen.1: XGS 87/87w · 107/107w · 116/116w · 126/126w · 136/136w
Rack/Mid-range: XGS 2100/2300/3100/3300/4300/4500 | Enterprise: XGS 5500/6500/7500/8500
All XGS appliances include the Xstream Flow Processor for hardware-accelerated TLS inspection and FastPath traffic offloading.
🔄 XG → XGS Migration Center →
📺 TechVids — v22.0 Feature Walkthroughs
- Auto-renewal for WAF & SSL VPN
- IOC ingestion & policy blocking
- MDR threat feed auto-blocking
- Azure AD authentication walkthrough
- DHCPv6-PD enterprise setup
- SD-WAN & IPsec improvements
- Selective config section restore
- First-time firewall setup walkthrough
Introduction
This guide is designed for Sophos system engineers to get the best results from a Sophos Firewall deployment during a proof of concept (PoC) exercise. It covers how to approach different PoC scenarios and concludes with success criteria checklists to eliminate security gaps.
The guide includes suggested questionnaires covering pain points with existing solutions, the recommended workflow, and how to present findings with recommendations to improve security posture in a customer's environment. Content is based on Sophos Firewall v22.0. For questions, contact the Sophos GSE team at gse@sophos.com.
Overview
Sophos Firewall provides unrivaled visibility into risky users, unwanted applications, suspicious payloads, and persistent threats. It integrates a full suite of modern threat protection technologies that are easy to set up and maintain. Unlike legacy firewalls, Sophos Firewall communicates with other security systems on the network, enabling it to act as a trusted enforcement point — automatically containing threats and blocking malware from spreading or exfiltrating data in real time.
Sophos Firewall has three key advantages over other network firewalls:
Visibility
Superior visibility into risky activity, suspicious traffic, and advanced threats through a visual dashboard, cloud and on-box reporting, and unique risk insights.
Protection
Powerful next-gen protection technologies including deep learning and intrusion prevention to keep the organization secure against known and unknown threats.
Response
Automatic threat response via Synchronized Security — instantly identifies and isolates compromised systems on the network to stop threats from spreading.
Initial Deployment & Administration
Sophos Firewall offers flexible deployment options to meet the needs of any organization. It can be deployed in four ways:
Hardware Appliance
Sophos Firewall hardware devices come pre-loaded and ready to deploy. Delivers Visibility, Protection, and Response out of the box.
Software
Install Sophos Firewall onto any Intel-compatible hardware. Ideal for organizations wanting to Consolidate, Simplify, & Save on hardware costs.
Virtual Appliance
Runs on VMware, Citrix, Microsoft Hyper-V, Nutanix, and KVM. Suitable for Retail, Branch Office, ICS & SD-WAN environments.
Cloud (Azure / AWS)
Deploy Sophos Firewall in the cloud on Azure and AWS for Synchronized Security & Automated Response in cloud-native environments.
Deployment Modes
Gateway Mode
In Gateway Mode, Sophos Firewall acts as the primary network gateway — routing all traffic between internal segments and the outside world. This is the ideal solution for organizations replacing an existing firewall or deploying a new one. All security features are fully supported in this mode. 📖 Gateway mode setup →
Bridge Mode
In Bridge Mode, Sophos Firewall sits inline between an existing firewall and the internal network, adding deep packet inspection, IPS, malware scanning, and email content scanning without changing the existing IP schema. It augments the upstream firewall by detecting unknown applications and threats that firewall may miss.
Best for: Organizations that want to add Sophos Firewall capabilities alongside an existing firewall without network reconfiguration. Supports Layer 3 bridge (mixed mode) for hybrid deployments. Selected XGS models support a hardware bypass module for uninterrupted traffic flow during hardware failure. 📖 Bridge mode setup →
Discover Mode (TAP / SPAN / Port Mirror)
Discover Mode — also known as Test Access Point (TAP), port mirroring, or SPAN mode — lets you deploy Sophos Firewall to passively monitor all network traffic without any changes to the existing network schema. A switch forwards a copy of every packet to the Sophos Firewall for analysis and reporting.
This mode is ideal for PoC demonstrations: a partner can identify threats the existing firewall is missing without disrupting the live environment. Because the firewall only receives a copy of each packet, it reports and alerts but does not block traffic in this mode. Synchronized Security still works, including endpoint health status visibility and automatic isolation of infected systems, because isolation is enforced by the Sophos endpoint agents rather than by the firewall dropping packets. 📖 Discover mode setup →
Visibility
Lack of visibility into security posture highlights a significant challenge: if you don't know how a threat got in, it's difficult to prevent future attacks. The longer a threat remains in the network, the greater the risk. According to a Vanson Bourne survey of 3,100 IT managers globally, organizations took an average of 13 hours to detect threats — ample time for attackers to deliver payloads.
Control Center
Sophos Firewall's Control Center provides an unprecedented level of visibility into activity, risks, and threats on the network. It uses traffic-light indicators to focus attention on critical items: Red requires immediate attention, Yellow indicates a potential problem, and Green means no action is required.
Sophos Central Management & Reporting
Sophos Central provides a unified interface for managing multiple Sophos Firewalls and the full Sophos security portfolio. It includes alerting, backup management, one-click firmware updates, and Group Firewall Management for synchronizing policies across all firewalls with a few clicks. Central Firewall Reporting (CFR) is bundled at no extra cost — delivering rich analytics on user behavior, application usage, and security events with interactive dashboards and drill-down syslog data. The free tier retains data for 7 days; CFR Advanced extends retention up to 365 days per firewall. Sophos Firewalls can also forward logs to external syslog servers or SIEM systems for long-term storage. 📖 Central management docs →
Key question: To highlight Sophos Firewall's visibility value, ask customers where their current firewall solution may be lacking. Use the checklist below to guide the conversation.
Visibility Assessment Checklist
| Description | Value Provided by Sophos Firewall | Complete? |
|---|---|---|
| Does the current firewall integrate with existing endpoints to identify all evasive and unknown applications generating traffic? | With endpoint visibility, administrators can make informed decisions about what to allow, prioritize, or block — optimizing bandwidth use and reducing attack surface. | |
| Does the current firewall scan all encrypted TLS/SSL traffic in the environment? | Sophos Firewall enables TLS/SSL inspection without compromising performance. The Xstream DPI engine provides comprehensive threat protection in a single high-performance streaming engine — proxyless scanning for AV, IPS, and web threats. | |
| Can the current firewall identify all applications generated by network traffic? | Most firewalls classify the majority of traffic as "unclassified" or "general internet." Sophos can detect custom, obscure, evasive, and generic HTTP/HTTPS applications that other firewalls miss. | |
| Can the current firewall provide insights into high-risk users based on their recent network behavior and activity? | Sophos Firewall's UTQ (User Threat Quotient) provides an overview of the riskiest users based on network activity and recent browsing history, enabling proactive policy action. | |
| Can the current firewall provide additional visibility and management of "Shadow IT" applications used by users? | By analyzing cloud application traffic, Sophos Firewall can mitigate risks from unsanctioned cloud app usage. Non-critical applications can be further controlled with QoS policies. | |
| Can the current firewall provide an overall application risk assessment? | Understanding the overall risk exposure based on Layer-7 application traffic is critical. Sophos provides detailed historical reporting on application usage and risk levels across the network. |
Connectivity
When evaluating connectivity requirements, consider not only the current topology but also future growth. Select a firewall that offers flexible deployment options — both on-premises and cloud — with appropriate management tools. For organizations with small remote locations, consider SD-WAN to securely and affordably connect those sites.
SD-WAN (Software-defined Wide Area Network) is a virtual WAN architecture that allows enterprises to leverage any combination of transport services — MPLS, LTE, and broadband — to securely connect users to applications. Sophos Firewall v19+ provides granular routing decisions via SD-WAN profiles that route traffic based on application, network, user, or service, using SLA parameters (jitter, latency, packet loss) with active-backup and load-balancing support.
Sophos Firewall delivers zero-impact failover — automatically rerouting connections to the next available gateway when an active gateway goes down or fails its SLA, with no user-visible disconnection.
SD-WAN VPN Orchestration 📖 docs →
Sophos Central provides a dedicated SD-WAN Connection Group to manage connectivity between multiple Sophos Firewalls from a single interface. Select head office and branch firewalls, and Sophos Central automatically establishes IPsec route-based VPN tunnels between them in minutes — with no manual tunnel configuration required.
- Full-mesh — every site connected to every other site
- Hub-and-spoke — branches connect to a central hub
- Mix of both in a single SD-WAN group
- Zero-touch via Sophos Central — new XGS hardware auto-registers and pulls config
- Light-touch via USB stick — pre-stage config for remote deployments
- World map view of all connected sites with IPsec tunnel status
Connectivity Requirements Checklist
| Description | Value Provided by Sophos Firewall | Complete? |
|---|---|---|
| How do you ensure WAN link redundancy and traffic prioritization according to applications? | Configure multiple WAN links and route traffic by user, Layer-7 application, and network type. QoS and DSCP markings can be assigned based on traffic priority. | |
| Does the network infrastructure require SFP/SFP+ transceivers (GBICs) or Flexi Port modules for existing fiber connections? | Sophos Firewall supports a range of connectivity options through Flexi Port slots fitted with optional modules: copper, fiber, 10GbE, and 40GbE are available. | |
| How do you ensure 100% uptime of both the network and the security solution? | Configure HA (High Availability) to prevent disruption during hardware failure or power outages. Complement with a bypass module and hardware with redundant RAID/power supply. | |
| Is switch port redundancy important to the organization? | Configure LAG (Link Aggregation) on Sophos Firewall interfaces to leverage switch capability — ensuring switch port failure does not cause network downtime. | |
| Are SD-WAN and secure branch office connectivity important? | IPSec, SD-RED, and SSL VPN are all supported for site-to-site connectivity. SD-RED devices can be deployed at remote locations with zero-touch provisioning. | |
| How do you provide backup connectivity and load balancing at remote locations? | Implement SD-WAN between head office and branch sites. Optional 3G/4G expansion modules on SD-RED and desktop models provide failover and multi-ISP connectivity for secure communications. | |
| Do you need to provide remote users with VPN connectivity to the head office? | RDP connections should never be directly exposed to the Internet (ransomware risk). Use Mobile VPN (IPSec, SSL, L2TP) for remote workers accessing internal resources securely. | |
| Do you need Zero Trust Network (ZTN) to verify every incoming remote VPN connection? | Before granting access, client devices should be verified as clean and free from infections. Sophos Connect Client with Synchronized Security verifies endpoint health before allowing network access. | |
| Do you need wireless access points managed from the firewall? | Sophos Firewall can manage Sophos access points — eliminating the need for a separate wireless controller. Dedicated guest and BYOD Wi-Fi profiles can be created, isolated from the LAN. |
Protection
Network security has evolved as threats have shifted from direct network attacks to infecting systems and spreading laterally. Best practice is to segment the LAN into smaller subnets using zones or VLANs, then connect them through the firewall — enabling anti-malware and IPS protection between segments to identify and block lateral movement.
Next-gen Intrusion Prevention System (IPS)
Next-generation IPS provides advanced protection from modern threats, going beyond traditional server and network resources to protect users and applications on the network.
Security Heartbeat™
Security Heartbeat provides constant communication between Sophos-protected endpoints and Sophos Firewall, enabling administrators to visualize endpoint health status in real time. Green = healthy; Amber/Yellow = attention needed; Red = immediate action required.
Lateral Movement Protection
When a computer is infected or nefarious activity is detected by either Sophos Firewall or an endpoint, it automatically isolates the infected device. Other machines in the same broadcast domain stop communicating with it until it is cleaned.
Synchronized Application Control
One of the key capabilities of an NGFW is detecting Layer-7 applications regardless of port or protocol. Every 30 seconds, Sophos-protected endpoints send health status and application information. Sophos Firewall categorizes traffic down to the application path on the endpoint — giving administrators full control over the network.
TLS 1.3 Scanning
Encrypted TLS/SSL traffic accounts for ~80% of internet traffic. Sophos Firewall can scan TLS 1.3 natively without downgrading to TLS 1.2. The Xstream architecture with Fastpath decrypts and scans traffic with minimal performance trade-off.
Active Threat Response — Components Overview
Sophos Firewall v22.0 unifies multiple threat intelligence and detection layers under the Active Threat Response framework. These components work together to detect, feed, and automatically act on threat intelligence — from zero-day files to live MDR-sourced IOCs.
Sophos X-Ops is the cross-functional threat intelligence team behind Sophos Firewall's advanced detection. When the firewall encounters a file with no prior conviction, it submits it to the cloud-based Sandstorm sandbox — using deep learning and Intercept X to emulate and analyse behaviour. The resulting report gives threat responders full visibility into attacker techniques for proactive threat hunting. 📖 docs →
Customers with Sophos MDR licenses get live threat intel automatically pushed from the Sophos MDR operations team directly to the firewall. Malicious IPs, domains, and URLs are blocked in real time without any manual intervention — preventing lateral movement of compromised hosts the moment a threat is identified by the MDR team. 📺 Watch demo →
New in v22.0 — ingest external IOC threat feeds (STIX/TAXII and custom formats) from any third-party intelligence provider directly into Sophos Firewall policy. Malicious indicators are automatically translated into firewall rules to block matching traffic, keeping the firewall current with the wider threat landscape beyond Sophos's own intelligence. 📺 Watch demo →
Integration with Taegis NDR iSensor and NDR Essentials — Sophos Firewall acts as a network sensor, feeding traffic telemetry to Sophos Taegis for AI-powered behavioural analysis and cross-estate correlation. NDR Essentials provides network detection and response for organisations that need deep visibility beyond endpoint-only solutions, detecting threats that evade signature-based engines.
How they work together: Sophos X-Ops provides the intelligence backbone → MDR Threat Feeds deliver real-time auto-response → Third-Party Feeds extend coverage to external IOC sources → NDR Essentials adds network-layer behavioural detection. All four feed into a unified Active Threat Response posture on Sophos Firewall v22.0.
Cloud and SaaS Application Detection
Shadow IT — employees using unsanctioned cloud services like Dropbox or Google Drive — poses data security risks. Sophos Firewall provides full visibility and control over cloud applications, allowing IT to sanction, unsanction, or apply QoS policies per application.
Protection Checklist — Identifying Security Gaps
| Description | Value Provided by Sophos Firewall | Complete? |
|---|---|---|
| Enable zone-based firewall rules | Create multiple security zones for isolation. Zone-based policy allows flexible grouping of network interfaces, objects, and VLANs into logical zones. | |
| Enable user-based firewall policy | Track and control network users by username — achieving AAA (Authentication, Authorization, and Accountability) for all users on the network. | |
| Enable SSO (Single Sign-On) for all network users | Sophos Firewall integrates with Active Directory, Microsoft Entra ID (Azure AD) with Captive Portal SSO (new in v22.0), LDAP, RADIUS, and more. Synchronized Security Heartbeat also identifies user logins from Sophos Central-managed endpoints without a separate auth agent. | |
| Block Layer-7 applications and dangerous web categories that affect productivity | Torrents, bypass proxies, and remote control applications represent security risks. Block them per user, time of day, or group using application and web category policies. | |
| How do you ensure early notification to administrators about risky applications and users? | UTQ™ (User Threat Quotient) indicates risk exposure by analyzing Layer-7 traffic and websites visited — giving administrators early warning to adjust acceptable use policy. | |
| Enable advanced file analysis and malicious behaviour detection | Zero-day and weaponized document protection is delivered through Active Threat Response — Sophos Sandstorm cloud sandbox, deep learning malware detection, and Intercept X. MDR Threat Feeds and Third-Party Threat Feeds further extend coverage with live IOC blocking. | |
| Enable an intelligent IPS signature policy tailored to the environment | Customizable IPS per-rule configuration allows software category and SCADA system tuning according to the server/client side of the firewall requiring protection. | |
| Block and control weaker SSL/TLS protocols and cipher suites | Allowing TLS 1.0, TLS 1.1, SSL 3.0, self-signed certificates, and weak cipher suites exposes the network to impersonation and man-in-the-middle (MITM) attacks. Block those protocols and ciphers, and scan TLS traffic without downgrading it. | |
| Enable lateral movement prevention / micro-segmentation | Compromised endpoint devices must be isolated immediately. Synchronized Security ensures endpoints communicate only when their health state is confirmed clean. | |
| Have a TLS interception strategy for encrypted communication without disruption | Plan root certificate deployment to corporate devices and BYOD, and intelligently offload trusted applications and web categories for optimal performance. | |
| Do you have a web server requiring protection from the Web Application Firewall (WAF)? | IPS prevents most web server attacks. Consider WAF on Sophos Firewall to filter OWASP Top 10 attacks — SQL injection, XSS — and enforce HTTPS and authentication offloads. |
Management
Sophos Firewall is managed via a secure HTTPS web UI. Color-coded widgets and an intuitive UX provide a shorter learning curve for administrators with no prior firewall experience. All tools for day-to-day tasks and network diagnostics are bundled — no add-on modules or paid subscriptions required.
The firewall provides at-a-glance information on whether the network is under attack, alerting administrators to misconfigurations and important security notifications. The live log viewer is available from every screen with a single click.
Management Evaluation Checklist
| Description | Value Provided by Sophos Firewall | Complete? |
|---|---|---|
| How do you identify unused firewall rules and verify traffic is inspected by the correct ruleset? | Per-rule traffic counters help administrators identify unused or misconfigured rules. Policy tester tools verify rules are correctly configured without requiring live traffic. | |
| How do you ensure multiple firewalls at various locations maintain the same enterprise security policy? | Sophos Central provides a single pane of glass to oversee firewalls at all remote locations, track security status, and synchronize policies across the entire organization. | |
| How do you prevent collusion and accidental changes to the firewall? | Separate administrator profiles with role-based access control (RBAC) and integrate with Active Directory or LDAP. Enable 2-factor authentication for all administrative accounts. | |
| Do you have the necessary information to kick-start threat hunting and understand advanced threats? | When malware or weaponized documents are detected, Sophos provides an in-depth analysis report on the file's characteristics and embedded scripts — enabling proactive threat hunting and better understanding of attacker intent. | |
| Is there a regulatory mandate to store logs for a defined duration? | A cloud-based logging and reporting platform can archive logs for the required retention period and aggregate them across multiple firewalls for easier threat response and compliance reporting. |
Proof of Concept Success Verification Check
Once Sophos Firewall has been deployed according to requirements, it is time to evaluate success criteria. Customers may have their own testing methodologies; the checklists below can be used to verify the setup systematically.
Network Connectivity Requirement
| Testing Procedure | Expected Outcome | Complete? |
|---|---|---|
| If multiple WAN gateways are configured, does the secondary link fail over successfully? | During a continuous ping to 4.2.2.2, there should be no more than five packet drops. Verify via Network > WAN Link Manager — confirm backup gateway behavior and fail-back action. | |
| If multiple site-to-site IPsec VPNs are used, do the VPN tunnels fail over successfully? | Ping from a host behind Firewall A to a host behind Firewall B and vice versa. Verify VPN rules allow ingress/egress traffic. When ISP 1 fails, the IPsec connection should automatically fail over to ISP 2. Confirm via Current Activities > IPSec Connections. | |
| Check the SD-WAN policy route sequence — is it configured to match source, destination, Layer-7 application, or user/groups? | Verify: Primary/backup gateway up → policy route is live. Gateway down → policy route not live (unless override monitoring is on). Hover over the status icon to view gateway and override monitoring status. | |
| Check that SD-RED 20/60 can connect to the main Sophos Firewall successfully | Confirm the new firewall rule allows traffic from the SD-RED security zone. Access internal resources (e.g., shared drives) hosted on the Sophos LAN network. If SD-RED 60 with tunnel load balancing is configured, verify traffic flows across both tunnels via Interfaces > SD-RED. | |
| Check that remote VPN users (Sophos Connect) can authenticate and access network resources | Authenticate to Sophos with AD and 2FA (if enabled). Verify virtual IP TUN/TAP address is assigned. Confirm Security Heartbeat of remote client appears in Sophos dashboard. Access resources behind Sophos (RDP, ping, SSH). Verify firewall policy in log viewer. Check Current Activities > Remote Users for connected VPN users. | |
| Verify LAG configuration can load-balance and fail over correctly | With active-backup LAG, a member interface failure should cause no disruption. With 802.3ad (LACP), ensure the Xmit hash policy matches the Layer 3 switch's bonding method. Run "iftop -i" against the LAG interface in the advanced shell to verify traffic flows across all member interfaces. | |
| Ensure the LAN Bypass module is correctly configured to prevent disruption in bridge mode | XG 210 and above, and the XGS models that support a bypass module, offer LAN bypass. Check it from the console with "show lanbypass"; if the result is "off", enable it with "set lanbypass on". | |
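The WAN failover row above asks for no more than five dropped packets during a continuous ping. The script below is an added example, not Sophos code or part of the original guide: it runs that ping while you pull the primary link and evaluates the criterion from the reply stream itself, reporting lost probes and the longest outage. It assumes Linux or macOS ping output; the target 4.2.2.2 comes from the checklist and the 120-probe run length is an arbitrary choice.

```python
#!/usr/bin/env python3
"""WAN failover verifier for the connectivity checklist.

Added example for this guide (not Sophos code). Runs a continuous ping while
the primary WAN link is disconnected and evaluates the "no more than five
dropped packets" criterion from the reply stream, reporting how many probes
were lost and the longest consecutive outage.

Assumes iputils/BSD-style ping output ("64 bytes from ...: icmp_seq=N ttl=..
time=.. ms"); Windows ping prints a different format and is not parsed.
"""
import re
import subprocess

MAX_DROPS = 5        # success criterion from the checklist
TARGET = "4.2.2.2"   # reachability target named in the checklist

# Only genuine replies carry "time="; iputils error lines such as
# "From 10.0.0.1 icmp_seq=7 Destination Host Unreachable" do not, so they
# are correctly counted as lost probes.
REPLY_RE = re.compile(r"\bicmp_seq=(\d+)\b.*\btime=")


def analyse_replies(lines, count):
    """Return (drops, longest_outage, missing_seqs) for a run of `count` probes.

    A drop is any sequence number that never produced a reply line; a run of
    consecutive missing numbers is one outage. Counting gaps rather than
    "Request timeout" lines works on systems whose ping prints nothing at all
    for a lost probe. Linux numbers probes from 1, macOS from 0.
    """
    seen = {int(m.group(1)) for m in map(REPLY_RE.search, lines) if m}
    start = 0 if 0 in seen else 1
    missing = [s for s in range(start, start + count) if s not in seen]

    longest = run = 0
    prev = None
    for s in missing:
        run = run + 1 if prev is not None and s == prev + 1 else 1
        longest = max(longest, run)
        prev = s
    return len(missing), longest, missing


def failover_ok(drops, max_drops=MAX_DROPS):
    """The checklist passes when the failover cost at most `max_drops` probes."""
    return drops <= max_drops


def run_failover_test(target=TARGET, count=120, interval=1.0):
    """Send `count` probes `interval` seconds apart and evaluate the result.

    Pull the primary WAN link while this runs; with a 1 s interval the longest
    outage equals the number of seconds the firewall took to fail over.
    """
    cmd = ["ping", "-n", "-i", str(interval), "-c", str(count), target]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    drops, longest, missing = analyse_replies(proc.stdout.splitlines(), count)
    return {
        "drops": drops,
        "longest_outage_s": longest * interval,
        "missing_seqs": missing,
        "passed": failover_ok(drops),
    }


if __name__ == "__main__":
    result = run_failover_test()
    verdict = "PASS" if result["passed"] else "FAIL"
    print(f"lost {result['drops']} of 120 probes, longest outage "
          f"{result['longest_outage_s']:.0f}s -> {verdict}")
```

Start the script, disconnect the primary WAN link once replies are flowing, and read the verdict after the run completes; the missing sequence list shows exactly when the outage began and ended, which is easier to correlate with the Network > WAN Link Manager gateway status than a raw ping scroll.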
Security and Authentication Requirement — Egress Filter Policy
Egress filtering inspects outgoing data traffic from inside the network and prevents unauthorized traffic from leaving. Security policy focuses on protecting against client-side exploitation, reducing attack surface, and enforcing acceptable use policy.
| # | Verification Procedure | Complete? |
|---|---|---|
| 1 | Check the log viewer to verify that outgoing traffic is translated to the correct gateway IP address. | |
| 2 | If user-based policy is configured with "match known user," verify in the log viewer that the username and firewall rule ID match the configuration. | |
| 3 | If "use web authentication for unknown users" is enabled to allow BYOD users to authenticate via captive portal, verify users are correctly redirected and authenticated. | |
| 4 | If web filtering is enabled, browse to a restricted web category URL or test via sophostest.com to confirm Sophos Firewall blocks the URL and displays the block page to the user. | |
| 5 | If IPS is enabled to scan outgoing traffic, verify with an "attack on the wire" LAN-to-WAN client-side exploitation script. Confirm in the log viewer that the connection is dropped by the correct IPS signature and firewall rule ID. | |
| 6 | To verify malware download blocking from client browsers, use EICAR test files hosted on sophostest.com. The client's browser should display "Stop! This website contains malware." Verify the correct firewall rule ID in the log viewer. | |
| 7 | If Active Threat Response is enabled, Sophos Firewall blocks connections to known C2 domains, IPs, and URLs pushed by Sophos X-Ops / MDR threat feeds. Verify by connecting to a C2 call-home test URL. Confirm the "source blocked" counter increments in the Active Threat Response dashboard or log viewer. | |
| 8 | If SSL/TLS inspection rules are enabled, verify that the firewall's inspection CA certificate is installed in the Trusted Root store on client machines (via GPO for domain-joined Windows devices). No certificate errors should appear in browsers for HTTPS sites. If the DPI engine is used, verify that O365, Salesforce, banking sites, corporate VPNs, and internal HTTPS applications are not blocked by Sophos Firewall. Applications that pin their certificates fail even with the CA installed and must be excluded from decryption. | |
| 9 | If "Use web proxy instead of DPI engine" is enabled for SafeSearch enforcement and YouTube restricted mode, verify that Google, Bing, and Yahoo all enforce SafeSearch as expected. | |
| 10 | If "Detect zero-day threats with Sandstorm" is enabled, try downloading a PDF file hosted on sophostest.com. Verify in the log viewer that the file is blocked with log_type=Sandbox. | |
| 11 | If application control is enabled to block P2P, proxy avoidance, and high-risk applications, test connectivity on a client workstation and confirm the application is blocked in the log viewer. | |
| 12 | Synchronized Security: With "minimum source HB permitted: Green" and "block clients with no heartbeat" enabled, browse to a C2 call-home on an endpoint and verify the status changes from Green to Red. Confirm in the log viewer: log_type=heartbeat status=red, and that the endpoint is blocked from internet access and other workstations. | |
| 13 | If SSL/TLS inspection is set to "strict compliance" to block TLS 1.0, TLS 1.1, and SSL 3.0, verify from a client behind the firewall using the Qualys SSL Labs client test (viewMyClient). With inspection active, the protocol versions shown are those the firewall offers on the client's behalf, so TLS 1.0, TLS 1.1, and SSL 3.0 should not be listed, and a connection to a server that supports only those versions should be blocked. | |
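Several of the egress items above (1, 2, 7, 10 and 12) are confirmed by reading specific fields in the log viewer. When the firewall also forwards syslog to a collector, the same checks can be scripted over the exported lines. The example below is added here and is not Sophos code: it parses Sophos-style key=value syslog and evaluates those five items over a constructed sample. The field names it relies on (log_type, status, fw_rule_id, user_name, src_ip, tran_src_ip, ep_ip) and the Sandbox/ATP verdict values it matches are assumptions to be confirmed against a real export from the firewall.

```python
#!/usr/bin/env python3
"""Egress checklist verifier run over Sophos Firewall syslog lines.

Added example for this guide, not Sophos code. Sophos Firewall emits syslog
as space-separated key=value pairs with double-quoted string values; the
SAMPLE_LOG below is CONSTRUCTED in that style. The field names the checks
rely on (log_type, status, fw_rule_id, user_name, src_ip, tran_src_ip,
log_subtype, ep_ip) and the ATP/Sandbox verdict values are assumptions:
confirm them against a log viewer export from your own firewall.
"""
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: a user browsing, a sandbox block, an ATP drop, the
# endpoint's heartbeat turning Red, a subsequent deny, and an unauthenticated host.
SAMPLE_LOG = """\
device="SFW" date=2025-06-02 time=09:00:01 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 user_name="jdoe" src_ip=10.10.1.20 dst_ip=198.51.100.7 protocol="TCP" dst_port=443 tran_src_ip=203.0.113.10
device="SFW" date=2025-06-02 time=09:00:02 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=12 user_name="jdoe" src_ip=10.10.1.20 dst_ip=198.51.100.8 protocol="TCP" dst_port=80 tran_src_ip=203.0.113.10
device="SFW" date=2025-06-02 time=09:00:05 log_type="Sandbox" log_component="Sandbox" log_subtype="Denied" user_name="jdoe" src_ip=10.10.1.20 file_name="invoice.pdf" reason="Malicious"
device="SFW" date=2025-06-02 time=09:00:07 log_type="ATP" log_component="ATP" log_subtype="Drop" user_name="jdoe" src_ip=10.10.1.20 dst_ip=192.0.2.44 threat="C2/Generic-A"
device="SFW" date=2025-06-02 time=09:00:08 log_type="Heartbeat" log_component="Heartbeat" ep_ip=10.10.1.20 ep_name="WS-01" status="Red"
device="SFW" date=2025-06-02 time=09:00:09 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" fw_rule_id=0 user_name="jdoe" src_ip=10.10.1.20 dst_ip=198.51.100.7 protocol="TCP" dst_port=443
device="SFW" date=2025-06-02 time=09:00:10 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id=3 user_name="" src_ip=10.10.2.5 dst_ip=198.51.100.9 protocol="TCP" dst_port=443 tran_src_ip=203.0.113.10
"""


def parse_line(line):
    """Split one syslog line into a dict, stripping quotes from string values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if "=" in l]


def allowed(events):
    return [e for e in events if e.get("log_type") == "Firewall" and e.get("status") == "Allow"]


def check_egress_nat(events, gateway_ip):
    """Item 1: every allowed outbound flow must be source-NATed to the gateway IP.
    Returns the offending events (empty list = pass)."""
    return [e for e in allowed(events) if e.get("tran_src_ip") != gateway_ip]


def check_user_rule(events, user, rule_id):
    """Item 2: allowed traffic from a known user must match the expected rule ID."""
    hits = [e for e in allowed(events) if e.get("user_name") == user]
    return bool(hits) and all(e.get("fw_rule_id") == str(rule_id) for e in hits)


def check_atr_block(events):
    """Item 7: Active Threat Response dropped the C2 call-home test (verdict value assumed)."""
    return any(e.get("log_type") == "ATP" and e.get("log_subtype") == "Drop" for e in events)


def check_sandbox_block(events):
    """Item 10: the sophostest.com sample was blocked by the sandbox (verdict value assumed)."""
    return any(e.get("log_type") == "Sandbox" and e.get("log_subtype") == "Denied" for e in events)


def check_heartbeat_isolation(events):
    """Item 12: once an endpoint's heartbeat turns Red, no later flow from its IP may be allowed.
    Returns (red_endpoints, violations); log order is taken as time order."""
    red_since, violations = {}, []
    for i, e in enumerate(events):
        if e.get("log_type") == "Heartbeat" and e.get("status", "").lower() == "red":
            red_since.setdefault(e.get("ep_ip"), i)
        elif e.get("log_type") == "Firewall" and e.get("status") == "Allow":
            if red_since.get(e.get("src_ip"), i) < i:
                violations.append(e)
    return red_since, violations


def run_checklist(text, gateway_ip, user, rule_id):
    events = parse_log(text)
    red, violations = check_heartbeat_isolation(events)
    return {
        "1 egress NAT": not check_egress_nat(events, gateway_ip),
        "2 user rule": check_user_rule(events, user, rule_id),
        "7 ATR block": check_atr_block(events),
        "10 sandbox block": check_sandbox_block(events),
        "12 heartbeat isolation": bool(red) and not violations,
    }


if __name__ == "__main__":
    for item, ok in run_checklist(SAMPLE_LOG, "203.0.113.10", "jdoe", 12).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {item}")
```

The heartbeat check is the one worth keeping after the PoC: it flags any allowed flow from an endpoint after its heartbeat went Red, which is exactly the failure mode item 12 is meant to catch, and it works unchanged on a real syslog export once the field names have been confirmed.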
Security and Authentication Requirement — Ingress Filter Policy
Ingress filtering applies when Sophos Firewall receives packets from an untrusted source or WAN interface. A series of security checks is applied before traffic reaches its destination. Policy focuses on securing web services, email, and NAT configurations.
| # | Verification Procedure | Complete? |
|---|---|---|
| 1 | When hosting an internal application server with web server protection, verify in the log viewer that the web page can be browsed successfully through the correct WAF policy. | |
| 2 | If web server protection is enabled with "common threat filter" and "static form hardening," review all available URLs and dynamic objects to ensure filter rules are not overly restrictive. Create exceptions in "skip filter rules" as needed. | |
| 3 | When SSL scanning is used with web server protection, validate the certificate against the protected web server. Verify that General Settings > SlowHTTP protection is enabled and the minimum TLS version is set to TLS 1.2. | |
| 4 | Ensure the IPS protection profile is set to "WAN to LAN" or "WAN to DMZ." Verify from the server protected by WAF with the correct protection policy applied. | |
| 5 | If authentication is enabled on Sophos Firewall before granting access to internal applications, verify that all users can authenticate successfully against the internal directory server. | |
| 6 | To check the SSL offload posture, use Qualys SSL Labs with the domain name protected behind Sophos Firewall's web server protection feature. | |
| 7 | If destination NAT is created for port forwarding to an internal application, verify it only allows specific ports/services (not "any") to the internal server. Ensure IPS is enabled with "WAN to DMZ." | |
| 8 | If email protection is enabled for scanning incoming and outgoing email, ensure Relay Settings > Host-based relay is set to the internal mail server IP address only, or "enable authenticated relay." | |
| 9 | Use mxtoolbox.com to verify the SMTP server behind Sophos has correct DNS records and no unexpected open ports. Ensure the malware protection policy is set to "quarantine or drop" with "quarantine unscannable content" enabled. | |
| 10 | On the firewall policy redirecting SMTP traffic to the internal mail server, ensure "WAN to DMZ" IPS policy is applied. Verify with an SMTP brute force attempt and confirm the block in the log viewer by firewall rule ID. | |
| 11 | Verify clients can send and receive email. Check that the mail spool and mail logs are processing both incoming and outgoing mail. For additional testing, enable "Detect zero-day threats with Sandstorm" and verify that a spam email with an .exe attachment is intercepted and blocked. | |
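Items 8 and 9 above say the firewall must not relay mail for arbitrary external senders. The following script, added here as an example and not part of the Sophos guide or product, verifies that from the outside: it opens an SMTP session, declares an external sender and an external recipient, records the reply to RCPT TO, and aborts the transaction before DATA so nothing is ever delivered. Because the example has to run offline, a constructed in-process stand-in MTA (`start_fake_mta`) plays the server, once configured like a correctly restricted relay and once like an open one; the hostnames, addresses and reply texts are made up for the example. Against a real deployment, call `probe_open_relay()` with your public MX from a host outside the perimeter.

```python
"""Open-relay probe for an SMTP server published through a firewall (added example)."""
import smtplib
import socket
import threading


def interpret_rcpt(code):
    """Classify the RCPT TO reply for a recipient that is NOT in the local domains."""
    if code is None:
        return "NO_REPLY"
    if 200 <= code < 300:
        return "OPEN_RELAY"      # the server agreed to relay for a stranger
    if 400 <= code < 500:
        return "DEFERRED"        # greylisting / temporary failure: retry later
    if 500 <= code < 600:
        return "RELAY_DENIED"    # the expected answer, e.g. 554 "Relay access denied"
    return "UNEXPECTED"


def probe_open_relay(host, port=25, sender="probe@external.example",
                     recipient="victim@other.example", timeout=10):
    """MAIL FROM / RCPT TO with two external addresses, then RSET and QUIT (no DATA)."""
    result = {"host": host, "port": port, "mail_code": None, "rcpt_code": None}
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=timeout) as smtp:
        smtp.ehlo()
        result["mail_code"], _ = smtp.mail(sender)
        if 200 <= result["mail_code"] < 300:
            result["rcpt_code"], _ = smtp.rcpt(recipient)
            result["verdict"] = interpret_rcpt(result["rcpt_code"])
        else:
            result["verdict"] = "SENDER_REJECTED"
        smtp.rset()  # abandon the transaction; the QUIT is sent by the context manager
    return result


def start_fake_mta(local_domains, connections=1):
    """Constructed stand-in MTA (not Sophos code) listening on 127.0.0.1.
    local_domains=None emulates an open relay; a set of domains emulates a
    server that only accepts mail for its own domains. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    srv.settimeout(10)

    def session(conn):
        def say(line):
            conn.sendall((line + "\r\n").encode("ascii"))
        say("220 mail.test.example ESMTP (constructed test server)")
        for raw in conn.makefile("rb"):
            line = raw.decode("ascii", "replace").strip()
            cmd = line.upper()
            if cmd.startswith(("EHLO", "HELO")):
                say("250 mail.test.example")
            elif cmd.startswith("MAIL FROM:"):
                say("250 2.1.0 Ok")
            elif cmd.startswith("RCPT TO:"):
                addr = line[line.find("<") + 1:line.find(">")]
                domain = addr.rpartition("@")[2].lower()
                if local_domains is None or domain in local_domains:
                    say("250 2.1.5 Ok")
                else:
                    say("554 5.7.1 Relay access denied")
            elif cmd.startswith("RSET"):
                say("250 2.0.0 Ok")
            elif cmd.startswith("QUIT"):
                say("221 2.0.0 Bye")
                break
            else:
                say("502 5.5.2 Command not implemented")
        conn.close()

    def serve():
        for _ in range(connections):
            conn, _ = srv.accept()
            session(conn)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for label, port in (("restricted", start_fake_mta({"corp.example"})),
                        ("open", start_fake_mta(None))):
        r = probe_open_relay("127.0.0.1", port)
        print(f"{label}: RCPT reply {r['rcpt_code']} -> {r['verdict']}")
```

Two caveats when using this against a real server: a 250 at RCPT TO can still be a delayed rejection (some MTAs only refuse at DATA), so confirm any OPEN_RELAY verdict with a recipient mailbox you control; and run the probe from outside the perimeter, because a source address that is itself in the host-based relay list will be allowed to relay by design.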
Logging, Reporting, and Administration Checklist
Administration is an essential part of network protection. Correct security practices and comprehensive visibility into network activity help distinguish "normal" from "abnormal" behavior — enabling proactive prevention.
| # | Verification Procedure | Complete? |
|---|---|---|
| 1 | The default "admin" account should not be used for daily firewall administration. If multiple administrators manage the firewall, enable role-based access control (RBAC) and give each administrator a profile with only the privileges their role needs. | |
| 2 | If not in use, disable the following from the WAN interface under Device Access: HTTPS, SSH, Ping/Ping6, DNS, SSLVPN, User Portal, Dynamic Routing, SMTP Relay, and SNMP. | |
| 3 | Verify the administrator receives email notifications for security events, connectivity events, and login failures. Check Notification List > Email Notifications and Administration > Notification Settings. | |
| 4 | Ensure logs are forwarded to an external syslog server or SIEM via Log Settings > Syslog Servers, OR confirm Sophos Central Reporting is enabled and synchronized. | |
| 5 | Review log retention policy per regulatory or company requirements. Set Report > Data Management > Log Retention Period to 6 months or 1 year to take advantage of on-box storage capacity. | |
| 6 | Verify that report scheduling is working as expected. Executive reports, security audit reports, and compliance reports (HIPAA, PCI, GLBA, SOX, FISMA, NERC CIP v3, CIPA) should be scheduled to be emailed to administrators on a weekly or daily basis. | |
| 7 | Ensure scheduled backup is enabled and that the administrator is successfully receiving the encrypted backup configuration file. | |
| 8 | Verify Shadow IT cloud applications (Dropbox, Google Drive, iCloud) in use within the environment, along with associated users and data transfer volumes. Assign appropriate bandwidth shaping to sanctioned, unsanctioned, and tolerated applications via Applications > Cloud Applications. | |
| 9 | If remote VPN is in use (SD-RED, IPsec, SSL), verify VPN usage and up/down events by generating the VPN usage report: Reports > VPN > RED/IPsec Usage. | |
| 10 | Click on UTQ (User Threat Quotient) from the dashboard to review the organization's risk exposure based on application usage and web surfing behavior. Use the application filter to proactively block risky applications and web categories. | |
| 11 | If Synchronized Security is used with Intercept X, verify all endpoints appear as Green. Items marked "At Risk," "Missing," or "Warning" should be immediately remediated from both the Sophos dashboard and the Sophos Central console. | |
| 12 | Review the Synchronized Application Control widget from the dashboard and verify applications detected by the Security Heartbeat. Customize application mappings not automatically handled by signatures so the administrator can easily spot new or unknown applications. | |
| 13 | Click on the SSL/TLS Connections widget filtered by "failed" count and review the error domains and users. If applications use certificate pinning, ensure they are correctly exempted from TLS decryption. | |
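Items 3 and 4 above (notify on login failures; forward logs to a syslog server or SIEM) only pay off if the receiving side actually alerts on the forwarded events. The script below, added here as an example and not Sophos code, shows the SIEM side: it parses the key=value style of line that Sophos Firewall sends over syslog, flags any source IP with a burst of failed admin logins, and tallies IPS drops by the firewall rule that triggered them (the same rule-ID lookup the ingress checklist asks you to confirm in the log viewer). The log lines are constructed for the example, and the field names it keys on (`log_type`, `log_subtype`, `status`, `user_name`, `src_ip`, `fw_rule_id`) are assumed to match your firewall's export; check them against a real line in your log viewer before deploying the rule.

```python
"""Offline detection over Sophos-Firewall-style key=value syslog lines (added example)."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Matches key="quoted value" or key=bare_value.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# CONSTRUCTED sample lines modelled on the SFOS syslog layout; not real firewall output.
SAMPLE_LOGS = [
    'device="SFW" date=2025-06-01 time=09:14:02 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip=203.0.113.10 message="Failed to log in via GUI"',
    'device="SFW" date=2025-06-01 time=09:14:09 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip=203.0.113.10 message="Failed to log in via GUI"',
    'device="SFW" date=2025-06-01 time=09:14:17 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip=203.0.113.10 message="Failed to log in via GUI"',
    'device="SFW" date=2025-06-01 time=09:15:03 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip=203.0.113.10 message="Failed to log in via GUI"',
    'device="SFW" date=2025-06-01 time=09:31:40 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Failed" user_name="admin" src_ip=198.51.100.7 message="Failed to log in via GUI"',
    'device="SFW" date=2025-06-01 time=09:35:12 timezone="UTC" device_name="XGS136" log_type="Event" log_component="GUI" log_subtype="Admin" status="Successful" user_name="netops" src_ip=10.0.0.5 message="User logged in via GUI"',
    'device="SFW" date=2025-06-01 time=09:40:11 timezone="UTC" device_name="XGS136" log_type="IDP" log_component="Signatures" log_subtype="Drop" fw_rule_id=12 signature_id=2001 signature_msg="SMTP brute force attempt" src_ip=203.0.113.10 dst_ip=172.16.5.25 dst_port=25',
    'device="SFW" date=2025-06-01 time=09:40:12 timezone="UTC" device_name="XGS136" log_type="IDP" log_component="Signatures" log_subtype="Drop" fw_rule_id=12 signature_id=2001 signature_msg="SMTP brute force attempt" src_ip=203.0.113.10 dst_ip=172.16.5.25 dst_port=25',
    'device="SFW" date=2025-06-01 time=09:52:48 timezone="UTC" device_name="XGS136" log_type="IDP" log_component="Signatures" log_subtype="Drop" fw_rule_id=7 signature_id=3110 signature_msg="HTTP slow request flood" src_ip=192.0.2.44 dst_ip=172.16.5.10 dst_port=443',
]


def parse_kv(line):
    """Turn one key=value line into a dict; adds a datetime under 'ts' when date/time exist."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}
    if "date" in fields and "time" in fields:
        fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def failed_admin_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: max failures seen inside one window} for sources at or above threshold."""
    per_ip = defaultdict(list)
    for e in events:
        if (e.get("log_type") == "Event" and e.get("log_subtype") == "Admin"
                and e.get("status") == "Failed" and "ts" in e):
            per_ip[e.get("src_ip", "?")].append(e["ts"])
    hits = {}
    for ip, stamps in per_ip.items():
        recent = deque()
        for ts in sorted(stamps):          # sliding window over the failure timestamps
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                hits[ip] = max(hits.get(ip, 0), len(recent))
    return hits


def ips_drops_by_rule(events):
    """Count IPS drop events per firewall rule ID, for checking 'WAN to DMZ' IPS policy hits."""
    return Counter(e.get("fw_rule_id", "?") for e in events
                   if e.get("log_type") == "IDP" and e.get("log_subtype") == "Drop")


def run(lines):
    events = [parse_kv(line) for line in lines]
    return {"brute_force": failed_admin_logins(events), "ips_drops": ips_drops_by_rule(events)}


if __name__ == "__main__":
    report = run(SAMPLE_LOGS)
    for ip, n in report["brute_force"].items():
        print(f"ALERT admin login brute force from {ip}: {n} failures within 5 minutes")
    for rule, n in report["ips_drops"].items():
        print(f"IPS drops on firewall rule {rule}: {n}")
```

The single failure from 198.51.100.7 stays below the threshold and produces no alert, which is the behaviour you want so that a mistyped password does not page anyone; tune `threshold` and `window` to your environment, and pair the alert with the email notification the firewall itself sends so one missed path does not silence the other.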
Review the Findings
The framework in this guide is designed to provide guidance across various use cases and test scenarios. The appropriate depth and focus of the PoC will be influenced by the organization's security maturity level, industry vertical, and regulatory guidelines.
Need help? If at any stage you would like assistance running or assessing the findings of your proof of concept, contact the Sophos GSE team at gse@sophos.com.
Conclusion — Suggested Activities & Workflow
First 10 Days Activities
Day 30 — Proof of Concept Review
Use the information gathered during the 30-day trial to fully evaluate Sophos Firewall:
Additional Resources: In addition to this Sophos Firewall PoC Guide, refer to the Sophos Endpoint PoC Guide and Cloud Optix PoC Guide when more than one product is involved in the opportunity.
Licensing
Sophos Firewall uses a subscription-based licensing model. All licenses are managed through Sophos Central — the cloud management platform. 📖 License information docs →
License Bundles
Core firewall + routing, Basic AV, IPS, App control, On-box reporting. Included with hardware purchase.
Network Protection + Web Protection + Zero-Day Threat Protection (Sandstorm). Most common bundle.
SD-WAN, Site-to-Site VPN orchestration from Sophos Central. Required for managed SD-WAN deployments.
License Information & Registration
Licenses are tied to the device serial number and activated via Sophos Central. To view license status: go to System → Licensing → License information in the Sophos Firewall admin console. The page shows each subscription module, expiry date, and activation status.
Trial/PoC Licensing: During a PoC, Sophos partners can provision a 30-day NFR (Not for Resale) trial license via the Sophos Partner Portal. This enables full Xstream Protection features. Contact your Sophos SE or channel manager to provision trial keys before the PoC begins.
High Availability (HA) Licensing
Sophos Firewall supports Active-Active and Active-Passive HA configurations for high-availability deployments. HA licensing works as follows: 📖 HA documentation →
Important: HA failover will not function correctly if the auxiliary node's license has expired or is missing required modules. Always verify both nodes show "Active" subscription status before relying on HA for production.
Migration from Competitive Firewalls
Migrating from a competitive firewall to Sophos Firewall is a common PoC scenario. Sophos provides migration tools and documentation for the most common platforms. Below are platform-specific guidance and key considerations. 📖 Migration docs →
Migration Best Practice: Run Sophos Firewall in Discover/TAP mode for 7–14 days alongside the existing firewall before cutover. This identifies all traffic patterns, applications, and users so Sophos Firewall rules can be tuned before going live. It eliminates surprise policy gaps on Day 1.
Remote VPN Users
Sophos Firewall provides multiple remote access VPN options to support remote workers. The recommended solution for most organizations is Sophos Connect — a lightweight SSL VPN client with automatic tunnel management. 📖 Remote Access VPN docs →
Recommended for most deployments. Auto-connects, supports split tunneling, MFA-ready. Client available for Windows, macOS, and Linux.
IKEv2/IPsec for clients that require it. Native support on iOS, Android, Windows, and macOS without additional client software.
Browser-based access to internal web apps and RDP/SSH — no client installation needed. Accessible via the Sophos User Portal.
How to Configure Sophos Connect (SSL VPN) — Step by Step
Remote Access Portal: Users can self-manage their VPN credentials, download the Sophos Connect client, and access Clientless VPN resources at: https://[your-firewall-IP-or-FQDN]/userportal
Site-to-Site VPN
For branch-to-branch or cloud connectivity, Sophos Firewall supports IPsec IKEv2 site-to-site VPN. 📖 Site-to-site VPN docs → Sophos Central Orchestration enables zero-touch SD-WAN mesh VPN across all branch firewalls from a single console — dramatically simplifying multi-site deployments.
How Do I Configure…?
Quick reference for the most common configuration tasks. Each item links directly to the relevant section of the Sophos Firewall v22.0 documentation.
Documentation Quick Links
All official Sophos Firewall v22.0 documentation is available at docs.sophos.com. Key sections are linked below for fast reference during a PoC.
Initial setup, licensing, admin access
Policies, networking, security modules
SSL VPN, IPsec, User Portal, RED
CLI reference, diagnostics, advanced config
HA setup, licensing, failover monitoring
AWS, Azure, VMware, Hyper-V, KVM
Fortinet, Palo Alto, SonicWall, Check Point
REST API, automation, integrations
Sophos Community — questions, tips, KB articles