Sophos Firewall Sizing Guide: Properly Dimensioning XGS
Sophos Firewall sizing is not just about the number of users. Key factors include bandwidth, TLS Inspection, IPS, VPN, HA, logging, and reserve …
Practical German Sophos Firewall guides for setup, hardening, VPN, network rules, licenses, updates, logs, and troubleshooting.
The articles are organised by typical admin tasks: select, set up, secure, publish, connect remotely, analyse, and restore.
Sizing, XGS selection, Base License, bundles, Air Gap, lifecycle, portals, and license operation.
Sophos Firewall sizing is not just about the number of users. Key factors include bandwidth, TLS Inspection, IPS, VPN, HA, logging, and reserve …
When purchasing or renewing a Sophos Firewall, Standard Protection, Xstream Protection, and Epic Protection must match the protection needs.
The Base License is the foundation of Sophos Firewall, but it does not replace support or security subscriptions. Licence status, support, updates, HA …
A Sophos Firewall licence key links or renews subscriptions. Serial number, account, synchronisation, HA, and follow-up checks are important.
Air-gap operation on Sophos Firewall requires approval, license file, manual synchronization, pattern updates, and a clear operational routine.
Sophos Firewall datasheet values are comparative figures. Key factors include firewall, IMIX, IPS, NGFW, TLS Inspection, VPN, and reserves.
Hardware, virtual appliance, Software Appliance and Cloud Deployment differ in operation, HA, recovery, sizing and responsibilities.
This article explains XG End of Life, XG vs XGS differences, SFOS 21/22 limits and how to prepare migration to XGS cleanly.
Sophos lifecycle planning needs End-of-Sale, Last Renewal, End-of-Life, successor products and clear checks before renewal, migration or hardware …
Warranty, support contract and RMA must be checked separately for Sophos hardware: serial number, purchase date, lifecycle, contract and replacement …
SophosID, Central, Support Portal and Firewall portals have different tasks. Login, licensing, access and remote access are important.
The serial number uniquely identifies a Sophos Firewall. It is needed for support, licensing, RMA, Central registration, HA and inventory.
Account transfer moves license and registration mapping to a firewall. The target account, acceptance period, management boundaries and follow-up …
Setup Wizard, Central connection, Active Directory, STAS, SATC, Device Access, and support access.
After the Setup Wizard, the firewall is accessible but not yet fully hardened. Following this, backup, firmware, Device Access, rules, and logs are …
A Sophos Firewall can operate locally but offers additional features for management, backups, reporting, and security with Sophos Central.
Active Directory provides users, groups and authentication for Sophos Firewall. LDAPS, search base, group import, Main Group and AD SSO matter.
Not every environment runs Active Directory. LDAP connects Sophos Firewall to OpenLDAP, 389-ds, FreeIPA, or Google Secure LDAP. Bind DN, Base DN, and …
RADIUS connects Sophos Firewall to NPS, MFA systems or other identity services. Shared secret, services, groups, timeouts and tests matter.
STAS maps AD logons to client IPs so Sophos Firewall can use user-based rules. Agent, collector, audit events and tests are key.
SATC maps users on Remote Desktop Session Hosts to Sophos Firewall. Server Protection, registry, Device Access and Live Users matter.
Device Access controls local firewall services. Key aspects include zone permissions, ACL Exception Rules, WAN risks, lockout protection, logs, and …
Avanet support access should be time-limited and tightly controlled. Important aspects include WebAdmin, optional SSH, Device Access, sources, MFA, …
Firewall rules, zones, interfaces, VLAN, NAT, DNS, DHCP, SD-WAN, NTP, and VoIP.
Zones and interfaces are the basis for clean Sophos Firewall rules. Zone, interface, IP object, Device Access, routing and tests matter.
Firewall rules are at the heart of the Sophos Firewall. What is important is the rule structure, sequence, limits, rule types, practical examples, …
A clear rule description saves time in daily operations. Purpose, owner, ticket, expiry date, risk, review and a useful Description field matter.
VLANs on Sophos Firewall need more than a VLAN ID: parent interface, switch tagging, zone, IP objects, DHCP, DNS, rules, NAT and tests must match.
After SFOS 22, bridge VLANs are particularly noticeable for traffic to or from the firewall. CLI VLAN tags, br0 interfaces and tests are important.
A LAG bundles two to four physical ports into one logical interface. Bonding mode, switch configuration, hashing, and failover tests all matter.
FQDN hosts help with dynamic cloud and service destinations. Wildcard FQDNs are different because the firewall learns matching IP addresses from DNS …
If a firewall rule is not matching, it is usually due to order, zone, source, destination, service, user matching, NAT, routing, or logging.
Captive Portal with Entra ID SSO maps local users via browser login. Redirect URI, device access, primary groups and logs are important.
Rule tests need clear test data and real events. Log Viewer, Policy Tester, Packet Capture, tcpdump, Central Reporting, and Syslog answer different …
IPv6 Prefix Delegation brings provider prefixes into internal networks. Key aspects include WAN configuration, Router Advertisement, rules, and …
NAT translates addresses or ports but does not allow traffic. Important are SNAT, DNAT, MASQ, PAT, loopback, reflexive rules and troubleshooting.
DNAT publishes internal services over public IPs or ports. Close sources, appropriate firewall rules, NAT order and tests are crucial.
DNS Request Routes forward specific DNS queries to defined DNS servers. Key points are firewall as resolver, internal domains, reverse lookups, DNS …
MTU and MSS issues manifest as stalled downloads, RDP, HTTPS, or VoIP. Path checking, VPN overhead, PPPoE, and XFRM are important.
DHCP options distribute PXE, WDS, thin client, or RED parameters. WebAdmin, CLI fallbacks, and common error patterns are important.
SD-WAN routes steer traffic by criteria, not only by the routing table. Order, DSCP, applications, gateways, SLA, NAT, logs and path tests matter.
Route Precedence decides whether Static, SD-WAN or VPN takes effect first. Direct networks, IPsec special cases, tests and rollback are important.
Reply Packets and system generated traffic can affect SD-WAN routing. CLI status, use cases, risks, testing and validation are important.
VLANs with Sophos Firewall and UniFi need clean tagging. Important are Gateway, parent interface, UniFi network, Access-Port, Trunk, DHCP and rules.
Cellular WAN is usually a backup line. For 4G/5G failover, SIM, APN, PIN, Gateway, signal quality, SD-WAN checks, and fallback logic are crucial.
Sophos Firewall is not a full-fledged NTP server, but can forward NTP requests to external or internal time servers via NAT.
A manual IPsec Route on Sophos Firewall may be necessary when routing, NAT, or SFOS-22 behaviour does not match VPN traffic.
Application Traffic Shaping prioritises important applications and limits other traffic. Key aspects include policy, match, direction, testing, and …
VoIP problems often arise from SIP ALG, UDP timeouts, NAT, RTP ports or routing. SIP/RTP analysis, capture and CLI testing are important.
Sophos Connect, SSL VPN, Entra ID SSO, IPsec, SD-RED, and VPN troubleshooting.
Sophos Connect with IPsec, Sophos Connect with SSL VPN, classic OpenVPN clients and ZTNA fit different remote access scenarios.
Sophos Connect needs matching IPsec/SSL VPN profiles, users, IP pool, DNS, MFA, firewall rules, provisioning and update process.
SSL VPN Remote Access only works cleanly when global settings, portal, policy, current profile, DNS, MFA, Device Access, firewall rules and routing …
Legacy Remote Access IPsec blocks SFOS 22 MR1 and newer. Before upgrading, it needs detection, a replacement, restore checks and removal.
Sophos Connect on Windows requires client version, profile, platform, MFA/SSO and rules. The connection, DNS and access must then be correct.
Sophos Connect on macOS depends on client version, Apple Silicon/Rosetta, IPsec or SSL VPN profile, DNS, MFA, and tested firewall rules.
Entra ID SSO connects Remote Access with OAuth 2.0, OpenID Connect, and Entra-MFA. Key elements include Redirect URIs, groups, and Device Access.
Sophos Connect updates affect VPN profiles, platforms, MFA, SSO, helpdesk and rollback. Version checks, pilots, profile tests and known issues matter.
SSL VPN with Sophos Connect on Windows needs a current OVPN profile, VPN Portal access, MFA, client version, DNS test, profile cleanup, and matching …
SSL VPN on macOS today often runs with Sophos Connect instead of Tunnelblick. OVPN profile, Apple Silicon/Rosetta, DNS, MFA and maintenance are …
SSL VPN on iPhone and iPad uses an OpenVPN-compatible client. OVPN profile, VPN Portal, MFA, DNS and firewall rules are important.
SSL VPN on Android requires an OpenVPN client, current OVPN profile, VPN portal access, MFA, DNS test, firewall rules, and device changes.
There's no Linux client for Sophos Connect. Linux users connect using the standard OpenVPN client or NetworkManager-strongSwan with IPsec.
The old Sophos SSL VPN Client can start automatically. Auto-Login with password.txt is risky. Important are risk, autostart, and alternatives.
Site-to-Site IPsec needs clear networks, profiles, rules, routing, NAT and acceptance tests. Choose policy-based or route-based designs deliberately.
Azure Site-to-Site VPN needs Local Network Gateway, Virtual Network Gateway, matching IPsec/IKE parameters, Sophos XFRM, routes and firewall rules.
AWS Site-to-Site VPN needs a customer gateway, target gateway, two tunnels, matching IPsec settings, routing and validation on both sides.
IPsec troubleshooting requires a clear sequence: IKE, Phase 2, Security Associations, StrongSwan logs, XFRM, routing, NAT, firewall rules and packet …
If Sophos Connect IPsec disconnects after about 4 hours or requests OTP again, first check the profile, IKE Key Life, logs, and client distribution.
Sophos SD-RED connects remote sites to the firewall. Key aspects include provisioning, NTP, ports, LED status, RED interface, DHCP, VLANs, and rules.
MFA, TLS Inspection, WAF, Threat Feeds, IPS, Web Protection, NDR, DNS Protection, and hardening.
Hardening reduces the attack surface of Sophos Firewall. Key areas are management access, MFA, updates, published services, threat feeds, logging and …
This guide classifies all 31 Health Check findings by real risk, operational value, and optional Sophos services.
MFA protects WebAdmin, VPN Portal and Remote Access well only when Device Access, OTP tokens, groups, fallback, tests and operations are planned …
TLS Inspection increases visibility in encrypted connections, but needs CA distribution, clear rule order, DPI/Web Proxy decision, exclusions, tests …
TLS Inspection works without browser warnings only if clients trust the firewall CA. Important steps include download, distribution, and rollback.
XML API access on Sophos Firewall should only be allowed from defined management networks, automation systems, or integration hosts.
Bypass rules bypass the normal stateful firewall path. What is important is clear demarcation, tight networks, opposite directions, tests and …
Web Server Protection publishes HTTP and HTTPS applications as a reverse proxy. Key points are WAF or DNAT choice, DNS, certificate, web server …
Sophos Firewall can protect WAF-published web applications with MFA from SFOS 22. Version, Authentication Policy, token rollout, testing, and …
Sophos Firewall can obtain and renew Let's Encrypt certificates directly. HTTP validation, hosted address, port 80, supported services and monitoring …
Threat Feeds bring known malicious IPs, domains and URLs into Sophos Firewall as IoCs. Licence, indicator type, feed format, action, logging and …
IPS needs a licence, global enablement, the right policy per firewall rule, signature awareness, logging, tests, performance checks and a …
Web Protection requires an appropriate firewall rule, web policy, categories, user context, Web Exceptions, TLS visibility, QUIC decision, logging, …
NDR Essentials and NDR Active Threat Intelligence enhance Sophos Firewall with network detection. Key aspects include usage limits, operation, and …
DNS Protection adds DNS policies and Sophos Central reporting. Key aspects include location type, rollout, DNS routes, endpoint limits, and …
Spoof Protection and DoS Settings harden against implausible sources and simple flooding patterns. Routing, Packet Rate, Burst Rate, bypass order, …
Country blocking, Black Hole DNAT, WAF Blocked countries, and Threat Feeds serve different purposes. Rule position, local services, and monitoring are …
Application Control identifies applications beyond simple ports. Important aspects include application filters, signatures, rule position, TLS …
Zero-Day Protection analyses suspicious downloads and email attachments. Firewall rule, web and mail path, TLS visibility, reports, exceptions and …
Mail Protection in MTA mode makes the firewall the SMTP acceptance point. MX, TLS, relay, policies, quarantine and logs are decisive.
Web categories and instant alerts assist in web policy control. Key aspects include usage, prerequisites, configuration, logging, and error patterns.
A Secure Heartbeat database maintenance is a narrow support case. Before VACUUM FULL, a backup, maintenance window, disk check, and Sophos approval …
QUIC operates over UDP 80 and UDP 443. On the Sophos Firewall, it's important to understand when Block QUIC protocol is necessary and how to verify …
CAPTCHA reduces automated login attempts to WebAdmin and User Portal. Device console status, risk, follow-up and alternatives are important.
Log Viewer, service logs, audit trail, SSH, CLI, packet capture, tcpdump, syslog, and SIEM.
For troubleshooting, know which Sophos Firewall service belongs to which module, which log file fits, and when Log Viewer, CTR, debug, or CLI is …
In cases of disruptions, VPN issues, or unclear firewall events, a support case requires clean logs, timestamps, and captures if necessary.
Audit Trail Logs display configuration changes on the Sophos Firewall. Key aspects include activation, download, evaluation, and retention.
SSH is a powerful support channel on Sophos Firewall. Device Access, ACL exceptions, public keys, host keys and control limits matter.
Important CLI commands help with troubleshooting, log analysis, network checking, service status and debug logging. A safe process is crucial.
Packet Capture shows whether packets arrive, are forwarded, or dropped. Key aspects include test planning, filters, NAT, and evaluation.
tcpdump provides precise packet captures on the firewall. Key aspects include Advanced Shell, tight filters, PCAP files, interface comparison, support …
Sophos Firewall uses internal User IDs for users and groups. The 65,535 limit can disrupt VPN portal downloads in large environments.
Drops are not automatically errors. For analysis, Log Viewer, Invalid Traffic, Packet Capture, Firewall ID 0, Rule ID, NAT ID, routing, and return …
After a firewall change, old ARP entries can block WAN or alias IP addresses. Important are ARP cache, provider device, and tests.
Missing heartbeat alerts occur when the firewall sees traffic without a matching security heartbeat. Endpoint status, DNS and logs are important.
iPerf measures TCP or UDP throughput between endpoints. The test only becomes meaningful with a clear path, direction and evaluation.
sFlow makes traffic patterns and noticeable flows visible. Important aspects include Collector, Sampling, Interface Selection, Limits, and Operational …
SFOS 22 expands SNMP to include temperature, fans, power supplies and PoE. Important are Device Access, MIBs, SNMP version, monitoring targets and …
A speed test on the Sophos Firewall helps isolate WAN and client issues. Key aspects include SSH testing, WAN path, unit, test file, and …
Central Firewall Reporting transfers firewall logs to Sophos Central. Important aspects include log selection, retention, Report Hub, and syslog …
Syslog brings Sophos firewall logs to SIEM, SOC or central log servers. Log types, transport, TLS compatibility, parsers, validation and operational …
Backup, firmware, SFOS upgrades, task queue, services, Config Studio, reimage, SSD, HA, and RMA.
Backups are only useful with file, password, Secure Storage Master Key, target version, management access, and restore compatibility. Mandatory before …
Firmware updates on Sophos Firewall need preparation, backup, upgrade path, maintenance window, HA planning, rollback criteria and targeted …
Before an SFOS 22 upgrade, platform, interface names, storage space, backup, HA, IPsec, STAS, and recovery should be prepared.
The task queue shows whether central firewall changes have been processed. History, status, Skip, Retry and local validation are important.
Installation is only the short part of a firmware update. Image, upgrade path, backup, GUI action, HA behaviour, Central status and rollback matter.
Service restarts can stabilise firewall modules, but they change state. Logs, risk, access and follow-up checks matter first.
Config Studio helps read, compare and review firewall configurations. Key aspects include export file, review, API output and limitations.
WebAdmin GUI not responding? A targeted restart of tomcat and apache often helps. You should check access, system status and logs beforehand.
A reimage fully overwrites the firewall. Before starting, backup, SSMK, installer image, restore compatibility, HA and post-checks matter.
The SMART endurance value helps assess SSD wear. Trends, symptoms, storage checks, HA nodes, and support data are decisive.
Storage warnings require root-cause analysis. /var, reports, event logs, troubleshooting logs, mail queue, warning thresholds and data retention are …
HA connects two Sophos Firewalls into a cluster. Important aspects include prerequisites, licensing, HA link, Monitored Ports, QuickHA, updates, RMA …
Local scripts on Sophos Firewall jeopardise support, HA, updates, and troubleshooting. Important are risks, alternatives, and minimum checks.
A good Sophos support ticket reduces follow-up questions. Serial number, licence status, error description, logs, screenshots and portal flow are …
With a Sophos hardware defect, serial number, warranty, support case, backup, HA status, replacement device and return are important.
Special cases, older clients, and topics that do not fit neatly into the main areas.
Sophos Home Edition, XGS with Base License and Sophos Home suit different private scenarios. The CPU limit, benefits, limits and operation are …
UniFi devices need a controller address for L3 adoption, suitable outbound ports and often DNS. Firewall rules, Inform URL and tests are important.