Sophos Firewall Sizing Guide: Properly Dimensioning XGS
Sophos Firewall sizing is not just about the number of users. Key factors include bandwidth, TLS Inspection, IPS, VPN, HA, logging, and reserve …
Practical German Sophos Firewall guides for setup, hardening, VPN, network rules, licenses, updates, logs, and troubleshooting.
The articles are organised by typical admin tasks: select, set up, secure, publish, connect remotely, analyse, and restore.
Sizing, XGS selection, Base License, bundles, Air Gap, lifecycle, portals, and license operation.
When purchasing or renewing a Sophos Firewall, Standard Protection, Xstream Protection, and Epic Protection must match the protection needs.
The Base License is the foundation of Sophos Firewall, but it does not replace support or security subscriptions.
A Sophos Firewall licence key is activated in SFOS. Important aspects include serial number, account, activation, licence status, and typical errors.
Air-gap operation on Sophos Firewall requires approval, license file, manual synchronization, pattern updates, and a clear operational routine.
Sophos Firewall datasheet values are comparative figures. Key factors include firewall, IMIX, IPS, NGFW, TLS Inspection, VPN, and reserves.
Hardware, Virtual Appliance, Software Appliance, and Cloud Deployment differ in operation, HA, recovery, sizing, and responsibilities.
This article explains XG End of Life, XG vs XGS differences, SFOS 21/22 limits and how to prepare migration to XGS cleanly.
Sophos lifecycle planning needs End-of-Sale, Last Renewal, End-of-Life, successor products and clear checks before renewal, migration or hardware …
Warranty, support contract, and RMA are distinct topics for Sophos hardware. For firewalls, serial number, purchase date, lifecycle, contract, and …
SophosID, Sophos Central, Support Portal and firewall portals have different roles. Login, licensing, access, certificates and Remote Access are key.
The serial number uniquely identifies a Sophos Firewall. You need it for support, licensing, RMA, account transfer and inventory.
The account transfer moves the firewall's licence and registration assignment. Preparation, process, limits and checks are important.
Setup Wizard, Central connection, Active Directory, STAS, SATC, Device Access, and support access.
After the Setup Wizard, the firewall is accessible but not yet fully hardened. Following this, backup, firmware, Device Access, rules, and logs are …
A Sophos Firewall can operate locally but offers additional features for management, backups, reporting, and security with Sophos Central.
Active Directory provides users, groups and authentication for Sophos Firewall. LDAPS, search base, group import, Main Group and MFA matter.
STAS maps AD logons to client IPs so Sophos Firewall can use user-based rules. Agent, collector, audit events and tests are key.
SATC maps users on Remote Desktop Session Hosts to Sophos Firewall. Server Protection, registry, Device Access and Live Users matter.
Device Access controls access to local services on the Sophos Firewall. Key aspects include zone permissions, ACL Exception Rules, WAN risks, lockout …
Avanet support access should be time-limited and tightly controlled. Important aspects include WebAdmin, optional SSH, Device Access, sources, MFA, …
Firewall rules, zones, interfaces, VLAN, NAT, DNS, DHCP, SD-WAN, NTP, and VoIP.
Zones and interfaces are the basis for clean Sophos Firewall rules. Planning, safe changes, routing and typical errors are important.
Firewall rules are the core of the Sophos Firewall. Important aspects include rule structure, order, boundaries, practical examples, tests, and secure …
A clear rule description saves time in daily operations. Purpose, owner, ticket, expiry date, risk, review and a useful Description field matter.
VLANs on Sophos Firewall need more than one VLAN ID: Parent Interface, Switch Tagging, Zone, DHCP, DNS, Rules, NAT and tests must match.
Bridge VLANs show noticeable changes after SFOS 22, especially with traffic to or from the firewall. Important are CLI VLAN tags, br0 interfaces, …
If a firewall rule is not matching, it is usually due to order, zone, source, destination, service, user matching, NAT, routing, or logging.
Captive Portal with Entra ID SSO maps local users via browser login. Redirect URI, device access, primary groups and logs are important.
Rule tests require real events and clear test data. Log Viewer, Policy Tester, Packet Capture, and tcpdump answer different questions.
IPv6 Prefix Delegation brings provider prefixes into internal networks. Key aspects include WAN configuration, Router Advertisement, rules, and …
NAT translates addresses or ports but does not allow traffic. SNAT, DNAT, MASQ, PAT, loopback, reflexive rules and troubleshooting are important.
DNAT publishes internal services via public IPs or ports. Key factors include tight sources, appropriate rules, NAT order, and tests.
DNS Request Routes forward specific DNS queries to defined DNS servers. Important for internal domains, reverse lookups, DNS Protection, and VPN.
MTU and MSS issues manifest as stalled downloads or problems with RDP, HTTPS, or VoIP. Path checking, VPN overhead, PPPoE, and XFRM are important.
DHCP options distribute PXE, WDS, thin client, or RED parameters. WebAdmin, CLI fallbacks, and common error patterns are important.
SD-WAN routes steer traffic by criteria, not only by the routing table. Gateways, services, NAT, failover and path tests matter.
Route Precedence determines whether Static Routes, SD-WAN Policy Routes, or VPN routes take precedence. Important steps include checking, changing, …
Reply packets and system-generated traffic can affect SD-WAN routing. CLI status, use cases, risks, testing and validation are important.
VLANs with Sophos Firewall and UniFi need clean tagging. Gateway, parent interface, UniFi network, access port, trunk, DHCP and rules must match.
Cellular WAN is usually a backup line. For 4G/5G failover, SIM, APN, PIN, Gateway, signal quality, SD-WAN checks, and fallback logic are crucial.
Sophos Firewall is not a true NTP server here, but can forward NTP via NAT. Important are source networks, target servers, rules, and tests.
A manual IPsec Route on Sophos Firewall may be necessary when routing, NAT, or SFOS-22 behaviour does not match VPN traffic.
Application Traffic Shaping prioritises important applications and limits other traffic. Key aspects include policy, match, direction, testing, and …
VoIP problems often arise from SIP ALG, UDP timeouts, NAT, RTP ports or routing. SIP/RTP analysis, capture and CLI testing are important.
Sophos Connect, SSL VPN, Entra ID SSO, IPsec, SD-RED, and VPN troubleshooting.
Sophos Connect with IPsec, Sophos Connect with SSL VPN, classic OpenVPN clients and ZTNA fit different remote access scenarios.
Sophos Connect needs matching IPsec/SSL VPN profiles, users, IP pool, DNS, MFA, firewall rules, provisioning and update process.
SSL VPN Remote Access only works smoothly when the portal, policy, profile, DNS, MFA, Device Access, firewall rules, and routing are checked together.
Legacy Remote Access IPsec blocks the upgrade to SFOS 22 MR1 and newer. Before upgrading, it needs detection, a replacement, restore checks and removal.
Sophos Connect on Windows requires client version, profile, platform, MFA/SSO and rules. The connection, DNS and access must then be correct.
Sophos Connect on macOS depends on client version, Apple Silicon/Rosetta, IPsec or SSL VPN profile, DNS, MFA, and tested firewall rules.
Entra ID SSO connects Remote Access with OAuth 2.0, OpenID Connect, and Entra-MFA. Key elements include Redirect URIs, groups, and Device Access.
Sophos Connect updates affect VPN profiles, platforms, MFA, SSO, helpdesk and rollback. Version checks, pilots and profile tests are important.
SSL VPN with Sophos Connect on Windows needs an OVPN profile, VPN portal access, MFA, client version, DNS test and matching rules.
SSL VPN on macOS today often runs with Sophos Connect instead of Tunnelblick. OVPN profile, Apple Silicon/Rosetta, DNS, MFA and maintenance are …
SSL VPN on iPhone and iPad uses an OpenVPN-compatible client. OVPN profile, VPN Portal, MFA, DNS and firewall rules are important.
SSL VPN on Android requires an OpenVPN client, current OVPN profile, VPN portal access, MFA, DNS test, firewall rules, and device changes.
The old Sophos SSL VPN Client can start automatically. Auto-Login with password.txt is risky. Important are risk, autostart, and alternatives.
Site-to-Site IPsec needs clear networks, profiles, rules, routing, NAT and acceptance tests. Choose policy-based or route-based designs deliberately.
IPsec troubleshooting requires a clear sequence: IKE, Phase 2, Security Associations, StrongSwan logs, routing, NAT, firewall rules, and packet flow.
If Sophos Connect IPsec disconnects after about 4 hours or requests OTP again, first check the profile, IKE Key Life, logs, and client distribution.
Sophos SD-RED connects remote sites to the firewall. Key aspects include provisioning, ports, LED status, RED interface, DHCP, VLANs, and rules.
MFA, TLS Inspection, WAF, Threat Feeds, IPS, Web Protection, NDR, DNS Protection, and hardening.
The Health Check highlights risky firewall configurations in the Control Center. Key aspects include score, checks, prioritisation, and follow-up.
MFA effectively protects WebAdmin, VPN Portal, and Remote Access only when Device Access, groups, fallback, rollout, testing, and operation are …
TLS Inspection increases visibility in encrypted connections but can disrupt applications. Important are CA certificate, test group, and rollback.
TLS Inspection works without browser warnings only if clients trust the firewall CA. Important steps include download, distribution, and rollback.
XML API access on Sophos Firewall should only be allowed from defined management networks, automation systems, or integration hosts.
Bypass rules bypass the normal stateful firewall path. Important aspects include usage limits, CLI status, tests, documentation, and rollback.
Web Server Protection publishes HTTP and HTTPS applications as a reverse proxy. Important considerations include choosing WAF or DNAT, certificates, …
Sophos Firewall can protect WAF-published web applications with MFA. Key aspects include planning, setup, token rollout, testing, and operation.
Sophos Firewall can obtain and renew Let's Encrypt certificates directly. HTTP validation, FQDNs, WAF, portals and monitoring are important.
Threat feeds bring known malicious IPs, domains and URLs into Sophos Firewall as IoCs and are especially useful for exposed services.
IPS needs a licence, global enablement, the right policy per firewall rule, logging, tests, performance checks and a false-positive process.
Web Protection requires an appropriate firewall rule, web policy, categories, TLS visibility, QUIC decision, user context, logging, and tests.
NDR Essentials and NDR Active Threat Intelligence enhance Sophos Firewall with network detection. Key aspects include usage limits, operation, and …
Sophos DNS Protection enhances the firewall with DNS policies and reporting in Sophos Central. Key aspects include rollout, internal DNS routes, …
Spoof Protection and DoS Settings harden against implausible sources and simple flooding patterns. Routing, tests, logs and narrow exceptions are …
Country blocking, Black Hole DNAT, and Threat Feeds serve different purposes. Rules, local services, and monitoring are important.
Application Control identifies applications beyond mere ports. Important aspects include rules, application filters, TLS visibility, logging, and …
Zero-Day Protection analyzes suspicious downloads and email attachments. Operational control, reports, exceptions and approvals are important.
Mail Protection in MTA mode makes the firewall the SMTP acceptance point. MX, TLS, relay, policies, quarantine and logs are decisive.
Web categories and instant alerts assist in web policy control. Key aspects include usage, prerequisites, configuration, logging, and error patterns.
Secure Heartbeat database maintenance is a narrow support case. Before VACUUM FULL, a backup, maintenance window, disk check, and Sophos approval …
QUIC operates over UDP 80 and UDP 443. On the Sophos Firewall, it's important to understand when Block QUIC protocol is necessary and how to verify …
CAPTCHA reduces automated login attempts on WebAdmin and User Portal. Important aspects include Device Console status, risk, follow-up, and …
Log Viewer, service logs, audit trail, SSH, CLI, packet capture, tcpdump, syslog, and SIEM.
In troubleshooting, it's important to know which Sophos Firewall service belongs to which module, which log file is relevant, and when debug or CLI is …
In cases of disruptions, VPN issues, or unclear firewall events, a support case requires clean logs, timestamps, and captures if necessary.
Audit Trail Logs display configuration changes on the Sophos Firewall. Key aspects include activation, download, evaluation, and retention.
SSH on Sophos Firewall is a powerful support access path. Important are tight Device Access permissions, ACL exceptions, appropriate console, access …
Key CLI commands assist with troubleshooting, log analysis, network checks, service status, and debug logging. A secure process is crucial.
Packet Capture shows whether packets arrive, are forwarded, or dropped. Key aspects include test planning, filters, NAT, and evaluation.
tcpdump provides precise packet captures on the firewall. Key aspects include Advanced Shell, tight BPF filters, PCAP files, stopping captures, and …
Sophos Firewall uses internal User IDs for users and groups. The 65,535 limit can disrupt VPN portal downloads in large environments.
Drops are not automatically errors. For analysis, Log Viewer, Packet Capture, Firewall ID 0, Rule ID, NAT ID, routing, and return path are key.
After a firewall change, old ARP entries can block WAN or alias IP addresses. Important are ARP cache, provider device, and tests.
Missing heartbeat alerts occur when the firewall sees traffic without a matching security heartbeat. Endpoint status, DNS and logs are important.
iPerf measures TCP or UDP throughput between endpoints. The test becomes meaningful only with a clear path, direction, and evaluation.
sFlow makes traffic patterns and noticeable flows visible. Important aspects include Collector, Sampling, Interface Selection, Limits, and Operational …
SFOS 22 extends SNMP to include temperature, fans, power supplies, and PoE. Key aspects include Device Access, MIBs, SNMP version, monitoring targets, …
A speed test on the Sophos Firewall helps isolate WAN and client issues. Key aspects include SSH testing, WAN path, unit, test file, and …
Central Firewall Reporting transfers firewall logs to Sophos Central. Important aspects include log selection, retention, Report Hub, and syslog …
Syslog brings Sophos Firewall logs into SIEM, SOC, or central log servers. Important aspects include log types, transport, TLS, validation, and …
Backup, firmware, SFOS upgrades, task queue, services, Config Studio, reimage, SSD, HA, and RMA.
Backups are only useful with the file, password, Secure Storage Master Key, target version, and restore compatibility. Mandatory before updates, …
Firmware updates on Sophos Firewall require preparation, backup, risk assessment, a maintenance window and targeted validation after the update.
Before an SFOS 22 upgrade, platform, interface names, storage space, backup, HA, IPsec, STAS, and recovery should be prepared.
The Task Queue shows whether central firewall changes have been successfully applied. Important are status checks, skip, retry, and follow-up.
Installation is just a short part of a firmware update. Preparation, backup, SFOS-22 check, hardware, and rollback are crucial beforehand.
Service restarts can stabilise firewall modules, but they change state. Logs, risk, access and follow-up checks matter first.
Config Studio assists in reading, comparing, and controlling firewall configurations. Key aspects include backup import, API output, review, and …
WebAdmin GUI not responding? A targeted restart of tomcat and apache often helps. You should check access, system status and logs beforehand.
A reimage fully overwrites the firewall. Before starting, check backup, SSMK, installer image, restore compatibility, HA and post-checks.
The SMART endurance value helps assess SSD wear on Sophos Firewall hardware. Important aspects include Advanced Shell, HA nodes, and trends.
Storage warnings first require the cause to be clarified. Partitions, reports, logs, mail queue, quarantine, virtual disk and data loss are relevant.
HA connects two Sophos Firewalls into a cluster. Important aspects include prerequisites, licensing, HA link, QuickHA, updates, operation, and …
Local scripts on Sophos Firewall jeopardise support, HA, updates, and troubleshooting. Important are risks, alternatives, and minimum checks.
A good Sophos support ticket reduces follow-up questions. Serial number, license status, support entitlement, error description, logs, screenshots, …
In the event of a Sophos hardware defect, preparation is important: serial number, warranty, support case, backup, HA status, replacement device and …
Special cases, older clients, and topics that do not fit neatly into the main areas.
Sophos Home Edition, XGS with Base License, and Sophos Home suit different private scenarios. Important factors include benefits, limitations, and …
UniFi devices need a reachable controller address for L3 adoption, suitable outbound ports and often a DNS entry. Firewall rules, DNS, Inform URL and …