Sophos Firewall Configuration Quiz
20 Questions

Questions and Answers

What is the maximum packet size specified in network settings known as?

  • Data Segment Size (DSS)
  • Maximum Segment Size (MSS)
  • Maximum Transmission Unit (MTU) (correct)
  • Packet Size Limit (PSL)

Which interface types are supported by Sophos Firewall?

  • Physical and VLAN interfaces (correct)
  • Wireless and Hybrid interfaces
  • Bridge and Virtual interfaces
  • Virtual and Network interfaces

What does the MSS setting define in the context of network transmission?

  • The total number of packets in a transmission
  • The maximum size of a single packet that can be transmitted (correct)
  • The threshold size for packet fragmentation
  • The combined size of all packets sent in a session

What does LAG stand for in the context of Sophos Firewall interfaces?

Link Aggregation Group

When packets exceed the MTU size, what happens to them?

They are divided into smaller packets

What happens if VLAN filtering is enabled but no VLANs are specified?

Tagged traffic from all VLANs is dropped.

What is the default behavior of the Sophos Firewall regarding ARP broadcasts in bridge interfaces?

ARP broadcasts are forwarded by default.

What happens to Ethernet frames if filtering is selected without specifying permitted frame types?

Traffic for any unlisted frame types is dropped.

How does the Sophos Firewall handle traffic from bridge interfaces that lack an IP address?

Traffic matching NAT rules is dropped without logging.

What is the purpose of enabling Spanning Tree Protocol (STP) on bridge interfaces?

To prevent broadcast storms and enable failover.

What is the maximum number of VLANs supported by the Sophos Firewall?

4096

How can filtering of Ethernet frames be customized on bridge interfaces?

By filtering using a 4-digit hexadecimal ID.

What does enabling MTU support for jumbo frames allow for interfaces?

Payload size limits to 9000 bytes or more.

What does VLAN 1 represent in the Sophos Firewall configuration?

Reserved for the physical LAN.

What is a consequence of not overriding source translation for SNAT rules in a bridge interface without an IP address?

Traffic may be dropped due to mismatched rules.

What is the purpose of the VLAN ID when creating a VLAN on a physical interface?

It uniquely identifies the VLAN within the network.

Which of the following statements about Link Aggregation Groups (LAG) is true?

LAG combines multiple ports into a single logical interface.

What is a requirement for the Active-Backup LAG mode?

Only one interface is active at a time in the group.

Which of the following is NOT a characteristic of VLAN configuration?

An IP address is required on the physical port before creating a VLAN.

What does LACP (802.3ad) provide in a Link Aggregation configuration?

Automatic load balancing across links.

Study Notes

Sophos Firewall Configuration

• Sophos Firewall version 19.0v1
• Document date: April 2022
• Copyright 2022 Sophos Limited. All rights reserved.
• Sophos and the Sophos logo are registered trademarks of Sophos Limited.
• Other names, logos, and marks in the document may be trademarks of Sophos Limited or other owners.
• Document is subject to change without notice.
• Sophos Limited is registered in England, #2096520.
• Registered Office: The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Interface Configuration

• Learn advanced configuration settings for physical and virtual interfaces.
• Recommended prior knowledge: the interface types supported by Sophos Firewall and how to configure firewall interfaces.
• Duration: 9 minutes
Interfaces

• Sophos Firewall supports the following interface types:
  • Physical and wireless interfaces
  • Bridge
  • VLAN
  • Alias
  • LAG (Link Aggregation)
  • RED

Edit Interface

• The menu beside each interface allows editing and viewing settings such as Maximum Transmission Unit (MTU) and Maximum Segment Size (MSS).
• MTU: the largest packet size, in bytes, that a network can transmit.
• MSS: the amount of data, in bytes, that can be transmitted in a single TCP packet.
• Packets larger than the MTU value are divided into smaller packets.

MTU and MSS Configuration

• Configure MTU and MSS for interfaces, including support for jumbo frames (more than 1500 bytes).
• Configure the settings in WebAdmin under 'Advanced settings'.
• Configure the settings in the console.

Bridge Interfaces: VLAN Filtering

• Bridge interfaces offer additional controls, including VLAN filtering.
• Define which VLANs can pass across the bridge.
• If filtering is enabled but no permitted VLANs are specified, the firewall drops all tagged traffic from all VLANs. Untagged traffic and system-generated traffic are not affected.

Bridge Interfaces: Advanced Settings

• By default, the bridge forwards ARP broadcasts for destination MAC address discovery.
• Advanced settings allow clearing the ARP broadcast checkbox to prevent ARP broadcast storms.
• Spanning Tree Protocol (STP) prevents bridge loops.
• Filter Ethernet frames: the default is to allow all types. Frames can be filtered by their 4-digit hexadecimal IDs (e.g. 809B for AppleTalk).

Bridge Interfaces with No IP Address

• The firewall drops traffic on bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or matches a NAT rule.
• Dropped packets are not logged.
• To prevent NAT rules from dropping this traffic:
  • Go to Rules and policies > NAT rules and edit the SNAT rule.
  • Select Override source translation for specific outbound interfaces.
  • Set Outbound interface to the bridge interface without an IP address.
  • Set Translated source (SNAT) to Original and click Save.

VLANs

• Create multiple VLAN interfaces on one physical interface.
• Allows tagged and untagged traffic on the same interface.
• VLAN support follows the IEEE 802.1Q standard.
• The physical interface does not need configuration.
• Supports up to 4096 VLANs (0, 1 and 4095 are reserved).
• VLANs 2-4094 are configurable.

VLAN Configuration

• A VLAN can be created on a physical interface such as PortA or eth0.
• Multiple VLAN interfaces can be created on one physical port.
• VLANs can also be created on virtual interfaces such as bridges and LAGs.
• Select a zone for the new VLAN network, then assign a valid VLAN ID to the interface.
• An IP address needs to be assigned to the new VLAN interface.

Link Aggregation Groups (LAG)

• Combine multiple ports/interfaces into a single logical interface (LAG).
• Advantages: scale bandwidth, provide link redundancy, facilitate load sharing, no changes to hardware.
• Supported LAG modes:
  • Active-Backup (failover).
  • LACP (802.3ad) (failover, load balancing). All connected devices must support LACP.
• Member interfaces must be the same type and have the same speed.
• All links should be full-duplex.
• Link aggregation is also known as port trunking, link building, NIC bonding and NIC teaming.
• Active-Backup mode is handled by the Sophos Firewall itself, so it supports devices that do not understand LACP.
• In Active-Backup mode the firewall manages the links: one is active and one is backup. There is no bandwidth increase, but failover between links of different speeds is allowed.

Chapter Review

• Configure MTU and MSS using WebAdmin or console 'Advanced settings'.
• Create multiple VLAN interfaces allowing tagged and untagged traffic.
• LAG combines multiple physical links into a single logical link for increased bandwidth and automatic failover.


Description

Test your knowledge of Sophos Firewall version 19.0v1 and its advanced interface configuration settings. This quiz covers the interface types supported by the firewall and requires familiarity with physical and virtual interfaces.
