Sophos Firewall Overview 19.0v1
15 Questions

Questions and Answers

What is the first step in the packet flow process through the firewall?

  • POSTROUTING
  • FORWARD
  • ROUTING
  • RAW packet processing (correct)

Which of the following components helps in managing the performance of firewall rules?

  • Mangle
  • Firewall Framework
  • Conntrack
  • FastPath (correct)

In what order should firewall rules be arranged to optimize performance and protection?

  • Random order for efficiency
  • Based on packet type, placement does not matter
  • Incoming rules first, then outgoing rules (correct)
  • Outgoing rules first, then incoming rules

Which section is responsible for handling outgoing packets in the packet flow?

POSTROUTING

What role does the Conntrack component play in the firewall packet flow?

It maintains the state of network connections

What happens when a connection is identified as Related?

A child connection entry is added.

During the FORWARD stage, which process occurs after packets are accepted by the firewall rules?

Packets are submitted to the IPS if applicable.

What is checked and applied to a packet if it is the first in the connection during POSTROUTING?

Masquerading and SNAT policies.

Which stage is immediately before the packet filtering occurs?

ROUTING

What is the role of the connection tracking module in the packet processing sequence?

To update connection tracking entries.

What is the purpose of the Prerouting subsystem in a firewall?

To perform protocol anomaly checks on incoming packets.

What happens to fragmented packets during the Prerouting process?

They are reassembled prior to anomaly checks.

What role does the connection tracking module (Conntrack) serve in the packet processing flow?

It keeps track of established connections to manage packet flow.

In what scenario would packets bypass the DoS & Spoof check in the Prerouting stage?

If they are destined for the local loopback or HA dedicated interface.

What is the first action taken on incoming packets in the Prerouting subsystem?

They undergo protocol anomaly checks.

    Study Notes

    Sophos Firewall Version 19.0v1

    • Sophos Firewall version is 19.0v1
    • Copyright is held by Sophos Limited, 2022
    • No part of the document can be used without prior written consent from Sophos

    Additional Information

    • Sophos Firewall FW2010
    • Advanced Firewall Rule Management on Sophos Firewall
    • Version: 19.0v1
    • Released in April 2022

    Firewall Framework

    • Prerouting: Fragmented incoming packets are reassembled, then protocol anomaly checks and DoS & Spoof prevention are performed (packets destined for the local loopback or the HA dedicated interface bypass the DoS & Spoof check)
    • Routing: Connection tracking creates an entry for a new connection or associates the packet with an existing one (Related connections receive a child connection entry)
    • Forwarding: Packet filtering based on firewall rules; accepted packets are submitted to the IPS if applicable
    • Postrouting: Masquerading and SNAT policies are checked and applied to the first packet of a connection; connection tracking entries are updated; if HA load balancing is on, the packet is sent to the load balancer; Quality of Service is applied.

    XStream Architecture

    • High-performance, high connection-capacity support for modern cipher suites (TLS 1.3)
    • Comprehensive threat protection using a single high-performance streaming DPI engine with proxy-less scanning
    • Intelligent offloading of trusted traffic using the Network Flow FastPath for improved performance

    Initial Connection

    • Firewall Stack processes connection management, allowance, blocking, and QoS (Quality of Service).
    • DPI Engine handles streaming DPI processing, intelligent offloading, web filtering, and SSL policy and inspection.
    • FastPath handles packet forwarding and L2 & L3 offloading to the DPI Engine.

    Full FastPath Offload

    • Firewall Stack handles connection management and QoS (Quality of Service).
    • DPI Engine handles streaming DPI processing, intelligent offloading, and policy and inspection.
    • FastPath handles packet forwarding and L2 & L3 offloading to the DPI Engine.
    • Once a connection is allowed, it can be offloaded to FastPath, accelerating it to wire speed.
    • If the data examined by packet filtering remains identical for every packet of the connection, the connection can be marked and the filtering step skipped for subsequent packets.

    Initial Packet Delivery to DPI Engine

    • Firewall Stack does connection management, allowance, blocking, and QoS (Quality of Service).
    • DPI Engine handles streaming DPI processing, intelligent offloading, web filtering, and SSL policy and inspection.
    • FastPath handles packet forwarding and L2 & L3 offloading to the DPI Engine.
    • Traffic that needs DPI Engine scanning goes through the firewall stack to the DPI Engine and returns to the stack for delivery.

    Firewall Offload

    • Firewall Stack does connection management, allowance, blocking, and QoS (Quality of Service).
    • DPI Engine handles streaming DPI processing, intelligent offloading, web filtering, and SSL policy and inspection.
    • FastPath handles packet forwarding using L2 & L3 offloading to the DPI Engine.
    • After the initial connection, FastPath can offload directly to the DPI Engine, cutting out the firewall stack for improved performance.

    FastPath Offloading

    • The firewall does connection management, allowance, and blocking.
    • The DPI Engine handles TLS/SSL, application, IPS, and web (AV) scanning and Data Acquisition (DAQ).
    • The SlowPath handles DoS, VPN and Firewall (FW) actions.
    • The firewall sees both directions of a connection, classifies it, and offloads the decision to FastPath once the connection is deemed safe and trustworthy.
    • Offloaded decisions can be cached and applied to subsequent traffic without using the SlowPath.
    • FastPath delivers subsequent traffic to the DPI Engine via zero-copy, which improves speed and keeps traffic handling efficient.

    Virtual FastPath vs. Network Flow FastPath

    • Virtual FastPath (VFP) uses CPU to process connections.
    • Network Flow FastPath (NFP) uses a separate Xstream Flow Processor to handle traffic that is offloaded to the FastPath.

    XGS Series FastPath Flow

    • Initial packets of a connection go through SlowPath and sometimes IPS
    • SlowPath gathers info, programs FastPath with state information using API
    • Packets then flow through FastPath, bypassing SlowPath but still going through IPS
    • IPS updates connection verdict in SlowPath to update FastPath
    • Packets now fully flow through the FastPath

    Checking FastPath Offload

    • The system firewall-acceleration show command can be used on an XGS device to check whether FastPath acceleration is enabled.
    • The usfp_table_print.sh worker_sys_cnt command shows the number of packets offloaded using FastPath.
    • To verify whether a connection used FastPath, run the conntrack command in the advanced shell: if the connection has a FastPath ID, it was offloaded; otherwise it shows “NOT_OFFLOADED”.

    Improving FastPath Usage with Policy

    • Traffic matching firewall rules with no DPI processes or IPS/SophosLabs offload signatures can be offloaded straight into FastPath.
    • Traffic with an IPS policy set to "bypass session" can also be offloaded to FastPath.

    Scenario 1 - Introduction

    • Small business setup
    • The default firewall rules will be used; however, updates to the rules are needed to improve functionality

    Scenario 1 - Rules

    • Rule for allowing web access for employees that will use a custom IPS and Web Policy.
    • Rule to allow servers and hardware that cannot authenticate against the Firewall.
    • Rule for guests to access the internet.

    Scenario 2 - Introduction

    • Multiple VLANs; security, compliance
    • Focus on efficient traffic shaping
    • Rules include: guest internet access, FTP with QoS, P2P traffic block, and employee web browsing.
    • Adding rule for server access, server updates, WAN-DMZ access, and LAN-DMZ access.

    Scenario 2 - Rules

    • More rules in a larger network
    • Additional rules will be needed for VLANs requiring access
    • Rules will be further down the list

    Description

    Explore the features and framework of Sophos Firewall version 19.0v1. This quiz covers advanced firewall rule management, prerouting, routing, forwarding, and postrouting functionalities. Test your knowledge on the XStream architecture and its high-performance capabilities.
