Sophos Firewall Rule Management PDF

Summary

This document provides a detailed explanation of Sophos Firewall rule management, including packet flow, FastPath, and firewall rule ordering for performance and protection. It includes diagrams and tables to illustrate the concepts.

Full Transcript


Advanced Firewall Rule Management on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW2010: Advanced Firewall Rule Management on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Firewall Rule Management on Sophos Firewall - 1

Advanced Firewall Rule Management on Sophos Firewall

In this chapter you will learn how packets flow through the firewall, how they are offloaded to the FastPath, and how to order firewall rules for performance and protection.

Recommended knowledge and experience: creating and managing firewall rules
Duration: 28 minutes

Firewall Framework

[Diagram: forwarded packet flow. Incoming packets enter PREROUTING (1. RAW packet processing, 2. Conntrack, 3. Mangle, 4. DNAT), then ROUTING, then FORWARD (5. Filter), then POSTROUTING (6. Mangle, 7. Filter, 8. Conntrack, 9. NAT), and leave as outgoing packets. Tables: Packet Filter, NAT.]

When configuring firewalls, it is useful to consider how packets flow through the device and are processed. Over the coming slides, we will look at the general firewall framework, and then more specifically at the architecture and FastPath.

In this first example we will consider the packet flow for traffic being forwarded through the device, either inbound or outbound. Firewall subsystems offer a way to intercept and manipulate packets at different positions in the network stack in order to implement the firewall functionality. These subsystems are:

- Prerouting
- Forwarding
- Postrouting

[Additional Information]

PREROUTING
- Protocol anomaly checks are performed on incoming packets. If necessary, fragmented packets are reassembled prior to these checks.
- After the anomaly checks, packets are processed through the DoS and spoof prevention modules. If the traffic is for the local loopback interface or the HA dedicated interface, the packets bypass the DoS and spoof check.
- In the next stage packets are submitted to the connection tracking module (Conntrack). If a packet doesn't match an existing connection, a new entry is created. If the packet matches an existing connection, the packet is associated with it. If the connection is related (e.g., an FTP data connection), a child connection entry is added and associated with its parent connection entry.
- The packet is associated with a user ID based on the source IP address.
- The packet state is inspected, and packets with an invalid state are dropped.
- For the first packet in a connection the link ID is set as per the configured routes for multilink management, then the packet is associated with its destination zone.
- DNAT rules are applied.

FORWARD
- Packets undergo application classification and are associated with an application where possible.
- The packets pass through the packet filter based on the firewall rules.
- If the packet is accepted it is submitted to the IPS if IPS is applied to the matching firewall rule; otherwise it goes straight to POSTROUTING.

POSTROUTING
- If the packet is the first in the connection, the masquerading and SNAT policies are checked and applied to the packet. For existing connections, the already matched NAT policy is used.
- The connection tracking module entries are updated.
- If HA load balancing is enabled, the packet is sent to the load balancer.
- Finally, Quality of Service is applied.

Firewall Framework

[Diagram: packet flow for traffic that terminates on or is generated by the device. Incoming packets enter PREROUTING (1. RAW packet processing, 2. Conntrack, 3. Mangle, 4. DNAT), then ROUTING. System-destined packets pass through INPUT (5. Mangle, 6. Filter, 7. Conntrack) to the local processes (Apache, SSL VPN, Access Server, Proxy, HTTP Proxy, IPsec, WAF, Mail AV). System-generated packets pass through OUTPUT (8. Conntrack, 9. NAT, 10. Mangle, 11. Filter) and ROUTING, then POSTROUTING (12. Mangle, 13. Filter, 14. Conntrack, 15. NAT), and leave as outgoing packets. Tables: Packet Filter, NAT.]

This scenario shows how the Sophos Firewall interacts with traffic that terminates on the device and new traffic generated by the device, either inbound or outbound. For example, traffic for Web Server Protection terminates on the Sophos Firewall on a virtual server, and a new onward connection is made to the backend server that is being protected. The subsystems in this example are:

- Prerouting
- INPUT (system-destined)
- OUTPUT (system-generated)
- Postrouting

[Additional Information]

PREROUTING
- The prerouting module performs all the same functions as if the packet were being forwarded through the firewall, as in the previous example.

INPUT
- The INPUT module applies to all packets that are destined for the device.
- The packets pass through the packet filter based on the firewall rules defined.
- If the packet is accepted by the firewall it is directed to the IPS and application filter.
- The connection tracking module entries are updated.
- If the HA load balancer is configured it processes the packet; otherwise the packet is submitted to the local processes.

OUTPUT
- The OUTPUT module applies to traffic that is generated by the device.
- Packets are submitted to the connection tracking module (Conntrack). If the packet doesn't match an existing connection, a new entry is created. If the packet matches an existing connection, the packet is associated with it. If the connection is related (e.g., an FTP data connection), a child connection entry is added and associated with its parent connection entry.
- DNAT rules are applied to the packet.
- The packets pass through the packet filter based on the firewall rules defined.
- The packet is submitted to the IPS if IPS is applied to the matching firewall rule; otherwise it goes straight to POSTROUTING.

POSTROUTING
- The postrouting module performs all the same functions as if the packet were being forwarded through the firewall, as in the previous example.

Xstream Architecture

[Diagram: three pillars. SSL Inspection: high-performance, high-connection-capacity inspection across all ports, protocols and applications; enterprise-grade controls to optimize security, privacy and performance; support for TLS 1.3 and all modern cipher suites. DPI Engine: comprehensive threat protection in a single high-performance streaming DPI engine; proxy-less scanning of traffic for AV, IPS, web threats, application control and SSL inspection; decrypting traffic provides more effective protection from pattern-changing applications. Network Flow FastPath: intelligent offloading of traffic processing to transfer trusted traffic at wire speeds; offloading can be controlled through policy or intelligently by the DPI engine based on traffic characteristics to accelerate important cloud application traffic.]

The Sophos Firewall Xstream architecture is a streaming packet processing architecture that provides extreme levels of protection and performance. The architecture includes:

- Xstream SSL Inspection: high-performance, high-connection-capacity support for TLS 1.3 and all modern cipher suites, providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance.
- Xstream DPI Engine: deep packet threat protection in a single high-performance streaming engine, with proxy-less scanning of all traffic for antivirus, IPS, and web threats, as well as providing application control and SSL inspection.
- Xstream Network Flow FastPath: provides automatic and policy-based intelligent offloading of trusted traffic processing at wire speed.

Initial Connection

[Diagram: three components. Firewall Stack: connection management; allow, block and secure decisions; DoS and QoS; SSL policy and inspection. DPI Engine: streaming DPI processing; intelligent offloading; proxy-less web filtering. FastPath: virtual or hardware accelerated FastPath; forwarding packets, offloading L2 and L3; direct delivery to the DPI engine. The initial connection is handled by the firewall stack.]

Let's look at how traffic flows through the Xstream architecture. When a connection is initialized, it is processed by the firewall stack, which decides whether it should be allowed, provides protection against denial-of-service attacks, and applies quality of service rules to it.

Full FastPath Offload

[Diagram: the same three components; the allowed connection is now handled by the FastPath.]

Once the connection is allowed it can be offloaded to the FastPath, speeding up the flow to wire speeds. How does it know to do this? If we look at the packets that pass through the firewall as part of a connection, we notice that the data looked at by packet filtering always remains the same for a connection: things like the source and destination IPs as well as the ports in use. When this is matched to a firewall rule, we know that any additional packets in that connection will have the same information and will match the same rule every time. Because of this, we can mark this information on the connection and skip this processing.

Initial Packet Delivery to DPI Engine

[Diagram: the same three components; the initial packets go from the firewall stack to the DPI engine and back.]

Where traffic needs to be scanned using the DPI engine, the initial packets flow through the firewall stack and then on to the DPI engine before returning to the firewall stack for delivery.

Firewall Offload

[Diagram: the same three components; the FastPath now delivers packets directly to the DPI engine.]

Once the initial connection is made, the FastPath can offload to the DPI engine, cutting out the firewall stack for improved performance.

Full FastPath Offload

[Diagram: the same three components; all processing is now on the FastPath.]

Once the stream is known to be safe, all processing can be offloaded to the FastPath.
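The offload idea above, that the fields the packet filter looks at are constant for the life of a connection, so the first packet's rule match can be stored on the connection and reused, modelled in Python together with the "already matched NAT policy is used" behaviour from the POSTROUTING notes. This is an added example, not Sophos code: the Rule, Packet and Firewall classes, the rule set and every address and port are constructed for illustration.

```python
"""Stateful connection tracking with a cached per-connection verdict (added
illustration, not Sophos code). The first packet of a connection is matched
against the rule list (SlowPath); the matching rule and its SNAT decision are
stored on the conntrack entry, and later packets in either direction reuse
that entry without rule evaluation (the FastPath idea). Flows whose rule
needs DPI are still handed to the DPI engine. All rules, addresses and
packets are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dport: Optional[int] = None
    dpi: bool = False            # IPS/AV/TLS inspection needed: not fully offloadable
    snat: Optional[str] = None   # masquerade outbound traffic to this address

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and self.dport in (None, p.dport))


@dataclass
class ConnEntry:
    rule: Rule
    orig: Tuple5    # original direction, before NAT
    reply: Tuple5   # reply direction as seen on the wire, i.e. after SNAT


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.table: Dict[Tuple5, ConnEntry] = {}   # both tuples map to one entry
        self.stats = {"rules_evaluated": 0, "fastpath_only": 0,
                      "fastpath_to_dpi": 0, "dropped": 0}

    def _first_match(self, p: Packet) -> Optional[Rule]:
        return next((r for r in self.rules if r.matches(p)), None)  # None: implicit deny

    def process(self, p: Packet) -> Tuple[str, Packet]:
        """Return (verdict, packet as it would leave the firewall)."""
        entry = self.table.get(p.key())
        if entry is None:
            # First packet of a connection: full rule evaluation on the SlowPath.
            self.stats["rules_evaluated"] += 1
            rule = self._first_match(p)
            if rule is None or rule.action == "deny":
                self.stats["dropped"] += 1
                return ("deny", p)
            reply = (p.proto, p.dst, p.dport, rule.snat or p.src, p.sport)
            entry = ConnEntry(rule, p.key(), reply)
            self.table[p.key()] = entry
            self.table[reply] = entry
        elif entry.rule.dpi:
            self.stats["fastpath_to_dpi"] += 1   # cached verdict, delivered straight to DPI
        else:
            self.stats["fastpath_only"] += 1     # cached verdict, no host processing at all
        # Apply the NAT decision stored on the entry, in the right direction.
        if p.key() == entry.orig:
            return ("allow", Packet(p.proto, entry.reply[3], p.sport, p.dst, p.dport))
        return ("allow", Packet(p.proto, p.src, p.sport, entry.orig[1], entry.orig[2]))


RULES = [
    Rule("Block telnet", "deny", proto="tcp", dport=23),
    Rule("Employee web", "allow", proto="tcp", src="172.16.16.0/24", dport=443,
         dpi=True, snat="192.168.29.14"),
    Rule("DNS out", "allow", proto="udp", src="172.16.16.0/24", dport=53,
         snat="192.168.29.14"),
]


def run_sample() -> dict:
    """Push three constructed flows through the model and report what happened."""
    fw = Firewall(RULES)
    client, server, wan = "172.16.16.17", "50.16.7.188", "192.168.29.14"
    packets = [
        Packet("udp", client, 51000, "8.8.8.8", 53),   # DNS query
        Packet("udp", "8.8.8.8", 53, wan, 51000),      # DNS reply, addressed to the SNAT IP
        Packet("udp", client, 51000, "8.8.8.8", 53),   # second query on the same flow
        Packet("tcp", client, 65119, server, 443),     # HTTPS; its rule needs DPI
        Packet("tcp", server, 443, wan, 65119),
        Packet("tcp", client, 65119, server, 443),
        Packet("tcp", client, 40000, server, 23),      # telnet: denied, nothing cached
        Packet("tcp", client, 40000, server, 23),
    ]
    verdicts = [fw.process(p)[0] for p in packets]
    return {"verdicts": verdicts, "stats": fw.stats, "connections": len(fw.table) // 2}
```

run_sample() shows one rule evaluation per connection: the DNS flow's later packets, including the reply arriving at the SNAT address, are served from the cached entry; the HTTPS flow's later packets skip the rules but still reach the DPI engine because its rule requires inspection; and the denied telnet attempts are evaluated every time because no entry is created for them.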
FastPath Offloading

[Diagram: component model. The DPI Engine (App, TLS/SSL, IPS, AV, Web) sits above the SlowPath (DoS, VPN, FW, VPN, QoS) and the Data Acquisition (DAQ) layer, with the FastPath below.]

The DPI engine will offload as much traffic as possible to the FastPath, either entirely or those functions that have been completed; however, there are conditions where the DPI engine cannot fully offload to the FastPath, such as when there is TLS traffic that matches a decryption rule.

Let's look at an example using this component model where TLS inspection, application control and IPS are enabled. When the traffic first comes into the Sophos Firewall, it must be processed by the SlowPath, which is responsible for:

- Determining how to forward each incoming packet
- Applying denial-of-service (DoS) protection
- Performing ingress decapsulation, including for VPNs
- Applying firewall policy
- Performing egress decapsulation
- Enforcing quality of service (QoS)

The DPI engine inspects traffic from a layer-4 and above perspective. It uses a data acquisition (DAQ) layer, which, among other things, provides a high-speed mechanism for moving packets in and out of the system with zero copy.

FastPath Offloading

[Diagram: the flow is classified, and the DoS, VPN and firewall actions are offloaded from the SlowPath to the FastPath.]

The firewall sees both directions of the flow and uses this in the classification. Once it has classified the flow, it can offload its decisions to the FastPath.

FastPath Offloading

[Diagram: the offloaded DoS, VPN, FW, VPN and QoS decisions now sit in the FastPath, which delivers traffic to the DPI engine through the DAQ layer.]

Offloaded decisions are cached so they can be applied to the traffic without having to use the SlowPath. The FastPath delivers subsequent traffic directly to the DPI engine through zero copy using the data acquisition layer. Since the traffic in this example is in a TLS connection, the DPI engine must modify the traffic in order to carry out man-in-the-middle inspection of it. However, once a TLS connection has been even slightly modified, the Sophos Firewall must continue to modify the traffic throughout the lifetime of the connection, or the connection will be aborted.

FastPath Offloading

[Diagram: the application has been identified, and IPS determines that there are no files for AV to scan and that the flow is trustworthy.]

In this example, the application has been identified and IPS has identified that there are no files for AV to scan, so AV will not be required from this point. Now let's assume that the IPS determines that the flow is trustworthy and it can be offloaded.

FastPath Offloading

[Diagram: final offload state; categorization and IPS decisions are cached, and the TLS module remains in the path.]

At this point categorization and IPS decisions have been cached; however, traffic for the connection must still pass through the TLS module in order to keep traffic flowing. So this is the final offload state of the connection: firewalling and categorization decisions are offloaded to the FastPath, but the DPI engine must still process the traffic due to its involvement in the cryptographic processing.

Virtual FastPath vs. Network Flow FastPath

[Diagram: Virtual FastPath (VFP) on the XG Series and on virtual and software firewalls: the network chips connect to the CPU, which performs the FastPath processing. Network Flow FastPath (NFP) on the XGS Series: the network chips connect to an Xstream Flow Processor, which connects to the CPU.]

In the XG series and with virtual and software firewalls we used a virtual FastPath that is processed by the CPU.
The XGS series includes an Xstream Flow Processor that sits between the physical ports and the CPU, with a PCIe (PCI Express) interconnect between them. The Xstream Flow Processor handles the traffic that is offloaded to the FastPath, reducing the load on the CPU for other tasks that cannot be offloaded.

XGS Series FastPath Flow | Initial Packets

[Diagram: the CPU runs IPS (with its DAQ) and the SlowPath, connected by the IPS API; the SlowPath talks to the FastPath on the Xstream Flow Processor over PCI Express through the FP2SP and SP2FP APIs. The initial packets go to the SlowPath and to IPS.]

We will now look at what the packet flow looks like with the Xstream Flow Processor. The initial packets of a connection will always flow through the SlowPath and may also flow through IPS, as in the example here.

[Additional Information]
NOTE: DAQ stands for Data Acquisition.

XGS Series FastPath Flow | Initial Packets

[Diagram: the SlowPath programs the FastPath with relevant state information, e.g., GOTO IPS.]

Once the SlowPath has gathered enough information about the connection it can program the FastPath with the state information using an API.

XGS Series FastPath Flow | FastPath Offload to IPS

[Diagram: packets flow from the FastPath directly to IPS, bypassing the SlowPath.]

Now the packets are flowing through the FastPath, bypassing the SlowPath, but still going through IPS.

XGS Series FastPath Flow | FastPath Offload to IPS

[Diagram: IPS updates the connection verdict, e.g., CUT THROUGH.]

Once IPS has enough information about the connection it can update the connection verdict in the SlowPath through an API, and the SlowPath can update the FastPath with this new information.

XGS Series FastPath Flow | FastPath Offload

[Diagram: packets flow entirely through the FastPath.]

The packets can now fully flow through the FastPath.

XGS Series FastPath Flow | Hand Back to SlowPath

[Diagram: the FastPath can update the SlowPath to hand a connection back.]

It is also possible for the FastPath to hand a connection back to the SlowPath if it falls outside of predefined boundaries. This allows the SlowPath to gather more information about the connection before offloading to the FastPath again.

Checking FastPath Offload

console> system firewall-acceleration show
Firewall Acceleration is Enabled in Configuration.
Firewall Acceleration is Loaded.
console>

If you want to check whether traffic is being offloaded to the FastPath on an XGS series device, start by checking that firewall acceleration is enabled. On the console, use the command:

system firewall-acceleration show

You can also use the system firewall-acceleration command to enable and disable the FastPath.
Checking FastPath Offload

XGS2100_RL01_SFOS 18.5.0 EAP3-Build247# conntrack -L
proto=tcp proto-no=6 timeout=10796 state=ESTABLISHED orig-src=172.16.16.17 orig-dst=50.16.7.188 orig-sport=65119 orig-dport=443 packets=24 bytes=11840 reply-src=50.16.7.188 reply-dst=192.168.29.14 reply-sport=443 reply-dport=65119 packets=22 bytes=5389 [ASSURED] mark=0x8001 use=1 id=2395119104 masterid=0 devin=Port1 devout=Port2 nseid=16777233 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=5 natid=2 fw_action=1 bwid=0 appid=100 appcatid=5 hbappid=0 hbappcatid=0 dpioffload=0x3f sigoffload=0 inzone=1 outzone=2 devinindex=10 devoutindex=11 hb_src=0 hb_dst=0 flags0=0x800a0000200008 flags1=0x5c106804000 flagvalues=3,21,41,43,55,78,87,89,90,96,102,103,104,106 catid=6 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=7c:5a:1c:bc:06:ae src_mac=e8:d8:d1:45:62:89 startstamp=1617256585 microflowid=5777 microflowrev=0 microflowid=5916 microflowrev=0 hostrev=3 hostrev=3 ipspid=0 diffserv=0 loindex=11 tlsruleid=0 ips_nfqueue=1 sess_verdict=2 gwoff=0 cluster_node=0 current_state=13 current_state=13 vlan_id=0 inmark=0x0 brinindex=0 sessionid=82 sessionidrev=22265 session_update_rev=12 dnat_done=0 upclass=0:0 dnclass=0:0 pbrid_dir0=0 pbrid_dir1=0 nhop_id=8 nhop_id=10 nhop_rev=0 nhop_rev=0 conn_fp_id=74 conn_fp_rev=0

To check a specific connection, you can use conntrack on the advanced shell. If a connection has a connection FastPath ID (conn_fp_id) then it has been offloaded to the FastPath. If it has not been offloaded, it will say 'NOT_OFFLOADED'.

Checking FastPath Offload

XGS2100_RL01_SFOS 18.5.0 EAP3-Build247# usfp_table_print.sh worker_sys_cnt
FPCNTR_RX_WIRE : 570376
FPCNTR_RX_KN : 96262
FPCNTR_RX_IPS : 8220
FPCNTR_RX_INJECT : 1231
FPCNTR_TX_DROP : 12
FPCNTR_TX_WIRE : 495911
FPCNTR_TX_KN : 171046
FPCNTR_TX_IPS : 9120
FPCNTR_FROM_WIRE_TO_KN_FORCED : 1928
FPCNTR_FROM_WIRE_TO_KN_NON_ACCEL : 541
FPCNTR_FROM_WIRE_TO_KN_FW_REV_MISMATCH : 79
FPCNTR_FROM_WIRE_TO_KN_CONN_REV_MISMATCH : 1
FPCNTR_FROM_WIRE_TO_KN_CONN_RECLAIM_PENDING : 2
FPCNTR_FROM_WIRE_TO_KN_CONN_RECLAIMED : 16
FPCNTR_FROM_WIRE_TO_KN_TCP_FIN_SYN_RST : 29
FPCNTR_FROM_WIRE_TO_KN_MFLOW_NOT_ACTIVE : 168449
FPCNTR_FROM_WIRE_TO_IPS_INSPECT : 9120
FPCNTR_FROM_WIRE_TO_WIRE_VERDICT_CUT_THRU : 390210
FPCNTR_FROM_INJECT_DROP_MFLOW_REV_MISMATCHED : 2
FPCNTR_FROM_INJECT_DROP_MFLOW_NOT_ACTIVE : 10
FPCNTR_FROM_INJECT_TO_WIRE : 1219
FPCNTR_FROM_KN_TO_WIRE : 96262
FPCNTR_FROM_IPS_TO_WIRE : 8220

You can also review the counters that show how many packets are being offloaded to the FastPath. On the advanced shell use the command:

usfp_table_print.sh worker_sys_cnt

The WIRE_TO_WIRE counter shows traffic that has been fully offloaded to the FastPath.

FastPath and tcpdump

console> tcpdump "proto 1"
07:01:39.890534 Port1, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 375, length 40
07:01:39.917063 Port1, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 375, length 40
07:01:39.917067 oct0, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 375, length 40
07:01:40.912820 Port1, IN: IP 172.16.16.17 > 8.8.8.8: ICMP echo request, id 1, seq 376, length 40
07:01:40.939961 Port1, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 376, length 40
07:01:40.939969 oct0, OUT: IP 8.8.8.8 > 172.16.16.17: ICMP echo reply, id 1, seq 376, length 40

There are two important things to note about the FastPath.
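A small parser for the two checks above, written here as an added example rather than a Sophos tool: it reads conntrack entries and reports whether each connection carries a FastPath id, and it reads the usfp_table_print.sh counters and works out how much wire traffic was cut through versus handed to the kernel, and why. The first conntrack line (abridged) and the counter values are taken from the output shown above; the second conntrack line is constructed, and its conn_fp_id=NOT_OFFLOADED value assumes that a non-offloaded entry prints that token where the text says 'NOT_OFFLOADED' appears.

```python
"""Parsers for the two FastPath checks shown above: conntrack entries, where a
numeric conn_fp_id means the connection has been offloaded, and the
usfp_table_print.sh worker_sys_cnt counters. Added example, not a Sophos
tool. The first conntrack line (abridged) and the counter block are taken from
the output reproduced in this document; the second conntrack line is
constructed, and the literal conn_fp_id=NOT_OFFLOADED form is an assumption
based on the text."""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONNTRACK = """\
proto=tcp proto-no=6 timeout=10796 state=ESTABLISHED orig-src=172.16.16.17 orig-dst=50.16.7.188 orig-sport=65119 orig-dport=443 packets=24 bytes=11840 reply-src=50.16.7.188 reply-dst=192.168.29.14 reply-sport=443 reply-dport=65119 packets=22 bytes=5389 [ASSURED] mark=0x8001 use=1 id=2395119104 devin=Port1 devout=Port2 fwid=5 natid=2 fw_action=1 dpioffload=0x3f inzone=1 outzone=2 tlsruleid=0 sess_verdict=2 conn_fp_id=74 conn_fp_rev=0
proto=udp proto-no=17 timeout=30 orig-src=172.16.16.20 orig-dst=8.8.8.8 orig-sport=51000 orig-dport=53 packets=1 bytes=60 reply-src=8.8.8.8 reply-dst=192.168.29.14 reply-sport=53 reply-dport=51000 packets=1 bytes=120 devin=Port1 devout=Port2 fwid=2 natid=2 fw_action=1 conn_fp_id=NOT_OFFLOADED
"""

SAMPLE_COUNTERS = """\
FPCNTR_RX_WIRE : 570376
FPCNTR_RX_KN : 96262
FPCNTR_RX_IPS : 8220
FPCNTR_RX_INJECT : 1231
FPCNTR_TX_DROP : 12
FPCNTR_TX_WIRE : 495911
FPCNTR_TX_KN : 171046
FPCNTR_TX_IPS : 9120
FPCNTR_FROM_WIRE_TO_KN_FORCED : 1928
FPCNTR_FROM_WIRE_TO_KN_NON_ACCEL : 541
FPCNTR_FROM_WIRE_TO_KN_FW_REV_MISMATCH : 79
FPCNTR_FROM_WIRE_TO_KN_CONN_REV_MISMATCH : 1
FPCNTR_FROM_WIRE_TO_KN_CONN_RECLAIM_PENDING : 2
FPCNTR_FROM_WIRE_TO_KN_CONN_RECLAIMED : 16
FPCNTR_FROM_WIRE_TO_KN_TCP_FIN_SYN_RST : 29
FPCNTR_FROM_WIRE_TO_KN_MFLOW_NOT_ACTIVE : 168449
FPCNTR_FROM_WIRE_TO_IPS_INSPECT : 9120
FPCNTR_FROM_WIRE_TO_WIRE_VERDICT_CUT_THRU : 390210
FPCNTR_FROM_INJECT_DROP_MFLOW_REV_MISMATCHED : 2
FPCNTR_FROM_INJECT_DROP_MFLOW_NOT_ACTIVE : 10
FPCNTR_FROM_INJECT_TO_WIRE : 1219
FPCNTR_FROM_KN_TO_WIRE : 96262
FPCNTR_FROM_IPS_TO_WIRE : 8220
"""

TOKEN = re.compile(r"(\S+?)=(\S+)")
COUNTER = re.compile(r"^\s*(FPCNTR_\w+)\s*:\s*(\d+)\s*$")


def parse_conntrack_entry(line: str) -> Dict[str, List[str]]:
    """Split one conntrack line into key=value tokens. Keys that occur twice
    (packets/bytes for each direction) are kept in order as a list."""
    fields: Dict[str, List[str]] = {}
    for key, value in TOKEN.findall(line):
        fields.setdefault(key, []).append(value)
    return fields


def offload_status(fields: Dict[str, List[str]]) -> str:
    fp_id = fields.get("conn_fp_id", ["NOT_OFFLOADED"])[0]
    if not fp_id.isdigit():
        return "NOT_OFFLOADED"
    return "fastpath id %s rev %s" % (fp_id, fields.get("conn_fp_rev", ["?"])[0])


def summarize_connections(text: str) -> List[dict]:
    """One summary per non-empty line: who talks to whom, whether the reply is
    addressed to a translated (SNAT) address, the rule id and the offload state."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_conntrack_entry(line)
        rows.append({
            "proto": f["proto"][0],
            "orig": "%s:%s -> %s:%s" % (f["orig-src"][0], f["orig-sport"][0],
                                        f["orig-dst"][0], f["orig-dport"][0]),
            "snat": f["reply-dst"][0] != f["orig-src"][0],
            "fwid": int(f["fwid"][0]),
            "offloaded": offload_status(f) != "NOT_OFFLOADED",
        })
    return rows


def parse_counters(text: str) -> Dict[str, int]:
    return {m.group(1): int(m.group(2))
            for m in (COUNTER.match(line) for line in text.splitlines()) if m}


def summarize_counters(counters: Dict[str, int]) -> dict:
    """Share of wire-received packets fully cut through on the FastPath, and the
    biggest reason packets were sent to the kernel (SlowPath) instead."""
    rx = counters["FPCNTR_RX_WIRE"]
    cut = counters.get("FPCNTR_FROM_WIRE_TO_WIRE_VERDICT_CUT_THRU", 0)
    to_kn = {k: v for k, v in counters.items() if k.startswith("FPCNTR_FROM_WIRE_TO_KN_")}
    top: Optional[Tuple[str, int]] = max(to_kn.items(), key=lambda kv: kv[1]) if to_kn else None
    return {"rx_wire": rx, "cut_through": cut,
            "cut_through_ratio": round(cut / rx, 3) if rx else 0.0,
            "to_ips": counters.get("FPCNTR_FROM_WIRE_TO_IPS_INSPECT", 0),
            "top_slowpath_reason": top}
```

On the counter block shown above, summarize_counters reports that roughly 68% of wire-received packets were cut through, and that by far the most common reason for sending a packet to the kernel was MFLOW_NOT_ACTIVE, which is the counter to watch when a flow you expected to be offloaded keeps landing on the SlowPath. summarize_connections also flags the reply-dst/orig-src mismatch on the first entry, i.e. the SNAT applied to that connection.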
First, if you use tcpdump the traffic will not be offloaded to the FastPath. This is to provide full visibility into the traffic so that tcpdump operates properly. Second, as the physical ports are connected to the Xstream Flow Processor, which is then connected to the CPU via PCIe, the ports are virtual interfaces. This means that you will see traffic going to the virtual port and then through the hardware connection to the Xstream Flow Processor.

Improving FastPath Usage With Policy

[Slide list: traffic that matches a firewall rule with no DPI processes enabled.]

With a better understanding of how offloading to the FastPath works, we can start to consider how to make the best use of it. Where possible, try to process traffic so that it matches only the required security processes. The goal for all the scenarios is that the FastPath eventually becomes the ultimate path for a connection, where it no longer uses host CPU cycles but rather uses the NPU.

To start, if there is traffic that matches a firewall rule with no DPI processes, this traffic can normally be offloaded right away, as the firewall does not have to perform any complex scanning on it.

Improving FastPath Usage With Policy

[Slide list adds: traffic that matches IPS rules with SophosLabs offload signatures enabled; traffic that matches a firewall rule with an IPS policy set to 'bypass session'.]

Similarly, if the firewall rule that is matched has SophosLabs offload signatures, then the firewall knows that this traffic can be offloaded to the FastPath right away. The same goes for traffic that matches a policy with the IPS policy set to bypass session.

Improving FastPath Usage With Policy

[Slide list adds: traffic that does not require TLS decryption.]

If the traffic does not require TLS decryption, then it is possible to offload the entire stream. While this may or may not happen, it is best to group this traffic together with a firewall rule for maximum efficiency with the FastPath.

Improving FastPath Usage With Policy

[Slide list adds: traffic that matches a firewall rule with application control.]

If the traffic matches a firewall rule with application control as one of the conditions, this results in a FastPath offload where the initial part of the TCP session goes through the SlowPath; once the IPS engine identifies the application, and if that application is allowed according to the policy, the firewall offloads the connection to the NPU.

Improving FastPath Usage With Policy

[Slide list adds: traffic that is not using the legacy web proxy. The complete list: traffic that matches a firewall rule with no DPI processes enabled; traffic that matches IPS rules with SophosLabs offload signatures enabled; traffic that matches a firewall rule with an IPS policy set to 'bypass session'; traffic that does not require TLS decryption; traffic that matches a firewall rule with application control; traffic that is not using the legacy web proxy.]

Any traffic that uses the legacy web proxy cannot be offloaded to the FastPath. This is important to know, as rules that use the legacy web proxy will most likely process slower over time than those that take advantage of the new DPI engine.

Firewall Rules

In smaller environments and those with limited IT staff, simple global rules make for easy configuration of the Sophos Firewall. By creating 'allow all' outbound rules and relying on the stateful aspect of the firewall, users can access any resource on the Internet using any port and protocol. While this is easy and can prevent some headaches related to application functionality, it is not the most secure route to take. The reason is that if users can get anywhere, so can an intruder. This could be a compromised computer attempting to use a remote access trojan (RAT) to call home, or a man-in-the-middle (MitB) attack where a hacker has taken control of the browsing session of an unsuspecting user. It could also be a 'guest' on the network attempting to use the company Internet for less-than-business purposes. Whatever the reason, additional steps could help to prevent certain attacks.

Firewall Rules

By creating more specific firewall rules that are tied to specific zones, and even subnets and users, firewall rules can be a first line of defense. Additionally, the processing of firewall rules uses minimal resources, so being able to drop packets at this stage helps boost Sophos Firewall performance by not passing packets to other, more resource-intensive modules for scanning.

When building firewall rules, create rules that are specific to zones and networks and only allow the protocols necessary for the users or applications to do their work. Some zones may need more open rules, while others can be locked down more strictly.
While doing the initial configuration, you can leave the catch-all allow rule at the bottom and use the firewall log to see what is still hitting that rule. This way, you can build up the rules slowly and be confident that you will not prevent users from being able to work. When configuring firewall rules the broad approach is: The more specific the rule, the closer to the top the rule should be Rules that are processed more often should be above other rules so that the system gets to them sooner Unless it is a catch-all, deny rules should be at the top for security Advanced Firewall Rule Management on Sophos Firewall - 33 Scenario 1 - Introduction Guest Wi-Fi WAN LAN Let’s look at some examples. In our first example, we will consider a small business. They have a single subnet and started with the default firewall rules put in place by the initial setup wizard. They need to add to and update the rules in order to increase the security and functionality of the firewall. To support their requirements, the following rules will need to be created: A rule to apply web protection for the employees A rule to allow guests to browse the Internet via the guest wireless network (Sophos wireless separate zone) A rule for servers and other hardware that cannot authenticate as a standard user The default rule will remain as a catch-all for any traffic that is not covered by the above rules. Advanced Firewall Rule Management on Sophos Firewall - 34 Scenario 1 - Rules The setup wizard will create a default rule which allows all traffic out. The issue with this is that we cannot treat various types of traffic differently for the purpose of scanning and access control. Additionally, any guest users would be allowed out unchecked. To increase our security and control, we will create some additional rules. We will look at these in the order they should be listed in the firewall (they can be created in any order). 
First, we will create a rule that will allow employees to access the Internet. We want this one higher in the list as it will most likely be used a lot by the users. By having it higher up, it will save the firewall from having to evaluate other rules before reaching it. We want to make sure to enable user identity to ensure that non-employees and devices do not use the rule. This will give us a rule that we can add a custom IPS and web policy to as well as other policies in the future. Advanced Firewall Rule Management on Sophos Firewall - 35 Scenario 1 - Rules Next, we will create a rule to target the servers and other devices that cannot authenticate against the firewall. As our example is a small business, they do not have a lot of these types of devices so we can create the rule using IP-lists or Hosts to target these devices. This rule will be placed below the web rule as it will most likely not be as popular as the user web rule. Again, we will be able to apply custom security policies to this rule to protect the servers and devices. Advanced Firewall Rule Management on Sophos Firewall - 36 Scenario 1 - Rules Now we will create a rule to allow guests that connect to our guest wireless access to the Internet. Because we are using a separate zone deployment from the firewall, the connections are placed into their own subnet in the firewall. We want to ensure that these guests cannot access the internal network and only the Internet. Additionally, by separating these non-employees, we can assign more stringent security policies as they will not affect our user's ability to perform their day- to-day tasks. Advanced Firewall Rule Management on Sophos Firewall - 37 Scenario 1 - Rules Finally, we will update the default rule with the option to match user identity. By doing this, we will limit who will end up using this rule and it will ensure that random people that connect to the network will not be able to access the Internet easily. 
This rule will still give open access to the Internet for employees, so we will need to ensure that we have good security policies in place and that we monitor the access.

Scenario 2 - Introduction

[Diagram: Users VLAN, DMZ, Guest VLAN, WAN, Employee Wi-Fi, Server VLAN, VoIP VLAN]

In our second example, we will consider a larger business. This business has multiple VLANs and must meet certain compliance regulations. Because of this, they are more concerned with security. Additionally, they want to better manage their bandwidth, and the rules should allow for traffic shaping policies to be applied.

To support their requirements, the following rules will need to be created:
- A rule to allow guests to access the Internet over the guest VLAN
- A rule to allow FTP so that a QoS policy can be applied to it
- A block rule for P2P traffic
- A rule for employee web browsing
- A rule for their VOIP phones
- A rule to allow servers in the server VLAN to access the Internet for updates
- A rule to allow WAN to DMZ access for shared resources
- A rule to allow LAN to DMZ access so employees can use the shared resources

For our purposes, we will limit the number of rules to the above for this example, although a large enterprise may have many more firewall rules in order to meet their security needs.

Scenario 2 - Rules

Rule list so far:
1. Catch All rule

To get started, we have a block rule that needs to be created. As a general practice, block rules should be placed as high up in the list as possible. This way they are processed first, before any other rule has a chance to allow the traffic. Additionally, we will create a catch-all rule with strict settings for any traffic that does not match a firewall rule. By doing this, we can enforce strong policies and control what traffic is allowed in or out. As we proceed through the examples, pay attention to the icons to the right of the rules as well as the other information.
Scenario 2 - Rules

Rule list so far:
1. A block rule for P2P traffic
2. Catch All rule

In larger networks, it is common to see the network divided into various subnets for management and efficiency. Often, these subnets take the form of VLANs and make it very easy for administrators to manage the members. For businesses running voice over IP, the VoIP phones and equipment often have their own VLAN that they reside in. We will want to create a rule for this VLAN as high up as possible. We want to ensure speedy processing of this traffic to avoid any delays on calls, and this will allow us to apply proper security and QoS to these devices.

Scenario 2 - Rules

Rule list so far:
1. A block rule for P2P traffic
2. A rule for their VOIP phones
3. A rule for employee web browsing
4. Catch All rule

Just like in our previous example, we will create a rule for web traffic since it is very popular in businesses. It is something that often needs to be controlled and secured. Again, because of the rule's high use, we want it near the top for processing.

Scenario 2 - Rules

Rule list so far:
1. A block rule for P2P traffic
2. A rule for their VOIP phones
3. A rule for employee web browsing
4. A rule to allow servers in the server VLAN to access the Internet for updates
5. A rule to allow guests to access the Internet over the guest VLAN
6. Catch All rule

We have already mentioned that VLANs exist in this network, and we will want to create some additional rules for any other VLANs that will need access through the firewall. In our example, we have a servers VLAN and a guest VLAN that need access. These rules will not be targeted as often as web or VoIP rules, so they will be placed further down. And of course, we will add security policies to the guest access rule to secure not only their access out but also to ensure they do not access the internal networks.
Scenario 2 - Rules

Rule list so far:
1. A block rule for P2P traffic
2. A rule for their VOIP phones
3. A rule for employee web browsing
4. A rule to allow LAN to DMZ access so employees can use the shared resources
5. A rule to allow servers in the server VLAN to access the Internet for updates
6. A rule to allow guests to access the Internet over the guest VLAN
7. A rule to allow WAN to DMZ access for shared resources

We also have a DMZ in the environment that is hosting some servers. We will need to create a rule that allows employees to access these servers. This rule will be higher up as these servers hold a necessary business application and are used quite often by the employees. Another rule will need to be made to allow users from the WAN to access the DMZ. This is not as common in our example, so the rule for this is placed further down. If the servers were hosting a popular public service, we could move the rule up in the list or even create a web server protection rule if the server were hosting a web site.

Scenario 2 - Rules

Finally, we will finish this with a rule to allow FTP traffic. The purpose of this rule is so that we can apply policies to control this traffic. As it is not commonly used and no other rule will catch the traffic, it ends up at the bottom of our list. As mentioned earlier, there may be many more rules that are needed to ensure that employees can access everything, and as the list grows, we would also consider adding the rules to groups to better organize them.

Chapter Review

Here are the three main things you learned in this chapter.
- FastPath can offload traffic to increase the speed of connections, but not all traffic will be offloaded.
- Firewall rules can be created to maximize the amount of traffic offloaded to the FastPath.
- Firewall rules can be ordered for performance and protection.
- Firewall rule groups can help to organize devices that have many rules.
- The general rules are: the more specific the rule, the closer to the top the rule should be; rules that are processed more often should be above other rules; and unless it is a catch-all, deny rules should be at the top for security.
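The ordering guidelines above (deny rules first, frequently hit and specific rules higher, catch-all last) applied to the Scenario 2 rule set, as an added example that is not part of the Sophos material: a small first-match evaluator in Python counts how many rules each packet is compared against under the recommended order versus a poor one, and shows how a wizard-style "allow everything out" rule placed above the P2P block shadows it. Zone names, subnets, service labels and the traffic mix are constructed assumptions, not values from the course.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
# Added example, not Sophos code: a tiny first-match evaluator used to compare
# the chapter's recommended rule order with poorer ones. Zone names, subnets
# and the traffic mix below are constructed for illustration.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src_zone: str               # "any" or a zone name
    dst_zone: str
    service: str = "any"        # "any" or web / voip / p2p / ftp
    src_net: str = "0.0.0.0/0"  # a narrower network makes the rule more specific

    def matches(self, pkt):
        return (self.src_zone in ("any", pkt["src_zone"])
                and self.dst_zone in ("any", pkt["dst_zone"])
                and self.service in ("any", pkt["service"])
                and ip_address(pkt["src_ip"]) in ip_network(self.src_net))

def evaluate(rules, pkt):
    """First match wins: return (action, number of rules checked)."""
    for checked, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, checked
    return "deny", len(rules)  # nothing matched: implicit drop

def total_checks(rules, packets):
    """Rule comparisons needed for a traffic sample; lower is better."""
    return sum(evaluate(rules, p)[1] for p in packets)

def packet(src_zone, src_ip, service, dst_zone="WAN"):
    return {"src_zone": src_zone, "src_ip": src_ip, "service": service, "dst_zone": dst_zone}

BLOCK_P2P = Rule("Block P2P", "deny", "any", "WAN", service="p2p")
ALLOWS = [  # busiest and most specific first, as the chapter recommends
    Rule("VoIP VLAN", "allow", "VOIP", "WAN", "voip", "10.20.0.0/24"),
    Rule("Employee web", "allow", "LAN", "WAN", "web", "10.10.0.0/24"),
    Rule("Server updates", "allow", "SERVERS", "WAN", "any", "10.30.0.0/24"),
    Rule("Guest VLAN", "allow", "GUEST", "WAN", "web"),
]
CATCH_ALL = Rule("Catch all", "deny", "any", "any")
RECOMMENDED = [BLOCK_P2P, *ALLOWS, CATCH_ALL]
POOR = [*reversed(ALLOWS), BLOCK_P2P, CATCH_ALL]  # rare allows first, deny near the bottom
SHADOWED = [Rule("LAN to WAN", "allow", "LAN", "WAN"), BLOCK_P2P, CATCH_ALL]  # broad allow hides the deny

SAMPLE = ([packet("VOIP", "10.20.0.5", "voip")] * 30 + [packet("LAN", "10.10.0.7", "web")] * 50
          + [packet("SERVERS", "10.30.0.2", "web")] * 10 + [packet("GUEST", "192.168.50.9", "web")] * 5
          + [packet("LAN", "10.10.0.8", "p2p")] * 5)  # constructed traffic mix
```

Comparing total_checks(RECOMMENDED, SAMPLE) with total_checks(POOR, SAMPLE) shows the evaluation cost of the same rules in a different order, and evaluate(SHADOWED, ...) for a P2P packet shows why a deny rule placed below a broad allow never fires.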
