Firewall XG / SFOS v16 Beta


Firewall XG / SFOS v16 Beta Partner Beta Program Name: Company:

Table of Contents

- Welcome
- Look & Feel
- Base: SFOS migration and performance
- Base: HA with dynamic link
- Network: Policy base routing
- Heartbeat: Purpose based application filter policy
- Heartbeat: Heartbeat deployment
- Authentication: On appliance and third party OTP server for user authentication
- RED: Red Site-2-Site
- RED: Red 15w
- Web Proxy: User / Group filters in policy
- Web Proxy: Creative Commons filter safe search with image licensing
- Web Proxy: Policy warning
- Web Proxy: Google Apps Domain
- Web Proxy: Third-Party URL list
- Mail Proxy: MTA mode deployments
- Mail Proxy: SPX reply portal

Welcome

Dear Beta-Tester,

Welcome to our Beta program for Sophos XG Firewall SFOS v16! We are glad to have you on board, because your feedback will help us to make the new release simply better. Your experience with the Sophos XG Firewall itself and with many different customer installations in the field will be a real benefit on our way to creating a reliable SFOS v16 with useful new features!

This document offers descriptions of new and exciting functionality and a checklist with ideas for useful test scenarios. Please feel free to add your own test ideas: you know exactly what your customers are looking for and how they like to use our solution. Both of the following would be interesting for us:

- Does the new feature work as expected? What is not working?
- Do you think that the feature is complete? What are you missing? How would you design it?

During the Beta phase we offer several ways to get in touch with us, depending on the type of information or help to be shared:

- A feature is not working as expected? You have found a bug? Please go to the Beta forum via https://community.sophos.com/products/xg-firewall/v16beta and post the issue with a detailed description and, if possible, some details on how our team can reproduce the behavior. Our engineering teams check the forum on a regular basis.
- You have a question or a comment related to the Beta phase itself? Please send an email to sfv16@sophos.com

Thank you very much in advance for your effort and your cooperation!

Look & Feel

Questions & Answers

- How hard was it for you to find the items in the navigation structure?
- Do you think that your common tasks are spread out over too many screens?
- Are you struggling with missing features?
- How hard was it for you to understand the content of the screens?
- How hard was it for you to use the screens (even if you understand the content well)?
- Which are the 3 most used and most important tasks in your daily routine?
- How high is the chance that you roll back because of an unexpectedly large difference to Cyberoam/UTM? (If so, please let us know which differences caused it.)
- If you rolled back, do you plan to give the product another chance in the future?
- Place your own feedback.

Base: HA with dynamic link

Provides support for dynamic interfaces (DHCP/PPPoE) in HA Active/Passive mode.

Note: Cellular WAN interface is not supported yet.

- Use a dynamic uplink with your HA installation.
- Does the communication work with the remote device?
- If the communication does not work, which remote device do you use?

Network: Policy base routing

SFOS supports advanced routing scenarios:

- The gateway can now also be configured on interfaces in non-WAN zone types.
- Gateway reachability can be monitored using health check probing.
- Policy routing accepts various traffic criteria, such as incoming interface, source network, destination network, layer 4 services and DiffServ code points, to route traffic through a configured gateway.
- The policy route has the highest precedence, followed by VPN routes, followed by static routes. This precedence can be changed from the CLI console.
- The security policy can still override the policy routing decision if the primary and/or backup gateway is configured.
- The admin can achieve various MPLS/VPN fail-over / fail-back scenarios using this feature.

Note: Cellular WAN interface is not supported yet. The MPLS link should be in the WAN zone to support MPLS/VPN failover/failback.

- Test the several routing scenarios.
- How simple is it to configure the policies?
- Are all configuration options available? If not, what are you missing?

Firewall: Purpose based application filter policy

Based on generic requirements, a few more application filter templates have been added to the system. They help the admin to configure more meaningful application groupings for firewall policies. The following application filter policy templates have been added and can be used in a security policy:

- Block generally unwanted applications (p2p, risk 4&5 file sharing, proxy tunnel, loss of productivity)
- Block highest risk applications (risk 5)
- Block high risk applications (4&5)
- Block filter avoidance applications (proxy, can bypass firewall policy)

- Configure a firewall rule with the templates.
- Do these templates match your required scenarios?

Heartbeat: Heartbeat deployment

The firewall will maintain the Heartbeat status for the destination server, and traffic will be served based on the destination Heartbeat policy. The firewall can detect the missing Heartbeat from the endpoint and drop traffic. Gateway traffic from such an endpoint system can be filtered by a policy rule.

- Deploy Heartbeat on several endpoints.
- How do you rate the overall performance?
- Do you experience any issues?

Authentication: On appliance and third party OTP server for user authentication

One-time password (OTP) authentication is supported as of SFOS v16. A one-time password, also called two-factor or multi-factor authentication, is a password that is valid for only one login session or transaction and includes a static component (your primary password) as well as a time-dependent or temporary (one-time use) passcode. The feature allows users to configure and use OTP codes to authenticate via different facilities against Sophos XG Firewall.

Note: OTP is not supported for the admin and support users.

Soft token:
- Install the Sophos authenticator on a mobile device.
- Activate the OTP feature with auto-created tokens.
- Check whether the logon works for the defined facilities.

Hard token:
- Define a token in the OTP feature and assign it to a user.
- Check whether the user is able to log on with OTP.

Note: SFOS supports TOTP RFC-compliant hardware/software tokens.

Third party OTP server:
- Integrate SFOS with a RADIUS server supporting an OTP server such as RSA or FreeRADIUS.

- Do you think the OTP feature is easy to use?
- Would you offer/recommend this feature to your customers? For what facilities?
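
Added example (not part of the Sophos beta guide and not SFOS code): a reference calculator for the time-based codes that TOTP tokens produce per RFC 6238, usable to cross-check what a soft or hard token displays during the logon tests above. The function names and the +/-1 time-step acceptance window in verify() are assumptions for illustration, not documented SFOS behaviour; the key is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 SHA-1 test secret (ASCII "12345678901234567890"),
# and the same secret in the Base32 form that authenticator apps import.
RFC_KEY = b"12345678901234567890"
RFC_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def key_from_base32(secret: str) -> bytes:
    """Decode a token secret as shown in enrolment screens (spaces, any case)."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits)


def verify(key: bytes, candidate: str, unix_time: int,
           step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step offset at which the code matches, or None.

    A non-zero offset means the token clock and the validator clock
    disagree; the window size here is an assumed value for illustration.
    """
    counter = unix_time // step
    for offset in range(-window, window + 1):
        if counter + offset < 0:
            continue
        expected = hotp(key, counter + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return offset
    return None


if __name__ == "__main__":
    key = key_from_base32(RFC_KEY_B32)
    now = 59  # constructed timestamp taken from the RFC 6238 test vectors
    print("code at t=59:", totp(key, now))
    print("same code one step later matches at offset:",
          verify(key, totp(key, now), now + 30))
    print("same code three steps later:",
          verify(key, totp(key, now), now + 90))
```

A code that only matches at a non-zero offset points to clock drift between token and validator, which is worth checking first when a hard token logon fails.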

RED: RED Site-2-Site

With this feature, two SFOS firewalls can establish a layer 2 (RED) tunnel and communicate with each other. RED uses a layer 2 tunnel with a virtual interface, so it is very easy for the admin to define networks which can be accessed across the tunnel using static routes.

The "Firewall Red Server" and "Firewall Red Client" types have been added to the Add RED tunnel interface configuration. The admin can configure one of the endpoints (a static IP is recommended) as RED server and the other (dynamic IP) as RED client to establish a host-to-host layer 2 tunnel with a configurable virtual IP.

Note: RED Site-2-Site Tunnel is supported only with SFOS.

- Create a RED Site-2-Site tunnel on the SFOS v16 installations.
- Define static/policy based routing to route traffic via the RED Site-2-Site tunnel.
- Create a firewall rule to allow site-2-site tunnel traffic.
- Are all configuration functions easy to find?
- Does your setup work?

RED: RED15w

SFOS v16 supports the RED15w with integrated 802.11 a/b/g/n WiFi. RED15w has been added to the type selection list on the "Add RED interface" page, and the admin can configure the parameters and manage the RED appliance from SFOS. The RED15w wireless AP will be discovered under pending access points once the tunnel is up, and the admin can manage the AP from the wireless menu configuration option.

- Add it to your regular RED and use WLAN on as many devices as possible (PC & mobile devices).
- Did you find all configuration options, and how easy was it to set up the connection?
- Did you connect all wireless devices successfully? Which devices did you use?

Web Proxy: User / Group filters in policy

With SFOS v16, a web policy can provide an additional layer of filters based on users and groups. This makes it possible to create simple firewall rules that use a single web policy for an entire network, while still providing different levels of web access for different groups of users.

- Configure a policy. For example, if one user needs access to a category of websites that is blocked for other users, the administrator just creates a rule in the web policy allowing that category and selecting only that user. There is no need to clone whole policies or create multiple firewall rules.
- How easy was it to define and configure a new rule in the web policy?
- Are all required options covered?

Web Proxy: Creative Commons filter safe search with image licensing

Creative Commons filter is a new feature which restricts image search results returned by Google, Bing and Yahoo. With Creative Commons filter enabled, the search engines only return images which have been explicitly marked for sharing, thus filtering out many potentially inappropriate results.

Note: If accessing search engines using SSL, HTTPS scanning will need to be enabled for Creative Commons filter to work properly.

- Enable Creative Commons filter and search for images on Google, Yahoo and Bing.
- When enabled, did you see any inappropriate images when doing image searches on Google, Bing & Yahoo?

Web Proxy: Policy warning

Currently in SFOS, a web category, URL group or file type can be either blocked or allowed. With policy warning, administrators now have a third option to control access. When a user requests a website or file which is marked as Warn in policy, the user is presented with a warning page. The user can then click on the proceed button on that page (without any administrator intervention) to get access to the site or file for the next 30 minutes. After 30 minutes have expired, the user will be presented with a warning page again for that site or file.

Administrators can customize the warning page (just like the block page) to show a customized message to their users if desired.

Note: Dynamic categories do not support the warn action.

- Enable the warn action in your web policy.
- Customize the warn page.
- Did you have any problem proceeding to sites after the warning page?

Web Proxy: Google Apps Domain

Google Apps Domain is a feature which restricts logins to Google services to specific domains only (e.g. the company's domain). This allows an organization to prevent its users from logging into their own personal Google accounts, thus helping to prevent information from leaking outside the organization.

Note: If accessing Google using SSL, HTTPS scanning will need to be enabled for Google Apps Domain to work properly.

- Enable Google Apps Domain and input your organization's domain in your web policy.
- Is it easy to implement?

Web Proxy: Third-Party URL list

In SFOS, administrators can create custom web categories by inputting URLs or keywords manually. Third Party URL List is a feature which allows SFOS to retrieve the list of URLs within a custom web category dynamically from an external source (e.g. a URL list maintained by a third party or government organization).

To use this feature, the URLs must be listed in a file (supported file formats include .tar, .gz, .bz, .bz2, and .txt) hosted on an external web server. SFOS will update this list every 2 hours.

- Create a small list of URLs, host it on a web server and add it to a custom web category.
- Did the custom category update properly when the list of URLs changed in the file hosted on the external web server?

Mail Proxy: MTA mode deployments

SFOS can now act as a Mail Transfer Agent (MTA). The MTA mode in SFOS facilitates more control over email traffic in terms of traffic restrictions, routing and filtering. SFOS accepts emails as per the configured policies (IP Reputation settings, relay permissions and size restrictions). The device stores the emails on disk, where they can be viewed in the mail spool (Protect > Email > Mail Spool). Email scanning policies are then applied to the emails to scan for spam and malware, and to apply file type filter, data protection and encryption. Depending upon the policies, emails are blocked, quarantined, modified (subject) or forwarded.

- Use Case 1: Server Fallback. Requirement: SMTP email routing with multiple mail servers for a single domain.
- Use Case 2: Server Down. Requirement: Cache mails when the mail server is down.
- Use Case 3: Multiple Domains on Single public IP. Requirement: The admin could have more than one email domain on the same public IP to protect.
- Use Case 4: Invalid HELO/RDNS. Requirement: Reject incoming SMTP connections with an invalid SMTP HELO message or those coming from hosts with no RDNS entries.
- Use Case 5: Strict Email Scanning. Requirement: The admin wants SFOS to rigorously scan each inbound and outbound email.

- Is SFOS MTA easy to configure?
- Does the MTA mode offer all the functionality you expect? If not, what are you missing?

Mail Proxy: SPX reply portal

Users can now send secure replies to the SPX-encrypted emails they receive. This is possible by enabling "Enable Secure Reply Portal" and "View Original Email Body into Reply" with the required SPX template.

The admin can SPX-encrypt outbound emails by configuring appropriate SMTP policies. When an email is SPX-encrypted, the recipient receives an encrypted PDF containing the original mail data along with attachments. With the introduction of the SPX reply portal, the recipient can opt to reply by clicking the reply button in the secure PDF. On clicking the button, an https link opens in the browser, where a draft of the reply can be created. On clicking the Send button, the mail is accepted by the MTA and queued for delivery. If the recipient wishes, further replies can be sent by using the same link multiple times.

- Use Case 1: Reply portal with different SPX password types. Requirement: SPX reply portal is supported by all SPX password types in SPX templates.
- Use Case 2: View original mail in reply portal. Requirement: Original mail body should be displayed in SPX reply portal.
- Use Case 3: Multiple language. Requirement: Reply portal supports multiple languages like Hindi, German, Chinese, etc. in replies.

- How does the SPX reply portal feature meet your expectations?
- Does the Reply Portal offer all the improvements / features you expect? If not, what are you missing?