Sophos XG Firewall
Highlights
- Purpose-built user interface with interactive control center
- Optimized three-clicks-to-anywhere navigation
- Policy Control Center Widget monitors policy activity for business, user and network policies and tracks unused, disabled, changed and new policies
- New unified policy model enabling all business, user and network policies to be managed on a single screen with powerful filtering and search options
- Policy Templates for common business applications like Microsoft Exchange, SharePoint, Lync, and much more defined in XML enabling customization and sharing.
- Policy natural language descriptions and at- a-glance policy enforcement indicators
- Custom IPS, Web, App, and Traffic Shapping (QoS) settings per user or network policy on a single screen
- Layer-8 user identity awareness across key areas of the firewall
- Sophos Security Heartbeat connecting Sophos endpoints with the Firewall to share health status and telemetry to enable instant identification of unhealty or compromised endpoints
- Policy support for Sophos Security Heartbeat to automatically isolate or limit network access to compromised endpoints
- User Threat Quotient for identifying risky users based on recent browsing behavior and ATP triggers
- Application Risk Meter provides and overall risk factor based on the risk level of applications on the network
- Configuration API for all features for RMM/PSA integration
- Discover Mode (TAP mode) for seamless integration for trials and PoCs
- Full-featured centralized management with Sophos Firewall Manager available as a hardware, software, or virtual appliance
- New virtual and software licensing model based on CPU and Memory resources
Base Firewall
General Management
- Purpose-built streamlined user interface
- Three-clicks-to-anywhere navigation
- Self-documenting menu system
- Advanced trouble-shooting tools in GUI (e.g., Packet Capture)
- High Availability (HA) support clustering two devices in active-active or active-passive mode.
- Full command-line-interface (CLI) accessible from GUI
- Role-based administration
- Automated firmware update notification with easy automated update process and roll-back features
- Reusable system object definitions for networks, services, hosts, time periods, users and groups, clients and servers
- Self-service user portal
- Configuration change tracking
- Flexible device access control for services by zones
- Email or SNMP trap notification options
- SNMP and Netflow support
- Central managment support from Sophos Firewall Manager or Sophos Cloud Firewall Manager
- Backup and restore configurations: locally, via FTP or email; on-demand, daily, weekly or monthly
- API for third party integration
- Remote access option for Sophos Support
- Cloud-based license management via MySophos
Firewall, Networking, and Routing
- Stateful deep packet inspection firewall
- FastPath Packet Optimization
- User, group, time, or network based policies
- Access time polices per user/group
- Enforce policy across zones, networks, or by service type
- Zone isolation and zone-based policy support.
- Default zones for LAN, WAN, DMZ, LOCAL, VPN, and WiFi
- Custom zones on LAN or DMZ
- Customizable NAT policies with IP masquerading
- Flood protection: DoS, DDoS and portscan blocking
- Country blocking by geo-IP
- Routing: static, multicast (PIM-SM) and dynamic (RIP, BGP, OSPF)
- Upstream proxy support
- Protocol independent multicast routing with IGMP snooping
- Bridging with STP support and ARP broadcast forwarding
- VLAN DHCP support and tagging
- Multiple bridge support
- WAN link balancing: multiple Internet connections, auto-link health check, automatic failover, automatic and weighted balancing, and granular multipath rules
- Wireless WAN support (n/a in virtual deployments)
- 802.3ad interface link aggregation
- Full configuration of DNS, DHCP and NTP
- Dynamic DNS
- IPv6 support with tunnelling support including 6in4, 6to4, 4in6, and IPv6 rapid deployment (6rd) through IPSec
Base Traffic Shaping and Quotas
- Flexible network or user based traffic shaping (QoS) (enhanced Web and App traffic shaping options are included with the Web Protection Subscription)
- Set user-based traffic quotas on upload/download or total traffic and cyclical or non-cyclical
- Real-time VoIP optimization
Secure Wireless
- Simple plug-and-play deployment of Sophos wireless access points (APs) — automatically appear on the firewall control center
- Central monitor and manage all APs and wireless clients through the built-in wireless controller
- Bridge APs to LAN, VLAN, or a separate zone with client isolation options
- Multiple SSID support per radio including hidden SSIDs
- Support for the latest security and encryption including WPA2 Personal and Enterprise
- Support for IEEE 802.1X (RADIUS authentication)
- Support for 802.11r (fast transition)
- Hotspot support for (custom) vouchers, password of the day, or T&C acceptance
- Wireless guest Internet access with walled garden options
- Time-based wireless network access
- Wireless repeating and bridging meshed network mode with supported APs
- Automatic channel selection background optimization
- Support for HTTPS login
- Rogue AP detection
Authentication
- Transparent, proxy authentication (NTLM/ Kerberos) or client authentication
- Authentication via: Active Directory, eDirectory, RADIUS, LDAP and TACACS+
- Server authentication agents for Active Directory SSO, STAS, SATC
- Client authentication agents for Windows, Mac OS X, Linux 32/64
- Authentication certificates for iOS and Android
- Single sign-on: Active directory, eDirectory
- Authentication services for IPSec, L2TP, PPTP, SSL
- Captive Portal
User Self-Serve Portal
- Download the Sophos Authentication Client
- Download SSL remote access client (Windows) and configuration files (other OS)
- Hotspot access information
- Change user name and password
- View personal internet usage
- Access quarantined messages (requires Email Protection)
Base VPN Options
- Site-to-site VPN: SSL, IPSec, 256- bit AES/3DES, PFS, RSA, X.509 certificates, pre-shared key
- L2TP and PPTP
- Remote access: SSL, IPsec, iPhone/iPad/ Cisco/Andriod VPN client support
- SSL client for Windows and configuration download via user portal
IPSec Client (sold separately)
- Authentication: Pre-Shared Key (PSK), PKI (X.509), Smartcards, Token and XAUTH
- Encryption: AES (128/192/256), DES, 3DES (112/168), Blowfish, RSA (up to 2048 Bit), DH groups 1/2/5/14, MD5 and SHA-256/384/512
- Intelligent split-tunneling for optimum traffic routing
- NAT-traversal support
- Client-monitor for graphical overview of connection status
- Multilingual: German, English, and French
|
Sandstom Protection Subscription
Sandstorm Cloud Sandbox Protection
- Full integration into your Sophos security solution dashboard
- Inspects executables and documents containing executable content
- Windows executables (including .exe, .com, and .dll)
- Word documents (including .doc, .docx, docm and .rtf)
- PDF documents
- Archives containing any of the file types listed above
- (ZIP, BZIP, GZIP, RAR, TAR, LHA/LZH, 7Z, Microsoft Cabinet)
- Supports more than 20 file types
- Dynamic malware behavior analysis runs files in real environments
- In-depth malicious file reports and dashboard file release capability
- Average analysis time less than 120 seconds
- Flexible user and group policy options on file type, exclusions, and actions on analysis
- Supports one-time download links
Network Protection Subscription
Intrusion Prevention (IPS)
- High-performance, next-gen IPS deep packet inspection engine with selective IPS patterns for maximum performance and protection
- Thousands of signatures
- Support for custom IPS signatures
- Flexible IPS policy deployment as part of any network or user policy with full customization
ATP and Security Heartbeat™
- Advanced Threat Protection (Detect and block network traffic attempting to contact command and control servers using multi-layered DNS, AFC, and firewall)
- Sophos Security Heartbeat™ instantly identifies compromised endpoints including the host, user, process, incident count, and time of compromise
- Sophos Security Heartbeat™ policies can limit access to network resources or completely isolate compromised systems until they are cleaned up
Remote Ethernet Device (RED) VPN
- Central Management of all RED devices
- No configuration: Automatically connects through a cloud-based provisioning service
- Secure encrypted tunnel using digital X.509 certificates and AES256-encryption
- Virtual Ethernet for reliable transfer of all traffic between locations
- IP address management with centrally defined DHCP and DNS Server configuration
- Remotely de-authorize RED devices after a select period of inactivity
- Compression of tunnel traffic
- VLAN port configuration options (RED 50)
Clientless VPN
- Sophos unique encrypted HTML5 self-service portal with support for RDP, HTTP, HTTPS, SSH, Telnet, and VNC
Web Protection Subscription
Web Protection and Control
- Fully transparent proxy for anti- malware and web-filtering
- Enhanced Advanced Threat Protection
- URL Filter database with millions of sites across 92 categories, backed by SophosLabs
- Surfing quota time policies per user/group
- Access time polices per user/group
- Malware scanning: block all forms of viruses, web malware, trojans, and spyware on HTTP/S, FTP and web-based email
- Advanced web malware protection with JavaScript emulation
- Live Protection real-time, in-the-cloud lookups for the latest threat intelligence
- Second independent malware detection engine (Avira) for dual-scanning
- Real-time or batch mode scanning
- Pharming Protection
- HTTP and HTTPS scanning and enforcement on any network and user policy with fully customizable rules and exceptions
- SSL protocol tunnelling detection and enforcment
- Certificate validation
- High performance web content caching
- Forced caching for Sophos Endpoint updates
- File type filtering by mime-type, extension and active content types (e.g. Activex, applets, cookies, etc.)
- YouTube for Schools enforcement
- SafeSearch enforcement
Application Protection and Control
- Enhanced application control with signatures and Layer 7 patterns for thousands of applications
- Micro app discovery and control
- Application control based on category, characteristics (e.g., bandwidth and productivity consuming), technology (e.g., P2P) and risk level
- Per-user or network rule application control policy enforcement
Web and App Traffic Shaping
- Enhanced traffic shaping (QoS) options by web category or application to limit or guarantee upload/download or total traffic priority and bitrate individually or shared
Email Protection Subscription
Email Protection and Control
- E-mail scanning with SMTP, POP3, and IMAP support
- Reputation service with spam outbreak monitoring based on patented Recurrent- Pattern-Detection technology
- Block spam and malware during the SMTP transaction
- Second independent malware detection engine (Avira) for dual-scanning
- Live Protection real-time, in-the-cloud lookups for the latest threat intelligence
- Automatic signature and pattern updates
- File-Type detection/blocking/scanning of attachments
- Accept, reject or drop over-sized messages
- Detects phishing URLs within e-mails
- Use pre-defined content scanning rules or create your own custom rules based on a variety of criteria
- TLS Encryption support for SMTP, POP, and IMAP
- Append signature automatically to all outbound messages
- Email archiver
Email Quarantine Management
- Spam quarantine digest and notifications options
- Malware and spam quarantines with search and filter options by date, sender, recipient, subject, and reason with option to release and delete messages
- Self-serve user portal for viewing and releasing quarantined messages
Email Encryption and DLP
- Patent-pending SPX encryption for one-way message encryption
- Recipient self-registration SPX password management
- Add attachments to SPX secure replies
- Completely transparent, no additional software or client required
- DLP engine with automatic scanning of emails and attachments for sensitive data
- Pre-packaged sensitive data type content control lists (CCLs) for PII, PCI, HIPAA, and more, maintained by SophosLabs
Web Server Protection Subscription
Web Application Firewall Protection
- Reverse proxy
- URL hardening engine with deep-linking and directory traversal prevention
- Form hardening engine
- SQL injection protection
- Cross-site scripting protection
- Dual-antivirus engines (Sophos and Avira)
- HTTPS (SSL) encryption offloading
- Cookie signing with digital signatures
- Path-based routing
- Outlook anywhere protocol support
- Reverse authentication (offloading) for form-based and basic authentication for server access
- Virtual server and physical server abstraction
- Integrated load balancer spreads visitors across multiple servers
- Skip individual checks in a granular fashion as required
- Match requests from source networks or specified target URLs
- Support for logical and/or operators
- Assists compatibility with various configurations and non-standard deployments
- Options to change Web Appliaction FIrewall performance parameters
- Scan size limit option
- Allow/Block IP ranges
- Wildcard support for server paths
- Automatically append a prefix/suffix for authentication
Logging and Reporting
NOTE: Individual log, report, and widget availability depends on enabled software subcriptions.
- Hundreds of on-box reports with custom report options: Dashboards (Traffic, Security, and User Threat Quotient), Applications (App Risk, Blocked Apps, Search Engines, Web Servers, FTP), Network and Threats (IPS, ATP, Wireless, Security Heartbeat), VPN, Email, Compliance (HIPAA, GLBA, SOX, FISMA, PCI, NERC CIP v3, CIPA)
- Current Activity Monitoring: system health, live users, IPsec connections, remote users, live connections, wireless clients, quarantine, and DoS attacks
- Report anonymization
- Report scheduling to multiple recipients by report group with flexible frequency options
- Export reports as HTML, PDF, Excel (XLS)
- Report bookmarks
- Full log viewer with retention customization by category
|