Sophos Network Protection

  • Sophos Phish Threat educates and tests your end users through automated attack simulations, quality security awareness training, and actionable reporting metrics. Learn More Endpoint Protection.
  • The Sophos XG Unified Thread Management (UTM) has a strong feature set offering a hard line of defense. As with any other firewall, it is able to lock down traffic between zones such as LAN, WAN, DMZ, and more while allowing the required traffic through with firewall and NAT rules. But all firewalls do that, right?
  • As technology evolves network security is becoming more and more important in protecting the network for the latest vulnerabilities, especially the zero day threats. Sophos deep learning is a quantum leap beyond basic machine learning, capable of identifying known threats and unknown threats.

As we get closer to launching the early-access program (EAP) for Sophos ZTNA, we wanted to answer a lot of your questions about our solution and what to expect.

Mar 08, 2021 Sophos protections against HAFNIUM. Sophos MTR, network and endpoint security customers benefit from multiple protections against the exploitation of the new vulnerabilities. The Sophos MTR team has been monitoring our customer environments for behaviors associated with these vulnerabilities since their announcement.

You can learn more about ZTNA and register for the early-access program today to stay informed and be the first to know when the EAP starts.

Early-access program registration

The early-access program is expected to start in early March. Learn more and register for the EAP today at!

Frequently asked questions about Sophos ZTNA

What is ZTNA all about?

Please review this previous article for a great overview of Zero Trust Network Access.

What are the benefits of ZTNA compared to remote-access VPN?

While remote-access VPN continues to serve us well, ZTNA offers a number of added benefits that make it a more attractive solution for connecting users to important applications and data:

  • More granular control: ZTNA allows more granular control over who can access applications and data, minimizing lateral movement and improving segmentation. VPN is all-or-nothing: once on the network, VPN generally offers access to everything.
  • Better security: ZTNA removes implicit trust and incorporates device status and health in access policies that further enhances security. VPN does not consider device status, which can put application data at risk to a compromised or non-compliant device.
  • Easier to enroll staff: ZTNA is much easier to roll out and enroll new employees, especially if they are working remotely. VPN is more challenging and difficult to set up and deploy.
  • Transparent to users: ZTNA offers “just works” transparency to users with frictionless connection management. VPN can be difficult and prone to initiating support calls.

What does Sophos ZTNA include?

Sophos ZTNA is a brand new cloud-delivered, cloud-managed product to easily and transparently secure important networked applications with granular controls. It’s scheduled to enter early access soon.

Sophos ZTNA consists of three components:

  • Sophos Central provides the ultimate cloud management and reporting solution for all Sophos products, including Sophos ZTNA. Sophos ZTNA is fully cloud-enabled, with Sophos Central providing easy deployment, granular policy management, and insightful reporting from the cloud.
  • Sophos ZTNA Gateway will come as a virtual appliance for a variety of platforms to secure networked applications on-premise or in the public cloud, with AWS and VMware ESXi support available initially, closely followed by Azure, Hyper-V, Nutanix, and others.
  • Sophos ZTNA Client provides transparent and frictionless connectivity to controlled applications for end users based on identity and device health. It will integrate with Synchronized Security for Heartbeat and device health. It is super easy to deploy from Sophos Central, with an option to deploy alongside Intercept X with just one click, or it can work stand-alone with any desktop AV client (obtaining health status from Windows Security Center). It will initially support Windows, followed by macOS, and later Linux and mobile device platforms as well.

When will Sophos ZTNA be available?

The first phase of the early-access program (EAP) is targeted for early March. Launch is expected to be around mid-year 2021. You can register now for the EAP.

Which types of applications are ideal for ZTNA?

Sophos ZTNA can provide secure connectivity for any networked application hosted on the company’s on-premise network, or in the public cloud or any other hosting site. Everything from RDP access to network file shares to applications like Jira, wikis, source code repositories, support and ticketing apps, etc.

ZTNA does not control access to SaaS applications like or Office365, which are public internet-facing applications servicing many customers by design. Secure access to these applications is provided by the SaaS vendor and the application, and is often further enhanced through multi-factor authentication.

Which client, gateway, and identity platforms will be supported?

  • Client platforms will initially include a clientless option across all client platforms (EAP1), native Windows support (EAP2 and GA), macOS support (early 2022), and then Linux and mobile device platforms (iOS and Android) in the future. Device health will initially be assessed via Synchronized Security Heartbeat status (EAP2 and GA), followed by Windows Security Center (early 2022), with additional device assessments to be integrated in the future.
  • Gateway platforms will be virtual appliances only (no hardware) and initially include VMware ESXi for EAP1, then AWS public cloud for EAP2 and GA. This will be expanded to include other platforms like Azure, Hyper-V, Nutanix, K8S, and GCP following launch.
  • For identity, Sophos ZTNA will initially support Azure Active Directory (AD) for EAP 1 and Okta in EAP2. Supported directory services for EAP 2 and GA include Azure and on-premise AD (including AD Sync supported by Sophos Central today). Customers can take advantage of Azure’s MFA options right away, with support for third-party MFA solutions coming in a future release.

Is ZTNA a stand-alone product or does it require another Sophos product?

Sophos ZTNA is a stand-alone product and does not require any other Sophos Products. It is managed by Sophos Central, which is free, and obviously offers a ton of benefits when customers have other Sophos products. It can easily deploy alongside Intercept X, but Intercept X is not a requirement. Sophos ZTNA can also work alongside any vendor’s desktop AV or firewall.

How will Sophos ZTNA client deployment work?

Sophos ZTNA will be an easy-to-deploy option alongside Intercept X and device encryption when protecting devices from Sophos Central, as shown below…

Will ZTNA integrate with Sophos XG Firewall and Intercept X?

Sophos ZTNA is fully compatible with XG Firewall and Sophos Intercept X. In fact, it takes advantage of Security Heartbeat to assess device health, which can be used in ZTNA policies.

As mentioned above, deployment of the ZTNA client can easily happen as part of an Intercept X roll-out: it’s as simple as checking a box. Of course, Sophos ZTNA can also work perfectly with other vendor desktop AV or firewall products, but it will work better together with Sophos products such as XG Firewall and Intercept X.

How will licensing and pricing work?

Sophos ZTNA will be licensed on a user basis like our endpoint products, not per user-device. So if a user has three devices, they only require one license.

Customers can deploy as many ZTNA gateways as they need to protect all their apps. There is no charge for the gateway or for Sophos Central management.

How does ZTNA compare to…


DUO is an identity technology provider focused on multi-factor authentication (MFA) to help users verify their identity. Identity and MFA – and thus DUO – are parts of a ZTNA solution. ZTNA also verifies device health. Sophos ZTNA will initially support Azure MFA and any identity provider that integrates with Azure, including Duo and other MFA solutions as well.


NAC and ZTNA technologies may sound similar as they are both about providing access, but that’s where the similarities end. Network access control (NAC) is concerned with controlling physical access to a local on-premise network, while ZTNA is concerned with controlling access to data and specific network applications regardless of which network they are on.


While remote-access VPN has served us well, ZTNA has a number of benefits when compared to VPN, as outlined above. Of course, there will be some situations where VPN continues to be a good solution: where a relatively small number of people (e.g. the IT department) needs broad access to network applications and services to manage them. Surfshark on mac.

VPN will still be instrumental for site-to-site connectivity but for most organizations’ users, ZTNA can replace remote-access VPN to provide a better, more granular security solution – all while being more transparent and easier for users.

Download Sophos Antivirus


ZTNA is complimentary to a firewall just like VPN is complimentary to a firewall. The firewall still plays a critically important role in protecting corporate network and data center assets from attacks, threats, and unauthorized access. ZTNA bolsters a firewall by adding granular controls and security for networked applications in the cloud or on-premise.


WAF and ZTNA are designed to protect different types of applications from different types of users. WAF is designed to protect and secure public applications by providing firewall, threat detection, and other hardening like SQL injection attack defenses. ZTNA is designed to control access to internal applications. It is not designed to provide public access; in fact, it is designed to ensure public users cannot access ZTNA-protected apps.

Synchronized Security?

ZTNA and Synchronized Security are both conceptually similar in that they both can use device health to determine network access privileges. In fact, Sophos ZTNA will use Security Heartbeat as a key component in assessing device health.

If a user has a device with a red Heartbeat, their application access can be limited through policy, just as their network access can be limited on the firewall. However, ZTNA goes further than Synchronized Security by also integrating user identity verification.

ZTNA is also more about controlling privilege and access to applications, while Synchronized Security is more about automated response to threats and preventing threats from moving or stealing data.


SASE (pronounced “sassy”) or secure access service edge, is about the cloud delivery of networking and security, and includes many components such as firewalls, SD-WAN, secure web gateways, CASB, and ZTNA. It’s designed to secure any user on any network, anywhere through the cloud. So as you can see, ZTNA is a component of SASE and will be an essential part of our overall SASE strategy.

To learn more about Sophos ZTNA and sign up for the early-access program, visit our ZTNA website.

XG Firewall makes it simple to get up and running quickly with the best network visibility, protection, and response in the industry. We make it easy to protect your network across multiple sites while also enabling access for your remote workers.

Getting started


If you just received your XG Firewall, run through the convenient XG Firewall setup wizard which will have you up and running in a few minutes with essential protection for your network.

If you are running two XG Firewall appliances in High Availability mode for maximum business continuity, then be sure to take advantage of the new Quick HA option in v18.

INSTRUCTIONS: ‘How to deploy in gateway mode’ ► VIDEO ‘Registration and setup wizard’ ►

Get familiar with XG firewall

After the initial setup, review our extensive library of Getting Started How-To videos and the Documentation for XG Firewall. There’s also a great list of articles and videos to review on the Initial Setup Community Forum.

Periodic best practices checkup

To ensure your XG Firewall is protecting your network optimally, follow these best practices after initial setup or periodically.

If you don’t have time to perform these steps, the Sophos Professional Services team of network experts is available to help ensure your firewall is configured optimally. Contact them at [email protected]

Double check your protection licenses

On your XG Firewall go to Administration > Licensing and ensure you have these essential network protection subscriptions:

  • Network Protection – Essential for IPS, advanced threat protection, and botnet protection
  • Web Protection – Essential for web security and control and application control
  • Sandstorm Protection – Essential for the latest threat protection using artificial intelligence and sandboxing analysis
  • Email Protection – Essential for anti-spam and phishing attack protection
  • Web Server Protection – Essential if you have any servers that require public internet access

Update firmware

Always keep your firmware up to date to ensure you have the latest security, performance, and reliability updates. You can get the latest v18 release for your XG Firewall from MySophos.

INSTRUCTIONS: ‘How to download firmware updates’ ► VIDEO: ‘Firmware update and roll-back’ ►

Firewall rule and protection policy recommendations

Of course, by design, your firewall blocks all network traffic – your network is completely locked down – but you enable traffic to flow by creating firewall rules.

Firewall rules enable your network to function, but they also create opportunities for hackers, ransomware, and malware to enter. Hence, it’s essential to protect your network by applying security policies to these firewall rules.

If you’re new to XG Firewall or v18, check out the introductory video on Firewall Rules and the What’s new in v18 for Firewall Rules video.

If your firewall has been running for a while, you may have dozens or even hundreds of firewall rules you’ve added over time. It’s very important that you periodically review all your firewall rules to ensure that there are no avoidable “openings” in your network. Ensure you don’t have any unnecessary or unused rules that are presenting openings that hackers can take advantage of.

Start by checking the ‘Active firewall rules’ widget on the Control Center to identify unused rules:

Then, go through your firewall rules to examine all the active rules to ensure they are needed and proper protection is being applied.

In particular, disable all non-essential port-forwarding rules, and re-evaluate if any of the port-forwarding rules you have can be better accommodated via VPN access or, at the very least, multifactor authentication.

Exposed services and servers through port forwarding are one of the top ways hackers breach your network. VPN and MFA provide much better security for remote access to internal network resources.

Sophos Network Protection

If you are on v17.x we suggest you upgrade to v18 for the latest NAT rule enhancements. If you are on v18 already, review all your NAT rules to ensure all are required and adequately protected by a corresponding firewall rule.

Make sure you’re applying essential protection to all your firewall rules. XG Firewall makes it super easy to assign web protection and control, intrusion prevention (IPS), sandboxing, and file analysis as well as application control.

Sophos Utm Network Protection License

In general, do not apply “Allow All” or “None” when selecting a protection policy. These should only be used in special circumstances or for troubleshooting, never as an active protection policy.

Recommended protection best practices

TLS Inspection

Most internet traffic is encrypted with SSL/TLS making it impossible to secure without proper inspection.

XG Firewall v18 introduced the new Xstream TLS Inspection feature that provides high-performance inspection of encrypted traffic, enabling you to properly protect your network. Ensure you have one or more TLS inspection rules applied to your internet traffic, otherwise a lot of the protection discussed below will be ineffective. (Instructions: ‘SSL/TLS inspection rules’ / Video: ‘Xstream SSL inspection in XG Firewall v18′).

You will need to deploy the XG Firewall SSL certificate on your client machines, which is accomplished easiest on Windows using the wizard in Microsoft’s Group Policy Manager.

After deployment, monitor TLS inspection via the Control Center and add important problematic sites to the exception list with the convenient tools available from the widget.

Web policy and protection

This determines which websites are allowed or blocked and how to protect web traffic. Any firewalls governing internet traffic should have a web filtering policy in place.

There are several built-in policies for schools, workplaces, and more that you can use out-of-the-box to make this easy. Simply choose one appropriate for your organization and customize it to suit your needs. (Instructions: ‘How to implement Web Protection’ instructions / Video: ‘How To: Creating Web Protection rules’).

Malware and content scanning

XG Firewall can scan all web traffic for malicious code and downloaded files.

We strongly recommend that you take advantage of SophosLabs Threat Intelligence and Sophos Sandstorm sandboxing to further analyze files.

Sophos Network Protection Free

To do so, simply check the option to “Detect zero-day threats with Sandstorm” for all rules governing web traffic. (Instructions: ‘How to configure Sophos Sandstorm’).

Sophos Network Protection


Intrusion Prevention looks for activity attempting to exploit vulnerabilities in networked devices. This is a common technique for hackers to get control of servers exposed to the internet and to move laterally within a network. IPS protection signatures are included for all platforms: Windows, Macs, Unix, and more.

Make sure you are applying IPS protection policies that align with the network platforms in your environment – use either one of the built-in policies or create your own. Also, ensure you not only apply IPS protection to internet traffic rules but also rules between different segments of your internal network (e.g. LAN and DMZ) to help catch active threats trying to spread on your network. (Instructions: ‘IPS policies’ / Video: ‘How To: Setting Up And Configuring IPS’).


Advanced Threat Protection is another essential aid in identifying an active threat on your network. It examines outbound traffic for any attempts to contact known hacker command and control servers.

Sophos Network Protection Pro

If an ATP is detected, it indicates you have a bot or threat on your network. ATP setup is super easy. (Instructions: ‘How to configure Advanced Threat Protection (ATP)’).

Firewall best practices for blocking ransomware

Check out this white paper on additional best practices for blocking Ransomware attacks.

VPN connectivity recommendations

With VPN connections being tremendously important these days, here are some additional resources on getting the most from your XG Firewall’s VPN connectivity options.

Site-to-Site VPN: If you want the ultimate in VPN reliability and security between your central office and branch offices or remote locations, Sophos unique RED tunnels are ideal.

You can easily deploy an XG Firewall to a remote location without touching it and set up a RED tunnel in no time. (Instructions: ‘Substituting XG for RED devices via Light-Touch deployment from Sophos Central’).

Remote user VPN: If you have users working remotely, XG Firewall offers a couple of options for secure remote access.

Our previous article outlined the various access options and their pros/cons. We recommend using Sophos Connect Client for the ultimate in ease-of-use. (Instructions: ‘Sophos Connect Client’ / Video: ‘Sophos Connect VPN Client’).

Helpful resources

Customer Resource Center (how-to videos, documentation, and more)

How-To Video Library (dozens of video tutorials to get you started)

XG Community (tap into the vast knowledge and expertise of the XG Firewall community)