Web Server Protection on Sophos XG Firewall

Prerequisites (for publishing an RDS Gateway through the WAF): a real web server added on the XG under Web server > Web servers > Add; any certificates uploaded under Certificates > Add; and RPC over HTTPS enabled on the RDS Gateway.

Add a web server protection (WAF) rule

With WAF rules, you can protect web applications from attacks and data leakage by filtering HTTP traffic. You configure a WAF rule for an IP address assigned to a network interface, a port, and one or more domain names. XG Firewall matches traffic based on the IP address assigned to the interface.

XG Firewall makes it simple to get up and running quickly with the best network visibility, protection, and response in the industry. We make it easy to protect your network across multiple sites while also enabling access for your remote workers.

Getting started


If you just received your XG Firewall, run through the convenient XG Firewall setup wizard which will have you up and running in a few minutes with essential protection for your network.

If you are running two XG Firewall appliances in High Availability mode for maximum business continuity, then be sure to take advantage of the new Quick HA option in v18.

Instructions: ‘How to deploy in gateway mode’. Video: ‘Registration and setup wizard’.

Get familiar with XG firewall

After the initial setup, review our extensive library of Getting Started How-To videos and the Documentation for XG Firewall. There’s also a great list of articles and videos to review on the Initial Setup Community Forum.

Periodic best practices checkup

To ensure your XG Firewall is protecting your network optimally, follow these best practices after initial setup or periodically.

If you don’t have time to perform these steps, the Sophos Professional Services team of network experts is available to help ensure your firewall is configured optimally. Contact them at [email protected]

Double check your protection licenses

On your XG Firewall go to Administration > Licensing and ensure you have these essential network protection subscriptions:

  • Network Protection – Essential for IPS, advanced threat protection, and botnet protection
  • Web Protection – Essential for web security and control and application control
  • Sandstorm Protection – Essential for the latest threat protection using artificial intelligence and sandboxing analysis
  • Email Protection – Essential for anti-spam and phishing attack protection
  • Web Server Protection – Essential if you publish any internal web servers or applications to the internet

Update firmware

Always keep your firmware up to date to ensure you have the latest security, performance, and reliability updates. You can get the latest v18 release for your XG Firewall from MySophos.


Instructions: ‘How to download firmware updates’. Video: ‘Firmware update and roll-back’.

Firewall rule and protection policy recommendations

Of course, by design, your firewall blocks all network traffic – your network is completely locked down – but you enable traffic to flow by creating firewall rules.

Firewall rules enable your network to function, but they also create opportunities for hackers, ransomware, and malware to enter. Hence, it’s essential to protect your network by applying security policies to these firewall rules.

If you’re new to XG Firewall or v18, check out the introductory video on Firewall Rules and the What’s new in v18 for Firewall Rules video.

If your firewall has been running for a while, you may have dozens or even hundreds of firewall rules you’ve added over time. It’s very important that you periodically review all your firewall rules to ensure that there are no avoidable “openings” in your network. Ensure you don’t have any unnecessary or unused rules that are presenting openings that hackers can take advantage of.

Start by checking the ‘Active firewall rules’ widget on the Control Center to identify unused rules.

Then, go through your firewall rules to examine all the active rules to ensure they are needed and proper protection is being applied.

In particular, disable all non-essential port-forwarding rules, and re-evaluate if any of the port-forwarding rules you have can be better accommodated via VPN access or, at the very least, multifactor authentication.

Services and servers exposed through port forwarding are one of the top ways attackers breach networks. VPN and MFA provide much better security for remote access to internal network resources.

If you are on v17.x we suggest you upgrade to v18 for the latest NAT rule enhancements. If you are on v18 already, review all your NAT rules to ensure all are required and adequately protected by a corresponding firewall rule.

Make sure you’re applying essential protection to all your firewall rules. XG Firewall makes it super easy to assign web protection and control, intrusion prevention (IPS), sandboxing, and file analysis as well as application control.

In general, do not apply “Allow All” or “None” when selecting a protection policy. These should only be used in special circumstances or for troubleshooting, never as an active protection policy.
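To show what this review looks like outside the GUI, here is an added example (not Sophos code) that audits a rule export for exactly the problems listed above: rules that are disabled or have no hits, inbound rules from WAN that expose a service, and protection policies left at “None” or “Allow All”. The XML and the hit counts are constructed for the example and only approximate the shape of an XG rule export; the element names (FirewallRule, Status, NetworkPolicy, IntrusionPrevention, WebFilter, ApplicationControl) are assumptions, so map them to your real export before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample export for this example. It only approximates the shape of
# an XG rule export; the element names below are assumptions, not a schema.
SAMPLE_EXPORT = """<Configuration>
  <FirewallRule>
    <Name>LAN to WAN</Name>
    <Status>Enable</Status>
    <NetworkPolicy>
      <Action>Accept</Action>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
      <IntrusionPrevention>generalpolicy</IntrusionPrevention>
      <WebFilter>Default Workplace Policy</WebFilter>
      <ApplicationControl>Allow All</ApplicationControl>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule>
    <Name>RDP to fileserver</Name>
    <Status>Enable</Status>
    <NetworkPolicy>
      <Action>Accept</Action>
      <SourceZones><Zone>WAN</Zone></SourceZones>
      <DestinationZones><Zone>LAN</Zone></DestinationZones>
      <Services><Service>RDP</Service></Services>
      <IntrusionPrevention>None</IntrusionPrevention>
      <WebFilter>None</WebFilter>
      <ApplicationControl>None</ApplicationControl>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule>
    <Name>Old vendor access</Name>
    <Status>Disable</Status>
    <NetworkPolicy>
      <Action>Accept</Action>
      <SourceZones><Zone>WAN</Zone></SourceZones>
      <DestinationZones><Zone>DMZ</Zone></DestinationZones>
      <IntrusionPrevention>None</IntrusionPrevention>
      <WebFilter>None</WebFilter>
      <ApplicationControl>None</ApplicationControl>
    </NetworkPolicy>
  </FirewallRule>
</Configuration>"""

# Constructed hit counts standing in for the 'Active firewall rules' widget.
SAMPLE_HITS = {"LAN to WAN": 48213, "RDP to fileserver": 17, "Old vendor access": 0}

PROTECTIONS = ("IntrusionPrevention", "WebFilter", "ApplicationControl")
PLACEHOLDER_POLICIES = {"", "none", "allow all"}   # never acceptable as active protection


def parse_rules(xml_text):
    """Flatten each <FirewallRule> into a dict the audit can reason about."""
    rules = []
    for node in ET.fromstring(xml_text).iter("FirewallRule"):
        policy = node.find("NetworkPolicy")
        if policy is None:          # e.g. a WAF/business rule, not covered by this audit
            continue
        rules.append({
            "name": node.findtext("Name", ""),
            "enabled": node.findtext("Status", "") == "Enable",
            "action": policy.findtext("Action", ""),
            "src": [z.text or "" for z in policy.findall("SourceZones/Zone")],
            "dst": [z.text or "" for z in policy.findall("DestinationZones/Zone")],
            "protection": {p: policy.findtext(p, "") for p in PROTECTIONS},
        })
    return rules


def audit(rules, hits):
    """Return (rule name, finding) pairs for the checklist items above."""
    findings = []
    for rule in rules:
        name = rule["name"]
        if not rule["enabled"] or hits.get(name, 0) == 0:
            findings.append((name, "unused or disabled: remove it rather than leave an opening"))
            continue
        if rule["action"] != "Accept":
            continue                # drop/reject rules open nothing
        if "WAN" in rule["src"] and "WAN" not in rule["dst"]:
            findings.append((name, "inbound exposure from WAN: prefer VPN or MFA, or publish via a WAF rule"))
        for policy, value in rule["protection"].items():
            if value.strip().lower() in PLACEHOLDER_POLICIES:
                findings.append((name, f"{policy} is '{value or 'unset'}'"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_EXPORT), SAMPLE_HITS):
        print(f"{name}: {finding}")
```

Run against the constructed data, the disabled vendor rule is flagged for removal, the RDP port-forward is flagged once for WAN exposure and once per empty protection policy, and the otherwise healthy LAN-to-WAN rule is flagged only for its “Allow All” application control policy.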

Recommended protection best practices

TLS Inspection

Most internet traffic is encrypted with SSL/TLS, so web filtering, malware scanning and sandboxing cannot see its content unless the firewall inspects it.

XG Firewall v18 introduced the new Xstream TLS Inspection feature that provides high-performance inspection of encrypted traffic, enabling you to properly protect your network. Ensure you have one or more TLS inspection rules applied to your internet traffic, otherwise a lot of the protection discussed below will be ineffective. (Instructions: ‘SSL/TLS inspection rules’ / Video: ‘Xstream SSL inspection in XG Firewall v18’).

Inspected connections are re-signed with the XG Firewall’s own certificate authority, so clients must trust it or every inspected site will show a certificate warning. You will need to deploy the XG Firewall SSL CA certificate on your client machines, which is accomplished easiest on Windows using the wizard in Microsoft’s Group Policy Manager.

After deployment, monitor TLS inspection via the Control Center and add important problematic sites to the exception list with the convenient tools available from the widget.

Web policy and protection

This determines which websites are allowed or blocked and how to protect web traffic. Any firewalls governing internet traffic should have a web filtering policy in place.

There are several built-in policies for schools, workplaces, and more that you can use out-of-the-box to make this easy. Simply choose one appropriate for your organization and customize it to suit your needs. (Instructions: ‘How to implement Web Protection’ / Video: ‘How To: Creating Web Protection rules’).

Malware and content scanning

XG Firewall can scan all web traffic for malicious code and downloaded files.

We strongly recommend that you take advantage of SophosLabs Threat Intelligence and Sophos Sandstorm sandboxing to further analyze files.

To do so, simply check the option to “Detect zero-day threats with Sandstorm” for all rules governing web traffic. (Instructions: ‘How to configure Sophos Sandstorm’).

Intrusion prevention

Intrusion Prevention looks for activity attempting to exploit vulnerabilities in networked devices. This is a common technique for hackers to get control of servers exposed to the internet and to move laterally within a network. IPS protection signatures are included for all platforms: Windows, Macs, Unix, and more.

Make sure you are applying IPS protection policies that align with the network platforms in your environment – use either one of the built-in policies or create your own. Also, ensure you not only apply IPS protection to internet traffic rules but also rules between different segments of your internal network (e.g. LAN and DMZ) to help catch active threats trying to spread on your network. (Instructions: ‘IPS policies’ / Video: ‘How To: Setting Up And Configuring IPS’).

Advanced threat protection

Advanced Threat Protection (ATP) is another essential aid in identifying an active threat on your network. It examines outbound traffic for attempts to contact known command and control servers.

An ATP detection indicates that you have a bot or other active threat on your network. ATP setup is straightforward. (Instructions: ‘How to configure Advanced Threat Protection (ATP)’).

Firewall best practices for blocking ransomware

Check out this white paper on additional best practices for blocking Ransomware attacks.

VPN connectivity recommendations

With VPN connections being tremendously important these days, here are some additional resources on getting the most from your XG Firewall’s VPN connectivity options.

Site-to-Site VPN: If you want the ultimate in VPN reliability and security between your central office and branch offices or remote locations, Sophos’ unique RED tunnels are ideal.

You can easily deploy an XG Firewall to a remote location without touching it and set up a RED tunnel in no time. (Instructions: ‘Substituting XG for RED devices via Light-Touch deployment from Sophos Central’).

Remote user VPN: If you have users working remotely, XG Firewall offers a couple of options for secure remote access.

Our previous article outlined the various access options and their pros/cons. We recommend using Sophos Connect Client for the ultimate in ease-of-use. (Instructions: ‘Sophos Connect Client’ / Video: ‘Sophos Connect VPN Client’).

Helpful resources

Customer Resource Center (how-to videos, documentation, and more)

How-To Video Library (dozens of video tutorials to get you started)

XG Community (tap into the vast knowledge and expertise of the XG Firewall community)

WAF rules allow you to control the HTTP traffic of a web application over the IPv4 protocol.

You can configure more than one WAF rule on a given network interface or port, using different hostnames and certificates. With support for Server Name Indication (SNI), web server protection will present the correct server to each client, based on the requested hostname.


  1. Go to Firewall and select IPv4 using the filter switch.
  2. Click + Add firewall rule and Business application rule.
  3. Enter the general rule details.

    Application template

    Select Web server protection (WAF) to define an application filter policy for HTTP based applications.

    Rule name

    Enter a name for the rule.

    Description

    Enter a description for the rule.

    Rule position

    Specify the position of the rule.

    Rule group

    Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.

    If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.

  4. Enter Hosted server details.

    Hosted address

    Select the interface of the hosted server to which the rule applies. It is the public IP address through which internet users access the internal server/host.

    When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client’s real IP address is available in the HTTP header (X-Forwarded-For), so back-end logging, rate limiting and IP-based access controls must read it from there, and must trust that header only for connections that actually arrive from the WAF.

    Listening port

    Enter a port number on which the hosted web server can be reached externally over the internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).

    HTTPS

    Select to enable HTTPS on the hosted address. The WAF then terminates TLS with the selected certificate and can inspect the decrypted traffic.

    HTTPS certificate

    Only with HTTPS.

    Select the HTTPS certificate to be used.

    Redirect HTTP

    Only with HTTPS.

    Select to redirect HTTP requests.

    Domains

    HTTPS disabled: Enter the FQDN configured on the web server, for example, shop.example.com.

    HTTPS enabled: Depending on the HTTPS certificate you select, some domains may be preselected. You can edit or delete these domains or add new ones.

  5. Specify Protected server(s) details.
    Path-specific routing

    You can enable path-specific routing to define, per URL path, which web servers incoming requests are forwarded to.

    You can define that all URLs with a specific path, for example /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user stays on one server during the shopping session. You can also send all requests to one web server and use the others only as backups.

    For each hosted web server, one default site path route (with path /) is created automatically. The device applies the site path routes from the most specific to the least specific: the longest matching path wins, and the default path route is used only if no other site path route matches the incoming request. The order of the site path route list is therefore not relevant. If no route matches an incoming request (for example because the default route was deleted), the request is denied.

    Add new path

    (Only available if Path-specific routing is selected. Only active after at least one web server and one hosted web server have been created.)

    Click Add path to define a new path.

    Web server

    (Not available if Path-specific routing is selected.)

    With this option, you select the web servers that are to be protected. Select a web server from Web server list. The selected web server is displayed on the right side of the table under Selected web server(s).

    A new web server can be created on the Web server > Web servers page.

  6. Specify Access permission details. (Not available if Path-specific routing is selected.)
    Allowed client networks

    Select or add the allowed networks that should be able to connect to the hosted web server.

    Blocked client networks

    Select or add the networks that should be blocked from reaching your hosted web server.

    Authentication

    Select a web app authentication profile or click Create new to create a new authentication profile.

  7. Add path Exceptions for the web servers.

    Click Add new exception to specify a new exception.

  8. Specify policies for business applications in the Advanced section.

    Protection

    Select an application protection policy for the server or create a new one.

    Intrusion prevention

    Select an intrusion prevention policy for the rule or create a new one.

    Traffic shaping

    The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.

  9. Specify additional options for the added server in the Advanced section.

    Disable compression support

    By default, this check box is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, if websites are displayed incorrectly or users experience content-encoding errors when accessing your web servers, it may be necessary to disable compression. When the check box is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it uncompressed to the client, independent of the HTTP request’s encoding parameter.

    Rewrite HTML

    Select this option to have the device rewrite links in the returned web pages so that they stay valid. Example: one of your web server instances has the hostname yourcompany.local but the hosted web server’s hostname on the device is yourcompany.com. Absolute links such as <a href="http://yourcompany.local/"> would be broken unless rewritten to <a href="http://yourcompany.com/"> before delivery to the client. You do not need this option if yourcompany.com is also configured on your web server, or if internal links on your web pages are always relative links. The option is recommended with Microsoft’s Outlook Web Access and SharePoint Portal Server.

    HTML rewriting affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, for example binary files, have the correct HTTP content type; otherwise they may be corrupted by the rewriting process.

    Rewrite cookies

    Select this option to have the device rewrite cookies of the returned web pages.

    Pass host header

    When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment depends on the configuration of your web server.

  10. Click Save.
    As soon as a new HTTP-based rule configuration has been created and saved, or an existing one has been altered and saved, all HTTP-based business rules are restarted. Any client connection currently using an HTTP-based business rule is dropped and has to be re-established, so make WAF rule changes in a maintenance window rather than during peak traffic.
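The following added example (not Sophos code) models what the saved rule does with a request, tying together the behaviour described in steps 4 to 9: the allowed and blocked client networks, site path routes matched longest-path-first regardless of list order with a denial when nothing matches, the real client address handed to the backend in a header, and HTML link rewriting limited to text/* and *xml* content types. Everything concrete is constructed for the example: the hostnames, networks, backend names and route table; the assumptions that blocked networks take precedence over allowed ones, that a denied request gets a 403, and that the header carrying the client address is X-Forwarded-For. The last function is the backend-side counterpart: it trusts that header only when the TCP peer really is the WAF.

```python
import ipaddress
import re

# Constructed rule: one hosted web server in front of two real web servers.
PUBLIC_HOST = "shop.example.com"
WAF_ADDRESS = ipaddress.ip_address("10.0.0.1")        # address the WAF connects to backends from
ALLOWED = [ipaddress.ip_network("0.0.0.0/0")]           # allowed client networks ("Any")
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]      # blocked client networks
ROUTES = {"/": "web-01", "/products/": "web-02"}        # site path routes, order irrelevant
REWRITABLE = re.compile(r"^text/|xml", re.IGNORECASE)   # text/* or *xml* content types only


def client_permitted(client_ip: str) -> bool:
    """Blocked networks win over allowed ones (an assumption of this model)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in BLOCKED):
        return False
    return any(ip in net for net in ALLOWED)


def route_for(path: str, routes=ROUTES):
    """Most specific (longest) matching path route wins; None means deny."""
    matches = [p for p in routes if path.startswith(p)]
    return routes[max(matches, key=len)] if matches else None


def dispatch(client_ip: str, path: str, routes=ROUTES):
    """What the WAF does with one request: (status, backend, headers the backend sees)."""
    if not client_permitted(client_ip):
        return 403, None, {}
    backend = route_for(path, routes)
    if backend is None:                 # no route left, e.g. the default '/' route was deleted
        return 403, None, {}
    # The backend only ever sees WAF_ADDRESS as the TCP peer; the real client rides in a header.
    return 200, backend, {"X-Forwarded-For": client_ip}


def rewrite_links(body: bytes, content_type: str, internal_host: str) -> bytes:
    """'Rewrite HTML': fix absolute links only in text/* or *xml* responses, never in binaries."""
    if not REWRITABLE.search(content_type):
        return body
    pattern = rb"(https?://)" + re.escape(internal_host.encode())
    return re.sub(pattern, rb"\1" + PUBLIC_HOST.encode(), body)


def real_client_ip(remote_addr: str, x_forwarded_for: str, proxies=(WAF_ADDRESS,)) -> str:
    """Backend side: honour X-Forwarded-For only when the TCP peer is the WAF, and take
    the right-most hop that is not itself a known proxy (clients can append anything)."""
    try:
        if ipaddress.ip_address(remote_addr) not in proxies:
            return remote_addr            # direct hit, so any header present is spoofed
        for hop in reversed([h.strip() for h in x_forwarded_for.split(",") if h.strip()]):
            if ipaddress.ip_address(hop) not in proxies:
                return hop
    except ValueError:
        pass                              # malformed address in the header: ignore it
    return remote_addr


if __name__ == "__main__":
    print(dispatch("198.51.100.7", "/products/42"))
    print(dispatch("203.0.113.9", "/"))
    print(rewrite_links(b'<a href="http://yourcompany.local/">', "text/html", "yourcompany.local"))
```

The content-type gate in rewrite_links is the reason the note above insists that binary files carry a correct Content-Type: a download served as text/plain would be treated as rewritable text. real_client_ip is the check to add to any application, log pipeline or rate limiter behind the WAF; without the peer-address test an attacker on a direct path to the server can set X-Forwarded-For to whatever address they like.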


The WAF rule has been created and appears on the Firewall page when the IPv4 filter is set.