EL80: Sophos XG Firewall
Version 17.0.0
December 2017
Sophos Certified Engineer
Contents
Introduction ... 5
Prerequisites ... 5
Workbook conventions ... 5
Lab environment ... 6
Environment overview ... 6
User accounts ... 7
Network diagram ... 9
Lab 1: Preparation ... 10
Objectives ... 10
Task 1.1 Register for a Sophos Central Evaluation ... 10
Review ... 10
Lab 2: Getting Started with XG Firewall ... 11
Objectives ... 11
Task 2.1 Use the Initial Setup Wizard to configure a Sophos XG Firewall ... 11
Task 2.2 Configure a Sophos XG Firewall using a Configuration Backup File ... 14
Task 2.3 Navigating the WebAdmin ... 16
Task 2.4 Configure Zones and Interfaces ... 17
Task 2.5 Configure Static Routes ... 18
Task 2.6 Create Definitions ... 19
Task 2.7 Configure DNS Request Routes ... 21
Task 2.8 Import CA Certificates ... 22
Task 2.9 Create a Manual Configuration Backup ... 23
Task 2.10 Import a Configuration for the Next Lab ... 24
Review ... 24
Lab 3: Network Protection ... 25
Objectives ... 25
Task 3.1 Configure Logging ... 25
Task 3.2 Create Network Firewall Rules ... 25
Task 3.3 Install the SSL CA Certificates ... 28
Task 3.4 Install Sophos Central ... 30
Task 3.5 Publish Servers Using Business Application Rules ... 31
Task 3.6 Configure IPS Policies ... 34
Task 3.7 Enable Advanced Threat Protection ... 35
Task 3.8 Enable DoS (Denial of Service) and Spoof Protection ... 36
Task 3.9 Configure Security Heartbeat ... 38
Review ... 42
Page 2 of 86
Lab 4: Site-to-Site Connections ... 43
Objectives ... 43
Task 4.1 Create an SSL Site-to-Site VPN ... 43
Task 4.2 Create an IPsec Site-to-Site VPN ... 46
Review ... 48
Lab 5: Authentication ... 49
Objectives ... 49
Task 5.1 Configure an Active Directory Authentication Server ... 49
Task 5.2 Configure Single Sign-On Using STAS ... 51
Task 5.3 User-Based Policies ... 53
Task 5.4 One-Time Passwords ... 55
Review ... 56
Lab 6: Web Protection and Application Control ... 57
Objectives ... 57
Task 6.1 Create Custom Web Categories and User Activities ... 57
Task 6.2 Create a Content Filter ... 58
Task 6.3 Create a Custom Web Policy ... 59
Task 6.4 Create a Surfing Quota for Guest Users ... 62
Task 6.5 Create an Application Filter Policy ... 64
Review ... 65
Lab 7: Email Protection ... 66
Objectives ... 66
Task 7.1 Enable and Configure Quarantine Digests ... 66
Task 7.2 Configure SMTP Routing and Protection ... 67
Task 7.3 Configure Data Control and SPX Encryption ... 69
Task 7.4 User Quarantine Management ... 71
Review ... 72
Lab 8: Wireless Protection ... 73
Objectives ... 73
Task 8.1 Create a Hotspot ... 73
Review ... 74
Lab 9: Remote Access ... 75
Objectives ... 75
Task 9.1 Configure an SSL Remote Access VPN ... 75
Review ... 77
Lab 10: Logging, Reporting and Troubleshooting ... 79
Objectives ... 79
Task 10.1 Run, Customize and Schedule Reports ... 79
Task 10.2 View Sandstorm Activity ... 80
Task 10.3 Use SF Loader Tools ... 81
Task 10.4 Connection Table ... 81
Task 10.5 Packet Capture ... 83
Task 10.6 Dropped Packet Capture ... 84
Review ... 85
© 2017 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Introduction

These labs accompany the Sophos Certified Engineer Sophos XG Firewall course and form the practical part of the certification. They are estimated to take 7 hours to complete. You should complete each section of labs when directed to do so in the training content. Throughout the labs, there are prompts for information to be written down; you may require this information later in the labs. You will need to complete the course assessment while your lab environment is still active, as there may be some questions based on the live environment. If you need help or support at any point while completing the labs, please contact us at [email protected] and one of the team will be able to assist you.
Prerequisites

Prior to taking this training, we recommend that you should have:
- Completed and passed the Fundamentals Certified Engineer course

To be able to complete these labs in the time suggested you should have the following knowledge and experience:
- Experience in installing and replacing network gateways and firewalls in production environments
- Knowledge of general Windows networking

Workbook conventions

This workbook uses the following conventions throughout:

At the start of each lab is the learning objective, along with any requirements that must have been completed prior to starting the lab. Labs which cover larger subjects are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task. Short labs are presented as a single task.

Throughout the guide the following styles are used:
- Bold text: Actions: on-screen elements that you interact with, e.g. menu items, buttons, tick boxes, tabs
- Important points to note
- On-screen elements that you do not interact with, e.g. page titles
- Courier New font: Commands to be executed
- Underlined: Hyperlinks

Variables will be shown between chevrons.
Lab environment

These labs are designed to be completed on the hosted CloudShare environment. If you are not using CloudShare (e.g. this course is being taught in a classroom and not completed online) some details such as hostnames and IP addresses may vary.

You can launch your lab environment on CloudShare by clicking the Launch Lab Environment link. The environment will open in a pop-up window. If the window does not open, please check that your browser is not blocking popups.

If you need to leave your environment and return to it, you can again use the Launch Lab Environment link to log back in to the same environment.

Important note: Once you launch your environment, it will be available for five days. Once your environment expires, it is automatically deleted. If you require assistance, please email [email protected].
Environment overview

The environment used to complete these labs is comprised of multiple computers, connected via a simple network.

Computer: Description

- Lab network: This is the main network you will be using during the labs. Networks: 172.16.16.0/24, 172.17.17.0/24, 192.168.16.0/24

- London Gateway 1: This is a Sophos XG Firewall, and is the default gateway for the sophos.local network and has a separate interface for a DMZ network. IP Addresses: 172.16.16.16, 172.17.17.16, 172.25.25.16, 172.30.30.16, 10.1.1.100, 10.100.100.65. Throughout this workbook this will be referred to as London Gateway 1.

- London DC: This is a Windows 2016 R2 domain controller for the lab's local domain. It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority. IP Address: 172.16.16.10. Throughout this workbook this will be referred to as London DC.

- London Server 2: This is a Windows 2016 server. IP Address: 172.17.17.20. Throughout this workbook this will be referred to as London Server 2.

- London Intranet: This is a Debian Linux server running a simple website. The server is located on a separate subnet. IP Address: 172.25.25.40. Throughout this workbook this will be referred to as London Intranet.

- DMZ: This is the DMZ for the lab network. Network: 172.30.30.0/24

- Store Website: This is a Debian Linux server running a simple website. IP Address: 172.30.30.50. Throughout this workbook this will be referred to as Store Website.

- New York Gateway: This is a Sophos XG Firewall, and is the default gateway for the sophos.local network. IP Addresses: 192.168.16.16, 172.25.25.17, 10.2.2.200. Throughout this workbook this will be referred to as New York Gateway.

- New York Server: It runs an SMTP server, webmail, DNS, Active Directory and a certificate authority. IP Address: 192.168.16.30. Throughout this workbook this will be referred to as New York Server.

- Internet: This is a Debian Linux server which provides central DNS and routing for the simulated Internet, as well as running a webmail server, simple website and certificate authority. IP Addresses: 10.1.1.250, 10.2.2.250. Throughout this workbook this will be referred to as Internet.
User accounts

The table below details the user accounts in the lab environment.

Full name | Password | Scope and privileges
Administrator | Sophos1985 | SOPHOS.LOCAL Domain administrator
John Smith | Sophos1985 | SOPHOS.LOCAL Domain User
Jane Doe | Sophos1985 | SOPHOS.LOCAL Domain User
Sam Spade | Sophos1985 | SOPHOS.LOCAL Domain User
Lucy Fox | Sophos1985 | SOPHOS.LOCAL Domain User
Fred Rogers | Sophos1985 | SOPHOS.LOCAL Domain User
NY Admin | Sophos1985 | LON-SRV Local Administrator
Root | Sophos1985 | Store Website, London Intranet, Internet: Local Administrator
Sophos | Sophos1985 | Store Website, London Intranet, New York Warehouse, Internet: Local User
Jim Brown | Sophos1985 | Internet: Local User
Network diagram
Lab 1: Preparation

Objectives
Upon successful completion of this lab, you will be able to:
1. Register for a Sophos Central evaluation

Task 1.1 Register for a Sophos Central Evaluation

Register for a Sophos Central evaluation and activate the account in preparation for configuring Security Heartbeat in lab 3.

Instructions and notes

On Your Local Computer
1. Open a web browser and navigate to https://central.sophos.com
2. Click the Sign Up link
3. Follow the on-screen instructions to register for a trial
   Note: Make sure you use an email address that you can access. You will need to use an email address that has not already been registered with Sophos Central.
4. Check your email
   Note: You will receive an email with an activation link. This may take several minutes to arrive.
5. Click Activate in the email
   Note: This will open the activation page.
6. Enter and confirm a password of your choice
7. Select where to have the data stored
8. Read the statements and select both checkboxes
9. Click Activate Account
   Note: Sophos Central is now ready to use.
10. Use the menu in the top-right of the screen to Log Out

You have registered for a Sophos Central evaluation and activated the account.

Review
You have now successfully:
1. Registered for a Sophos Central evaluation
Lab 2: Getting Started with XG Firewall

Objectives
Upon successful completion of this lab, you will be able to:
1. Use the Initial Setup Wizard to configure a Sophos XG Firewall
2. Configure a new Sophos XG Firewall by importing a configuration backup
3. Navigate the WebAdmin
4. Configure zones and interfaces
5. Configure static routes
6. Create definitions
7. Configure DNS request routes
8. Import CA certificates
9. Create a configuration backup
10. Restore a configuration backup to an XG Firewall
Task 2.1 Use the Initial Setup Wizard to configure a Sophos XG Firewall

You will use the Initial Setup Wizard to configure the Sophos XG Firewall that is London Gateway 1. Once you have completed the configuration you will have Internet access from London DC with basic security and filtering policies applied.

Instructions and notes

On London DC
1. Open Chrome and navigate to https://172.16.16.16:4444
   Note: This is the default IP address. You will get a certificate warning but it is safe to proceed.
2. Click the Click to begin link to start the Initial Setup Wizard
3. Enter and confirm the password Sophos1985
4. Deselect Install the latest firmware automatically during setup
   Note: So that the version of XG Firewall you are using matches this lab workbook, we will not update it during the initial setup.
5. Select I agree to the License Agreement at the bottom of the page
6. Click Continue
7. The XG Firewall will fail to connect to the Internet, click Manual Configuration to configure the WAN interface
8. Configure the WAN interface with the following settings:

   Setting | Value
   Choose a Port to configure | PortB
   Interface Type | Static IP Address
   IP Address | 10.1.1.100
   Subnet | /24 (255.255.255.0)
   Gateway Name | CloudShare
   Gateway IP Address | 10.1.1.250
   DNS Server 1 | 10.1.1.250
   DNS Server 2 | 127.0.0.1

   Leave the other settings as default.
9. Click Apply
   Note: The XG Firewall will apply the new settings to the WAN interface.
10. Click OK
   Note: The XG Firewall will retest the Internet connection. All tests should be successful.
11. Click Continue
12. Enter the hostname lon-gw1.sophos.www
13. Use the map to select the America/Chicago time zone
   Note: Leave the time set as default.
14. Click Continue
15. Select ...
16. Click Continue
17. Click Sign In
18. Enter the email address and password for your Sophos ID, then click Sign In
   Note: Your Sophos ID is the Sophos Central evaluation you created in the first lab. If you do not have a Sophos ID, click Create Sophos ID and follow the on-screen instructions. You can modify the keyboard layout on the left in CloudShare.
19. Select ... and complete a reCAPTCHA task if required
   Note: Follow any additional on-screen instructions.
20. Click Continue
21. Click Confirm Registration + Evaluation License
22. Click Initiate License Synchronization
   Note: A serial number has been generated for the XG Firewall and you have registered it for an evaluation using your Sophos ID. The XG Firewall now needs to synchronize and download that evaluation license.
23. Deselect Opt in to the customer experience improvement program
   Note: As this is a training deployment, we will not send the anonymous data to Sophos.
24. Click Continue
25. Deselect Enable DHCP
   Note: We are going to continue to use PortA to connect to the XG Firewall with the current IP address. For this lab we do not require a DHCP server on this network.
26. Click Continue
27. Select all four of the Network Protection options:
   - Protect Users from Network Threats
   - Protect Users from the suspicious and malicious websites
   - Scan Files that were downloaded from the web for malware
   - Send suspicious files to Sophos Sandstorm
28. Click Continue
29. Enter the email address [email protected]
   Note: This configuration is used by the XG Firewall for sending backups and notifications. You can optionally configure an external email server to use, but by default, it will use the built-in MTA.
30. Click Continue
31. Review your configuration settings then click Continue
   Note: It will take a few minutes for the new configuration to be applied to the XG Firewall and for the device to reboot. You can continue to Task 2.2.

You have configured a Sophos XG Firewall using the Initial Setup Wizard. This configuration provides Internet access with basic security and filtering policies applied.
Task 2.2 Configure a Sophos XG Firewall using a Configuration Backup File

In this task, you will configure a new device by restoring a configuration file. You may need to do this if your company outgrows its existing device and buys a larger model. The configuration file you import will pre-configure New York Gateway for the remaining labs.

Instructions and notes

On New York Server
1. Login as NY-SRV\NYAdmin
   Note: The password is Sophos1985. There is currently no site-to-site connection between London and New York so you will login as NYAdmin who is a local administrator.
2. Open Chrome and navigate to https://192.168.16.16:4444
   Note: The IP address of PortA has been modified on this device using the console menu. You will get a certificate warning but it is safe to proceed.
3. Click the Click to begin link to start the Initial Setup Wizard
4. Click the Restore Backup link
5. Click Upload
6. Select the file C:\Config\NY-GW_Engineer_Lab2_Task2
7. Click Open
8. Click Apply
9. Enter and confirm the password Sophos1985
10. Deselect Install the latest firmware automatically during setup
   Note: So that the version of XG Firewall you are using matches this lab workbook, we will not update it during the initial setup.
11. Select I agree to the License Agreement at the bottom of the page
12. Click Continue
13. The XG Firewall will fail to connect to the Internet, click Manual Configuration to configure the WAN interface
Sophos Certified Engineer 14
Configure the WAN interface wit
h t he follo wing settings:
Choose a Port to conf igure
PortB
Interfac e Type
Stat ic IP Address
IP Address
10.2.2. 20 0
Subnet
/ 24 (255. 255.255. 0)
Gatew ay Nam e
CloudShare
Gatew ay IP Address
10.2.2. 250
DNS Server 1
10.2.2. 250
DNS Server 2
127.0.0.1
Lea ve the other sett ings as default.
15
Click Apply
The XG Firewall w ill apple th e new settings t o the WAN interface.
16
Click OK
The XG Firewall w ill retest the Internet connec tion. A ll tes ts shou ld be successful.
17
Click Continue
18
Select
19
Click Continue
20
Click Sign In
21
Enter the em ail address and passw ord for your Sophos ID , th en click
Sign In
Your Sophos ID is t he Sophos Cent ral eval uation you creat ed in the first lab. You can m odify the keyboard layo
ut in
th e left in CloudShare. 22
Sele ct
and com plete an reCAPTCHA task required
23
Click Continue
24
Click Confi rm Registr ati on + Evaluat ion License
25
Click Initiat e License S ynchronization
26
Click Continue
Follow any additiona l on-screen instructions.
A serial num ber has been generated for th e XG Firewall and you have regist ered it for an evaluation using your Sophos ID. The XG Firewall now needs t o synchronize and downloa d t hat evaluation licens e. It will take a few m inutes for the new conf iguration t o be applie d to th e XG Firewall and for the device to reboot. You can c ont inue to Task 3.
You have conf igured a new Sophos XG Firewall by restoring a conf
iguration bac kup.
Page 1 5 of 86
Sophos Certified Engineer
Task 2.3
Navigating the WebAdmin

Tour the WebAdmin and identify where various configuration elements are located to make navigation easier throughout the labs.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. When you first login you will see the Control Center. This page gives a real-time summary of what is happening on your network and on the XG Firewall.
4. Select PROTECT > Firewall in the left-hand menu
5. Firewall rules are where most of the protection configuration is applied. You can see that your lab environment has been preconfigured with a number of firewall rules.
6. Locate the #Default_Network_Policy firewall rule, then click on the ellipses on the right side and select Edit
7. This is a basic network rule that allows traffic from the LAN zone to the WAN zone. The protections that can be applied to this rule include intrusion prevention, traffic shaping and web filtering.
8. Select PROTECT > Wireless in the left-hand menu
9. In this section of the XG Firewall you can manage wireless access points and networks. Select each tab in turn and review the configuration available in each.
10. Select CONFIGURE > VPN in the left-hand menu
11. In this section you can configure site-to-site and remote access VPNs.
12. Click Show VPN Settings
13. Here you can find settings that you will need to access less frequently, such as the settings for the site-to-site and remote access SSL VPNs.
14. Click Close VPN Settings
15. Select each of the tabs in turn and review the configuration on each.
16. Select CONFIGURE > Network in the left-hand menu
17. In this section you configure the interfaces and other basic network settings such as DNS and DHCP.
18. Select CONFIGURE > Routing in the left-hand menu
19. The XG Firewall supports static, policy and dynamic routing, all of which can be configured in this section.
20. Select SYSTEM > Administration in the left-hand menu
21. In this section you configure the device settings.
22. Take 5 minutes to browse through the WebAdmin and familiarize yourself with where to find all of the configuration options; this will help you when completing the labs. You could try to find the following in the WebAdmin:
    - Where do you download the STAS software?
    - Where would you configure the primary antivirus engine for email scanning?
    - Where would you view the current IPsec connections?
    - Where would you configure the log settings?

You are now familiar with the layout of the WebAdmin and its navigation.
Task 2.4
Configure Zones and Interfaces

You will create a new zone for the intranet servers, and then configure PortD in the intranet zone you created with a static IP address. You will also configure PortF with details for an MPLS connection between the head office in London and the branch office in New York.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. Select CONFIGURE > Network in the left-hand menu
4. Select the Zones tab
5. Click Add
6. Configure the zone with the following settings:
   Name: Intranet
   Type: LAN
   Device Access:
     Admin Services: HTTPS
     Network Services: DNS, Ping/Ping6
   Leave the other settings as default.
   Note: Admin Services controls which management interfaces of the firewall itself are reachable from hosts in this zone, so enable only the services the zone actually needs.
7. Click Save
8. Select the Interfaces tab
9. Click PortD
10. Configure the interface with the following settings:
    Network Zone: Intranet
    IPv4 Configuration: Selected
    IP Assignment: Static
    IPv4/Netmask: 172.25.25.16 /24
    IPv6 Configuration: Deselected
11. Click Save then Update Interface
12. Click PortF
13. Configure the interface with the following settings:
    Network Zone: WAN
    IPv4 Configuration: Selected
    IP Assignment: Static
    IPv4/Netmask: 10.100.100.65 /29
    Gateway Name: MPLS GW
    Gateway IP: 10.100.100.70
    IPv6 Configuration: Deselected
    Note: We will use this port to simulate an MPLS between London and New York later in the labs. We are adding this interface to the WAN zone, so you need to define a default gateway.
14. Click Save then Update Interface
15. Select the WAN Link Manager tab
16. Click MPLS GW
17. Set the gateway type to Backup, with automatic failover set to None
    Note: To prevent the MPLS interface being used for any Internet traffic, set it as a backup gateway with no automatic failover.
18. Click Save
19. Click OK

You have now created a new zone for the intranet and configured PortD as an interface in the intranet zone. You have configured PortF with the settings for an MPLS connection between the head office in London and the branch office in New York.

Task 2.5
Configure Static Rout es
In this t ask you will crea te a st atic route on London G ateway 1 t hat w ill route traffic dest (192.168. 16.0/ 24) over the MPLS connection to New York G ateway.
ined for the New Yor k LAN subnet
Instructions
Notes Page 1 8 of 86
Sophos Certified Engineer
On London DC 1
Open Chrome and navigat e to htt ps:/ / lon-gw1 .sopho s.loca l:4444
2
Login to the WebAdmin as
3
Select CONFIGURE > Rout ing in the left-hand m
admin
Sophos1985 .
Add
4 5
The passw ord is enu
Configure the static route w
ith th e foll owing inform ation:
Setting
This st atic route w ill se nd all traffic destined for th e New Yor k LAN network (192.1 68.16. 0/ 24) over the MPL S interface (PortF) to t he New York Gatew ay (10.100 .100 .70).
Value
Destinati on IP / Netmask
192. 168. 16. 0
Gateway
10.100.100.70
Interface
PortF-10.100.100.65
Distance
0
6
Click Save
7
Open a new tab in Chrome and n
/ 24
aviga te t o htt p:/ / ny-srv. soph os.loca l
Confirm that you are ab le to access this site.
You have crea ted a st atic route on London G ateway 1 t o send any traffic destined for t th e MPLS to New York G atew ay.
he subnet 192 .168.16. 0/ 24 over
The MPLS interf ace is in the WAN zone so the existing # Default_Netw ork_Po licy firewall rule will all ow t he traf fic. New Yor k Gateway has been preconfigured wit 2.
Task 2.6
Create Definitions

You will create IP Host, FQDN Host and Service definitions in this task that you will use when performing other configuration tasks throughout the labs.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. Select SYSTEM > Hosts and Services in the left-hand menu
4. Click Add
5. Configure the object with the following information:
   Name: NewYork-192.168.16
   IP Family: IPv4
   Type: Network
   IP Address: 192.168.16.0
   Subnet: /24 (255.255.255.0)
   Note: This is the network definition for the subnet in the New York branch office.
6. Click Save
7. Click Add
8. Configure the object with the following information:
   Name: London DC
   IP Family: IPv4
   Type: IP
   IP Address: 172.16.16.10
   Note: This is the IP address of London DC.
9. Click Save
10. Select the FQDN Host tab
11. Click Add
12. Configure the object with the following information:
    Name: ny-gw.sophos.www
    FQDN: ny-gw.sophos.www
    Note: This definition is for the publicly resolvable hostname of New York Gateway.
13. Click Add New Item
14. Click Create new
15. Type Sophos Gateways, then click Save
16. Click Save
17. Select the Services tab
18. Click Add
19. Configure the service with the following settings:
    Name: WebAdmin
    Type: TCP/UDP
    Protocol: TCP
    Source Port: *
    Destination Port: 4444
    Note: This service definition is for accessing the WebAdmin. It is defined as TCP traffic coming from any source port and going to port 4444.
20. Click Save

You have created IP Host definitions for the New York network and London DC, an FQDN Host definition for New York Gateway, and a Service definition for the WebAdmin.
Task 2.7
Configure DNS Request Routes

So that London Gateway 1 is able to resolve internal hostnames and IP addresses, you will create DNS request routes that define which DNS servers should be used for resolving internal domains and subnets.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. Select CONFIGURE > Network in the left-hand menu
4. Select the DNS tab
5. Click Add
6. Configure the request route with the following information:
   Host/Domain Name: sophos.local
   Target Servers: London DC
   Note: This instructs the XG Firewall to use London DC as the DNS server for the sophos.local domain.
7. Click Save
8. Repeat this to create a DNS request route for 16.16.172.in-addr.arpa
   Note: This is used to define a reverse lookup zone for IP addresses. The first parts of the domain are the network octets for the subnet in reverse order, followed by in-addr.arpa.
9. Open Command Prompt from the Start menu
10. Use nslookup to test the DNS request routes by running the following commands:

    nslookup
    > server 172.16.16.16
    > 172.16.16.10
    > lon-srv2.sophos.local

    Note: Both requests should return a non-authoritative answer.
11. Close Command Prompt

You have created DNS request routes on London Gateway 1 so that it is able to resolve hostnames and IP addresses for sophos.local and 172.16.16.0/24 using the DNS server on London DC.
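The reverse-lookup naming rule in the note for step 8 is easy to get wrong for prefixes that do not end on an octet boundary, so here it is as code. This Python example is added here and is not part of the workbook or of Sophos' software: it derives the in-addr.arpa (or ip6.arpa) zone that a request route must cover for a given subnet, the PTR name for a single address, and the list of request routes created in this task. "London DC" is the host definition from Task 2.6; the extra subnets used in the usage are constructed for the example.

```python
import ipaddress
from typing import List, Tuple


def reverse_zone(cidr: str) -> str:
    """Return the reverse-lookup zone that covers every PTR record in `cidr`.

    IPv4 zones are built from whole octets (in-addr.arpa), IPv6 zones from whole
    nibbles (ip6.arpa). A prefix that does not end on an octet or nibble boundary
    (for example a /28) is rounded down to the enclosing zone, because that is
    the zone a DNS request route has to match.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        labels = str(net.network_address).split(".")
        bits_per_label, suffix = 8, "in-addr.arpa"
    else:
        labels = list(net.network_address.exploded.replace(":", ""))
        bits_per_label, suffix = 4, "ip6.arpa"
    fixed = net.prefixlen // bits_per_label      # labels fixed by the prefix
    if fixed == 0:
        return suffix                            # a /0 covers the whole tree
    return ".".join(reversed(labels[:fixed])) + "." + suffix


def ptr_name(ip: str) -> str:
    """The PTR owner name of one address is the zone for its /32 or /128."""
    addr = ipaddress.ip_address(ip)
    return reverse_zone(f"{addr}/{addr.max_prefixlen}")


def request_routes(domain: str, subnets: List[str], target: str) -> List[Tuple[str, str]]:
    """Build (Host/Domain Name, Target Servers) pairs as entered on the DNS tab:
    one route for the forward domain and one for each distinct reverse zone."""
    routes = [(domain, target)]
    seen = {domain}
    for cidr in subnets:
        zone = reverse_zone(cidr)
        if zone not in seen:                     # two subnets may share one zone
            routes.append((zone, target))
            seen.add(zone)
    return routes


if __name__ == "__main__":
    # The two routes from this task, plus an extra /25 (constructed) that falls
    # inside the same /24 and therefore needs no additional route.
    for route in request_routes("sophos.local",
                                ["172.16.16.0/24", "172.16.16.128/25"],
                                "London DC"):
        print(route)
    print(ptr_name("172.16.16.10"))
```

Run it with `python3 reverse_zone.py`; the second route printed is exactly the 16.16.172.in-addr.arpa entry from step 8, and the last line is the PTR name that the nslookup query for 172.16.16.10 in step 10 resolves through that route.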
Task 2.8
Import CA Certificates

In this task, you will download and import the CA certificates from the training certificate authority in this lab environment. The XG Firewall will use these in later labs to validate website certificates. Outside the lab, confirm the fingerprint of a root CA certificate obtained over the network against the value published by the CA operator before you import it.

On London DC

1. Open Chrome and navigate to https://ca.internet.www
2. Download the Root CA Certificate (PEM)
3. Download the Intermediate CA Certificate (PEM)
4. Navigate to https://lon-gw1.sophos.local:4444
5. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
6. Select SYSTEM > Certificates in the left-hand menu
7. Select the Certificate Authorities tab
8. Click Add
9. Configure the certificate with the following information:
   Name: AAA Global Training Root CA
   Certificate File Format: PEM
   Certificate: root-ca.pem
   Note: The root-ca.pem file will be located in \Users\Administrator\Downloads\. You do not need to select a private key as this is a verification CA. Once saved, the CA is listed on the first page of certificate authorities.
10. Click Save
11. Click Add
12. Configure the certificate with the following information:
    Name: AAA Global Training Intermediate CA
    Certificate File Format: PEM
    Certificate: intermediate-ca.pem
    Note: The intermediate-ca.pem file will be located in \Users\Administrator\Downloads\. You do not need to select a private key as this is a verification CA. Once saved, the CA is listed on the first page of certificate authorities.
13. Click Save

You have uploaded CA certificates to London Gateway 1 for validating website certificates.
Task 2.9
Create a Manual Configuration Backup

The Initial Setup Wizard has configured London Gateway 1 so that it automatically sends weekly configuration backups to the administrator. In this task, you will take a manual backup of your current configuration. You will repeat this at the end of each lab throughout this workbook so that you can restore your progress if necessary.

Note: We recommend that once you have created the backup you upload it to cloud storage in case you need to revert your environment for any reason. A configuration backup contains the full device configuration, including credentials and certificates, so store it as carefully as the device itself.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. Select SYSTEM > Backup & Firmware in the left-hand menu
4. Click Backup Now
   Note: Wait for the backup to complete.
5. Locate the latest Local backup
   Note: This section also shows the automatic backups configured.
6. Click Download
   Note: This will save the backup file to London DC.
7. Write down the filename of the backup file that you downloaded:
   ____________________________________________

You have downloaded a backup of the configuration from London Gateway 1.
Task 2.10
Import a Configuration for the Next Lab

In preparation for the next lab, you will import a configuration file. This will add a number of definitions and firewall rules to London Gateway 1, as well as configuring additional interfaces for you.

On London DC

1. Open Chrome and navigate to https://lon-gw1.sophos.local:4444
2. Login to the WebAdmin as admin
   Note: The password is Sophos1985.
3. Select SYSTEM > Backup & Firmware in the left-hand menu
4. Click Choose File
5. Select the file C:\Config\Lon-GW1_Engineer_Lab2_Task10
6. Click Open
7. Click Upload and Restore
8. Click OK
   Note: This process may take 5 minutes to complete.

You have imported the configuration that is required for the next lab.

Review

You have now successfully:
1. Used the Initial Setup Wizard to configure a Sophos XG Firewall
2. Configured a new Sophos XG Firewall by importing a configuration backup
3. Navigated the WebAdmin
4. Configured zones and interfaces
5. Configured static routes
6. Created definitions
7. Configured DNS request routes
8. Imported CA certificates
9. Created a configuration backup
10. Restored a configuration backup to an XG Firewall
Lab 3
Network Protection

Objectives
Upon successful completion of this lab, you will be able to:
1. Configure logging
2. Create network firewall rules
3. Install the SSL CA certificate
4. Install Sophos Central
5. Publish servers using Business Application Rules
6. Configure IPS policies
7. Enable Advanced Threat Protection
8. Enable DoS and spoof protection
9. Configure Security Heartbeat

Task 3.1
Configure Logging

You will review the options that are available for logging, and then enable all of the logging.

Note: In a production environment, we would recommend being more selective about which items you log.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > System Services in the left-hand menu
3. Select the Log Settings tab
4. Review the available log settings
5. Select all of the items in the list by selecting the top checkbox
6. Click Apply then click OK
   Note: For the purposes of this training, you will enable all logging; however, in a production environment we would recommend being more selective.

You have enabled logging for all log types.
Task 3.2
Create Network Firewall Rules

You will start this task by reviewing the two firewall rules that were imported as part of the configuration backup. You will then modify the #Default_Network_Policy that allows outbound traffic so that it allows traffic from the DMZ and Intranet zones in addition to the LAN zone, and you will restrict which services are allowed by this rule. You will create firewall rules that allow traffic to and from the New York branch office over the MPLS connection. You will end this task by testing that the firewall rules you have created work.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
   Note: You will see that there are some rules that have been imported as part of the configuration backup.
2. Select PROTECT > Firewall in the left-hand menu
3. Review the configuration of the new firewall rules:
   - The LAN to Intranet rule allows HTTP, HTTPS and SSH traffic from the LAN zone to the Intranet zone
   - The LAN to LAN rule allows all traffic between interfaces in the LAN zone
   Note: As part of the configuration import, PortC has been configured as a LAN interface for the subnet 172.17.17.0/24, which is where London Server 2 is connected.
4. Open the ellipses menu for the #Default_Network_Policy rule and click Edit
5. Modify the following settings:
   Source Zone: LAN, DMZ, Intranet
   Destination Services: DNS, FTP, HTTP, HTTPS, WebAdmin
   Web Malware and Content Scanning:
     Scan HTTP: Select
     Decrypt and Scan HTTPS: Select
     Detect zero-day threats with Sandstorm: Select
     Scan FTP for Malware: Select
   Log Traffic:
     Log Firewall Traffic: Select
   Leave the other settings as they are.
   Note: You are adding the DMZ and Intranet zones to provide Internet access for them. You are restricting which services are allowed out to the Internet by this default firewall rule.
6. Click Save
7. Click + Add Firewall Rule > User/Network Rule
8. Configure the rule with the following configuration:
   About This Rule:
     Rule Name: Allow MPLS to New York
     Description: Allow traffic between London and New York via the MPLS
     Rule Position: Top
   Source:
     Zone: LAN
     Source Networks and Devices: London Networks
   Destination:
     Zone: WAN
     Destination Networks: NewYork-192.168.16
   Identity:
     Match known users: Deselect
   Advanced:
     Rewrite source address (Masquerading): Deselect
   Log Traffic:
     Log Firewall Traffic: Select
   Leave all of the other settings as default.
   Note: You are creating separate firewall rules for traffic that is going to and from New York over the MPLS connection so that you do not inadvertently allow other traffic that should be managed by another firewall rule. Masquerading is deselected so that traffic sent over the MPLS keeps its London source address.
9. Click Save
10. Open the ellipses menu for the Allow MPLS to New York rule and click Clone
11. Modify the following settings:
    About This Rule:
      Rule Name: Allow MPLS from New York
      Position: Below
    Source:
      Zone: WAN
      Networks: NewYork-192.168.16
    Destination:
      Zone: LAN
      Destination Networks: London Networks
    Leave all of the other settings as they are.
12. Click Clone

On London Server 2

13. Login as SOPHOS\lfox
    Note: The password is Sophos1985.
14. Open Chrome and navigate to http://lon-dc.sophos.local
    Note: Confirm that you are able to access this website. This is allowed by the LAN to LAN rule.
15. Navigate to http://intranet.lon.sophos.local
    Note: Confirm that you are able to access this website.
16. Navigate to http://store.sophos.dmz
    Note: Confirm that you are not able to access this website. No firewall rule has been created to allow traffic from the LAN to the DMZ.
17. Navigate to http://ny-srv.sophos.local
    Note: Confirm that you are able to access this website. This is accessed using the MPLS and is routed using the static routes you created.

You have modified the #Default_Network_Policy so it applies to traffic from the DMZ and Intranet zones, and restricted the services it allows. You have created firewall rules to allow traffic to and from the New York branch office over the MPLS connection. You have tested the firewall configuration.
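To see why steps 14 to 17 come out the way they do, it helps to walk the rule table the way the firewall does: derive the zone of each endpoint from the interface network it sits on, then take the first rule whose zones, networks and services all match, with an implicit drop when nothing matches. The Python model below is added here and is not part of the workbook or of Sophos' code. The LAN, Intranet and New York subnets and the rule contents are taken from Lab 2 and this task; the DMZ subnet, the contents of the London Networks definition, and the addresses of the intranet, store and New York servers are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Networks attached to each zone. LAN, Intranet and the New York subnet are the
# addresses used in Lab 2; the DMZ subnet is an assumption for this example.
ZONE_NETWORKS: Dict[str, List[str]] = {
    "LAN": ["172.16.16.0/24", "172.17.17.0/24"],
    "Intranet": ["172.25.25.0/24"],
    "DMZ": ["172.30.30.0/24"],        # assumed
    "WAN": ["192.168.16.0/24"],       # New York, reached over PortF, which is in the WAN zone
}

# Host/network definitions. "London Networks" is assumed to contain the LAN and
# Intranet subnets; the other two are the definitions from Task 2.6.
HOSTS: Dict[str, List[str]] = {
    "Any": ["0.0.0.0/0"],
    "London Networks": ["172.16.16.0/24", "172.17.17.0/24", "172.25.25.0/24"],
    "NewYork-192.168.16": ["192.168.16.0/24"],
}

SERVICES: Dict[str, Tuple[str, int]] = {
    "DNS": ("udp", 53), "FTP": ("tcp", 21), "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443), "SSH": ("tcp", 22), "WebAdmin": ("tcp", 4444),
}


def zone_of(ip: str) -> str:
    """The zone is that of the interface whose network contains the address;
    anything not attached locally leaves via the default gateway, i.e. WAN."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETWORKS.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return zone
    return "WAN"


def in_hosts(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in HOSTS[name])


@dataclass
class Rule:
    name: str
    src_zones: Set[str]
    dst_zones: Set[str]
    src_hosts: str = "Any"
    dst_hosts: str = "Any"
    services: Optional[Set[str]] = None   # None means any service

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        if zone_of(src_ip) not in self.src_zones or zone_of(dst_ip) not in self.dst_zones:
            return False
        if not in_hosts(src_ip, self.src_hosts) or not in_hosts(dst_ip, self.dst_hosts):
            return False
        if self.services is None:
            return True
        return any(SERVICES[s] == (proto, port) for s in self.services)


# Rule table in the order it has after this task: the MPLS rules were placed at
# the top, the imported rules follow, and the default policy is last.
RULES: List[Rule] = [
    Rule("Allow MPLS to New York", {"LAN"}, {"WAN"}, "London Networks", "NewYork-192.168.16"),
    Rule("Allow MPLS from New York", {"WAN"}, {"LAN"}, "NewYork-192.168.16", "London Networks"),
    Rule("LAN to Intranet", {"LAN"}, {"Intranet"}, services={"HTTP", "HTTPS", "SSH"}),
    Rule("LAN to LAN", {"LAN"}, {"LAN"}),
    Rule("#Default_Network_Policy", {"LAN", "DMZ", "Intranet"}, {"WAN"},
         services={"DNS", "FTP", "HTTP", "HTTPS", "WebAdmin"}),
]


def evaluate(src_ip: str, dst_ip: str, proto: str = "tcp", port: int = 80) -> Optional[str]:
    """Name of the first matching rule; None means the packet is dropped."""
    for rule in RULES:
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.name
    return None


if __name__ == "__main__":
    # The checks from steps 14 to 17, run from London Server 2 (172.17.17.20).
    # Only London DC's address is from the workbook; the others are assumed.
    for dst in ("172.16.16.10", "172.25.25.20", "172.30.30.10", "192.168.16.10"):
        print(dst, "->", evaluate("172.17.17.20", dst))
```

The model also shows the effect of the service restriction in step 5: outbound HTTPS from the LAN matches #Default_Network_Policy, while outbound SMTP on port 25 matches nothing and is dropped, and RDP from the LAN to the Intranet zone is dropped because LAN to Intranet only lists HTTP, HTTPS and SSH.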
Task 3.3
Install the SSL CA Certificates

You will use Active Directory Group Policy to deploy the SSL CA Certificate from London Gateway 1 to computers in the SOPHOS.LOCAL domain. This means that clients will trust website certificates generated by the XG Firewall as part of HTTPS scanning. Because every domain computer will then trust certificates issued by this CA, the private key held on the firewall must be protected as carefully as any other domain CA key.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select SYSTEM > Certificates in the left-hand menu
3. Select the Certificate Authorities tab
4. Click the Download icon on the right-hand side for SecurityAppliance_SSL_CA
   Note: You may need to use the horizontal scroll bar at the bottom of the page to see the Download icon. This is the CA certificate used for decrypting and scanning traffic.
5. Click the Download icon on the right-hand side for Default
   Note: This is the CA certificate used to generate self-signed certificates.
6. Open the Downloads folder
7. Change the file extension of SecurityAppliance_SSL_CA.pem to .cer
   Note: Windows does not have a file association for .pem files.
8. Right-click on the Local_certificate_authority.tar.gz archive and select 7-Zip > Open
   Note: If you are unable to locate this file, please check you downloaded the file in step 5.
9. Double-click local_certificate_authority.tar
10. Select Default.pem then click Extract
11. Click OK
12. Change the file extension of Default.pem to .cer
13. Open Administrative Tools from the Start menu
14. Open Group Policy Management
15. In the left-hand pane, expand Group Policy Management > Forest: SOPHOS.LOCAL > Domains > SOPHOS.LOCAL, then right-click on Default Domain Policy and select Edit
16. In the left-hand pane select Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities
17. In the left-hand pane right-click on Trusted Root Certification Authorities and select Import
18. Click Next
19. Click Browse
20. Select the file C:\Users\Administrator\Downloads\SecurityAppliance_SSL_CA.cer then click Open
21. Click Next twice
22. Click Finish
23. Click OK
    Note: This dialog box can take up to 30 seconds to appear.
24. In the left-hand pane right-click on Trusted Root Certification Authorities and select Import
25. Click Next
26. Click Browse
27. Select the file C:\Users\Administrator\Downloads\Default.cer then click Open
28. Click Next twice
29. Click Finish
30. Click OK
    Note: This dialog box can take up to 30 seconds to appear.
31. Close the Group Policy Management Editor window
32. Close the Group Policy Management window
33. Open Command Prompt from the Start menu
34. Run gpupdate /force
    Note: Wait for the command to complete.

On London Server 2

35. Open Command Prompt from the Start menu
36. Run gpupdate /force
    Note: Wait for the command to complete. If the command returns an error, reboot London Server 2, login as lfox, then run the command again.
37. Logout of London Server 2

You have deployed the CA certificates from London Gateway 1 to computers in the sophos.local domain using Active Directory group policy.
Task 3.4
Install Sophos Central

Install Sophos Central on London Server 2 in preparation for configuring Security Heartbeat.

Note: Sophos Central is a rapidly developed product. The instructions in this workbook are correct at the time of publishing; however, you may find discrepancies between the instructions and the current version of Sophos Central in the lab.

On London Server 2

1. Login as SOPHOS\jsmith
   Note: The password is Sophos1985.
2. Open Chrome and navigate to https://central.sophos.com
3. Sign In with your email address and password
4. Click Got it, thanks!
5. Select Overview > Protect Devices in the left-hand menu
6. Click Download Windows Server Installer
7. Once the installer has downloaded, run SophosInstall.exe
8. Click Yes to the security warning
9. Click Next
10. Once the compatibility checks are complete, click Next
11. Click Install
    Note: Continue on to the next step while the installer runs in the background.
12. Switch back to Sophos Central in Chrome
13. Select Overview > Global Settings in the left-hand menu
14. Click Tamper Protection
15. Toggle Tamper Protection off using the switch, then click Save
    Note: Tamper Protection is switched off here only for the lab; in production it should stay enabled so that local users cannot disable the endpoint protection.
16. Select MY PRODUCTS > Server Protection in the left-hand menu
17. Select CONFIGURE > Policies in the left-hand menu
18. Click Base Policy under Threat Protection to edit the policy
19. Select the SETTINGS tab
20. Deselect Use recommended settings
21. Select Enable Sophos Security Heartbeat
22. Click Save
23. Switch back to the installer and click Finish once the installation is complete
    Note: This may take up to 15 minutes to complete. You can continue with the labs while the installation takes place.
24. Once the installation is complete, reboot London Server 2

You have installed Sophos Central on London Server 2.

Task 3.5
Publish Servers Using Business Application Rules

You will create a Business Application Rule to allow HTTP traffic to the Store Website in the DMZ, and another Business Application Rule to allow RDP traffic to London Server 2 from an allowed set of IP addresses.

On New York Server

1. Open Chrome and navigate to http://store.sophos.www
   Note: Confirm that you are not able to access the website.

On London DC

2. Login to the WebAdmin of London Gateway 1 as admin
3. Select PROTECT > Web Server in the left-hand menu
4. Click Add
5. Configure the web server with the following settings:
   Name: Sophos Store
   Description: Store website in London DMZ
   Host: Sophos Store
   Type: Plaintext (HTTP)
   Port: 80
   Keep alive: ON
   Timeout: 300
   Disable backend connection pooling: OFF
   Note: Web Server objects are for a single protocol, either HTTP or HTTPS. If you want to protect both protocols you will need to create two Web Server objects. The Sophos Store host was imported with the configuration file.
6. Click Save
7. Select PROTECT > Firewall in the left-hand menu
8. Click + Add Firewall Rule > Business Application Rule
9. Configure the rule with the following settings:
   About This Rule:
     Application Template: Web Server Protection (WAF)
     Rule Name: Store Website
     Description: Access to the store website from the Internet
   Hosted Server:
     Hosted Address: #PortB
     HTTPS: OFF
     Redirect HTTP: OFF
     Listening Port: 80
     Domains: store.sophos.www
   Protected Server(s):
     Path-specific routing: Deselect
     Web Server: Sophos Store (select it, then click + to add it to the list)
   Advanced:
     Protection: General Web Server Policy
     Intrusion Prevention: WAN TO DMZ
   Leave all of the other settings as default.
10. Click Save

On New York Server

11. Open Chrome and navigate to http://store.sophos.www
    Note: Confirm that you can access the website.
12. Open Remote Desktop Connection from the Start menu and connect to lon-gw1.sophos.www:7000
    Note: Confirm that you cannot connect.

On London DC

13. Click + Add Firewall Rule > Business Application Rule
14. Configure the rule with the following settings:
    About This Rule:
      Application Template: DNAT/Full NAT/Load Balancing
      Rule Name: London Server 2 RDP
      Description: RDP access to London Server 2 from admin IPs
      Rule Position: Bottom
    Source:
      Source Zones: Any
      Allowed Client Networks: Admin IPs
    Destination & Service:
      Destination Host/Network: #PortB-10.1.1.100
      Services: RDP-7000
    Forward To:
      Protected Server(s): London SRV2
      Protected Zone: LAN
      Change Destination Port(s): Selected
      Mapped Port: 3389
    Advanced:
      Intrusion Prevention: WAN TO LAN
    Log Traffic:
      Log Firewall Traffic: ON
    Leave the other settings as default.
    Note: With Source Zones set to Any, the only thing limiting who can reach the published port is the Admin IPs definition, so keep that definition as small as possible.
15. Click Save

On New York Server

16. Open Remote Desktop Connection from the Start menu and connect to lon-gw1.sophos.www:7000
    Note: Confirm that you can connect to London Server 2.
17. Login as SOPHOS\lfox, using password Sophos1985
18. Logout of London Server 2

You have created a Business Application Rule to publish and protect the website of a server running in the DMZ. You have created a DNAT rule to route RDP traffic to London Server 2 from a list of allowed IP addresses.
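The DNAT rule from step 14 does two things the settings table does not make visible: it only admits a new connection when the source is inside Allowed Client Networks, and it keeps a connection entry so that the server's replies go back out with the published address and port rather than 3389. The Python model below is added here and is not part of the workbook or of Sophos' code. The published endpoint 10.1.1.100:7000 and the mapped port 3389 are from step 14; the contents of the Admin IPs definition and the address of London Server 2 are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class DnatRule:
    """Model of the 'London Server 2 RDP' Business Application Rule.

    A new connection is accepted only if it arrives at the published address and
    port and its source is inside Allowed Client Networks; the destination is
    then rewritten to the protected server and mapped port. Replies are matched
    against the connection table and leave with the published address as source.
    """

    def __init__(self, allowed_clients: List[str], published: Endpoint, target: Endpoint) -> None:
        self.allowed = [ipaddress.ip_network(n) for n in allowed_clients]
        self.published = published
        self.target = target
        self.connections: Dict[Endpoint, Endpoint] = {}   # client -> rewritten destination

    def client_allowed(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Destination to forward a new inbound packet to, or None if it is dropped."""
        if dst != self.published:            # the rule only listens on #PortB port 7000
            return None
        if not self.client_allowed(src[0]):  # source is not in "Admin IPs"
            return None
        self.connections[src] = self.target
        return self.target

    def reply(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Source address to put on a reply leaving the protected server, or None."""
        if src != self.target or self.connections.get(dst) != self.target:
            return None
        return self.published                # the client sees 10.1.1.100:7000, never 3389


# Constructed for the example: the Admin IPs definition contents and the London
# Server 2 address are assumptions; 10.1.1.100:7000 -> 3389 is from step 14.
ADMIN_IPS = ["203.0.113.0/24"]
rule = DnatRule(ADMIN_IPS, published=("10.1.1.100", 7000), target=("172.17.17.20", 3389))

if __name__ == "__main__":
    client = ("203.0.113.10", 51000)
    print(rule.inbound(client, ("10.1.1.100", 7000)))                   # ('172.17.17.20', 3389)
    print(rule.reply(("172.17.17.20", 3389), client))                   # ('10.1.1.100', 7000)
    print(rule.inbound(("198.51.100.7", 51000), ("10.1.1.100", 7000)))  # None
```

The third call is the step 12 situation for a client outside Admin IPs: the packet is dropped at the firewall and the server never sees it, which is why the RDP client reports that it cannot connect rather than being refused by London Server 2.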
Task 3.6
Configure IPS Policies

In this task you will create a custom IPS policy for the Store Website server and apply it to the Business Application Rule you created in the previous task.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select PROTECT > Intrusion Prevention in the left-hand menu
3. Select the IPS Policies tab
4. Click Add
5. Enter the Name Store Website
6. Click Save
   Note: Do not select to clone rules.
7. Click Store Website to edit the policy
8. Click Add
9. Enter the Name Apache Linux Server Sev 4
10. Select the following signature criteria:
    Category: Apache HTTP Server: Select
    Severity: 1 - Critical: Select
    Severity: 2 - Major: Select
    Severity: 3 - Moderate: Select
    Severity: 4 - Minor: Select
    Platform: Linux: Select
    Target: Server: Select
    Note: Selecting these criteria will filter the signatures. Any new signatures that are added that match these criteria will also be included.
11. Click Save then click Save again
12. Select PROTECT > Firewall in the left-hand menu
13. Edit Store Website
14. In the Advanced section, set Intrusion Prevention to Store Website
15. Click Save

You have created a custom IPS policy and applied it to a Business Application Rule.
Task 3.7
Enable Advanced Threat Protection

You will enable Advanced Threat Protection on London Gateway 1, and then trigger an event.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select PROTECT > Advanced Threat in the left-hand menu
3. Set Advanced Threat Protection to ON
4. From the drop-down select Log and Drop
5. Click Apply
6. Open a new tab in Chrome and navigate to http://sophostest.com/callhome
   Note: Access to this page should be blocked.
7. Close the tab and switch back to the WebAdmin, then select Control Center in the left-hand menu
8. Click on the alert icon
9. Write down the name of the threat that was detected:
   ______________________________________________

You have enabled and tested Advanced Threat Protection on London Gateway 1.

Task 3.8
Task 3.8 - Enable DoS (Denial of Service) and Spoof Protection

In this task, you will enable both DoS protection and spoof protection. You will generate a brief SYN flood attack against London Gateway 1 to test the DoS protection. To test the spoof protection, you will intentionally configure a mismatch between a MAC address and an IP address.

On London Server 2

1. Open Chrome and navigate to http://blog.internet.www
   Confirm you are able to reach the website.

On London DC

2. Open Command Prompt from the Start menu
3. Run the following command: ipconfig /all
4. Write down the MAC (physical) address of London DC:
   ______________________________________________
   You will need this to configure spoof protection.
5. Login to the WebAdmin of London Gateway 1 as admin
6. Select SYSTEM > Administration in the left-hand menu
7. Select the Device Access tab
8. In the HTTPS column, select the WAN zone
   Note: This enables access to the WebAdmin from the WAN zone. You are enabling it here as a method of recovery in case you become locked out during this task.
9. Click Apply, then click OK
10. Select PROTECT > Intrusion Prevention in the left-hand menu
11. Select the DoS & Spoof Protection tab
12. Under the trusted MAC list, click Add
13. Enter the MAC address you wrote down at the beginning of this task
    Important: If you enter this incorrectly, you will lock yourself out of London Gateway 1.
14. Select Static
15. Enter 172.16.16.10
16. Click Save
17. Click Add
18. Enter the MAC address 00-50-56-00-00-00
    Note: This is not the correct MAC address for London Server 2, so its traffic will be detected by the spoof protection.
19. Select Static
20. Enter 172.17.17.20
21.Click Save
22. Configure the following spoof protection settings:
    Enable Spoof Prevention: Select
    Restrict Unknown IP on Trusted MAC: Select
    IP Spoofing: Select
    MAC Filter: Select
    IP-MAC Pair Filter: Select
23. Click Apply, then click OK
    Note: If you have made a mistake with the trusted MAC addresses, you will lose access to the WebAdmin. To correct your settings, login to New York Server and connect to the WebAdmin at https://lon-gw1.sophos.www:4444. An alternative method is to login to the console and run the following command:
        system appliance_access enable
    This does two things:
        1. Enables all forms of access to the XG Firewall
        2. Disables all access through the XG Firewall, as this can only be used for recovery
    If you use this command, you must remember to disable it again afterwards.
24. Under DoS Settings, select the Apply Flag checkbox for source SYN Flood attacks
25. Click Apply, then click OK
26. Review the settings available in this section
    In particular, review the options available for each of the DoS attack types.

On London Server 2

27. Refresh the webpage http://blog.internet.www
    Confirm that you can no longer access the website.

On London DC

28. Open a new tab in Chrome and navigate to http://test.internet.www
29. Read the message, including the warning, then click Start
    More information about SYN floods can be found online at: https://en.wikipedia.org/wiki/SYN_flood
30. Switch back to the WebAdmin
31. Select the DoS Attacks tab
32. Confirm that the SYN Flood traffic was dropped
33. Select the DoS & Spoof Protection tab
34. Deselect Enable Spoof Prevention
35. Click Apply, then click OK

On London Server 2

36. Refresh the webpage http://blog.internet.www
    Confirm that you can access the website.

You have enabled and tested DoS protection and spoof protection on London Gateway 1.
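As an added example (not part of the workbook and not the XG Firewall's own implementation), the following Python models the two checks this task exercises: the IP-MAC pair filter with Restrict Unknown IP on Trusted MAC, and a per-source SYN-rate threshold of the kind the source SYN Flood flag applies. The packet stream, the London DC and London Server 2 MAC addresses, the threshold of 100 SYNs per second and the helper names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    t: float           # arrival time in seconds
    syn: bool = False  # True for a pure TCP SYN (new connection attempt)


# Trusted MAC table mirroring the two Static bindings in the task.
# The London DC MAC is a placeholder (assumed); the London Server 2 binding is
# deliberately wrong, exactly as the task configures it.
TRUSTED_MAC = {
    "172.16.16.10": "00-0c-29-aa-bb-cc",  # assumed MAC of London DC
    "172.17.17.20": "00-50-56-00-00-00",  # not the real MAC of London Server 2
}


def spoof_verdict(pkt, trusted=TRUSTED_MAC, restrict_unknown_ip=True):
    """Apply the IP-MAC pair filter and the Restrict Unknown IP on Trusted MAC option."""
    mac = pkt.src_mac.lower()
    ip_to_mac = {ip: m.lower() for ip, m in trusted.items()}
    # IP-MAC pair filter: a trusted IP is only accepted from the MAC it is bound to.
    if pkt.src_ip in ip_to_mac and ip_to_mac[pkt.src_ip] != mac:
        return "drop: ip-mac pair mismatch"
    # Restrict Unknown IP on Trusted MAC: a trusted MAC may not use an unbound IP.
    if restrict_unknown_ip and mac in ip_to_mac.values() and pkt.src_ip not in ip_to_mac:
        return "drop: unknown ip on trusted mac"
    return "allow"


def syn_flood_sources(packets, rate, window=1.0):
    """Return the source IPs that send more than `rate` SYNs inside any `window` seconds."""
    syn_times = defaultdict(list)
    for p in packets:
        if p.syn:
            syn_times[p.src_ip].append(p.t)
    offenders = set()
    for ip, ts in syn_times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):  # sliding window over sorted arrival times
            while t - ts[lo] > window:
                lo += 1
            if hi - lo + 1 > rate:
                offenders.add(ip)
                break
    return offenders


def filter_stream(packets, rate=100):
    """Return (src_ip, verdict) per packet: spoof checks first, then SYN-flood flagging.

    Simplification: once a source exceeds the rate, all of its SYNs in the stream are
    marked dropped, rather than only those beyond the threshold.
    """
    flooders = syn_flood_sources(packets, rate)
    verdicts = []
    for p in packets:
        v = spoof_verdict(p)
        if v == "allow" and p.syn and p.src_ip in flooders:
            v = "drop: syn flood"
        verdicts.append((p.src_ip, v))
    return verdicts


def sample_stream():
    """Constructed traffic: three ordinary packets, a 200-SYN burst and three slow SYNs."""
    pkts = [
        Packet("172.16.16.10", "00-0c-29-aa-bb-cc", 0.0),  # London DC, correct binding
        Packet("172.17.17.20", "00-0c-29-11-22-33", 0.1),  # London Server 2 (assumed real MAC)
        Packet("172.17.17.99", "00-0c-29-aa-bb-cc", 0.2),  # London DC's MAC with another IP
    ]
    pkts += [Packet("172.16.16.10", "00-0c-29-aa-bb-cc", 1.0 + i / 200, syn=True) for i in range(200)]
    pkts += [Packet("172.25.25.5", "00-0c-29-55-55-55", 5.0 + i, syn=True) for i in range(3)]
    return pkts


if __name__ == "__main__":
    for ip, verdict in filter_stream(sample_stream())[:3]:
        print(ip, verdict)
    print("SYN flood sources:", syn_flood_sources(sample_stream(), rate=100))
```

The second sample packet reproduces the lab's lockout scenario: the real MAC of London Server 2 does not match the bound MAC for 172.17.17.20, so every packet from it is dropped, which is why the blog became unreachable in step 27 and why getting the London DC binding right matters.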
Task 3.9 - Configure Security Heartbeat

You will enable Synchronized Security on London Gateway 1, and then modify firewall rules to restrict network access based on the heartbeat status of source devices.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Click the Click here link to register London Gateway 1 with Sophos Central
3. Click Activate
4. Enter the email address and password you used to register for the Sophos Central evaluation, then click Register
   Wait for the registration to complete.
5. Select the LAN zone
6. Click Apply
7. Select PROTECT > Firewall in the left-hand menu
8. Open the ellipses for the #Default_Network_Policy rule, then click Clone Above
9. Modify the following settings:
   Rule Name: User Internet Access
   Source Zone: LAN
   Source Networks and Devices: London-172.17.17
   Web Malware and Content Scanning > Detect zero-day threats with Sandstorm: Deselect
   Advanced > Web Policy: Default Workplace Policy
   Advanced > Minimum Source HB Permitted: Yellow
   Note: You are disabling Sandstorm in this rule so that the test file used in this task is not referred for analysis. You are changing the web policy so that executables are not blocked.
10. Click Clone
11. Open the ellipses for the existing rule that allows LAN to Intranet traffic, then click Clone Above
12. Modify the following settings:
    Rule Name: User LAN to Intranet Zone
    Source Networks and Devices: London-172.17.17
    Advanced > Minimum Source HB Permitted: Green
    Advanced > Block clients with no heartbeat: Select
    Note: This rule will only apply to computers connected to the 172.17.17.0/24 subnet. This is the network that London Server 2 is connected to.
13. Click Clone
14. Edit the original LAN to Intranet rule that you cloned in step 11
15. Modify the following settings:
    Source Networks and Devices: London-172.16.16
    Note: This will only allow servers connected to the 172.16.16.0/24 subnet access to the Intranet zone.
16. Click Save
17. Edit the #Default_Network_Policy rule
18. Modify the following settings:
    Source Networks and Devices: London-172.16.16, Intranet-172.25.25, DMZ-172.30.30
19. Click Save
20. Open a new tab in Chrome and navigate to http://intranet.lon.sophos.local
    You should be able to access the website because London DC is in the subnet 172.16.16.0/24.
21. Switch back to the WebAdmin
22. Select MONITOR & ANALYZE > Control Center in the left-hand menu
    Confirm that the Security Heartbeat section now shows the icon for one client with a green heartbeat.

On London Server 2

23. Login as SOPHOS\lfox
    The password is Sophos1985.
24. Open Chrome and navigate to http://intranet.lon.sophos.local
    Confirm you can access the website, as London Server 2 has a green heartbeat.
25. Navigate to http://blog.internet.www/download/game.exe
    You should see a notification appear in the top-right corner of the screen.
26. Navigate to http://blog.internet.www/
    Confirm you can access the website.
27. Navigate to http://intranet.lon.sophos.local
    Confirm you cannot access the intranet. If the page loads it is a cached copy; press Ctrl + R to reload the page.
28. Logout of London Server 2

On London DC

29. Select MONITOR & ANALYZE > Control Center in the left-hand menu
    Confirm that the Security Heartbeat section now shows the icon for one client with a yellow heartbeat.
30. Click on the yellow Security Heartbeat icon
    Review the information shown.
31. Click on the Sophos Central link
32. Sign in with your email address and password
33. Click Overview > Alerts in the left-hand menu
34. Write down the value of the description for the alert for LON-SRV2:
    ____________________________________________
    ____________________________________________
35. Select the checkbox next to the alert and click Clean Up PUA
36. Read the message, then click OK
37. Select Overview > Global Settings in the left-hand menu
38. Click Registered Firewall Appliances
39. Confirm that the Sophos XG Firewall is active. Write down the name of the Sophos XG Firewall that is registered in Sophos Central:
    ____________________________________________
40. Switch back to the WebAdmin
    If your session has timed out, log back in as admin.
41. Select MONITOR & ANALYZE > Control Center in the left-hand menu
42. Confirm that the Security Heartbeat section now shows the icon for one client with a green heartbeat
    This may take 10-15 minutes while the detected PUA is cleaned up, but is usually quicker.
43. Select SYSTEM > Backup & Firmware in the left-hand menu
44. Click Backup Now
    Wait for the backup to complete.
45. Select Local
46. Click Download

You have enabled Synchronized Security on London Gateway 1, and then modified firewall rules to restrict network access based on the heartbeat status of source devices. You have triggered a yellow heartbeat status on London Server 2 to test your configuration.
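As an added example, not from the workbook, the following Python evaluates a small ordered rule table in the same shape as the rules built in this task, to show how Minimum Source HB Permitted and Block clients with no heartbeat interact with first-match rule ordering. The rule name "LAN to Intranet Zone", the heartbeat table, and the semantics that a heartbeat below the minimum drops the traffic (rather than falling through to the next rule) are assumptions for illustration, not a description of the XG Firewall's internals.

```python
import ipaddress
from enum import IntEnum


class HB(IntEnum):
    """Heartbeat health, ordered so that comparisons mean 'at least this healthy'."""
    NONE = 0    # no Security Heartbeat received from the endpoint
    RED = 1
    YELLOW = 2
    GREEN = 3


def rule(name, src_zone, src_nets, dst_zone, min_hb=None, block_no_hb=False):
    return {
        "name": name, "src_zone": src_zone, "dst_zone": dst_zone,
        "src_nets": [ipaddress.ip_network(n) for n in src_nets],
        "min_hb": min_hb, "block_no_hb": block_no_hb,
    }


# Ordered as in the task after steps 8-19 (top rule first); first match wins.
# "LAN to Intranet Zone" is an assumed name for the rule narrowed in step 15.
RULES = [
    rule("User Internet Access", "LAN", ["172.17.17.0/24"], "WAN", min_hb=HB.YELLOW),
    rule("User LAN to Intranet Zone", "LAN", ["172.17.17.0/24"], "Intranet",
         min_hb=HB.GREEN, block_no_hb=True),
    rule("LAN to Intranet Zone", "LAN", ["172.16.16.0/24"], "Intranet"),
    rule("#Default_Network_Policy", "LAN",
         ["172.16.16.0/24", "172.25.25.0/24", "172.30.30.0/24"], "WAN"),
]


def heartbeat_check(r, status):
    """Return None if the rule's heartbeat conditions are met, else a drop reason."""
    if status == HB.NONE:
        # Without "Block clients with no heartbeat", an endpoint that sends no
        # heartbeat at all is not held to the minimum health level.
        return "drop: no heartbeat" if r["block_no_hb"] else None
    if r["min_hb"] is not None and status < r["min_hb"]:
        return f"drop: heartbeat {status.name} below {r['min_hb'].name}"
    return None


def evaluate(src_ip, src_zone, dst_zone, status, rules=RULES):
    """First-match evaluation; returns (rule name or None, verdict)."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["src_zone"] != src_zone or r["dst_zone"] != dst_zone:
            continue
        if not any(ip in net for net in r["src_nets"]):
            continue
        reason = heartbeat_check(r, status)
        return r["name"], reason or "accept"
    return None, "drop: no matching rule"


# Constructed heartbeat table: London Server 2 after the game.exe download (yellow);
# London DC has no endpoint agent in this model, so it reports no heartbeat.
HEARTBEATS = {"172.17.17.20": HB.YELLOW}


def decide(src_ip, src_zone, dst_zone, heartbeats=HEARTBEATS):
    return evaluate(src_ip, src_zone, dst_zone, heartbeats.get(src_ip, HB.NONE))


if __name__ == "__main__":
    print(decide("172.17.17.20", "LAN", "WAN"))        # internet still allowed on yellow
    print(decide("172.17.17.20", "LAN", "Intranet"))   # intranet requires green
    print(decide("172.16.16.10", "LAN", "Intranet"))   # server subnet, no heartbeat needed
```

The model reproduces steps 24 to 27: with a green heartbeat the intranet rule accepts London Server 2, with a yellow heartbeat the same client keeps internet access (minimum Yellow) but loses the intranet (minimum Green), and London DC reaches the intranet through the server rule that carries no heartbeat condition.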
Review

You have now successfully:
1. Configured logging
2. Created network firewall rules
3. Installed the SSL CA certificate
4. Installed Sophos Central
5. Published servers using Business Application Rules
6. Configured IPS policies
7. Enabled Advanced Threat Protection
8. Enabled DoS and spoof protection
9. Configured Security Heartbeat
Lab 4 - Site-to-Site Connections

Objectives

Upon successful completion of this lab, you will be able to:
1. Configure an SSL site-to-site VPN
2. Configure an IPsec site-to-site VPN

Task 4.1 - Create an SSL Site-to-Site VPN

Create a simple SSL site-to-site VPN between the head office in London and the branch office in New York. Configure basic firewall rules to allow traffic to and from the VPN zone.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > Routing in the left-hand menu
3. Click the Delete icon next to the IPv4 Unicast Route, then click OK
   Note: This deletes the static route for the simulated MPLS connection.
4. Open a new tab in Chrome and navigate to http://ny-srv.sophos.local
   Confirm that you cannot access this site.
5. Switch back to the WebAdmin
6. Select CONFIGURE > VPN in the left-hand menu
7. Select the SSL VPN (Site to Site) tab
8. Under Server, click Add
9. Configure the server connection with the following settings:
   Connection Name: NewYork
   Description: Site-to-site VPN to New York
   Use Static Virtual IP Address: Deselected
   Local Networks: London-172.16.16, London-172.17.17
   Remote Networks: NewYork-192.168.16
10. Click Save
11. Click the Download icon for the NewYork VPN connection
12. Select Encrypt Configuration File
13. Enter and confirm the password Sophos1985
14. Click Download
15. Open a new tab and navigate to https://ny-gw.sophos.www:4444
16. Login to the WebAdmin of New York Gateway as admin
    Important: While you have the WebAdmin for both London Gateway 1 and New York Gateway open, take extra care to perform tasks on the correct device.
17. Select CONFIGURE > Routing in the left-hand menu
18. Select all of the IPv4 Unicast Routes, then click Delete
19. Click OK
    Note: This deletes the static routes for the simulated MPLS connection.
20. Select CONFIGURE > VPN in the left-hand menu
21. Select the SSL VPN (Site to Site) tab
22. Under Client, click Add
23. Configure the VPN connection with the following settings:
    Connection Name: London
    Description: Site-to-site VPN to London
    Configuration File: C:\Users\Administrator\Downloads\server_NewYork.epc
    Password: Sophos1985
    Use HTTP Proxy Server: Deselected
    Override Peer Hostname: Deselected
    Note: The password is required because the configuration file is encrypted. If the configuration file has not been encrypted, leave the password blank.
24. Click Save
25. Click the SSL VPN (Site to Site) tab to refresh the page
    Confirm that the connection indicator has turned green.
    Note: A firewall rule to allow VPN traffic has already been created as part of the configuration import.
26. Close the tab with the New York Gateway WebAdmin
27. Switch back to the London Gateway 1 WebAdmin
    Note: Ensure you are accessing the correct XG Firewall.
28. Select PROTECT > Firewall in the left-hand menu
29. Click + Add Firewall Rule > User/Network Rule
30. Configure the rule with the following configuration, leaving all of the other settings as default:
    About This Rule > Rule Name: To VPN
    About This Rule > Description: Allow traffic to the VPN zone
    About This Rule > Rule Position: Top
    About This Rule > Action: Accept
    Source > Zone: LAN
    Destination > Zone: VPN
    Identity > Match known users: Deselect
    Log Traffic > Log Firewall Traffic: Select
    Note: In a production environment you would usually limit the services and apply protection policies. You are creating separate firewall rules for traffic going to and from the VPN zone so that you do not inadvertently allow other traffic that should be managed by another firewall rule.
31. Click Save
32. Click + Add Firewall Rule > User/Network Rule
33. Configure the rule with the following configuration, leaving all of the other settings as default:
    About This Rule > Rule Name: From VPN
    About This Rule > Description: Allow traffic from the VPN zone
    About This Rule > Rule Position: Top
    About This Rule > Action: Accept
    Source > Zone: VPN
    Destination > Zone: LAN
    Identity > Match known users: Deselect
    Log Traffic > Log Firewall Traffic: Select
    Note: In a production environment you would usually limit the services and apply protection policies.
34. Click Save
35. Open a new tab in Chrome and navigate to http://ny-srv.sophos.local
    Confirm that you can access this site.
    Note: You can test the VPN in the other direction by browsing to http://lon-dc.sophos.local on New York Server.
36. Switch back to the London Gateway 1 WebAdmin
37. Select CONFIGURE > VPN in the left-hand menu
38. Select the SSL VPN (Site to Site) tab
39. Toggle the VPN OFF, then click OK

On New York Server

40. Login to the WebAdmin of New York Gateway as admin
41. Select CONFIGURE > VPN in the left-hand menu
42. Select the SSL VPN (Site to Site) tab
43. Toggle the VPN OFF, then click OK
44. Open a new tab in Chrome and navigate to http://lon-dc.sophos.local
    Confirm that you cannot access this site.

You have created a simple SSL site-to-site VPN between the head office in London and the branch office in New York, and configured basic firewall rules to allow traffic to and from the VPN zone.
Task 4.2 - Create an IPsec Site-to-Site VPN

Create an IPsec site-to-site VPN between the head office in London and the branch office in New York using the wizard. The connection has already been configured on New York Gateway.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > VPN in the left-hand menu
3. Click Wizard
4. Enter the name NewYork, then click Start
5. Select the Site To Site image
6. Select IKEv2
7. Click the blue Next button
8. Enter the preshared key Sophos1985
9. Click the blue Next button
10. Configure the local settings:
    Local WAN Port: PortB (10.1.1.100)
    IP Version: IPv4
    Local Subnet: London-172.16.16, London-172.17.17, Intranet-172.25.25
    Local ID: DNS, lon-gw1.sophos.www
11. Click the blue Next button
12. Configure the remote settings:
    Remote VPN Server: *
    IP Version: IPv4
    Remote Subnet: NewYork-192.168.16
    Remote ID: DNS, ny-gw.sophos.www
    Note: With Remote VPN Server set to *, London Gateway 1 accepts the connection from any peer address and relies on the remote ID to identify New York Gateway; the tunnel is initiated from the New York side.
13. Click the blue Next button twice
14. Click Finish
15. Click the red connection indicator, then click OK

On New York Server

16. Login to the WebAdmin of New York Gateway as admin
17. Select CONFIGURE > VPN in the left-hand menu
18. Click the red connection indicator, then click OK
    Wait for the VPN to establish and the icon to turn green.
19. Click on the Information icon next to the connection indicator
20. Write down the network mappings created for the VPN:
    ______________________________________________
    ______________________________________________
    ______________________________________________
21. Click Close
22. Open a new tab in Chrome and navigate to https://lon-dc.sophos.local
    Confirm that you can access this site.
    Note: The traffic is allowed due to the VPN firewall rules already created.
23. Switch back to the WebAdmin
24. Click the green connection indicator, then click OK
25. Select SYSTEM > Backup & Firmware in the left-hand menu
26. Click Backup Now
    Wait for the backup to complete.
27. Select Local
28. Click Download

On London DC

29. Switch back to the WebAdmin
30. Click the green connection indicator, then click OK
31. Select SYSTEM > Backup & Firmware in the left-hand menu
32. Click Backup Now
    Wait for the backup to complete.
33. Select Local
34. Click Download

You have created an IPsec site-to-site VPN between the head office in London and the branch office in New York using the wizard.

Review

You have now successfully:
1. Configured an SSL site-to-site VPN
2. Configured an IPsec site-to-site VPN
Lab 5 - Authentication

Objectives

Upon successful completion of this lab, you will be able to:
1. Configure Active Directory authentication
2. Configure Sophos Transparent Authentication Suite
3. Configure user-based policies including Security Heartbeat
4. Configure One-Time Passwords

Task 5.1 - Configure an Active Directory Authentication Server

You will configure an Active Directory authentication server on London Gateway 1, and then import groups from Active Directory. You will enable the Active Directory server as an authentication source for the firewall services, and test user authentication.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > Authentication in the left-hand menu
3. Click Add
4. Configure the authentication server with the following settings:
   Server Type: Active Directory
   Server Name: London DC
   Server IP/Domain: 172.16.16.10
   Port: 389
   NetBIOS Domain: SOPHOS
   ADS Username: Administrator
   Password: Sophos1985
   Connection Security: Simple
   Display Name Attribute: displayName
   Email Address Attribute: mail
   Domain Name: SOPHOS.LOCAL
   Note: Connection Security Simple on port 389 sends the bind credentials to the domain controller in cleartext. This is acceptable in the lab, but in production use SSL/TLS or STARTTLS and a dedicated, least-privilege bind account rather than Administrator.
5. Click the Add link under Search Queries
6. Enter dc=SOPHOS,dc=LOCAL, then click Add
7. Click Test Connection
   You should see a message appear that the connection was successful.
8. Click Save
9. Click the Import icon
   This will open the Group Import Wizard.
10. Click Start
11. Select dc=SOPHOS,dc=LOCAL, then click the blue Next button
12. Expand Sophos Groups
13. Select the following groups: HR, IT, Sales, Marketing, Support
14. Click the blue Next button three times
    Wait for the import to complete.
15. Click OK
16. Click Close
17. Select the Users tab
    Note that there are no users listed. Users will be added as they authenticate with the XG Firewall.
18. Select the Services tab
19. For the required services, select London DC
    Note: The authentication server has to be enabled as an authentication source for the required services.
20. Click Apply, then click OK
21. In a new browser tab navigate to http://lon-gw1.sophos.local:8090
    This will open the captive portal.
22. In the captive portal, sign in as jsmith
    The password is Sophos1985. By logging in as John Smith, the user will be added to the device.
23. Click Sign out
24. In the captive portal, sign in as frogers
    The password is Sophos1985.
25. Switch back to the WebAdmin
26. Click Log Viewer in the top-right
27. In the drop-down field, select Authentication
28. Verify that the login events are present
29. Close the Log Viewer window
30. Select the Users tab and write down the group name for the following users:
    Fred Rogers: ____________________________________________
    John Smith: ____________________________________________
31. Select MONITOR & ANALYZE > Current Activities in the left-hand menu
32. Write down what is shown:
    ____________________________________________
33. Switch back to the captive portal tab
34. Click Sign out

You have configured an Active Directory authentication server on London Gateway 1, imported groups, and enabled the authentication service as an authentication source for the firewall services.
Task 5.2 - Configure Single Sign-On Using STAS

You will configure single sign-on using the Sophos Transparent Authentication Suite. For this lab, you will install the STAS suite on London DC and use it to authenticate users in the London head office.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > Authentication in the left-hand menu
3. Select the STAS tab
4. Toggle STAS ON
5. Click Activate STAS
6. Click Add New Collector
7. Enter 172.16.16.10, then click Save
   Note: User inactivity on the XG Firewall is for when STAS is unable to use WMI for logoff detection. You do not need to use it in this environment.
8. Select the Client Downloads tab
   You will need to select the ellipses on the right-hand side of the menu.
9. Click Sophos Transparent Authentication Suite (STAS)
10. Click Keep in the browser warning at the bottom of the screen
11. Once the download is complete, run the file
    Click Run in the security warning.
12. Click Next
13. Click Next three times, then click Install
    Note the location of the installation folder.
14. Select SSO Suite, then click Next
    This will install both the STA Collector and STA Agent on London DC.
15. Enter the login details for SOPHOS\STAS, then click Next
    The password is Sophos1985. STAS is an administrative user with logon as a service rights.
16. Click Finish
    This completes the client installation.
17. Run Sophos Transparent Authentication Suite from the desktop shortcut
18. Click Start to start the service
19. Select the Exclusion List tab
20. In the exclusion list, click Add
21. Type STAS, then click OK
22. Select the STA Collector tab
23. Add 172.16.16.16 to the list of Sophos appliances
24. Select the STA Agent tab
25. Add the networks to monitor: 172.16.16.0/24 and 172.17.17.0/24
26. Select the General tab
27. Configure the following settings:
    NetBIOS Name: SOPHOS
    Fully Qualified Domain Name: SOPHOS.LOCAL
28. Click OK
29. Click Yes to restart the service
    The service should now start successfully.
30. Open Administrative Tools from the Start menu
31. Open Local Security Policy
32. Select Security Settings > Local Policies > Audit Policy in the left-hand pane
33. In the right-hand pane, double-click Audit account logon events
34. Select both Success and Failure, then click OK
    You can then close the Local Security Policy.
35. Switch back to the WebAdmin of London Gateway 1
36. Select CONFIGURE > System Services in the left-hand menu
37. Select the Services tab
38. Click Restart for the authentication service, then click OK
    This will clear the cached authentication status on the XG Firewall.

On London Server 2

39. Login as SOPHOS\jsmith
    You may need to logout from lfox first. The password is Sophos1985.
40. Open Chrome and navigate to http://www.google.com

On London DC

41. Switch back to the WebAdmin of London Gateway 1
42. Select MONITOR & ANALYZE > Current Activities in the left-hand menu
43. Write down the live user shown:
    ____________________________________________
    If no users are shown, wait a minute, then click to refresh the tab.

On London Server 2

44. Logout of London Server 2

You have installed and configured the STAS suite on London DC, enabled STAS authentication on London Gateway 1, and tested single sign-on to the firewall.
Task 5.3 - User-Based Policies

You will modify the firewall rules that provide access from the 172.17.17.0/24 subnet to the Intranet and WAN zones so that they require user authentication. Traffic that accesses the Intranet zone will be assumed to be work related and therefore not counted, whereas traffic for the WAN zone will be tracked.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select PROTECT > Firewall in the left-hand menu
3. Edit the User LAN to Intranet Zone rule
4. Modify the following settings:
   Identity > Match known users: Select
   Identity > Show captive portal to unknown users: Select
   Identity > Users or Groups: Any
   Identity > Exclude this user activity from data accounting: Select
   Note: You are selecting the option to exclude this activity from data accounting so that any use of the intranet does not count towards any quotas set.
5. Click Save
6. Edit the User Internet Access rule
7. Modify the following settings:
   Identity > Match known users: Select
   Identity > Show captive portal to unknown users: Select
   Identity > Users or Groups: Any
   Identity > Exclude this user activity from data accounting: Deselect
8. Click Save

On London Server 2

9. Login as SOPHOS\jsmith
10. Open Chrome and navigate to http://blog.internet.www
11. Click Downloads at the top of the page
12. Click large.file
13. Open a new tab and navigate to http://intranet.lon.sophos.local/intranetlarge.file
    Wait for the downloads to complete.
14. Logout of London Server 2

On London DC

15. Select CONFIGURE > Authentication in the left-hand menu
16. Select the Users tab
17. Click John Smith
18. Click the View Usage button at the bottom of the page
    Confirm that only one 111 MB download has been accounted for. This is because you have excluded the intranet traffic from accounting.

You have modified network firewall rules so that they are user rules that require an authenticated user.
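As an added example, not from the workbook, the following Python models what sits between Task 5.2 and Task 5.3: a STAS-style identity map built from domain controller logon events (Windows Security event ID 4624), honouring the exclusion list, the monitored networks and an inactivity timeout, and then the identity decision a user rule makes with Match known users and Show captive portal to unknown users. The event records, the 300-second timeout and all helper names are constructed for illustration; STAS's actual event parsing and the firewall's own code are not reproduced.

```python
import ipaddress
from dataclasses import dataclass

LOGON_EVENT_ID = 4624  # Windows Security log: an account was successfully logged on


@dataclass(frozen=True)
class LogonEvent:
    t: int          # Unix time
    event_id: int
    domain: str
    user: str
    ip: str


class IdentityMap:
    """IP -> (DOMAIN\\user, last activity) learned from logon events, as a STAS-style agent would."""

    def __init__(self, monitored=("172.16.16.0/24", "172.17.17.0/24"),
                 excluded=("STAS",), inactivity=300):
        self.monitored = [ipaddress.ip_network(n) for n in monitored]
        self.excluded = {u.upper() for u in excluded}   # service accounts never become "users"
        self.inactivity = inactivity                    # seconds; assumed value
        self.entries = {}

    def observe(self, ev):
        """Record a logon; ignore other events, excluded accounts and unmonitored networks."""
        if ev.event_id != LOGON_EVENT_ID or ev.user.upper() in self.excluded:
            return False
        if not any(ipaddress.ip_address(ev.ip) in n for n in self.monitored):
            return False
        self.entries[ev.ip] = (f"{ev.domain}\\{ev.user}", ev.t)
        return True

    def touch(self, ip, now):
        """Traffic from a mapped IP refreshes its activity timer."""
        if ip in self.entries:
            self.entries[ip] = (self.entries[ip][0], now)

    def lookup(self, ip, now):
        """Return the user for an IP, expiring the entry after the inactivity timeout."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, last = entry
        if now - last > self.inactivity:
            del self.entries[ip]
            return None
        return user


def user_rule_decision(ident, src_ip, now, match_known_users=True, captive_portal=True):
    """Identity part of a user rule: accept known users, redirect or drop unknown ones."""
    if not match_known_users:
        return "accept", None
    user = ident.lookup(src_ip, now)
    if user is not None:
        return "accept", user
    return ("captive-portal" if captive_portal else "drop"), None


def sample_events():
    """Constructed Security-log records, not real STAS or Windows output."""
    return [
        LogonEvent(1000, LOGON_EVENT_ID, "SOPHOS", "STAS", "172.16.16.10"),    # excluded service account
        LogonEvent(1010, LOGON_EVENT_ID, "SOPHOS", "jsmith", "172.17.17.20"),  # London Server 2 user
        LogonEvent(1020, 4634, "SOPHOS", "lfox", "172.17.17.21"),               # 4634 is a logoff, not a logon
        LogonEvent(1030, LOGON_EVENT_ID, "SOPHOS", "frogers", "10.20.30.40"),  # outside monitored networks
    ]


def build_map(events=None):
    ident = IdentityMap()
    for ev in events or sample_events():
        ident.observe(ev)
    return ident


if __name__ == "__main__":
    ident = build_map()
    print(user_rule_decision(ident, "172.17.17.20", now=1100))  # ('accept', 'SOPHOS\\jsmith')
    print(user_rule_decision(ident, "172.17.17.21", now=1100))  # ('captive-portal', None)
```

Excluding the STAS service account matters for the same reason as step 21 of Task 5.2: without it, the account that runs the agent on London DC would be mapped to the domain controller's IP and silently grant the server "user" access through every user rule.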
Task 5.4 - One-Time Passwords

You will enable and configure one-time passwords for logging into the User Portal, and then test this configuration.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select CONFIGURE > Authentication in the left-hand menu
3. Select One-Time Password
4. Click Settings
5. Toggle One-Time Password ON
6. Deselect WebAdmin
7. Click Apply

On New York Server

8. Open WinAuth from the Desktop
9. Open Chrome and navigate to https://lon-gw1.sophos.www
10. Login as jdoe
    The password is Sophos1985.
11. Select the secret for London Gateway 1 and press Ctrl + C to copy it to the clipboard
12. Switch to WinAuth and click Add > Authenticator
13. Enter the name London Gateway 1
14. In the field for the secret code, paste the secret using Ctrl + V
15. Click Verify Authenticator, then click OK
16. Deselect Protect with my own password
17. Click OK
18. Switch back to the User Portal and click Proceed to Login
19. Login as jdoe using the password and the token
    The password is Sophos1985 and the current token will be displayed in WinAuth when you click the reveal token button. The token should be appended to the password with no spaces.
    If you are unable to login, this may be caused by a time difference between London DC and New York Server. To resolve this, click the OTP time-offset synchronization icon next to the token on London Gateway 1 and enter the current token code. London Gateway 1 can then compensate for the time difference.

On London DC

20. Switch back to the WebAdmin of London Gateway 1
21. On the One-Time Password page, click Settings
22. Toggle One-Time Password OFF
23. Click Apply
24. Select SYSTEM > Backup & Firmware in the left-hand menu
25. Click Backup Now
    Wait for the backup to complete.
26. Select Local
27. Click Download

You have enabled and configured one-time passwords for logging into the User Portal, and then tested this configuration.
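As an added example, not from the workbook, the following Python implements the RFC 6238 TOTP algorithm that authenticator apps such as WinAuth compute, the "password followed by token with no spaces" login format used in step 19, and the time-offset compensation described in the note to that step. The secret, timestamps and helper names are constructed for illustration and the XG Firewall's own verification code is not shown; the one exception is the first check in the test, which uses the SHA-1 test vector published in RFC 6238 (secret 12345678901234567890, time 59).

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # seconds per TOTP time step


def secret_from_base32(text):
    """Decode a base32 secret as shown by an enrollment page (spaces and missing padding tolerated)."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now // step), digits)


def verify_login(entered, password, secret, now, offset_steps=0, window=1, step=STEP):
    """Check 'password + token' (no separator) against the static password and the TOTP.

    offset_steps is the per-user clock offset learned by synchronization; window allows
    one step of drift either side, the usual tolerance for TOTP.
    """
    if len(entered) != len(password) + DIGITS:
        return False
    pw, token = entered[:len(password)], entered[len(password):]
    if not hmac.compare_digest(pw.encode(), password.encode()) or not token.isdigit():
        return False
    counter = int(now // step) + offset_steps
    return any(hmac.compare_digest(hotp(secret, counter + d), token)
               for d in range(-window, window + 1))


def sync_offset(secret, observed_token, now, search=200, step=STEP):
    """Time-offset synchronization: find the step offset at which the user's token is valid.

    Offsets nearest to zero are tried first; None means no offset within +/- search matched.
    """
    base = int(now // step)
    for d in sorted(range(-search, search + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + d), observed_token):
            return d
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret
    print(totp(secret, 59))            # RFC 6238 vector, truncated to 6 digits
    token = totp(secret, 1_000_000)
    print(verify_login("Sophos1985" + token, "Sophos1985", secret, 1_000_000))
```

The synchronization step is the interesting part for an operator: a client whose clock is two minutes off produces tokens four steps away, which the one-step window rejects, and a single observed token is enough to learn that offset and accept the user afterwards. The search range bounds how far off a clock may be before a token is accepted at all.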
Review

You have now successfully:
1. Configured Active Directory authentication
2. Configured Sophos Transparent Authentication Suite
3. Configured user-based policies including Security Heartbeat
4. Configured One-Time Passwords

Lab 6 - Web Protection and Application Control

Objectives

Upon successful completion of this lab, you will be able to:
1. Create custom web categories and user activities to use in a web policy
2. Create a content filter
3. Create a custom web policy that applies different actions to groups of users
4. Create a surfing quota for guest users
5. Configure an application filter policy
Task 6.1 - Create Custom Web Categories and User Activities

In this task you will create a keyword filter for unproductive websites, modify an existing user activity to add additional categories, and create a new user activity for controlling access to specific categories of website. These will be used later in this lab when you create a custom web policy.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select PROTECT > Web in the left-hand menu
3. Select the Categories tab
4. Click Add
5. Configure the web category with the following settings:
   Name: Keyword filter
   Description: Keywords for unproductive web browsing
   Classification: Unproductive
   Configure Category: Local
   Domain/Keyword: toys, games
   Note: This keyword filter will identify keywords in the URL.
6. Click Save
7. Select the User Activities tab
8. Click the Edit icon for Unproductive Browsing
9. Add the following categories:
   Keyword filter, Audio Files, Video Files
   Tip: You can type to search for each of these categories.
10. Click Save, then click Save for all
11. Click Add
12. Configure the user activity with the following settings:
    Name: Controlled Categories
    Category: Hacking, Download Freeware & Shareware
13. Click Save

You have created a keyword filter for unproductive websites, modified an existing user activity to add additional categories, and created a new user activity for controlling access to specific categories of website.
Task 6.2 - Create a Content Filter

You will create a custom content filter that will be used to detect web pages that contain common bullying terms. You will use this content filter in your custom web policy later in this lab.

On London DC

1. Login to the WebAdmin of London Gateway 1 as admin
2. Select PROTECT > Web in the left-hand menu
3. Select the Content Filters tab
4. Click Add Content Filter
5. Configure the content filter with the following settings:
   Name: Bullying Terms
   Description: Common bullying terms
6. Click Choose File
7. Select the file C:\Samples\BullyingTerms.txt, then click Open
   The format of this file is a text file with one term per line.
8. Click Apply

You have created a custom content filter that can be used to detect web pages that contain common bullying terms.
Creat e a Cust om Web Policy
In this t ask, you will clone a n existing web policy and cust the previous tasks. You will test t he web policy with t
om ize i t us ing with the user activities and content
wo different users on
filter you created in
London Server 2 , and t he Policy Te st t ool on London G atew ay 1 .
Instructions
Notes
On London DC 1
Login to the WebAdmin of
2
Select PROTECT > Web in the left-hand m
3
Click th e Clone
4
Change the nam e of the policy to
5
Click Add Rule
6
Configure the new
London Gatew ay 1 as admin enu
Cust om Work place Policy This will be added to the top of the list of
rule with t he follo wing set tings:
Setting Users
    Users            Anybody
    Activities       Unproductive Browsing
    Action           Warn
    Status           ON
7   Click Add Rule
8   Configure the new rule with the following settings:
    Setting          Value
    Users            Anybody
    Activities       Controlled Categories
    Action           Block
    Status           ON
9   Click the Clone icon for the new rule and select Clone Rule Above
10  Change Users for the cloned rule to IT
11  Change Action for the cloned rule to Warn
    Note: Web policy rules are matched top to bottom and the first match wins, so the IT rule must sit above the Anybody / Block rule; otherwise IT users would be blocked before the Warn rule is ever reached.
12  Click the Add icon and select Add Rule Below
13  Click in the Activities field for the new rule and select All Web Traffic
14  Select the Content Filters tab
15  Configure the content filter rule
16  Add Bullying Terms
17  Click the Status icon for the new rule to enable it
18  Click Save, then click Skip this step on the message that appears
19  Select the User Notifications tab
20  Select Use custom warn message
21  Replace the text "Clicking proceed will allow temporary access to this site, but you should only do this if necessary." with the following text:
    It is likely that visiting this website is against company policy. If you have a business need to use this website and you have reason to believe that it is safe to do so you can choose to proceed.
    Note: You can copy and paste text into the virtual machine.
22  Click Apply
23  Select PROTECT > Firewall in the left-hand menu
24  Edit the firewall rule
25  Modify the following settings:
    Setting                                                                    Value
    Web Malware and Content Scanning > Detect zero-day threats with Sandstorm  Select
    Advanced > Web Policy                                                      Custom Workplace Policy
26  Click Save

On London Server 2

27  Login as jsmith
28  Open Chrome and navigate to http://bing.com
    Note: John Smith should be able to access this site. If you are prompted to authenticate with the Captive Portal, login as jsmith.
29  Navigate to http://sophostest.com/downloads
    Note: This site should be blocked for John Smith.
30  Navigate to http://games.internet.www
    Note: John Smith should receive a warning for this site because of the keyword activity. If you used the Captive Portal to login, click Sign out.
31  Navigate to the Captive Portal https://lon-gw1.sophos.local:8090
32  Sign in as lfox
    Note: The password is Sophos1985. Lucy Fox is in IT.
33  Open a new tab and navigate to http://bing.com
    Note: Lucy Fox should be able to access this site. Do not close the tab you logged in on as you will use this to logout. If you need to get back to this tab the URL is https://lon-gw1.sophos.local:8090
34  Navigate to http://sophostest.com/downloads
    Note: This site should be allowed with a warning for Lucy Fox because she is in IT.
35  Navigate to http://games.internet.www
    Note: Lucy Fox should receive a warning for this site.
36  Navigate to http://test.internet.www/sandstorm
37  The file will be sent to Sandstorm for further analysis
    Note: If you leave the webpage it will automatically update and provide a link once it is complete. You can move onto the next part of this lab task while the file is being analyzed.
38  Once the file has been analyzed it will be downloaded
39  Sign out

On London DC

40  Switch back to the WebAdmin
41  Click Log Viewer in the top-right
42  Select the Policy Test tab
43  Configure the test with the following settings:
    Setting        Value
    URL            http://test.internet.www/keywords
    User           Authenticated User
                   Select [email protected]
    Test Method    Test Firewall Policy
    Source IP      172.17.17.20
    Source Zone    LAN
44  Click Test
45  Review the results of the test

You have cloned an existing web policy and customized it using the user activities and content filter you created in the previous tasks. You have tested the web policy with two different users on London Server 2, and the Policy Test tool on London Gateway 1.
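The ordered, first-match evaluation that the browser tests and the Policy Test tool exercise above, as an added example (not code from this workbook or from XG Firewall). The rule list, the group membership and the mapping from web categories to the lab's user activities are constructed to mirror Task 6.3; that rules are matched top to bottom with the first match winning is an assumption about XG's behaviour, and the example shows why the cloned IT rule had to be placed above the Anybody / Block rule.

```python
"""First-match evaluation of an ordered web policy, modelled on Task 6.3.

Added example, not code from the Sophos workbook or from XG Firewall.
Everything below is constructed: the activity-to-category mapping, the
group membership, and the rule list. Top-to-bottom first-match evaluation
is assumed to be how XG applies web policy rules.
"""
from dataclasses import dataclass

# User activity -> web categories it contains (constructed; None = any category)
ACTIVITIES = {
    "Unproductive Browsing": {"Games"},
    "Controlled Categories": {"Downloads"},
    "All Web Traffic": None,
}

# Group membership (constructed; Lucy Fox is in IT per the lab notes)
GROUPS = {"IT": {"lfox"}}


@dataclass(frozen=True)
class Rule:
    users: str      # "Anybody" or a group name
    activity: str   # key into ACTIVITIES
    action: str     # "Allow", "Warn" or "Block"
    enabled: bool = True


def user_matches(rule: Rule, user: str) -> bool:
    return rule.users == "Anybody" or user in GROUPS.get(rule.users, set())


def activity_matches(rule: Rule, category: str) -> bool:
    categories = ACTIVITIES[rule.activity]
    return categories is None or category in categories


def evaluate(policy, user: str, category: str, default: str = "Allow"):
    """Return (action, index of the matching rule) or (default, None)."""
    for index, rule in enumerate(policy):
        if rule.enabled and user_matches(rule, user) and activity_matches(rule, category):
            return rule.action, index
    return default, None


# The policy as built in the lab: the cloned IT/Warn rule was placed *above*
# the Anybody/Block rule with "Clone Rule Above".
LAB_POLICY = [
    Rule("Anybody", "Unproductive Browsing", "Warn"),
    Rule("IT", "Controlled Categories", "Warn"),
    Rule("Anybody", "Controlled Categories", "Block"),
]

# The same rules with the IT rule below the block rule: the IT rule is never reached.
MISORDERED_POLICY = [LAB_POLICY[0], LAB_POLICY[2], LAB_POLICY[1]]


def policy_test(policy, user: str, category: str) -> str:
    """Human-readable result in the spirit of the WebAdmin Policy Test tab."""
    action, index = evaluate(policy, user, category)
    reason = f"rule {index + 1}" if index is not None else "default action"
    return f"{user} -> {category}: {action} ({reason})"


if __name__ == "__main__":
    for user in ("jsmith", "lfox"):
        for category in ("Games", "Downloads", "Search"):
            print(policy_test(LAB_POLICY, user, category))
    print(policy_test(MISORDERED_POLICY, "lfox", "Downloads"))
```

Running it reproduces the lab's expectations (jsmith blocked on Downloads, lfox warned) and shows that swapping the two Controlled Categories rules silently blocks the IT user, which is the kind of regression the Policy Test tab is there to catch before users report it.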
Task 6.4  Create a Surfing Quota for Guest Users

You will configure a surfing quota policy for guest users. You will then create a guest user and test your quota.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select PROTECT > Web in the left-hand menu
3   Select the Surfing Quotas tab
    Note: Review the default Surfing Quotas that are preconfigured.
4   Click Add
5   Configure the Surfing Quota with the following settings:
    Setting         Value
    Name            Guest User Surfing Quota
    Description     6 hours, non-cyclic
    Cycle Type      Non-Cyclic
    Validity        Unlimited
    Maximum Hours   6 Hour(s)
    Note: A non-cyclic quota is a one-off allowance that does not reset; a cyclic quota would reset at the start of each cycle.
6   Click Save
7   Select CONFIGURE > Authentication in the left-hand menu
8   Select the Groups tab
9   Click Guest Group
10  In the Surfing Quota drop-down select Guest User Surfing Quota
11  Click Save
12  Select the Guest Users tab
13  Click Add Multiple
14  Enter the following details:
    Setting                            Value
    Number of Users                    5
    User Validity (Duration in Days)   1
    Validity Start                     After First Login
15  Click Add
16  Select the checkbox for guest-00001 then click Print
17  Write down the username and password for the guest user:
    Username ____________________________________________
    Password ____________________________________________
18  Click Cancel
19  Open a new tab and navigate to https://lon-gw1.sophos.local:8090
20  Login as guest-00001
    Note: Use the password you wrote down for this user.
21  Open a new tab and navigate to https://www.google.com
22  Navigate to http://blog.internet.www/download/large.file
23  Switch back to the WebAdmin of London Gateway 1
24  Click guest-00001
25  Click View Usage
    Note: It may take a couple of minutes for this section to update.
26  Review the usage sections
27  Switch back to the tab you logged in on and click Sign out

You have configured a surfing quota for guest users, created a guest user and tested your quota policy.
Task 6.5  Create an Application Filter Policy

In this task, you will create an application filter policy that blocks recreation applications such as peer-to-peer sharing, gaming, media streaming and social media. You will apply the policy to a firewall rule and test it.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Click the How-To Guides link in the top-right
3   On the page that loads you will see two videos have loaded in the Featured section
4   Close the tab and switch back to the WebAdmin
5   Select PROTECT > Applications in the left-hand menu
6   Select the Application Filter tab
7   Click Add
8   Configure the Application Filter with the following settings:
    Setting    Value
    Name       Block non-business apps
    Template   Allow All
    Note: With the Allow All template, applications will be allowed unless they are explicitly denied.
9   Click Save
10  Click Block non-business apps
11  Click Add
12  Select the following categories:
    Gaming
    P2P
    Streaming Media
    Social Networking
13  Set the action to Deny
14  Click Save, then click Save again
15  Select PROTECT > Firewall in the left-hand menu
16  Edit the #Default_Network_Policy rule
17  In the application control setting select Block non-business apps
18  Click Save
19  Click the How-To Guides link in the top-right
20  Confirm that the videos that loaded earlier are now blocked by the application filter
21  Select SYSTEM > Backup & Firmware in the left-hand menu
22  Click Backup Now
    Note: Wait for the backup to complete. The backup mode is Local.
23  Click Download

You have created an application filter policy that blocks recreation applications such as peer-to-peer sharing, gaming, media streaming and social media. You have applied the policy to a firewall rule and tested it.

Review
You have now successfully:
1. Created custom web categories and user activities to use in a web policy
2. Created a content filter
3. Created a custom web policy that applies different actions to groups of users
4. Created a surfing quota for guest users
5. Configured an application filter policy
Lab 7: Email Protection

Objectives
Upon successful completion of this lab, you will be able to:
1. Enable and configure quarantine digests
2. Configure an Email Protection Policy for MTA mode
3. Encrypt emails that match a Data Control List using SPX
4. Manage quarantined items as a user

Task 7.1  Enable and Configure Quarantine Digests

Enable quarantine digests for users so that you will receive one after completing other tasks in this lab. You will also override the quarantine digest settings by disabling them for a specific user.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select SYSTEM > Administration in the left-hand menu
3   Select the Time tab
4   Write down the current time on London Gateway 1:
    ____________________________________________
5   Select PROTECT > Email in the left-hand menu
6   Select the Quarantine Digest tab
7   Select Enable Quarantine Digest
8   Configure the digest with the following settings:
    Setting                    Value
    Email Frequency            Daily
    Send Mail Daily At         30 minutes later than the current time of London Gateway 1
    From Email Address         administrat[email protected]
    Display Name               Quarantine Digest
    Reference User Portal IP   PortC
    Note: Configure the quarantine digest to be sent 30 minutes later than the current time of London Gateway 1. This will allow you to receive one in time for the last task in this lab. Important: use the time you wrote down earlier in this task.
9   Click Apply then click OK
10  Click the option to change users' quarantine digest settings
    Note: You can use this to apply the quarantine digest settings to existing users, and to edit the email addresses associated with each user.
11  Select all of the users then click Apply
12  Click OK
13  Select CONFIGURE > Authentication in the left-hand menu
14  Select the Users tab
15  Click John Smith
16  Set Quarantine Digest to Disable
    Note: You can enable and disable quarantine digests per user.
17  Click Save

You have enabled quarantine digests for users, and overridden the quarantine digest settings by disabling them for a specific user.
Task 7.2  Configure SMTP Routing and Protection

You will configure SMTP routing and protection on London Gateway 1 using MTA mode. You will then test the configuration by sending test emails from a mail server that is on a separate domain.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select SYSTEM > Administration in the left-hand menu
3   Select the Device Access tab
4   Select the SMTP Relay column on the WAN row
    Note: You need to do this to be able to accept email from the Internet in MTA mode. This exposes the MTA on the WAN; which internal hosts may relay outbound mail through it is controlled separately on the Relay Settings tab below, so keep that list to your own mail servers to avoid becoming an open relay.
5   Click Apply and click OK
6   Select PROTECT > Email in the left-hand menu
7   Select the General Settings tab
8   Scroll down to the SMTP settings
9   Enter the hostname lon-gw1.sophos.www
10  Click Apply then click OK
11  Select the Relay Settings tab
12  Add a host-based relay entry
13  Select London DC
14  Click Apply 1 selected items
15  Click Apply
16  Select the Policies tab
17  Click Add Policy > SMTP Route & Scan
18  Enter the name General SMTP Policy
19  For the domains, click Add New Item, then click Create new
20  Configure the address group with the following settings:
    Setting                         Value
    Name                            Sophos Domains
    Group Type                      Email Address/Domain
    Type                            Manual
    Email Address(es) / Domain(s)   sophos.www
21  Click Save
22  In the Route By drop-down select Static Host
23  Select the host London DC
24  Toggle Spam Protection ON
25  Select the action Quarantine
26  Select With Callout (Recommended)
27  Toggle Malware Protection ON
28  Select Single Anti-Virus
29  Select Detect zero-day threats with Sandstorm
30  Review the options in this section
31  Toggle File Protection ON
32  Select Executable Files
33  Select None
34  Click Save

On New York Server

35  Open a new tab in Chrome and navigate to http://mail.internet.www
36  Login to SquirrelMail as jbrown
    Note: The password is Sophos1985.
37  Click Drafts in the left-hand menu
38  Click Normal Email in the main window
39  Click Resume Draft
40  Click Send
41  Repeat this for all of the other draft emails

On London DC

42  Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
43  Login to MailEnable as frogers
    Note: The password is Sophos1985.
44  Verify that you have received:
    The normal email
    The file type email with the attachment replaced with a text file
45  Switch back to the London Gateway 1 WebAdmin
46  Select the Mail Logs tab
47  Review the actions taken on the test emails

You have configured SMTP routing and protection for the sophos.local domain using MTA mode, and tested the configuration by sending emails from a domain outside the network.
Task 7.3  Configure Data Control and SPX Encryption

You will configure a Data Control Policy for emails that you want to encrypt, create a new SPX Template that enables the SPX Reply Portal, and test this configuration by enabling Data Protection in the SMTP policy.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select PROTECT > Email in the left-hand menu
3   Select the Data Control List tab
    Note: You can create new Data Control Lists to meet your needs, or modify existing ones.
4   Click Add
5   In the type filter select Global CCLs
6   In the region filter select Global
    Note: For this example we will create a fairly general Data Control List by selecting the signatures that are not country specific.
7   Select all of the filtered signatures
8   Click Save
9   Select the Encryption tab
10  In the SPX Portal Settings set the hostname to lon-gw1.sophos.www
11  Click Apply
12  Click Add to create a new SPX template
13  Configure the template with the following settings, leaving the other settings as default:
    Setting                   Value
    Name                      Recipient Password and Reply Portal
    Organization Name         Sophos
    Password Type             Specified by recipient
    Enable SPX Reply Portal   Enable
14  Click Save
15  Select the Policies tab
16  Click General SMTP Policy
17  Toggle Data Protection ON
18  Select the Data Control List Financial information
19  In the action field select Accept with SPX
20  In the SPX template field select Recipient Password and Reply Portal
21  Click Save
22  Open a new tab in Chrome and navigate to https://lon-dc.sophos.local/mewebmail
23  Login to MailEnable as frogers
    Note: The password is Sophos1985.
24  Select Mailbox-frogers > Drafts in the left-hand menu
25  Select the email in the main window, then click Open
26  Review the email then click Send

On New York Server

27  Open a new tab in Chrome and navigate to http://mail.internet.www
28  Login to SquirrelMail as jbrown
    Note: The password is Sophos1985. If the email has not been delivered, use the Mail Spool tab on London Gateway 1 to retry delivery.
29  Click SPX Registration Request from Sophos
30  Click the link in the email to register
    Note: You will get a certificate error but it is safe to proceed.
31  Type and confirm the password Sophos1985? then click Register
32  Switch back to SquirrelMail and refresh the inbox
33  Click Credit card details
34  Click the Download link at the bottom of the page
35  Open the downloaded PDF
36  Enter the password Sophos1985? and click SUBMIT
37  Click the Reply button at the top of the page
    Note: This button can be used multiple times and is active for 30 days. If the reply button is not present, resend the email from Fred Rogers.
38  Enter a reply message to Fred Rogers then click Send

On London DC

39  Switch back to MailEnable in Chrome
40  Open the email with the subject RE: Credit card details
    Note: This will be your reply from the SPX Reply Portal.
41  Select SYSTEM > Backup & Firmware in the left-hand menu
42  Click Backup Now
    Note: Wait for the backup to complete. The backup mode is Local.
43  Click Download

You have configured a Data Control Policy for emails that you want to encrypt, created a new SPX Template to enable the SPX Reply Portal, and tested this configuration by enabling Data Protection in the SMTP policy.
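What a "Financial information" content scan does to the Credit card details message before the policy decides between Accept and Accept with SPX, as an added example (not the Sophos CCL engine or code from this workbook). The pattern, the Luhn check, the action names and the two sample messages are constructed; a real CCL covers far more than card numbers, but the mechanism shown here, a candidate pattern followed by a checksum to cut false positives, is the general one.

```python
"""Content scan for credit card numbers, in the spirit of the "Financial
information" Data Control List used in Task 7.3.

Added example, not the Sophos CCL engine or any code from this workbook. The
pattern, the Luhn check and the sample messages are constructed; the action
names mirror the SMTP policy's Data Protection choices (Accept / Accept with SPX).
"""
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run.
CARD_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; rejects most typos and random digit runs."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the normalised (separator-free) card numbers found in text that pass Luhn."""
    found = []
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def data_control_action(subject: str, body: str, attachments=()):
    """Decide the SMTP policy action: 'Accept with SPX' when financial data is
    present in the subject, body or text attachments, otherwise 'Accept'."""
    parts = [subject, body, *attachments]
    if any(find_card_numbers(part) for part in parts):
        return "Accept with SPX"
    return "Accept"


# Constructed messages resembling the lab's draft emails.
CREDIT_CARD_MAIL = ("Credit card details",
                    "Hi Joe, the card is 4111 1111 1111 1111, exp 12/20. Regards, Fred")
NORMAL_MAIL = ("Normal Email", "Invoice 1234 5678 9012 3456 has been paid.")

if __name__ == "__main__":
    for subject, body in (CREDIT_CARD_MAIL, NORMAL_MAIL):
        print(f"{subject!r}: {data_control_action(subject, body)}")
```

The invoice number in the second message has the right length and shape but fails the Luhn check, so it is not treated as a card number; without that check a regex-only rule would SPX-encrypt ordinary invoices and train users to ignore the encryption prompts.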
Task 7.4  User Quarantine Management

You will review the information that is sent to users in the Quarantine Digest emails, then access the quarantine in the User Portal.

Instructions

On London Server 2

1   Open Chrome and navigate to https://lon-dc.sophos.local/mewebmail
2   Login as frogers
    Note: The password is Sophos1985.
3   Read the quarantine digest email then click the My Account link for the User Portal
    Note: The quarantine digest email may not have been sent yet depending on the time you set in task 1. You can still login to the User Portal to view the quarantine by navigating to https://lon-gw1.sophos.local
4   Login as frogers
    Note: The password is Sophos1985.
5   Select SMTP Quarantine in the left-hand menu
6   Write down which emails are shown in the quarantine:
    ____________________________________________
    ____________________________________________
    ____________________________________________
    ____________________________________________
7   Click the Release link for one of the emails
8   Switch back to the MailEnable tab and refresh the inbox to confirm that you have now received the released email

You have reviewed the information that is sent to users in the Quarantine Digest emails, and accessed the quarantine in the User Portal.

Review
You have now successfully:
1. Enabled and configured quarantine digests
2. Configured an Email Protection Policy for MTA mode
3. Encrypted emails that match a Data Control List using SPX
4. Managed quarantined items as a user
Lab 8: Wireless Protection

Objectives
Upon successful completion of this lab, you will be able to:
1. Create a hotspot for an interface on the XG Firewall

Task 8.1  Create a Hotspot

You will create a hotspot on PortC of London Gateway 1, then create vouchers for the hotspot and test access from London Server 2.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select PROTECT > Wireless in the left-hand menu
3   Select the Hotspots tab
4   Click Add
5   Configure the hotspot with the following information, leaving the other settings as default:
    Setting                       Value
    Name                          PortCHotspot
    Interfaces                    PortC
    Hotspot type                  Voucher
    Voucher Definitions           1 Day
    Administrative Users          jsmith@sophos.local
    Redirect to URL after login   ON
    URL                           http://store.sophos.www
6   Click Save then click OK
7   Open a new tab and navigate to https://lon-gw1.sophos.local
8   Login as jsmith
9   Select Hotspots in the left-hand menu
10  Select the 1 Day voucher definition
11  Enter 10 as the number of vouchers
12  Click Create Vouchers
13  Write down one of the voucher codes:
    ____________________________________________

On London Server 2

14  Open Chrome and navigate to http://bing.com
    Note: You will be redirected to the hotspot.
15  Enter the voucher code that you wrote down and click Login
    Note: Wait to be redirected.
16  Navigate to http://bing.com
    Note: Confirm you are able to access the website.

On London DC

17  Switch back to the WebAdmin of London Gateway 1
18  Select SYSTEM > Backup & Firmware in the left-hand menu
19  Click Backup Now
    Note: Wait for the backup to complete. The backup mode is Local.
20  Click Download
21  Select PROTECT > Wireless in the left-hand menu
22  Select the Hotspots tab
23  Click the Delete icon for PortCHotspot then click OK

You have created a hotspot on PortC for an interface on the XG Firewall, created vouchers for the hotspot and tested access from London Server 2.

Review
You have now successfully:
1. Created a hotspot for an interface on the XG Firewall
Lab 9: Remote Access

Objectives
Upon successful completion of this lab, you will be able to:
1. Configure an SSL remote access VPN

Task 9.1  Configure an SSL Remote Access VPN

In this task, you will configure an SSL remote access VPN with one-time password authentication, and then test the configuration by installing the VPN client and connecting from New York Server.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select CONFIGURE > VPN in the left-hand menu
3   Click Show VPN Settings
4   Configure the following settings:
    Setting             Value
    Override Hostname   lon-gw1.sophos.www
    IPv4 DNS            172.16.16.10
    Domain Name         sophos.local
5   Click Apply then click OK
6   Click Close VPN Settings
7   Select the SSL VPN (Remote Access) tab
8   Click Add
9   Configure the VPN with the following settings, leaving the other settings as default:
    Setting                                              Value
    General Settings > Name                              SSL VPN for Sales
    Identity > Policy Members                            Sales
    Tunnel Access > Use as Default Gateway               Off
    Tunnel Access > Permitted Network Resources (IPv4)   London-172.16.16, Intranet-172.25.25
10  Click Apply then click OK
11  Select CONFIGURE > Authentication in the left-hand menu
12  Select the One-Time Password tab
13  Click Settings
14  Toggle One-Time Password ON
15  Select SSL VPN Remote Access
16  Click Apply
17  Select the Services tab
18  Under SSL VPN Authentication Methods select Same as Firewall
19  Click Apply then click OK

On New York Server

20  Open Chrome and navigate to https://lon-gw1.sophos.www
    Note: You will get a certificate error; it is safe to proceed.
21  Login as jdoe using the password and the token
    Note: The password is Sophos1985 and the current token will be displayed in WinAuth when you click the reveal token button. The token should be appended to the password with no spaces. If you closed WinAuth earlier, you should be able to open it from the system tray.
22  Select SSL VPN in the left-hand menu
23  Click Download Client and Configuration for Windows
24  Once the download is complete run jdoe@sophos.local_ssl_vpn_client.exe from the Downloads folder
25  Click Yes to the security warning
26  Click Next
27  Click I Agree for the agreement
28  Click Install
29  Click Install to install the SSL VPN network adapter
30  Click Next then click Finish
31  Right-click on the Sophos SSL VPN Client icon in the system tray
32  Click Connect
33  Login as jdoe using the password and the token
    Note: The password is Sophos1985 and the current token will be displayed in WinAuth when you click the reveal token button. The token should be appended to the password with no spaces.
34  In Chrome navigate to http://lon-dc.sophos.local to confirm the VPN is working correctly
35  Open Command Prompt from the Start menu
36  Run tracert -d lon-dc.sophos.local
    Note: Confirm that the traffic is going via the VPN (10.81.234.*) and not via NY-GW (192.168.16.16).
37  Right-click on the Sophos SSL VPN Client icon in the system tray
38  Click Disconnect

On London DC

39  Switch back to the WebAdmin
40  Select the One-Time Password tab
41  Click Settings
42  Toggle One-Time Password OFF
43  Click Apply
44  Select SYSTEM > Backup & Firmware in the left-hand menu
45  Click Backup Now
    Note: Wait for the backup to complete. The back up mode is Local.
46  Click Download

You have configured an SSL remote access VPN with one-time password authentication, and tested the configuration by installing the VPN client and connecting from New York Server.

Review
You have now successfully:
1. Configured an SSL remote access VPN
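How the "password followed by token, no spaces" login in steps 21 and 33 can be checked on the server side, as an added example (not code from this workbook or from Sophos). It assumes the tokens are RFC 6238 TOTP codes, the kind that authenticator apps such as WinAuth produce (HMAC-SHA1, 30-second step, 6 digits), and that the firewall separates the trailing token from the password by its fixed length; both are assumptions about XG's implementation. The shared secret is the RFC 4226/6238 test-vector key, not a real enrolment.

```python
"""One-time-password check for the "password followed by token" login used in Task 9.1.

Added example, not code from this workbook or from Sophos. It assumes the tokens
are RFC 6238 TOTP codes (HMAC-SHA1, 30-second step, 6 digits) and that the
firewall separates the trailing token from the password by its fixed length;
both are assumptions about XG's implementation. The shared secret below is the
RFC 4226/6238 test-vector key, not a real enrolment.
"""
import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def split_credential(submitted: str, digits: int = DIGITS):
    """Split 'passwordTOKEN' (no separator) into (password, token) using the fixed
    token length; None if there is no plausible token on the end."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]


def verify(submitted: str, expected_password: str, secret: bytes, at: int,
           step: int = STEP, digits: int = DIGITS, window: int = 1) -> bool:
    """Check password and token together; accept the token for the current time
    step plus `window` steps either side to tolerate clock skew. Both comparisons
    are constant-time and both are always evaluated, so timing does not reveal
    which part was wrong."""
    parts = split_credential(submitted, digits)
    if parts is None:
        return False
    password, token = parts
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    counter = at // step
    token_ok = False
    for drift in range(-window, window + 1):
        token_ok |= hmac.compare_digest(token, hotp(secret, counter + drift, digits))
    return password_ok and token_ok


# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"), used here as a constructed enrolment.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current token:", totp(TEST_SECRET, now))
    print("login ok:", verify("Sophos1985" + totp(TEST_SECRET, now), "Sophos1985", TEST_SECRET, now))
```

Because the token has a fixed length, a password that itself ends in digits is not ambiguous, and the window of one step each side is what makes a token typed just before the 30-second boundary still work; a token from three steps earlier is rejected, which is the replay protection the lab relies on when it turns OTP on for SSL VPN.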
Lab 10: Logging, Reporting and Troubleshooting

Objectives
Upon successful completion of this lab, you will be able to:
1. Run, customize and schedule reports
2. Review Sophos Sandstorm activity
3. Use SF Loader tools
4. View the connection table
5. Use the WebAdmin Log Viewer and Packet Capture
6. Use the drop-packet-capture command

Task 10.1  Run, Customize and Schedule Reports

In this task, you will run a report and filter it to customize the view. You will then create a bookmark for the report, and schedule an executive report to be sent by email.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select MONITOR & ANALYZE > Reports in the left-hand menu
3   Click on the FROM date
4   Select the date you started this course
5   Click Generate
6   In the applications section click on HTTP
    Note: This will apply relevant filters to the report. You can optionally select other entries in the report to filter it further.
7   Review the information on this page
8   Click Bookmark in the top-right
9   Enter the name HTTP Applications
10  Click Save
11  Select the Bookmarks tab
    Note: Notice that you can select bookmarked reports organized by group.
12  Click Show Report Settings
13  Select the Report Scheduling tab
14  Click Add
15  Configure the report notification with the following settings:
    Setting            Value
    Name               Executive Report
    To Email Address   administrat[email protected]
    Report Type        Report Group
    Report Group       Executive Report
    Email Frequency    Daily
    Report Period      Previous Day
    Note: If you select Report Bookmark as the Report Type you can select a bookmarked report to be sent via email.
16  In the time drop-down select the next nearest hour to the current time
17  Click Save
    Note: When the time for the report to be sent has passed, review the email in MailEnable.
18  Select SYSTEM > Backup & Firmware in the left-hand menu
19  Click Backup Now
    Note: Wait for the backup to complete. The backup mode is Local.
20  Click Download

You have run a report and filtered it to customize the view. You then created a bookmark for the report, and scheduled an executive report to be sent by email.
Task 10.2  View Sandstorm Activity

In this task, you will review the report for the file that was submitted to Sandstorm in the Web Protection lab.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Select PROTECT > Advanced Threat in the left-hand menu
3   Select the Sandstorm Activity tab
4   Click the Show Report link next to the document that was submitted to Sandstorm
5   Review the information, then close the report

You have reviewed the report for a file that was submitted to Sandstorm for analysis.
Task 10.3  Use SF Loader Tools

You will use the SF Loader tools to review the firmwares that are installed on the device, and to reset the admin password. Note that this reset needs nothing more than access to the console, so physical and hypervisor console access to the firewall should be protected as carefully as the admin credentials themselves.

Instructions

On London Gateway 1

1   Login to the console of London Gateway 1
    Note: Once you have clicked inside the console window you may need to press a button to wake up the screen; we would recommend Ctrl so you do not enter a character at the password prompt. The password is Sophos1985.
2   Type 7 then press Enter
3   Type R then press Enter
    Note: This will reboot the device.
4   As soon as the device reboots, keep pressing Enter repeatedly until a menu screen appears
5   Type 0 then press Enter
    Note: This will choose SF Loader.
6   Type 3 then press Enter
    Note: This will open the Appliance Information menu.
7   Write down the following details from Appliance info:
    Model: ____________________________________________
    FwLoader Version: ____________________________________________
    Loaded Firmwares: ____________________________________________
8   Press Enter
    Note: This will bring you back to the options menu.
9   Type 2 then press Enter
    Note: This will select the Troubleshoot menu.
10  Type 1 then press Enter
    Note: This option is used to reset the default admin password.
11  Type 5 then press Enter
    Note: This will reboot the device.
12  At the password prompt login with the password admin
    Note: The password has been reset to the default setting of admin.

You have used the SF Loader tools to review the firmwares that are installed on the device, and to reset the admin password.

Task 10.4  Connection Table

In this task, you will review the connection table using both the WebAdmin and the command line console.
Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
    Note: The password is admin.
2   Select MONITOR & ANALYZE > Diagnostics in the left-hand menu
3   Select the Connection List tab
4   In the refresh drop-down select 30 Sec
5   Open Command Prompt from the Start menu and run the command:
    telnet mail.internet.www 25
6   Switch back to the WebAdmin
7   Click Display Filter
8   Type 25 in the port field
9   Click Apply then click OK
10  Write down the following details about the connection:
    In Interface ______________________________________________
    Source IP ______________________________________________
    Destination IP ______________________________________________
    Protocol ______________________________________________
11  Switch back to the Command Prompt
12  Type: quit
    Then press Enter
13  Switch back to the WebAdmin
14  Click Refresh
    Note: The connection should disappear from the connection list.
15  Switch back to the Command Prompt
16  Run the command: telnet 10.1.1.250 25

On London Gateway 1

17  Login using the admin password
    Note: The password is admin.
18  Type 4 then press Enter to access the console
19  Run the following command:
    system diagnostics utilities connections v4 show src_ip 172.16.16.10 dest_ip 10.1.1.250
    Note: This is all one command with no line break.
20  Run the following command: exit
21  Type 0 then press Enter

You have reviewed the connection table using both the WebAdmin and the command line console.
Task 10.5  Packet Capture

You will use the packet capture and Log Viewer in the WebAdmin to see a filtered view of packets relating to a log entry.

Instructions

On London DC

1   Login to the WebAdmin of London Gateway 1 as admin
2   Click the Log Viewer link in the top-right
3   In the search field type 172.25.25.40 and press Enter

On London Server 2

4   Open Chrome and navigate to http://intranet.lon.sophos.local
    Note: If you are prompted to login, do so as lfox.

On London DC

5   Switch back to the Log Viewer window and click Refresh
6   Find the log entry for 172.25.25.40
7   Scroll to the right and click the Open PCAP link for that entry
8   Toggle Packet Capture ON

On London Server 2

9   Refresh the page http://intranet.lon.sophos.local

On London DC

10  Switch back to the Packet Capture window
11  Click Refresh
12  You will see the related packet capture entries
13  Click Display Filter and review the settings that have been applied

You have used the packet capture and Log Viewer in the WebAdmin to see a filtered view of packets relating to a log entry.
Task 10.6  Dropped Packet Capture

In this task, you will use the drop-packet-capture console command to see detailed packet information on packets that the XG Firewall is dropping.

Instructions

On London Gateway 1

1   Login to the console of London Gateway 1
    Note: The password is admin.
2   Type 4 then press Enter
3   Run the following command:
    drop-packet-capture "ip proto 1"
    Note: IP protocol 1 is ICMP, so this shows only dropped ICMP packets.

On London Intranet

4   Login as root
    Note: Use the root password for London Intranet.
5   Run the following command: ping 172.16.16.10

On London Gateway 1

6   When you see the dropped packets being logged press CTRL+C
7   Review the information that is logged
8   Run the following command: exit
9   Type 0 then press Enter

On London Intranet

10  Press CTRL+C

You have used the drop-packet-capture console command to see detailed packet information on packets that the XG Firewall is dropping.
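What a filter such as "ip proto 1" in step 3 actually selects, shown on constructed IPv4 packets, as an added example (not code from this workbook or from XG Firewall). It builds a few raw packets resembling the lab traffic (an ICMP echo from London Intranet to London DC, an SMTP segment from London DC to the New York mail server, a UDP datagram), parses and checksums the IPv4 header, and applies a small subset of tcpdump/BPF filter syntax; the addresses and payloads are constructed and the filter grammar is a subset, not the firewall's own parser.

```python
"""What a filter like drop-packet-capture "ip proto 1" selects, shown on
constructed IPv4 packets.

Added example, not code from this workbook or from XG Firewall. All addresses
and payloads are constructed; the filter grammar is a small subset of
tcpdump/BPF syntax, not the firewall's own parser.
"""
import ipaddress
import struct

PROTO_BY_NAME = {"icmp": 1, "tcp": 6, "udp": 17}
# version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HDR = ">BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed IPv4 packet (no options) with a correct header checksum."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack(">H", checksum) + header[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the IPv4 header; reject non-IPv4, truncated or corrupted headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    # A header carrying a correct checksum sums to 0xFFFF, so the complement is 0.
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "proto": proto,
        "ttl": ttl,
        "payload": packet[ihl:total_len],
    }


def compile_filter(expression: str):
    """Subset of tcpdump/BPF syntax: 'ip proto N', 'icmp'|'tcp'|'udp',
    '[src|dst] host A.B.C.D', combined with 'and'. Returns a predicate over parsed packets."""
    clauses = []
    for term in expression.split(" and "):
        tokens = term.split()
        if tokens[:2] == ["ip", "proto"] and len(tokens) == 3:
            proto = int(tokens[2])
            clauses.append(lambda p, proto=proto: p["proto"] == proto)
        elif len(tokens) == 1 and tokens[0] in PROTO_BY_NAME:
            proto = PROTO_BY_NAME[tokens[0]]
            clauses.append(lambda p, proto=proto: p["proto"] == proto)
        elif len(tokens) == 3 and tokens[0] in ("src", "dst") and tokens[1] == "host":
            key, addr = tokens[0], tokens[2]
            clauses.append(lambda p, key=key, addr=addr: p[key] == addr)
        elif len(tokens) == 2 and tokens[0] == "host":
            addr = tokens[1]
            clauses.append(lambda p, addr=addr: addr in (p["src"], p["dst"]))
        else:
            raise ValueError(f"unsupported filter term: {term!r}")
    return lambda p: all(clause(p) for clause in clauses)


def select_packets(expression: str, packets):
    """Indexes of the packets matching the filter expression."""
    matches = compile_filter(expression)
    return [i for i, raw in enumerate(packets) if matches(parse_ipv4(raw))]


# Constructed traffic resembling the lab (London Intranet 172.25.25.40,
# London DC 172.16.16.10, New York mail server 10.1.1.250).
PACKETS = [
    build_ipv4("172.25.25.40", "172.16.16.10", 1, b"\x08\x00" + b"\x00" * 6),   # ICMP echo request
    build_ipv4("172.16.16.10", "10.1.1.250", 6, b"\x00" * 20),                  # TCP (SMTP) segment
    build_ipv4("172.25.25.40", "172.16.16.10", 17, b"\x00" * 8),                # UDP datagram
]

if __name__ == "__main__":
    for expr in ("ip proto 1", "icmp and src host 172.25.25.40", "tcp and host 172.16.16.10"):
        print(f"{expr!r}: packets {select_packets(expr, PACKETS)}")
```

The protocol filter keys on a single byte of the IP header and ignores ports entirely, which is why "ip proto 1" and "icmp" select the same packets; narrowing further with "src host" is the usual way to keep a busy firewall's drop log readable while the ping from London Intranet runs.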
Review
You have now successfully:
1. Run, customized and scheduled reports
2. Used SF Loader tools
3. Viewed the connection table
4. Used the drop-packet-capture command
5. Used the WebAdmin Log Viewer and Packet Capture

globaltraining@sophos.com