Sophos Firewall provides comprehensive traffic processing from layer 2 to layer 7, offering protection and security across the higher layers of the network stack.
Follow these recommendations if you're new to Sophos Firewall. You learn how to secure access to your Sophos Firewall, test and validate it, and finally how to go live once you feel comfortable.
Secure administrator access to Sophos Firewall
- Configure a complex administrator password. Change the default admin password or use public key authentication for administrators. For more information, see Set up public key authentication for administrators.
Configure sign-in security.
- Sign out administrator session: Specify the inactivity period of the administrator.
- Prevent brute force sign-in attacks: Specify the number of unsuccessful attempts to sign in within a time frame from the same IP address. Specify the duration of blocked access.
- Recommended settings: We’ve specified all our recommendations as default settings, for example automatic installation of hotfixes, device access to Sophos Firewall.
When you use the default password of the admin account, the following restrictions apply:
- You can't use the Secure Copy Protocol (SCP) in the LAN and WAN zones.
- A prompt to change the password is shown when you sign in through SSH from the LAN zone.
- When you access the web admin console from the LAN zone, you'll see the setup wizard. If you have already run the wizard, the change password menu is shown.
- You can't sign in through SSH from the WAN zone. Sophos Firewall closes the connection silently.
- You can't access the web admin console from the WAN zone. A forbidden error is shown.
Test and validate
Whenever possible, test Sophos Firewall offline first, that is, configure the policies on a test network or in a lab and validate that the required access permissions are being implemented as expected.
To simulate the integration of your real network with it, you can deploy Sophos Firewall on the live network but with a different gateway IP address and point the users to the new gateway. This allows a staged approach to integrating Sophos Firewall into your live network, ensuring that the process does not interrupt day-to-day operations.
Additionally, carry out acceptance testing and an iterative process of tuning to finalize the configuration.
Once you’ve tested and validated Sophos Firewall, you can move to it either by switching IP addresses and removing the old device or by changing the default gateway.
Add new services
Sophos Firewall offers a wide range of new features compared to your previous vendor. Read more about these features in the help. Finally, complete the migration by adding any new feature, service, or function that fits your business need.