TRUE or FALSE. When Central Firewall Management is in use, local rules on the Sophos Firewall are only overwritten when a rule with the same name is created in Sophos Central.
TRUE. When Central Firewall Management is in use with Sophos Firewall, local rules on the Sophos Firewall are only overwritten when a rule with the same name is created in Sophos Central.
Sophos Central is a cloud-based management platform that allows administrators to centrally manage multiple Sophos Firewall devices. When this feature is enabled, the configuration of the local firewall is synchronized with the policies and rules defined in Sophos Central.
If a rule with the same name exists in both the local firewall and Sophos Central, the rule defined in Sophos Central takes precedence, and the local rule will be overwritten to match the one in Sophos Central. If there is no corresponding rule in Sophos Central with the same name, the local rule will remain unaffected. This way, administrators can maintain a centralized management approach while also having the flexibility to define specific rules on individual firewalls when needed.
The three features provided by application control are:
Prevent any untrusted application from running: Application control allows administrators to define a list of trusted and untrusted applications. Untrusted applications can be blocked from running on the network, reducing the risk of security breaches and unauthorized software usage.
Protection against risky applications: Application control can identify and block or limit the usage of applications that are considered risky or potentially harmful to the network's security. This feature helps to mitigate security threats posed by certain applications.
Block or limit unproductive applications: Application control enables administrators to restrict or control the usage of certain applications that may be unproductive or unnecessary for business purposes. By limiting access to these applications, organizations can improve productivity and ensure network resources are used efficiently.
The following features are not directly provided by application control:
List all detected application names: While application control does identify and manage applications, it may not necessarily provide a comprehensive list of all detected application names. It focuses on controlling access to specific applications based on predefined policies.
Guarantee bandwidth for business applications: Application control can influence how bandwidth is allocated among different applications, but it may not explicitly guarantee bandwidth for specific business applications. QoS (Quality of Service) settings or bandwidth management features are typically responsible for allocating and prioritizing bandwidth for specific applications.
Clientless SSL VPN access typically supports the following five protocols:
RDP (Remote Desktop Protocol): Used to access and control a remote computer or server's desktop environment.
SMB (Server Message Block): Allows access to shared files, printers, and other network resources on remote Windows-based systems.
VNC (Virtual Network Computing): Enables remote access and control of a desktop environment on a remote computer.
FTP (File Transfer Protocol): Facilitates file transfers between a client and a server over a network.
HTTP (Hypertext Transfer Protocol): Provides access to web-based applications and resources through a web browser without requiring a separate VPN client.
Note: The availability of these protocols may vary depending on the specific implementation and configuration of the clientless SSL VPN solution. Some solutions may support additional protocols, and the list above represents commonly supported ones.
FALSE.
Web protection exceptions in Sophos Firewall are specific to individual web protection policies. They do not apply globally to all web protection policies on the firewall. Each web protection policy can have its own set of exceptions, allowing administrators to define different rules and exceptions based on specific requirements for different user groups, network segments, or web access scenarios. This provides flexibility in managing web traffic and applying different filtering rules as needed for different parts of the network.
TRUE.
Keyword libraries can be uploaded to Sophos Firewall, and they can be applied to any web filtering policy as an added criterion. This allows administrators to define specific keywords of interest and use them as part of the web filtering rules. The actions that can be taken based on these keywords include logging and monitoring the access attempts containing the specified keywords or blocking search results or websites that match the defined keywords.
By using keyword-based filtering, organizations can enhance their web protection strategies and enforce policies to prevent users from accessing specific content that may be considered inappropriate, sensitive, or harmful.
The attack using a spoof email to persuade users to provide sensitive information or credentials is called "Phishing."
Phishing is a type of social engineering attack where the attacker sends deceptive emails that appear to be from a legitimate source, such as a well-known company or organization. The email often contains a sense of urgency or a compelling reason to trick the recipient into clicking on malicious links, downloading malicious attachments, or entering sensitive information like login credentials, credit card numbers, or personal details on a fake website that closely resembles a legitimate one.
Once the user falls for the deception and provides the requested information, the attacker can use it for various malicious purposes, such as identity theft, financial fraud, or gaining unauthorized access to systems or accounts. Phishing attacks are widespread and can be highly effective if users are not cautious and vigilant about verifying the authenticity of emails and websites.
The web filtering method that can offload traffic to the FastPath is "Web Proxy."
FastPath is a technology used in networking devices, including firewalls and routers, to accelerate the processing of certain types of traffic. It is designed to efficiently handle traffic that matches specific criteria and doesn't require deep packet inspection (DPI) or complex processing. By offloading this traffic to the FastPath, the device can improve performance and reduce the load on its main processing resources.
Web Proxy is a web filtering method that involves a proxy server acting as an intermediary between clients (users) and the internet. When web filtering is applied using a web proxy, the proxy server can analyze and filter web traffic to block access to specific websites or content based on defined policies. Some web filtering solutions may use FastPath technology to handle straightforward web traffic that doesn't require DPI or complex filtering, allowing the main processing resources to focus on more intensive tasks.
You would view information on files that have been referred to Sophos' zero-day protection under:
PROTECT > Advanced threat > Threat intelligence
In this section of the Sophos management console, you can access information related to advanced threat protection, including data on files that have been referred to Sophos' zero-day protection mechanisms. Zero-day protection involves identifying and blocking previously unknown or zero-day threats for which no specific signature or detection method is available at the time of the threat's discovery. Sophos uses advanced heuristics, machine learning, and behavioral analysis to detect and protect against these emerging threats. The Threat intelligence section is where you can review details about how Sophos is handling such threats and take any necessary actions.
The form of single sign-on (SSO) that informs the Sophos Firewall when a user authenticates with a domain controller is "STAS" (Sophos Transparent Authentication Suite).
STAS is a component of Sophos Firewall that enables Single Sign-On functionality with Active Directory. It monitors user logins and logouts from the domain controller and informs the firewall when a user successfully authenticates. This information allows the Sophos Firewall to link network activity to specific user identities, making it easier to implement user-based policies and reporting.
With STAS enabled, the Sophos Firewall can enforce policies based on specific user accounts or groups, providing granular control over network access and security. This integration with Active Directory enhances the overall security posture and simplifies the management of network resources and user access.
The reporting metric that can be used to identify risky users who are responding to spear phishing attempts is the "User Threat Quotient (UTQ)."
The User Threat Quotient (UTQ) is a security metric used by some cybersecurity solutions to assess the risk associated with individual users within an organization. It takes into account various factors, such as users' behavior, interactions with phishing emails, access to risky websites, and other security-related activities. UTQ is often calculated based on historical data and user behavior patterns.
When users engage with spear phishing attempts, such as clicking on malicious links or providing sensitive information in response to fraudulent emails, their UTQ scores may increase, indicating a higher risk level. This helps security administrators and IT teams to identify users who might be susceptible to phishing attacks and require additional training or targeted security measures to mitigate the risk of a successful attack.
By monitoring UTQ scores and focusing on users with elevated risk levels, organizations can proactively address security threats and improve the overall cybersecurity posture.
To make use of lateral movement protection, the two required features are:
Intercept X: Intercept X is an advanced endpoint protection solution that includes various security features like signature-based malware detection, behavioral analysis, ransomware protection, and exploit prevention. It also provides capabilities to detect and block lateral movement attempts within the network.
Intrusion Prevention System (IPS): IPS is a network security feature that inspects network traffic in real-time, looking for suspicious or malicious activity. It helps to identify and block attempts at lateral movement, where attackers try to move laterally from one compromised system to another within the network.
Both Intercept X and IPS play essential roles in detecting and preventing lateral movement, a technique commonly used by attackers to move stealthily through the network and escalate privileges or access valuable resources. By combining advanced endpoint protection with network-based intrusion prevention, organizations can significantly enhance their security posture and protect against lateral movement-based attacks.
TRUE.
It is possible to apply a default application traffic shaping policy to all traffic.
A default application traffic shaping policy allows you to set general traffic shaping rules that will be applied to all network traffic passing through a particular interface or zone on the network. This policy is applied when no specific application-based traffic shaping rules or Quality of Service (QoS) policies are defined for individual applications or services.
By implementing a default traffic shaping policy, you can ensure that all traffic on the network adheres to certain bandwidth limits, prioritization rules, or other traffic shaping parameters. This helps to manage network resources effectively, prevent congestion, and ensure that critical applications receive the necessary bandwidth and performance they require.
The proxy mode that allows you to apply web filtering without additional configuration needed for mobile and guest devices is "Transparent" proxy mode.
In Transparent proxy mode, web filtering is applied without requiring any specific configuration changes on the client devices. The filtering is performed transparently by intercepting and analyzing the web traffic as it passes through the network. Users do not need to configure any proxy settings on their devices, making it ideal for scenarios where you have a large number of mobile and guest devices that you don't want to manually configure.
On the other hand, in "Explicit" proxy mode, users are required to configure their devices to use the proxy server explicitly, which may not be ideal for mobile or guest devices where manual configuration may be cumbersome.
By using Transparent proxy mode, you can enforce web filtering policies without relying on device-specific configurations, providing a seamless and efficient way to apply web filtering to a diverse range of devices on the network.
To support Fast Basic Service Set (BSS) Transition, you must use the "WPA2" (Wi-Fi Protected Access 2) wireless security mode.
Fast BSS Transition, also known as Fast Roaming or 802.11r, is a feature that allows devices to transition quickly and seamlessly between access points within the same Extended Service Set (ESS) or Wi-Fi network. It reduces the handoff or transition time during roaming, ensuring a smoother experience for users as they move between different access points.
While both WPA and WPA2 provide support for Fast BSS Transition, it is highly recommended to use WPA2 as it offers stronger security with the use of AES (Advanced Encryption Standard) encryption. WEP (Wired Equivalent Privacy) is an older and much weaker security protocol that is no longer considered secure and should not be used in modern Wi-Fi networks. Therefore, WPA2 is the wireless security mode of choice to support Fast BSS Transition and provide a high level of security for your Wi-Fi network.
TRUE.
In many SSL VPN implementations, the SSL VPN and User Portal can share the same port.
The User Portal is a web-based interface that allows users to access various resources and services provided by the SSL VPN, such as web applications, file shares, and remote desktops. On the other hand, the SSL VPN is the secure tunnel that enables remote users to connect securely to the internal network.
Having both the SSL VPN and User Portal on the same port simplifies the configuration and makes it more user-friendly. When a user accesses the SSL VPN through the specified port, they are presented with the User Portal, where they can log in and access the available resources and applications.
It is worth noting that while it is common for SSL VPN and User Portal to share the same port, the specific configuration can vary depending on the SSL VPN solution being used and the organization's requirements. Some SSL VPN implementations may allow custom port configurations, but the ability to share the same port is a typical and convenient option in many setups.
The page that lists all current applications that are connecting through the Sophos Firewall is called "Live connections."
The "Live connections" page provides real-time information about the active network connections passing through the Sophos Firewall. It includes details about the current connections, such as the source and destination IP addresses, application names, data transfer rates, connection status, and more.
This page is valuable for network administrators to monitor the network activity, identify active applications and services, and quickly respond to any suspicious or unauthorized connections. It helps to gain insights into the network traffic and understand which applications are using the network resources at any given moment.
The DoS and spoof protection mode that will drop packets if the IP and MAC do not match with any entry in the IP-MAC trusted list is "IP-MAC" protection mode.
In this protection mode, the firewall maintains a list of trusted IP-MAC address pairs. When it receives incoming packets, it checks the source IP and MAC addresses against this trusted list. If the source IP-MAC pair matches an entry in the list, the packet is allowed to pass through. However, if the source IP and MAC do not match with any entry in the trusted list, the packet is dropped as a security measure against potential IP and MAC spoofing attacks.
This protection mode helps prevent attackers from using forged or spoofed IP and MAC addresses to bypass network security measures and launch denial-of-service (DoS) or other malicious attacks on the network. By enforcing the IP-MAC trust relationship, the firewall ensures that only legitimate sources with valid IP-MAC pairs can communicate on the network.
The route with the lowest precedence among the options listed is the "Default Route."
Routing protocols and devices use route precedence to determine the order in which routes should be examined when forwarding traffic to its destination. The default route, also known as the default gateway or 0.0.0.0/0 route, is a special route that matches all packets that do not have a specific matching route in the routing table. It is often used as a last resort when no other more specific route exists for a particular destination.
The precedence order for routes is typically as follows (from highest to lowest precedence):
Static Routes: Manually configured routes that take precedence over dynamically learned routes.
VPN Routes: Routes specific to Virtual Private Networks (VPNs), which can have higher precedence than regular static routes.
SD-WAN Routes: Routes used in Software-Defined Wide Area Network (SD-WAN) environments, which can have a higher precedence than regular static routes or VPN routes in SD-WAN deployments.
Default Route: The route with the lowest precedence that is used when no other more specific route exists for a destination IP address.
So, in this case, the "Default Route" has the lowest precedence among the listed routes.
When creating an IPsec VPN policy, the requirement is that both sides of the VPN must allow the same settings.
IPsec (Internet Protocol Security) is a suite of protocols used to establish secure and encrypted communication between two devices or networks over the internet. When setting up an IPsec VPN, it is crucial that both endpoints of the VPN (often referred to as peers) agree on the same encryption algorithms, authentication methods, and other configuration settings to establish a successful VPN tunnel.
The following parameters need to be consistent between both sides of the IPsec VPN policy:
Encryption Algorithm: Both peers must agree on the same encryption algorithm, such as AES, 3DES, or others.
Authentication Method: The VPN peers must use the same authentication method, such as Pre-shared Key (PSK) or digital certificates, to authenticate each other.
Diffie-Hellman Group: Both sides must agree on the same Diffie-Hellman group, which determines the strength of the key exchange process.
Perfect Forward Secrecy (PFS): If PFS is enabled, both sides must support the same PFS group.
Tunnel Mode or Transport Mode: Both peers must use the same mode to encapsulate the IPsec traffic.
Local and Remote Subnets: The local and remote networks that will communicate through the VPN must be correctly defined on both sides.
By ensuring that both sides of the VPN policy allow the same settings, the VPN peers can negotiate and establish a secure and compatible connection, allowing for encrypted communication between them.
When creating a site-to-site VPN between a Sophos Firewall and another vendor's firewall, the best protocol to use is "IPsec" (Internet Protocol Security).
IPsec is a widely used and highly secure protocol suite for establishing encrypted and authenticated communication channels between two devices or networks over the internet. It provides data confidentiality, integrity, and authentication, making it ideal for secure site-to-site VPN connections.
L2TP (Layer 2 Tunneling Protocol) and PPTP (Point-to-Point Tunneling Protocol) are also VPN protocols, but they are typically used for remote access VPN scenarios and are less suitable for site-to-site VPN connections. SSL (Secure Sockets Layer) is another protocol used for secure communication but is more commonly associated with SSL VPNs, which are different from site-to-site VPNs.
For site-to-site VPN connections between different vendor firewalls, IPsec is generally the preferred choice due to its strong security features, interoperability between various vendors, and its ability to handle site-to-site VPN requirements effectively.
The rule that allows traffic to traverse the NAT in the opposite direction is called the "Reflexive rule."
Reflexive rules, also known as "NAT reflexive rules" or "NAT loopback rules," are used to handle traffic when it comes back from the external network to an internal server or device that has initiated an outbound connection using Network Address Translation (NAT). These rules are essential to enable bi-directional communication for NATed connections.
When a device on the internal network establishes a connection to a server on the external network through NAT, the external server sends the response back to the public IP address of the firewall. The reflexive rule in the firewall's NAT table allows the firewall to recognize that the incoming response is associated with an existing NAT session and forwards the traffic to the original internal device that initiated the connection. This way, the internal device receives the response as if it had communicated directly with the external server, even though the communication was translated by NAT.
Reflexive rules ensure that NATed connections work bidirectionally, enabling internal devices to communicate with external servers and receive responses back without any disruptions caused by NAT translations.
The two requirements for the secret when creating a multi-factor authentication (MFA) token manually are:
HEX: The secret must be provided in hexadecimal (HEX) format. Hexadecimal is a base-16 numeral system that uses the digits 0-9 and the letters A-F to represent values from 0 to 15.
Minimum of 32 characters: The secret must be a minimum of 32 characters in length. It is important to have a sufficiently long and complex secret to ensure the security of the multi-factor authentication token.
So, the correct requirements for the secret are: HEX and Minimum of 32 characters.
You can add a certificate that can be used in place of the default Appliance Certificate in the following three ways:
Upload a certificate signed by a trusted CA: You can obtain a certificate from a trusted Certificate Authority (CA) and upload it to the Sophos appliance to replace the default certificate. This certificate will be recognized as trusted by clients connecting to the Sophos appliance.
Create a certificate signing request that will be signed by a trusted CA: You can generate a Certificate Signing Request (CSR) on the Sophos appliance and then submit it to a trusted CA. The CA will then issue a certificate based on the CSR, and you can upload the CA-signed certificate to the Sophos appliance.
Create a self-signed certificate: You have the option to generate a self-signed certificate directly on the Sophos appliance. While self-signed certificates are not issued by a trusted CA, they can still be used for encryption and secure communication. However, users may receive security warnings as the certificate is not recognized by a trusted CA.
The other options mentioned, such as "Upload a Sophos signed certificate," "Register with a dynamic CA service," and "Download your certificate from your My Sophos account," are not commonly available methods for adding a certificate to replace the default Appliance Certificate on a Sophos appliance.
The three matching criteria Sophos Firewall uses to automatically assign firewall rules to groups are:
Source Network: The source network is the network or IP address range from which the traffic originates.
Services: Services refer to the specific protocols or ports used by the traffic, such as HTTP (port 80), HTTPS (port 443), FTP (port 21), etc.
Destination Zone: The destination zone is the network zone to which the traffic is being sent.
By using these matching criteria, Sophos Firewall can automatically apply the appropriate firewall rules to traffic based on the specified source network, destination zone, and services. This helps streamline the management of firewall policies, especially in environments with many network segments and complex traffic requirements.
To use NTLM (NT LAN Manager) and Kerberos for web authentication, you need to:
Enable AD SSO (Active Directory Single Sign-On) per zone on the Device Access page: This setting allows the Sophos Firewall to authenticate users accessing web resources using their Windows domain credentials (NTLM and Kerberos authentication). It enables seamless single sign-on for users who are already logged in to their Windows domain-joined computers.
Enable 'Match known users' in web authentication: This option ensures that the Sophos Firewall matches incoming web requests to known users, which is essential for utilizing NTLM and Kerberos authentication methods. By matching known users, the firewall can associate web traffic with specific Active Directory users and facilitate their authentication without prompting for credentials.
Optionally, enable Client Authentication on the Device Access page: Enabling client authentication can further enhance the security of the web authentication process. It requires clients to present their own SSL certificates during authentication, providing an additional layer of identity verification.
By configuring these settings, the Sophos Firewall can leverage NTLM and Kerberos authentication methods for web access, allowing users to log in to web resources using their Windows domain credentials without the need for additional manual authentication.
If the order for the license has not yet been processed, and you are preparing a hardware Sophos Firewall for installation on a remote site, you should select the option "I don't have a serial number (Start a Trial)" in the Initial Setup wizard.
By selecting this option, you can proceed with the initial setup of the Sophos Firewall without entering a license or serial number. The device will be set up with a trial license that allows you to use the Sophos Firewall with full functionality for a limited period. This gives you the opportunity to configure and test the firewall at the remote site while waiting for the official license to be processed and received.
Once the license order is processed, you can then enter the official serial number and apply the purchased license to the firewall to continue using it beyond the trial period.
The client traffic mode that routes traffic to the network that the access point is connected to is "Bridge to AP LAN."
In the "Bridge to AP LAN" client traffic mode, the wireless access point (AP) acts as a bridge between the wireless clients and the wired LAN to which the AP is connected. All wireless clients associated with the access point will be bridged directly to the AP's LAN interface, allowing them to communicate directly with devices and resources on the wired network.
In this mode, wireless clients receive IP addresses from the same network subnet as the wired LAN, and they can access resources on the LAN without any additional routing or firewall configurations. This mode is suitable for scenarios where you want wireless clients to be a seamless extension of the wired LAN, and they can access local resources without any network segmentation.
The configuration that allows Sophos Firewall to forward lease requests to an existing DHCP server is called "Relay."
In the context of DHCP (Dynamic Host Configuration Protocol), DHCP relay is a feature that enables a network device (such as a router or firewall like Sophos Firewall) to forward DHCP client requests to a central DHCP server located in a different network segment or broadcast domain.
When a DHCP client initiates a request for an IP address lease, it sends a DHCPDISCOVER message as a broadcast. However, routers do not forward broadcast messages, and DHCP servers typically reside on different network segments from the clients. In such cases, the DHCP relay feature is used to capture the broadcast DHCPDISCOVER message and forward it as a unicast packet to the DHCP server.
The Sophos Firewall can act as a DHCP relay agent, intercept DHCPDISCOVER messages from clients, and forward them to the appropriate DHCP server. This allows clients on different network segments to obtain IP address leases from the central DHCP server, ensuring proper IP address allocation across the entire network.
The Sophos Connect IPsec VPN client supports the following two protocols:
IPsec (Internet Protocol Security): Sophos Connect primarily uses IPsec to establish a secure and encrypted connection between the client device and the Sophos Firewall or other IPsec-enabled VPN gateways. IPsec provides a robust and widely used framework for secure communication over the internet.
SSL (Secure Sockets Layer): While Sophos Connect primarily uses IPsec for its VPN connections, it also supports SSL VPN connections. SSL VPNs are often used for remote access and provide a web-based interface for users to access internal resources securely via a web browser without the need for a separate VPN client installation.
In summary, the Sophos Connect IPsec VPN client supports IPsec for its primary VPN connections and also has the capability to support SSL VPN connections for remote access scenarios.
TRUE.
Application rules are indeed applied to users and groups. In the context of network security and firewall configurations, application rules are used to define policies that control the access and usage of specific applications or services on the network. These rules can be applied based on individual users or groups of users.
By associating application rules with users or user groups, administrators can enforce different access policies based on user identities. For example, certain users or groups may be granted access to specific applications, while others may be restricted from using certain applications altogether. This level of granularity allows for effective control over the network's application usage and ensures that the network resources are utilized efficiently and securely.
So, the statement "Application rules are applied to users and groups" is TRUE.
When you download the IPsec remote access configuration, the file type that includes the advanced configuration is the ".json" file.
The ".json" file contains the advanced configuration settings for the IPsec remote access VPN. JSON (JavaScript Object Notation) is a lightweight data-interchange format that is easy for machines to parse and generate. It is used to store and transmit structured data, including configuration parameters, in a human-readable format.
The ".ovpn" file is typically associated with OpenVPN configurations, and it is not directly related to the IPsec remote access VPN.
The other file types listed (".scx", ".xmlA50", and ".tgb") are not commonly used for IPsec remote access configurations.
The control port used in RED (Remote Ethernet Device) connections is "UDP: 3410."
RED is a feature in Sophos Firewall that allows remote offices or branch locations to connect securely to the central Sophos Firewall over the internet. The RED device acts as a secure VPN endpoint, simplifying the network setup and providing a secure tunnel for the remote office's traffic.
When a RED device establishes a connection with the central Sophos Firewall, it uses UDP port 3410 as the control port to manage the VPN tunnel and perform necessary communication with the central firewall. The actual data traffic between the remote office and the central Sophos Firewall typically uses different ports as defined by the VPN configuration.
The two statements that correctly describe how firewall rules are applied are:
Packets are tested against firewall rules in order, and the first match is used: When a packet arrives at the firewall, it is evaluated against the firewall rules in a sequential order. The firewall will stop processing rules when it finds the first rule that matches the packet's characteristics, and the corresponding action defined in that rule will be applied to the packet. Any subsequent rules are not evaluated for that specific packet.
Packets that don't match a firewall rule are dropped: If a packet does not match any of the configured firewall rules, the default behavior for many firewalls is to drop the packet. This ensures that only packets explicitly permitted by a firewall rule are allowed to pass through.
The other statements are not accurate:
"Packets are tested against all firewall rules, and the best match is used" is not generally true for most firewalls. Once a packet matches a rule, the evaluation stops, and the first matching rule is used.
"All firewall rules are applied to all packets" is also not true. Only the first matching rule is applied to a packet, and subsequent rules are not considered for that packet.
"Packets which match a DNAT rule are ignored by the firewall" is not true either. A DNAT (Destination Network Address Translation) rule changes the destination address of the packet and might lead to further processing based on the new destination, but it doesn't cause the packet to be ignored by the firewall. The packet will still be evaluated against other applicable firewall rules.
The deployment mode that can be used for evaluating the capabilities of Sophos Firewall without making any network changes is "Discover Mode."
Discover Mode is a feature available in Sophos Firewall that allows you to deploy the firewall in a non-disruptive way to monitor and analyze network traffic without actively enforcing any security policies. In this mode, the firewall acts as an invisible observer, passively analyzing the network traffic and providing insights into the potential security risks and threats that would have been blocked if the firewall was in full enforcement mode.
By using Discover Mode, you can assess how Sophos Firewall would function in your network environment without actually altering the network traffic flow or applying any security rules. This makes it an ideal mode for evaluation and testing before implementing the firewall in a production environment. Once you are satisfied with the results and ready to enforce security policies, you can switch to the appropriate deployment mode, such as Gateway Mode or Bridge Mode, to actively protect and control your network traffic.
The three requirements for a successful installation of STAS (Sophos Transparent Authentication Suite) on your servers are:
An account with logon as a service rights: STAS requires a service account with "logon as a service" rights to run as a service on the server. This permission allows the STAS service to start and operate properly.
An account with access to the Windows security log: STAS needs access to the Windows security log to read and analyze user logon events for authentication purposes. The service account used by STAS should have the necessary permissions to access the security log.
Active Directory: STAS is an authentication suite that works in conjunction with Active Directory. It relies on Active Directory to retrieve user logon events and perform user authentication for various services, such as firewall authentication, VPN authentication, or web proxy authentication.
An IIS Server and SQL Server are not directly required for the installation of STAS. STAS primarily interacts with Active Directory and the Windows security log for its functionality. It doesn't require an IIS Server or a separate SQL Server for its core operation.
TRUE.
RED (Remote Ethernet Device) connections are always automatically added to the VPN zone in Sophos Firewall.
When you configure and connect a RED device to a Sophos Firewall, the RED connection is automatically recognized as a VPN connection and added to the VPN zone. This simplifies the setup process, as you don't need to manually create a separate zone for the RED connection. The VPN zone allows the RED device to securely communicate with the central Sophos Firewall and access resources on the network.
RED connections are designed to provide secure site-to-site connectivity for remote offices and branch locations, and their integration into the VPN zone ensures that traffic from the RED device is treated as part of the VPN network and can be subject to the appropriate VPN rules and security policies.
When used with a Sophos Firewall, STAS (Sophos Transparent Authentication Suite) supports the "Microsoft Active Directory" directory service.
STAS is an authentication suite that works in conjunction with Active Directory to provide transparent user authentication for various services, such as firewall authentication, VPN authentication, web proxy authentication, etc. It leverages the logon events from Active Directory to identify and authenticate users accessing different resources on the network.
While STAS supports Microsoft Active Directory, it does not support other directory services like Open LDAP directory server, Lotus Domino, Apple Open Directory, or Apache Directory Server for its core functionality.
As of my last knowledge update in September 2021, you can store up to 10 backups on Sophos Central.
Please note that the features and limitations of Sophos Central might have changed or been updated since my last knowledge update. For the most current information, I recommend checking the official Sophos Central documentation or contacting Sophos support.