XG Firewall Features - Fully Synchronized, Cloud-Native ...

1 XG Firewall Features Sophos XG Firewall Dynamic Firewall rule support for endpoint health (Sophos Security Heartbeat) to automatically isolate Highlights or limit network access to compromised endpoints Purpose-built user interface with interactive control center utilizing traffic-light indicators (red, yellow, green) synchronized Application Control to automatically, to instantly identify what needs attention at-a-glance identify, classify and control all unknown Mac/. Windows applications on the network The Control Center offers instant insights into endpoint health, unidentified Mac and Windows applications, Cloud Application Visibility enables Shadow IT discovery cloud applications and Shadow IT, suspicious instantly and offers one-click traffic shaping payloads, risky users, advanced threats, network Policy test simulator tool to enable Firewall rule and web attacks, objectionable websites, and much more. policy simulation and testing by user, IP and time of day Optimized two-clicks-to-anywhere navigation User Threat Quotient for identifying risky users based Policy Control Center Widget monitors policy activity on recent browsing behavior and ATP triggers for business , user and network policies and tracks Application Risk Meter provides and overall risk factor unused, disabled, changed and new policies based on the risk level of applications on the network New unified policy model combines all business , Configuration API for all Features user and network Firewall rules onto a single screen for RMM/PSA integration with grouping, filtering and search options Discover Mode (TAP mode)

2 For seamless integration for Streamlined Firewall rule management for large rule trials and PoCs with support for synchronized Security sets with custom auto and manual grouping with at-a- glance mouse-over feature and enforcement indicators Full-featured centralized management of multiple firewalls with Sophos Firewall Manager available All Firewall rules provide an at-a-glance summary of the as a hardware, software, or virtual appliance applied security and control for AV, Sandboxing, SSL, IPS, Web, App, Traffic Shapping (QoS), routing, and Heartbeat Central management of multiple firewalls from Sophos Central providing one management Pre-defined IPS, Web, App, and Traffic Shaping console for all your Sophos IT security products. (QoS) policies enable quick setup and easy customization for common deployment scenarios Easy streamlined setup wizard to enable quick out- ( CIPA, typical workplace policies, and more) of-the box deployment in just a few minutes IPS, Web, App, and Traffic Shaping (QoS) policies Zero-touch setup and configuration in Sophos snap-into Firewall rules and can be edited in- Central for new firewalls that remote staff can utilize place providing a powerful but intuitive model for during the initial startup to configure the device configuring and managing security and control Base Firewall Policy Templates for common business applications including Microsoft Exchange, General Management SharePoint, Lync, and much more defined in Purpose-built streamlined user interface and Firewall XML enabling customization and sharing.

3 Rule management for large rule sets with grouping with at-a-glance rule feature and enforcement indicators Sophos Security Heartbeat connecting Sophos endpoints with the Firewall to share health status Two-factor authentication (One-time-password) support and telemetry to enable instant identification for administrator access, user portal, IPSec and SSL VPN. of unhealty or compromised endpoints Advanced trouble-shooting tools in XG Firewall Features GUI ( , Packet Capture) Upstream proxy support High Availability (HA) support clustering two Protocol independent multicast devices in active-active or active-passive mode. routing with IGMP snooping Full command-line-interface (CLI) accessible from GUI Bridging with STP support and ARP broadcast forwarding Role-based administration VLAN DHCP support and tagging Automated firmware update notification with easy automated update process and roll-back Features Multiple bridge support Reusable system object definitions for WAN link balancing: multiple Internet connections, networks, services, hosts, time periods, auto-link health check, automatic failover, automatic users and groups, clients and servers and weighted balancing, and granular multipath rules Self-service user portal Wireless WAN support (n/a in virtual deployments).

4 Configuration change tracking interface link aggregation Flexible device access control for services by zones Full configuration of DNS, DHCP and NTP. Email or SNMP trap notification options Dynamic DNS. SNMP and Netflow support IPv6 Ready Logo Program Approval Certification Central managment support from Sophos Firewall IPv6 tunnelling support including 6in4, 6to4, 4in6, Manager or Sophos Cloud Firewall Manager and IPv6 rapid deployment (6rd) through IPSec Backup and restore configurations: locally, via FTP. Base Traffic Shaping and Quotas or email; on-demand, daily, weekly or monthly Flexible network or user based traffic shaping (QoS). API for third party integration (enhanced Web and App traffic shaping options are included with the Web Protection Subscription). Remote access option for Sophos Support Set user-based traffic quotas on upload/download Cloud-based license management via MySophos or total traffic and cyclical or non-cyclical Firewall , Networking, and Routing Real-time VoIP optimization Stateful deep packet inspection Firewall DSCP marking FastPath Packet Optimization Secure Wireless User, group, time, or network based policies Simple plug-and-play deployment of Sophos Access time polices per user/group wireless access points (APs) automatically appear on the Firewall control center Enforce policy across zones, networks, or by service type Central monitor and manage all APs and wireless Zone isolation and zone-based policy support.

5 Clients through the built-in wireless controller Default zones for LAN, WAN, DMZ, LOCAL, VPN, and WiFi Bridge APs to LAN, VLAN, or a separate Custom zones on LAN or DMZ zone with client isolation options Customizable NAT policies with IP masquerading Multiple SSID support per radio including hidden SSIDs and full object support to redirect or forward Support for the latest security and encryption multiple services in a single rule including WPA2 Personal and Enterprise Flood protection: DoS, DDoS and portscan blocking Channel width seletion option Country blocking by geo-IP. Support for IEEE (RADIUS authentication). Routing: static, multicast (PIM-SM) with primary and secondary server support and dynamic (RIP, BGP, OSPF). Support for (fast transition). XG Firewall Features Hotspot support for (custom) vouchers, Base VPN Options password of the day, or T&C acceptance Site-to-site VPN: SSL, IPSec, 256- bit AES/3 DES, PFS, RSA, certificates, pre-shared key Wireless guest Internet access with walled garden options L2TP and PPTP.

6 Time-based wireless network access Remote access: SSL, IPsec, iPhone/iPad/. Cisco/Andriod VPN client support Wireless repeating and bridging meshed network mode with supported APs IKEv2 Support Automatic channel selection background optimization SSL client for Windows and configuration download via user portal Support for HTTPS login Sophos Connect IPSec Client Authentication Authentication: Pre-Shared Key (PSK), synchronized User ID utilizes synchronized Security PKI ( ), Token and XAUTH. to share currently logged in Active Directory user ID between Sophos endpoints and the Firewall Enables synchronized Security and Security without an agent on the AD server or client Heartbeat for remote connected users Authentication via: Active Directory, Intelligent split-tunneling for optimum traffic routing eDirectory, RADIUS, LDAP and TACACS+. NAT-traversal support Server authentication agents for Active Client-monitor for graphical overview Directory SSO, STAS, SATC.

7 Of connection status Single sign-on: Active directory, Mac and Windows Support eDirectory, RADIUS Accounting Client authentication agents for Sandstom Protection Subscription Windows, Mac OS X, Linux 32/64. Sandstorm Cloud Sandbox Protection Browser SSO authentication: Transparent, Full integration into your Sophos proxy authentication (NTLM) security solution dashboard Browser Captive Portal Inspects executables and documents containing executable content (including .exe, .com, and .dll, .doc, Authentication certificates for iOS and Android .docx, docm and .rtf and PDF) and archives containing Authentication services for IPSec, SSL, L2TP, PPTP any of the file types listed above (including ZIP, BZIP, GZIP, RAR, TAR, LHA/LZH, 7Z, Microsoft Cabinet). Google Chromebook authentication support for environments with Active Directory and Google Gsuite Aggressive behavioral, network, and memory analysis API based authentication Detects sandbox evasion behavior Machine Learning technology with Deep User Self-Serve Portal Learning scans all dropped executable files Download the Sophos Authentication Client Includes exploit prevention and Cryptoguard Download SSL remote access client (Windows).

8 Protection technology from Sophos Intercept X. and configuration files (other OS). In-depth malicious file reports and Hotspot access information dashboard file release capability Change user name and password Optional data center selection and flexible View personal internet usage user and group policy options on file type, exclusions, and actions on analysis Access quarantined messages and manage user-based block/allow sender lists (requires Email Protection) Supports one-time download links XG Firewall Features Network Protection Subscription Clientless VPN. Sophos unique encrypted HTML5 self-service portal with Intrusion Prevention (IPS). support for RDP, HTTP, HTTPS, SSH, Telnet, and VNC. High-performance, next-gen IPS deep packet inspection engine with selective IPS patterns Web Protection Subscription that can be applied on a Firewall rule basis for maximum performance and protection Web Protection and Control Fully transparent proxy for anti- Top rated by NSS Labs malware and web-filtering Thousands of signatures Enhanced Advanced Threat Protection Granular category selection URL Filter database with millions of sites across Support for custom IPS signatures 92 categories, backed by SophosLabs IPS Policy Smart Filters that enable dynamic policies Surfing quota time policies per user/group which automatically update as new patterns are added Access time polices per user/group ATP and Security Heartbeat Malware scanning.

9 Block all forms of viruses, Advanced Threat Protection (Detect and block network web malware, trojans, and spyware on traffic attempting to contact command and control HTTP/S, FTP and web-based email servers using multi-layered DNS, AFC, and Firewall ). Advanced web malware protection Sophos Security Heartbeat instantly identifies with JavaScript emulation compromised endpoints including the host, user, Live Protection real-time, in-the-cloud process, incident count, and time of compromise lookups for the latest threat intelligence Sophos Security Heartbeat policies can limit Second independent malware detection access to network resources or completely isolate engine (Avira) for dual-scanning compromised systems until they are cleaned up Real-time or batch mode scanning Lateral Movement Protection further isolates compromised systems by having healthy Sophos Pharming Protection endpoints reject all traffic from unhealthy HTTP and HTTPS scanning and enforcement endpoints preventing the movement of threats on any network and user policy with Fully even on the same broadcast domain customizable rules and exceptions Remote Ethernet Device (RED)

10 VPN SSL protocol tunnelling detection and enforcment Central Management of all RED devices Certificate validation No configuration: Automatically connects High performance web content caching through a cloud-based provisioning service Forced caching for Sophos Endpoint updates Secure encrypted tunnel using digital certificates and AES256-encryption File type filtering by mime-type, extension and active content types ( Activex, applets, cookies, etc.). Virtual Ethernet for reliable transfer of all traffic between locations YouTube for Schools enforcement per policy (user/group). IP address management with centrally defined DHCP and DNS Server configuration SafeSearch enforcement (DNS-based) for major search engines per policy (user/group). Remotely de-authorize RED devices after a select period of inactivity Web keyword monitoring and enforcement to log, report or block web content matching keyword Compression of tunnel traffic lists with the option to upload customs lists VLAN port configuration options (RED 50).