Sophos Control Center Startup

The document describes the Control center page in Sophos Firewall, which provides an overview of system features, health, and security. It has sections for interfaces, configuring interfaces, and a system widget that displays performance, services, interfaces, VPNs, connected devices, and resource usage.

Uploaded by

feelingnap

Sophos Control center

The Control center shows the features in use and the health and security of the network.
The Control center is the first page you see whenever you sign in to Sophos Firewall. The page is arranged into
six areas that provide an overview of the features being used and the health and security of your system.
You don't make any configuration changes on this page. For details about the information shown here,
continue on this page. Otherwise, to continue setting up Sophos Firewall, see Interfaces.

Interfaces
Sophos Firewall uses interfaces to connect to your network. If you have a physical device, you have at least
four physical interfaces in the form of network ports. If you have a virtual device, you need at least two
physical network ports.

Sophos Firewall always has one default interface configured on initial start-up using the IP address
172.16.16.16. If you used the initial setup assistant, you might have already changed this and set up additional
interfaces. For example, a WAN interface to access the internet.

Interfaces are assigned a zone. Zones are separated network segments that don't allow traffic to flow
between them without a dedicated firewall rule in place.

The assigned zone determines the network permissions assigned to network traffic on that interface. The
following zones are available:

Zone    Description
LAN     The LAN zone contains your main internal network where most of your endpoint computers are located and has the least restrictive default permissions.
WAN     The WAN zone connects to the internet. An interface in this zone is normally assigned a public IP address. However, if you have deployed Sophos Firewall behind another router, a private IP address may still be used. By default, only those permissions required to allow traffic out to the internet are allowed in this zone.
DMZ     The DMZ zone is a more restricted internal network zone normally used for hosts, such as web servers. This lets you allow access to web services from the internet without allowing access to your main internal LAN network.
Wi-Fi   The Wi-Fi zone is like the LAN zone and is assigned to all wireless networks. It has many services turned on by default to allow connected endpoints access to the internet and other domain services. This is the interface to which you connect your access points.

You can control permissions for zone services in the device access settings on Administration > Device access.
You can control permissions for specific networks in Firewall rules, which you can set up on Rules and
policies > Firewall rules.

Configure an interface
To configure an interface, do as follows:
1. Go to Network > Interfaces.
2. Click Menu and select Edit interface.
3. Select a zone from the Network zone list.

4. When a zone is chosen, further configuration options are shown. By default, these are IPv4 options.
Select how the interface IP address will be assigned.
If you choose DHCP, no further configuration options are required, and you can save the configuration. See
step 7.
PPPoE connection is normally only used in the WAN zone when setting up a DSL connection to your ISP. You
must enter the information provided by your ISP. See step 6.
See the next step to set a static IP address for the interface.
5. To assign a static IP address to the interface, enter the IP address you want to use and the network's subnet
mask.

6. If you're setting up a WAN interface, you must also enter the name of your gateway and its IP address.
If you're configuring a PPPoE interface, you must enter the following information as provided by your ISP.

Option                                     Description
Preferred IP                               Preferred IP address for the PPPoE connection. Many internet service providers assign a static IP address to PPPoE connections. Sophos Firewall allows you to bind the static IP address to the PPPoE connection. Depending on the PPPoE server configuration, an IP address other than the preferred IP address may be assigned to the PPPoE connection.
Gateway name                               The name of the gateway through which you want to route the internet traffic.
Username                                   PPPoE account username.
Password                                   PPPoE account password.
Access concentrator/service name           Access concentrator and service name. The firewall starts only those sessions with the access concentrator that can provide the specified service.
LCP (Link Control Protocol) echo interval  Select this option only if you want to change the default value, and then enter the value. The firewall sends echo requests at these intervals to check whether the link is live. Note: Clearing the checkbox doesn't turn off LCP. It only resets the interval to the default value (20 seconds).
LCP failure                                Select this option only if you want to change the default number of echo requests, then enter the value. If the firewall doesn't receive a reply from the client after these requests, it disconnects the PPPoE connection. Note: Clearing the checkbox doesn't turn off LCP. It only resets the number of echo request attempts to the default value (3).
Schedule time for reconnect                The IP address assigned to a PPPoE connection, whether dynamic or static (preferred), can have a predefined validity period. When the period expires, the PPPoE connection is closed and reconnected. To prevent reconnection during working hours, turn on the PPPoE reconnect schedule. Note: On reconnection, an address other than the preferred IP address (if specified) may be assigned to the PPPoE connection.
7. Click Save.
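
A pre-flight check for the values entered in steps 5 and 6, written as an added example (not Sophos code and not part of the original document). It assumes a hypothetical plan of (zone, IP address, subnet mask, gateway) tuples with constructed addresses, and the function name is illustrative.

```python
import ipaddress

# RFC 1918 ranges: on a WAN interface these normally mean the firewall sits behind another router.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_static_interface(zone, ip, netmask, gateway=None):
    """Return findings for one planned static IPv4 interface (empty list = nothing to fix)."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    except ValueError as exc:  # covers bad addresses and non-contiguous masks
        return [f"invalid IP address or subnet mask: {exc}"]
    net, findings = iface.network, []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        findings.append(f"{iface.ip} is the network or broadcast address of {net}")
    if zone == "WAN":
        if gateway is None:
            findings.append("WAN interface has no gateway IP address")
        else:
            try:
                gw = ipaddress.IPv4Address(gateway)
            except ValueError:
                return findings + [f"invalid gateway address: {gateway}"]
            if gw == iface.ip:
                findings.append("gateway is the same as the interface address")
            elif gw not in net:
                findings.append(f"gateway {gw} is not inside {net}")
        if any(iface.ip in n for n in RFC1918):
            findings.append("private address in the WAN zone (expected only behind another router)")
    return findings

# Constructed sample plan; addresses are from documentation and private ranges.
PLAN = [
    ("LAN", "192.168.10.1", "255.255.255.0", None),
    ("WAN", "203.0.113.10", "255.255.255.248", "203.0.113.1"),
    ("DMZ", "10.20.30.255", "255.255.255.0", None),
    ("WAN", "192.168.1.2", "255.255.255.0", "192.168.1.1"),
]

if __name__ == "__main__":
    for zone, ip, mask, gw in PLAN:
        print(zone, ip, check_static_interface(zone, ip, mask, gw) or "ok")
```
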
System widget
The system panel is broken down into four areas to give you a quick overview of various system parameters.
The first area has four icons representing the following:
1. Performance: Shows the overall performance of Sophos Firewall in terms of resource usage, such as CPU and
RAM. Clicking this icon shows a load average graph. Load average is the average number of processes waiting
to run on a CPU. Any number greater than the number of processor cores in the system indicates that, during
the period being measured (for example, 5 minutes), there was more work to do than the system was capable
of doing.
2. Services: Shows if all services are running as expected. Clicking the icon shows the services that are
stopped or dead.
3. Interfaces: Shows if there are any issues with the configured network interfaces. Clicking this icon shows
details of the configured interfaces, such as status, bits received, and bits transmitted.
4. VPN: Shows the status of connected VPN tunnels. Clicking this icon shows the details of connected
VPN tunnels.

The second area of the panel gives details of connected RED devices (a Remote Ethernet Device provides a
secure tunnel between a remote site and Sophos Firewall), wireless APs, connected remote users, and
total live users.

1. RED (Remote Ethernet Device): Shows the number of RED tunnels established, followed by the total
number configured. For example, 1/4. Clicking the widget shows a list of RED tunnels.
2. Wireless APs: Shows the number of active access points, followed by the total number of access points
configured. For example, 2/3. Pending access points, if any, are shown separately in brackets in red.
Clicking the widget redirects to the Access points page.
3. Connected remote users: Shows the total number of users connected remotely through SSL VPN.
Clicking the widget redirects to the Remote users page.
4. Live users: Shows the total number of live users. Clicking the widget redirects to the Live users page.

The third area of the panel gives details of the system resources currently being used by Sophos Firewall.
These are as follows:
1. CPU: Shows the current CPU load as a percentage.
2. Memory: Shows the current usage of the system RAM as a percentage.
3. Bandwidth: Shows the current bandwidth of traffic passing through Sophos Firewall.
4. Sessions: Shows the current sessions for users connected to Sophos Firewall.
5. Decryption capacity: Shows the decrypted SSL/TLS connections as a percentage of your firewall's
decryption capacity.
6. Decrypt sessions: Shows the current number of decrypted SSL/TLS connections.
Decryption details are updated every five minutes.

Traffic insight widget

This section provides statistics on network traffic processed by Sophos Firewall in the last 24 hours. It
helps you see who uses most bandwidth, which websites and applications are most used, and where there are
unusual traffic patterns.

The following statistics are available:

1. Web activity: The graph shows how much data users transferred over the last 24 hours, which helps you
understand the web surfing trend. It also shows the maximum and average amount of data transferred, in
bytes, over the last 24 hours, which helps you spot unusual traffic patterns.
2. Cloud applications: This graph shows the number of cloud applications users connect to. It also shows
traffic, in bytes, that is sent to and from these applications by your network.
3. Allowed app categories: The graph shows the amount of data transferred, in bytes, for the top five
application categories. This shows the most-used applications in the last 24 hours, which helps you
identify which applications consume the most bandwidth. Clicking the bar of a specific application
category in the graph redirects you to the filtered application report of that category.
4. Network attacks: The graph lists the top five hosts that were denied access to the network due to
health reasons. Clicking the bar of a specific attack category in the graph redirects you to the filtered
report of that category.
5. Allowed web categories: The graph shows the amount of data transferred, in bytes, for the top five
web categories. This shows the most-visited websites in the last 24 hours, which helps you identify
which websites consume the most bandwidth. Clicking the bar of a specific web category in the graph
redirects you to the filtered report of that category.
6. Blocked app categories: The graph shows the top five denied application categories and the number
of hits per category. This helps you find the applications with the most failed access attempts.
Clicking the bar of a specific application category in the graph redirects you to the filtered application
report of that category.
User and device insights

The User & device insights panel shows details of user and device activity on your network and helps you
identify devices at risk.
Security Heartbeat: Shows the total number of connected endpoints with Security Heartbeat turned on and
the number of these that are at risk, have a missing Heartbeat, or have produced a warning. Clicking the
relevant box shows more details about the endpoints to enable you to quickly find the affected devices.
Synchronized Application Control
Threat intelligence
ATP
SSL/TLS connections
Active firewall rules

Shows the number of firewall rules by rule type and rule status. It shows the traffic, in bytes, that matched the
firewall rules in the past 24 hours.
To see the data volume, hover over the chart.
To see the rules in the Firewall rule table, select a firewall rule status. The rule table sets a filter based on your
selection.
All administrators, irrespective of their rights, can see the firewall rules.
Note
A rule might be in more than one status list for a short time. That's because it stays on a list for a certain time,
even if its status changes. See the following example:
Rule name: Test
Rule creation: 10 AM. Test rule is listed under New until 10 AM the next day.
Rule change: 11 AM. Test rule is listed under Changed until 11 AM the next day.
Usage check: If Sophos Firewall performs a usage check at noon and the Test rule remains unused, the rule is
listed under Unused until the next usage check.
Turned off: 01 PM. Test rule is listed under Disabled. A disabled rule is listed under Changed and Disabled.
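
The overlap described in this note, modelled as an added example (not Sophos code and not part of the original document). It assumes that "until 10 AM the next day" means a 24-hour window, that turning a rule off counts as a change, and that the next usage check runs at noon the following day; the function names and the date are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumption: "until 10 AM the next day" read as a 24-hour window

def status_lists(now, created, changed=None, disabled_at=None, unused_checks=()):
    """Return the status lists a rule appears on at `now`.

    unused_checks holds (check_time, next_check_time) pairs for usage checks
    that found the rule unused.
    """
    lists = set()
    if created <= now < created + WINDOW:
        lists.add("New")
    # Turning a rule off also counts as a change: the page lists a disabled
    # rule under both Changed and Disabled.
    for t in (changed, disabled_at):
        if t is not None and t <= now < t + WINDOW:
            lists.add("Changed")
    if disabled_at is not None and now >= disabled_at:
        lists.add("Disabled")
    if any(check <= now < nxt for check, nxt in unused_checks):
        lists.add("Unused")
    return lists

# The page's "Test" rule on a constructed date; the next usage check at noon
# the following day is an assumption, the page does not give the interval.
DAY = datetime(2024, 1, 1)
TEST_RULE = dict(
    created=DAY.replace(hour=10),
    changed=DAY.replace(hour=11),
    disabled_at=DAY.replace(hour=13),
    unused_checks=[(DAY.replace(hour=12), DAY.replace(hour=12) + WINDOW)],
)

def lists_at(hours_after_midnight):
    """Status lists for TEST_RULE at DAY plus the given number of hours."""
    return status_lists(DAY + timedelta(hours=hours_after_midnight), **TEST_RULE)

if __name__ == "__main__":
    for h in (10.5, 11.5, 12.5, 13.5, 34.5, 37.5):
        print(DAY + timedelta(hours=h), sorted(lists_at(h)))
```

At 1:30 PM on the first day the same rule is on all four lists at once, which is why the per-status counts in the widget can add up to more than the number of rules.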
Reports

Depending on the modules subscribed, at most, five critical reports from the table below are shown:

Report name             Number/data shown                                        Subscription module
High risk applications  <number of> risky apps seen yesterday                    Web Protection
Objectionable websites  <number of> objectionable websites seen yesterday        Web Protection
Web users               <data transfer> (in bytes) used by top 10 users yesterday  Web Protection
Intrusion attacks       <number of> intrusion attacks yesterday                  Network Protection
Web server protection   <number of> web server attacks yesterday                 Web Server Protection
Email usage             <data transfer> (in bytes) used                          Email Protection
Email protection        <number of> spam mails yesterday                         Email Protection
Traffic dashboard       -                                                        Either Web Protection or Network Protection
Security dashboard      -                                                        Either Web Protection or Network Protection

Messages panel
The panel shows information that allows you to monitor and track system events.
Examples of alerts include:
The default password for the “admin” user has not been changed. We highly recommend you to change the
password. This alert is shown when the default password for the super administrator isn’t changed.
New firmware available for Sophos Firewall or connected devices such as APs or RED devices.
The default web admin console password has not been changed.
HTTPS or SSH based management is allowed from the WAN. This is not a secure configuration. We
recommend using a good password.
Your Sophos Firewall is not registered.
The modules expired.
Icons are used for easier identification of messages.
: Indicates alert messages.
: Indicates warnings.
: Indicates firmware download notifications.
