Sophos Firewall Web

Protection Overview

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
4005: Sophos Firewall Web Protection Overview

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall Web Protection Overview - 1

 Sophos Firewall Web Protection Overview
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
Sophos Firewall can provide web ✓ The multiple layers of protection provided by
protection as a transparent or Sophos Firewall to detect and block attacks
explicit proxy.

DURATION

10 minutes

In this chapter you will learn how Sophos Firewall can provide web protection as a transparent or
explicit proxy.

Sophos Firewall Web Protection Overview - 2

 Web Protection Overview

Protection Control

• Scan for malware with two antivirus • Allow, warn, block and quota access
engines to web content

• Sophos zero-day protection cloud- • Apply rules to users and groups

based sandbox scanning
• Control content based on categories,
• Scan for potentially unwanted file types, URLs and content
applications
• Surfing quotas

Web Protection on Sophos Firewall can be used to defend against malware and to control user
behaviour.

Sophos Firewall can scan for malicious content using two antivirus engines, Sophos and Avira, and
if additional checking is required, it can leverage zero-day protection, a Sophos cloud-based
sandbox solution. In addition to malicious content, you can also choose to block potentially
unwanted applications from being downloaded onto your network.

You can improve your network security by blocking access to risky websites and applying controls
to users’ browsing behaviour. Sophos Firewall comes with several predefined policies to get started
that can be further customized to meet your needs.

Sophos Firewall Web Protection Overview - 3

 Web Protection Overview

Transparent

Explicit

Web filtering on Sophos Firewall can be done either transparently, intercepting traffic as it passes,
or as an explicit proxy, where clients are configured to use the Sophos Firewall as their web proxy.

Sophos Firewall Web Protection Overview - 4

 DPI vs. Web Proxy Filtering
DPI Web Proxy Filtering

✓ Port agnostic protocol detection

✓ Support for FastPath ✓ Enforce SafeSearch
✓ Decrypts TLS 1.3 traffic ✓ Apply YouTube restrictions
✓ Offloads traffic trusted by ✓ Explicit proxy mode
SophosLabs

The DPI (Deep Packet Inspection) engine can perform web filtering for improved performance,
however you can still choose to use the legacy web proxy. Let’s take a look at some of the
differences between DPI and web proxy filtering.

DPI implements proxy-less filtering handled by the IPS (Intrusion Prevention System) engine. It
provides port agnostic protocol detection and supports the partial or full offload of traffic flows to
the network FastPath. It can decrypt and scan TLS 1.3 traffic and offloads the traffic trusted by
SophosLabs.

In comparison, you may want to use the web proxy filtering to enforce SafeSearch or YouTube
restrictions, or because your clients are configured to use the Sophos Firewall as an explicit proxy.

Let’s take a closer look at how the traffic is processed in each of these scenarios.

Sophos Firewall Web Protection Overview - 5

 Firewall Rule > Security Features

The Security Features section of the Firewall Rules provides settings to choose between the DPI
Engine and Web Proxy for each individual rule.

Sophos Firewall Web Protection Overview - 7

 DPI Filtering

Decrypt Web Content

sophos.com on port 80 HTTPS Policy Scan

sophos.com on port 443 Web Proxy

Firewall

sophos.com on port 8080

SSL/TLS Web Content App
IPS
Rules Policy Scan Control

DPI Engine

FastPath

Using the configuration shown here, all the traffic will be handled by the faster DPI engine for IPS
and proxy-less web filtering and SSL decryption on any port for HTTP and HTTPS using port
agnostic protocol identification.

In this configuration the SSL/TLS inspection rules are used to manage the decryption of secure web
traffic.

Using the DPI engine allows the Sophos Firewall to offload safe traffic to the FastPath. This is done
for traffic that the Sophos Firewall qualifies as being safe, or that matches identities for SophosLabs
trusted traffic.

Sophos Firewall Web Protection Overview - 8

 Web Proxy Filtering

Decrypt Web Content

sophos.com on port 80 HTTPS Policy Scan

sophos.com on port 443 Web Proxy

Firewall

sophos.com on port 8080

SSL/TLS Web Content App
IPS
Rules Policy Scan Control

DPI Engine

FastPath

If you enable the web proxy, then HTTP and HTTPS traffic on ports 80 and 443 will be processed by
the web proxy for decryption, web policy and content scanning, before being handed to the DPI
engine for application control and IPS.

HTTP or HTTPS traffic on other ports will still be handled by the DPI engine.

The web proxy is also used in explicit proxy configurations.

When the web proxy is being used none of the traffic can be offloaded to the FastPath.

Sophos Firewall Web Protection Overview - 9

 Deploying Sophos Firewall for Web Protection

Gateway or mixed mode deployments

LAN Zone WAN Zone

Internet
Sophos Firewall

Filter web traffic

If the Sophos Firewall is the network gateway or will be replacing an existing gateway, then web
filtering can simply be enabled for the traffic passing through it.

This deployment scenario is ideal as all traffic must pass through the Sophos Firewall before being
allowed out to the Internet. As such, all traffic entering the network must also pass through the
Sophos Firewall before reaching clients. By implementing in this fashion, all web traffic can be
scanned, decrypted, sent to zero-day protection if needed, and controlled so that users cannot
violate company policy, and hackers cannot pass unseen.

In this deployment scenario, the Sophos Firewall can be used as both a transparent and explicit
proxy.

Sophos Firewall Web Protection Overview - 10

 Deploying Sophos Firewall for Web Protection

Bridge mode deployments

Firewall Internet
Sophos Firewall

Transparently filter
web traffic Other networks such
as DMZ will not be
filtered

In scenarios where the Sophos Firewall will not be the primary network gateway there are two
deployment options.

The first is to add Sophos Firewall to the network in bridge mode, allowing it to transparently filter
the web traffic. This is a good solution if the existing edge device will not be replaced. Similarly, to
the previous solution, anyone behind the Sophos Firewall will not be able to bypass the filter and
will have their traffic inspected. The only exception would be if there were another network, such
as a DMZ hosting public servers, behind the edge firewall.

Sophos Firewall Web Protection Overview - 11

 Deploying Sophos Firewall for Web Protection

Explicit proxy deployments

Switch

Firewall Internet

Configure clients to use

Allow web traffic from
Sophos Firewall as web
Sophos Firewall only
proxy

Sophos Firewall

The other option is for the Sophos Firewall to be on the network but not in the direct flow of
traffic, and to have the clients configured to use it as an explicit proxy.

In this configuration, the Sophos Firewall doesn’t have any control over traffic that is sent directly
to the default gateway, and so it is important that the edge device is configured to only allow web
traffic from allowed devices, including the Sophos Firewall.

Sophos Firewall Web Protection Overview - 12

 Transparent vs. Explicit Proxy
Transparent Explicit

Typically deployed at the gateway

Requires client (operating
Does not require client configuration system/browser/application) to be
configured with the proxy details
Client (operating
system/browser/application) is unaware Firewall must be configured to only
the traffic is being filtered allow web traffic from the proxy to
prevent users from circumventing it
Users cannot circumvent the filtering

The key differences between transparent and explicit proxy web filtering are:

In a transparent proxy configuration, the proxy is typically deployed at the Internet gateway and
the proxy service is configured to intercept traffic for a specified port. The client (e.g., browser,
desktop application etc.) is unaware that traffic is being processed by a proxy. For example, a
transparent HTTP proxy is configured to intercept all traffic on port 80/443. This provides a
standard enterprise configuration where all clients routed to the Internet will be filtered and
protected, no matter what the end users do or change on their machines. An added benefit is a
reduction of client-proxy configuration troubleshooting. Transparent proxies also handle mobile
and guest devices without any additional configuration.

In an explicit proxy configuration, the client is explicitly configured to use a proxy server, meaning
the client knows that all requests will go through a proxy. The client is given the hostname, IP
address, and port number of the proxy service. When a user makes a request, the client connects
to the proxy service and sends the request. The disadvantage of the explicit proxy is that each
client must be properly configured to use the proxy.

Sophos Firewall Web Protection Overview - 13

 Chapter Review

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic
protocol detection and supports offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be
processed by the web proxy for decryption, web policy and content scanning before
being handed to the DPI engine for application control and IPS

If Sophos Firewall is the network gateway, web filtering can be enabled for the traffic
passing through it. When it is not the primary network gateway it can operate in bridge
mode, transparently filtering the web traffic, or be configured as an explicit proxy

Here are the three main things you learned in this chapter.

DPI implements proxy-less filtering handled by the IPS engine. It provides port agnostic protocol
detection and supports the partial or full offload of traffic flows to the network FastPath. It can
decrypt and scan TLS 1.3 traffic.

When web proxy is enabled, HTTP and HTTPS traffic on ports 80 and 443 will be processed by the
web proxy for decryption, web policy and content scanning before being handed to the DPI engine
for application control and IPS. Add Sophos Firewall to the network in bridge mode, allowing it to
transparently filter the web traffic.

If Sophos Firewall is the network gateway, then web filtering can be enabled for the traffic passing
through it. When Sophos Firewall is not the primary network gateway it can operate in bridge
mode, allowing it to transparently filter the web traffic, or be configured as an explicit proxy.

Sophos Firewall Web Protection Overview - 18

Sophos Firewall Web Protection Overview - 19
 Configuring Web Protection
on Sophos Firewall

Sophos Firewall
Version: 19.5v1

[Additional Information]

Sophos Firewall
4010: Configuring Web Protection on Sophos Firewall

November 2022
Version: 19.5v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring Web protection on Sophos Firewall- 1

 Configuring Web Protection on Sophos Firewall
In this chapter you will learn how RECOMMENDED KNOWLEDGE AND EXPERIENCE
to create policies for web ✓ How Sophos Firewall provides web protection as a
protection and TLS transparent or explicit proxy
decryption and configure global
settings for protection and an
explicit proxy.

DURATION

24 minutes

In this chapter you will learn how to create policies for web protection and TLS decryption and
configure global settings for protection and an explicit proxy.

Configuring Web protection on Sophos Firewall- 2

 Web Policies

Web Protection Policies Policy Rules

• Include options to control end users’ • Define the type of usage to restrict
web browsing
• SafeSearch prevents potentially • Specify content filters to restrict web
inappropriate images, videos, and content that contains any terms in
text from appearing search results the lists
• YouTube restrictions also restrict
search results • Define the action to take when the
• Time quotas can allow limited access firewall encounters traffic that
to restricted websites matches the rule criteria

Web policies can be used to control end users’ web browsing activities. Policies include options for:
• SafeSearch, which prevents potentially inappropriate images, videos, and text from appearing in
Google, Yahoo, and Bing search results.
• YouTube restrictions, which prevent access to potentially inappropriate content by restricting
YouTube search results.
• Time quotas, that allow access to restricted websites, such as online shopping, for a limited
period.

Policies include rules, which are used to:

• Define the type of usage to restrict. This can include user activities, categories, URL groups, file
types, and dynamic categories.
• Specify content filters to restrict web content that contains any terms in the lists.
• Define the action to take when the firewall encounters HTTP traffic that matches the rule
criteria.

Configuring Web protection on Sophos Firewall- 3

 Creating and Editing Web Policies

This shows an example of a web policy. It has an ordered list of rules and a default action, in this
case allow, that determines the behaviour if the traffic does not match any of the rules.

Configuring Web protection on Sophos Firewall- 4

 Creating and Editing Web Policies
Dynamic Categories

User Activities
Categories

URL Groups

Users &
Groups File Types Constraints

Content Filter Action Status

Each web policy rule applies to either specific users and groups, or anybody.

You define the activities, or types of web traffic that are going to be controlled by the rule, and you
can optionally also apply a keyword content filter to the traffic.

Each rule has an action, allow, warn, quota or block, and this can be overridden. There is also a
separate action applied to HTTPS traffic.

You can set time constraints for the rule. If no time constraints are selected, then the rule will be
active all the time.

Finally, you can enable and disable individual rules. This is especially useful when creating new
rules and testing.

Configuring Web protection on Sophos Firewall- 5

 Web Policies

Below the web policy rules are further options, some of which require the web proxy to be
enforced. These are indicated with a notice. If these options are selected and used with the DPI
engine, they will not be enforced.

The available options are:

• Enforce SafeSearch in common search engines. This is done by modifying the request to enable
the features in the search engine and requires decrypting the web traffic.
• Enforce YouTube restrictions, which is done in the same ways as enforcing SafeSearch.
• Configure how much quota time users have per day.

Configuring Web protection on Sophos Firewall- 6

 Advanced Settings

Advanced settings allow you to:

• Include this policy in logs and reports.
• Prevent the downloading of files greater than the size specified.
• Add X-Forwarded-For header to pass on the IP address of the original HTTP request.
• Allow users to sign into Google Apps, such as Gmail and Drive, only with the domains specified.
• Apply Microsoft Azure AD tenant restrictions.

Again, a notice indicates which settings require the web proxy to be enforced.

Configuring Web protection on Sophos Firewall- 7

 User Activities

User activities are a group of web categories, URL groups and file types

Let’s look at the types of traffic you can select to control in the web policy rules, starting with User
Activities.

User Activities are a way of grouping web categories, URL groups and file types into a single object
to simplify management.

Configuring Web protection on Sophos Firewall- 8

 Additional information in
the notes
Categories

Web categories are what most people think of when they think of web filtering. Sophos Firewall
comes with over 90 predefined web categories, which you can reclassify and apply traffic shaping
policies to.

You can also create custom web categories based on either local lists of domains and keywords or
an external URL database.

[Additional Information]

External URL databases can be from either a HTTP or FTP server. The database should be in one of
the following formats:
• .tar
• .ga
• .bz
• .bz2
• .txt
The database will be checked every two hours for updates.

Configuring Web protection on Sophos Firewall- 9

 URL Groups

Local TLS exclusion list

Managed TLS exclusion

list (read only)

URL groups are used to create a match list of domains for which the default configuration should
not be applied. All subdomains for the entered domains will also be matched.

There are a couple of important default groups:

• Local TLS exclusion list, which you can use to manage domains you do not want to decrypt
traffic for.
• Managed TLS exclusion list, which is a Sophos managed list of domains that are excluded from
TLS decryption. On this page you can see the domains that are included, although you cannot
edit or delete this group.

Configuring Web protection on Sophos Firewall- 10

 File Types

Sophos Firewall can manage access to files through the web policy and comes with several groups
of common file types defined by extension and MIME type.

You can also create custom file types, which can use an existing group as a template to import
already defined types.

Configuring Web protection on Sophos Firewall- 11

 Simulation: Create Custom Web Categories on Sophos
Firewall
In this simulation you will create a
keyword filter, modify the existing
‘Unproductive Browsing’ user
activity, and create user activity for
controlling access to specific
categories of website.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebCategories/1/start.html

In this simulation you will create a keyword filter, modify the existing ‘Unproductive Browsing’ user
activity, and create user activity for controlling access to specific categories of website.

[Additional Information]

https://training.sophos.com/fw/simulation/WebCategories/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 12

 Content Filters

Web policies include the option to log, monitor and enforce policies related to keyword lists. This
feature is particularly important in educational environments to ensure online child safety and to
provide insights into students using keywords related to self-harm, bullying, radicalization or
otherwise inappropriate content. Keyword libraries can be uploaded to Sophos Firewall and
applied to any web filtering policy as an added criteria with actions to log and monitor or block
search results or websites containing the keywords of interest.

Comprehensive reporting is provided to identify keyword matches and users that are searching or
consuming keyword content of interest, enabling proactive intervention before an at-risk user
becomes a real problem.

Keyword lists are plain text files with one term per line.

Configuring Web protection on Sophos Firewall- 13

 Simulation: Create a Web Content Filter on Sophos Firewall

In this simulation you will create a

custom content filter that will be
used to detect web pages that
contain common bullying terms.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/ContentFilter/1/start.html

In this simulation you will create a custom content filter that will be used to detect web pages that
contain common bullying terms.

[Additional Information]

https://training.sophos.com/fw/simulation/ContentFilter/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 14

 Applying Policies

Once you have created your web policy you can apply it in firewall rules.

Configuring Web protection on Sophos Firewall- 15

 Web Policies

If there are options that cannot be enforced, this will be indicated in the firewall rule with a
warning triangle. Hovering over the warning will provide additional information.

Configuring Web protection on Sophos Firewall- 16

 Simulation: Create a Custom Web Policy on Sophos Firewall

In this simulation you will clone and

customize a web policy by adding
additional rules. You will then test
the policy using two different users
and the Policy Test tool.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicy/1/start.html

In this simulation you will clone and customize a web policy by adding additional rules. You will
then test the policy using two different users and the Policy Test tool.

[Additional Information]

https://training.sophos.com/fw/simulation/WebPolicy/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 17

 Additional information in
Web Protection the notes

When any web filtering is enabled Sophos Firewall will:

• Automatically block websites that are identified as containing child sexual abuse content
by the Internet Watch Foundation (IWF)
• Hide the domain name in logs and reports
• Not support any policy or exclusion to allow the sites

We minimize the availability of online sexual abuse content.

Specifically:
• Child sexual abuse content hosted anywhere in the world
• Non-photographic child sexual abuse images hosted in the UK

When any web filtering is enabled, Sophos Firewall will automatically block websites that are
identified as containing child sexual abuse content by the Internet Watch Foundation.

No policy or exclusions can be configured to allow these sites, and the domain names will be
hidden in the logs and reports.

[Additional Information]

Find out more about the IWF at https://www.iwf.org.uk

Configuring Web protection on Sophos Firewall- 18

 Additional information in
Protection Settings the notes

There are several protection settings that can be managed in Web > General settings, including:
• Selecting between single and dual engine scanning.
• Scan mode.
• And the action to take for unscannable content and potentially unwanted applications.

[Additional Information]

Zero-day protection requires the Sophos scan engine; this means that you need to either select
Sophos as the primary scan engine (CONFIGURE > System services > Malware protection) or use
dual engine scanning.

The ‘Malware Scan Mode’ can be set to ‘Real-time’ for speedier processing or ‘Batch’ for a more
cautious approach.

Then we must decide on how to handle content that cannot be scanned due to factors such as
being encrypted, or password protected. The safest option is to block this content, but it can be
allowed if required.

An option is available as part of web protection to block Potentially Unwanted Applications from
being downloaded. Specific applications can be allowed by adding them to the Authorized PUAs
list; and this is applied as part of the malware protection in firewall rules.

Configuring Web protection on Sophos Firewall- 19

 Protection Settings

The HTTPS decryption and scanning settings on this page allow you to change the signing CA and
modify the scanning behaviour for the legacy web proxy. These settings do not affect the TLS
decryption rules.

Configuring Web protection on Sophos Firewall- 20

 Zero-Day Protection

The global zero-day protection configuration is in PROTECT > Zero-day protection > Protection
settings.

Here you can specify whether an Asia Pacific, Europe or US datacenter will be used, or let Sophos
decide where to send files for analysis based on which will give the best performance. You may
need to configure this to remain compliant with data protection laws.

You can also choose to exclude certain types of file from zero-day protection using the predefined
file type options.

Zero-day protection scanning is enabled in the Web filtering section of firewall rules.

Configuring Web protection on Sophos Firewall- 21

 Advanced Settings

On the General settings tab there are also some advanced settings where you can enable web
caching and caching Sophos endpoint updates.

You can also configure some web proxy settings:

• The port that clients should use to configure the Sophos Firewall as an explicit proxy.
• The ports that can be connected to.
• And the minimum TLS version.

Configuring Web protection on Sophos Firewall- 22

 Web Proxy Content Caching

The Sophos Firewall can be configured to cache web content, which can save bandwidth for sites
with limited or slower Internet access; however, the web proxy is required in order to enforce this.

Configuring Web protection on Sophos Firewall- 23

 User Notifications

In the User notifications tab, you can modify the images and text shown on the warn and block
pages. The text can include variables to display the category detected, and to link to suggesting a
different category.

You can preview what the message will look like when users see it using the link.

Configuring Web protection on Sophos Firewall- 24

 Policy Overrides

Web policy overrides settings allow authorized users to override blocked sites on user devices,
temporarily allowing access.

You define which users (for example this could be teachers in an education setting) have the option
to authorize policy overrides. Those users can then create their own override codes in the Sophos
Firewall User Portal and define rules about which sites they can be used for. In the WebAdmin you
can see a full list of all override codes created and disable or delete them, as well as defining sites
or categories that can never be overridden. There is also a report providing full historical insight
into web override use.

Configuring Web protection on Sophos Firewall- 25

 Policy Overrides

Override code rules can be broad – allowing any traffic or whole categories – or more narrow –
allowing only individual sites or domains – and can also be limited by time and day. To avoid abuse,
codes can easily be changed or cancelled.

Configuring Web protection on Sophos Firewall- 26

 Policy Overrides

Codes can be shared with end users, who enter them directly into the block page to allow access
to a blocked site.

Configuring Web protection on Sophos Firewall- 27

 Simulation: Delegate Web Policy Overrides on Sophos Firewall
In this simulation you will enable
web policy overrides for Fred
Rogers. You will then create a web
policy override and use the access
code generated to allow John Smith
to access a site that is currently
blocked
LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html

In this simulation you will enable web policy overrides for Fred Rogers. You will then create a web
policy override and use the access code generated to allow John Smith to access a site that is
currently blocked.

[Additional Information]

https://training.sophos.com/fw/simulation/WebPolicyOverrides/1/start.html

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 28

 Exceptions

The exceptions found within the web protection in the Sophos Firewall can be used to bypass
certain security checks or actions for any sites that match criteria specified in the exception. There
are a few predefined exceptions already in Sophos Firewall and more can be created at the
administrator's discretion. It is important to note that exceptions apply to all web protection
policies no matter where they are applied in Sophos Firewall.

Configuring Web protection on Sophos Firewall- 29

 Exceptions

Exceptions can be matched on any combination of:

• URL patterns, which can be either simple strings or regular expressions.
• Website categories.
• Source IP addresses.
• And destination IP addresses.

Please note that many websites have multiple IP addresses, and all of them would need to be
listed. Where multiple matching criteria are used, then the traffic must match all the criteria to
match successfully. You can then select which checks the exception will bypass.

Configuring Web protection on Sophos Firewall- 30

 Chapter Review

Web policy rules can apply to specific users and groups, or anyone. They define the
activities or types of web traffic and have an action to allow, warn, apply quota or
block. A separate action can be applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It
provides an option to use the web proxy or the DPI engine. Some policy options can only
be enforced by the web proxy

Web policy overrides allow authorized users to override blocked sites on user devices,
temporarily allowing access

Here are the three main things you learned in this chapter.

Web policy rules can apply to specific users and groups, or anyone. They define the activities or
types of web traffic and have an action to allow, warn, apply quota or block. A separate action can
be applied to HTTPS traffic.

The web filtering policy is selected in the security features of the firewall rule. It provides an option
to use the web proxy or the DPI engine. Some policy options can only be enforced by the web
proxy.

Web policy overrides allow authorized users to override blocked sites on user devices, temporarily
allowing access.

Configuring Web protection on Sophos Firewall- 35

Configuring Web protection on Sophos Firewall- 36