Sophos XG is a powerful firewall platform that’s designed for business/enterprise use but also offers a Home version that has most of the same features with a few exceptions (i.e. sandstorm). While most of the default settings should suffice, here are some settings I change with a new install of Sophos XG for a fairly basic home network (no servers). This is based on Sophos XG V17-MR3.
Note: Anytime you change a setting, be sure to click ‘Apply’ on the very bottom of the web browser.
1. Browse to the ‘Administration’ page under ‘System’ and select the ‘Device Access’ tab. Uncheck ‘User Portal’ on the ‘WAN’ line in the ‘Local Services ACL’ section. This is enabled by default and allows users to access the User Portal page from outside your network by opening port 443.
2. Browse to the ‘Administration’ page under ‘System’ and select the ‘Time’ tab. Select ‘Use pre-defined NTP server’. This will keep the Sophos XG time up-to-date with a Network Time Protocol (NTP) server.
3. Browse to the ‘System Services’ page under ‘Configure’ and select the ‘Log Settings’ tab. Uncheck ‘Invalid Traffic’ in the ‘Firewall’ section under ‘Log Settings’. If you keep this enabled, you will see a significant number of entries in your Log Viewer with the message, “Could not associate packet to any connection”. More information is provided in this Sophos Knowledge Base Article.
4. Browse to the ‘System Services’ page under ‘Configure’ and select the ‘Traffic Shaping Settings’ tab. Set your ‘Total Available WAN Bandwidth’ to match your internet connection speeds. Note that these values are in KBps (KiloBytes per second) and not Kbps (Kilobits per second). Most internet speed tests show you results in Mbps (Megabits per second) but you can easily convert this to KBps using an online converter such as on Google (search for ‘Mbps to KBps’ on Google).
5. Browse to the ‘Advanced Threat’ page under ‘Protect’ and the first tab you’ll be on is the ‘Advanced Threat Protection’. Set the ‘Enable Advanced Threat Protection’ to ‘ON’. Set the ‘Policy’ to ‘Log and Drop’. According to the Sophos XG Knowledge Base, Advanced Threat Protection (ATP) “can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the traffic from those clients.”
6. Browse to the ‘Intrusion Prevention’ page under ‘Protect’ and select the ‘DoS & Spoof Protection’ tab. Scroll down to the ‘DoS Settings’ and enable ‘ARP Hardening’. With this enabled, an Address Resolution Protocol (ARP) reply is sent only if the destination IP is a local address and both the sender and destination IP addresses are in the same subnet. Basically, ARP replies will only be allowed within the same subnet.
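To make the ARP hardening rule concrete, here is an added Python model (not Sophos code) that compares the default behaviour with the hardened one on a few constructed ARP requests; the interface addresses and subnets are hypothetical.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the firewall's own interface addresses (hypothetical).
LOCAL_INTERFACES: Dict[str, ipaddress.IPv4Interface] = {
    "LAN":   ipaddress.ip_interface("192.168.1.1/24"),
    "Guest": ipaddress.ip_interface("192.168.2.1/24"),
}

def arp_reply_default(sender_ip: str, target_ip: str,
                      interfaces=LOCAL_INTERFACES) -> bool:
    """Without hardening: answer any ARP request for one of our own addresses,
    regardless of which subnet the requester claims to be on."""
    target = ipaddress.ip_address(target_ip)
    return any(iface.ip == target for iface in interfaces.values())

def arp_reply_hardened(sender_ip: str, target_ip: str,
                       interfaces=LOCAL_INTERFACES) -> Tuple[bool, str]:
    """Rule from step 6: reply only if the target IP is a local address AND the
    sender IP lies inside the same subnet as that local address."""
    sender = ipaddress.ip_address(sender_ip)
    target = ipaddress.ip_address(target_ip)
    for name, iface in interfaces.items():
        if iface.ip != target:
            continue
        if sender in iface.network:
            return True, f"{target} is local on {name}; {sender} is on that subnet"
        return False, f"{target} is local on {name}, but {sender} is off-subnet"
    return False, f"{target} is not a local address"

# Constructed ARP requests as (sender, target): "who-has target, tell sender".
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("192.168.1.50", "192.168.1.1"),   # LAN host asking for its own gateway
    ("192.168.2.5",  "192.168.1.1"),   # Guest-subnet sender asking for the LAN address
    ("192.168.1.50", "192.168.1.99"),  # request for a host that is not the firewall
    ("203.0.113.9",  "192.168.2.1"),   # off-subnet (TEST-NET) sender asking for Guest address
]

def compare(requests=SAMPLE_REQUESTS):
    """Return rows of (sender, target, default_reply, hardened_reply, reason)."""
    rows = []
    for sender, target in requests:
        hardened, reason = arp_reply_hardened(sender, target)
        rows.append((sender, target, arp_reply_default(sender, target), hardened, reason))
    return rows

if __name__ == "__main__":
    for sender, target, default, hardened, reason in compare():
        print(f"who-has {target} tell {sender}: default={default} hardened={hardened} ({reason})")
```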
7. Browse to the ‘Email’ page under ‘Protect’ and select the ‘General Settings’ tab. Click the ‘Switch to Legacy Mode’ button under ‘SMTP Deployment Mode’. I’m still trying to learn the difference between the two modes and the benefit of using one or the other if you’re not running an email server at home. The reason I switched to Legacy Mode is because I was unable to send any email when it was in MTA mode. Additionally, on this same page, scroll down to the ‘SMTP TLS Configuration’ and ‘POP and IMAP TLS Configuration’ sections and enable ‘Disable Legacy TLS protocols’ in both sections. As the description next to the option mentions, this is recommended to overcome TLS vulnerabilities by disabling protocols lower than TLS 1.1.
8. While you can use the DNS servers provided by your ISP, I prefer to use different DNS servers for better performance and increased privacy. You can use a tool such as namebench to determine which DNS servers will provide the best performance and some research to decide which DNS servers will suit your needs (Cloudflare, Google, OpenDNS, Quad9, etc.). Browse to the ‘Network’ page and select the ‘DNS’ tab. Under the IPv4 section, select ‘Static DNS’ and enter the DNS servers you prefer. Personally, I use Cloudflare’s DNS servers of ‘1.1.1.1’ (DNS 1) and ‘1.0.0.1’ (DNS 2), and Google’s DNS server of ‘8.8.8.8’ (DNS 3). You can leave the IPv6 fields blank but if you want to add the IPv6 addresses, they are ‘2606:4700:4700::1111’, ‘2606:4700:4700::1001’ and ‘2001:4860:4860::8888’ for Cloudflare (DNS 1 & 2) and Google (DNS 3). Leave the ‘DNS Query Configuration’ set to ‘Choose server based on incoming request type’.
Note: If you decide to use a separate DNS server such as Pi-hole, the Sophos XG DNS server is still being utilized by the pharming protection feature which is enabled by default (‘Web’ -> ‘General Settings’ -> ‘Advanced Settings’). I use Pi-hole as my DNS server but leave pharming protection enabled to help protect against domain name poisoning attacks.