Sophos XG v17: How to configure Web Server Protection to protect your web server

Overview

This article shows how to configure the Web Server Protection feature on the Sophos XG firewall to protect a web server comprehensively. Sophos XG acts as an intermediary in front of the web server: when the server is published through NAT, the firewall receives the requests in place of the web server, which leaves the web server less exposed to outside attacks.

Diagram

How to configure

  • Log in to Sophos XG with the Admin account
  • Go to SYSTEM -> Choose Hosts and services -> In IP Host -> Create a host for the web server with its IP address
  • Go to PROTECT -> Choose Web Server -> In Web servers -> Click Add
  • Enter a name for the web server
  • In Host: Choose the web server host created earlier
  • In Type: Choose Plaintext (HTTP) if your website does not have an SSL certificate; choose Encrypted (HTTPS) if it does
  • In Port: Choose the port that matches the type you chose
  • In Keep alive: Enable it
  • In Timeout: Keep default

-> Click Save

  • Go to SYSTEM -> Choose Certificates -> In Certificates -> Click Add -> Upload the certificate of the web server you are using (if your web server uses an SSL certificate)
  • Go to SYSTEM -> Choose Firewall -> Click Add firewall rule -> Choose Business application rule
  • Enter a name for the rule
  • In Hosted address: Choose the WAN port on which you want to publish the website
  • Choose HTTPS if your web server uses an SSL certificate
  • Choose Redirect HTTP if you want users who access the site over HTTP to be switched to HTTPS automatically
  • In Listening port: Choose the port that matches the web server you chose before
  • In HTTPS certificate: Choose the web server certificate uploaded before
  • In Domain: Keep default
  • In Protected server(s): Choose the web server created before
  • In Access permission: Keep default
  • In Protection: Select the protection method that you want to use to protect your web server
  • In Intrusion prevention: Choose WAN to LAN to protect the web server
  • In Traffic shaping: Set quotas for traffic from the internet to the web server if you want
  • Choose Pass host header if you want the client's request to reach the web server with its original host header
  • Choose Rewrite HTML if the web server’s public domain name is not the same as the web server’s local domain name
  • Choose Disable compression support if you want the traffic to be uncompressed when accessing the web server
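
Once the rule is saved, the Redirect HTTP choice can be checked from outside the firewall. The script below is an added example, not part of the original article or of any Sophos tooling: it sends one plain-HTTP request to the WAN address and reports whether the reply redirects to HTTPS on the published hostname. The function names, the hostname `www.example.test`, plain HTTP on port 80 and the expectation that the redirect stays on the published host are assumptions made for the example.

```python
import http.client
import sys
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def evaluate_redirect(status, location, hostname):
    """Judge one plain-HTTP reply; return a list of findings (empty means OK)."""
    target = urlsplit(location or "")
    findings = []
    if status not in REDIRECT_CODES:
        findings.append(f"status {status} is not a redirect; content is served over HTTP")
    elif target.scheme != "https":
        # Also catches relative targets such as "/login", which stay on HTTP.
        findings.append(f"redirect target {location!r} is not HTTPS")
    elif (target.hostname or "").lower() != hostname.lower():
        # Assumption of this example: the redirect should keep the published host.
        findings.append(f"redirect leaves the published host: {target.hostname!r}")
    return findings

def fetch_plain_http(address, hostname, port=80, path="/", timeout=5):
    """Send one GET over plain HTTP to the WAN address with the published Host header."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def check_redirect(address, hostname, port=80):
    """Fetch a live reply and evaluate it."""
    status, location = fetch_plain_http(address, hostname, port)
    return evaluate_redirect(status, location, hostname)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py <WAN address> <published hostname>
        problems = check_redirect(sys.argv[1], sys.argv[2])
    else:
        # No arguments: judge a constructed reply (HTTP 200, no Location header).
        problems = evaluate_redirect(200, None, "www.example.test")
    print("\n".join(problems) if problems else "HTTP is redirected to HTTPS")
```

Run it from a host outside the WAN interface, since a request from the LAN side may not pass through the business application rule.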
