Sophos XG v18: How to configure Web Server Protection on Sophos XG version 18


The article instructs the configuration of the Web Server Protection feature on the Sophos XG firewall device with the latest version currently at version 18. With Web Server Protection, Sophos will stand by and communicate directly with the client outside the Internet instead. Web server as when NAT. This helps to protect the Web server from outside attacks


How to configure

  • Log in to Sophos XG device by Admin account
  • Go to SYSTEM -> Choose Hosts and services -> In IP Host -> Create 1 host web server with the IP
  • Go to PROTECT -> Choose Web Server -> In Web servers -> Click Add
  • Enter name for Web server
  • In Host: Choose web server host which was created before
  • In Type: Choose Plaintext (HTTP) if your web do not have SSL certificate, choose Encrypted (HTTPS) if your web have SSL certificate
  • In Port: Choose port follow type you choose
  • In Keep aliveEnable it
  • In Timeout: Keep default

-> Click Save

  • Go to SYSTEM -> Choose Certificates -> In Certificates -> Click Add -> Here we will upload certificates of the web server you are using (if your web server uses SSL certificates)
  • Go to PROTECT -> Choose Rules and policies -> In Firewall rules -> Click Add firewall rule -> Choose New firewall rule
  • Enter name for rule
  • In Rule position: Choose Top
  • In Rule group: Choose None
  • In Action: Choose Protect with web server protection
  • In Preconfigured template: Choose None
  • In Hosted address: Choose port which you want public web server
  • Choose HTTPS if web server uses SSL certificate
  • Choose Redirect HTTP if you want to convert HTTP requests to HTTPS
  • Choose HTTPS certificate if web server uses SSL certificate and choose certificate which was uploaded before
  • In Domains: Keep default
  • In Protected servers: Choose web server which was created before
  • In Access permission: Keep default
  • In Protection: Choose functions which you want to protect your web server
  • In Intrusion prevention: Choose WAN to LAN
  • In Traffic shaping: Choose None or the quota to limit the bandwidth to access the web server
  • Choose Pass host header if you want to keep the same request from client to web server
  • Choose Rewrite HTML if the web server’s public domain name is not the same as the web server’s local domain name
  • Choose Disable compression support if you want the traffic to be uncompressed when accessing the web server

Be the first to comment

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.