
Sophos UTM Home Edition 4 – Definitions and Rules

July 30, 2015 By Ken Smith

UPDATE: Part 5 – SSL VPN is now available.

In the first and second posts in this series, we stepped through the installation of the Sophos UTM. Two weeks ago, we finished up the setup process. Now, we're going to start exploring the meat and potatoes of Sophos' free UTM solution. This week, I'm going to cover establishing definitions and rules.


Definitions

Definitions & Users Menu

It is possible to define a variety of objects within the UTM. In this post, we are going to focus on Network and Service Definitions. For convenience and ease of use, Sophos UTM comes with a myriad of pre-defined Network and Service objects, but you will inevitably want to add your own. The first step is to click on "Definitions & Users" from the vertical menu on the left-hand side of the Dashboard, as seen in the figure on the left.


The Definitions Overview screen provides totals for existing Network and Service definitions and gives a breakdown of the subcategories for both.

Definitions Overview


Network Definitions

Clicking on "Network Definitions" on the left-hand side will drop you onto a page which lists all Network definitions, including Networks, Hosts, DNS Hosts/Groups, and Groups. It is possible to search for specific definitions or filter out unwanted results using the drop-down menu and search box provided at the top of the screen. By default, the page only lists ten definitions at a time, but there is a separate drop-down box that can increase the number of results shown by factors of ten, up to "All."

Network Definitions
New Network Object

Clicking on the "+ New Network Definitions" button will open up a new frame in which parameters can be set for a new Network object. First, set a name for your new object. Use the "Type" drop-down box to select the subcategory under which your object will fall. In this case, we'll step through a "Host" object.

The various fields for a Host definition can be seen in the figure on the right. I find Hosts to be particularly useful. If you choose to use your Sophos UTM as a DHCP server, you will use Host objects to define static IP addresses for the various devices and systems on your network.

The IPv4 Address field is for establishing an IP address for your object; obviously, make sure it matches the addressing scheme of the network segment in which it will sit. Add a MAC address by pushing the '+' symbol. Be sure to include colons between the octets (and click "Apply" when you are finished). Feel free to add both wireless and wired MAC addresses for your object if your wired and wireless networks share the same IP range and you would like to assign one IP per object regardless of connection type.

If you would like to use DNS internally, set your Hostname appropriately (and check “Reverse DNS” if you so desire). I tend to use the Comment field to mark the physical location of the device (who doesn’t need a computer in the bathroom?).

Finally, under "Advanced," a specific Interface on the UTM can be set. For instance, if you have installed multiple NICs in your UTM and have separate networks for each, this might be a useful option for you.

Other Network definitions can be set in a similar fashion.

Service Definitions

Creating a new Service definition is slightly more straightforward, as there are no differences between the TCP, UDP, and TCP/UDP subcategories. Clicking on “Service Definitions” on the left-hand menu will place you on a page with a list of Service definitions similar to the Network Definitions overview page.

Service Definitions

There will be many pre-defined services, so always thoroughly check the list before creating a new service. It can be sorted and searched just as the Network definition list can. Additionally, there are Groups of services on the list (represented by a network folder icon, as seen for "File Transfer" in the figure above). These are particularly useful when creating Firewall Rules (see the next section).

New Service Definition

To create a new Service object, click on the "+ New Service Definition" button above the list. A new frame will expand on the left. Fill in the categories as you wish. Make sure that you name the service appropriately so that you do not forget what it was for at a later time. I have been guilty of this myself and ended up with two or three of the same services defined differently. The comment field can also be helpful in this regard, particularly if multiple services make use of the same ports (i.e., FaceTime and the PSN have some commonalities which I occasionally mark in the Comment field).

Once all of your definitions are in place, you can move on to creating a Firewall Rule to accommodate them.


Firewall Rules

Network Protection

One of the most appealing and useful features of the Sophos UTM is its firewall functionality. To access the firewall setup, click on "Network Protection" on the left-hand side of the Dashboard. You will be presented with an Overview screen that summarizes the most dropped packets and destinations for the day.


Network Protection Overview

To access the list of current firewall rules (in a manner similar to the Network and Service definition sections), click on “Firewall” under “Network Protection” on the left. The rules can be sorted and filtered using the techniques discussed in the previous sections.

Firewall Rules List
New Firewall Rule

The process of adding a rule is very straightforward. Following the pattern established earlier, click on the "+ New Rule" button. There are really only three main parts to a firewall rule: source, service, and destination. While it is possible to create new objects for each of these items on the fly by clicking the '+' button, if you click the folder icon instead, a list of previously-created objects will appear on the left-hand side of the screen. Simply drag and drop your desired objects into place.

For instance, if you want to be able to reach a specific FTP server internally from another internal workstation (and only that host), drop the Host object of the FTP server in the Destination box, the FTP service in the Services box, and your workstation Host in the Sources box.
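As an added example (not from the post and not Sophos' own code), here is a small Python model of the objects above: a Host check for the two pitfalls called out earlier (an IP outside its segment, a MAC without colons) and first-match evaluation of the FTP rule just described. The class names, addresses, MACs and port are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed model of the post's UTM objects; names are illustrative, not Sophos' API.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # colons between octets
@dataclass
class Host:
    name: str
    ipv4: str
    macs: list  # wired/wireless MAC addresses attached with the '+' button
@dataclass
class Service:
    name: str
    proto: str      # "tcp", "udp" or "tcp/udp"
    dst_ports: set  # destination ports the definition covers
@dataclass
class Rule:
    sources: list       # Host objects dropped into Sources
    services: list      # Service objects dropped into Services
    destinations: list  # Host objects dropped into Destination
    action: str = "allow"

def validate_host(host, segment):
    """Problems a Host definition would cause on the given segment; [] if clean."""
    problems = []
    if ipaddress.ip_address(host.ipv4) not in ipaddress.ip_network(segment):
        problems.append(f"{host.ipv4} is outside {segment}")
    for mac in host.macs:
        if not MAC_RE.match(mac):
            problems.append(f"MAC {mac!r} needs colon-separated octets")
    return problems

def service_matches(svc, proto, dport):
    return svc.proto in (proto, "tcp/udp") and dport in svc.dst_ports

def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins; traffic no rule allows hits the implicit drop."""
    for rule in rules:
        if (any(h.ipv4 == src_ip for h in rule.sources)
                and any(h.ipv4 == dst_ip for h in rule.destinations)
                and any(service_matches(s, proto, dport) for s in rule.services)):
            return rule.action
    return "drop"

# Constructed objects for the post's FTP example: only the workstation reaches the server.
WORKSTATION = Host("workstation", "192.168.1.20", ["aa:bb:cc:dd:ee:01"])
FTP_SERVER = Host("ftp-server", "192.168.1.10", [])
FTP = Service("FTP", "tcp", {21})
RULES = [Rule([WORKSTATION], [FTP], [FTP_SERVER])]
```

Any other host, or any other service to the same server, falls through to the implicit drop, which is the behaviour the single rule is meant to produce.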

Rules can be grouped together for convenience, which I highly recommend.


Next Time

The next Sophos UTM Home Edition post will cover the setup for an SSL VPN. Super easy, super useful.
