Video: Delta Technical Certifications - Sophos Firewall | Duration: 6832s | Summary: Delta Technical Certifications - Sophos Firewall | Chapters: Welcome and Introduction (12.745s), Active Threat Response (102.925s), Firewall Threat Feeds (1078.135s), VPN Portal Updates (1150.51s), Azure AD Authentication (1737.56s), Management Feature Updates (2256.8s), Network and Routing Updates (2928.7202s), Let's Encrypt Certificates (3757.055s), DNS Protection Overview (3979.105s), ZTNA Implementation Overview (4401.075s), Hardware Firewall Updates (5196.0947s), IPv6 Proxy Configuration (5442.595s), Web Application Firewall Enhancements (5576.715s), Custom Cipher Configuration (5814.6997s), Backup and Restore Enhancements (5993.06s), Security Enhancements Overview (6149.31s), Training Quiz Link (6477.415s), Concluding Remarks (6645.965s)
Transcript for "Delta Technical Certifications - Sophos Firewall": Good morning, everybody. Thank you for joining us. It's just ten to 10:00, and we are about to start the Sophos Firewall version 19.5 to version 21 engineer and architect delta training. During this training, we are going to go through quite a lot of slides. We will be going through them at quite a speed, but don't worry: they are in the docs section. If you click on there, you can download the template. And after the session is finished, there'll be a recording available. There'll be a link to the exam piece where you'll be able to go through and submit the answers. Once you've successfully completed that, you will be eligible for any of the updates on qualifications you already have. It won't give any new qualifications, but it will update those ones that you already possess. Okay. Let me move through. There we go. We've talked about that slide. These are the rough sections that we're going to cover and roughly the timings that it's expected we will take on each of those areas. Joining me this morning is Dale Cullum, who is going to be answering any questions that you might have in the chat or the Q&A. Please pop them in there, and we'll do our best to get to them. If we can't get to them today, we will come back to you and let you know what's going on. The first area we're going to cover is Active Threat Response. Active Threat Response builds on the SophosLabs protection that you might be familiar with within the firewall. What it does is it brings the ability for the MDR team to actually send responses back to your firewall, and not just to your firewall, but to your switch, your access point, and your endpoint as well. So, should there be any detections that require the use of a firewall block, the MDR team can push those back in automatically.
On the firewall, you'll see that Active Threat Response has replaced Advanced Threat Protection in the left-hand menu. More details on that are in the Delta training courses for those. Or, again, look on the web, and you'll be able to find out more about that. You'll see that the Active Threat Response page now covers both the MDR active threat response (we do need an MDR license for that to happen) and the previous Advanced Threat Protection. The advanced threat response from SophosLabs is also controlled in the same place. So there you go. The Labs protection was Advanced Threat Protection. It's now called Sophos X-Ops threat feeds. It comes from the SophosLabs data and is not specific to you necessarily as a user, but might be across all platforms. You can see there you can switch that on and off, and you have the option to do logging or logging and dropping. Obviously, log and drop is more secure, and changes to that no longer require restarts of services to make that happen. The MDR threat feeds, as I mentioned, come direct from the MDR team and are unique to your site. They are real-time intelligence based on the telemetry that you send to the data lake and on any third-party integrations that you might have. So, for example, if you have third-party firewall, mail protection, or productivity protections in there, they will go in. Very similar to the X-Ops threat feeds, as they're now called, you can log or log and drop, and then there's a link there to go and have a look at the logging settings, to see what's going to be recorded for those. You can also create exclusions for the MDR threat feed. So if there are machines where you absolutely do not want to apply those exclusions to, perhaps servers, things like that, you can pop them in there. You can do those based on IP address, domain name, things like that. You can do full networks if you want.
To be able to use the MDR threat feeds, you need to have MDR on your estate. You need to have an active Xstream Protection bundle. You must be running firewall version 20. It must be registered to Sophos Central, and you must have Central reporting enabled. You have to buy Xstream as a bundle. You cannot buy it à la carte and just bolt on the bits you need. It will not work if you do that. You can also use NDR to provide additional telemetry that will feed in there, and Intercept X and Synchronized Security need to be enabled on the firewall to provide lateral movement protection. So that will stop things moving across the network as well, based on what comes down from that MDR active threat feed. So this is an extensible framework, and not only can we take data in from our own MDR platform, but from version 21 we can also now start to build in third-party threat feeds. You can apply as many as you want based on the amount of memory and storage that are available on your firewall. That varies between models. If a firewall identifies a device communicating with something that's in one of those third-party threat feeds, it can again do all the different things you would expect based on the behaviors that we can set. So we can choose to block or just log that traffic. We can assign red heartbeats to endpoints that are communicating with compromised devices. We can inform all the devices on the network that there is a compromised host, not to talk to it, to prevent lateral movement. And that blocking of traffic at the firewall level does not just apply to Sophos-managed devices. It applies to unmanaged devices as well. So Raspberry Pis, TVs, things like that. I had my TV blocked by one of these requests over Christmas. It was talking to a website for TV listings that was compromised, and it was actually blocked out. So that's that one. Why might you want to do this? So, the ability to block those URLs, domains, and IPs.
Customers might want to bring in third-party intelligence feeds, perhaps from an insurance provider or an external source such as a national cyber security centre, and they can bring them in from wherever to apply them for whatever reason they need. We're going to run through a couple of those here. It might be that they have threat intelligence coming from industry-specific sources: banks, health care providers, perhaps from NHS lists. Perhaps they're provided with those. They don't want to get penalized by their cyber insurer for not having those in place, whatever it is, so they can feed those in. Some customers have intelligence generated by different third-party platforms that will generate endpoint data that says that there's a compromise, and you might want to feed that in, particularly for specialist things like Internet of Things, CNC, SCADA systems perhaps, where you wouldn't typically have Sophos on. You might have some intelligence from the manufacturer of those systems to block those. You might already have some form of threat intelligence that you get, and this allows you to build on that, bringing it further into what you're doing to look after your security. You might have your own list of things that you want to block. Schools typically will have access to lists of URLs that they want to block for safeguarding purposes, and this might be a good way of getting those into the firewall without having to enter them manually. A lot of the things that are going to be in there perhaps will already be blocked by X-Ops, will already be blocked by our web filtering controls, but this does allow you to reassure customers that, you know, we've got our list of things here. We know they're definitely blocked. So most of the threat indicators are identified via X-Ops. As we talked about, this is where you can add those third-party threat feeds. So you can see at the top, you give it a name.
You can choose whether you're going to log or drop. So Block is log and drop. Monitor is just log. Where does this threat feed sit in your list of third-party threat feeds? Is it at the top? Is it at the bottom? What type of data is in this list? Is it IPv4? Is it domains? Is it URLs? Where are we going to download it from? Do we need some form of authorization to download that list, and how often are we going to refresh it? You can then check that the connection works, save that, and pop it into your firewall. As you can see here, lots of threat feeds will need some form of authentication. You will need to choose what type of authentication you are going to use. You've got basic. You've got digest. You've got various different sorts that you can use in there, and you will then be able to pop the details in as required and do server certificate validation as required if that's part of the authentication mechanism. You can see here, this is what it looks like once you've started to add your third-party threat feeds. We have got, in this example, two active feeds, and this is what we're ingesting from those feeds. You can see there how much of our storage quota we've used in setting up those third-party threat feeds. Bear in mind that the use of threat feeds is included on your reports drive, so it does increase the speed with which you're going to fill that drive up. You can also search through the third-party threat feeds. So if you are looking for a particular site and you want to see why it's being blocked, you can go into your active threat feeds, go into your third-party threat feeds, and you can do a little search to see if it's on any of those threat feeds and what's blocking it, much as you would if you're doing a policy test on a normal firewall rule. So the detection precedence: we start off with the MDR threat feeds.
They are the most important, and they are the most specific to you as a user. We then move to the Sophos threat feeds, but only if this is set to log only. If this is set to log and drop, we don't drop down. Sophos threat feeds we will go through next. They are slightly less specific. They are more for all Sophos customers rather than just you. And then finally, if that is set to log only, we'll drop on to the third-party threat feeds, and we will do those, which are likely to be the least specific indicators of compromise that you've put into your firewall. This is on the main Control Center. As you log in to your firewall, it does tend to give you lots of information about what's happening. When I'm doing health checks, I find it's a really good place to start. Within there, you will see that we have the Active Threat Response information. You can see if you've got any active blocks. You can see where they're coming from, and you can see what they are in there. So you can have a little look and see how much traffic is hitting those blocks, if anything. You can then click on that, and it'll take you through, and you can see which machines are hitting that information. You'll see on this screen here, you've probably seen it before under Advanced Threat Protection, as it used to be called. It's now called Active Threat Response in here as well, and you can see the IP address, the threat feed, and the type of threat that we've specifically seen. In the logs and reports, you'll see the IP address and what is blocking it. You'll see the domain and the traffic, whether it's being forwarded, whether it's being blocked. You'll see whether domain names and headers have been blocked. And, finally, you'll see the legacy HTTPS set there as well. Going into your reports, you'll see in your Active Threat Response report, you get some nice graphs here to show you what has been hit.
These are all very clickable. You can click on any of the names. You can click on the IP addresses, and it will drill down into those to give you that little bit more detail. Do remember when you're in reports that you can click on any of these. You can set up a report, and you can then schedule it to be emailed out to you on a regular basis, whether that's hourly, daily, or weekly. This is the bottom of the reports page. So you can see the trends. You can see the destinations for those reports. And, again, you can click on any of those to drill in. Once you've clicked into one of these, you'll see that you start to get a little bit more information. This is one once you've clicked on it: we've got more IP addresses. We've got more usernames, things like that, and even the executables that have caused that particular dial out to whatever it is that we've happened to have blocked. So, in the log viewer, you'll see that we now have an Active Threat Response filter. You can have a look in there. You can see dates, times, IP addresses. This will be happening live. So if you've got something going on here and now, you'll be able to watch it going through. And we've also got in here DNS Protection indicators as well. So should something be blocked from a DNS feed, then you'll see that in there as well. Also, within the logs, you will see in the admin log when we add new indicators of compromise. And then you can actually drill into a little bit more detail in the admin log of where that IOC has come from, whether that's come from ourselves or from other third-party threat feeds. Okay. When you are thinking about your third-party threat feeds, a couple of things to remember. Putting more IOCs in, putting more data in, does not necessarily enhance security.
If you are doubling up on threat feeds, for example if you're getting the same data from a couple of places, that's increasing the overheads on your firewall without really increasing your protection. So just be mindful of where your third-party feeds come from. Also, be mindful of how often they're updated. We update ours very regularly. I can't speak for other people as to how often they update their feeds. These are a selection of feeds that we have tested. We know they work. There are many others out there. I'm sure you'll have your own particular favorites. I encourage you to have a play with them, try them, test them, and feel free to share them with myself if you've tested something that's worked well for you. I mentioned earlier that there is a limit to how many of these you can have. This table, which is in the documentation pack, will show you, for each firewall or virtual appliance, the size of its memory and how many of each type of IOC we can store. Again, it has up to 50 different threat feeds, and the number of indicators of compromise we're going to take will fit into this amount of memory. There is a little bit of approximation there, but not too bad. Okay. That was designed to take twenty minutes, and there we go. It's just turned ten twenty. We're doing very well. Dale, anything in Q&A I need to be aware of, pal? Silent. Okay. Fabulous. We're going to talk about VPN now. So in version 20, we moved from having the VPN portal being part of the user portal to being a completely separate, secure portal. It's containerized and is now on port 443. We'll talk a little bit more about that as we go through the next slide. So as you can see, in version 20, the VPN portal has moved to 443 on its own. It does share that with WAF if you're using the web application firewall, and it does share that with the SSL VPN transport stream as well.
In version 20, the user portal, which was on 443, has moved to 4443 by default. So the client download, the clientless bookmarks if you're doing clientless VPN, the one-time tokens: they're all now in the VPN portal, not in the user portal. Just be aware of those if you're looking for them. The VPN portal is live in the WAN zone as well by default so that people can access it from outside your network, and just be aware that that is live there. The user portal isn't. So as I mentioned, the current user portal port, which is 443, is now given to VPN. The user portal will be configured on 4443 by default. In cases where there is already something on that port, we'll move to 65009. If your user portal was set up to be in a DMZ or in a different zone, if you created your own zones, we will copy those settings across to the VPN portal. And the MFA and the authentication settings, so if you've got it set to authenticate on AD, you've got it set to authenticate on RADIUS, anything like that, those settings will be applied to the new VPN portal as well as the user portal when it's moved. Okay. In the firewall console, once you go to Administration, go to Device access, Admin and user settings, you'll see there the user portal and the VPN portal. Again, you can change those. Lots of debate about whether it's best to change those or leave those where they are. I tend to just leave them where they are, but it's entirely up to yourselves. As you can see, that's what it looks like. Now you've got the extra column in there for the VPN portal against the user portal. By default, we will copy everything that's in the user portal to the VPN portal. We will also add one if that's not there, and then you can come in and change this as you want to do so. Okay. The VPN portal also appears on the MFA settings if you want to be able to change that individually compared to the user portal.
And, again, you'll see that you've got VPN authentication methods on the access methods, so that you can choose to enable or disable that differently to the user portal should you wish to. We have also improved the IPsec failover between pairs of firewalls now so that you can start to know that those connections are going to fail over rather than drop and reconnect. So that just makes connections a little bit more stable. I've certainly noticed that working on my SD-WAN setup. You can see in here, we also now have fully qualified domain name host support for SSL VPN. In the past, you had to use IP addresses. With the latest version, from version 20, you can start to put FQDN hosts in. You can put group objects in there as well to be allowed to connect into your SSL VPN. Just makes life a little bit easier for people to be able to manage that. The way that works, the firewall will resolve that name. It'll turn it into an IP address that is pushed out to the client. Those addresses are not re-resolved until the client reconnects. If it cannot resolve an FQDN, the connection might not always work properly. It may not connect. It may connect but not pass traffic as you expect because it's failed to resolve something. We've improved SNMP monitoring of VPN tunnels. So we can now send that off to SNMP servers for you to look at, things like Libra or Zabbix, whatever it happens to be that you're using to do your monitoring. We can now send that back, and you'll see that there's an updated MIB available under the Administration page there to be able to send that back. If you do have SNMP in place, you will need to download that MIB to get the additional monitoring capabilities. Wildcard remote gateways for route-based VPNs. So this is one that we have implemented in version 20. Previously, you had to have a fixed IP address in there. We can now put a star in there. You'll see that is a wildcard remote gateway.
You will need those IP addresses to be able to resolve in DNS when you're doing this, but it does mean that if you have a device that changes IP address frequently, it's on a dynamic IP address for some reason, you can actually still get it to connect in. So perhaps if people are connecting via 5G modems, things like that, back to a head office, this just makes life a little bit easier for them. Moving on to IKEv2, this now supports unique pre-shared keys. I know some customers in the past have had problems where they've had a single PSK that has been copied and pasted into multiple connections. When they've done that, they may paste it into one wrong and bring down all the other connections. IKEv2 now supports unique pre-shared keys. So, again, you need the local and remote ID, but it does allow you to have the ability to change that key between connections. So mistyping one connection won't bring down all of your connections as it did in the past. We have also updated the Diffie-Hellman groups that we support. We've added some additional ones in there for you, which just gives you a little bit more flexibility, a little bit more interoperability with other firewalls should you need it. So IPsec VPN: this is to do with how we handle connections to FQDNs and routing to those. This is set in the console. You can't set this through the web interface, and it will allow you to just optimize that process of getting data through to those remote gateways. IPsec VPN failover groups. We've talked a little bit about how we've improved that failover. We've also done some work on failing over to different connections within groups. So what you have now, failover groups will try five times to go back to the primary connection. If that doesn't work, they will then fail over to the secondary connection.
So it's trying to bring that primary connection back if it can, rather than just going straight to the backup connection. Again, further information on this is available. It's on the website. It's in the document section if you want to download that engineer manual from there. Okay. The next section is on authentication. We are working on improving our Azure AD single sign-on for users. So that currently works for user authentication on the captive portal. We can now import groups from Azure AD, and we can do automatic role updates should you migrate a user from being a user to being an admin. It now just needs a single connection to Azure AD. In your Azure AD, i.e. Entra ID, you will need to create a registration with the application permissions that it will need. You can see there Group.Read.All, User.Read, User.Read.All. It will guide you through all of this. As you do it, there is a little wizard that will take you through all of that, set up all those permissions, copy your firewall names into the application, and you will then be able to authenticate using your Azure AD. One thing to note is that the timeout on that is based on the timeout of the Azure sign-ons rather than anything that's configured on the firewall. That is something that we are looking at, and we shall see how it goes in later versions of the firewall. So you can see here, we've got role mappings for users which are coming from AD. You will specify in Azure AD a value against different groups, different users, and you can then map those against different profiles on the firewall for them to be able to log in. We can also import groups from Azure AD, as you used to do from on-prem AD. This will allow you to bring the groups in.
And then, again, once you've brought the group in, you can start to map them against different things here, and you can then add them into your firewall so that as people authenticate using their Azure credentials, you can set the policies. You can set quotas. You can set traffic shaping, whatever it happens to be, web filter policies based on their Azure AD group membership. Sorry, Entra ID group membership. I will get that right one of these days. Oh, dear. Right. Enabling that, we go into Authentication. We go into Services. You'll see in there firewall authentication. You've got a little tick box for Azure AD, Entra ID, whatever you call it. And you can just pop that in there, and it will then apply to the firewall. You can then pop it in for captive portal and other things as you want. There are some rules you will need to have in place for this to work because, obviously, if you have a user that doesn't have Internet access, they will find it very, very difficult to be able to authenticate to Entra ID. The domains that you need are on that link there. And what we suggest is that you create a LAN to WAN rule for those domain names on HTTP and HTTPS traffic so that all of that traffic is allowed out to the Internet for users to be able to authenticate. And then once they've authenticated, they will drop on to another firewall rule to be able to continue browsing and actually have that browsing logged against their username or filtering applied against their user group. Azure authentication tokens are valid for seven days, as I mentioned. The ability to change that is set within Azure itself, and it's not a function that Sophos has any control over. Because that token is valid for seven days, your users must log out of the firewall or they must log out of the captive portal. Otherwise, all traffic will be logged against their username. Even if they log out of this computer and log back in, that token is still valid.
They'll still remain logged in. And even if they log out and a different user logs in, that token may still remain valid. If you're doing things like fast user switching, or things like that, you may find that traffic gets logged against the wrong person because there's a token in place. Automatic role promotion on the firewall. So when the user first logs in, they will get a user created on the firewall, as currently happens with on-prem AD. Same process. When they next log in, if you've changed permissions, they'll be promoted to that point. But do be aware that if you then remove that permission from them in Azure AD, that permission change is not communicated back to the firewall. You will need to manually remove them. In your authentication logs, you will see the Azure AD SSO method in here, and you will actually be able to see the username who's logged in and when they've logged in. You will see when they're using the captive portal that it refers to web client, because that's the captive portal that you're going to see in there. And that will let you know that they've logged in. It's seven days from the time they log in. Okay? Just remember that bit. Google Workspace authentication is something that we've also been working on. We have had in the past a couple of little trials with various customers, but now you can see that we've actually started to implement this officially via LDAP. We also do Chromebook single sign-on via LDAP authentication. And the way this works is you will need to configure an LDAP client in your Google Workspace admin console, download the certificate, and create some credentials, upload that certificate to the firewall, configure the credentials, configure the LDAP server, and then you will be able to choose the LDAP service in the authentication services. We see this quite a lot in education. This is what you will see in your Google Workspace authentication manager.
So, into Apps, into Directory. You create the object. You create a certificate, and you create a username. So there we go. Come back to your firewall. Install that certificate. One thing to be aware of is that Google creates their own certificates. They are not signed by a third-party trusted root, so you will not see them as a trusted certificate. That is normal behavior. That is expected behavior, and don't worry if that's what you're seeing. It doesn't affect the process that we're going to go through. You can then add that as an LDAP server when you're adding an authentication service. It does require that you set it to version 3. It does require the credentials that you've created in Google admin. Deselect append base DN because the user will have to specify that for themselves. And when you're looking at the client certificate, just pick that certificate that you uploaded. Even though it's self-signed, it's absolutely fine. There we go. Once you've done that, you can pop Google Workspace authentication into your authentication services list. You can see here we've got LDAP test, and you are then able to log in using that set of credentials into the user portal, into the captive portal, into various different things. Okay. So that was another ten minutes, and we're running reasonably well on time, I think. So next is management features, and we're scheduled for fifteen minutes on this one. So let's see if we can keep the timing. The admin console has had a bit of a refresh. You'll see it's got some updated colors like this. We've got some updates on the drop-down menus. You'll see that they've been refreshed. You'll see that this style of menu has been refreshed, and you'll see the buttons have been refreshed as well. So things have taken a little bit of a refresh in there. The Control Center between version 20 and version 21 has been revamped. You will notice that in version 21, it's a bit wider.
It's got another section on the edge there, which we talked about earlier. That's the new Active Threat Response panel there. You'll also see that it now starts to resize itself depending upon your browser size. So whereas in the past it was a fixed size, it was never changing, it now will start to change, within certain parameters, with the size of your web browser. Just makes it look a little bit nicer, a little bit more modern. Of all the useful things that have gone into the web interface, you will see now that you can actually switch interfaces on and off, which is really nice because it means that you can switch something off and see what happens without losing all of the config, which is what you had to do previously. So what we've got there, click on the little three bars. You've got a port on/off switch. That will just allow you to disable the port. Do be careful not to disable the port that you're managing the firewall from. I've managed not to do that yet, but there's always time, isn't there? You will be able to see there in the Control Center when you go into the connection interfaces tab. If you've got a port switched off, you'll see there that it does now say turned off rather than disconnected or disabled. Ports you can switch on and off: you can switch on and off any physical ports, any VLANs. You can switch off LAG groups. You can switch off bridge groups. You can't switch off individual members of a LAG or a bridge. You can't switch off aliases. You can switch off the wireless LAN. You cannot switch off tunnel interfaces. You can switch off RED devices. So you can switch off an individual RED device just to test something. You can switch off an individual Wi-Fi network just to test things as well. So that's enabling and disabling interfaces. SD-WAN routes. SD-WAN routes, you can set positions now at the top or the bottom when you're creating those routes.
I tend to create them at the top so that I know the route is going to be taken. Otherwise, you run the risk of the rule that you've just created being missed because it hits another rule first. So do bear in mind when you're creating those routes where you're going to put them. Also, when you're adding SD-WAN routes, we've now added more options to move them to a position rather than having to try and drag them up and down. You can clone. You can do the add above, add below as well. Just a minute. Life will be easy when you're adding those SD-WAN routes, trying to pop a couple of them in. There are some improvements in the web console. So you'll see now that we've got the activate/deactivate button, which will allow you to just tick the connection, hit activate, tick the connection, hit deactivate, rather than having to click on individual circles. So you can do multiple connections in one go as well if you wish. Once we've done that, you'll see now that there are the options to click on things with a little pencil. That'll take you to edit that host. It saves you having to dive in and out of things to try and work out what's going on. Also in there, you'll see the XFRM tunnels. You'll see in here, I'm not quite sure what we're talking about in this one at the moment, XFRM tunnels. So, yeah, it's bringing them out in a separate interface view. So it just brings them out so you can see them a bit better rather than trying to hide them away underneath VPN. Also in here, static route management improvements. You can now switch on static routes and switch them off temporarily, which allows you to test routes and test failovers quite quickly from the firewall if you're doing things like that. You also have the ability to clone routes. You also have the ability to give them a description, something that a lot of customers have asked for over time.
It's something that you used to have on UTM, the ability to give a route a descriptive name. Quick mouthful of coffee. You also have ECMP support on there as well now. So, you can see here, you can create different types of routes. You can choose which interface it's going to go out of. So this one, we're sending it out of the blackhole route, rather than sending it out over a route somewhere else.

Object reference lookup is a lovely little field that we've started adding now. So when you're in your hosts and services and you have an object in there, you'll see it has a usage count. These are calculated overnight. It will do them once a day. If you want to refresh it, just click the little two arrows there, and it will refresh. It will count what something's used on. What you can then do is you can click on that number, and it will show you all the places that that particular object is being used. You can then click on the object and open the object configuration. You can see this one's got a slightly different little icon next to it; that will take you to the configuration page for that particular rule. So it just allows you to jump between things a little bit easier and work out, you know, where something is and what it's being used for before you start deleting it. We've also got that on interfaces, zones, gateways, and SD-WAN profiles. So you can start to see, very, very easily, where that particular thing is being used in the firewall. You can count that up and again click on it very easily, and it will show you straight away. Excuse me. Because of that now, we're able to say, actually, yeah, if you want to delete this object, it is being used in other places; don't delete it because it's gonna cause all kinds of havoc. So you'll see now you get a warning before you actually try and delete something like that.
If you do then go on to delete it, any dependent configurations will be deleted. So just be aware of that as well. Object usage: we've added that into the firewall. We've also added an XML API setting to go with that. So if any of you are managing firewalls using APIs, just be aware that we've updated the APIs as we've gone along. We've started to add these things in. So you see you've got some network objects. We've got some service objects here. Again, all of that is in the training materials if you want to download them.

If you've been wondering how to use the API, today is your lucky day. You can see there some instructions on how to set up an XML request, because what you need to do initially is do that first request in such a way that, you know, you send a username and password. You do need to switch this on in the console. You then send it a request, and you'll see there at the bottom we're sending a request with this query attached to it: here's our username and password, here's what statistics we want to get. The firewall will then return to us a little XML page like this. If you've got a preferred XML viewer, you can download it, copy and paste it, stick it in there, and you'll get that usage data. This is just one of many, many things that you can pull down via the XML APIs.

Filter policies is another one. If you're dealing with schools, and the policy I have to talk about, school's loss, and you want to do some sort of monitoring of filter policies, things like that, you can use the API to download it, hand it off to somebody and say, go review that, without giving access to the firewall. The API does support filtering. So you can choose to just pick up particular connections, just pick up particular policies. You have three options: like, equals, and not equals are the choices you have.
And this is where having a standard naming scheme for firewall rules, web policies, things like that, really comes in useful when you're gonna be bringing those connections out and doing that filtering policy on them. What's this one? Yes. So what you'll see here, this is filtering on a criteria of "like". If you remember the full list we saw earlier, this has fetched it down to just the New York connections because we've filtered on like "New York". So there we go. That's object usage and XML API support.

We're a little bit early. So, Dale, how are we doing in the question and answers? Anything that we need to be aware of? All quiet on the Preston front. Brilliant. Okay.

So we have now reached the network and routing section. So, again, this is scheduled for fifteen minutes, so it should be finishing just after eleven. I'm just flicking through my slides here just to make sure I know what's coming up next, because somehow my notes and my slides have got out of synchronization, and it's causing me all kinds of grief. Okay.

So, in version 20, the SD-WAN gateway limit is now determined by the type of the firewall that you are running, which means that the larger firewalls can have more gateways. So as you can see there, basically, the 2U firewalls have 3,072 gateways. The 43 and the 45 have got 2,048. The 87 and the 107 have 64. Everything else remains at 24 as it did previously. There we go. Dynamic routing now supports more multicast groups, up to 4,000 multicast groups.

What else have we got? Additional improvements. BGP for IPv6 has been added, and now it's a unified service with BGP IPv4. It has been added to the existing interface. You'll see some bits for IPv6 in there, but it hasn't really changed what's in there. You'll see it's very, very similar. Up to 200 IPv6 peers, 200 IPv4 peers, so that's 400 in total, but it is specifically 200 of each type, not 200 or 400 as a group.
BGP IPv6 supports redistributing OSPFv3 routes, static routes that are configured on the firewall, and connected routes for things directly connected to the firewall. IPv6 networks are shared to IPv6 neighbors, and IPv4 networks, all by default. Yeah. So that just happens. There's no configuration required for that. This is what the IPv6 configuration looks like. In there, you'll see there's a new option to set router IDs automatically. Again, it's up to you how you do that. I tend not to do it automatically. I do it manually, but it's nice to have the ability to switch that on. We also have in there the ability to filter on IP version. So we could say, actually, we just wanna do 4, we just wanna do 6. There we go. And, finally, the last step on that: determine which networks you want to share with all the routers over BGP. Come on. There we go.

This is the information section of that firewall. So into Configure, into Routing, into Information, and you'll be able to see what the BGP system is doing. There are dedicated sections on the page; it's split into IPv4 and IPv6 so that you can see what each one is doing individually rather than getting it too cluttered for you. In terms of redistributing OSPF, you've got a little tick box there to enable it. You've got a tick box to enable redistributing connected routes as well. Unless you tick those, that will not happen. Just be aware of that one: if you're expecting it to pass routes and it hasn't, those boxes are not ticked.

IPv6 prefix delegation. So prefix delegation is a DHCPv6 feature that allows the server to delegate a subnet prefix to the clients. So perhaps your ISP would give you a prefix, and you'd delegate that out to your workstations.
It makes it easier, theoretically, to use IPv6 within your own networks, and it generally makes it nice and easy, nice and simple, and is slightly more secure, so that IP filtering, IP prefix filtering, can happen at the ISP level to try and make sure that all of your devices are in the right IP addresses. The way that it works out here is, so start at the workstation end: the workstation requests an IP address from the firewall. The firewall has, at some point, requested a local prefix. It's given that from the ISP. It knows the local prefix. It hands an address within that subnet back to the workstation. The next workstation, again, will request from the firewall. The firewall already knows the prefix and passes another address within that prefix back to the workstation.

Let's carry on. You can see here this is where you allow this on your network configuration. So in Network, into Interfaces, enable your IPv6 config. Choose DHCP and then choose prefix delegation enabled here. You can specify your preferred delegation if you have one at this point, or you can just leave it entirely up to your ISP to give you the correct one. Once you've done that, you will see there on our WAN interface we now have our IPv4 and our IPv6 addresses. And, again, if we click on our little more-information button, you'll see our ability to switch on and off. You'll see our DHCP address and the prefix delegation that we've been granted for this connection. Okay.

What you then need to do is find one of your internal interfaces, bridge groups, whatever it happens to be, VLAN groups. Enable your IPv6 configuration on there. Set it as delegated. Choose the upstream interface that you are going to rely on. So you can see here you could have different interfaces going to different WAN links, having different prefix delegations perhaps. Choose your upstream interface.
Choose the IPv6 addresses that you are going to push back from this subnet, and then allow that to advertise, and that will push those out to your machines as they need it. You'll also then see on the interface, remember on our WAN interface there we have our DHCP; on our LAN bridge here, you'll see we have the delegated IP addresses so that we know that all of those are being pushed out to our workstations. We know where they're being pushed from, I should say. If you then go into IPv6 router advertisement, you'll be able to see that the router advertisement is being created. You'd be able to hover over that show-prefix, and you'd be able to see what is being pushed out. So remember when I said you could create multiple ones in here, you can see we've got a couple, where we were able to see different things based on which connection people are connected to. Okay.

So, prefix delegation configuration. In the router advertisement, you can modify the default configuration should you need to. The prefix advertisement configuration can't be changed. It comes from the ISP. This is for the router advertisement within your own network. So this is effectively the DHCP server in your own network. Excuse me. This is what it would look like on your workstation. So you get an IPv4 address. You get an IPv6 address, and it's then down to you how you choose to manage those, how you choose to do those.

Prefix delegation is not supported on PPPoE, something I'm not happy about because all my connections are PPPoE. I don't have the luxury of a fiber run like Dale. Not that I'm rubbing that in at all, Dale. It only supports /48, /52, /56, and /60 prefix lengths. Those are the only ones we support. You can't go bigger or smaller than that. The prefix length for the downstream interface is fixed at a /64. You cannot change that either.
You cannot modify the advertisement that's being given to you by your ISP, and a DHCPv6 server on the downstream interface can only be used to supply additional options. It can't give out IP addresses because we're doing that through the advertisement that we've created. Any questions so far? IPv6 still. Fabulous. Okay.

DHCP relay over our XFRM tunnels. As of version 21, we can now do DHCP relay via route-based IPsec VPN tunnels and not just policy-based IPsec VPN tunnels. So here we have an example deployment where we've got a DHCP server in our head office here, 172.16.16.10, and we've turned our firewall at the end of the VPN tunnel into a DHCP relay agent for devices at this end of the tunnel. To configure that, what we've got is, within Network and DHCP, we're gonna create a relay. We're gonna choose which interface that goes out of. This is the client-side interface, so this is the local LAN. We pop in the IP address of the DHCP server. And oh, here we go.

Also, within firewall, we have updated the Azure templates for firewall deployment. What you'll see in the past is that we had those as two-armed deployments, two-legged deployments. We've now turned that into a single-legged deployment or single-armed deployment. When deployed in that single-arm mode, PortB is mapped to Ethernet 0, which is the WAN interface, and that is the only interface that is supported in a single-legged, single-arm deployment. Not all the features that you might expect are available if you run it single-legged because, obviously, you're not doing some of the filtering and things. Your proxy won't work, perhaps, things like that that we can't do in a single-arm deployment, but it does make it easier to pop it into Azure if you're doing that. WAF is another thing that won't work. IPS is another thing that won't work.
And bear in mind, you cannot migrate double to single or single to double. Once you've chosen your deployment method, you are, I'm afraid, stuck with that deployment method. Okay.

Let's Encrypt. Let's Encrypt. Everybody, I'm sure, knows what Let's Encrypt certificates do. They're lovely. They're free. We like free, don't we? Everybody likes free. Sophos Firewall now supports Let's Encrypt certificates. So what can we use them for? Well, we can use them for all of our web portals. We can use them for WAF. We can use them for VPN. We can use them for hotspot pages as well. We cannot use them for remote access or site-to-site VPN. We cannot use them for Chromebook SSO either. Remember what I said about those being Google certificates? You have to remember the Google certificates.

The validation process for those looks a little bit like this. The firewall requests a certificate for a domain. Let's Encrypt gives the firewall a token that needs to be created. That is then a port 80 connection back to the firewall. The firewall will then give Let's Encrypt the token back. Once it's done that, Let's Encrypt will give it the certificate for whatever domain it is that we happen to have asked for. In terms of what that looks like for you, there are a number of things that you will need to do. So you'll need to register for Let's Encrypt. You'll need to create a DNS record, for people to be able to look up that domain name that you're going to get the certificate for, that points to your firewall. The firewall then can request that certificate, and then you choose to use that certificate in that configuration however you're going to use it. So registering for Let's Encrypt can be done at the firewall, under System, Certificates. You'll see an option, Let's Encrypt. You can go in here. You can register. Once you've registered, you'll see you get this deregister.
You add your DNS record in whatever DNS program you choose to use, or whatever DNS provider you choose to use, I should say. Add a certificate. Come in here. From the action, choose Request Let's Encrypt certificate. Give it a name. Choose the domain name. It does not support wildcards. It has to be full names at the moment. You can have more than one full name on the certificate. You can have more than one SAN on the certificate. You cannot have a wildcard, unfortunately. Once you have done that, you will see that the certificate request goes into your certificates list. What will happen is, over time, you will see that that changes from a certificate request to Let's Encrypt. At that point, you know that the certificate has been generated and assigned back to the firewall. What you've then got, when you're in your certificate configuration on your admin portals or whatever it happens to be, you'd be able to choose a certificate from your drop-down list in there. So in this case, we've got Administration, admin user settings. We've chosen from our certificate list our Let's Encrypt certificate, and then we can start to use that certificate. Dead easy, dead simple. Lovely. Okay.

Next, we are on to DNS Protection. So, DNS Protection is now included with your Xstream license. It is not available to purchase as a separate license. It is very, very quick to deploy. It is literally: pop the IP addresses in Central, set up the policies, and away you go. It protects against all ports and protocols because every DNS request is being looked at, and it can integrate with MDR and XDR if you are using those as well. So why use DNS Protection? So, basically, with the firewall, by default, what we're doing is a lot of web filtering, HTTP/HTTPS protection. There are lots of other services that are going on that can be used maliciously by bad actors, and DNS Protection is aimed at blocking some of those different things from happening.
So, the first thing that we're gonna say is, you know, it's reliable. It's fast. It's smooth. Slow DNS can make it feel like your connection's really laggy. So it's part of a good, fast connection. Because we are restricting this to Sophos customers, to known IP addresses, we know that we're scaling it appropriately. It also builds in our intelligence data, our incident response data that we take from any engagements that we have, to block malicious sites. But not only malicious sites. We can actually use it to block things that are unproductive. So for example, we can put restrictions on YouTube, Facebook, things like that. We can enforce Google strict safe search, things like that, at the DNS level so that even if you have someone that comes from BYOD connected to your wireless network, they are still getting your filter policy applied to them without having to install certificates and all the headaches that go with that. It's blocking access to risky servers. It's blocking access to malicious and compromised servers so that we are able to keep you safer, and it also provides a layer of analysis for the MDR team, for yourself, to be able to see what people are looking at and to determine what's going on in your network at any time.

So the way that it works is, Sophos DNS Protection resolves all types of records. However, we're only checking against these types of records here. So you've got A, AAAA (which is the IPv6 names), CNAME, and HTTPS. The other records, such as MX and TXT records, we're not protecting against those. That request will then go to the DNS Protection service. It will check against our database of malicious domains, and if there's a problem, it will bounce that back. It will then protect against 80-odd categories based on what policies you have set up in Sophos Central. Again, if it passes both of those, the client will be sent the real address of the domain.
If it fails either of those, it will be sent to a sinkhole page. So the client will get a message that says, sorry, this page cannot be accessed today. So, other things that happen when it's doing this: the first part of that check is it will check where the request has come from. Has it come from an IP address or an FQDN that we know about? Has it come from one of your client networks? If not, then that request is going to be bounced back. It also integrates with the data lake. So as I mentioned earlier, if you've got XDR, you'll be able to see that DNS data. If you've got MDR, the MDR team will be able to look at that DNS data and use that to filter if there have been any attacks, things like that, going on.

So this is kind of a little bit of why you might want to use this over and above the firewall. So DNS inspection and blocking at the firewall: we're doing ATP for C2 domains, command and control domains, only. Sophos DNS Protection on top of that is going to give you all high-risk and unwanted domains. Yeah. But connecting to those risky domains at the firewall, you've only got HTTP/HTTPS protection. So if someone was to try and connect over SSH or over FTP, they'd still be able to. With DNS Protection, that would be blocked at the SSH or the FTP level as well. And in terms of visibility and threat hunting, the firewall is logging the traffic that's going through. It's not logging those DNS lookups. Sophos DNS Protection is logging all of those DNS lookups. So it just gives us a little bit more accountability, a little bit more reporting.

In terms of licensing, it is included with Xstream Protection, no additional charge. Even for customers that might be in year three of a three-year Xstream license bundle, they will still get that DNS Protection for that final year, and it will be in any new Xstream subscriptions going forward. You will need a Sophos Central account to configure and manage that DNS Protection.
So for those firewall customers who have purely been managing the firewall on its own web interface, they will need to upgrade and add their Central account. Obviously, that is free, to manage that DNS side of it and register the firewall in there. There is a DNS Protection course within the Sophos Academy. You could filter that down to just DNS Protection. You've got a forty-five minute course; it talks all about DNS Protection and what you can do with it and how it works and how to use those configuration tools to manage that. There is a link to the Sophos Academy in the training pack. Now, I keep mentioning the training pack, in Documents under the screen, and that will allow you to go through and see all the courses, including the ones that we're mentioning today.

On to ZTNA, zero trust network access. So in its most basic form, ZTNA is all about making sure that the user is who they say they are, that the device is safe, and allowing them access to whatever resources they have permissions to access based on them being who they say they are and their device being healthy. So, let's have a little bit more of a look at the detail on that. Why use ZTNA instead of a VPN? So, a couple of reasons why we want to do that. Security: we are only allowing them access to specific things. So rather than a VPN, where they perhaps have access to the whole network, with ZTNA we are giving them access to a specific server, a specific file store, a specific web app on a specific server. And that means that, you know, should that user's device be compromised, should something happen to that user or that device, they can only access the resource that they've got. They couldn't be used to launch an attack on another device on the VPN. In terms of flexibility, it is very, very flexible because you can use it not just to VPN into devices within your own environment. You can use it to connect to SaaS resources as well.
So you could actually start to say, right, well, I want to put, for example, Salesforce behind ZTNA, and it gives you the ability to protect that SaaS traffic in the same way that you would protect on-prem resources. Because it uses your existing identity provider services, whether that's AD, Entra/Azure, Okta, it means that the user doesn't have to have another login prompt. Yeah? And because they're signing in to ZTNA and they get the authentication cookie, they can be signed in for a lot longer, knowing the cookie is gonna be fresh and the machine is gonna be checked every time they use it. And it's just a little bit easier for the user, perhaps. And it's more efficient because we're only sending the traffic that we actually need to send back to our on-prem resources. We're not sending perhaps all of our Internet browsing traffic back that way as we would if we had a full-tunnel VPN. Okay.

Sophos ZTNA consists of effectively three parts. The first bit is the management interface, which sits in Sophos Central. This is where you get your reports. It's where you create your resources. It's where you create your gateways and deploy ZTNA from. You then have a gateway. The gateway can be a virtual machine on premise or in the cloud. It can be Sophos Firewall on premise. And what it does is it is the connector between the user and the resource. So it sits in the middle of the chain, if you will. And the third part is the agent. So that installs on the device, and it will take whatever traffic you configured in your resources in Central. It will capture it, send it to the gateway, the gateway will send it to the resource, and vice versa. It's available currently for Windows and Mac, and you can just push it out alongside Sophos Endpoint from Sophos Central very, very quickly, very, very easily.
It will be able to interrogate the device, say, have you got AV, are you up to date, have you patched, all that sort of stuff, and pass that back to the gateway to determine whether the user is allowed to access the resource or not. So let's have a look at what that looks like in practice. Excuse me. Here we have the user, and they've got the ZTNA client installed. The policy and the reporting come from Central. The traffic goes through our cloud or through the public Internet, depending upon the usage model, into your firewall, into the appropriate firewall for where the resources are located. So this firewall here is providing access to on-prem servers, file stores, and applications. This firewall is providing access to the same resources in the cloud. Both of those are continuously checking with this client: are you healthy? Are you up to date? Is that user still the user that's logged in? Should any of those things change, access to those resources will be blocked very, very quickly. And then once that device returns to health and the user re-logs in, access will restart within five, ten seconds back to those resources. It's very, very quick, very, very efficient.

The licensing model is per user. You can create as many gateways as you want, depending upon where your resources are, and you can put those in as many as you want. You can cluster them. You can have failovers. It's entirely up to you. What we charge for is a per-user number of users who are going to be using ZTNA. And that does not have to be everyone in your organization. You could say, right, actually, we've only got 10 or 12 users who are going to be ZTNA users. Everybody else doesn't need access. And then you just license those users. For the cost, you may find that it's just as well to actually do everybody, and then you can start to use it for doing things like network segmentation as well. It's a very, very useful and flexible little tool.
There are some requirements to using ZTNA. So the first thing is you need to have a directory service which you synchronize with Sophos Central. So that's Azure AD. That can be Active Directory. That can be Okta. You need an identity provider to authenticate your users. This can be Azure AD, Okta, or Active Directory. This slide is ever so slightly out of date. That's the problem with sticking three things together. The latest versions now have Active Directory built in as well. Sophos Firewall version 19.5 MR3 or later will be needed on your firewall. Once you've done that, the firewall has all the requirements for running ZTNA. You will need a validated domain in Sophos Central. So you will need to be able to go into Sophos Central. You will need to run through the process where you pop a TXT record in the DNS and say, yes, this is really my domain. You'll also need a public DNS CNAME record for the gateway so that we can access that gateway over the Internet. And the last thing you're gonna need is a wildcard. So you create a wildcard certificate. So, I have one, which is *.dagglishfamily.com. All of my applications sit inside there. So I have Linux. I have Zabbix. I have Libra. And they're all accessible via my ZTNA gateway, but I don't need to create separate certificates for each one. I just use the wildcard, and it will apply it as appropriate to those resources.

So configuring ZTNA, very, very easy. Validate the domain in Central, configure the resources, configure the gateway. Central will push that configuration to the firewall that you choose as appropriate. Create that alias, and then start to add any resources that you want. It can probably now be done in around twenty-five, thirty minutes, depending upon how long it takes you to get certificates, how long it takes for your DNS records to go live. It's very straightforward. When you're configuring a gateway, the process is something like this.
We're gonna choose either on-premise, or firewall, or Sophos Cloud. We give it a name, and we choose an FQDN. We pick from our validated domains because we can have more than one domain, if we want, on a firewall. In here, you'll get options for platform types, and you'll see in there ESX. You'll see Hyper-V. You'll also see firewall. You'll pick your identity provider. Again, these are from your list that you've set up in Central. And then you're going to pick the firewall that we're actually going to assign this one to. Once you've done that, you hit save and generate. That configuration will be pushed to the firewall. When you're doing it to the firewall, or if you do it to Sophos Cloud, it'll ask you a couple of extra questions on which point of presence you're going to put this in. Always try and do this to the region closest to your resources, just to remove latency. You wouldn't perhaps choose Europe, Ireland, if your resources were somewhere in Australia or America; you'd probably choose an American data center to push to in that case. This is where you upload your certificate, your private key. Once you've done that, it will finish that configuration, and it will give you a piece of information like this. It'll say, can you add this alias domain for me into your DNS? You copy and paste that in for your firewall, and away you go. You'll then see on your firewall, in the Control Center, that you get zero trust network access active.

A little gotcha from personal experience. If you are going to set up ZTNA and high availability, set up high availability first. Otherwise, only one of your firewalls will get that ZTNA ability. I had that problem with my firewalls, and it is something that is going to be fixed in a later release. It may already have been done. I just haven't tested it yet. In terms of creating resources, again, this is relatively straightforward.
Pretty much anything you want can be pushed into ZTNA. We have some inbuilt ones for you, so web applications and the firewall admin port, so that you can share that through ZTNA if you want. Show resource in user portal: when you create these resources, you can have a user portal that shows people all the different things they have access to. And you'll see here we've got an access method, agent and agentless. Agentless resources do not require the ZTNA agent, but they do not do the machine health checking, only the user identity checking. This can be used to provide access to external tablets and things for web applications, whilst we're still working on the mobile ZTNA client. The alternative are what we call agent-based resources. You see here we have a few more different types of resource that you can create, and you can also then start to build your own ones, as you'll see on this next slide; we could choose Other. We give it an internal name. Let's see what people are gonna refer to it as internally. So this would be, for example, if you have an AD server or you have an Internet server, this would be its internal name that the firewall can be looking up. This is what you're gonna refer to it as when people are outside. You can then choose up to 20 different port groups, TCP and UDP, to allow you to create those resources and make them as flexible as you need to. You then choose from your identity provider the different groups that you're going to allow access to that resource. And once you've done that, you can publish that, and it's available. Again, there is a training course on this. In the training materials, there is a link to that course. By all means, get yourself along there. This one's a little bit longer than the previous one. This is two and a half hours, but it will give you a really good insight into ZTNA. Okay.

Moving on to hardware.
So for those of you who might not be aware of it, a couple of months ago we refreshed our desktop firewall range. So we now have the 88, the 108, the 118, the 128, the 138. Apart from the 138, all have dual-band Wi-Fi 6. Some of them have gone fanless, or they have improved thermal management, so they are running much quieter than the previous ones. They are all putting through a lot more data than previous models. And, indeed, some of them are actually starting to push the low-end 1U models. So the 2000s, the 3000s, again, are at the point where they're being pushed by some of these firewalls in terms of throughput. They all have 2.5 gig Ethernet interfaces, and they all have SFP ports, which is sun protection, isn't it? They all have SFP, and the 138 has two SFP+ ports on there. So you can actually start to feed much more data through them. One of the things, if you've been familiar with the NPU, the Xstream processor that was on a number of our firewalls: the models up to the 128 are now single architecture. We've gone back to single architecture. However, the virtual fast path on that allows much, much more throughput than was previously possible. IPsec traffic is up to three times quicker once you get to version 21, because that's where the support for those firewalls really starts to take off. The 138 remains dual architecture with the hardware fast path.

Okay. Looking at the throughput there, you can start to see some of the increased throughput compared to the 87s and the 107, things like that. You will see that the 138 there, you have the two SFP+. And our slides need updating. You will see that the wireless ones are available. They all have the same storage. They all have the same, sorry.
They all have the same storage once you get to the 108. The 88, again, like the 87s, doesn't have any room for onboard reporting. Everything must report back into Sophos Central. They all support the VDSL SFP, but only the 118 upwards have the ability to take the FleXi Port 5G module. There is a new 5G module that requires at least version 20 MR2 to be able to support it. And that module is not supported in the existing 138, 116, and 136 models. So you need to have the new firewall if you want to have the new 5G card. Okay. If you want to find out more about the XGS: Sophos News, Sophos website, links for both of those in the training materials as needed.

Other enhancements and changes. We're getting towards the end of our slides now. We've only got about 20 left. Woo hoo. So, different things that are happening here. Let's have a little look. Come on. Click. Click.

IPv6 to IPv4 through explicit proxy. So, if you're using your firewall as an explicit proxy, so you specify it in your browser, you can now do IPv4 to IPv6 proxy connections. You do need to configure this. There are some firewall rules that you will need to put in place before this actually works. And it's effectively two connections. So what you will have is, you will have a connection from... no, let me get this the right way around. One we call a parent connection, one we call a child connection. So the parent connection is the IPv6 connection out to the WAN. No, the IPv6 section to the firewall. So this is, you can see here, from the LAN and the WAN, and it specifically goes to the proxy on the firewall. So that's the parent connection. The child connection... oh, sorry, parent connection. What you've configured on there is you've configured your web policy. You've configured any scanning.
You've configured it to use web proxy rather than DPI, and you're configuring whether you want to do any decryption of traffic. The child connection is the IPv4 rule. So the IPv4 rule is where you choose your internal networks that you are going to proxy, and specify the source zones where the IPv6 devices are making their requests from, what services they're gonna be able to access, and let's go. Yep. What you then do in your browser: you configure your proxy like this, as a manual proxy, and you can then use those devices to go IPv4 out over to the IPv6 Internet through your firewall. Okay? That's that configuration.

Enhancements to the web application firewall: some GeoIP blocking abilities, some custom site config, and some HSTS and MIME-type sniffing. So let's go through those. HTTP Strict Transport Security ensures that things are only accessed using HTTPS, so it's effectively redirecting to HTTPS. It lets the browser know that we've got HTTPS, and what that basically means is that we'll always use HTTPS. Even if someone types in HTTP, we'll force them to use that. The MIME-type sniffing: add a nosniff header to browsing traffic to protect against MIME sniffing attacks, basically, and always use the declared MIME type rather than trying to guess it, because that's usually where you get things going wrong. In terms of GeoIP blocking on the web application firewall rule, you'll see now that you do have a list of countries that you can choose to block, and you can do individual countries. You can do country groups, such as continent level. Be aware that that relies on the correct GeoIP geographical location being assigned to an IP address. If it's not assigned to the right IP address, then, you know, you can have people come from one place you don't expect. And bear in mind that we are starting to see reports of people using VPNs to hide their locations as part of attacks. Yeah?
So people might be popping up as being in, you know, Chichester when really they're not in Chichester, or wherever it happens to be. So just be aware that GeoIP blocking is not infallible. If you see someone being geo-blocked, they will get a forbidden page like this. You cannot edit that page. It is purely a case of they are gonna be given a forbidden page. You will see log entries like that to show you where the address has been blocked from, to test it. And in the reverse proxy logs, if you want to go and look at such things, you're actually seeing here that you've got an authz_core error with the client address, and you'll see there it's been denied by the server config, and then the reason why it's being denied. It's the same message you would see if you'd blocked it by IP address range as well. So just be aware that it can be an IP address range or a geo-blocking restriction. You'll get the same access denied message in both cases. You can do from the command line this command, which will allow you to see where an address is geographically tagged to. Again, not all addresses will have a geolocation tagged to them, and that may not be correct in all cases. So if you do get someone saying, you know, I can't access your website or whatever it is, and you go, well, you should be able to because you're in Europe or Belgium or Holland or whatever, you can drop to the command line. You can do the show country host, and it'll say where it thinks it's coming from, and this is where we think it actually is.

Custom ciphers. What we have in here now is the ability to change TLS versions. And you have some preconfigured options. So version 1, version 1.1. Yeah. You get the idea. The ability to do custom cipher configuration allows you to actually go in here and say, right, I'm gonna do custom, and these are all the cipher suites that are available to me, and these are actually what I want to use out of that.
There are two sets of documentation you're going to need to look at to be able to manage that properly. One is our documentation. The other I would suggest looking at is the mod_ssl documentation on the Apache website. Links for both are available in the training document. I should have had a recording of me saying that, shouldn't I? Links in the training document. Maybe they'll do that for next time, but you never know.

Okay. Other things. We touched briefly on this one earlier, didn't we, actually, when we were talking about the interface? You can see the version 19.5, that very squashed little screen. Version 20 increases horizontal resolution to 1,920 pixels, otherwise known as full HD. It just makes it look a little bit nicer on screen, a little bit better for you to use.

Something else a little bit nicer is automatic firmware rollback. So from version 20 of the firewall, Sophos Firewall will automatically roll back to the previous version of the operating system should the upgrade fail. Okay? If you are in HA, the way that this works is that the primary will try and upgrade first and do the upgrade. It then passes to the auxiliary. The auxiliary runs while the primary restarts. The auxiliary will then, once that has successfully restarted, apply its own firmware and then pass the traffic back to the primary. If at any point in that cycle that fails, so say the primary doesn't upgrade, the cluster will remain on the previous version. If the primary upgrades and the auxiliary then fails, the primary will roll back to the previous version. If that does happen, if an automatic update does fail, you'll get errors logged in the log viewer. You'll get errors logged in the control center, and, you know, log a support ticket and people will jump on, pull logs off to see what's been going on with your firewall to try and get to the bottom of it for you.

Backup and restore. Oh, this is exciting.
We can now restore backups from Wi-Fi devices onto non-Wi-Fi devices, something for a long time you couldn't do. There are some provisos to this, though, which is that if you are going to go from a wireless device to a non-wireless device, you will need to remove all of your wireless settings from the device before you back it up. Otherwise, it will not restore. Okay? Another subtle change is that backup files now include the build number of the software. So the backup file now has the serial number of the firewall, the model of the firewall, the version of the Sophos Firewall operating system which is running, the build number, and the date and time the backup was generated. So that was as of 19.5.3 MR1. So everything after that will now be updated. We've also created a backup and restore assistant. The backup and restore assistant will allow you to do any-to-any backup and restore, so from different models of firewalls to other models of firewalls. So it's no longer from 3300 to a 3300. You can go from a 3300 to a 4300 or down to a 3100. As you go through that, you'll see that you get some port mapping. You will be able to then choose to map things to ports. You'll be able to choose to map things to aliases and create those if you're going down to devices with fewer ports in place. So this is being used quite a lot, people upgrading from XG to XGS, with the end of XG life in a little over two months now, or two months, I suppose, isn't it, tomorrow? That is something that's in place. Again, if you are thinking about swapping from XG to XGS, now is a really, really good time, and you will get a license overlap to allow you to do that with as little interruption to service as possible. Further details, as always, in the training pack.

Another little change that snuck in there is, unrestricted access to the WAN port is no longer supported. So in the past, you could tick WAN.
You could tick on your WAN port, on your WAN zone, the admin ports for your firewall. In future, this is not possible. It will not allow you unrestricted access, so you have to tie it to a particular IP address or a particular range of IP addresses. And also, as part of that, if that actually isn't used for a period, then we can actually automatically disable that access as well. I think it's a ninety-day period. That was reduced in 19.5 MR2, and it's all about trying to make things a little bit more secure. You might have seen in the news recently a couple of firewall companies that have had ports exposed to the Internet and all the mischief that's been caused with that happening.

Other enhancements: the secure storage master key is now mandatory. We did have some issues with people not putting that in and then not being able to do backup restores, things like that. User deletion API documentation has been updated. The Sophos Authentication for Thin Client download is being removed, as we now use multi-host for Sync client instead. Some daylight saving time issues that we had in the Jordan time zone have been fixed, and the email notifications, the branding, the text on those, have been updated to Sophos Firewall rather than XG/XGS, just to make things a little bit more consistent. Oh gosh.

Authentication. Login performance has been improved for RADIUS, single sign-on, STAS, and Sync Sec. Transparent AD single sign-on when HSTS is enforced is also in place, enabling Kerberos and NTLM handshakes over HTTP and HTTPS. What else have we got? IPsec VPN. Yeah. The speed of bringing back VPN connections during network changes has been improved. So when you make those changes, a tunnel will still drop and come back. The time that takes to drop and come back has come down. We mentioned already the seamless failover of dynamic routes. No, we haven't been to seamless failover of dynamic routes.
Dynamic routes will now fail over seamlessly. That goes alongside all those other things like the seamless VPN. The RED tunnel re-establishment is much quicker on failover, and the link between us and AD during that failover, if it's required, is much better. In terms of web protection, we've done some work to improve the enforcement of strict SafeSearch, to enforce those YouTube restrictions. You've seen a lot of work going into the Google Workspace authentication, the Google app logins, and Azure AD tenant restrictions. And those have all fed back into the firewall there. Where else are we? Two bits I don't really use, but I realize these are useful for some people. Better integrations with Akamai and Cloudflare. So you've now got the ability to integrate with Akamai Secure Internet Access, to use that protection solution. If you're using that on your clients, you can now configure the firewall to use that same authentication, that same protection. And Cloudflare Magic WAN, we now integrate directly with that. So if you're using that in your organization for anything, your Sophos firewalls will integrate with that too.

Okay. A couple of things. Version 21 is not supported on XG or SG appliances. Yeah. It's only supported on XGS and the virtual appliances, and upgrading to version 21 requires that you be on version 19 or later. But 19.5 MR1, MR2, MR3, they will all upgrade. But you must be at least on 19 before you try and upgrade to version 21. Wow.

Now the bit you've all been waiting for, the link for the training quiz. So when you do the quiz, please ensure that you use your partner portal ID email address so that we can match your quiz to your training account. The process can take up to ten days. It may be quicker. It may not. We hope it's quicker, but things happen. People get busy.
If you follow that link there, scan the QR code, making sure you scan it appropriately through whatever protection mechanism you use, because I spent all day talking about that yesterday, to check that it's a valid link. Follow that link. Fill that in. We'll get an email, and we will then add the relevant courses to your training records so that you're showing as having the updates applied. Dale, anything from Q&A?

Okay. Let me come on stage for a minute so I'm not just a voice in your head for a change. Can you hear me now? I can hear you now. It's brilliant. Excellent. Okay. So there was only one question, which I've answered, which is in relation to why the 138, the XGS 138, was the only desktop appliance with dual architecture. So, I mean, I've explained a little bit about the various different use cases that we've looked at in terms of the environmental kind of performance. You know? Lots of people like the, you know, the silent functionality and things like that. And for us as well, the 138 is, I guess, a bit of a launch point into the 1U models. You know? It's the unit that supports the SFP+. Nothing to do with sunscreen. And, yeah, that is a bridge model for us. But I don't know whether you've got any additional kind of thoughts on that, Rob.

Yeah. I think you've hit the nail on the head multiple times there, Dale. It really is about that 138 being designed for more throughput and having those bigger connections, because you'll notice that in terms of performance it doesn't sit terribly far above the 128, just a little bit by being dual architecture, but it's about having that improved connectivity. So if you wanted to put a 10 gig connection into it, it will do that, rather than having the one gig connections that the 128 has. Excellent. Yes. So that was the only question.
So I've had quite an easy ride this morning. You've had a much tougher break, but good job. Well, thank you very much. What I'm going to do then is, at that point, I think we've got one more slide, which is... I don't know. We've maybe got two more. We've got this one, which says feedback is always welcome. Not as welcome as 10 pounds. Not as welcome as 10 pounds. Is that any better? Can you hear me now? Yeah. Okay. I think I've talked my headset out. What I was saying is feedback is always welcome. I know we are doing some office hours tomorrow, ten till twelve UK time. I wasn't sure, Stephanie, whether that's just for firewall or if that's firewall and endpoint as well. Not sure. No. Okay. Do have a go at the exam before then. It is 20 questions. The passing score is 80%. So that's, what, 16 that you've got to get right. And they're pretty much yes/no questions. So, do have a go. We'll be here for office hours in the morning if needed. And, with that, thank you very much for your time. Have a pleasant afternoon. And we wrapped up six minutes early. Wonderful.