Checking network activity on Sophos XG Firewall for scanning attempts
The web server remains outside the DMZ despite the setup done by the previous network team. Recent attacks prompted us to involve the ISP, who pointed out suspicious activity from IP 192.168.1.252, linked to a backup Symantec/Veeam server. This device is flooding the router with packets, disrupting services and overwhelming the firewall. At this stage, Symantec appears to be handling more of the workload than the firewall can manage. Recommendations include moving the web server to a DMZ, adjusting router settings, and ensuring the firewall acts as the default gateway rather than the ISP's router. Currently, we lack a second firewall to isolate the internal network from the web server. We plan to implement this on the designated DMZ port next week. For guidance, consider searching best practices on enterprise network security or consult relevant books and forum discussions to prepare thoroughly.
It’s because it operates on its own network segment, which means a breach there won’t reach the rest of the LAN. You must understand the details behind the issue. Simply moving it to a DMZ won’t solve everything—it only prevents direct access. If it’s already compromised, it might still launch attacks from outside, potentially overwhelming your router.
The concept highlights that public services carry higher risk compared to internal ones, creating a separation so that if external threats breach a DMZ, they’re less likely to reach the LAN. It’s useful to clarify what a firewall truly does and what it doesn’t. A firewall functions as a network security tool that watches and manages traffic according to set rules. Its effectiveness depends heavily on how it’s set up. If you notice suspicious activity from a specific port—like 3389—and you’re unsure if there’s legitimate use, block that traffic with a rule. This represents the main control a firewall can provide.
From your comments, it seems you’re mixing ideas between an Intrusion Detection/Prevention System (IDS/IPS) and a firewall. An IDS/IPS monitors networks for threats or policy breaches, often at a more detailed level. It’s not meant to replace a firewall’s basic blocking role. A firewall focuses on preventing unwanted access by enforcing rules, while an IDS/IPS adds deeper inspection.
Think of it like this: If you’re the store owner trying to stop theft, you’d secure entry points—lock doors, install cameras, and have staff on duty. You can’t just lock the front door permanently because that would stop sales. Instead, you use technology (cameras) and personnel to deter crime without hindering normal business. Similarly, a firewall blocks unwanted traffic, but an IDS/IPS watches for suspicious patterns and alerts you.
Modern firewalls often combine both functions, but their primary job remains traffic filtering based on predefined policies. If you’re unsure about configuration, refer to the official guides—like the Sophos documentation—to ensure proper setup.
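The reply above says the firewall's main control is a rule that blocks a source once you have confirmed the traffic has no legitimate use, and the original post asks whether 192.168.1.252 is really scanning or flooding. The following is an added example (not code from the thread or from Sophos) that shows how to answer that question from exported firewall log lines before writing the deny rule. The log lines are constructed for the example and use a simplified key=value layout; the field names `status`, `src_ip`, `dst_ip` and `dst_port`, the 60-second window, and the thresholds are assumptions, not a vendor log schema or vendor defaults. The `expected` allowlist is the "is there legitimate use?" check: a host that is supposed to touch many machines (a backup server, an authorised vulnerability scanner) is excluded from the findings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not captured from a real appliance. The layout is a
# simplified key=value syslog record; the field names (status, src_ip, dst_ip,
# dst_port) are assumptions for this example, not a vendor log schema.
SAMPLE_LOGS = """\
2024-01-10 09:00:00 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=21
2024-01-10 09:00:00 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=22
2024-01-10 09:00:01 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=23
2024-01-10 09:00:01 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=25
2024-01-10 09:00:02 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=80
2024-01-10 09:00:02 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=443
2024-01-10 09:00:03 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=445
2024-01-10 09:00:03 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=3389
2024-01-10 09:00:04 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=8080
2024-01-10 09:00:04 status=Deny src_ip=192.168.1.252 dst_ip=192.168.1.1 dst_port=8443
2024-01-10 09:00:10 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.30 dst_port=9392
2024-01-10 09:00:11 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.31 dst_port=9392
2024-01-10 09:00:12 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.32 dst_port=9392
2024-01-10 09:00:13 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.33 dst_port=9392
2024-01-10 09:00:14 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.34 dst_port=9392
2024-01-10 09:00:15 status=Allow src_ip=192.168.1.20 dst_ip=192.168.1.35 dst_port=9392
2024-01-10 09:05:00 status=Allow src_ip=192.168.1.51 dst_ip=192.168.1.10 dst_port=3389
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<kv>.+)$")


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def _sliding_windows(events, window):
    """Yield, for each event (sorted by ts), the slice of events from the
    earliest one within `window` of it up to and including itself."""
    lo = 0
    for hi in range(len(events)):
        while events[hi]["ts"] - events[lo]["ts"] > window:
            lo += 1
        yield events[lo:hi + 1]


def find_scanners(log_text, window=timedelta(seconds=60),
                  min_ports=8, min_hosts=5, expected=frozenset()):
    """Flag sources that, within any sliding `window`, either touch at least
    `min_ports` distinct ports on one host (vertical scan) or at least
    `min_hosts` distinct hosts on one port (horizontal sweep).
    Sources listed in `expected` (hosts with a known legitimate reason to do
    this, e.g. an authorised scanner) are skipped.
    Returns {src_ip: {"kind": ..., "target": ..., "count": ...}}."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    events.sort(key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in events:
        by_src[r["src_ip"]].append(r)

    findings = {}
    for src, evs in by_src.items():
        if src in expected:
            continue
        for win in _sliding_windows(evs, window):
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for r in win:
                ports_per_host[r["dst_ip"]].add(r["dst_port"])
                hosts_per_port[r["dst_port"]].add(r["dst_ip"])
            host, ports = max(ports_per_host.items(), key=lambda kv: len(kv[1]))
            if len(ports) >= min_ports:
                findings[src] = {"kind": "vertical", "target": host, "count": len(ports)}
                break
            port, hosts = max(hosts_per_port.items(), key=lambda kv: len(kv[1]))
            if len(hosts) >= min_hosts:
                findings[src] = {"kind": "horizontal", "target": port, "count": len(hosts)}
                break
    return findings


if __name__ == "__main__":
    for src, f in find_scanners(SAMPLE_LOGS).items():
        print(f"{src}: {f['kind']} scan, target={f['target']}, count={f['count']}")
```

On the constructed sample the backup server address is flagged as a vertical scan of the gateway (eight ports in four seconds), and 192.168.1.20 is flagged as a horizontal sweep on one port; passing `expected={"192.168.1.20"}` drops the latter, which is the decision the reply asks you to make before adding a deny rule for a source. The thresholds are deliberately exposed as parameters: a backup server legitimately reaches many hosts on a few fixed ports, so the horizontal threshold is the one to tune (or allowlist) in that environment.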
Sorry for the delayed response; I was occupied with other clients recently. The company chose to upgrade to the Sophos XGS 136 model with a one-year subscription. The package includes the XGS 136 Security Appliance with EU power cord, Xstream Protection, and 36 MOS for web server security. Are these sufficient for supporting 70-80 users accessing the web server daily? The firewall offers 11,500 Mbps throughput, 1,000 Mbps threat protection, and 950 Mbps for Xstream SSL/TLS. Additionally, they plan to bring in an expert in this area rather than relying on temporary fixes. This would simplify my task, allowing me to review the configuration from the ground up and understand policy implementation. We also considered placing the current firewall behind the new one, with the web server isolated in a DMZ on the upgraded system, or keeping the web server in a DMZ on the new firewall if that arrangement isn't feasible. EDIT: They haven't provided traffic statistics for the web server, but we estimate around 4,500 users daily. Since we don't manage their pages, this data isn't available. Will these specifications meet their requirements?