
SL80 v21.0v1 Lab Workbook Sophos Firewall Technician

The document is a lab workbook for the Sophos Certified Technician course, specifically focusing on the Sophos Firewall. It includes detailed tasks and solution walkthroughs for setting up and troubleshooting various aspects of the firewall, such as registration, activation, and network configuration. The labs are designed to be completed in a hosted environment and are essential for practical certification training.


Sophos Certified Technician

SL80: Sophos Firewall


TECHNICIAN LAB WORKBOOK
Version 21.0v1  November 2024

Contents
Introduction
  About the Lab Environment
  Accessing the Lab Environment
  About this Workbook
  Workbook conventions
  Network Diagram
Read This Before You Start
Preparation
  Objectives
  Task 1 – Register for a Sophos Central Evaluation
    Task
    Solution Walkthrough
  Task 2 – Activate London Gateway 1 and London Gateway 2
    Task
    Solution Walkthrough
  Task 3 – Activate New York Gateway
    Task
    Solution Walkthrough
Getting Started with Sophos Firewall
  Task 1 – Cannot Connect to the Web Admin Console
  Task 2 – Cannot Access Server in New York from London (Scenario 1)
Base Firewall
  Task 1 – Cannot Access Server in New York from London (Scenario 2)
  Task 2 – DNAT Not Working (Scenario 1)
  Task 3 – DNAT Not Working (Scenario 2)
  Task 4 – Remote Desktop Not Working
Network Protection
  Task 1 – Cannot Register Sophos Firewall with Sophos Central
  Task 2 – Endpoint Cannot Establish a Heartbeat with Sophos Firewall
Site-to-Site Connections
  Task 1 – IPsec VPN Could Not Be Established (Scenario 1)
  Task 2 – IPsec VPN Could Not Be Established (Scenario 2)
Authentication
  Task 1 – User Cannot Authenticate
  Task 2 – User Not Authenticated With STAS
Web Protection
  Task 1 – Site Incorrectly Blocked for User
Application Control
  Task 1 – Application Not Working for User
Remote Access
  Task 1 – Remote Access VPN Could Not Be Established (Scenario 1)
  Task 2 – Remote Access VPN Could Not Be Established (Scenario 2)
Web Server Protection
  Task 1 – Error Using Webmail Server
High Availability
  Task 1 – Cannot Enable High Availability
Appendix
  Environment Overview
  User Accounts

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent
of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or
registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or
implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire,
OX14 3YP.


Introduction
These labs accompany the Sophos Firewall Certified Technician course (S80) and form the
practical part of the certification. They are estimated to take 6 hours to complete.

About the Lab Environment


These labs are designed to be completed on the hosted lab environment. If you are not using the hosted lab environment (e.g., this course is
being taught in a classroom and not completed online) some details such as hostnames and IP addresses may vary. Your instructor will provide
you with details of how to access the lab environment, and any localized changes.
We recommend completing each lab task when directed to do so in the training content.
Before starting the lab, please see the getting started video:
https://training.sophos.com/cloudlabs/GetStartedWithYourLab/play.html

Accessing the Lab Environment


You can launch your lab environment by clicking the Launch Lab Environment link in the ‘Lesson Resources’ section of the Course Introduction.
The environment will open in a pop-up window. If the window does not open, please check that your browser is not blocking popups.
If you need to leave your environment and return to it, you can again use the Launch Lab Environment link to log back into the same
environment.
Important note: Once you launch your environment, it will be available for 7 days. Once your environment expires, it is automatically deleted.

About this Workbook

• At the start of each lab is the learning objective.
• Labs which cover larger subjects are divided into several tasks.
• Each task has two parts: the task, which tells you what needs to be accomplished and gives any specific notes required to do so, and a solution walkthrough that goes through the task step-by-step.
• An appendix is available at the end of this workbook, which provides the environment details and the user accounts.
• To be able to complete these labs in the time suggested you should have the following knowledge and experience:

Workbook conventions
This workbook uses the following conventions throughout:

Bold text           • Actions: On-screen elements that you interact with e.g. menu items, buttons, tick boxes, tabs, etc.
                    • Important points to note
‘Single quotes’     On-screen elements that you do not interact with e.g. page titles, field names, etc.
Courier New font    Commands to be executed
Underlined          Hyperlinks
<variables>         Variables will be shown between chevrons e.g. <Red ID>


Network Diagram


Read This Before You Start


Each task will provide the steps required to reproduce an issue. You will need to identify the cause and the best solution and write these
down.
You may find that some issues have multiple problems you need to resolve.
If you are unable to complete any of the tasks in these labs, please visit the URL below to get hints and solutions.
https://training.sophos.com/labs/s80v21/help.html


Preparation
Objectives
Upon successful completion of this lab, you will be able to:
1. Register for a Sophos Central evaluation
2. Activate the Sophos Firewalls, and complete the initial configuration using a backup configuration file

Task 1 – Register for a Sophos Central Evaluation


Task

On Your Local Computer

Browse to https://sophos.com/intercept-x and sign up for a new Sophos Central evaluation.
When you receive the activation email, click the link to complete the account setup.
Once you have logged into Sophos Central, use the menu in the top-right to Sign Out.

Important notes:
• Do not use your primary email address. We recommend using a temporary email account for creating this evaluation
• Make sure you use an email address that you can access
• You will need to use an email address that has not already been registered with Sophos Central
• You must create a trial to complete these labs to ensure that all features are available
• Do not use an existing Sophos Central account
• If you remain logged in with this Sophos ID when you access the training portal you will not be able to access your training; ensure that you log out

You have registered for, and activated, a Sophos Central trial to use to complete these labs.

Student Notes


Solution Walkthrough
IMPORTANT NOTE: You must create a trial Sophos Central account to complete these labs to ensure that all features are available. Do not use
an existing Sophos Central account.

Instructions

On Your Local Computer


1 Open a web browser and navigate to https://sophos.com/intercept-x
2 Click Free Trial
3 Follow the on-screen instructions to register for a trial

Important: Do not use your primary email address. We recommend using a temporary email account for creating this evaluation.
Make sure you use an email address that you can access.
You will need to use an email address that has not already been registered with Sophos Central.

4 Check your inbox and open the email with the subject ‘Activate your Sophos Central account’

You will receive an email with an activation link.


This may take several minutes to arrive.

5 Click Create Password in the email

This will open the activation page.

6 Enter and confirm a password of your choice


7 Select where to have the data stored
8 Read the statements and select all checkboxes
9 Click Activate Account
10 Close any dialog boxes that appear when you log in

Sophos Central is now ready to use.

11 Use the menu in the top-right of the screen to Sign Out

The next time you log in to the Central account you will be prompted to set up MFA (multifactor authentication); follow the on-screen instructions.
If you need an authenticator app for your phone you can install Sophos Intercept X for Mobile, which is free.

You have registered for, and activated, a Sophos Central trial to use to complete these labs.

Student Notes


Task 2 – Activate London Gateway 1 and London Gateway 2


Task

On London DC

Complete the initial setup wizard of London Gateway 1, restoring a configuration file at the same time.
• The WebAdmin can be accessed at https://172.16.16.16:4444
• Set the admin password to Sophos1985!
• We recommend not installing firmware updates to ensure your Sophos Firewall matches the version this lab was written for
• Restore the configuration file C:\Config\Support\01_Lon-GW1_Preparation_Task_2
  o The password is Sophos1985Backup
  o Use the default interface-mapping
• Set the secure storage master key to Sophos1985!!
• The WAN interface IP address is 10.1.1.100/24
• The default gateway and DNS server are 10.1.1.250
• The hostname is lon-gw1-gw.trainingdemo.xyz
• You will need to start a new trial license
IMPORTANT: Once the setup is complete you will not be able to connect to the web admin console until the end of lab task 1.1.

Complete the initial setup wizard of London Gateway 2, restoring a configuration file at the same time.
IMPORTANT: You will not be able to register London Gateway 2 until London Gateway 1 has rebooted and is ready to service traffic.
• The WebAdmin can be accessed at https://172.16.16.15:4444
• Set the admin password to Sophos1985!
• We recommend not installing firmware updates to ensure your Sophos Firewall matches the version this lab was written for
• Restore the configuration file C:\Config\Support\02_Lon-GW1_Preparation_Task_2
  o The password is Sophos1985Backup
  o Use the default interface-mapping
  o The secure storage master key is Sophos1985!!
• Set the secure storage master key to Sophos1985!!
• The WAN interface IP address is 10.1.1.115/24
• The default gateway and DNS server are 10.1.1.250
• The hostname is lon-gw2-gw.trainingdemo.xyz
• You will need to start a new trial license

You have configured a Sophos Firewall using the initial setup wizard. This configuration provides Internet access with
basic security and filtering policies applied.

Notes


Solution Walkthrough

On London DC
1 Open Chrome and navigate to https://172.16.16.16:4444

You will get a certificate warning, but it is safe to proceed.

2 Tick the box for I accept the Sophos End User Terms of Use then click the Start setup button to start the Initial Setup Wizard
3 Click the Restore Backup link
4 Click Upload
5 Select the file C:\Config\Support\01_Lon-GW1_Preparation_Task_2
6 Click Open
7 Enter the password Sophos1985Backup
8 Click Apply
9 Use the default interface-mapping, click Restore
10 In the ‘New admin password’ and ‘Reenter the password’ fields enter Sophos1985!
11 Deselect Install the latest firmware automatically during setup

So that the version of Sophos Firewall you are using matches this lab workbook, we will not update it during the initial setup.

12 Click Continue
13 Enter and confirm the secure storage master key Sophos1985!!
14 Select I have stored the master key in a password manager or another secure location, then click Continue
15 The Sophos Firewall will fail to connect to the Internet, click Manual configuration to configure the WAN interface

16 Configure the WAN interface with the following settings:

Setting                       Value
Choose a port to configure    PortB
Interface type                Static IP address
IP address                    10.1.1.100
Subnet                        /24 (255.255.255.0)
Gateway name                  Isp1
Gateway IP address            10.1.1.250
DNS server 1                  10.1.1.250

Leave the other settings as default.

17 Click Apply

The Sophos Firewall will apply the new settings to the WAN interface.


18 Click OK

The Sophos Firewall will retest the Internet connection. All tests should be successful.

19 Click Continue
20 Select I don’t have a serial number (Start a Trial)
21 Click Continue
22 Click Claim in Sophos Central
23 Enter the email address, then click Continue
24 Enter the password, then click Sign In

If you are prompted to set up multifactor authentication, follow the on-screen instructions.

25 Ensure the Claim with 30 days Xstream Protection, Web Server Protection and Email Protection evaluation license. option remains
selected
26 Click Claim firewall
27 Click Continue

It will take a few minutes for the new configuration to be applied to the Sophos Firewall and for the device to reboot.
You can continue to the next step.
IMPORTANT: Once the setup is complete you will not be able to connect to the web admin console until the end of Task 1 of the Getting Started with Sophos Firewall lab.

28 You will now set up London Gateway 2. Open a new tab in Chrome and navigate to https://172.16.16.15:4444

You will get a certificate warning, but it is safe to proceed.


IMPORTANT: You will not be able to register London Gateway 2 until London Gateway 1 has rebooted and is ready to service
traffic.

29 Tick the box for I accept the Sophos End User Terms of Use then click the Start setup button to start the Initial Setup Wizard
30 Click the Restore Backup link
31 Click Upload
32 Select the file C:\Config\Support\02_Lon-GW2_Preparation_Task_2

Ensure that you select the correct configuration file.

33 Click Open
34 Enter the password Sophos1985Backup
35 Click Apply
36 Enter the secure storage master key Sophos1985!!
37 Click Restore
38 Use the default interface-mapping, click Restore
39 In the ‘New admin password’ and ‘Reenter the password’ fields enter Sophos1985!


40 Deselect Install the latest firmware automatically during setup

So that the version of Sophos Firewall you are using matches this lab workbook, we will not update it during the initial setup.

41 Select I agree to the license agreement at the bottom of the page


42 Click Continue
43 Enter and confirm the secure storage master key Sophos1985!!
44 Select I have stored the master key in a password manager or another secure location, then click Continue
45 The Sophos Firewall will fail to connect to the Internet, click Manual configuration to configure the WAN interface
46 Configure the WAN interface with the following settings:

Setting                       Value
Choose a port to configure    PortB
Interface type                Static IP address
IP address                    10.1.1.115
Subnet                        /24 (255.255.255.0)
Gateway name                  Isp1
Gateway IP address            10.1.1.250
DNS server 1                  10.1.1.250

Leave the other settings as default.

47 Click Apply

The Sophos Firewall will apply the new settings to the WAN interface.

48 Click OK

The Sophos Firewall will retest the Internet connection. All tests should be successful.

49 Click Continue
50 Select I don’t have a serial number (Start a Trial)
51 Click Continue
52 Click Claim in Sophos Central
53 Enter the email address, then click Continue
54 Enter the password, then click Sign In

If you are prompted to set up multifactor authentication, follow the on-screen instructions.

55 Ensure the Claim with 30 days Xstream Protection, Web Server Protection and Email Protection evaluation license. option remains
selected
56 Click Claim firewall


57 Click Continue

It will take a few minutes for the new configuration to be applied to the Sophos Firewall and for the device to reboot.
You can continue to the next task.

You have configured a Sophos Firewall using the initial setup wizard. This configuration provides Internet access with
basic security and filtering policies applied.

Notes


Task 3 – Activate New York Gateway


Task

On New York Server

Log in as SOPHOS\Administrator.
Complete the initial setup wizard of New York Gateway, restoring a configuration file at the same time.
• The WebAdmin can be accessed at https://192.168.16.16:4444
• Set the admin password to Sophos1985!
• We recommend not installing firmware updates to ensure your Sophos Firewall matches the version this lab was written for
• Restore the configuration file C:\Config\Support\01_NY-GW_Preparation_Task_3
  o The password is Sophos1985Backup
  o Use the default interface-mapping
• Set the secure storage master key to Sophos1985!!
• The WAN interface IP address is 10.2.2.200/24
• The default gateway and DNS server are 10.2.2.250
• The hostname is ny-gw.trainingdemo.xyz
• You will need to start a new trial license

You have configured a new Sophos Firewall by restoring a configuration backup.

Notes

Solution Walkthrough

On New York Server


1 Login as SOPHOS\Administrator

The password is Sophos1985.

2 Open Chrome and navigate to https://192.168.16.16:4444

The IP address of PortA has been modified on this device using the console menu.
You will get a certificate warning, but it is safe to proceed.

3 Tick the box for I accept the Sophos End User Terms of Use then click the Start setup button to start the Initial Setup Wizard
4 Click the Restore Backup link
5 Click Upload
6 Select the file C:\Config\Support\01_NY-GW_Preparation_Task_3
7 Click Open
8 Enter and confirm the password Sophos1985Backup
9 Click Apply
10 Use the default interface-mapping, click Restore


11 In the ‘New admin password’ and ‘Reenter the password’ fields enter Sophos1985!
12 Deselect Install the latest firmware automatically during setup

So that the version of Sophos Firewall you are using matches this lab workbook, we will not update it during the initial setup.

13 Select I agree to the license agreement at the bottom of the page


14 Click Continue
15 Enter and confirm the secure storage master key Sophos1985!!
16 Select I have stored the master key in a password manager or another secure location, then click Continue
17 The Sophos Firewall will fail to connect to the Internet, click Manual configuration to configure the WAN interface
18 Configure the WAN interface with the following settings:

Setting                       Value
Choose a port to configure    PortB
Interface type                Static IP address
IP address                    10.2.2.200
Subnet                        /24 (255.255.255.0)
Gateway name                  Isp1
Gateway IP address            10.2.2.250
DNS server 1                  10.2.2.250

Leave the other settings as default.

19 Click Apply

The Sophos Firewall will apply the new settings to the WAN interface.

20 Click OK

The Sophos Firewall will retest the Internet connection. All tests should be successful.

21 Click Continue
22 Select I don’t have a serial number (Start a Trial)
23 Click Continue
24 Click Claim in Sophos Central
25 Enter the email address, then click Continue
26 Enter the password, then click Sign In

If you are prompted to set up multifactor authentication, follow the on-screen instructions.

27 Ensure the Claim with 30 days Xstream Protection, Web Server Protection and Email Protection evaluation license. option remains
selected
28 Click Claim firewall


29 Click Continue

It will take a few minutes for the new configuration to be applied to the Sophos Firewall and for the device to reboot.
You can continue to the next lab.

You have configured a new Sophos Firewall by restoring a configuration backup.

Notes


Getting Started with Sophos Firewall


Task 1 – Cannot Connect to the Web Admin Console
On London DC

Try to connect to the web admin console of London Gateway 1 using either:
• https://lon-gw1.trainingdemo.xyz:4444
• https://172.16.16.16:4444
You will be unable to connect.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 2 – Cannot Access Server in New York from London (Scenario 1)


On London DC

Log in to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\03_Lon-GW1_Getting_Started_Task_2. The password for the configuration file is Sophos1985Backup.
Once the backup has been restored, try to navigate to http://ny-server.ad.trainingdemo.xyz; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Base Firewall
Task 1 – Cannot Access Server in New York from London (Scenario 2)
On New York Server

Log in to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\02_NY-GW_Base_Firewall_Task_1.

On London DC

Log in to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\04_Lon-GW1_Base_Firewall_Task_1.
Once the configuration has been restored on both Sophos Firewalls, try to navigate to http://ny-server.ad.trainingdemo.xyz; this will fail.
Note: If the page appears to load it may be cached from the previous task. You may need to force refresh the page, close the tab, or clear the cache to show the failed state.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 2 – DNAT Not Working (Scenario 1)


On London DC

Log in to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\05_Lon-GW1_Base_Firewall_Task_2. The password for the configuration file is Sophos1985Backup.

On New York Server

Log in to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\03_NY-GW_Base_Firewall_Task_2. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on both Sophos Firewalls, open Remote Desktop Connection from the Start menu. Connect to lon-server2.trainingdemo.xyz; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 3 – DNAT Not Working (Scenario 2)


On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\06_Lon-GW1_Base_Firewall_Task_3. The password for the configuration file is Sophos1985Backup.

On New York Server:
Once the configuration has been restored on London Gateway 1, open Remote Desktop Connection from the Start menu. Connect to lon-server2.trainingdemo.xyz; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 4 – Remote Desktop Not Working


On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\07_Lon-GW1_Base_Firewall_Task_4. The password for the configuration file is Sophos1985Backup.

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\04_NY-GW_Base_Firewall_Task_4. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on both Sophos Firewalls, open Remote Desktop Connection from the Start menu. Connect to lon-server2.trainingdemo.xyz, then login as johnsmith with the password Sophos1985; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Network Protection
Task 1 – Cannot Register Sophos Firewall with Sophos Central
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\08_Lon-GW1_Network_Protection_Task_1. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on London Gateway 1, login as admin with the password Sophos1985!.
Navigate to SYSTEM > Sophos Central.
Register with the email address [email protected] and the password Sophos1985; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 2 – Endpoint Cannot Establish a Heartbeat with Sophos Firewall


Important: You must have successfully registered the Sophos Firewall with Sophos Central to complete this task.
London Server 2 cannot establish a heartbeat with London Gateway 1.
On London DC
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Site-to-Site Connections
Task 1 – IPsec VPN Could Not Be Established (Scenario 1)
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\09_Lon-GW1_Site_to_Site_Task_1. The password for the configuration file is Sophos1985Backup.

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\05_NY-GW_Site_to_Site_Task_1. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on both Sophos Firewalls, try to establish the IPsec connection; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 2 – IPsec VPN Could Not Be Established (Scenario 2)


On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\10_Lon-GW1_Site_to_Site_Task_2. The password for the configuration file is Sophos1985Backup.

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\06_NY-GW_Site_to_Site_Task_2. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on both Sophos Firewalls, try to establish the IPsec connection; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Authentication
Task 1 – User Cannot Authenticate
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\11_Lon-GW1_Authentication_Task_1. The password for the configuration file is Sophos1985Backup.
The Secure Storage Master Key is Sophos1985!!.
Once the configuration has been restored on London Gateway 1, navigate to https://lon-gw1.ad.trainingdemo.xyz:8090 and login as johnsmith with the password Sophos1985; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Task 2 – User Not Authenticated With STAS


On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\12_Lon-GW1_Authentication_Task_2. The password for the configuration file is Sophos1985Backup.
The Secure Storage Master Key is Sophos1985!!.
Log off from London DC.
Login as TRAININGDEMO\johnsmith with the password Sophos1985 by right-clicking on London DC and using the option to Connect without credentials.

Open Google Chrome and login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to MONITOR & ANALYZE > Current activities.
John Smith will not be authenticated.
Identify the cause of the problem and the solution, then write them in the table below.
Note: We have seen the solution take some time to take effect.
Once you have completed this lab, log back into London DC as Administrator.

Student Notes

Cause

Solution


Web Protection
Task 1 – Site Incorrectly Blocked for User
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\13_Lon-GW1_Web_Protection_Task_1. The password for the configuration file is Sophos1985Backup.
Once the configuration has been restored on London Gateway 1, navigate to https://lon-gw1.ad.trainingdemo.xyz:8090 and login as lucyfox with the password Sophos1985.
Navigate to http://mail.internet.www; this will fail. This site should be accessible to all users in Lucy Fox’s department.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Application Control
Task 1 – Application Not Working for User
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\14_Lon-GW1_Application_Control_Task_1. The password for the configuration file is Sophos1985Backup.
Wait for the configuration to be restored and the Sophos Firewall to reboot.

On London Server 2:
Login as lucyfox with the password Sophos1985.
Open PuTTY from the Desktop. Connect to internet.www; this will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Remote Access
Task 1 – Remote Access VPN Could Not Be Established (Scenario 1)
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\15_Lon-GW1_Remote_Access_Task_1. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\07_NY-GW_Remote_Access_Task_1. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!
Once the configuration has been restored on both Sophos Firewalls, try to login to the remote access VPN in Sophos Connect as johnsmith with the password Sophos1985; this will fail.
Note: If the VPN configuration is missing, import the file C:\Config\Support\SophosVPN.scx
Identify the cause of the problem and the solution, then write them in the table below.
Note: When the VPN connects, it can cause the RDP connection to disconnect and reconnect. This is because the network settings of the computer are being updated.

Student Notes

Cause

Solution


Task 2 – Remote Access VPN Could Not Be Established (Scenario 2)


On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\16_Lon-GW1_Remote_Access_Task_2. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\08_NY-GW_Remote_Access_Task_2. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!
Delete the ‘SophosVPN’ connection in Sophos Connect using the configuration icon.
Import the automatic provisioning file from C:\RemoteAccessVPN\VPNConf.pro and login as johnsmith with the password Sophos1985. This will fail. Ensure you are using the newly imported VPN lon-gw1.trainingdemo.xyz.
Identify the cause of the problem and the solution, then write them in the table below.

Note: When the VPN connects, it can cause the RDP connection to disconnect and reconnect. This is because the network settings of the computer are being updated.

Student Notes

Cause

Solution


Web Server Protection


Task 1 – Error Using Webmail Server
On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\17_Lon-GW1_Web_Server_Protection_Task_1. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!

On New York Server:
Login to New York Gateway as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\09_NY-GW_Web_Server_Protection_Task_1. The password for the configuration file is Sophos1985Backup.
The secure storage master key is Sophos1985!!
Navigate to https://webmail.trainingdemo.xyz/MEWebMail and login as fredrogers with the password Sophos1985. This will fail.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


High Availability
Task 1 – Cannot Enable High Availability

If you have not resolved the issue from the previous task

On London DC:
Login to London Gateway 1 as admin with the password Sophos1985!.
Navigate to SYSTEM > Backup & Firmware and restore the backup C:\Config\Support\18_Lon-GW1_High_Availability_Task_1. The password for the configuration file is Sophos1985Backup.
Login to the WebAdmin of London Gateway 2 as admin with the password Sophos1985!.
Enable High Availability using the following settings:
• Initial device role: Auxiliary
• HA configuration mode: Interactive mode
• Passphrase: Leave as default
• Dedicated HA Link: PortH
Login to the WebAdmin of London Gateway 1 as admin with the password Sophos1985!.
Enable High Availability using the following settings:
• Initial device role: Primary (active-passive)
• HA configuration mode: Interactive mode
• Passphrase: Leave as default
• Dedicated HA Link: PortH
• Dedicated peer HA link IPv4 address: 10.4.4.15
• Select ports to be monitored: PortA, PortB, PortC
• Peer administration IPv4 address: 172.16.16.100
High availability will fail to initiate.
Identify the cause of the problem and the solution, then write them in the table below.

Student Notes

Cause

Solution


Appendix
Environment Overview
The environment used to complete these labs is comprised of multiple computers, connected via a simple network.

Computer Description

LON-GW1.AD.TRAININGDEMO.XYZ
This is a Sophos Firewall and is the default gateway for the London head office networks. Throughout this workbook this will be referred to as London Gateway 1.
Interfaces
PortA: LAN: 172.16.16.16 (/24)
PortB: WAN: 10.1.1.100 (/24) GW: 10.1.1.250
PortC: LAN: 172.17.17.16 (/24)
PortD: INTRANET: 172.25.25.16 (/24)
PortE: DMZ: 172.30.30.16 (/24)
PortF: WAN: 10.3.3.100 (/24) GW: 10.3.3.250
PortG: MPLS: 10.100.100.65 (/29)
PortH: HA: 10.4.4.16 (/24)

LON-GW2.AD.TRAININGDEMO.XYZ
This is a Sophos Firewall and is a gateway for the London head office networks. Throughout this workbook this will be referred to as London Gateway 2.
Interfaces
PortA: LAN: 172.16.16.15 (/24)
PortB: WAN: 10.1.1.115 (/24) GW: 10.1.1.250
PortC: LAN: 172.17.17.15 (/24)
PortD: INTRANET: 172.25.25.15 (/24)
PortE: DMZ: 172.30.30.15 (/24)
PortF: WAN: 10.3.3.115 (/24) GW: 10.3.3.250
PortG: MPLS: 10.100.100.66 (/29)
PortH: HA: 10.4.4.15 (/24)

LON-DC.AD.TRAININGDEMO.XYZ
This is a Windows domain controller for the ad.trainingdemo.xyz domain. It runs an SMTP server, webmail, DNS, Active Directory, and a certificate authority. Throughout this workbook this will be referred to as London DC.
Interfaces
LAN: 172.16.16.10 (/24)

LON-SERVER2.AD.TRAININGDEMO.XYZ
This is a Windows 10 Computer. Throughout this workbook this will be referred to as London Server 1.
Interfaces
LAN: 172.16.16.20 (/24)

LON-INTRANET.AD.TRAININGDEMO.XYZ
This is a Debian Linux server running a simple website. The server is located on a separate subnet. Throughout this workbook this will be referred to as London Intranet.
Interfaces


INTRANET: 172.25.25.40 (/24)


INTRANET: 172.25.25.41 (/24)

STORE.AD.TRAININGDEMO.XYZ
This is a Debian Linux server running a simple website. Throughout this workbook this will be referred to as Store Website.
Interfaces
DMZ: 172.30.30.50 (/24)

NY-GW.AD.TRAININGDEMO.XYZ
This is a Sophos Firewall and is the default gateway for the ad.trainingdemo.xyz network. Throughout this workbook this will be referred to as New York Gateway.
Interfaces
PortA: LAN: 192.168.16.16 (/24)
PortB: WAN: 10.2.2.200 (/24) GW: 10.2.2.250
PortC: LAN: 172.25.25.17 (/24)
PortD: MPLS: 10.100.100.70 (/29)
PortE: WAN: 10.3.3.200 (/24) GW: 10.3.3.250

NY-SERVER.AD.TRAININGDEMO.XYZ
This is a Windows 2016 Server. In this environment it’s used as a client. It runs an SMTP server, webmail, DNS, Active Directory, and a certificate authority. Throughout this workbook this will be referred to as New York Server.
Interfaces
LAN: 192.168.16.30 (/24)

WAREHOUSE.AD.TRAININGDEMO.XYZ
This is a Debian Linux server running a simple website. The server is located on a separate subnet. Throughout this workbook this will be referred to as New York Warehouse.
Interfaces
LAN: 172.25.25.60 (/24)

INTERNET.WWW
This is a Debian Linux server which provides central DNS and routing for the simulated Internet, as well as running a webmail server, simple website, and certificate authority. Throughout this workbook this will be referred to as Internet.
Interfaces
WAN: 10.1.1.250 (/24)
WAN: 10.2.2.250 (/24)
WAN: 10.3.3.250 (/24)


User Accounts
The table below details the user accounts in the lab environment.

Username | Full name | Password | Scope and privileges
TRAININGDEMO\administrator | Administrator | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain administrator
TRAININGDEMO\johnsmith | John Smith | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain User
TRAININGDEMO\rbrown | Rob Brown | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain User
TRAININGDEMO\spage | Sally Page | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain User
TRAININGDEMO\lucyfox | Lucy Fox | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain User
TRAININGDEMO\fredrogers | Fred Rogers | Sophos1985 | AD.TRAININGDEMO.XYZ; Domain User
root | Root | Sophos1985 | DMZ Website, London Intranet, New York Warehouse, Internet; Local Administrator
sophos | Sophos | Sophos1985 | DMZ Website, London Intranet, New York Warehouse, Internet; Local User
Jbrown | Jim Brown | Sophos1985 | Internet; Local User
