Sophos Firewall Configuration Audit
Audit your Sophos XG or XGS config in 60 seconds.
Upload your Sophos backup — XML Entities export or the PostgreSQL pgdump tarball. Get a posture score, prioritized risks, Device Access (SFOS-MGMT) review, NAT exposure analysis, and ready-to-paste fixes — without installing an agent or handing over Sophos Central API keys.
No agent, no API key, no Sophos Central plumbing. Both XG and XGS backup formats handled. Raw backup parsed in memory and discarded.
Both backup formats, one minute
XML Entities export OR the PostgreSQL pgdump tarball — both parsed by the same scanner. No need to convert legacy XG backups before uploading. Full posture report in under 60 seconds.
SFOS-specific failure modes
Beyond cross-vendor checks: SFOS-MGMT (admin services on WAN), SFOS-NAT (risky DNAT exposure), SFOS-SDWAN (policy routing that bypasses security), SFOS-HYG (patch hygiene). The classes of issue that actually surface on Sophos.
Security Advisory CVEs tied to your config
SFOS firmware is matched against Sophos Security Advisories, CISA KEV, and NVD. CVEs are only surfaced if the affected feature (SSL-VPN, WAF, ATP, Sandstorm) is actually enabled.
What CRWLR finds in a Sophos config
Admin HTTPS reachable from WAN — Sophos Security Advisory SA-2024-0008 applies
Device Access shows HTTPS admin service enabled on the WAN zone with no source-IP restriction. At your current SFOS version, advisory SA-2024-0008 (pre-auth RCE on the web admin) applies. Either restrict the admin source list or patch to a fixed release.
# Web admin: Administration → Device Access
# 1. Uncheck HTTPS for the WAN zone (preferred), OR
# 2. Add a "Local service ACL" rule restricting admin
# sources to a /32 set you actually trust:
# Administration → Device Access → Local service ACL
# Add rule:
# Source zones : WAN
# Source networks : <admin-bastion-ip>/32, <office-vpn>/32
# Services : HTTPS, SSH
# Action : Accept
# Default-deny everything else from WAN to admin services.
Every finding ships with the web-admin navigation path, the exact backup line that triggered it, the Security Advisory reference, and a plain-English explanation of why it matters and what changes after you apply the fix.
Frequently asked
Which Sophos platforms and SFOS versions are supported?
Both Sophos XG (legacy) and the XGS series — XGS-87, XGS-107, XGS-116, XGS-126, XGS-136, XGS-2100, XGS-3100, XGS-3300, XGS-4300, XGS-5500, XGS-6500. Tested against SFOS 18.x, 19.x, and 20.x. If you are mid-migration from XG to XGS, both legacy and current backups are handled by the same scanner.
How do I export my Sophos firewall configuration?
From the web admin: System → Backup & Firmware → Backup & Restore → Take Backup → choose unencrypted format. Both backup formats CRWLR ingests work: the XML Entities export and the PostgreSQL dump (.tar.gz containing pgdump). For Sophos Central-managed firewalls, take the backup at the device level — Central exports do not include the per-device rule state.
What does CRWLR actually check in a Sophos config?
140 checks spanning Firewall Rule hygiene, zone and interface segmentation, Web Filtering and Application Control depth, ATP (Advanced Threat Protection) status, IPS profile assignment, WAF coverage, Synchronized Security / Heartbeat state, Device Access (SFOS-MGMT) — admin services exposed to WAN, NAT hygiene (SFOS-NAT), SD-WAN policy routing exposure (SFOS-SDWAN), and SFOS firmware CVE exposure. Full list at /security.
Is my Sophos backup stored anywhere?
No. The backup is decompressed and parsed in memory and discarded at the end of the scan. Only the normalized findings, scores, and per-rule analysis are persisted to your tenant. Pgdump backups can contain sensitive metadata (admin password hashes, RADIUS shared secrets) — the parser drops these fields before any normalized data is written.
Does CRWLR check SFOS firmware CVEs?
Yes. Firmware is matched against CISA KEV, NVD, and the Sophos Security Advisories feed, deduplicated across sources. CVEs are filtered to only those that affect features actually enabled in your config — an SSL-VPN vulnerability is only flagged if SSL-VPN is on, a WAF vulnerability only if WAF rules exist.
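As an added illustration of the gating described above (surface a CVE only when the firmware is in the affected range and the affected feature is actually enabled, and merge the same CVE seen in more than one feed), here is example Python that is not CRWLR's or Sophos's code. Every advisory record, CVE id, version range and the config dictionary below is constructed with placeholder values; the version parser is a deliberate simplification of SFOS version strings and only keeps the leading dotted numbers.

```python
"""Added example (not CRWLR's or Sophos's code): feature- and version-gated
advisory matching with cross-feed de-duplication.  All records are constructed
placeholders, not real Sophos, KEV or NVD data."""

# Constructed feed records.  'affected_from' is inclusive, 'fixed_in' exclusive.
ADVISORIES = [
    {"source": "Sophos SA", "id": "SA-PLACEHOLDER-1", "cve": "CVE-XXXX-0001",
     "feature": "ssl_vpn", "affected_from": "18.0.0", "fixed_in": "19.5.3"},
    {"source": "Sophos SA", "id": "SA-PLACEHOLDER-2", "cve": "CVE-XXXX-0002",
     "feature": "waf", "affected_from": "19.0.0", "fixed_in": "20.0.1"},
    # Same CVE again from a second feed: must collapse into one finding.
    {"source": "CISA KEV", "id": "KEV-PLACEHOLDER", "cve": "CVE-XXXX-0002",
     "feature": "waf", "affected_from": "19.0.0", "fixed_in": "20.0.1"},
    {"source": "NVD", "id": "NVD-PLACEHOLDER", "cve": "CVE-XXXX-0003",
     "feature": "web_admin", "affected_from": "19.0.0", "fixed_in": "19.5.4"},
]

# Constructed, already-normalized view of one firewall's config (hypothetical keys).
SAMPLE_CONFIG = {
    "firmware": "19.5.2 MR-2",
    "ssl_vpn": {"enabled": False},        # SSL-VPN is off on this box
    "waf_rules": ["wan-to-exchange"],      # at least one WAF rule exists
    "atp_enabled": True,
}


def parse_version(v):
    """'19.5.2 MR-2' -> (19, 5, 2).  Simplification: drop any suffix after the
    first space and pad missing components with 0, so '20' -> (20, 0, 0)."""
    core = v.strip().split()[0]
    nums = [int(p) for p in core.split(".")]
    return tuple((nums + [0, 0, 0])[:3])


def enabled_features(config):
    """Derive the set of enabled features from the normalized config."""
    feats = {"web_admin"}  # the admin UI is always present on the device
    if config.get("ssl_vpn", {}).get("enabled"):
        feats.add("ssl_vpn")
    if config.get("waf_rules"):
        feats.add("waf")
    if config.get("atp_enabled"):
        feats.add("atp")
    return feats


def applicable_advisories(config, advisories=ADVISORIES):
    """Return one merged finding per CVE that (a) covers this firmware version
    and (b) affects a feature that is enabled; other records are suppressed."""
    v = parse_version(config["firmware"])
    feats = enabled_features(config)
    merged = {}
    for adv in advisories:
        lo, hi = parse_version(adv["affected_from"]), parse_version(adv["fixed_in"])
        if not (lo <= v < hi):
            continue  # firmware predates the bug or already carries the fix
        if adv["feature"] not in feats:
            continue  # affected feature not enabled: do not surface the CVE
        entry = merged.setdefault(adv["cve"], {
            "cve": adv["cve"], "feature": adv["feature"],
            "fixed_in": adv["fixed_in"], "sources": []})
        entry["sources"].append(adv["source"])
    return [merged[c] for c in sorted(merged)]


if __name__ == "__main__":
    for hit in applicable_advisories(SAMPLE_CONFIG):
        print(hit["cve"], hit["feature"], "fixed in", hit["fixed_in"], hit["sources"])
```

With the constructed input, the SSL-VPN advisory is suppressed because SSL-VPN is disabled even though the firmware is in its affected range, the WAF CVE is reported once with both feeds listed as sources, and the web-admin CVE is reported from NVD alone.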
How are the SFOS-specific checks different from generic firewall checks?
Sophos has device-class checks the engine runs in addition to the cross-vendor checks: SFOS-MGMT (admin services like SSH, HTTPS, SNMP reachable from WAN), SFOS-NAT (risky services exposed via DNAT — RDP, SMB, Telnet), SFOS-SDWAN (policy-based routing rules that bypass intended security paths), and SFOS-HYG (patch hygiene relative to current SFOS release). These reflect failure modes that show up specifically on Sophos deployments, not generic best-practice nags.
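As an added illustration of how the SFOS-MGMT and SFOS-NAT classes just described (and the Device Access finding shown earlier on this page) can be expressed as checks over a backup, here is example Python that is not CRWLR's or Sophos's code. It runs over a constructed, hypothetical XML fragment; the element and attribute names (DeviceAccess, LocalServiceACL, NATRules, inzone, dstport and so on) are stand-ins for illustration, not the real Entities export schema.

```python
"""Added example (not CRWLR's or Sophos's code): SFOS-MGMT and SFOS-NAT style
checks over a constructed, simplified backup.  The XML layout below is a
hypothetical stand-in for the real Sophos Entities export."""
import xml.etree.ElementTree as ET

# Constructed sample backup (hypothetical schema, documentation-range addresses).
SAMPLE_BACKUP = """<Configuration>
  <DeviceAccess>
    <Zone name="WAN"><Service>HTTPS</Service><Service>SSH</Service></Zone>
    <Zone name="LAN"><Service>HTTPS</Service></Zone>
  </DeviceAccess>
  <LocalServiceACL>
    <Rule zone="WAN" service="SSH" source="203.0.113.10/32" action="Accept"/>
  </LocalServiceACL>
  <NATRules>
    <Rule name="RDP-to-jump" inzone="WAN" dstport="3389" action="DNAT"/>
    <Rule name="Web" inzone="WAN" dstport="443" action="DNAT"/>
    <Rule name="SMB-internal" inzone="LAN" dstport="445" action="DNAT"/>
  </NATRules>
</Configuration>"""

ADMIN_SERVICES = {"HTTPS", "SSH", "SNMP"}
RISKY_DNAT_PORTS = {"3389": "RDP", "445": "SMB", "139": "SMB", "23": "Telnet"}


def _is_single_host(cidr):
    """True only for a /32 (or a bare IPv4 address); any wider range fails."""
    return cidr.endswith("/32") or "/" not in cidr


def check_mgmt(root):
    """SFOS-MGMT: an admin service enabled on the WAN zone counts as exposed
    unless every accepting Local service ACL source for it is host-scoped."""
    restricted = {}  # service -> WAN sources that an Accept ACL rule allows
    for rule in root.findall("./LocalServiceACL/Rule"):
        if rule.get("zone") == "WAN" and rule.get("action") == "Accept":
            restricted.setdefault(rule.get("service"), []).append(rule.get("source"))
    findings = []
    for zone in root.findall("./DeviceAccess/Zone"):
        if zone.get("name") != "WAN":
            continue
        for svc in zone.findall("Service"):
            name = svc.text.strip()
            if name not in ADMIN_SERVICES:
                continue
            sources = restricted.get(name, [])
            if not sources or not all(_is_single_host(s) for s in sources):
                findings.append({
                    "check": "SFOS-MGMT", "service": name,
                    "detail": "enabled on WAN without a host-scoped Local service ACL",
                    "fix": "Administration > Device Access: uncheck %s for WAN, "
                           "or add a Local service ACL limited to /32 sources" % name,
                })
    return findings


def check_nat(root):
    """SFOS-NAT: DNAT rules that expose RDP/SMB/Telnet from the WAN zone."""
    findings = []
    for rule in root.findall("./NATRules/Rule"):
        port = rule.get("dstport")
        if (rule.get("action") == "DNAT" and rule.get("inzone") == "WAN"
                and port in RISKY_DNAT_PORTS):
            findings.append({
                "check": "SFOS-NAT", "rule": rule.get("name"),
                "service": RISKY_DNAT_PORTS[port], "port": port,
                "fix": "remove the DNAT or reach the host over VPN / a source allow-list",
            })
    return findings


def audit(xml_text):
    """Parse the backup in memory and return all findings, MGMT first."""
    root = ET.fromstring(xml_text)
    return check_mgmt(root) + check_nat(root)


if __name__ == "__main__":
    for finding in audit(SAMPLE_BACKUP):
        print(finding)
```

On the constructed input, SSH on WAN passes because its only ACL source is a /32, HTTPS on WAN is flagged because no ACL restricts it, the RDP DNAT from WAN is flagged, and the SMB DNAT is ignored because its inbound zone is LAN. Replacing the /32 with 0.0.0.0/0 would flag SSH as well, which is the distinction between an ACL that exists and one that actually restricts anything.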
Can I use this across dozens of Sophos firewalls for MSP work?
Yes. CRWLR supports bulk import (drop a ZIP of XG/XGS backups), scheduled re-scans, per-firewall finding acknowledgements, and a fleet dashboard that rolls firmware risk, configuration risk, and external exposure into one composite score across your whole estate. Sophos Central-managed and standalone firewalls both work.
Do I get UI/CLI fixes or just findings?
Both. Every finding includes the exact web-admin navigation path (e.g. Protect → Rules and policies → Firewall rules → ...) and, where Sophos provides a CLI equivalent (advanced shell, `console>`), the corresponding command. Pasteable wherever your team operates from.
Upload your Sophos backup. See the gaps in 60 seconds.
No credit card. No agent to install. The raw backup never touches our storage.
Start Free Scan →