I set this up on a lab unit before touching production. I describe the Sophos Firewall v22 configuration I use to balance security and performance. Read this and apply the checks and steps to your appliance. Expect concrete examples, commands and the tests I run.
Start with preparation. Check device support and free disk space. SFOS v22 needs more disk room than older releases, so make a backup and verify the device has the required headroom. I export the current config, save it off-box, and snapshot any hypervisor image. Log into the admin console or Sophos Central and confirm firmware compatibility before upgrading. Make sure clock, DNS and NTP are correct; they affect certificate checks and logging. I enable SSH for a short maintenance window and have console access ready. If you use High Availability, plan the upgrade for the passive unit first and follow the vendor’s HA flow.
When I build firewall rules I keep them strict and readable. Name every rule with a prefix showing intent and owner, for example: MGT-SSH-ADMIN, INT-OUT-HTTP-HTTPS. Order rules by purpose, not by protocol. A simple set I use looks like this: management rules first, explicit allow rules for trusted services next, VPN and inter-zone rules after that, a monitored allow for guest or temporary access, then a final deny with logging turned on. Make rules narrow. Use network objects and host groups instead of wide IP ranges. Use service objects for specific ports, for example TCP/22 for SSH or TCP/443 for HTTPS. Turn on logging for rules that matter. Check hit counts after 24–48 hours and prune rules that never match. For NAT, prefer source NAT for outbound internet, and only create DNAT entries where required. For TLS inspection, test with a single service and a small user group before enabling it broadly; certificate issues break services fast.
Test every change. I use three verifications. First, a connectivity test from a representative client using ping, traceroute and curl for web services. Second, a policy hit test: create a temporary rule that logs and allows traffic, then confirm hits appear in the console. Third, regression testing: run a small suite of user tasks that cover mail, file shares and web apps. Gather user feedback after the maintenance window and correlate it to log entries. If users report slowness, compare timestamps with the firewall health metrics. For automation, use the Sophos REST API to export and import object lists, rotate simple rules, or deploy small ACL changes. I script routine exports and simple inventory reports in Python, calling the API and saving JSON snapshots. For repetitive rule changes I use object templates and tag rules so the script can match and update them safely.
Keep an eye on network performance and false positives. Enable the Firewall Health Check feature if available and schedule it. Monitor CPU, memory and interface utilisation in the console. Use flow-based reporting and application control to see top talkers and heavy apps. If a NAT or rule is causing asymmetric routing, packet inspection will spike CPU and latency will rise; move heavy inspection off the box or tune the inspection policy. For bandwidth shaping, apply application or user-based shaping to stop a single host from saturating uplinks. Collect and act on user feedback. Ask a small group to test key applications and record exact times and actions. Correlate their reports with firewall logs and connection tables to find the rule or inspection causing the issue.
My final checklist for a tidy Sophos Firewall v22 configuration: confirm disk and device support, back up config, use clear rule names and narrow objects, enable targeted logging and hit-count review, script exports and simple rule changes via the API, run targeted tests after each change, and monitor health metrics for CPU, memory and interface load. Those steps keep security tight and network performance predictable.
