I set this up on a lab unit before I touched production. This is the Sophos Firewall v22 configuration I use to keep rules tight without making the box miserable to run. The basics are simple enough, but the details matter.
Start with preparation. Check device support and free disk space. SFOS v22 wants more room than older releases, so take a backup and confirm the device has the headroom it needs. I export the current config, keep it off-box, and snapshot any hypervisor image. Log into the admin console or Sophos Central and check firmware compatibility before you upgrade. Get clock, DNS and NTP right too; they affect certificate checks and logging. I switch on SSH for a short maintenance window and keep console access ready. If you run High Availability, upgrade the passive unit first and follow the vendor’s HA flow.
When I build firewall rules, I keep them strict and readable. Name every rule with a prefix that shows intent and owner, for example: MGT-SSH-ADMIN, INT-OUT-HTTP-HTTPS. Order rules by purpose, not by protocol. A simple set I use looks like this: management rules first, explicit allow rules for trusted services next, VPN and inter-zone rules after that, a logged allow for guest or temporary access, then a final deny with logging turned on. Keep the rules narrow. Use network objects and host groups instead of wide IP ranges. Use service objects for specific ports, for example TCP/22 for SSH or TCP/443 for HTTPS. Turn on logging for rules that matter. Check hit counts after 24–48 hours and prune rules that never match. For NAT, I prefer source NAT for outbound internet, and I only create DNAT entries where required. For TLS inspection, I test one service and a small user group first; certificate problems break services quickly.
Test every change. I use three checks. First, a connectivity test from a representative client using ping, traceroute and curl for web services. Second, a policy hit test: create a temporary rule that logs and allows traffic, then confirm hits appear in the console. Third, regression testing: run a small set of user tasks that cover mail, file shares and web apps. Gather user feedback after the maintenance window and compare it with log entries. If users report slowness, compare timestamps with the firewall health metrics. For automation, use the Sophos REST API to export and import object lists, rotate simple rules, or push small ACL changes. I script routine exports and simple inventory reports in Python, call the API, and save JSON snapshots. For repetitive rule changes I use object templates and tag rules so the script can match and update them safely.
Keep an eye on network performance and false positives. Enable the Firewall Health Check feature if it is available and schedule it. Watch CPU, memory and interface utilisation in the console. Use flow-based reporting and application control to see top talkers and heavy apps. If a NAT or rule causes asymmetric routing, packet inspection will spike CPU and latency will rise; move heavy inspection off the box or tune the inspection policy. For bandwidth shaping, apply application or user-based shaping so one host does not saturate the uplink. Collect and act on user feedback. Ask a small group to test key applications and record exact times and actions. Compare their reports with firewall logs and connection tables to find the rule or inspection path causing the issue.
My final checklist for a tidy Sophos Firewall v22 configuration: confirm disk and device support, back up the config, use clear rule names and narrow objects, enable targeted logging and hit-count review, script exports and simple rule changes via the API, run targeted tests after each change, and monitor health metrics for CPU, memory and interface load.



