Sophos XG Firewall Architect (XGFA) (19.5)

This course is designed for experienced technical professionals who will be administrating Sophos Firewall and provides an overview of the product, including an introduction to the major capabilities and core configuration concepts.

Target audience

This course is designed for experienced technical professionals who will be planning, installing, configuring and supporting deployments in production environments. And for individuals wishing to obtain the XG Firewall Certified Architect certification.


On completion of this course, trainees will be able to:

  • Deploy Sophos Firewall in complex network environments
  • Explain how Sophos Firewall processes traffic and use this information to inform the configuration
  • Configure advanced networking and protection features
  • Protect web applications using the web server protection


Prior to attending this course, trainees should:

  • Have completed and passed the Sophos Firewall – Certified Engineer course

We recommend students have the following knowledge and experience:

  • Windows networking and the ability to troubleshoot issues
  • A good understanding of IT security
  • Configuring network security devices
  • Configuring and administering Linux/UNIX systems


To complete this course, trainees must take and pass an online assessment. Trainees will have 3 hours to complete the assessment; the pass mark is 80% and trainees will have 3 attempts to pass.


3 days

Show details

Course Modules

Module 1: Sophos Firewall Deployment (25 mins)

  • Considerations for Deploying Sophos Firewall in common scenarios
  • Deploying Sophos Firewall in Discover Mode
  • Labs (50 mins)
    • Register for a Sophos Central evaluation
    • Activate the Sophos Firewall

Module 2: Getting Started with Sophos Firewall (25 mins)

  • Advanced Interface Configuration on Sophos Firewall 
  • Advanced Routing and SD-WAN Configuration on Sophos Firewall
  • Dynamic Routing on Sophos Firewall 
  • Considerations for Configuring Device Access on Sophos Firewall 
  • Labs (85 mins)
    • Multiple WAN Link
    • SD WAN Profiles
    • Create a policy-based route for an MPLS scenario
    • Configure Device Access
    • Bridge Interfaces

Module 3: Base Firewall (45 mins)

  • Advanced Firewall Rule Management on Sophos Firewall
  • Advanced NAT Configuration on Sophos Firewall 
  • Network Traffic Shaping on Sophos Firewall
  • Labs (35 mins)
    • Load-Balanced NAT
    • Local NAT Policy
    • Install Sophos Central

Module 4: Network Protection

  • Advanced IPS Configuration
  •  Advanced DoS Protection
  • Managing and Deploying Security Heartbeat on Sophos Firewall
  • Labs (40 mins)
    • Advanced DoS Policy
    • Source-based Security Heartbeat
    • Destination-based Security Heartbeat
    • Missing Security Heartbeat

Module 5: Site-to-Site Connections (45 mins)

  • Advanced IPsec Site-to-Site VPN Configuration on Sophos Firewall
  • Advanced Remote Ethernet Device (RED) Configuration on Sophos Firewall
  • Labs (60 mins)
    • Create an IPsec site-to-site VPN
    • Configure VPN network NATing
    • Configure VPN failover
    • Enable RED on the Sophos Firewall
    • Create a RED tunnel between two Sophos firewalls
    • Configure routing for the RED tunnel 
    • Configure route-based VPN

Module 6: Authentication (10 mins)

  • Advanced STAS Configuration 
  • Labs (35 mins)
    • Configure an Active Directory Authentication Server
    • Configure Single Sign-On using STAS
    • Authenticate users over a site-to-site VPN

Module 7: Web Protection (15 mins)

  • Managing TLS Decryption for Web Protection on Sophos Firewall
  • Labs (25 mins)
    • Install the SSL CA Certificate
    • Configure TLS Inspection Rules
    • Configure a custom web policy for users

Module 8: Remote Access (10 mins)

  • Advanced Sophos Remote Access VPN Configuration on Sophos Firewall 
  • Labs (45 mins)
    • Sophos Connect
    • Auto provisioning

Module 9: Wireless Protection (30 mins)

  • Troubleshooting Access Point Deployment
  • Wireless Authentication
  • Configuring Wireless Mesh Networks
  • Troubleshooting Wireless Performance

Module 10: Web Server Protection (40 mins)

  • Overview of Web Server Protection on Sophos Firewall 
  • Configuring Web Server Protection on Sophos Firewall
  • Troubleshooting Web Server Protection Policies
  • Configuring Web Server Authentication on Sophos Firewall
  • Labs (20 mins)
    • Web Application Firewall
    • Load balancing with Web Server Protection
    • Web server authentication and path-specific routing

Module 11: High Availability (30 mins)

  • Overview of High Availability on Sophos Firewal
  • Configuring High Availability on Sophos Firewall
  • Managing High Availability on Sophos Firewall
  • Troubleshooting High Availability on Sophos Firewall
  • Labs - High Availability (35 mins)
    • Active-passive cluster
    • Disable High Availability
  • Labs - Troubleshooting (20 mins)
    • Debug logging 
    • Retrieving log files 
    • Troubleshoot an issue from an imported configuration

Module 12: Public Cloud (70 mins)

  • Overview of Sophos Firewall on Public Cloud 
  • Basic Sophos Firewall Deployment on Azure
  • Sophos Firewall Deployment Scenarios on Azure 
  • Basic Sophos Firewall Deployment on AWS
  • Sophos Firewall Deployment Scenarios on AWS
  • Connecting to Amazon VPC on Sophos Firewall 
  • Simulations (20 mins)
    • Deploy Sophos Firewall on Azure
    • Deploy Sophos Firewall on AWS

Module 13 Course Review (10 mins)

  • How to find help from Sophos
  • Course review