
Sophos Firewall Threat Protection — IPS, ATP & Zero-Day Sandboxing

Sophos Firewall stops threats in three layers inside one streaming inspection engine: IPS blocks the known exploits coming at you, Advanced Threat Protection (ATP) catches the host that is already infected by spotting its phone-home traffic, and Zero-Day Protection (formerly Sandstorm) detonates unknown files in a cloud sandbox before they reach a user. This lesson maps what each layer stops, how to tune them, and the TLS gotcha that silently breaks sandboxing.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to threat protection on Sophos Firewall (2026): IPS signatures that block inbound exploits, Advanced Threat Protection (ATP) that catches already-infected hosts by their command-and-control traffic, and Zero-Day Protection (formerly Sandstorm) — the cloud sandbox plus deep-learning analysis that judges unknown files before delivery — all in one streaming DPI, with the TLS-inspection gotcha that breaks sandboxing.

Pick where you want to start

1. Three layers: IPS, ATP and Zero-Day Protection, and what each stops.
2. IPS policies: signatures, firewall rules, smart filters, tuning.
3. ATP & C2: catching the already-infected host by its phone-home.
4. Zero-Day sandbox: cloud detonation, deep learning, scoping it sanely.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does IPS catch a PC that is already infected and phoning home?

Answered in Three layers.

2. What judges a brand-new file no signature has ever seen?

Answered in Zero-Day sandbox.

3. Why might an HTTPS download never get sandboxed?

Answered in Zero-Day sandbox.

Most engineers think…

Most people lump it all together as 'the firewall scans for viruses'. In an interview that single sentence collapses three very different jobs into one and gets you caught immediately.

Sophos Firewall stops threats in three complementary layers that share one streaming inspection engine. IPS uses SophosLabs signatures to block inbound known exploits. Advanced Threat Protection (ATP) looks the other way — it catches a host that is already infected by spotting its outbound command-and-control traffic and naming that host. Zero-Day Protection (formerly Sandstorm) is a cloud sandbox plus deep learning that judges unknown files before delivery. Knowing which layer owns which direction — and that HTTPS files need TLS inspection to be scanned at all — is what separates a real answer from a hand-wave.

① Three layers, three jobs — and one streaming engine

The single most useful idea: Sophos Firewall protects you in three layers, each pointed at a different problem, and they all run inside one streaming Deep Packet Inspection (DPI) pass — not three separate scans.

IPS (Intrusion Prevention) blocks inbound known exploits — attacks against your servers and clients matched by SophosLabs signatures. Advanced Threat Protection (ATP) looks the opposite way: it catches a host that is already infected by spotting its outbound command-and-control (C2) chatter, and it names the infected internal host. Zero-Day Protection (formerly Sandstorm) handles the files nobody has a signature for yet — unknown downloads and attachments get detonated in a cloud sandbox and scored by deep learning before they reach the user.

The interview line: IPS = inbound exploits, ATP = outbound C2 from an already-owned host, Zero-Day = unknown files. Together they cover known-bad, already-bad, and never-seen-before. Security Heartbeat ties in — a detection can mark the endpoint red.

Figure 1 — Three layers, three jobs
Each Sophos Firewall layer points at a different problem — known-inbound, already-infected, and never-seen-before. (Panels: IPS — inbound exploits, SophosLabs signatures block known attacks; ATP — outbound C2, catches a host that is already infected; Zero-Day — unknown files, cloud sandbox + ML verdict before delivery.)

Figure 2 — One streaming DPI, three checks
Traffic flows through a single inspection engine that applies IPS, ATP and the unknown-file hand-off. (Flow: traffic in, matched to a firewall rule; IPS signature exploit check; ATP C2 / botnet reputation; unknown file held for sandbox; verdict: deliver or block.)
Quick check · Q1 of 10 · Understand

Which statement maps the three layers correctly?

Correct: b. IPS = inbound known exploits (signatures), ATP = outbound C2 from an already-infected host, Zero-Day Protection = unknown files sandboxed and ML-scored. Three directions, three jobs, one streaming DPI.
👉 So far: Three layers, one streaming DPI: IPS = inbound known exploits, ATP = outbound C2 from an already-infected host, Zero-Day Protection = unknown files. Heartbeat can mark the endpoint red.

② IPS policies — signatures attached to firewall rules

IPS on Sophos Firewall is signature-based. You don't toggle 'IPS on' globally and walk away — you build an IPS policy, which is a named, tunable set of signatures/rules, and you attach it to a firewall rule. Traffic matching that rule is then inspected. Default policies ship for common directions (for example LAN-to-WAN, or DMZ traffic) so you have a sane starting point.

Tune with smart filters

Inside a policy you tune with smart filters by category (e.g. web-server attacks, browser exploits), severity, and action — typically drop for confident, high-severity signatures and recommend/alert while you observe. The classic mistake is setting every signature to drop: that buries you in false positives. Scope each policy to its traffic direction, keep SophosLabs updates flowing, and promote signatures to block as you gain confidence.

IPS
SophosLabs signatures packaged into an IPS policy and attached to a firewall rule — blocks inbound known exploits, tuned by category, severity and action.

Advanced Threat Protection
Catches a host that is already infected by spotting its outbound C2/botnet traffic in DNS/IP/HTTP requests — drops, alerts and names the infected host.

Zero-Day Protection (Sandstorm)
Sends unknown web/email files to a cloud sandbox, detonates and ML-scores them, and returns a clean/malicious verdict before delivery.

Security Heartbeat
The endpoint-firewall health link in Synchronized Security — a detected threat can mark the endpoint red so policy reacts.

Name the direction each layer guards

In an interview, anchor every answer to direction: IPS guards the way in (inbound exploits via signatures), ATP guards the way out (outbound C2 from an already-infected host), and Zero-Day Protection judges unknown files. Three directions, three jobs, one streaming DPI.

Quick check · Q2 of 10 · Remember

How is IPS actually applied to traffic on Sophos Firewall?

Correct: b. You build an IPS policy (a tunable set of signatures) and attach it to a firewall rule, so matching traffic is inspected. Default policies exist for common directions as a starting point.
👉 So far: IPS = SophosLabs signatures in an IPS policy attached to a firewall rule, tuned by category/severity/action. Don't set every signature to drop — scope by direction and promote with confidence.

③ ATP — catching the host that is already infected

IPS watches attacks coming in. But what about a laptop that got infected off-network and is now sitting inside your LAN, quietly phoning home? That is Advanced Threat Protection's job. ATP inspects DNS, IP and HTTP requests and checks them against SophosLabs threat intelligence for command-and-control / botnet destinations.

When it finds C2 traffic, ATP can drop and alert — but the real value is that it identifies the infected internal host (the source IP and user), so you can isolate and clean the right machine instead of guessing. Pair that with Security Heartbeat marking the endpoint red and you get a fast, targeted response. Tune ATP with exceptions for known-good destinations that happen to look suspicious, so legitimate services aren't dropped.
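To make the ATP behaviour concrete, here is a toy check over outbound request logs, written for this lesson as an added example and not Sophos code: it matches DNS/HTTP destinations against a threat-intel set, honours an exception list for known-good destinations, and names the internal host (source IP and user) that made the requests. The log lines, domains, IPs, users and feed entries are all constructed sample data.

```python
"""Toy ATP-style check over outbound request logs (added example, not Sophos code).
Each DNS/HTTP request is checked against a threat-intel set of C2 destinations,
an exception list keeps known-good destinations from being dropped, and the
result names the internal host (source IP + user) that made the requests.
All log lines, domains, IPs and users below are constructed sample data."""

# Constructed threat-intel feed of C2/botnet destinations (placeholders only).
C2_DESTINATIONS = {
    "update-check.example-bad.test",
    "198.51.100.23",
    "cdn-sync.example-bad.test",
}
# Constructed exceptions: destinations that look suspicious but are legitimate.
EXCEPTIONS = {"cdn-sync.example-bad.test"}

# Constructed log: timestamp, source IP, user, request type, destination.
SAMPLE_LOG = """\
2026-06-19T09:01:11 10.1.5.20 priya DNS update-check.example-bad.test
2026-06-19T09:01:12 10.1.5.20 priya HTTP 198.51.100.23
2026-06-19T09:02:03 10.1.5.31 arun DNS www.example.com
2026-06-19T09:02:40 10.1.5.44 meera HTTP cdn-sync.example-bad.test
2026-06-19T09:03:15 10.1.5.20 priya DNS update-check.example-bad.test
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, user, kind, dest = line.split()
    return {"ts": ts, "src": src, "user": user, "kind": kind, "dest": dest}


def classify(event):
    """Return the ATP action for one request: drop+alert on C2, allow otherwise."""
    dest = event["dest"]
    if dest in EXCEPTIONS:
        return "allow"  # a known-good exception wins even if the feed lists it
    if dest in C2_DESTINATIONS:
        return "drop+alert"
    return "allow"


def atp_scan(log_text):
    """Return {source_ip: {"user": ..., "hits": [(ts, kind, dest), ...]}} for
    every internal host that contacted a C2 destination."""
    infected = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if classify(event) == "drop+alert":
            host = infected.setdefault(event["src"], {"user": event["user"], "hits": []})
            host["hits"].append((event["ts"], event["kind"], event["dest"]))
    return infected


if __name__ == "__main__":
    for src, info in atp_scan(SAMPLE_LOG).items():
        print(f"ATP: host {src} (user {info['user']}) made {len(info['hits'])} C2 request(s)")
```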

Figure 3 — IPS vs ATP — opposite directions
IPS and ATP are complementary: one watches the way in, the other watches the way out. (Panels: IPS (inbound) — blocks known exploits, SophosLabs signatures, policy attached to a rule, protects your assets; ATP (outbound) — catches infected hosts, DNS / IP / HTTP reputation, drops and alerts on C2, names the infected host.)
'IPS will catch the infected PC' is wrong

IPS matches inbound exploit signatures — it is not designed to spot a host that is already owned and phoning home. That outbound C2/botnet traffic is ATP's job, and ATP is what names the infected internal host. Don't ask IPS to do ATP's work.

Quick check · Q3 of 10 · Apply

A laptop infected off-site is now on your LAN, quietly making C2 lookups. Which layer is built to catch it and name the host?

Correct: c. ATP inspects DNS/IP/HTTP against threat intel for C2/botnet destinations, drops and alerts, and identifies the infected internal host. IPS watches inbound exploits; the sandbox judges unknown files.
👉 So far: ATP inspects DNS/IP/HTTP against threat intel for C2/botnet traffic, drops and alerts, and crucially identifies the infected internal host. Use exceptions for known-good destinations.

④ Zero-Day Protection — the cloud sandbox for unknown files

Signatures and reputation can only judge what they already know. Zero-Day Protection (formerly Sandstorm) handles the rest: unknown or suspicious files from web downloads and email are sent to a cloud sandbox (SophosLabs Intelix), detonated and analysed by deep-learning models — and a clean/malicious verdict is returned before the file is delivered. Known-good and known-bad files short-circuit instantly; only the genuinely unknown ones make the round trip.

Scope it sanely — and mind the TLS gotcha

Don't hold and sandbox everything: scope by file type and size (executables, documents, archives up to a limit) so you don't add delay to ordinary browsing. The quiet killer is encryption — files delivered over HTTPS are only inspected when TLS inspection (Decrypt & Scan) is on. With it off, the firewall sees ciphertext, never extracts the file, and the sandbox never runs — the unknown file walks straight through.
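The hand-off described above, as a toy model added for this lesson (not Sophos code): a download reaches the sandbox only if the firewall can extract it (HTTPS needs TLS inspection), it is not already known-good or known-bad, and it falls inside the file-type and size scope. The scope values, file contents, hashes and the sandbox stand-in are all constructed.

```python
"""Toy model of the Zero-Day Protection hand-off (added example, not Sophos code).
A download reaches the cloud sandbox only if the firewall can extract it (HTTPS
needs TLS inspection), the file is not already known-good or known-bad, and it
falls inside the configured file-type and size scope. The scope values, file
contents, hashes and the sandbox stand-in below are all constructed."""
import hashlib

# Constructed scope: which extensions are held for sandboxing, and a size cap.
SCOPE_TYPES = {"exe", "msi", "dll", "docx", "pdf", "zip"}
SCOPE_MAX_BYTES = 10 * 1024 * 1024

# Constructed reputation cache keyed by SHA-256 (stands in for SophosLabs lookups).
KNOWN_GOOD = {hashlib.sha256(b"signed vendor installer v1").hexdigest()}
KNOWN_BAD = {hashlib.sha256(b"previously seen dropper").hexdigest()}


def cloud_sandbox(content):
    """Stand-in for detonation + deep-learning scoring: a constructed marker
    string plays the role of observed malicious behaviour."""
    return "malicious" if b"BEACON-C2" in content else "clean"


def inspect_download(content, ext, scheme, tls_inspection):
    """Return (path_taken, outcome) for one download.

    outcome is "delivered" or "blocked"; path_taken records which branch decided it."""
    # The gotcha: without TLS inspection the firewall never sees the file at all.
    if scheme == "https" and not tls_inspection:
        return ("not_extracted", "delivered")
    # Scope check: out-of-scope files are not held, so they add no delay.
    if ext.lower() not in SCOPE_TYPES or len(content) > SCOPE_MAX_BYTES:
        return ("out_of_scope", "delivered")
    # Known files short-circuit instantly; only unknown ones make the round trip.
    digest = hashlib.sha256(content).hexdigest()
    if digest in KNOWN_GOOD:
        return ("known_good", "delivered")
    if digest in KNOWN_BAD:
        return ("known_bad", "blocked")
    verdict = cloud_sandbox(content)
    return ("sandboxed", "blocked" if verdict == "malicious" else "delivered")


if __name__ == "__main__":
    unknown = b"MZ new invoicing tool BEACON-C2"  # constructed unknown installer
    print(inspect_download(unknown, "exe", "https", tls_inspection=False))  # ('not_extracted', 'delivered')
    print(inspect_download(unknown, "exe", "https", tls_inspection=True))   # ('sandboxed', 'blocked')
```

The same unknown file gets two different outcomes depending only on the TLS inspection flag, which is the failure mode the scenario below turns on.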

Figure 4 — How an unknown file gets a verdict
Only genuinely unknown files take the cloud round trip; the verdict comes back before delivery. (Flow: file seen via web download or email; known good/bad passes or blocks instantly; sandbox detonates in the cloud; deep learning scores behaviour; verdict: clean or blocked.)

Figure 5 — One firewall, three protections plus Heartbeat
IPS, ATP and Zero-Day Protection feed the same firewall, which links endpoint health via Security Heartbeat. (Panels: Sophos Firewall streaming DPI; IPS signatures; ATP (C2 / botnet); Zero-Day sandbox; TLS inspection; Security Heartbeat; SophosLabs Intelix.)

Priya at Konnect Logistics in Kochi faces this

A finance user downloaded a 'new invoicing tool' over HTTPS; two days later her PC makes odd outbound DNS lookups and the endpoint goes red in Heartbeat — but Zero-Day Protection logs show the installer was never sent to the sandbox.

Likely cause

TLS inspection was OFF on that web rule, so the encrypted download was never decrypted and the unknown file was never extracted for sandboxing — only ATP caught the aftermath (the C2 chatter).

Diagnosis

The web/firewall rule shows Decrypt & Scan / TLS inspection off; ATP logs show the C2 detection that named her host as the source.

Where to look: Rules and policies ▸ the web/firewall rule ▸ Decrypt & Scan (TLS) + Active threat response / ATP logs
Fix

Enable TLS inspection on that rule (with a sane bypass list for banking/privacy), confirm Zero-Day Protection is scanning web downloads with file types/size in scope, keep IPS attached, and clean the infected host.

Verify

Re-download an unknown test file over HTTPS and confirm it is held, sent to the cloud sandbox, scored, and a verdict returned before delivery — and that a fresh malicious sample no longer reaches the endpoint.

Prove the file actually reached the sandbox

Never assume Zero-Day Protection is working. Pull the sandbox/Zero-Day report for the download: it shows whether the file was extracted, sent to the cloud, detonated and scored. If there is no record, the file was almost certainly delivered over HTTPS with TLS inspection off.

▶ Walkthrough: an unknown download gets sandboxed and blocked

How one HTTPS file download is inspected end-to-end. This is the healthy path; the classic failure is the same download with TLS inspection off.

① Download: A user in Kochi downloads an unknown installer over HTTPS through the firewall.
② TLS decrypt: TLS inspection decrypts the session so the streaming DPI can extract the file; IPS finds no known exploit.
③ Sandbox: The file is unknown, so it is held and sent to the cloud sandbox (Zero-Day Protection) for detonation and deep-learning analysis.
④ Verdict + block: The ML verdict is malicious; the file is blocked before delivery and the endpoint is flagged via Security Heartbeat.
Quick check · Q4 of 10 · Analyze

An unknown installer downloaded over HTTPS was never sent to the sandbox. The most likely reason is…

Correct: d. Zero-Day Protection can only sandbox a file it can extract. Over HTTPS, that requires TLS inspection (Decrypt & Scan); with it off the firewall sees only ciphertext and the file passes uninspected.
👉 So far: Zero-Day Protection sandboxes and ML-scores unknown web/email files before delivery. Scope file types and size — and remember HTTPS files are only scanned when TLS inspection is on.


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

What is the primary job of IPS on Sophos Firewall?

Correct: a. IPS is signature-based intrusion prevention — it blocks known exploit attempts aimed inbound at your assets. Unknown files are Zero-Day Protection's job; infected-host C2 is ATP's.
Q6 · Understand

Advanced Threat Protection (ATP) is best described as detection of…

Correct: b. ATP checks DNS/IP/HTTP requests against threat intelligence to spot command-and-control/botnet communication from a host that is already compromised, then drops, alerts and names that host.
Q7 · Apply

You need a verdict on a brand-new file type no signature recognises. Which layer handles it?

Correct: c. Unknown/suspicious files are sent to the Zero-Day Protection cloud sandbox, detonated and ML-scored, returning a clean/malicious verdict before delivery — exactly what signatures cannot do.
Q8 · Analyze

Why can ATP catch a threat that IPS misses entirely?

Correct: b. They guard opposite directions. IPS matches inbound exploit signatures; ATP spots the outbound command-and-control traffic of a host that is already owned — and identifies that host.
Q9 · Evaluate

What is the safest way to roll out IPS without flooding the SOC with false positives?

Correct: d. Blocking every signature at once is the classic false-positive storm. Scope by direction, tune by category/severity, observe in recommend/alert mode, then promote confident signatures to drop.
Q10 · Evaluate

An HTTPS-delivered unknown file reaches a user without ever being sandboxed. The strongest fix is to…

Correct: a. Without TLS inspection the firewall sees only ciphertext and cannot extract the file, so the sandbox never runs. Enabling Decrypt & Scan (with a sane bypass list) lets unknown HTTPS files be inspected.

🧠 In your own words

Type one line: which layer catches a PC that is already infected and phoning home, and why isn't that IPS? Then compare with the expert version.

Expert version: Advanced Threat Protection (ATP) catches it. IPS is signature-based and points inbound — it blocks known exploit attempts aimed at your assets, not the outbound traffic of a host that is already owned. ATP inspects DNS, IP and HTTP requests against SophosLabs threat intelligence for command-and-control/botnet destinations, then drops, alerts and — the key bit — identifies the infected internal host so you can clean the right machine. Zero-Day Protection is a third, separate layer that sandboxes unknown files. Three directions, three jobs, one streaming DPI.


📖 Glossary

IPS (Intrusion Prevention System)
Signature-based detection and blocking of inbound known exploits using SophosLabs signatures.
IPS policy
A named, tunable set of signatures/rules — filtered by category, severity and action — attached to a firewall rule.
Advanced Threat Protection (ATP)
Detection of already-infected hosts by their outbound C2/botnet traffic in DNS/IP/HTTP requests; drops, alerts and names the host.
Command-and-Control (C2)
The channel infected malware uses to phone home and receive instructions; ATP watches for it.
Zero-Day Protection (Sandstorm)
A cloud sandbox plus deep-learning analysis that judges unknown web/email files before delivery.
Cloud sandbox
An isolated cloud environment where an unknown file is detonated and observed to produce a verdict.
SophosLabs Intelix
The SophosLabs cloud threat-intelligence and file-analysis service behind these protections.
Deep Packet Inspection (DPI)
The single streaming engine that inspects traffic content so IPS, ATP and file extraction share one pass.
TLS inspection (Decrypt & Scan)
Decrypting HTTPS so its content and files can be scanned; required for sandboxing HTTPS downloads.
Security Heartbeat
The endpoint-firewall health link in Synchronized Security; a detection can mark an endpoint red.


What's next?

Got threats covered? Next, go deep on web protection, application control and traffic shaping — how Sophos Firewall filters web categories, identifies and controls apps, and shapes bandwidth so the important traffic always wins.