
Sophos Firewall Web, App & Bandwidth Control — Filter Sites, Name Apps & Protect the Link

Sophos Firewall decides not just what your users can reach, but how much of the link that traffic is allowed to take. This lesson shows how to build web policies from SophosLabs categories, make them identity-aware, control HTTPS the right way with TLS inspection, name the Unknown apps with Synchronized App Control, and use traffic shaping so business apps stay fast while recreational traffic is throttled.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Web Protection, Application Control and Traffic Shaping on Sophos Firewall (2026): build web policies from allow/block/warn/quarantine rules using SophosLabs categories, make them identity- and time-aware, control activities, keywords, file types, SafeSearch and YouTube, why HTTPS filtering needs TLS inspection, how Synchronized App Control names Unknown apps, and how bandwidth policies protect business traffic.


Pick where you want to start

1. Web filtering: SophosLabs categories, identity- and time-aware web policies.
2. Activities & HTTPS: Keywords, file types, SafeSearch — and the TLS inspection catch.
3. Application control: App filters by category/risk + Synchronized App Control.
4. Traffic shaping: Bandwidth guarantee/limit to protect business traffic.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does a Sophos web policy rule decide?

Answered in Web filtering.

2. Without TLS inspection, what does the firewall see for an HTTPS site?

Answered in Activities & HTTPS.

3. What helps Sophos name an 'Unknown' application?

Answered in Application control.

Most engineers think…

Most people think a firewall's web filter is just a big block-list of bad sites, and that 'turn on YouTube blocking' is the whole job. That mental model falls apart the moment business video, HTTPS everywhere, and a saturated link enter the picture.

On Sophos Firewall, Web Protection, Application Control and Traffic Shaping are three linked controls attached to a firewall rule. You build web policies from allow/block/warn/quarantine rules keyed on category, identity and time; you control applications by category, risk and technology and let Synchronized App Control name the Unknown ones; and you use traffic shaping to guarantee and limit bandwidth. Crucially, on HTTPS none of the granular filtering works unless TLS inspection is on — without it the firewall only sees the domain. Knowing this split is what separates a real Sophos answer from 'I blocked the website.'

① Web filtering — categories, identity and time

Web Protection on Sophos Firewall is URL/web filtering driven by the SophosLabs URL categorisation database. You do not write one giant block-list; you build a web policy out of ordered rules, and each rule can allow, block, warn or quarantine traffic.

The power is in what a rule matches. A rule can match on web category (block Gambling, warn on Streaming Media), on identity — a specific user or group (Students vs Staff) — and on time via schedules (looser access after hours). Sophos ships default web policies you can clone and tune.

One rule does not enforce itself. A web policy is attached to a firewall rule: the firewall rule matches the traffic (zones, networks, users, services) and then says which web policy applies. The firewall rule is the decision point — remember that, because the same is true for app control and shaping later.
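
The two-stage decision described above (firewall rule first, then the attached web policy), modelled as an added example that is not Sophos code or configuration. The class names, the zone and policy names, first-match-wins ordering, the default actions and the 18:00 to 08:00 "after hours" window are assumptions of this sketch.

```python
from dataclasses import dataclass
from datetime import time


@dataclass
class WebRule:
    action: str                          # allow | block | warn | quarantine
    categories: frozenset = frozenset()  # empty = any web category
    groups: frozenset = frozenset()      # empty = any user group
    schedule: tuple = None               # (start, end) as datetime.time, None = always

    def matches(self, category, group, now):
        if self.categories and category not in self.categories:
            return False
        if self.groups and group not in self.groups:
            return False
        if self.schedule:
            start, end = self.schedule
            # A window such as 18:00-08:00 wraps past midnight.
            inside = start <= now < end if start <= end else (now >= start or now < end)
            if not inside:
                return False
        return True


@dataclass
class FirewallRule:
    name: str
    source_zone: str
    web_policy: list                     # ordered WebRule list attached to this rule
    default_action: str = "allow"        # used when no web rule matches (assumption)


def decide(firewall_rules, zone, group, category, now):
    """Stage 1: first firewall rule matching the traffic. Stage 2: first matching web rule."""
    for fw in firewall_rules:
        if fw.source_zone != zone:
            continue
        for rule in fw.web_policy:
            if rule.matches(category, group, now):
                return fw.name, rule.action
        return fw.name, fw.default_action
    return None, "drop"                  # no firewall rule carries this traffic


# Constructed policy using the lesson's own examples.
AFTER_HOURS = (time(18, 0), time(8, 0))
SCHOOL_POLICY = [
    WebRule("block", categories=frozenset({"Gambling"})),
    WebRule("allow", categories=frozenset({"Streaming Media"}), groups=frozenset({"Staff"})),
    WebRule("allow", categories=frozenset({"Streaming Media"}), schedule=AFTER_HOURS),
    WebRule("warn", categories=frozenset({"Streaming Media"})),
]
RULES = [FirewallRule("LAN-to-WAN", "LAN", SCHOOL_POLICY)]
```

Rule order matters here: moving the final warn rule to the top would warn Staff as well, because evaluation stops at the first match.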

Figure 1 — How a request is decided
Every web request walks the same path: a firewall rule matches it, then the attached web policy decides allow, block, warn or quarantine.
Request (user opens a site) → Firewall rule (matches the traffic) → Web policy (category + identity) → Action (allow/block/warn) → Log (report + bandwidth)
Figure 2 — What a web rule can match on
A single web rule on Sophos Firewall can combine all three match criteria.
- Web category: SophosLabs database, e.g. Streaming Media
- Identity (user/group): Students vs Staff get different access
- Time (schedule): Looser access after working hours
Quick check · Q1 of 10 · Understand

What is the role of a firewall rule for web filtering on Sophos Firewall?

Correct: b. The firewall rule is the decision point: it matches traffic (zones, networks, users, services) and then attaches the web policy, app-control and traffic-shaping policies that apply to that traffic.
👉 So far: Web Protection = a web policy of allow/block/warn/quarantine rules using SophosLabs categories, matched by category, identity (user/group) and time, and attached to a firewall rule.

② Activities, content controls — and the HTTPS catch

Beyond raw categories, a web policy controls activities and user activities — bundles that represent a behaviour, like 'streaming video' or 'uploading files'. You also layer on keyword and content lists, file-type blocking (stop executable downloads), SafeSearch enforcement (force safe search on Google, Bing and others), and YouTube restrictions (restricted mode).

Why HTTPS needs TLS inspection

Here is the catch every engineer must say out loud. Most of the web is HTTPS, and HTTPS is encrypted. Without TLS inspection (or legacy HTTPS decryption), the firewall only sees the domain (SNI) — not the full URL, the page content, keywords or file types.

That means your clever category, keyword and file-type rules are only partially effective on HTTPS sites until TLS inspection is enabled (with a sensible bypass list for banking and sensitive apps). Domain-level blocking still works; granular control does not.

🌐 Web policy: Ordered allow/block/warn/quarantine rules using SophosLabs categories, matched by category, identity (user/group) and time, attached to a firewall rule.

🔓 TLS inspection: Decrypts HTTPS so the firewall sees the full URL and content. Without it you only get the domain (SNI), so granular web rules barely apply.

🧩 Synchronized App Control: Managed Sophos endpoints report the process behind traffic, letting the firewall name 'Unknown' apps it could not classify alone. Part of Synchronized Security.

📊 Traffic shaping (QoS): A bandwidth policy with a guarantee and a limit, applied to rules, categories, apps or users — guarantee business apps, throttle recreational traffic.

Say the HTTPS caveat out loud

In an interview, never claim 'I block sites by URL' without adding the caveat: on HTTPS that only works with TLS inspection. Without it the firewall sees the domain (SNI) only, so URL, keyword and file-type rules are partial. Mention a bypass list for banking and sensitive apps to show real-world judgement.

Quick check · Q2 of 10 · Analyze

TLS inspection is OFF. A user visits an HTTPS site you wanted to filter by URL and file type. What happens?

Correct: a. Without TLS inspection the firewall only sees the encrypted session's domain (SNI). Full-URL, keyword and file-type rules need the decrypted content, so they are only partially effective until TLS inspection is enabled.
👉 So far: Activities, keyword/content lists, file-type blocking, SafeSearch and YouTube restrictions add depth — but on HTTPS they need TLS inspection, or the firewall only sees the domain (SNI).

③ Application control — and naming the Unknown apps

Application Control answers a different question: not 'which website', but 'which application'. Application filters identify thousands of apps and let you select them by category (e.g. File Transfer, P2P), risk level and technology, then block, allow or shape them. This catches apps that ride over ordinary web ports and would slip past a pure URL filter.

The problem: some traffic is genuinely Unknown — the firewall's signatures cannot tell what app produced it. That is where Synchronized App Control comes in. As part of Synchronized Security, managed Sophos endpoints report the process behind the traffic, so the firewall can name the Unknown apps and you can then add them to an app filter to block or shape.

The interview line: app control sees apps the web filter cannot, and the endpoint sees apps the firewall cannot. Together they remove the 'Unknown' blind spot.

Figure 3 — Three controls, one firewall rule
Web Protection, Application Control and Traffic Shaping all attach to the firewall rule that matches the traffic.
- Firewall rule: matches traffic
- Web policy: TLS inspection
- App control: Sync App Control
- Traffic shaping: Identity + time
Figure 4 — Block it vs shape it
Blocking is binary; shaping keeps useful traffic alive while protecting the link. Pick the right tool.
Block (web policy)
- Action: block / warn / quarantine
- Good for risky or banned
- Breaks legitimate use if too broad
- Fix over-blocks with exceptions
Shape (QoS)
- Action: guarantee + limit
- Good for recreational vs business
- Keeps useful traffic alive
- Protects ERP / voice from
'App control is just the web filter again' confusion

A web policy filters by website category; application control filters by the actual app (by category, risk and technology) and can catch apps tunnelling over web ports. And for traffic the firewall can't classify, only Synchronized App Control — using endpoint data — can name the Unknown app. Treating them as the same tool costs you marks and leaves blind spots.

▶ Watch one user's video + SaaS traffic get classified and shaped

How a single user's mixed traffic is filtered and shaped end-to-end.

① Mixed traffic: Arjun in Pune streams a video and uses a business SaaS app at the same time; both flows hit the firewall rule carrying his traffic.
② Classify: The web policy classifies the categories — recreational Streaming Media vs the business SaaS app — and application control identifies each app.
③ Shape: The bandwidth policy limits the recreational video to its cap while guaranteeing bandwidth to the SaaS app, so business stays fast.
④ Log via endpoint: Application control logs the apps; Synchronized App Control uses Arjun's managed endpoint to confirm and name anything the signatures saw as Unknown.
Quick check · Q3 of 10 · Apply

The firewall logs a chunk of traffic as 'Unknown' application. What is the Sophos way to identify it?

Correct: d. Synchronized App Control (part of Synchronized Security) lets managed endpoints tell the firewall which process generated the traffic, so it can name the Unknown app and you can then control it in an app filter.
👉 So far: Application Control identifies apps by category, risk and technology to block/allow/shape; Synchronized App Control uses managed endpoints to name the 'Unknown' apps signatures miss.

④ Traffic shaping — protect business bandwidth

Blocking is blunt. Often the right answer is not 'block recreational video' (which breaks legitimate video) but 'don't let it starve the business'. That is traffic shaping (QoS). You create a bandwidth policy with a guarantee and a limit, then apply it to firewall rules, web categories, applications or users.

Prioritise, then throttle

The pattern: guarantee bandwidth for business apps (ERP, Microsoft 365, voice) so they never slow down, and limit recreational categories and apps (Streaming Media, OTT, social) so they cannot saturate the WAN. Because shaping attaches to the same firewall rule, you can shape exactly the traffic a rule already matches.
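
A simplified model of the guarantee-then-limit pattern above, added here as an illustration; it is not Sophos's scheduler or code from the lesson. The 100 Mbps link, the demand figures, the policy values and the equal-share rule for spare capacity are assumptions, and the guarantees are assumed to fit within the link.

```python
def allocate(link_mbps, classes):
    """classes: {name: (guarantee, limit, demand)} in Mbps -> {name: allocated Mbps}.

    Pass 1 serves every class up to its guarantee. Pass 2 shares what is left
    equally among classes that still want more, never exceeding a class limit.
    """
    alloc = {n: min(d, g) for n, (g, l, d) in classes.items()}
    # Remaining appetite of each class, capped by its limit.
    want = {n: max(0.0, min(d, l) - alloc[n]) for n, (g, l, d) in classes.items()}
    left = link_mbps - sum(alloc.values())
    active = [n for n in classes if want[n] > 1e-9]
    while left > 1e-9 and active:
        share = left / len(active)
        for n in active:
            give = min(share, want[n])
            alloc[n] += give
            want[n] -= give
            left -= give
        active = [n for n in active if want[n] > 1e-9]
    return alloc


LINK = 100  # Mbps, constructed figure
DEMAND = {"ERP": 40, "Workspace": 25, "Streaming Media": 90}  # constructed figures

# No bandwidth policy: nobody is guaranteed anything, nobody is capped below the link.
UNSHAPED = {name: (0, LINK, demand) for name, demand in DEMAND.items()}

# Bandwidth policy: business apps guaranteed, recreational streaming limited.
SHAPED = {
    "ERP": (30, LINK, 40),
    "Workspace": (20, LINK, 25),
    "Streaming Media": (0, 20, 90),
}
```

With these figures the unshaped link leaves ERP at 37.5 Mbps against a demand of 40, while the shaped link serves ERP and Workspace in full and holds streaming at its 20 Mbps cap even though capacity is spare.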

Common pitfalls to avoid: blocking a whole category that breaks a needed SaaS — fix it with an exception rather than a wider block; recreational video saturating the link — fix with shaping, not a ban; and HTTPS sites only partly filtered — turn on TLS inspection so category, keyword and shaping rules actually apply.

Figure 5 — Protecting the link end to end
Classify the traffic, name the app, then shape it so business stays fast and recreational is capped.
Classify (web category + app) → Identify app (signatures + endpoint) → Guarantee (business apps reserved) → Limit (recreational capped) → Report (bandwidth dashboard)

Priya at a Kochi EdTech firm faces this

During school hours the internet crawls — the ERP and Google Workspace are slow and video lessons buffer, even though the link size should be fine.

Likely cause

Recreational video (YouTube, OTT) is saturating the WAN; no traffic shaping reserves bandwidth for business apps, and a blanket category block was avoided because it would break legitimate educational video.

Diagnosis

In Reports the Streaming Media category is the top bandwidth consumer; the firewall rule carrying student traffic has no traffic-shaping policy and applies one web policy to everyone.

Sophos Firewall ▸ Reports ▸ Applications & web / Bandwidth, then Rules and policies ▸ the relevant firewall rule
Fix

Create a bandwidth (traffic-shaping) policy that limits Streaming Media / OTT apps and guarantees the ERP and Workspace apps; attach shaping to the firewall rule; make the web policy identity-aware so staff get more latitude than students; ensure TLS inspection is on so HTTPS streaming is actually classified and shaped.

Verify

Re-run the bandwidth report — Streaming Media drops to its cap, ERP and Workspace latency falls, and live educational video still works because it was guaranteed, not blocked.

Prove it from the bandwidth report

Never close a 'net is slow' ticket on a hunch. The Sophos bandwidth and application reports show exactly which category, app and user is consuming the link. Read that first, then shape the real culprit — don't guess and block.

Quick check · Q4 of 10 · Evaluate

Recreational video is saturating the WAN, but staff also run legitimate video lessons. Best Sophos fix?

Correct: b. Blocking the whole category breaks legitimate video. A bandwidth policy that limits recreational streaming while guaranteeing business apps protects the link without breaking useful traffic.
👉 So far: Traffic shaping applies a bandwidth guarantee and limit to rules, categories, apps and users — guarantee business apps, throttle recreational traffic, and use exceptions instead of over-broad blocks.


📝 Wrap-up assessment — six more


Q5 · Remember

What database powers Web Protection's URL filtering on Sophos Firewall?

Correct: c. Web Protection filters using the SophosLabs URL categorisation database, which sorts millions of sites into categories that web rules match against.
Q6 · Understand

Which actions can a web policy rule take?

Correct: b. A web policy is built from rules, each of which can allow, block, warn or quarantine the matching web traffic.
Q7 · Apply

You must give Staff more web access than Students from the same firewall. What do you use?

Correct: a. Web rules can match on identity (user or group), so one policy can allow Staff and restrict Students without extra hardware.
Q8 · Analyze

Application control reports a flow as 'Unknown'. Why can Synchronized App Control resolve it when signatures cannot?

Correct: d. Synchronized App Control, part of Synchronized Security, uses managed-endpoint data about the originating process to identify and name apps the firewall's own signatures could not classify.
Q9 · Evaluate

A needed SaaS app is being broken because it falls in a category you blocked. Best fix?

Correct: b. The right fix is a targeted exception/allow rule for the SaaS while keeping the category block in place. Disabling protection, turning off TLS inspection or widening the block all do harm.
Q10 · Evaluate

An interviewer asks how to stop recreational streaming from starving business apps without banning video. Best answer?

Correct: a. Traffic shaping with a guarantee for business apps and a limit on recreational categories/apps protects the link while keeping legitimate video working — a block would break useful traffic.

🧠 In your own words

Type one line: why is 'I blocked the website' an incomplete answer for HTTPS filtering on Sophos Firewall? Then compare with the expert version.

Expert version: Because the web is mostly HTTPS, and HTTPS is encrypted. Without TLS inspection the firewall only sees the domain (SNI), so domain-level blocking works but full-URL, keyword and file-type rules — and per-app traffic shaping — barely apply. The complete answer is: build a web policy of allow/block/warn/quarantine rules on SophosLabs categories, make them identity- and time-aware, turn on TLS inspection (with a sensible bypass list) so granular rules actually bite on HTTPS, use application control plus Synchronized App Control to name and control apps, and use traffic shaping to guarantee business apps and limit recreational traffic — all attached to the firewall rule.


📖 Glossary

SophosLabs URL categorisation database
Cloud-maintained classification of websites into categories (e.g. Streaming Media, Social Networking) that web rules match against.
Web policy
An ordered set of rules on Sophos Firewall that allow, block, warn or quarantine web traffic by category, identity and time.
Web category
A group of similar sites used as a match criterion in a web rule.
TLS inspection
Decryption of HTTPS at the firewall so it can read the full URL and content for granular web rules; without it only the domain (SNI) is visible.
Activities / user activities
Bundles of categories and file types representing a behaviour (e.g. streaming video, uploading files) controlled within a web policy.
Application Control
Identification and control of applications via app filters by category, risk and technology — block, allow or shape.
Synchronized App Control
Use of managed Sophos endpoint data to identify and name 'Unknown' applications; part of Synchronized Security.
Traffic shaping / QoS
Bandwidth policies with a guarantee and a limit applied to rules, categories, apps or users to prioritise or throttle traffic.
Firewall rule
The match-and-act unit that decides which web, application-control and traffic-shaping policy applies to traffic.


What's next?

You can now control users browsing out. Next, flip it around: the Web Application Firewall (WAF) — Sophos Firewall's reverse-proxy mode that protects the servers you publish to the internet, not the users behind the firewall.