Sophos 101 - Initial Setup and Configuration
- Published 19 Sep 2024
- Get your Sophos Firewall up and running. This is a walkthrough of the initial configuration and setup after you have installed the software.
The configuration of Rules and Filters: • Sophos XG v17 Configur...
VPN Setup: • Sophos XG V17 VPN Setup
Wired and Wireless LAN: • Creating a wireless an...
VLAN: • Sophos XG VLAN
If you are installing onto hardware for the first time: • Installation - Part 1
#sophos, #sophosxg, #sophosfirewall, #firewall
=================
Affiliate Links:
=================
Hardware Options:
Asus Motherboard: amzn.to/2D1AnJr
Core I3-8100: amzn.to/2YXrTwv
RAM: amzn.to/2U2k5Wj
Case: amzn.to/2D5jJsC
Power Supply: amzn.to/2FUaufm
SSD: amzn.to/2D0155c
Very few people make videos with exhaustive detail. Thanks!!
Thank you very much for the feedback. It is appreciated.
I wish my screen looked like yours. I think it did a long time ago.
It's very nice to study your video as a beginner.
Thanks for the feedback, it is appreciated.
Hi there, I have a question. I have a normal router with a WiFi antenna that my mobile and other devices connect to wirelessly, and I have a pfSense firewall but it doesn't support WiFi. My question is: how can I connect my pfSense firewall to my router so that my WiFi devices can connect to my pfSense wirelessly?? Thnx
Thank you for this video. Very few go into much detail.
Great to hear and thanks for the feedback!
Great intro video. XG sure is a mixed bag. Sad to hear they are making the UTM end of life in a few years. I wish creating static IPs was easier. This product must be a nightmare for admins to use; the flow is horrible between creating static IPs and MAC hosts compared to the UTM.
“Mixed bag” is a great way to put it. I have switched to the UniFi UDM SE Pro but we still run 3 XG units at work. They are not horrible to maintain but you are right about the static IP especially for home use. In the enterprise most of the static reservation is done in Active Directory so I guess it is not too bad.
Could you help me with a question? My XG 105 won't boot. It seems the SSD has died.
That would be my guess too.
Hello Sir,
Kindly advise me how to configure a second WAN (2nd ISP) on a Sophos XG125. I have already configured the 1st WAN on port 2. I need the second ISP to be the failover.
You can use the same configuration as this video but instead of failover use balancing. I have not done a video on version 18 yet but I will be.
@MikeFaucher Thank you for the advice. The issue I have is that I'm not able to edit/configure port 4 to accept the ISP's static settings. How can one edit Port 4?
@MikeFaucher The 1st ISP has dynamic IP settings, but the second ISP says that we need to configure the port to use the static IP addresses they have given us.
@josephkilonzo5994 The process is the same. If you go to my failover video (ua-cam.com/video/oquqac1CY9Y/v-deo.html) at 8:40, when you plug in your second WAN you have the option to set up that extra WAN port as DHCP or Static. You should be able to select Static and enter the parameters.
I have an XG86 device. However, there is no Port1 on the Interfaces page. Only Guest, Port2 and br0. How can I add Port1?
The XG86 has 4 configurable ports that can be set up. If you are showing a br0, then you most likely have 2 ports that have been bridged into one. You can either do a factory reset or delete the br0 interface and you should get Port1 back. You will lose your configuration in the process. See my other video that will explain how you got the br0. ua-cam.com/video/XdN1kHhKBHo/v-deo.html
fantastic understanding
Great to hear and thanks for the feedback.
Thank you sir for this intensive introduction to Sophos. Please, what should I do when a system connected to my network is not controlled by the rules of the firewall? Initially, I had to add the MAC address of the system and then assign the level of internet access. But right now it is no longer functioning.
Please, I need your support.
Thanks
Hard to tell as I do not understand your configuration. MAC addresses are not required unless you set up a MAC filter. Without better understanding your configuration I really can't offer much help. Sorry.
Where is your next video, Sir? :) You educate me a lot with this video.
I have many on my channel. ua-cam.com/channels/Bqox9okPrHvJNSZxs7ZjYA.htmlsearch?query=sophos
Thanks for the feedback, and I am working on the Version 18 videos.
Anybody having problems with WAN?
Thanks a lot Sir! Do you have a complete video on it?
There are way too many options in Sophos to do in one video. I have done several on my channel and I have included the link below. It would be easier if, once you have it configured and running, you narrow down which features you would like me to focus on; that way I can add them to my list.
ua-cam.com/users/MikeFauchersearch?query=sophos
Mike, could you explain how to order firewall rules? Sophos is saying we should block everything in the top rule and then allow what we want in the bottom rules.
There are different approaches. If you block "All" as Sophos recommends, you will have to create rules for every user or PC on your home network, which means no one can connect unless you create users and allow them. In a business environment that is the preferred way, as you typically authenticate to an Active Directory. In a home network, you will typically filter/control the entire network, so you will apply some default rules that are global and not user specific. It would be helpful if you could describe your network, #users, VLANs, etc.; then I could make a more specific recommendation.
Mike thanks for taking the time.
I have a typical network, with one VLAN and 1 default rule; the VLAN I'm using for guests.
I'm using the default rule as my main rule.
But the problem I'm having is VPNs: people can bypass my system with VPNs, like X-VPN and others like it. Wondering if you see this in your network. My system is deployed in a multi-home environment with about 200 users.
@wallywoll7334 VPNs are tricky. I would try the following. Create an application rule that will be assigned to both the VLAN and your main network firewall rules (see my video on creating application rules and filters) and add a block for all VPNs. It supports 105 different ones, among them X-VPN. If you apply this application rule to each firewall rule, the clients should not be able to connect going out. There may be some free games that stop working though, as some use VPNs in multi-user gaming. As for my network, here is a link to my basic config (thedocsworld.net/home-network/). It's missing a few things but it is close. Hope this helps; let me know how it turns out and let me know if I can help.
@MikeFaucher It's in a router's way as well lol :)
Thank you for the videos. I am setting up Sophos XG home routers for family members and the Sophos instructions are out of date, and I was floundering. It did not help that I have been deploying Kerio Control routers for my clients for 8 years, so I had to get out of my standard way of thinking and figure this out.
Thank you and glad you like it. I have several other XG videos on my channel as I am a big fan of the software. You are right, it is a little different but very powerful when you get used to it. Good luck and thanks for the feedback.
Hello! Thanks for the video! I just have one issue I'm facing. I must download the firewall offline, due to it being the router of my network that is connected to a VM workstation and a VM Active Directory, running on Windows Server 2019 on a Host-Only NIC. But I keep getting stuck on the "Finishing" screen. How can I solve this?
The only thing I can think of is that it appears you only have one NIC, and you need at least two. The finish process takes about 4-6 minutes, but I do not think it will do the final configuration with only 1 NIC.
@MikeFaucher That wasn't the issue in my case; however, I'd like to thank you for the response and help. I indeed only have 1 NIC in the workstation, which is Host-Only, and 2 in the firewall (NAT and Host-Only), since this is my router that connects me to the WAN. I solved the issue: what I did wrong was that I had changed the IP in the manual part of the configuration setup. I simply had to click on "register offline" (I had tried both).
Now I've got another issue. I need internet through the firewall. So that means ports 443 (HTTPS), 80 (HTTP) and 53 (DNS TCP/UDP) need to be opened for both inbound and outbound traffic. How do I do this? Just make another firewall rule?
Sorry, I'm an IT Student 😅
@user-il5cw4pp6v I am at a disadvantage not quite seeing how you have things hooked up, but yes, you do need a firewall rule to allow traffic to pass.
@MikeFaucher Thanks for attempting to help me out. I really do appreciate both the effort and time.
As for my current configuration, this is the setup in VMware Workstation 16 Pro:
Sophos XG Firewall (17.5.9)
Active Directory Domain Controller
Windows 10, 2004 (one VM)
All of the network instruments have Host-Only NICs, except the FW (it has a NAT NIC too), meaning my DC and WS don't have direct internet. So the internet must be configured somewhere in the Sophos XG web interface. I know I must make a FW rule, which I have done. But what do I do now and, most particularly, where?
@user-il5cw4pp6v Are you trying to authenticate via AD? If so, that is a whole process in itself. If you have this in a VM, then first make sure the correct virtual NICs are called out in the network settings. The firewall rule should be the same as the one in the video. Try one rule after you have defined your WAN and LAN interfaces.
Hi there, thank you for your useful tutorial video. My question is: when we install the Sophos firewall, are all ports blocked from outside by default?? I mean all incoming traffic from outside or the internet, for more security?? Or must we make a rule in the firewall??
Look at my Sophos XG Firewall configuration and filtering video. You have to create "default" rules that control traffic the way you want.
Great instructions! BUT, I would greatly appreciate advice on setting up Sophos UTM Home as a bridge: WAN >> Cable Modem (SB6190) >> Bridge Protectli/Sophos UTM >> DD-WRT
Router (DHCP/WiFi) >> LAN. The router is set to 192.168.10.2. I need the UTM as a Bridge/Firewall/IPS, so I'm hoping it can be 192.168.10.1. When I set eth0 IPv4/GW on the UTM, I do get an IP from the modem but cannot get access to the Internet from a Protectli port or from the DD-WRT router. Admin on the UTM is on eth2 at 192.168.10.112. Can you give some advice and also point me to a good video on this? Thanks!
Gary D Thanks for the question. I will add it to the list of future videos.
ty sir
Thank you for the feedback. I appreciate it.
Hi Mike, can you help me? I changed the static IP of my Sophos XGS 107 firewall, my bad. Now I can't browse. Please help me get back to the IP address to open the firewall interface. Thanks in advance, Mike.
Hard to answer this question as I do not know anything about your configuration. If you used the default LAN, you should be able to access the interface with 172.16.16.16, but if you changed it to something else, then I have no way to answer your question. If you are still able to get an IP address for your computers, such as 192.168.1.5, then you could try 192.168.1.1:4444. Worst case, you may have to reset your device if that is an option. Sorry I can't be more help.
@MikeFaucher Thank you Mike, it was a great help.
@jaycayanes1700 Glad to hear that. Thanks for the feedback.
You are fantastic man
Thanks for the feedback.
In case anyone else has this issue:
port 8090 is a login screen also, but it doesn't respond to admin / admin; you have to use 4444, so there are 3 www server ports apparently.
Thanks for the input!
Does the firewall rules set have implicit deny at the end?
Normally in business it is best practice, but in this example I expect all IoT devices to use the internet, not the LAN.
@MikeFaucher 'As we see fit'... of course. Security-wise, I can only think of why you wouldn't want to phone home. There have been some pretty shifty, insecure IoT devices out there.
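The rule-ordering question above (block-all on top vs. allow rules first) and the later question about an implicit deny both come down to the same mechanism: a first-match rule table. The script below is an added example written for this page, not code from the video or from Sophos; the networks, ports and rule names are constructed for illustration and are not Sophos configuration syntax. It evaluates a packet against an ordered rule list with an implicit deny at the end, and it flags rules that can never fire because an earlier, wider rule already covers them, which is exactly what happens when "deny all" is placed at the top.

```python
"""First-match firewall rule evaluation with shadow detection.

Added example for this page. Rule sets, networks and addresses below are
constructed for illustration; this is not Sophos configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port; None means any port


def evaluate(rules, src, dst, dport):
    """Walk the rule list top-down and return (action, rule_name) for the
    first rule that matches. Traffic that matches nothing hits the
    implicit deny, which is the behaviour the "implicit deny" question asks about."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action, r.name
    return "deny", "implicit-deny"


def shadowed(rules):
    """Names of rules that can never fire: an earlier rule matches every
    packet they would match (same or wider src and dst, any port or the same port)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                out.append(later.name)
                break
    return out


# Constructed networks: a LAN, an IoT VLAN and "anything".
LAN, IOT, ANY = "192.168.1.0/24", "192.168.20.0/24", "0.0.0.0/0"

# "Block everything in the top rule" taken literally: the allow below it is dead.
DENY_ON_TOP = [
    Rule("deny-all", "deny", ANY, ANY, None),
    Rule("allow-web", "allow", LAN, ANY, 443),
]

# Specific rules first, broader ones after, explicit deny-all at the bottom.
# IoT may reach the internet but not the LAN, so the IoT->LAN deny must sit
# above the IoT->any allow.
SPECIFIC_FIRST = [
    Rule("deny-iot-to-lan", "deny", IOT, LAN, None),
    Rule("allow-iot-internet", "allow", IOT, ANY, None),
    Rule("allow-web", "allow", LAN, ANY, 443),
    Rule("allow-dns", "allow", LAN, ANY, 53),
    Rule("deny-all", "deny", ANY, ANY, None),
]

# Same rules with the two IoT rules swapped: the deny is now shadowed.
IOT_SWAPPED = [SPECIFIC_FIRST[1], SPECIFIC_FIRST[0]] + SPECIFIC_FIRST[2:]


if __name__ == "__main__":
    for label, rules in (("deny on top", DENY_ON_TOP),
                         ("specific first", SPECIFIC_FIRST),
                         ("iot swapped", IOT_SWAPPED)):
        print(f"{label}: shadowed={shadowed(rules)}")
        print("  LAN -> internet:443", evaluate(rules, "192.168.1.10", "203.0.113.5", 443))
        print("  IoT -> LAN:445     ", evaluate(rules, "192.168.20.7", "192.168.1.10", 445))
```

Running `shadowed()` over a rule set before deploying it is the cheap check that catches both mistakes in the thread: a deny-all on top that swallows every allow beneath it, and a broad allow that sits above the narrower deny it was supposed to be limited by.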
Hi, how to change Sophos home Dashboard's language?
Take a look at this. support.home.sophos.com/hc/en-us/articles/360043006531-How-to-change-the-Sophos-Home-Dashboard-language Hope that helps.
Can we back up an XG210 and restore on an XG310?
As long as your 310 has the same or more NICs.
@MikeFaucher It has more NICs.
@tanasmith1000 Network connections. RJ45.
Thank you!
Glad you found it useful.
Hi, can we block apps like Telegram, WhatsApp, Skype or WeChat on a Sophos firewall??
Yes
Yes, you can either create a Web Policy or an Application Filter for that
When the admin password is changed... does this mean that my router admin password has also changed?
Yes, exactly.
how do i find which device was used for the setup? e.g. xg450 etc
I used a regular Core i3 desktop computer. Their home version is free and runs on most hardware.
@MikeFaucher Thank you Mike!
@candicefernandes5455 Anytime. Good luck if you end up trying it.
Want to thank you for your very informative and helpful content.
A recent problem surfaced at a client and I hope you or anyone can help.
Problem summary:
Invalid certificate error for HTTPS sites.
Infrastructure overview:
Head office has an XG230 FW appliance and is AD integrated.
The remote office has a RED appliance and uses the XG230 as its Internet gateway.
Description:
All had been going well until recently, when the users in the remote office complained they cannot open HTTPS sites.
However, this does not happen to the users at the head office.
Also, users over remote VPN do not have the problem either, even those from the remote office.
Research points to the DST Root CA X3 expiration in 2021 as the source of the problem.
So why are only RED users affected, when they rely on the same FW rules as head office users?
Any insight will be appreciated.
Interesting question, and I do not know the answer. I have not seen this condition unless there are differences in permissions/settings between the groups. You may want to post that question with the Sophos community or support. They are slow, but they do respond.
@MikeFaucher OK, thank you for responding. Yes, I find their support lacking.
@jasoncummings7052 We have paid support and it takes a long time on hold. They do not support the free version at all.
Thank you Sir
My Pleasure, glad you liked it.
Kindly please provide a PPT or Word version; it will help a lot.
Thanks for your feedback. Will consider it on future videos.
I am selling Sophos; please guide me.
Sorry, Not sure I understand the question?
The sound is not good. I am quite disappointed.
Thanks for the feedback. I am always trying to improve. This is an older video. Thanks