"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Sophos Firewall (SF) can be deployed in two different modes:
This article provides step-by-step instructions on deploying SF in Gateway mode.
As an example, we are going to consider a hypothetical network with a firewall serving as a Gateway. We will replace the existing firewall with SF without having to change the existing network LAN schema.
A Gateway is a network point that acts as an entry point to another network or subnet to access resources. In the workplace, the gateway is the appliance that routes the traffic from a workstation to the outside network. In homes, the gateway is the Internet Service Provider that connects the user to the Internet.
When deployed in Gateway mode, SF acts as a Gateway for the network(s).
Gateway mode is an ideal solution for workplaces that plan to replace an existing firewall and add security through SF's stateful, deep-packet-inspecting firewall, Intrusion Prevention System services, malware scanning, and email content scanning. If you are not subscribed to SF security modules, you may register for a free trial at www.sophos.com.
All the features except Hardware bypass (LAN bypass) are available in Gateway mode.
Throughout the article, we will use the network parameters displayed in the network diagram below.
The network diagram depicts a network where SF is added to the perimeter so it can provide security services. The public servers (Mail, Web, and Database) are configured in the DMZ zone.
Outgoing traffic from the hosts connected to the LAN is permitted through SF to the gateways, while incoming traffic from the WAN is, by default, not permitted.
Business Application Security Policies allowing WAN-to-LAN traffic for the appropriate IP addresses and services will be added to allow inbound traffic to the public servers.
SF is shipped with the following default configuration:
Before you begin, make sure you know the DNS IP address, date, and time zone. You will also need an administrator email address.
Connecting the Appliance
Connect port A of the Device to the configuring computer’s Ethernet interface. You can use a cross-over Ethernet cable and connect directly or use a straight-through Ethernet cable to connect through a hub or switch. Both cables are provided with the Device.
By connecting the configuring computer to port A, we are assigning port A to the LAN zone.
Set the IP address of the management system to 172.16.16.2/24.
Browse to https://172.16.16.16:4444 to access the SF Admin Console (GUI). The SF login page will be displayed and you will be prompted to enter the login credentials. Use the default username and password to log in.
You can connect to the Admin Console of the device using an HTTP or a secure HTTPS connection from any configuring computer using the latest version of the following web browsers:
Firefox (recommended), Chrome, Safari, or Microsoft Internet Explorer 9 and onward.
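The workstation address and console URL given above can be checked before opening a browser. The following is an added example, not part of the Sophos article: `on_same_subnet`, `tcp_reachable` and `precheck` are hypothetical helper names, and the addresses are the ones the article gives.

```python
import ipaddress
import socket

# Values taken from the article: workstation address and Admin Console endpoint.
MGMT_ADDRESS = "172.16.16.2/24"
DEVICE_IP = "172.16.16.16"
ADMIN_PORT = 4444


def on_same_subnet(workstation_cidr: str, device_ip: str) -> bool:
    """True if device_ip lies inside the workstation's directly connected network."""
    iface = ipaddress.ip_interface(workstation_cidr)
    device = ipaddress.ip_address(device_ip)
    # The workstation must not reuse the device's own address.
    return device in iface.network and device != iface.ip


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def precheck(workstation_cidr: str, device_ip: str, port: int) -> list[str]:
    """Return a list of problems; an empty list means both checks passed."""
    problems = []
    try:
        if not on_same_subnet(workstation_cidr, device_ip):
            problems.append(f"{workstation_cidr} is not on the same network as {device_ip}")
    except ValueError as exc:
        problems.append(f"invalid address: {exc}")
        return problems
    # Only probe the port when the addressing is already correct.
    if not problems and not tcp_reachable(device_ip, port):
        problems.append(f"no TCP answer from {device_ip}:{port} (check cable, port A, address)")
    return problems


if __name__ == "__main__":
    issues = precheck(MGMT_ADDRESS, DEVICE_IP, ADMIN_PORT)
    print("\n".join(issues) if issues else f"https://{DEVICE_IP}:{ADMIN_PORT} is reachable")
```

Pass the address actually configured on the workstation's Ethernet interface as `MGMT_ADDRESS`; the script does not read it from the operating system.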
If you cannot log in, verify the following configurations:
To deploy SF in Gateway Mode using the Network Configuration Wizard, follow the steps below.
1. Click the admin tab in the top right corner of the Control Center and click Wizard.
2. The Network Configuration Wizard will appear. Click Start to initialize the network configuration process.
3. On the first screen, select Gateway Mode as the mode of deployment and click Next.
4. On the Port Configuration screen, configure the IP Address for Interfaces.
5. On the DNS Configuration screen, enter the DNS Configuration parameters. Click Next.
6. On the Access Configuration screen, select the desired Network policy for LAN to WAN traffic. Network Policy is used to define access rights and protection for the network hosts.
7. On the Mail Server Configuration screen, configure the following parameters:
8. On the Date & Time Configuration screen, select the Time Zone according to the current location and enter the Date and Time accordingly. You can also synchronize SF with an NTP server. Click Next.
9. The Configuration Overview screen will appear, displaying a summary of the Gateway Mode configuration. You can also send App & Threat data to Sophos. Click Finish.
This completes the basic configuration of SF using the Network Configuration Wizard, and it is now ready to be used.
Verifying the Configuration using the Control Center
Browse to https://172.16.16.16:4444 and log in to the Admin Console using the default username and password. The Control Center is displayed once you have logged in successfully.
Verify Gateway Status
Check the Gateway Status from the System Panel on the Control Center and verify that the status of the gateway is green, i.e. UP.
Verify the IP assignments
Go to System > Network > Interface and check the IP addresses assigned to Interfaces. If you have not configured the IP schema properly, you can run the Network Configuration Wizard again or update the interfaces by following the article Configure Interface in Sophos Firewall.
If you are not able to access the device due to incorrect IP address configuration, roll back to factory default settings and re-configure SF by repeating the entire deployment process in this document.
If SF is up and running, you are now ready to use the Device. You can now:
Rollback to factory default settings
Please refer to the article Reset SF Configuration to Factory Default Settings to roll back to factory default settings.
Document Version: 1.0 – 31 July, 2015