New to SOPHOS XG and Frustrated with SSL and Port Forwarding

Hello All, 

Im new to the Sophos family and I have had 3 full days of frustration with trying to install and configure this appliance to work with my Synology NAS. Prior to using a SOPHOS FW I just used a home Linksys router and forwarded ports to the NAS. It was working great, I had SSL working along with other applications running on the NAS.


My problem is I'm not really sure on the process for setting up the more advanced firewall and getting the NAS publicly accessible with SSL. Previously I has my HTTPS/443 forwarded directly to the NAS so when I used entered my domain name It went directly to my NAS login page. I cant get this to work with SOPHOS XG. 


I also don't understand the process for enabling the XG to use SSL authentication.


I guess a I need some basic installation help to templates to get me going.

  • Hi,

    please post your WAF rule?


  • Yendor,

    as starting point, please follow this kb:

    if it does not work, as Ian suggested, post the WAF rule.


  • In reply to lferrara:

    As far as i understand, you compare a WAF (reverseproxy) with a DNAT.

    Of course will a DNAT be straight forward in his process. 

    WAF is more complicated in his implementation. 

  • In reply to lferrara:

    So Im still having issues with getting reverse proxy to work with this WAF rule. Im not quite sure how this works with sophos. Do I set up the reverse proxy on the Synology system of does WAF take care of this? Also How and or what certificates do I use (LetsEncrypt) in the WAF Rule?  I tried uploading the ones I get from lets encrypt through the Synology process however the WAY does not recognize them 

    Im pretty sure the firewall is not allowing the reverse proxy to work. I run and I get this result to there is some type of communication with the NAS if Im not mistaken.









  • In reply to Yendor:


    The NAS only need to know about the network and the certifcate so traffic gets scanned and passed by the XG, the XG WAF does all the rest.


  • In reply to rfcat_vk:

    Ok, how does that happen with a WAF rule? The certs that the sinology lets encrypt app provides are not recognized by the XG

  • In reply to Yendor:


    If you want that external users use https, you need to fix the certificate issue first.

    Before you even upload the certificate on XG, you need to upload the CA that released that certificate.

    So, what is the issue you have with that?


  • In reply to Yendor:

    If you cannot select the Cert, You did not upload the cert with privat key. 

    You need to take the privat key of Lets encrypt and add this key as file to the certificate.

    Otherwise XG cannot use this cert for WAF. 

  • In reply to LuCar Toni:

    I understand this. I'm new to Sophos and how things work here. I am asking on a step by step process on how to import the certificates from what sinology gives (Cert.pem, chain.pem, priv.pem) and get it to work with Sophos. I don't have a *.key files to upload. So how/where to I get this private key to upload to the Sophos appliance.


    Side note: I have got my reverse proxy to work and not my sinology box is publicly available through my firewall with ssl authentication. However the 5024 port is uses and shown rather than the https/443. Any ideas? It is also not available to my internal network users only external subnets

  • In reply to Yendor:

    For the CA, Private key and Certificate, you can check how to do it on the vendor website.

    also on the Sophos Community you can find many threads. For example:

    Hope these 2 links help!