Hello everyone!
My first post, and I am a recent convert to Sophos XG from pfSense 2.4.4, and I have to say, I am sold. I spent the day today quickly shutting down pfSense and bringing up XG (18) Home edition, and I have to say, yes, pfSense is a customizer's dream, but the speed with which I was able to get XG up and running to near deployment blows pfSense out of the water, never mind the far greater improved GUI. Sold. I should not have to spend the day looking at Suricata logs.
So first, my system layout at a high level (which has no issues): Sophos XG (18) running on VMware 6.5. The server is a Lenovo T140 (16GB, E5-1225v3, 3.2GHz 4 core) with dual quad-port Intel Pro/1000 NICs. ESXi is set up as follows:
- WAN port group goes to its own vSwitch with dual NIC (failover) to the cable modem
- LAN port group (VLAN ID 4095) to its own vSwitch with dual NIC (load balancing) to the Juniper switching environment
- I run about 7 VLANs (a mgmt VLAN & 6 others to break up traffic)
XG was configured with 1 WAN & 1 LAN VMXNET3 card, 4 vCPU, 8GB memory and a 100GB SSD partition, and based on what I read, that should hold its own with GB internet.
So, with that being said and coming from pfSense, I have some questions just to get me pointed in the right direction:
- I set up the initial config running the trunk with the mgmt VLAN as the native VLAN to get me access to the GUI. Once I configured the VLANs in XG, in particular the mgmt VLAN, I assigned a new IP to that interface, removed the native VLAN from the trunk, got back into the GUI and configured the remaining VLANs. My question is: the LAN interface, which is no longer being used for anything (it has a 10.10.10.1 address), can that be removed from the zone, or in doing so will I automatically remove the sub-interfaces?
- If I cannot remove LAN from the zone, how do I make it "disappear" from any config?
- I am assuming that the rules are the same as pfSense, being all ports denied by default until a rule is put in place on the interface where the traffic ORIGINATES from, to block or allow to other VLANs?
- WAN interface with default rule set is deny all (I shut off the user portal and SSL VPN as I am not using either yet)
- From a deployment standpoint, it SEEMS the initial config is a good baseline where I just need to create the VLAN rules and put the WAN interface live and I am ready to go? Then start the fine-tuning process. Is there anything that jumps out that I need to tune before go-live?
- XG will be doing the VLAN routing, DHCP and DNS for the network. Are there any specific NAT configs needed beyond the base config?
- Is IPS, Web filtering, etc. "running" out of the box? It seems that there are a few policies running.
- Are there any "best practices" docs re: setup? I found a bunch of posts, and as an example, pfSense has videos galore; XG, well... getting there.
Alright, it's a bit, but I am not coming in blind, I just want to quickly get it up and running with a good config and tweak from there.
Thanks in advance for your feedback.