
Coming from PFsense to Sophos XG(18) and I have some questions..

Hello everyone!

My first post and a recent convert to Sophos XG from PFsense 2.4.4, and I have to say, I am sold. I spent the day today quickly shutting down PFsense and bringing up XG (18) Home edition, and I have to say, yes, PFsense is a customizer's dream, but the speed with which I was able to get XG up and running to near deployment blows PFsense out of the water, never mind the far better GUI. Sold. I should not have to spend the day looking at Suricata logs.

So first, my system layout at a high level (which has no issues): Sophos XG (18) running on VMware 6.5. The server is a Lenovo T140 (16GB, E5-1225v3, 3.2GHz 4-core) with dual quad-port Intel Pro/1000 NICs. ESXi is set up as follows:

WAN port group goes to its own vSwitch with dual NICs (failover) to the cable modem

LAN port group (VLAN ID 4095) to its own vSwitch with dual NICs (load balancing) to the Juniper switching environment

I run about 7 VLANs (a mgmt VLAN & 6 others to break up traffic)

XG was configured with 1 WAN & 1 LAN VMXNET3 card, 4 vCPU, 8GB memory and a 100GB SSD partition, and based on what I read, that should hold its own with gigabit internet.

So with that being said, and coming from PFsense, I have some questions just to get me pointed in the right direction:

  • I set up the initial config running the trunk with the mgmt VLAN as the native to get me access to the GUI. Once I configured the VLANs in XG, in particular the mgmt VLAN, I assigned a new IP to that interface, removed the native from the trunk, got back into the GUI and configured the remaining VLANs. My question is the LAN interface, which is no longer being used for anything (has a 10.10.10.1 address): can that be removed from the zone, or in doing so will I automatically remove the sub-interfaces?
  • If I cannot remove LAN from the zone, how do I make it "disappear" from any config?
  • I am assuming that the rules are the same as PFsense, being all ports denied by default until a rule is put in place on the interface where the traffic ORIGINATES from to block or allow to other VLANs?
  • WAN interface with default rule set is deny all (I shut off the user portal and SSL VPN as I am not using either yet).
  • From a deployment standpoint, it SEEMS the initial config is a good baseline where I just need to create the VLAN rules and put the WAN interface live and I am ready to go? Then start the fine-tuning process. Is there anything that jumps out that I need to tune before go-live?
  • XG will be doing the VLAN routing, DHCP and DNS for the network. Are there any specific NAT configs needed beyond the base config?
  • Is IPS, web filtering, etc. "running" out of the box? It seems that there are a few policies running.
  • Are there any "best practices" docs re: setup? I found a bunch of posts and, as an example, PFsense has videos galore; XG, well... getting there.

Alright, it's a bit, but I am not coming in blind; I just want to quickly get it up and running with a good config and tweak from there.

Thanks in advance for your feedback.



  • Hi and welcome,

    You cannot remove/delete the physical interface when VLANs are assigned to it.

    You don't select it in any config, but it will appear in your reports. You can assign it an IP address with a very limited range and no DHCP, so if something goes wrong with your VLAN switch you can still access the XG GUI.

    You will need to add a default firewall rule at the bottom because there is a bug in the current v18 release:

    source LAN, DMZ, WIFI, WAN, VPN -> ANY, destination LAN, WIFI, DMZ, WAN, VPN -> ANY, action drop (log if you want to).

    When setting up firewall rules, try to avoid using ANY as the service. Tuning IPS does not seem to improve performance, but it is required if you have a high-speed internet connection: disable TCP and IP flood at the very least. IPS works LAN to WAN.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • Ian,

    I am finally getting back to this after some craziness at work. I appreciate the response and have a little bit of follow-up.

    rfcat_vk said:

    You cannot remove/delete the physical interface when VLANs are assigned to it.

    Got it, makes sense. Also, I am assuming that the "Wireless zone" is specifically created for Sophos APs only? I utilize Unifi, so it is of no use to me; is there a way to remove it, or just let it sit there?

    rfcat_vk said:

    You don't select it in any config, but it will appear in your reports. You can assign it an IP address with a very limited range and no DHCP, so if something goes wrong with your VLAN switch you can still access the XG GUI.

    Done. Great idea, BTW.

    rfcat_vk said:

    You will need to add a default firewall rule at the bottom because there is a bug in the current v18 release:

    source LAN, DMZ, WIFI, WAN, VPN -> ANY, destination LAN, WIFI, DMZ, WAN, VPN -> ANY, action drop (log if you want to).

    I am assuming the bug is that dimmed-out rule at the bottom of the list that you are unable to do anything with, so you need to add it manually?

    rfcat_vk said:

    When setting up firewall rules, try to avoid using ANY as the service. Tuning IPS does not seem to improve performance, but it is required if you have a high-speed internet connection: disable TCP and IP flood at the very least. IPS works LAN to WAN.

    OK, makes sense. So I am going to disable the TCP & IP flood on the LAN TO WAN policy. I am thinking that internally, IPS would seem a little overkill on inter-VLAN (all depending), so I plan to drop it on the VLANs where I have desktops/laptops as a watchdog, per se, and keep the VLANs without; I don't think it is needed. We are a full McAfee shop on the endpoint, which is updated regularly, so I am not worried that much about endpoint exposure.

    So far, I like the product; it seems very robust in its testing. So I have a few more questions.

    As far as rules go, PFsense had rules set up by VLAN; here it seems to be zone-based and, moving top to bottom, hits the Traffic to Internal first, then Traffic to WAN, then DMZ, and based on that, when developing rules, I am guessing XG follows the same top-to-bottom pattern, albeit not VLAN-specific when placed in that bucket. Is there a best practice around this?

    Right now, there are no internet-facing servers, so looking at the policies that are in place for IPS, email, etc., it seems like a good start; anything else I should add beyond what is currently turned on?

    DNS is killing me, and I hope they fix this very soon, as I should not have to ping an internal host via its FQDN, but its host name only. So two things: where do I add the "domain" in the setup, or is that an add under FQDN like *.local.lan, or should I just do *.local and keep it simple? Secondly, it also seems that DHCP does not auto-populate DNS entries; again, this should be the status quo, as many have this as standard (did UTM not do this?), and there does not seem to be the ability to add a static entry right from the DHCP client list either. With that said, I am guessing when I manually add, it has to be FQDN-based as well? What a pain.

    Lastly, in PFsense the interface IP served as the entry point to the GUI, and you needed to put top-to-bottom rules in place to deny access to ports 80/443 and then allow all for each VLAN, and if you wanted a VLAN to get access, add a rule to allow access to the mgmt VLAN ports. How does access to the GUI get controlled in XG? I'd rather not try to re-create the wheel if there is an easy way.

    Thank you again for your feedback; very useful in my new journey.
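The rule-ordering points raised in the thread (Ian's advice to put an explicit drop-and-log rule at the bottom and to avoid service ANY, and the follow-up question about XG walking rules top to bottom) are easier to see with a small first-match, zone-based evaluator. The Python below is an added example written for this page; it is not code from the thread, from Sophos or from pfSense, and it models only zone-pair and service matching (real XG rules also match on networks and more). The zone names, address ranges, service definitions and flows are constructed for the example and are not the poster's network.

```python
"""
Added example, not code from the thread, from Sophos, or from pfSense: a
small first-match, zone-based firewall rule evaluator. It makes three points
from the replies above observable: rules are walked top to bottom and the
first match decides; an explicit drop-and-log rule at the bottom catches
every flow that would otherwise fall off the end of the list unlogged; and a
rule with service ANY allows more than its author probably intended.
All zone names, address ranges and flows are constructed for this example
(hypothetical addressing, not the poster's network).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone -> network map. Anything not in an internal zone is WAN.
INTERNAL_ZONES = {
    "LAN":  [ip_network("10.10.10.0/24"), ip_network("10.10.20.0/24")],
    "WIFI": [ip_network("10.10.30.0/24")],
    "DMZ":  [ip_network("10.10.90.0/24")],
    "VPN":  [ip_network("10.10.200.0/24")],
}
ALL_ZONES = ["LAN", "DMZ", "WIFI", "WAN", "VPN"]

# Service name -> set of (protocol, port); "ANY" is handled in Rule.matches.
SERVICES = {
    "HTTP":  {("tcp", 80)},
    "HTTPS": {("tcp", 443)},
    "DNS":   {("udp", 53), ("tcp", 53)},
    "SMB":   {("tcp", 445)},
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses are treated as WAN."""
    addr = ip_address(ip)
    for zone, nets in INTERNAL_ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "WAN"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    src_zones: list
    dst_zones: list
    services: list   # service names from SERVICES, or ["ANY"]
    action: str      # "accept" or "drop"
    log: bool = False

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        if src_zone not in self.src_zones or dst_zone not in self.dst_zones:
            return False
        if "ANY" in self.services:
            return True
        return any((proto, dport) in SERVICES[s] for s in self.services)


def evaluate(rules: list, flow: Flow) -> tuple:
    """Walk the rule list top to bottom and return (action, rule_name, logged).

    A flow that matches no rule is reported as an implicit, unlogged drop so
    the caller can distinguish it from a flow caught by an explicit rule.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, flow.proto, flow.dport):
            return rule.action, rule.name, rule.log
    return "drop", "<implicit>", False


# The trailing catch-all rule recommended in the reply: every zone to every
# zone, any service, drop and log.
FINAL_DROP = Rule("Default drop", ALL_ZONES, ALL_ZONES, ["ANY"], "drop", log=True)

# Loose: one LAN->WAN rule with service ANY and no explicit catch-all.
LOOSE = [Rule("LAN to WAN any", ["LAN"], ["WAN"], ["ANY"], "accept")]

# Tight: named services only, with the catch-all at the bottom.
TIGHT = [
    Rule("LAN to WAN web+dns", ["LAN"], ["WAN"], ["HTTP", "HTTPS", "DNS"], "accept"),
    FINAL_DROP,
]

# Same rules as TIGHT but with the catch-all placed first: first match wins,
# so the accept rule below it can never be reached.
MISORDERED = [FINAL_DROP, TIGHT[0]]


if __name__ == "__main__":
    smb_out = Flow("10.10.10.55", "93.184.216.34", "tcp", 445)    # LAN -> WAN SMB
    https_out = Flow("10.10.10.55", "93.184.216.34", "tcp", 443)  # LAN -> WAN HTTPS
    dmz_in = Flow("10.10.90.5", "10.10.10.55", "tcp", 443)        # DMZ -> LAN HTTPS
    for label, rules in (("LOOSE", LOOSE), ("TIGHT", TIGHT), ("MISORDERED", MISORDERED)):
        for flow in (smb_out, https_out, dmz_in):
            print(label, flow, "->", evaluate(rules, flow))
```

Running it shows the three behaviours side by side: under LOOSE, outbound SMB from the LAN is accepted because the service is ANY, and DMZ-to-LAN traffic is silently dropped with no rule name to find in a log; under TIGHT, the same SMB flow and the DMZ flow both land on the named, logged "Default drop" rule while HTTPS out still works; under MISORDERED, everything hits the catch-all, which is the top-to-bottom, first-match behaviour the follow-up question asks about.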