Good evening,I come from the SG group and wanted to convert to XG. Currently I am doing all this as a home project.Apparently not all features of the SG have been migrated to XG or have been converted to XG in a very complicated way.WAF was one of them.I can't find an option for this in the firewall and the pages of the Sophos Wiki and FAQ show completely different ways, which have apparently already disappeared.
I have a lot of external domains that are running on the WAN port.I used to control which server and which port delivers the page via WAF.> subdomain1.domain.tld (of course 443 with automatic redirection of 80)> Internal web server 10.10.10.10 Port 12345Or also several domains to a Linux web server, which then receives the requested domain and delivers the appropriate page.Let's Encrypt seems to have disappeared by the way.
Are there up-to-date documents available?
PS: The WAF in the KB is for V17.5. Here is the DOC for V18: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/WAFProtectWebServerAgainstAttacks.ht…
PS: The WAF in the KB is for V17.5. Here is the DOC for V18: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/WAFProtectWebServerAgainstAttacks.html
This pages moved to Firewall rules.
About Lets Encrypt. As already stated, this is not implemented into XG yet. You could automate this integration via script, if you want to. See: https://community.sophos.com/xg-firewall/f/discussions/108931/letsencrypt-how-to-in-xg
Its about where to use those certificates. As we move more and more to the home offices, we should try to smaller the attack surfaces on such products. So disabling some of those services for WAN seems a good idea anyway. For example Webadmin/SSH should be disabled. User Portal, if you do not use it. Only because you use a public signed certificate (LE), does not mean, somebody can use your facilities to try to attack those. Just some thoughts about this.
Okay that the function has moved is nice to know.But the LetsEncrypt topic is not finished :-)Is the function WILL BE implemented soon, or will it not be? If it still comes, the security argument is also not fitting ^^.In general I noticed that the UX from SG to XG has decreased quite a lot. But unfortunately we have to live with that.