
When do I use MAC Host / IP Host

Hello,

Can someone explain to me when I should use a MAC host and/or an IP host? When does that make sense?

Or do I even have to create both? In my other thread it was already discussed why there is no ready-made client object.

It is absolutely incomprehensible to me what the point is of creating a MAC host or an IP host separately.

Well, that would be worth an answer in my other thread.

Back to the question: when do I use a MAC host or an IP host?

I absolutely do not understand this kind of object, because a client basically has a MAC and an IP, at least in my understanding when trying to work with rules.

Thanks and greetings



  • I have never used MAC lists in my life, as it is way too complicated to maintain all those devices. But from my point of view, I look at the bigger installations (more than 20 devices online). I do not want to keep up with the entire MAC list, maintain all new devices, delete the old ones, etc.

    MAC in firewall rules is a relic of an old time, using NAC to maintain a network. If you look at the solutions on the market that use MAC for this, they can easily get messy in bigger networks. Of course, for smaller networks or even home networks this is not the case, but even there: what do you do with guests, what do you do with a device switching MACs? It is never easy to rely on such static measures. Also, most customers could use a layer 3 switch, and therefore MAC filtering will not work (because the MAC gets replaced).

    You can simply create a MAC list with all your MACs, place it in a firewall rule and block / allow the access.

    XG Firewall really comes into play if you get an authentication method in place, which replaces this entire "I create an object for the task" approach. See: https://support.sophos.com/support/s/article/KB-000035643?language=en_US

    • If MAC Binding is enabled and the MAC address is not entered in the MAC address List, Sophos Firewall will automatically bind the MAC address of the user’s device on their first login.

    If you use IP hosts in a firewall rule, you need to make sure the same host gets the same IP all the time. Therefore you need to figure out whether you want to use the static IP leases of XG itself or your own DHCP server. Again, if you have an automatic authentication service, it replaces this method of static IP hosts: it maps a person (user) to an IP, and you can use the person in a firewall rule.

    __________________________________________________________________________________________________________________

  • Hello,

    thanks for the feedback.

    I don't necessarily want to switch to or use a MAC host. I see that managing these MAC addresses is of course a lot of effort.

    Of course I would like to use the XG with DHCP. At the same time I would also like to use static DHCP: I assign an IP address to a client outside the DHCP range but within the same IP segment.

    That means using MAC host and IP host addresses makes no sense on the XG, if I understood that correctly, or the effort is far too great.

    Somehow I am missing the approach I had with the SG firewall.

    I did not understand the authentication of the clients.
    Can you please describe in more detail how everything works in connection with the XG firewall?

    Thanks and regards

  • You use the MAC address as part of the DHCP fixed address assignment because there is no way of knowing where the request originated from without it.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I did not understand what you mean to say to me now.

  • OK, what options do I have to set up the same use case in the manner of the SG firewall?

    I would like to build the same kind of IP and MAC binding. I also have microcontrollers that cannot log in.

    How do I deal with such clients?

  • In SG you "should" not use a static DHCP lease within the DHCP lease range. But SG allowed it anyway, even though this causes a lot of trouble in networks. See the UTM online help:

    Note – To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped, make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 - 192.168.0.210.

    In XG, we prevent this from happening in the first place by blocking static mappings inside the lease range. So for example you can set up a DHCP lease range of 192.168.100.0 - .50 and statically map .51-.254 for your devices. The static mapping is done in the DHCP server. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/NetworkConfigureDHCPServer.html

    But again: this is not the same as on UTM. The approach is different, therefore it looks odd to people who know UTM. UTM used a unified approach to do this (since 9.1) in the network context, so you can maintain your static IP based on an object in network objects: one object which contains the MAC and the static IP, etc.

    In XG, we built the entire authentication method differently, so we do not need a static mapping anymore and can use the context of a user. To get the user information (what is your currently logged-in user name?) we need an authentication method. Most likely this is built for an AD environment, but there are several other methods for other customers as well.

    The most used one in home deployments, which do not have AD or any kind of authentication service in place, is clientless-based.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/ClientlessUsers.html

    So again it relies on an administrator maintaining this in different screens (DHCP static lease + mapping the IP to a user).

    There are other methods like a client-based approach: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/AuthenticationClientDownloads.html

    But those tools require you to install a piece of software.

    This is not great for home users to begin with, as Sophos heavily relies on some sort of authentication. Because if you start with AD or RADIUS, you can completely automate this process. Like STAS: it will simply map every device to a username and work that way. Or our own endpoint client will do the same for Windows clients as well. Or Intercept X for Server will map all RDP sessions to individual sessions, etc. There is also NTLM/Kerberos to map an existing username to a device. For IoT devices, there is RADIUS WPA2 Enterprise to map the mobile device to a username, etc.

    The question remains what you want to achieve: smaller customers (XGS107 for example) are basically using LAN to WAN rules, turn on IPS and web filtering, and do not use segmentation (as they likely have only 5 devices, for example). And bigger customers use AD or Azure AD and turn on the authentication at that level.

    There are internal feature requests to extend the usability for smaller customers, to reduce the number of windows you have to go through to create something, but this is not an easy task to begin with.

    __________________________________________________________________________________________________________________

  • As stated above: you can simply create a static mapping in DHCP, create this object as a network IP host object or as a clientless user, and use that.

    It is a one-time job to create those objects, but I guess for 50 clients you are done in a short amount of time if you already have the list in front of you. Keep in mind: you can use Import/Export for this:

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122450/creating-xml-objects-with-notepad-for-mass-import

    https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/128124/lazyness-at-your-service-automated-load-of-object-through-api-from-csv

    __________________________________________________________________________________________________________________

  • Hi,

    thank you for your detailed answers.

    So if I understand correctly, the XG is more developed for authentication processes, i.e. user logins.

    Which, of course, I do not have for my home needs: working with AD or Azure.

    In addition, I have a lot of clients; my network structure corresponds to a very extensive smart home. I have a total of just over 100 clients. That's why I switched to the XG after my first SG125 tests, which were great in terms of functionality and real benefits, because unfortunately I exceeded 50 clients.

    Can you give me a tip now on how I should manage my clients?

    Earlier I expressed myself incorrectly about the assignment of the IP address in DHCP. The XG also no longer allows you to assign addresses within the DHCP range.

    I have various devices for my various smart home clients that should not have access to the Internet, etc.

    Of course, I absolutely do not want to do without MAC addresses, even if this sometimes offers the least security, etc.

    How do I go about managing my network with various network areas and distributing clients into these network segments?

    I have already taken care of the MAC host.
    I have not created an IP host.

    Static IP addresses are all already created. The clients are of course all on DHCP.

  • So if you already did the mapping in DHCP, you need to set up the clientless user.

    The clientless user will authenticate the device to XG itself without any authentication service.

    You can work with clientless users or clientless groups. For example: create a clientless user like TV1 and create a group called IoT. TV1 with IP 192.168.0.1 is mapped as a clientless user. (Make sure DHCP is mapping the MAC of TV1 to its IP 192.168.0.1.)

    Then you create a firewall rule with "Match known users". There you select the group IoT and allow access to WAN, for example.

    XG will internally map the IP to the user and the rule will match the traffic based on your TV1.

    The same will be done for TV2 and TV3, etc. You can also work with the user object, so you can create a firewall rule with TV1.

    You will see this under live users in current activities.

    Here is a screenshot of one of my firewalls doing this for a training environment.

    Basically all the users are clientless and matched against IPs.

    Here is the mapping of the clientless users:

    Here is the firewall rule matching the general WAN traffic:

    And another rule, for example, only allowing the trainer and not the students to access another network.

    __________________________________________________________________________________________________________________
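The recipe in the reply above (DHCP static lease per MAC, one clientless user per device, a clientless group in a "Match known users" rule) plus the earlier caveat that static leases must not fall inside the dynamic pool are easy to get wrong once there are 100 devices. The following is an added example, not part of the thread and not Sophos code: a Python check that reads a device list and flags the mistakes the replies warn about before anything is typed into the firewall or fed to the import tools linked above. The CSV rows, the subnet, the pool bounds and all function names are constructed for the example; no Sophos API is called.

```python
from __future__ import annotations

import csv
import io
import ipaddress
import re

# Constructed inventory for the example (not from the thread). One row per
# device: the DHCP static lease (mac -> ip), the clientless user that will be
# mapped to that ip, and the clientless group the firewall rule will match.
INVENTORY_CSV = """name,mac,ip,group
TV1,AA:BB:CC:00:00:01,192.168.100.51,IoT
TV2,aa-bb-cc-00-00-02,192.168.100.52,IoT
Trainer-PC,aabb.cc00.0003,192.168.100.60,Trainer
Sensor7,aa:bb:cc:00:00:01,192.168.100.20,IoT
Cam1,aa:bb:cc:00:00:05,192.168.200.5,IoT
"""

# Hypothetical lab values: dynamic pool .1-.50, so static leases must land in .51-.254.
SUBNET = ipaddress.ip_network("192.168.100.0/24")
POOL_START = ipaddress.ip_address("192.168.100.1")
POOL_END = ipaddress.ip_address("192.168.100.50")


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or dotted notation and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV into rows with a normalized MAC and a parsed IP address."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"].strip(),
            "mac": normalize_mac(row["mac"]),
            "ip": ipaddress.ip_address(row["ip"].strip()),
            "group": row["group"].strip(),
        })
    return rows


def check_plan(devices, subnet=SUBNET, pool_start=POOL_START, pool_end=POOL_END) -> list[str]:
    """Return the problems an admin would hit; an empty list means the plan is consistent.

    Checked: duplicate user names (clientless users must be unique), one MAC
    leased twice (a device can only hold one static lease), two users on one
    IP (the firewall maps an IP to a single user), IPs outside the subnet,
    and static leases inside the dynamic pool (the address-clash case quoted
    from the UTM help, which the reply above says XG blocks).
    """
    problems: list[str] = []
    seen_name: set[str] = set()
    seen_mac: dict[str, str] = {}
    seen_ip: dict = {}
    for d in devices:
        name, mac, ip = d["name"], d["mac"], d["ip"]
        if name in seen_name:
            problems.append(f"{name}: duplicate clientless user name")
        seen_name.add(name)
        if mac in seen_mac:
            problems.append(f"{name}: MAC {mac} already leased to {seen_mac[mac]}")
        else:
            seen_mac[mac] = name
        if ip in seen_ip:
            problems.append(f"{name}: IP {ip} already mapped to user {seen_ip[ip]}")
        else:
            seen_ip[ip] = name
        if ip not in subnet:
            problems.append(f"{name}: {ip} is outside {subnet}")
        elif pool_start <= ip <= pool_end:
            problems.append(f"{name}: {ip} lies inside the DHCP pool {pool_start}-{pool_end}")
    return problems


def rule_members(devices) -> dict[str, list[str]]:
    """Group -> sorted user names: what a 'Match known users' rule on that group covers."""
    groups: dict[str, list[str]] = {}
    for d in devices:
        groups.setdefault(d["group"], []).append(d["name"])
    return {g: sorted(names) for g, names in groups.items()}


if __name__ == "__main__":
    devs = parse_inventory(INVENTORY_CSV)
    for line in check_plan(devs) or ["plan is consistent"]:
        print(line)
    for group, names in rule_members(devs).items():
        print(f"group {group}: {', '.join(names)}")
```

Run against the constructed inventory, the check reports Sensor7 twice (its MAC is already leased to TV1, and .20 sits inside the pool) and Cam1 once (wrong subnet); the first three rows alone pass clean. The group summary is the list to compare against the firewall's live users page after the clientless users are created.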

  • Hello,

    Thank you very much for this great answer.

    It's an approach that I would never, never have come up with, not in the slightest.

    OK, I will try that out, although it is limited for my use case.

    But the way I see it, the XG is a completely different product.

    Why??? But that would be better off as an answer in my other thread or a new one.

    Greetings and thank you for your effort.