When do I use MAC Host / IP Host

Question

Hello, 
 can someone explain to me when I should use a MAC host and / or an IP host, when does that make sense. 
 Or do I even have to create both, although in my other thread it was already discussed why there is not a finished client object. 
 It is absolutely not understandable for me what it is supposed to create a MAC host or IP host separately. 
 Well, that would be worth an answer in my other thread. 
 Back again, when do I use a MAC host or IP host. 
 I absolutely do not understand this type, because a client basically has a MAC and IP, at least for my understanding when trying to work with rules. 
 
 Thanks and greetings

LuCar Toni · Accepted Answer

In SG you "should" not use a static DHCP lease within the DHCP lease range. But SG allowed it anyways, even if this causes much trouble in networks. See UTM online help: 
 Note &ndash; To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 &ndash; 192.168.0.210 . 
 
 In XG, we avoid this to happen in the first place by blocking the static mapping to the lease range. So for example you can setup a DHCP lease range of 192.168.100.0 - .50. And static map .51-254 for your devices based on the static mapping. The static mapping is done based on the DHCP server. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/NetworkConfigureDHCPServer.html 
 But again: This is not the same as on UTM. The approach is differently, therefore this looks odd to people, knowing UTM. UTM used the unified approach to do this (since 9.1) in the network context. So you can maintain your static IP based on a object in network objects: One object which contains the MAC and the static IP etc. 
 In XG, we build the entire authentication method differently. So we do not need a static mapping anymore and can use the context of a user. To get a user information (What is your currently logged in user name?) we need a authentication method. Most likely this is build for a AD environment. But there are several other methods for other customers as well. 
 The most used on home deployments, which do not have AD, or anykind of authentication service in place is clientless based. 
 https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/ClientlessUsers.html 
 So it relay on again a administrator, maintaining this in different screens (DHCP static lease + mapping the IP to a User). 
 There are other methods like a client based approach: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/AuthenticationClientDownloads.html 
 But those tools require you to install a piece of software. 
 
 This is not great for home users to begin with, as Sophos heavily requires some sort of authentication. Because if you start with AD or Radius, you can completely automate this process. Like STAS: It will simply map every device to a username and work that way. Or our own endpoint client will do the same for windows clients as well. Or Intercept X for server will map all RDP Sessions to individual sessions etc. There is also NTLM/Kerberos to map a existing username to a device. For IoT Devices, there is Radius WPA2 Enterprise to map the mobile device to a username etc. 
 
 The question remains of what you want to achieve: Smaller customers (XGS107 for example) are basically using LAN to WAN Rules and turn on the IPS, web filtering and do not use segmentation (As they likely have only 5 devices for example). And bigger customers uses AD or Azure AD and turn on the authentication on that level. 
 
 There are internal feature request to extend the usability for smaller customers to reduce the amount of windows you have to create something, but this is not a easy task to begin with.

LuCar Toni · Answer

As stated above: You can simply create static mapping of DHCP and create this object in network IP host object or clientless and use this one. 
 It is a one time job, to create those objects but i guess, for 50 clients you are done in a short amount of time, if you have the list already in front of you. Keep in mind: You can use Import/Export for this: 
 https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122450/creating-xml-objects-with-notepad-for-mass-import 
 https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/128124/lazyness-at-your-service-automated-load-of-object-through-api-from-csv

When do I use MAC Host / IP Host

Top Replies