Sophos XG RED 20

Hello all, looking for some help and guidance. 

I have one office with a Sophos XG and 4 remote sites using SD-RED 20 units. All 4 SD-RED 20 units are connected back to the XG using Standard/Unified mode. No issues with getting this all connected.

I have also deployed Wi-Fi across each location (APX120), which is also working fine.

However, when the tunnel drops at head office, where the XG is, all remote locations lose their internet connectivity even though internet is still functional at the remote sites.

So, reading the vague documentation, I can avoid this by setting the mode to Manual/Split and making physical changes to the network.

I have turned off DHCP on the XG for the remote site; DHCP comes from the router at the remote site so that the gateway is the router. Any devices in the remote site now access the internet via the router gateway. The tunnel goes down and internet still works.

My issue is the Wi-Fi and the APs. They get their DHCP from the router and are not able to contact the XG. I know this is a route issue, but I'm not sure what route to add in order to get the APs working again. I need the APs to access the router gateway.

I read an article regarding the magic IP, and that confused me.

I've spoken to support a few times and they couldn't help. They just sent me the article I already had.

Is there anyone out there who has this working and is willing to share and help?

Much appreciated. 
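One generic mechanism a DHCP server can use to hand clients an extra route while keeping the local router as the default gateway is DHCP option 121, classless static routes (RFC 3442). The block below is an added example, not code from the thread or from Sophos; it assumes the remote router's DHCP server can emit option 121 and that the APs honour it, neither of which the thread establishes. All addresses are constructed RFC 5737 documentation addresses: remote LAN 192.0.2.0/24 with router 192.0.2.1, an assumed XG RED-side interface at 192.0.2.254, and an assumed head-office subnet 203.0.113.0/24 that the APs must reach through the tunnel. The encoder is general (any list of routes), so it goes beyond the single-route case above; the check function covers the two mistakes that silently break this setup: a next hop that is not on-link, and omitting the default route (a client that receives option 121 must ignore option 3, so the router has to be repeated inside option 121).

```python
"""DHCP option 121 (RFC 3442 classless static routes) encoder/decoder.

Added example, not from the thread above. Scenario (constructed RFC 5737
documentation addresses, not real ones):
  remote LAN       192.0.2.0/24, local router 192.0.2.1 (default gateway)
  XG RED-side IP   192.0.2.254   (assumed: XG's RED interface in the remote subnet)
  head-office LAN  203.0.113.0/24 (assumed: subnet the APs must reach via the tunnel)
That the APX APs honour option 121 is an assumption, not confirmed by the thread.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[str, str]  # (destination CIDR, next hop)


def encode_classless_routes(routes: List[Route]) -> bytes:
    """Option 121 payload: per route, one byte of prefix length, only the
    significant bytes of the destination, then the 4-byte next hop."""
    out = bytearray()
    for dest, via in routes:
        net = ipaddress.IPv4Network(dest, strict=True)  # rejects host bits set
        gw = ipaddress.IPv4Address(via)
        out.append(net.prefixlen)
        out += net.network_address.packed[:(net.prefixlen + 7) // 8]
        out += gw.packed
    return bytes(out)


def decode_classless_routes(payload: bytes) -> List[Route]:
    """Inverse of encode_classless_routes; rejects malformed or truncated data."""
    routes: List[Route] = []
    i = 0
    while i < len(payload):
        bits = payload[i]
        i += 1
        if bits > 32:
            raise ValueError(f"bad prefix length {bits}")
        n = (bits + 7) // 8
        dest = payload[i:i + n]
        gw = payload[i + n:i + n + 4]
        i += n + 4
        if len(dest) != n or len(gw) != 4:
            raise ValueError("truncated option 121 payload")
        dest = dest + b"\x00" * (4 - n)  # restore the omitted low-order bytes
        routes.append((f"{ipaddress.IPv4Address(dest)}/{bits}",
                       str(ipaddress.IPv4Address(gw))))
    return routes


def build_option_121(routes: List[Route]) -> bytes:
    """Full TLV as it appears in the DHCP options field: code 121, length, payload."""
    payload = encode_classless_routes(routes)
    if len(payload) > 255:
        raise ValueError("payload too long for a single option")
    return bytes([121, len(payload)]) + payload


def check_routes(routes: List[Route], client_subnet: str) -> List[str]:
    """Practitioner checks. Every next hop must be on-link for the client's
    subnet (otherwise the client cannot ARP for it), and a default route must
    be present because a client that receives option 121 ignores option 3."""
    subnet = ipaddress.IPv4Network(client_subnet)
    problems = []
    for dest, via in routes:
        if ipaddress.IPv4Address(via) not in subnet:
            problems.append(f"next hop {via} for {dest} is not on-link in {subnet}")
    if not any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes):
        problems.append("no default route: clients honouring option 121 ignore option 3")
    return problems


# Constructed scenario for the remote site described above.
REMOTE_LAN = "192.0.2.0/24"
ROUTES: List[Route] = [
    ("203.0.113.0/24", "192.0.2.254"),  # head-office LAN via the XG's RED-side IP (assumed)
    ("0.0.0.0/0", "192.0.2.1"),         # default via the local router, repeated on purpose
]

if __name__ == "__main__":
    print("option 121:", build_option_121(ROUTES).hex())
    print("problems:", check_routes(ROUTES, REMOTE_LAN))
```

The resulting option is 13 bytes of payload: a /24 route (1 + 3 + 4 bytes) followed by the /0 default (1 + 0 + 4 bytes). If the head-office side needs more than one prefix, add further tuples to ROUTES; the on-link check will flag any next hop that is not in the remote LAN.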

  • This is actually the use case for a firewall instead. The problem is that the RED is "headless" without a firewall, meaning the RED will not do anything if the firewall is not reachable. Therefore there is no difference between Standard/Split/Unified. Transparent/Split could work, as you can implement the RED as a simple client, not a gateway.

    For such installations, you should think of using a smaller desktop firewall like the XGS107 etc., as you can implement them with great freedom.

  • I wanted to go that route, but my sales account manager (at the time) suggested REDs. When I asked if the above was achievable and would work, I was told yes, absolutely. Yet here I am with an unworkable solution.

  • RED has worked like this for a long time. If the connection to the firewall dies, it will reboot until it can reach the firewall again.

    Therefore having a stable connection, or multiple connections etc., is helpful.

    You can work around this by making both ends highly available: meaning give the firewall two ISPs and give the RED two ISPs. This would greatly reduce the chance that the RED cannot reach the firewall anymore.

  • Sorry for the delay in responding. 

    I have asked my Sophos Account Manager for help sorting this out. I'm told that this deployment will work but I'm not convinced.

    So, is it possible for APs to connect to the XG via the RED but use the local gateway for internet access and not the tunnel?

  • That will work. I would recommend deploying in Standard/Split mode and using Central Wireless.