Switch and AP6 URL Allow List for XGS Firewall

Hello Eli,

Thanks for reaching out to Sophos Community.

Could you elaborate further on what you're trying to achieve and configure?

Do you plan to use Sophos DNS Protection on your Sophos Firewall? 

Kindly confirm if my understanding is correct. Thank you

Regards,

Hello Raphael,

what I need is a URL / IP and Ports allow list for the following devices:

- Sophos Switches

- Sophos AP6 Access Points with Captive Portal

This will be configured to a Sophos XGS Firewall Destination Host entry. Like this only qualified devices are allowed to connect. 

Best regards

Eli.

Hi,

you register your devices in your cm account and they negotiate secure connections without you adding rules to the firewall.

ian

Hello rfcat_vk,

we are very strict and only allow specified documented connections to some costumers. Simple allowing SWITCHZONE from NETWORKIP to WAN = ANY is not advisable. 

We need URLs / IPs with Ports and Protocoll to were those devices connect to.

Thank you 

Sincerely

Eli.

Hello rfcat_vk,

we are very strict and only allow specified documented connections to some costumers. Simple allowing SWITCHZONE from NETWORKIP to WAN = ANY is not advisable. 

We need URLs / IPs with Ports and Protocoll to were those devices connect to.

Thank you 

Sincerely

Eli.

Hi,

you don’t setup firewall rules. The cm sets up secure tunnels for at least xgs and aps, so I would assume the same with switches.

You try setting one up in a test environment to see which ports and URLs are used.

ian

with cm initiating the tunnel, if you perform a port scan nothing is shown as open.

They establish a connection to multiple addresses some are needed for registration others are needed for Sophos Central to function.

LIke mentioned above we need official documented URL / IP and Ports - The same as Sophos did for the other Products: Domains and ports to allow - Sophos Central Admin

I am sorry to sound rude but not my job to find out what IP-Ranges and Ports are needed. ;) Even other companies have documentation on how their Cloud Serviced Products connect and what is needed to have stable Firewall Rules. (Cis... and Extr..)

regards

Eli.

Hi Eli,

You do not need firewall rules or open ports for connections to Sophos CM.

I agree the documentation could be improved you probably need to talk to your Sophos account manager.

Ian

Hi Eli  Please refer to KBA and the help section below for more information, hope the above contains the details that you are looking for.

Sophos Switch:

SSL / TLS exclusions are required for registration with Sophos Central
https://support.sophos.com/support/s/article/KB-000043898?language=en_US

Sophos Switch: Unable to register switch on Sophos Central
https://support.sophos.com/support/s/article/KB-000043898?language=en_US

Sophos Wireless :

Sophos Wireless: Access point domain and network requirements
https://support.sophos.com/support/s/article/KB-000036137?language=en_US

https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/Wireless/index.html

Oh yeah that is what I have been looking for thank you so much.

Sincerely

Eli.

Eli Thank you too, I am glad that the shared information helped you and addressed your raised query.