
Switch and AP6 URL Allow List for XGS Firewall

Hello Sophos Team,

Is there documentation on which URLs / IPs need to be in a firewall rule as the Destination Host?

I know the ports that are needed: HTTPS / NTP / DNS -> forwarded to the firewall IP, and the uplink to DNS Protection.

I just found a list for the other services: Domains and ports to allow - Sophos Central Admin

I would love to establish secure connections for the Sophos cloud-managed products.

Sincerely

Eli.



This thread was automatically locked due to age.
Parents
  • Hello Eli,

    Thanks for reaching out to Sophos Community.

    Could you elaborate further on what you're trying to achieve and configure?

    Do you plan to use Sophos DNS Protection on your Sophos Firewall? 

    Kindly confirm if my understanding is correct. Thank you

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    If a post solves your question use the 'Verify Answer' link.

  • Hello Raphael,

    What I need is a URL / IP and ports allow list for the following devices:

    - Sophos Switches

    - Sophos AP6 Access Points with Captive Portal

    This will be configured as a Destination Host entry on a Sophos XGS Firewall. This way only qualified devices are allowed to connect.

    Best regards

    Eli.

  • Hi,

    You register your devices in your CM account and they negotiate secure connections without you adding rules to the firewall.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hello rfcat_vk,

    We are very strict and only allow specified, documented connections for some customers. Simply allowing SWITCHZONE from NETWORKIP to WAN = ANY is not advisable.

    We need the URLs / IPs with ports and protocol to which those devices connect.

    Thank you 

    Sincerely

    Eli.

  • Hi,

    You don't set up firewall rules. The CM sets up secure tunnels for at least XGS and APs, so I would assume the same for switches.

    Try setting one up in a test environment to see which ports and URLs are used.

    ian

    With CM initiating the tunnel, if you perform a port scan nothing is shown as open.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
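One way to turn the "observe it in a test environment" approach into a reviewable candidate allow list. This is an added example for this thread, not Sophos code or output: the connection-log format is a constructed, simplified one (timestamp, source, destination, protocol, port, optional TLS SNI), and every IP address, hostname and device address in it is made up for illustration and is not Sophos infrastructure. The script aggregates what the devices under test actually connected to, keys entries on the TLS server name where one was seen (cloud IPs change; FQDN objects age better than raw IPs), and flags entries that should not be locked in without a second look.

```python
"""Derive a candidate egress allow list from observed device connections.

Added example, not Sophos code. The log format, IPs and hostnames below are
constructed for illustration only (example.invalid, RFC 5737 test ranges).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed lab capture: a switch (10.10.20.5) and an AP (10.10.20.6)
# talking to a cloud service, plus one unrelated client that must be ignored.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.10.20.5 203.0.113.10 tcp 443 sni=registration.example.invalid
2024-05-01T10:00:02Z 10.10.20.5 203.0.113.10 tcp 443 sni=registration.example.invalid
2024-05-01T10:00:03Z 10.10.20.5 203.0.113.25 tcp 443 sni=mgmt.example.invalid
2024-05-01T10:00:04Z 10.10.20.5 10.10.20.1 udp 53
2024-05-01T10:00:05Z 10.10.20.5 10.10.20.1 udp 123
2024-05-01T10:00:06Z 10.10.20.6 203.0.113.25 tcp 443 sni=mgmt.example.invalid
2024-05-01T10:00:07Z 10.10.20.6 198.51.100.7 tcp 80
2024-05-01T10:00:08Z 192.168.1.50 203.0.113.99 tcp 443 sni=unrelated.example.invalid
"""
DEVICE_IPS = {"10.10.20.5", "10.10.20.6"}   # the devices whose egress we are profiling

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>tcp|udp)\s+(?P<port>\d+)"
    r"(?:\s+sni=(?P<sni>\S+))?\s*$"
)


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    port: int
    sni: Optional[str]


@dataclass
class AllowEntry:
    destination: str          # FQDN from SNI when seen, otherwise the raw IP
    proto: str
    port: int
    sni_based: bool
    hits: int = 0
    sources: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    review: List[str] = field(default_factory=list)


def parse_connections(text: str) -> List[Conn]:
    """Parse the constructed log format; reject lines that do not match."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        conns.append(Conn(m["src"], m["dst"], m["proto"], int(m["port"]), m["sni"]))
    return conns


def build_allowlist(conns: List[Conn], device_ips: Set[str]) -> List[AllowEntry]:
    """Aggregate per (destination, proto, port) and attach review notes."""
    buckets: Dict[Tuple[str, str, int], AllowEntry] = {}
    for c in conns:
        if c.src not in device_ips:
            continue                      # not one of the devices under test
        dest = c.sni or c.dst
        key = (dest, c.proto, c.port)
        e = buckets.setdefault(key, AllowEntry(dest, c.proto, c.port, c.sni is not None))
        e.hits += 1
        e.sources.add(c.src)
        e.ips.add(c.dst)
    for e in buckets.values():
        if e.proto == "tcp" and e.port == 80:
            e.review.append("plaintext HTTP: confirm what it is (e.g. CRL/OCSP) before allowing")
        if e.proto == "tcp" and e.port == 443 and not e.sni_based:
            e.review.append("TLS without SNI: only a raw IP observed; cloud IPs change, confirm with vendor")
        if e.hits == 1:
            e.review.append("seen once: may be one-off registration traffic, re-test before locking in")
    return sorted(buckets.values(), key=lambda e: (e.proto, e.port, e.destination))


def render_rules(entries: List[AllowEntry]) -> List[str]:
    """Human-readable candidate rules, one per entry, with review flags."""
    lines = []
    for e in entries:
        flag = f"  [REVIEW: {'; '.join(e.review)}]" if e.review else ""
        lines.append(f"allow {','.join(sorted(e.sources))} -> {e.destination} {e.proto}/{e.port} "
                     f"(hits={e.hits}, ips={','.join(sorted(e.ips))}){flag}")
    return lines


if __name__ == "__main__":
    for line in render_rules(build_allowlist(parse_connections(SAMPLE_LOG), DEVICE_IPS)):
        print(line)
```

Run it against a capture taken while a device is first registered and again after a day of steady-state operation; destinations that appear only in the first run are registration traffic that still needs to be allowed, and anything flagged for review should be cross-checked against the vendor's published domain list rather than allowed on the strength of one observation.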

  • They establish a connection to multiple addresses some are needed for registration others are needed for Sophos Central to function.

    As mentioned above, we need official documented URLs / IPs and ports, the same as Sophos did for the other products: Domains and ports to allow - Sophos Central Admin

    I am sorry to sound rude, but it is not my job to find out which IP ranges and ports are needed. ;) Even other companies have documentation on how their cloud-serviced products connect and what is needed for stable firewall rules. (Cis... and Extr..)

    regards

    Eli.

  • Hi Eli,

    You do not need firewall rules or open ports for connections to Sophos CM.

    I agree the documentation could be improved; you probably need to talk to your Sophos account manager.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.
