Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • Replies 138 replies
  • Subscribers 61 subscribers
  • Views 140479 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: [LetsEncrypt] How To in Sophos Firewall

LuCar Toni

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

    This recommended Read reviews different options for obtaining a Let's Encrypt certificate.

    Update

    Update: V21.0 supports Lets Encrypt onboard:  Sophos Firewall v21 Early Access Announcement  
    Note: Make sure your Sophos Firewall time is correct to avoid potential Certificate Trust issues

    UTM has LE Support for WAF (since UTM9.6). However, you can also use LE certificates on Sophos. Many people do not know that you need a small Linux server and 5-10 minutes of your time every three months. You can automate this. 

    First, I want to share LE's "how it works" page. https://letsencrypt.org/how-it-works/

    My Setup

    Internet - Sophos - Ubuntu 20.04 LTS
    Ubuntu has "certbot" installed. Feel free to use other LE modules.
    https://certbot.eff.org/ https://certbot.eff.org/lets-encrypt/ubuntubionic-apache
    Follow straight the Guide for your OS. I am relying fully on those apps for the renewal process.  

    Next, I am choosing the HTTP-01 method for LE, so I need a DNAT for LE to my Ubuntu.

    (V18). 

    PS: I am using HTTP DNAT for the renewal process and will deactivate those rules afterward. But you can also use only the LE IPs: 
    https://community.letsencrypt.org/t/can-i-get-list-ip-from-letsencrypt/57117
    PS2: As explained in this Community thread, you could switch to the DNS validation.  

    The next step would be to check your Domain. Your DNS A-Record should point to your WAN IP. Otherwise, this process won’t work. 
    So perform a dig / nslookup of your domain. It’ll point to your WAN IP, so your DNAT will work, and HTTP packets will be forwarded to Certbot. 
    You can also use the Sophos free DDNS service. https://community.sophos.com/kb/en-us/123126 

    Certbot

    Let us start Certbot and try it. 
    My renewal process is straightforward:


    (Be careful: LE blocks you after a couple of "failed" requests for some time, so check everything.)
    Ultimately, you’ll get four files on your Linux: Public, Chain, Fullchain, and Privatekey Certificates. 

    Upload to Sophos Firewall

    You’ll use this Public and Privatkey certificate. 
    There are a couple of approaches to upload this to Sophos. 

    The first LE Cert can be uploaded. 
    It would be best to use the Public.pem in "Certificate" and the Privatkey in "Private key." 
    PS: you have to rename the Privatkey.pem to Privatkey.key. Otherwise, Sophos won’t take this certificate. 

    Optionally, you can upload the other Chain and fullchain Certificates under Certificate Authorities (Without Private key). 
    Now, you can use this Certificate for WAF/Webadmin. 

    In renewal (each 90 Days), choose a process.

    Automation 

    You can upload the new LE certificate with another Name and replace it in WAF/Webadmin. 
    Or you can "update" the current LE certificate with the new public.pem / private.key. However, for this method, you have to switch to a fallback certificate in WAF/Webadmin because Sophos can't update a currently used certificate.  

    After all, those steps are manually processed every 90 days. 
    You can "script" this if you want to. Basically, upload the certificate to Sophos every 90 Days. 


    Other members of the community have already performed scripts for this.

    If you want to script this, this community can help you if you struggle with a point.
    So kindly open a new thread with your issue with the API, and we’ll try to find a solution. 

    Sophos Factory

    Sophos Factory brings a new Tool to automate Script-based approaches. This means you can easily run a Script like Certbot or Lego in a Sophos Factory environment to generate and upload the certificate to the Sophos Firewall. 

    Sophos Factory offers a free Community Edition. https://community.sophos.com/sophos-factory/ https://community.sophos.com/sophos-factory/b/release-notes-news/posts/get-started-here-sophos-factory-offer-automation-for-all-with-its-free-community-edition

    Within Sophos Factory, it could look like this:

    Each step is a scripting component. Using tools like Lego and Github, the "Pipeline" will run once, generate the certificate, and upload it to the Firewall. 

    Contribution:
          https://zerossl.com/free-ssl/#crt Free alternative to this approach
    For the Github script. 
     Thanks for the PHP Script! 
     for a Powershell Script with WAF integration. 
     is for another version of a Powershell script. 



    Revamped RR
    [edited by: Erick Jan at 3:35 AM (GMT -7) on 10 Oct 2024]
    Parents

    • Update: V21.0 supports Lets Encrypt onboard:  Sophos Firewall v21 Early Access Announcement  

      __________________________________________________________________________________________________________________

    • in reply to LuCar Toni

      FINALLY!!!!!!

      Now we need the time server back....

    • in reply to Pedulla

      What kind of use case would you resolve with an NTP Server in SFOS? 

      Just wondering, as i am implementing everything with a simple NAT rule and no changes are required in the deployments. 

      __________________________________________________________________________________________________________________

    • in reply to LuCar Toni

      There are certain devices I don't want to get out to the internet for any reason (think chinese cameras).  But they need to be sync'd to the same time source for chain of custody reasons. 
      I'm currently running a separate time server but I'd rather have it on the FW like the old UTM.
      Unless someone can sight a best practice to the contrary?

    • in reply to Pedulla

      It is fw job to allow chinese camera only to have access to external ntp source. Less roles is more secure.

    • in reply to Pedulla

      Hi,

      Sorry, but before you introduce NTP you should first implement the mail functions for quarantine properly.

      I can't understand at all how you can't simply send quarantine reports like other manufacturers when a mail ends up in quarantine. This is only possible if the person also has an account. This may work with 5 people but not with 50 or 100 who are not automatically loaded via AD by SFOS.


      In the UTM this was simply even automatic, now you need everything extra at SFOS via account for collective mailbox group mail addresses.

    • in reply to Jacobi

      Did you had a chance to look into Central Email, which brings all those features (plus additional features as well)? 

      UTM customers nowadays are advised to migrate to CEMA (Central Email) instead of using the Email Protection of the firewall.

      __________________________________________________________________________________________________________________

    • in reply to LuCar Toni

      Email Protection works pretty well I must admit. But its kind of annoying for my team to find reasons for undelivered mail as it is only visible as a tooltip. The use of rbl is very effective and made reports almost obsolet. 

      Glad LE finally made it to SFOS. 

      Still missing sophos otp for webserver protection though. :(

    • in reply to LuCar Toni

      You could just say, our MTA implementation is crap - and we don't have plans to fix that -> use the cloud product instead.
      or move on to solutions that don't get crippled by their successor products.

    • in reply to Dominik Klaer

      Currently, all of my customers, when they get to choose between UTM and CEMA, they would go with CEMA all the way, as it is the full fetched email product, coming from the Sophos Email Appliance, which was always the primary Email product of Sophos. 

      Nowadays, as Sophos split up the email subscription into an own subscription, everybody can decide what to do with their email product and you are not locked into a bundle. 

      The promos of Sophos also include CEMA and not Email on the Firewall. 

      The Email protection of Sophos works as it is - and it does it job of scanning and filtering emails. Bugs are getting addressed and fixed as well.

      If a customer has certain requirements, you can always interact with Sophos or the Sophos partner to validate the options like moving to CEMA or interacting with another product. 

      __________________________________________________________________________________________________________________

    Reply
    • in reply to Dominik Klaer

      Currently, all of my customers, when they get to choose between UTM and CEMA, they would go with CEMA all the way, as it is the full fetched email product, coming from the Sophos Email Appliance, which was always the primary Email product of Sophos. 

      Nowadays, as Sophos split up the email subscription into an own subscription, everybody can decide what to do with their email product and you are not locked into a bundle. 

      The promos of Sophos also include CEMA and not Email on the Firewall. 

      The Email protection of Sophos works as it is - and it does it job of scanning and filtering emails. Bugs are getting addressed and fixed as well.

      If a customer has certain requirements, you can always interact with Sophos or the Sophos partner to validate the options like moving to CEMA or interacting with another product. 

      __________________________________________________________________________________________________________________

    Children
    • in reply to LuCar Toni

      might be a bit off-topic to continue with MTA in this topic...

      but moving to a cloud-based mail security solution when your emails are already in the cloud (e.g., EXO) makes (some) sense. However, relying on a cloud service to filter emails when you intentionally keep your mail servers on-premises to avoid data being on 'someone else's computer' (aka the cloud) is not just ironic—it's counterproductive and undermines the very reason for keeping things in-house. I'll keep the discussion about the Central Mail Product off this Thread. 

    Unfiltered HTML