I have a single XGS (XGS87) and a single AP (APX320), so I'd avoided Sophos Central management of the firewall since I saw no real advantage in such a small deployment. But I recently switched the firewall to Sophos Central management to allow me to make changes, if necessary, when I'm remote. (Best practice is not to allow Admin access from a VPN, and I also ran into technical issues trying to do the non-best practice.)
Recently, I've done a little reading on Sophos Central management of APs, and it seems like there are some additional features there (compared to managing from the XGS), but I'm wondering how much of a barrier there is to this administration switch. Can you just delete the AP from the XGS, power cycle it, and register it with Sophos Central and everything works exactly the same with no other XGS configuration/modification?
That is, I can currently see on the XGS a "wlan1", "wlan2", etc, that are associated with my SSIDs, and "wlan1" is bridged with a physical port so that an internal server is directly accessible. This bridged is one Zone, while the two other SSIDs are in another zone, with appropriately different firewall rules.
Are these "wlan1", "wlan2" actually VLANs and does both the XGS and AP remember them, so it all just works after the switchover, or do I also have to delete/recreate things in the XGS as if the AP were brand new and I'm starting from scratch?
(And is it a bad idea to switch an AP to Sophos Central management if I only have one? There seem to be new features there, but it also would mean that if internet connectivity is down I couldn't manage the AP.)
Central does not have a "Separate Zone". So this concept (APX to Firewall Tunnel) is not exist. Bridge to (V)LAN works the same. Central can do a "Private Network" principle: Means, the APX will block…
Central does not have a "Separate Zone". So this concept (APX to Firewall Tunnel) is not exist. Bridge to (V)LAN works the same. Central can do a "Private Network" principle: Means, the APX will block all traffic expect traffic to Internet IPs. This reflect a separate zone in this terms, for guest user.
But most likely you should still use the VLAN concept anyway.
If you migrate to Central, delete the APX in Firewall, remove the Wireless Protection in Device Access in XG. Register the APX in Central, redo your SSIDs config (PSK etc.) and bridge to VLAN. As the VLAN config is done on the XG and has nothing to do with the wireless management, it will use the same mechanism.
In Central you can configure to keep broadcasting, if the APX cannot reach Central, means that the internal connection still is working. And tbh - Managing a APX while your internet is down seems to be a rare use case.
OK, so I would have to redo my SSIDs on the APX and I would also have to rework the XGS to use VLANs where it previously used whatever magical "WLANs" it set up when setting up the SSIDs. (My appliance was initially configured by my reseller, there are no VLANs listed in Network > Interfaces > VLAN, though I see "wlan1", "wlan2", etc, in Network > Interfaces > All as "hardware".)
So if I didn't start with VLANs, but set up the SSIDs via the XGS' Wireless, I am essentially doing everything except the Firewall rules from scratch: so I have to redo SSIDS (on APX), VLANs (on XGS), bridging (XGS), Zones (XGS). As long as I end up creating the same Zones, my firewall rules -- which are zone-oriented -- will stay the same, but that's all the reuse I get.
Not something I would do without lots of planning and the potential for an extended wireless downtime.
But it does sound like a VLAN-orientation is good to have anyhow, so that's another benefit, which I think could be done via XGS-based Wireless management, but maybe not.
(It looks like I gain some analytics on Wireless from Sophos Central, but looks like I lose signal strength, among other things.)