I was managing our APX320s from the XGS2100 and I created Wireless Networks and Access point groups plus Firewall rules. I wanted to see the APs from Sophos Central but I could not register them. So I deleted the APX320s from the XGS and then I was able to register them to Sophos Central. I like the insights and other cool features only available in Sophos Central but now I don't know how I will handle the firewall rules and routing. I had SD-WAN routing to handle the different wireless networks thru our 2 ISPs, I don't see a way to do that on Sophos Central.
So my question is: "Is it possible to manage APX320 APs from both Sophos Central and a XGS2100 at the same time?"
If not then how to I configure SD-WAN routing, Zones and Firewall rules from Sophos Central and the XGS2100?
It is not possible.
But you can definitely do SD-WAN routing, Zones, Firewall rules on the router, and AP management from Sophos Central. Of course, you have replaced the XG's VXLANs with plain-old VLANs…
But you can definitely do SD-WAN routing, Zones, Firewall rules on the router, and AP management from Sophos Central. Of course, you have replaced the XG's VXLANs with plain-old VLANs, and then you just work in the XG using those VLANs. Sophos Central Wireless is the future and managing directly from the XG already has some disadvantages and will fall farther and farther behind.
In general, you only use Sophos Central Wireless to add/enable/disable SSIDs on an AP once it's set up. Updates can be automated. And you can monitor things. But day-to-day operations (SD-WAN, firewall rules, gateways, etc) take place on the XG itself. If the XG is registered with Sophos Central, you can connect to the XG through Sophos Central and can of course do reporting in Sophos Central. After all, firewall rules, ATP, website blocking, etc, are firewall functions not AP functions.
Thanks a lot for the explanation Wayne. I will configure the APX320s on Sophos Central as you recommended.
I was personally very skeptical when LuCar suggested it. (I had wanted an additional AP feature that only runs when they are Sophos Central managed.) What if I lose my ISP... I'd also lose the ability to control my AP too, etc...
But it's worked fine, and like I said newer features are coming to the AP via Sophos Central rather than via the XG, and you get auto-updates, etc. There was one display on the XG (the signal strength display that showed all clients), but you get similar information in Central and overall it's a win.
If you have not already moved them to Sophos Central, find the explanations in these forums. You need to turn off "wireless security" on the XG or it will otherwise intercept the AP trying to talk to Sophos Central. You'll need to set up VLANs that mimic your current VXLANs that the XG automatically makes for SSIDs. Put those VLANs in the appropriate Zones, etc. If you're Zone-oriented, firewall rules, etc, are unchanged. It's just the wireless security and the VLANs on the XG end.
When that's set up, you do the reset thing (I think) on the AP so that it reaches out to Sophos Central and on the Sophos Central end you tell it which AP's going to contact it. (I think you can submit a list of AP serial numbers if you're converting several.)
Then once the AP is registered with Sophos Central you configure the AP to set up the SSIDs again. I only had one AP so WiFi was back on the air in maybe 20 minutes.
Sorry, I forget some of the details, but you will want to be organized and you'll have to do things like coming up with VLANs and their IDs (never use ID 0 or ID 1, by the way), etc. It's totally been worth it from my viewpoint and I have not yet run into the potential downside issue (ISP out) that I feared.