This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Access Points limits in the Sophos XGS model

There is any UPDATED formal documentation from Sophos regarding how many Access Points can be managed by Firewall according the model?

This is the only documentation I have found but it's not updated. I'm interested for the new model XGS



This thread was automatically locked due to age.
Parents Reply Children
  • According the size and the business of the company I can agree with You but it's not for our case.

    We have a Sophos XGS dedicated only as AP controller for the management of many APs and subnets.

    Angelo Orlando | Global IT Project Coordinator | Sharbatly Fruit KSA

  • But why use the firewall for managing the Access points in the first place? You could do this in Central Wireless and bridge to a VLAN, which is managed by the Firewall. There is essentially no need to do this on a firewall anymore. Central offers this for free. 

    __________________________________________________________________________________________________________________

  • I'm doing myconsiderations about the option you mentioned despite for us, with many different VLANs ,can be bit complicated.

    What about the WiFi HotSpot and the creation of vouchers for the guests?  This does not appear managed by Sophos Central.

    The captive portal in the Sophos XGS is only for wiFi or can be bound to a network zone ?

    Angelo Orlando | Global IT Project Coordinator | Sharbatly Fruit KSA

  • You can do SSID + Voucher / Hotspot creation in Central as well. Even Social login (facebook etc.) is possible. 

    Then you would bridge to a VLAn and the firewall will take over the VLAN routing and other matters. 

    __________________________________________________________________________________________________________________

  • Sorry LuCarToni, but not everything in Central is shiny…

    Separate zone networks are quite easy to configure on a firewall and no VLAN capable switching infrastructure is needed.

    Doing this in central is much more complex and needs VLANs on the switches and a routing-infrastructure or firewall that handles the inter-vlan traffic.

    On a firewall one SSID can effortless be configured multiple times (e.g. bridge-to-vlan or separate zone in HQ, bridge-to-lan in home offices or smaller sites), in Central it has to be unique.

    In most cases I as the administrator can at least decide, which approach is more suitable for my/customer‘s networks.

    The APX320X is forcing the Central management. This AP is one year in the market now and still has no management through the firewall. Are there any plans left to make the management of this model a decision for the admin again?

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Separate zone is not a scaling solution. Essentially it was designed for the customer to have a way to build a VLAN within the product, if you dont have a VLAN solution on hand. 

    But customers started to use this on bigger installation. Separate Zone means: Per SSID and per access point one VXLAN Interface.

    This means: You have 100 access points and 2 SSIDs = 200 VXLAN Interfaces. That can be an issue for firewalls (linux systems). 

    The concept of doing separate zones in smaller setups is fine for me. To do this in a bigger scale (like in this setup) is just not the way to go. You should move to VLAN. And to do it in Central or one the firewall does not matter. 

    You need to differentiate between smaller project (one access point, one firewall) and large projects like this one. 

    Plans to add the firewall support on APX320X are stopped. https://partnernews.sophos.com/en-us/2021/07/products/end-of-sale-ap-100x-outdoor-access-point/

    Essentially i would always go Central Wireless. A firewall is not a wireless controller. 

    BTW: In Central you can go with guest network as well, which essentially does the same in a simpler setup. 

    __________________________________________________________________________________________________________________

  • Actually this conversation is because after adding the 25th AP to our XGS136 we started to have random problems

    on many of our APs! So APs in rotation restarting after 5-10mins.... The firmware for the APs is the last one!

    As for awed.log

    • Connection error: Connection reset by peer
    • ll_read:short rad or connection erro
    • erro while writhing to socket, dropping

    After removing the 25th AP the problems appear mitigated!

    I just need confirmation for this model it was reached a manufacturer hardware limit.

    In the previous model XG135 20 APs was the advised limit as for documentation! 

    Considering on this firewall the average for CPU is always around 5% I cant believe different problems from a limit manufacturer imposed.

    By the way all the conversation to avoid using the Firewall as AP Controller (now that the functionality no need anymore licensing)

    it's a good option, so thanks for the advice.

    Angelo Orlando | Global IT Project Coordinator | Sharbatly Fruit KSA