Basic Question(s)

I am a recently hired Network Specialist (paid intern really) and have been tasked with figuring out how to install Sophos UTM onto a VM set up under Windows Server 2012. I have read through the installation guide on how to do that and it all seems pretty straightforward. I am however confused on where it's supposed to sit on my network, and I have no one with that expertise/knowledge here to ask, so hopefully someone can be of some assistance as to what the best practice is.

I'm still trying to map out our network devices but so far I'm able to tell we're using a Cisco ASA (5500 series I believe) router that's acting as our firewall and then it goes pretty much straight into our network. What I've read about the setup and after watching some of the "using sophos utm" videos it looks like the UTM can replace our router or at least handles a lot of the same functions; could this be a correct assessment? I am fairly certain it handles all of the firewall rules and filtering but since I'm new to this field I'm not sure if there's something else that a (edge?) router will do that the UTM cannot.

If it turns out my thought that it can replace the ASA is incorrect and it needs to be installed alongside it, is there typically any configuration that needs to be done to allow the UTM to sit in front of it (on the network)? Or does it not typically get placed there, instead being placed behind the ASA in the network? I ask because I've browsed through some of the config on the ASA and I'm seeing interfaces with different IPs assigned and other configurations so I want to make sure I am covering all required bases here before attempting the installation.

The more I look into this the farther it seems to be from my knowledge, but I would really rather exhaust all of my options before looking into getting a contractor to help/do it.

TLDR: Can the Sophos UTM replace a Cisco ASA? If so, is it what's done in most cases or just possible? If it doesn't replace the ASA, are there configuration changes that need to take place on the ASA for it to work with the UTM?

Thank you for any help you can provide, sorry about the novice nature of these questions, this is sort of a trial by fire position for me.

Thanks,

Geoff

  • Geoff,

Does your company have a paid license from Sophos or is it just a trial? Also, I would highly discourage you from running a UTM on top of Windows for a business installation. Performance and reliability will most likely suffer due to the overhead from Windows. You are better off installing UTM 9 directly on a piece of hardware or using it inside a bare-bones hypervisor like ESXi.

    Doug

  • I imagine he's talking about Hyper-V so as long as it's a 'real' VM installation then it should work just the same as ESXi.

That said, I do agree - hardware wins. We're running 2 UTMs as VMs with a lot of resources thrown at them and they never perform as well as the SG 210s that we're using for our clients. So I do prefer the hardware versions if at all possible.

It is on Hyper-V, yes. This was the guide I was given to follow and I set up the VM according to that; I'm just waiting on the go-ahead to install it. In regards to putting it straight onto some hardware, I don't believe that's an option for us at the moment but I will do some research and see if I can propose that instead, or an upgrade to that. Can the UTM's "profile" be uploaded to a different device later? Or is it best to just set it up again? Also, this is a paid license, yes, not a trial.

    With the hardware portion, what terms should I research? I'm not used to this type of appliance, I thought it was all just switches, routers, and servers haha.

Thanks Wayne for the info about your setup, that clears up what I thought I was seeing UTM being able to do. Although I still need to do more research on how to configure the ASA properly since it looks like we need to have the UTM in front of the ASA and before the WAN. So far my interactions with the router have been less than fruitful. Although I'm hoping it isn't too bad, just changing the interface on the router from our WAN (public IP) to the UTM IP. Once again though another project has taken precedence and I'll have to come back to this.

    Thanks all for the replies, I greatly appreciate it, makes me feel less stressed.

    -Geoff

  • Hi, Geoff, and welcome to the UTM Community!

It's easy for a first-timer to make incorrect assumptions that result in design decisions that come back to haunt you later (e.g., The Zeroeth Rule in Rulz). As this is not for your own use at home, I would urge you to find out if your reseller has enough experience to do things right the first time, or if you need to contact Sophos for a recommendation in your area.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Geoff,

    I may have misunderstood what you're saying, but if you get the UTM in place you don't need the ASA at all.  The UTM will do everything the ASA is doing and make your life as a network admin easier.  As much as I enjoy configuring Cisco equipment, let's be honest - their GUIs leave a lot to be desired and you really need to know what you're doing when working on something like an ASA.  The UTM while just as powerful makes things much easier and gives you the same options (Firewall, NAT, Web Filtering, Routing, AD Integration, VPN, S2S VPN, HTML 5 Portal etc. etc.).

You say you need the UTM in front of the ASA and before the WAN. I'm not following you here - your WAN connection, let's say, is a CAT 5e cable that comes into your closet from your ISP. That can plug directly into the UTM. That is eth0 and classified in the UTM as the External Network. eth1 is then another cable that will connect your UTM to your network - this will go to your switch.

    Are you saying you HAVE to have a router before the UTM?  Is this something provided by your ISP?  The UTM is more than capable of doing all the routing for you, although you can of course have it behind another router if you so wish.

    I'm not sure if you can send PMs on here or not but if you figure it out I'll be more than willing to provide my email address to you if you'd like to discuss the project.  Sounds like this may be your first 'big' production / live project (correct me if I'm wrong) so I'd be more than willing to answer any questions you have since I've gone through this myself and currently run all of our servers from the Data Center off of an active/passive UTM configuration and have gone through the hardware and software setup and installations.

    - Wayne.

  • Wayne,

The portion about having the UTM in front of the ASA was actually just directed to me by my boss. I found that out after putting in the original post, so I was just kind of working under that assumption. As to why we would do that instead of replacing it I'm not sure; it may be because of our ability to ensure it will be able to function the same as our ASA. Personally I can view the config on the ASA and sort of make out a good portion of what I'm seeing, and after viewing some of the UTM setup videos I can see how they would translate, but it's still a bit of an unknown. So I am kind of at a point where I can attempt to copy over the config into UTM after setup, and attempt to just remove the ASA to see if it works, but I suppose I am worried I will break our network.

Hopefully the above clears up some of the confusion; this sounds like it may just be an issue of not fully understanding (for all parties involved) what the UTM can do. I will try and do more research on how I can get the UTM configured to do what our ASA does and pass that on up the food chain to see if we can remove the redundant portion (ASA).

    Thanks Again,

    Geoff

  • Geoff,

Since it sounds like your company does not have any experience with UTM, it may be advisable to first set up a small test network with the UTM before trying to replace your ASA. I'm sure your company won't appreciate losing internet access or something worse happening during a business day. It doesn't have to be anything special; it can be as simple as a PC or two sitting behind the UTM. With a test network you can learn how to properly configure internet access, access logs, etc. without causing business interruptions. When your company feels comfortable with the risk you can then swap units without risking a total network failure. You'll have issues after swapping, but at least you'll know basic internet access works.

And my biggest tip I always give to fellow paid customers is: talk to your reseller! They will be your first line of support at 3am when your UTM fails, so it's a good idea to get to know them. It's possible they may not offer after-hours support and that's important to know. Many resellers are willing to talk to you on the phone for no cost about questions like this so you're not waiting for a forum response.

    Doug

  • ummmmh. This could be a tricky job. You need to understand your network topology before attempting this.

For instance, I'm about to rip out 2x ASA 5510 (active/failover) to replace with 2x SG310 UTM. However, this network has a DMZ and a DMZ sandwich setup, which adds to the complication with regards to NAT and firewall rules etc., as well as multiple VPN connections etc.
    Now, I'm not suggesting your network is as complex, but you need to look at the ASA and its physical and virtual connections to the switch etc. to see just how it is configured.

    It might not be as simple as you think. But back to the original question..... the UTM is very capable of replacing the Cisco and actually has more going for it. The hardware has better performance and the price is very competitive. We compared the UTM SG310 to the new Cisco 5515x and it won hands down.
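The post above makes the practical point of this thread: before the ASA is removed, somebody has to know exactly what it is doing (interfaces and their security levels, address objects, access-lists and which interface they are bound to, and both forms of NAT), because every one of those has to be re-created on the UTM. The script below is an added example, not code from this thread, from Sophos or from Cisco. It walks a `show running-config` dump and produces that inventory, and it also flags access-list entries that sit after a catch-all `deny ip any any` (dead rules that should not be carried over). The ASA config it parses is a constructed sample using RFC 5737 / RFC 1918 addresses; the parser is deliberately simplified (no remarks, source-port specs or service object-groups) and every function and field name in it is this example's own choice.

```python
"""Inventory what a Cisco ASA running-config has to re-create on a replacement firewall
(interfaces, network objects, access-lists + bindings, NAT) and flag ACEs shadowed by a
catch-all. SAMPLE_ASA_CONFIG is constructed for this example, not taken from a real device."""
from collections import defaultdict

SAMPLE_ASA_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network WEB-SERVER
 host 192.168.50.10
object network WEB-SERVER
 nat (dmz,outside) static 203.0.113.3
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list OUTSIDE_IN extended permit tcp any object WEB-SERVER eq 22
access-group OUTSIDE_IN in interface outside
nat (inside,outside) after-auto source dynamic INSIDE-NET interface
"""
ANY = {"any", "any4", "any6"}

def blocks(config):
    """Yield (header tokens, [child tokens]) per top-level command; indented lines are children."""
    header, children = None, []
    for line in config.splitlines() + ["!"]:  # sentinel flushes the last block
        if line.startswith(" "):
            children.append(line.split())
        else:
            if header:
                yield header, children
            header, children = (line.split() if line not in ("", "!") else None), []

def parse_interfaces(config):
    """nameif, security-level and 'ip mask' per interface."""
    out = {}
    for hdr, kids in blocks(config):
        if hdr[0] == "interface":
            kv = {k[0]: " ".join(k[1:]) for k in kids}  # {"nameif": "outside", "ip": "address A.B.C.D MASK", ...}
            out[hdr[1]] = {"nameif": kv.get("nameif"), "security_level": kv.get("security-level"),
                           "address": kv.get("ip", "").removeprefix("address ") or None}
    return out

def parse_objects(config):
    """'object network' blocks: address definition plus any object NAT (8.3+ repeats the header for NAT)."""
    out = {}
    for hdr, kids in blocks(config):
        if hdr[:2] == ["object", "network"]:
            entry = out.setdefault(hdr[2], {"value": None, "nat": None})
            for k in kids:
                if k[0] != "description":  # remaining children: host/subnet/range/fqdn, or an object-NAT line
                    entry["nat" if k[0] == "nat" else "value"] = " ".join(k)
    return out

def parse_access_lists(config):
    """Extended ACEs keyed by ACL name, in configured (= evaluation) order. An address spec is
    any/any4/any6 or two tokens (host X, object X, object-group X, interface X, A.B.C.D MASK).
    Simplified: skips remarks, source-port specs and service object-groups."""
    def take(t, i):
        return (t[i], i + 1) if t[i] in ANY else (f"{t[i]} {t[i + 1]}", i + 2)
    acls = defaultdict(list)
    for hdr, _ in blocks(config):
        if len(hdr) < 7 or hdr[0] != "access-list" or hdr[2] != "extended":
            continue
        src, i = take(hdr, 5)
        dst, i = take(hdr, i)
        rest = hdr[i:]
        acls[hdr[1]].append({"action": hdr[3], "protocol": hdr[4], "src": src, "dst": dst,
                             "port": rest[1] if rest[:1] == ["eq"] else None, "log": "log" in rest})
    return dict(acls)

def find_shadowed_rules(acls):
    """ACEs after a catch-all (protocol ip, any -> any) in the same ACL can never match."""
    shadowed = {}
    for name, rules in acls.items():
        for idx, r in enumerate(rules):
            if r["protocol"] == "ip" and r["src"] in ANY and r["dst"] in ANY:
                if rules[idx + 1:]:
                    shadowed[name] = rules[idx + 1:]
                break
    return shadowed

def inventory(config):
    """Everything a migration has to re-create, plus the shadowed-rule check."""
    hdrs = [h for h, _ in blocks(config)]
    acls = parse_access_lists(config)
    return {
        "interfaces": parse_interfaces(config),
        "objects": parse_objects(config),
        "access_lists": acls,
        "access_groups": {h[1]: {"direction": h[2], "interface": h[4]}  # access-group NAME in|out interface IF
                          for h in hdrs if h[0] == "access-group" and h[3] == "interface"},
        "nat_rules": [" ".join(h) for h in hdrs if h[0] == "nat"],  # manual NAT; object NAT sits with its object
        "shadowed_rules": find_shadowed_rules(acls),
    }
```

Run `inventory(open("asa-running-config.txt").read())` against a real dump and the result is the checklist for the cutover: one UTM interface per `nameif`, one network definition per object, the access-list entries (minus the shadowed ones) as firewall rules in the same order, and the two NAT flavours as NAT rules. The interface on the ASA the `outside` nameif lands on is the one whose cable moves to the UTM's external port.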

  • Hello,

    Thank you everyone for your help with this, it really does seem like my options are limited to either setting up a test network to ensure it works, working more closely with our reseller or attempting to get a contractor to help. I personally want to do the test network route so I can learn as much as possible but the timeframe may not permit. Either way it was greatly appreciated to know the UTM can do as much if not more than the current ASA I'm using, it cleared up a lot of confusion.

    Thanks,

    Geoff T.