Hello Everyone,
I am writing this post as I just purchased a Sophos RED 10 Rev. 3 from eBay. I have a Sophos XG with the Home license in my small server rack, and I opened all the ports as described on the technical training guide: https://community.sophos.com/kb/en-us/116573#RED%20technical%20overview
I checked if my Sophos RED is able to ping and connect to the server red.astaro.com (I checked the entire *.astaro.com domain) and I checked if the ports tcp/udp 3400 and udp 3410 are open, and they are.
I have the unlock code provided by the Sophos support, and I created a new interface on the Sophos XG with the RED ID and the Unlock code.
The network is divided into two parts: the XG is connected to a router which forwards all the traffic there, and the RED is connected to another router with a different WAN IP address (they are in two different cities).
The issue here is that this Sophos was already used in another company, and every time it turns on, it tries to contact the old UTM, as I can see from the NAT translations on the RED router:
(x.x.x.x is the WAN IP address)
udp x.x.x.x:42048 192.168.3.142:42048 31.14.131.188:123 31.14.131.188:123 <----Time servers
udp x.x.x.x:42848 192.168.3.142:42848 31.14.131.188:123 31.14.131.188:123 <----Time servers
udp x.x.x.x:42858 192.168.3.142:42858 31.14.131.188:123 31.14.131.188:123 <----Time servers
udp x.x.x.x:49663 192.168.3.142:49663 31.14.131.188:123 31.14.131.188:123 <----Time servers
tcp x.x.x.x:51642 192.168.3.142:51642 132.163.96.4:37 132.163.96.4:37 <----Time servers
udp x.x.x.x:53904 192.168.3.142:53904 31.14.131.188:123 31.14.131.188:123 <----Time servers
tcp x.x.x.x:59325 192.168.3.142:59325 184.72.39.13:3400 184.72.39.13:3400 <----Astaro servers (red-prov-us-aurora.astaro.com)
tcp x.x.x.x:59327 192.168.3.142:59327 184.72.39.13:3400 184.72.39.13:3400 <----Astaro servers (red-prov-us-aurora.astaro.com)
tcp x.x.x.x:59329 192.168.3.142:59329 184.72.39.13:3400 184.72.39.13:3400 <----Astaro servers (red-prov-us-aurora.astaro.com)
tcp x.x.x.x:59367 192.168.3.142:59367 y.y.y.y:3400 y.y.y.y:3400 <----this is the RED trying to connect to the old USG, and I discovered it by searching the IP on Shodan.io
One comment from a post dated 2012 said that in order to factory reset the RED and let it download the new config, you need to block the IP address of the old USG and then, after 3 or 4 times, it will download the new config from the astaro website. I blocked the connections to that y.y.y.y IP either via an ACL or by setting a route to that IP that goes to Null0, so that the RED is unable to connect to it. But it still loops even when I leave it on for an entire night and it never downloads the config from the server, I believe, as it does not connect to my XG.
I also tried to delete the old RED interface and create a new one and do the provisioning of the RED offline (so I downloaded the REDID.red file - it's a 7 KB file - and I put it on a 1 GB USB stick).
When it boots, I see it reads something on the USB drive and then it still goes on and on trying to connect to the same server. (I see the System, Router and Internet LEDs lit, and the Tunnel LED blinks.)
Is there a definitive way to make the RED download the config either from the USB drive or from the website?
I do not have the tool redalert.exe, as it is nowhere to be found on the internet, so I am not able to test if the policies are on the Astaro servers or not, but I thought that by using the USB drive I would overcome the Astaro server.
Thanks to everyone who will answer!
Jacopo
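As an added example (not part of Jacopo's post or of any Sophos tool), the following Python script classifies NAT translation lines in the layout quoted above the way the post does by hand: time servers, the known Astaro provisioning address, and any other destination on the RED control ports, which is the kind of leftover controller a second-hand appliance may still be pointed at. The addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders for x.x.x.x and y.y.y.y.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the 'show ip nat translations' column order quoted in the post
# (proto, inside global, inside local, outside local, outside global).
# 203.0.113.10 stands in for the router WAN address (x.x.x.x) and 198.51.100.7 for
# the unknown controller (y.y.y.y); both are documentation-range placeholders.
SAMPLE_NAT = """\
udp 203.0.113.10:42048 192.168.3.142:42048 31.14.131.188:123 31.14.131.188:123
tcp 203.0.113.10:51642 192.168.3.142:51642 132.163.96.4:37 132.163.96.4:37
tcp 203.0.113.10:59325 192.168.3.142:59325 184.72.39.13:3400 184.72.39.13:3400
tcp 203.0.113.10:59327 192.168.3.142:59327 184.72.39.13:3400 184.72.39.13:3400
tcp 203.0.113.10:59367 192.168.3.142:59367 198.51.100.7:3400 198.51.100.7:3400
"""

# Provisioning address named in the post; in practice resolve red.astaro.com / *.astaro.com
# at check time instead of hard-coding it, since the addresses can change.
KNOWN_PROVISIONING = {"184.72.39.13"}
RED_CONTROL_PORTS = {3400, 3410}   # RED control (tcp/udp 3400) and tunnel data (udp 3410)
TIME_PORTS = {37, 123}             # TIME and NTP

# Trailing free-text annotations (like the "<----" notes in the post) are tolerated.
ENTRY_RE = re.compile(r"^(tcp|udp)\s+\S+:\d+\s+(\S+):\d+\s+\S+:\d+\s+(\S+):(\d+)(?:\s+.*)?$")

class Flow(NamedTuple):
    proto: str
    inside_local: str
    dst_ip: str
    dst_port: int
    verdict: str

def classify(dst_ip: str, dst_port: int) -> str:
    """Label a destination the way the post annotates its NAT table."""
    if dst_port in TIME_PORTS:
        return "time-server"
    if dst_port in RED_CONTROL_PORTS:
        return "red-provisioning" if dst_ip in KNOWN_PROVISIONING else "UNEXPECTED-red-controller"
    return "other"

def parse_nat(text: str) -> List[Flow]:
    """Parse NAT translation lines; lines that do not match the layout are skipped."""
    flows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            proto, inside_local, dst_ip, dst_port = m.groups()
            flows.append(Flow(proto, inside_local, dst_ip, int(dst_port), classify(dst_ip, int(dst_port))))
    return flows

def unexpected_controllers(flows: List[Flow]) -> List[str]:
    """Distinct RED-port destinations that are not known provisioning servers, in first-seen order."""
    seen: List[str] = []
    for f in flows:
        if f.verdict == "UNEXPECTED-red-controller" and f.dst_ip not in seen:
            seen.append(f.dst_ip)
    return seen

if __name__ == "__main__":
    flows = parse_nat(SAMPLE_NAT)
    for f in flows:
        print(f"{f.proto} {f.inside_local} -> {f.dst_ip}:{f.dst_port}  {f.verdict}")
    print("investigate:", unexpected_controllers(flows))
```

Paste the real router output into SAMPLE_NAT (or read it from a file) to get the same verdicts on live data; addresses flagged as unexpected are the ones to look up before deciding whether to block them.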