Disclaimer: This information is posted as-is and the content should be referenced at your own risk
In this document, we will show you how you can position an XG86 / XG106 as an alternative replacement of Sophos RED devices with some additional functionalities and capabilities, especially if a split-tunnel is required.
The XG Base License includes RED site-to-site VPN tunnel functionality and offers the same benefit as RED devices.
The following is the configuration we are using as an example for deployment:
London Head-Office has XG135w device deployed as the perimeter firewall. We will deploy the XG86 device in the Mumbai branch-office network via the zero-touch functionality offered by Sophos Central and use the same to configure a RED site-to-site tunnel between branch-office XG86 and head-office XG135w device to access the head-office resources securely.
The following sections are covered:
Configure XG86 via Light-touch functionality from Sophos Central
Head office XG135w side config
Branch office XG86 side config
From the web browser, open the website https://central.sophos.com and enter the credentials to log in to the dashboard page.
Navigate to MY PRODUCTS > Firewall Management and then click on Add Your Firewall option.
Click on the symbol to add the new unregistered XG86 firewall.
Add the serial number of the XG86 device in the text box and click on Next:
Confirm the email ID, serial number and model and then click on Register and Proceed option.
Enter the First Name and Last Name and click on Next:
Note: In this document, we are assuming that the MySophos account does not exist for this customer.
Click on Create account and Register firewall option, so that it will create a new MySophos account and register the device.
A confirmation message will be displayed on the screen and the user will also receive an email to activate and setup a password to login to the MySophos account. Click on Next:
Accept the License Agreement and click on Continue:
Select the appropriate Time zone and then click on Continue:
It will show the license status associated with the firewall. Click on Continue:
Configure the IP address for LAN port and enable DHCP option, if the XG device has to lease the IP addresses to the branch office resources.
You may enable the security features like Sandstorm, IPS and AV scanning, if required and then click on Continue:
It will show the summary of the configuration. Click on Finish button:
Configure the WAN port by clicking on Internet Settings option:
You can either configure Static IP or select Dynamic IP option for the WAN port and optionally configure DNS IP address and finally click on Apply:
Click on the Download option to save the Light-Touch configuration file and then click on Next button:
Click on Continue without waiting. If you are not going to deploy the XG86 device immediately at the branch office.
Note: You may see the following error "An operating system wasn't found. Try disconnecting any drives that don't contain an operating system. Press any key to restart.". This could be caused by the USB drive not being formatted properly before copy-pasting the light touch config file.
It will show the XG device registered in the Firewalls section.
After clicking on the activation link and setting up the password you can login to the MySophos portal to manage the licenses of XG86 device:
Navigate to Network Protection > View Devices and then click on the serial number of the device:
Select the required evaluation license modules that you want to activate and click on Try Now option.
If you already have the subscription key of the device, then click on Add Subscription option to enter the license key and activate it.
Now copy the Light-Touch configuration file in an empty USB stick.
Insert it into USB slot of XG86, and also plug in the internet connection cable on the WAN port before powering on the device.
Once the XG86 loads the configuration from the USB stick and gets an internet connection, it will show the status as Approval Pending in the Firewalls section. Click on Accept services so that it gets integrated with the Sophos central account successfully.
After the device is synchronized with the central account, it will show the firmware version, public IP address associated to it. Click on the name of the firewall and it will automatically SSO into the device webUI to display the same options that are available when the administrator access the device locally.
Once the dashboard page is loaded, it will automatically show a pop-up message window to setup the administrator password. Click on Set password:
Note: The admin password window will be prompted if accessing the XG WebUI via Central for the first time. If configured via Central, a password change prompt on the local WebUI will not appear.
Enter the new administrator password and then click on Apply:
Now let us see the steps to configure RED site-to-site tunnel between branch office XG86 and head office XG135w.
Navigate to CONFIGURE > System services > RED and enable the RED status toggle switch. Enter the required details and click on Apply button to enable the RED service on the device.
Navigate to CONFIGURE > Network >Interfaces and click on Add RED option.
Enter an appropriate name, select the type as Firewall RED Server and tunnel ID as Automatic.
Enter the RED IP as 10.10.10.11, select the required subnet mask, zone as LAN and then click on Save option:
After the red interface is created, click on the icon and then click the Download provisioning file option and save this file which needs to be uploaded on the branch office side XG device later on.
Navigate to CONFIGURE > Routing > Static routing and click on Add button. Enter the branch office side LAN network IP 192.168.30.0 with subnet mask of /24 and select the RED interface, before clicking on Save button:
Since the Head office device is running on version 18 firmware, navigate to PROTECT > Rules and policies > Firewall rules > Add firewall rule and select New firewall rule option:
Enter and appropriate name, sect the rule position and group, action as Accept and logging option enabled.
Select the source zone as LAN, destination zone also as LAN and then click on Save button:
This completes the configuration on the head-office XG device.
Enter an appropriate name, select the type as Firewall RED Client, enter the public IP or Dynamic DNS hostname of the head office XG device. In the Provisioning file option, upload the provisioning file that was previously downloaded from the head office device.
Enter the RED IP as 10.10.10.12, select the required subnet mask, zone as LAN and then click on Save option:
Navigate to CONFIGURE > Routing > Static routing and click on Add button. Enter the head office side LAN network IP 172.16.17.0 with subnet mask of /24 and select the RED interface, before clicking on Save button:
Navigate to PROTECT > Firewall > Add firewall rule and select User/network rule option:
Enter an appropriate name, set the rule position and group, action as Accept.
Select the source zone and the destination zone as LAN, logging option enabled and then save the firewall rule:
Once the RED tunnel is connected between both the devices, on the branch office XG it will show the remote IP address of head office XG device.
Similarly the head office XG device will show the uplink IP of the RED tunnel as the public IP address of the branch office XG device.
So in this way, we can configure RED site-to-site split tunnel between two XG devices, so that the traffic destined to the LAN resources only would traverse via the RED tunnel and the rest of the internet traffic would go out from the WAN port of the device.
Additionally, with the Network Protection license on XG device, you can use the security features such as Intrusion Prevention System(IPS) as well as Advanced Threat Protection(ATP) to scan the outbound internet traffic and protect from intrusion attacks and block the communication with a known C2(Command and Control) server.
This is especially helpful in split tunnel deployments to secure the traffic and offloading the security scanning from the main head-office firewall for all internet bound traffic, thus the improving performance for both the branch office and the head office firewall.
To enable ATP, navigate to PROTECT > Advanced Threat > Advanced threat protection and enable the toggle switch.
Select the Policy as Log and drop so that it will log the C2C traffic and instantly block it as well.
For IPS scanning, you can create a new LAN-to-WAN firewall and select the Intrusion prevention policy as LAN TO WAN as it contains most of the IPS signatures associated with the outbound traffic.
Additionally, with the help of Web protection license on XG device, you can do the web filtering as well as application filtering on each branch office XG devices locally based on their local policies and requirements thus reducing the load on the head office XG device.
To configure the web filtering and application filtering, you can edit the existing LAN-to-WAN firewall rule and select the pre-defined policies such as Default Workplace Policy for Web policy as and Block generally unwanted apps for the Application control.
Optionally, with version 18 firmware on XG devices, you get additional advantages with Sophos Central integration features such as Grouping in Central Management as well as Central Firewall Reporting(CFR).
For each branch office location, a new group can be created and then XG firewalls belonging to those groups will automatically receive the policy and security configurations of that group.
This is very helpful for MSP customers as they can easily create groups for various typs of customers and locations and maintain consistent security configurations across various locations from a single pane of glass console access.
Central Reporting provides the flexibility to create custom historical reports on network activity.
You can also customize your reports by selecting from a broad range of category options and chart types to create hundreds of unique variations.
unfortunately you cannot select your Sophos ID account during zero-touch and you are forced to use the same email address as you use for Sophos central and emails have to match, therefore it is only for unregistered firewalls, so it can be used only with brand-new XG :(
I also believe that this does not support most often used Standard/unified mode, where all the traffic from subsidiary is routed over to head office to keep the subsidiary secured without additional license.
Those are 2 main show stoppers for most of the deployments.
It is currently correct, the XG Light Touch is only for New Firewalls. That is currently under review, to open this to all firewalls.
Actually you can use both modes and much more for XG to XG. You are not bound to any mode, because there is no mode. You can simply route all traffic to the main XG without any license.
Simply use: Static route 0.0.0.0 to VTI/RED interface. Done!
On HQ, do the same like in RED Standard/unified, NAT, firewall rule. Done!
When you do 0.0.0.0 to VTI/RED interface the red tunnel will be immediately disconnected. This is most probably because also the RED packets are forwarded into itself in the loop.
V.18 SD-WAN Policy Routing fixes this.