Sophos Firewall Os




Introduction

  1. The Sophos Firewall OS is the new firmware that combines the best of both Sophos and Cyberoam Next-Generation Firewall technology bringing in key innovations such as RED, stronger email protection with SPX encryption and built-in DLP, Security Heartbeat, Advanced Threat Protection and a smart, task-oriented GUI.
  2. Sophos Central provides the ultimate cloud management platform for all your Sophos products including XG firewall at no extra charge. Group Firewall Management in Sophos Central enables you to make policy, setting, or object changes across your entire estate of XG Firewalls with just a few clicks.

This guide provides detailed step-by-step instructions to upload, provision, install and configure the new Sophos XG Firewall in a ProfitBricks virtual Data Center (VDC).

Prerequisites

Sign up with Sophos to buy and download the Sophos XG Firewall ISO or alternatively request a free trial here: https://secure2.sophos.com/en-us/products/next-gen-firewall/free-trial.aspx

This will provide you with

  • An ISO image.
  • A valid serial number.

Upload ISO image

  1. Use an FTP client, such as FileZilla, to upload the Sophos XG ISO to your ProfitBricks account using your DCD login credentials.
  2. Upload the ISO into the 'iso-images' folder.
  3. Once the internal processing of the image is finished you will receive an email.

Create or use virtual data center

Log in to the DCD and create a new data center or select an existing one.

Reserve IP Addresses

Since the firewall is a permanent device in your network, it is recommended to use a fixed IP address.

  1. Open IP Manager from the top navigation bar.
  2. Click on Reserve IPs, provide a name and set Number of IPs to 1. Make sure the correct region of your data center is selected.
  3. Click the button Reserve IPs.

Create Jump Server Instance

Initial configuration of the Sophos XG needs to be done from a web page running on the XG. This web page is only accessible from the internal LAN interface of the XG and not from the public (internet) interface of the XG. In order to access the web page, a jump server, located in the same internal LAN as the XG, is therefore needed.

  1. In your VDC, use a Composite Instance to create a Windows 2012 server which will be used as a jump server.
  2. Use the default settings for the server configuration.
  3. Select the ProfitBricks image windows-2012-r2-server as boot volume.
  4. Increase storage size (Size in GB) to 15 in order to accommodate minimum requirement of Windows Server 2012 R2.
  5. Provide a Password for the administrator account.
  6. Attach the server to the Internet Access box.

Create Sophos XG Firewall Instance

  1. Create the Sophos XG server using a composite instance.
  2. Use the following settings for the server configuration (based on the recommended requirements by Sophos):
       • Cores: 2
       • RAM: 4
       • HDD size: 64 GB

Do not select any boot image.

Select ISO Boot Device

  1. Select the Sophos XG instance, go to the Inspector sidebar and select the Storage tab. Now click on Add CD-ROM.

  2. In the Create New CD-ROM pop-up, click on No Image Selected, navigate to Own Images and select the previously uploaded Sophos XG ISO.

  3. Leave Boot from Device unchecked

  4. Click on Create CD-ROM Drive
  5. When using the uploaded image for the first time, you will be asked to provide the operating system. Select Linux and confirm.

Configure Network


  1. Connect the first network interface (NIC 0) of the XG with the second NIC (NIC 1) of the jump server.
  2. Connect the second network interface (NIC 1) of the XG with internet access. Note: The interfaces on the XG need to be created in this exact sequence otherwise the further configuration will not work. The network topology should look like pictured below.

  3. Select the jump server and in the Inspector sidebar, select the Network tab, go to NIC 1 and set the Primary IP in this private LAN to 172.16.16.10

  4. Now select the Sophos XG server and, in the Inspector sidebar, select the Network tab, go to NIC 0, disable the DHCP option and set the Primary IP in this private LAN to 172.16.16.16

  5. For the Primary IP of NIC 1 of the XG, select your previously reserved IP address.

Provisioning

Now provision all changes by clicking on the Provision button on the top of the designer or Provision xx changes in the Inspector sidebar. The background validation should contain no errors or warnings. Click on Provision Now to finally provision all instances and their configurations. This process will take several minutes. The current status can be followed in the Inspector sidebar.

When all jobs have been provisioned a box will pop up letting you know provisioning has been completed successfully. Click the OK button.


Install Sophos XG Firewall

  1. In the ProfitBricks DCD, select the Sophos XG instance.
  2. In the Inspector sidebar, click the button Remote Console.
  3. A new browser window should open. Click inside the window and type y and press enter. (Notice: The installer is configured to use a US keyboard layout.)

The installer will now format the empty storage volume, create a new file system, and install all necessary files. A progress indicator allows you to monitor the progress.

  1. After all files have been installed, press y to reboot the firewall.
  2. At this point, the system is running Sophos XG Firewall Software Appliance. After the first boot, the system will present details about the hardware configuration and prompt for a password. The default password is admin.

  3. Accept the EULA by pressing a.

  4. Per default, the Sophos XG assigns the IP address 172.16.16.16 to its first NIC. At this IP address the web based Admin Console is also accessible. In order to activate the firewall, an internet connection is required. Verify the network configuration before starting the actual web based configuration. Using the console, in the Main Menu select 1 for network configuration.

  5. Select 1 for interface configuration.

  6. Make sure that interface Port1 contains the IPv4 address 172.16.16.16. A gateway does not need to be configured. Press enter to continue.

  7. Make sure that interface Port2 contains the reserved public IPv4 address assigned by the ProfitBricks DHCP server. This IP address should match the one displayed in DCD under the network setting of your Sophos instance. For external communication a gateway IP address must also be set. Again, this should be automatically assigned via the DHCP server.

  8. If any of the IP addresses are not correct, press y on the following screen and enter the correct IP address.

Web-based Activation of Sophos XG

The web-based Admin Console of the Sophos XG is available at https://172.16.16.16:4444. Use the jump server to access this page.

  1. Open a Remote Desktop Connection to the public IP address of the Windows jump server. You will find the public IP address in the NIC 0 Primary IP field in the Inspector sidebar after selecting the jump server in your VDC. Note: This IP address has been dynamically assigned and may change after a power off of the server.

  2. Use your browser on the jump server, open https://172.16.16.16:4444 and log into the Admin Console using the default credentials username - admin and password - admin. You might need to wait a couple of minutes before the http server on the firewall is correctly loaded and the web page is accessible. The browser's certificate error can be safely ignored. (Note: It might be helpful to download Chrome on your Windows jump server or otherwise you need to lower all IE security settings to a minimum in order to properly use the Sophos Admin Console.)

  3. When you now log in for the first time, you will need to activate your device. Enter a valid serial number you have received from Sophos. Then click on Activate Device.

  4. Note: in some cases, the public IP address configured via DHCP is not persisted on the firewall. In this case, the activation will fail with the error message No internet connection. Check your internet connection as described in the product documentation. Go to Basic Setup, select Static as IP Assignment and provide the following information:

       • IP address: enter the reserved public IP address you assigned to NIC 1 of your Sophos instance
       • Subnet Mask: 255.255.255.0
       • Default Gateway: can also be found in the NIC 1 setting in DCD but is always the .1 of the subnet of your device.
       • DNS: 8.8.8.8 (public Google DNS)

and click on Save Changes.

  1. Now try to activate the device once more.
  2. After the successful activation, you will need to register your device. Click Register Device to initiate the registration process.
  3. After clicking Register Device, you are redirected to the MySophos portal website. If you already have a MySophos account, click on Login. If you are a new user, sign up for a MySophos account after clicking on Create Sophos ID.

  4. After successful login, click Continue on the next window.

  5. After successful registration of the device, you need to synchronize license details with Sophos servers. Click Initiate License Synchronization to initiate the process.

  6. If the license has been successfully synchronized, you will see the Welcome page. Start the Network Configuration Wizard by clicking on Click Here.

  7. The wizard walks you through the steps to set up the initial configuration of your Sophos XG Firewall so that you can begin creating your security policies.
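
The certificate warning in step 2 appears because the browser cannot validate the certificate the XG presents on port 4444. The following added example (not part of the original guide or of any Sophos tooling) records that certificate's SHA-256 fingerprint on first contact from the jump server and compares it on later runs. It assumes Python 3 is available on the jump server; the pin file name xg-admin.pin is hypothetical.

```python
import hashlib
import hmac
import pathlib
import socket
import ssl

# Address and port of the XG admin console as given in this guide.
ADMIN_HOST = "172.16.16.16"
ADMIN_PORT = 4444
PIN_FILE = "xg-admin.pin"  # hypothetical file name for the stored fingerprint


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators and case so fingerprints from different tools compare equal."""
    return "".join(c for c in fp if c.isalnum()).lower()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Compare the certificate's fingerprint with a previously stored one."""
    return hmac.compare_digest(normalise(fingerprint(der_cert)), normalise(pinned))


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate without chain validation (the browser
    cannot validate it either); the fingerprint comparison is the check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(der_cert: bytes, pin_file: str) -> str:
    """Trust on first use: store the fingerprint once, compare afterwards."""
    path = pathlib.Path(pin_file)
    if not path.exists():
        path.write_text(fingerprint(der_cert) + "\n")
        return "pinned"
    return "match" if matches_pin(der_cert, path.read_text()) else "MISMATCH"


if __name__ == "__main__":
    der = fetch_der(ADMIN_HOST, ADMIN_PORT)
    print(fingerprint(der), check_pin(der, PIN_FILE))
```

A MISMATCH result after the firewall's certificate has not been deliberately replaced means the endpoint answering on 172.16.16.16:4444 is not presenting the certificate that was pinned.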

Sophos Network Configuration Wizard

  1. The Network Configuration Wizard will appear. Click Start to initialize the network configuration process.

  2. On the next screen, select Gateway Mode as the mode of deployment and click the > button.

  3. On the Port Configuration screen, configure the IP addresses of the interfaces. Usually, you will not need to change the settings. Click > when ready.

  4. On the DNS Configuration screen, enter the IP address of your organization’s DNS servers or add IP address of public DNS servers. The example below uses Google’s DNS servers. Click > when ready.

  5. On the Default Network Policy screen, select the desired Network Policy. You can leave this unconfigured for now. (Note: all configuration settings performed during the Network Configuration Wizard can also be changed afterwards.)

  6. On the Mail Server Configuration screen, configure the following parameters:

       • The email address that will receive system notifications.
       • The mail server IP address and port number.
       • The email address of the administrator who will send the notifications.

Click > when ready.

  1. On the Date & Time Configuration screen, select the Time Zone according to your current location and enter the Date and Time accordingly. Preferably, select Automatically Synchronize with NTP Server and Use pre-defined NTP Server. Click > when ready.

  2. The Configuration Overview screen will appear, displaying a summary of the Gateway Mode configuration. If you don’t want to send App & Threat data to Sophos, disable the option. Click Finish to complete the basic configuration.

  3. Confirm the configuration by clicking on OK.

  4. The reconfiguration will take a couple of minutes. Afterwards the wizard will finish and you will be redirected to the login page.

  5. Your Sophos XG Firewall is now installed and preconfigured in Gateway Mode. For further configuration, please see the official Sophos XG Reference Guide.

The Sophos XG is a next-generation firewall packed with enterprise-grade features. The team at Sophos have been kind enough to offer a FREE software version of this firewall for home users, which I have managed to install using VMware ESXi.

Having the ability to install the firewall onto an ESXi server meant I could provision multiple VM's on one machine and on the same network. Before setting the Sophos XG firewall up, I searched online to find guides on how to do this and to my surprise, I didn't find much, hence the reason for this post.

If you're struggling to configure ESXi to work with the firewall, or you just want some guidance, then follow these steps to get your Sophos XG firewall up and running.

Example topology: The topology below is that of a small example network which will be referred to throughout this guide to help you set your firewall up.

Let me just explain this topology a little further.

  • ISP router is at the edge of the network and is in modem only mode. You can keep it in routing mode but you may suffer from dropped connections. It is also suggested that you have WiFi off, as you don't want your internal hosts bypassing the firewall.
  • ESXi server will have x2 physical interfaces, one acting as the WAN interface and the other the LAN interface. The topology shows two virtual machines on the ESXi server, one being the XG and the other Server 2012 (optional). The red dotted line is referring to the interface on the XG that will connect to the ISP router whereas the green dotted line refers to the internal interface connecting to the access point. The vSwitches and NICs are explained in more detail later.
  • The device named 'AP' is the internal router. This will be put into access point mode only and set with a static IP address and default gateway which will point to the internal interface of the Sophos XG.

Before we begin, let's make sure we have the right hardware and software.

Requirements:

  • ISP Router
  • Server with at least 500 GB to 1 TB storage and x2 NICs
  • VMware ESXi software (Installed on your server)
  • VMware vSphere software (Used to access ESXi and the VM's within)
  • Additional router (This is used to connect your LAN clients)

Optional:

  • VMware Workstation software (This is a paid software and is similar to vSphere however it does offer additional features)
  • Server Operating System such as Server 2012 (Can be used to add devices to a domain and as a DHCP server)

Step 1: Installing and Configuring ESXi

  • Install VMware ESXi onto your server. When the install has finished, you should be presented with a screen like the one below. Before we go any further, it is important that you have your server connected via ethernet to the same network as your LAN.


We will now configure ESXi with an IP address so that we can access it via vSphere/Workstation.

  • Press F2 and enter 'password' as the password. Now that we have access, we can change this by clicking on 'configure password'.
  • When you have configured your password, click on 'configure management network'.
  • Now click on 'Network Adapters' and make a note of the NIC that is being used for your LAN.
  • Now click on 'IP Configuration' and assign your management interface IP address. It is recommended that you select the 'static' IP address option and assign an IP address that is not currently being used on your network.

You should now be able to access your ESXi server using vSphere, Workstation or both.

Step 2: Access ESXi via vSphere

  • Open vSphere and connect to the ESXi server by inputting the IP address you have just assigned to the management interface in step 1 along with 'root' as the username and the password you previously set in step 1.
  • Once you have successfully logged in, navigate to the tab 'Configuration' and select 'Networking' on the left-hand side. You should see that a 'vmnic' is already active for the management network; this will be used for the internal network, i.e. your LAN.
  • Now create another vSwitch and VMkernel for the external connection by clicking on 'Add Networking' in the top right-hand corner. First, we will select 'VMkernel' and select your second NIC. If you are unsure which one yours is, then connect your ethernet cable from your second server port to the ISP router, which should be in modem only mode. The interface should now be up.
  • Click next and unless you wish to create VLANs press next again and enter another network IP address before getting to the summary.
  • Now click on 'Add networking' again and this time select Virtual Machine and select the NIC you have just chosen in the last step. Follow the settings through and finish off, you should now have another vSwitch with a separate kernel and vmnic.


Step 3: Install Sophos XG

You can use vSphere for this, however, I would highly recommend using Workstation to do the following. (These instructions will now refer to VMware Workstation).

  • Sign into your ESXi server just as you did on vSphere.
  • On VMware Workstation click 'file' - 'new virtual machine' and select the server IP address as the target.
  • Go through the settings you prefer in order to get to the summary section but do not finish.
  • Click on 'Customise Settings' and add x2 network adapters and uncheck 'connect on power on'. You will also need to add the Sophos XG image to the virtual hard drive. Once this is done, finalise the settings and start the machine.
  • Depending on the size of the drive you have provisioned, the install could take some time.
  • When the install has finished you will be asked to remove the installation disk and press 'y' to reboot. Instead of pressing 'y' to reboot, power off the machine and remove the image file from the virtual disk.
  • Power up the machine again and wait for it to load. Once loaded you should be presented with a screen similar to the one below once you have signed in. The default username and password is admin - admin.
  • Now press '1' for Network Configuration so that we can change the default internal IP address given.
  • Press '1' again for Interface Configuration and proceed to press enter twice to get to the configuration of the IPv4 Address. Note: Your WAN interface is set to DHCP automatically and should have an IP address assigned. If not, reset your modem only ISP router and repeat the last step along with this one again so you can validate that you have an IP address assigned to the WAN interface.
  • When asked if you want to set the IPv4 address for Port 1 (LAN), select 'y' and assign an IP address you have not yet assigned.
  • You should now have access to the web-based GUI by typing into your browser: https://IP ADDRESS:4444
  • Once you have gained access you will need to confirm your license and this requires an internet connection which you should have through your external interface.

Step 4: Change your Internal Router into an AP

  • Before proceeding with the Sophos wizard you should be able to change your internal router into an AP. You will need to give your AP the default gateway of the Sophos internal facing interface. Other clients on your network may lose connection as DHCP isn't configured by default. This interface will be the new gateway for all internal clients.
  • Regain connection to the web browser GUI and continue with the Sophos XG wizard.

Step 5: Sophos XG Install Continued


  • When the wizard has completed and applied all the configuration changes you will have to reload the GUI and regain access to the dashboard. The dashboard should look something like the one pictured below.
  • Once you have access we need to configure a DHCP server for LAN clients to connect.
  • Navigate to the 'System' tab (looks like a cog)
  • Click on 'Network' and then 'DHCP' as shown in the image below

Note: If you are using another device as a DHCP server you can also set-up DHCP Relay further down the same page.


  • Under the DHCP server section click on 'Add' where you will be taken to another page to enter your DHCP pool settings. Enter your settings accordingly but be mindful of any addresses already issued on your network.

Once these settings have been followed you should have full network connectivity again and your clients should be able to request a new DHCP address from the firewall. All your internal hosts' traffic will now pass through the Sophos XG firewall, giving you that extra layer of security. You can now go ahead and configure the firewall the way you want it.
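
One way to sanity-check the DHCP pool settings before entering them, as an added example that is not part of the original post: it flags a pool that overlaps hand-configured devices such as the AP or the ESXi management interface, or a static device that is not on the firewall's LAN subnet. All addresses in the sample are constructed; substitute your own.

```python
import ipaddress


def check_dhcp_pool(lan_iface, pool_start, pool_end, static_hosts):
    """Return a list of problems with a proposed DHCP pool (empty list = OK).

    lan_iface    -- firewall LAN interface in CIDR form, e.g. "192.168.10.1/24"
    pool_start, pool_end -- first and last address the DHCP server may lease
    static_hosts -- {name: address} of devices configured by hand
    """
    iface = ipaddress.ip_interface(lan_iface)
    net = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside LAN {net}")
    for reserved, what in ((net.network_address, "network"),
                           (net.broadcast_address, "broadcast")):
        if start <= reserved <= end:
            problems.append(f"pool contains the {what} address {reserved}")

    # The firewall's own LAN address is the clients' gateway; never lease it.
    hosts = {"firewall LAN interface": str(iface.ip), **static_hosts}
    for name, raw in hosts.items():
        addr = ipaddress.ip_address(raw)
        if addr not in net:
            problems.append(f"{name} ({addr}) is not on LAN {net}")
        elif start <= addr <= end:
            problems.append(f"{name} ({addr}) falls inside the pool")
    return problems


# Constructed sample values, not taken from the post.
LAN = "192.168.10.1/24"
STATIC = {
    "AP": "192.168.10.2",
    "ESXi management": "192.168.10.5",
    "Server 2012": "192.168.10.10",
}

if __name__ == "__main__":
    for pool in (("192.168.10.2", "192.168.10.255"),
                 ("192.168.10.100", "192.168.10.200")):
        issues = check_dhcp_pool(LAN, *pool, STATIC)
        print(pool, "OK" if not issues else issues)
```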

I hope this has been helpful for you and I hope you have managed to get your firewall up and running. If you have any questions, I will do my best to answer them but otherwise please refer to the Sophos community.

You can also catch me on Twitter: @iwiizkiid

Website: www.synack.co.uk