Sophos UTM 9 tips and tricks

Sophos UTM 9 is available as free lincense for home/education purposes. Free license is limited to 50 IP addresses. Advanced security features will expore after 3 years, but the basic fuctionality will remain.

The main pros for UTM9 are

Download and home license is available from

Installing to PC Engines APU2D2 / APU2D4

Sophos can be directly installed on PC Engines APU2 board. You'll need to connect serial console (38400,8,N,1; ISO-8859-1), a keyboard and installation media (DVD-drive or buutable USB stick). Note, that APU2 board will use 115200,8,N,1 on it's own boot. You need to get it booting with APU2 settings and install Sophos with UTM9 settings. Same method should work with Sophos XG Firewall.

Text on boot sequence will look cryptic, but fear not.

You cannot control screen by serial, I think. Use USB keyboard.

First connector from DB9 is eth0, second eth1 etc. Everyhting will work as in virtual machine.

with Dynamic DNS: Quick notes

Dynamic DNS is a method for automatic updating IP address to DNS server. There are many dynamic DNS service providers, but for Finnish people, is the best.

FAQ in notifies: "If a host is not refreshed for 7 days, it is released (the DNS record is removed from the zone)". Therefore we need to update records before that - let's make it 6 days.

Sophos UTM needs a little bit of tweaking to work. Here's a short guide.

Allow SSH access (Management - System settings - Shell access)
Define root and loginuser passwords
Login to SSH
Edit /var/confd/res/dyndns/
Make dyndns-option look like:

	'dyndns' => {
        'server'   => '',
        'protocol' => 'dyndns2',
        'options'  => ['max-interval=6d'],
        'support'  => {
            'mx'       => 1,
            'backupmx' => 1,
            'strategy' => 1,
            'hostname' => 1,
            'wildcard' => 1,
            'aliases'  => 1,
            'ipv6'     => { 'strategy' => 'if', 'record' => ['a', 'both'] },

Note: Do not change DynDNS name in config file!. SSL is enabled by default.
You will find more options and typical usages with ddclient --help
DDCLIENT is launched by /var/mdw/scripts/dyndns.

Configure other options from WebAdmin (Network services - DNS - DynDNS). You will see server address.

After saving this configuration go to Diagnosis/Logs and you should find following log entries in System messages (Logging and reporting - View log files - System messages):

	2017:04:02-16:35:50 sophosutm ddclient[2685]: WARNING: forcing update of from to;
	6 days since last update on Mon Mar 13 20:22:26 2017.
	2017:04:02-16:35:51 sophosutm ddclient[2685]: SUCCESS: updating good: IP address set to

Log can also be viewed from console: grep ddclient /var/log/system.log
Log files are automatically archived to a subdirectory, eg. /var/log/system/2017/04

Forceful update

If ddclient thinks It's already updated IP address, and address is false, you may update it forcefully:

Allow SSH access (Management - System settings - Shell access)
Login to SSH

	> sudo su - root
	> ddclient -force
Disable SSH access

4G WAN with Huawei E392u-12

UTM9 supports E392u-12 with no extra configuration needed. Just skip setting up your WAN in first setup and add it later from Interfaces. You can define SIM PIN at setup - no need to remove it from SIM!

In run remote site with this for about one year. I had two Sophos UTM9's, firewall rules with dyndns fqdn, transferring constant H.264 CCTV video stream. And it worked.

[root@esxi:~] lsusb
Bus 001 Device 006: ID 12d1:1505 Huawei Technologies Co., Ltd. E398 LTE/UMTS/GSM Modem/Networkcard

E392 operation modes can be set from serial console, at a computer that has standard drivers installed.