Sophos XG Firewall tips and tricks

Sophos Firewall is available under a free license for home/education purposes. The free license is limited to 4 CPU cores and 6 GB of RAM. Some things have gotten better, many have got worse. Despite having features roughly similar to UTM 9, XG does not support booting on UEFI platforms (legacy BIOS boot only). From a home lab perspective, this leaves all platforms made after ~2020 unusable. You don't want to run your "critical" asset on 5+ year old hardware, and probably not even virtualized with HA. For me, this is the end of Sophos firewalls. Too bad.

Download and information are available from sophos.com.

Sophos XG with dy.fi Dynamic DNS: Quick notes

Dynamic DNS is a method for automatically updating a changing IP address into a DNS server. There are many dynamic DNS service providers, but for Finnish users, http://dy.fi is the best.

The dy.fi FAQ notes: "If a host is not refreshed for 7 days, it is released (the DNS record is removed from the dy.fi zone)". Therefore the record must be refreshed before that; let's make it 6 days. This is something I have not worked out in the XG configuration yet.

Sophos XG needs a bit of tweaking to work with dy.fi. Here's a short guide.

Log in over SSH
From the Main menu, select 5. Device Management
From the Device Management menu, select 3. Advanced Shell
Query the dynamic DNS providers from the internal DB: psql -U nobody -d corporate -c "select * from tblddnsserviceprovider"
Modify the DynDns entry (serviceproviderid 1) so that it points at dy.fi; the protocol stays dyndns2, which is what dy.fi speaks: psql -U nobody -d corporate -c "update tblddnsserviceprovider set serverstring = 'dy.fi' where serviceproviderid=1"
Check that serverstring was updated: psql -U nobody -d corporate -c "select * from tblddnsserviceprovider"
The output should look like this:

    serviceproviderid | displayname |  protocol  |          serverstring
   -------------------+-------------+------------+---------------------------------
                    2 | ZoneEdit    | zoneedit1  | dynamic.zoneedit.com
                    3 | EasyDNS     | easydns    | members.easydns.com
                    5 | Sophos      | cyberoam   | myfirewall.co
                    4 | DynAccess   | dyndns2    | setip.dynaccess.com
                    6 | No-IP       | noip       | dynupdate.no-ip.com
                    7 | DNS-O-Matic | dyndns2    | updates.dnsomatic.com
                    8 | Google DDNS | dyndns2    | domains.google.com
                    9 | Namecheap   | namecheap  | dynamicdns.park-your-domain.com
                   10 | FreeDNS     | freedns    | freedns.afraid.org
                   11 | Cloudflare  | cloudflare | api.cloudflare.com
                    1 | DynDns      | dyndns2    | dy.fi
   (11 rows)


Configure the DynDNS options in WebAdmin (Network - Dynamic DNS - DynDNS); the provider is still listed as DynDns, only its server has changed. Note that this edits the appliance's configuration database directly, which is unsupported, so re-run the select query after a firmware update to make sure the serverstring still reads dy.fi.

Troubleshooting can be done by downloading the dynamic DNS client log (Diagnostics - Tools - Troubleshooting logs - ddc.log).

Sophos UTM 9 tips and tricks

Sophos UTM 9 is available under a free license for home/education purposes. The free license is limited to 50 IP addresses. Advanced security features expire after 3 years, but the basic functionality remains.

The main pros for UTM9 are

Download and home license are available from sophos.com.

Installing to PC Engines APU2D2 / APU2D4

Sophos can be installed directly on a PC Engines APU2 board. You'll need a serial console (38400,8,N,1; ISO-8859-1), a keyboard and installation media (DVD drive or bootable USB stick). Note that the APU2 board itself uses 115200,8,N,1 during its own boot. Get it booting with the APU2 settings, then switch the terminal to the UTM9 settings to install Sophos. The same method should work with Sophos XG Firewall.

The text during the boot sequence will look cryptic while the terminal settings don't match, but fear not.

The installer cannot be controlled over serial, as far as I can tell; use a USB keyboard.

The first network connector next to the DB9 port is eth0, the second eth1, and so on. Everything else works as in a virtual machine.

Sophos UTM 9 with dy.fi Dynamic DNS: Quick notes

Dynamic DNS is a method for automatically updating a changing IP address into a DNS server. There are many dynamic DNS service providers, but for Finnish users, http://dy.fi is the best.

The dy.fi FAQ notes: "If a host is not refreshed for 7 days, it is released (the DNS record is removed from the dy.fi zone)". Therefore the record must be refreshed before that; let's make it 6 days.

Sophos UTM needs a bit of tweaking to work with dy.fi. Here's a short guide.

Allow SSH access (Management - System Settings - Shell Access)
Define the root and loginuser passwords
Log in over SSH
Edit /var/confd/res/dyndns/features.ph
Make the dyndns entry look like this:

    'dyndns' => {
        'server'   => 'dy.fi',
        'protocol' => 'dyndns2',
        # refresh at least every 6 days: dy.fi releases a host not refreshed for 7
        'options'  => ['max-interval=6d'],
        'support'  => {
            'mx'       => 1,
            'backupmx' => 1,
            'strategy' => 1,
            'hostname' => 1,
            'wildcard' => 1,
            'aliases'  => 1,
            'ipv6'     => { 'strategy' => 'if', 'record' => ['a', 'both'] },
        },
    },


Note: Do not change the DynDNS name in the config file! SSL is enabled by default.
You will find more options and typical usages with ddclient --help.
ddclient is launched by /var/mdw/scripts/dyndns.

Configure the other options from WebAdmin (Network Services - DNS - DynDNS). You will see the dy.fi server address there.

After saving this configuration, go to Logging & Reporting - View Log Files - System Messages, where you should find log entries like the following:

	2017:04:02-16:35:50 sophosutm ddclient[2685]: WARNING: forcing update of your.dyndns.dy.fi from 78.27.96.6 to 78.27.96.6; 6 days since last update on Mon Mar 13 20:22:26 2017.
	2017:04:02-16:35:51 sophosutm ddclient[2685]: SUCCESS: updating your.dyndns.dy.fi: good: IP address set to 78.27.96.6


The log can also be viewed from the console: grep ddclient /var/log/system.log
Log files are automatically archived into dated subdirectories, e.g. /var/log/system/2017/04

Forceful update

If ddclient thinks it has already updated the IP address but the published address is wrong, you can force an update:

Allow SSH access (Management - System Settings - Shell Access)
Log in over SSH

	> sudo su - root
	> ddclient -force
	
Disable SSH access
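To make the ddclient behaviour above concrete (the dyndns2 update request, the 6-day max-interval refresh that keeps dy.fi from releasing the host, the success/failure reply, and the forced update), here is an added Python example that models it. It is not ddclient, dy.fi or Sophos code. The /nic/update path, the basic-auth header, the www.dy.fi host name and the reply words good/nochg/badauth are assumed from the dyndns2 convention, and the server in the block is a constructed fake so that the example runs offline.

```python
"""Minimal dyndns2-style updater with a max-interval refresh.

Added example modelling what ddclient does for dy.fi; not ddclient, dy.fi or Sophos code.
Assumed (not taken from the page): the /nic/update path, HTTP basic auth, the Host value
www.dy.fi and the classic dyndns2 reply words.  The server below is a constructed fake.
"""
import base64
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

DAY = 24 * 3600
MAX_INTERVAL = 6 * DAY            # refresh at least every 6 days: dy.fi drops a host after 7
GOOD_REPLIES = ("good", "nochg")  # dyndns2 success codes; anything else counts as failure


@dataclass
class State:
    """What ddclient keeps in its cache: the last IP sent and when it was sent."""
    last_ip: Optional[str] = None
    last_update: float = 0.0            # epoch seconds
    log: List[str] = field(default_factory=list)


def needs_update(state: State, current_ip: str, now: float, force: bool = False) -> Tuple[bool, str]:
    """Decide whether an update must be sent, and why (mirrors ddclient's -force / max-interval)."""
    if force:
        return True, "forced"
    if state.last_ip != current_ip:
        return True, "ip changed"
    if now - state.last_update >= MAX_INTERVAL:
        return True, "max-interval elapsed"
    return False, "up to date"


def build_request(host: str, user: str, password: str, ip: str) -> str:
    """dyndns2 GET with basic auth, as ddclient sends it (endpoint path is an assumption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /nic/update?hostname={host}&myip={ip} HTTP/1.1\r\n"
            f"Host: www.dy.fi\r\nAuthorization: Basic {token}\r\n\r\n")


def parse_reply(body: str) -> Tuple[bool, str]:
    """Map a dyndns2 reply line ('good 1.2.3.4', 'nochg', 'badauth', ...) to (ok, code)."""
    words = body.strip().split()
    code = words[0] if words else "empty"
    return code in GOOD_REPLIES, code


def update(state: State, host: str, user: str, password: str, current_ip: str, now: float,
           send: Callable[[str], str], force: bool = False) -> Tuple[bool, str]:
    """One ddclient cycle: decide, send, parse, record.

    `send` is a transport callable so the example runs offline; a real client would make
    an HTTPS request here.  The cache is only advanced on a successful reply, so a failed
    update (e.g. badauth) is retried on the next run instead of being silently forgotten."""
    do_it, reason = needs_update(state, current_ip, now, force)
    if not do_it:
        return False, reason
    ok, code = parse_reply(send(build_request(host, user, password, current_ip)))
    state.log.append(f"{reason}: {code}")
    if ok:
        state.last_ip, state.last_update = current_ip, now
    return ok, code


# --- constructed fake dy.fi server for the demo (not real dy.fi behaviour) ---
def fake_dyfi(request: str) -> str:
    if "Authorization: Basic " not in request:
        return "badauth"
    ip = request.split("myip=")[1].split()[0].split("&")[0]
    return f"good {ip}"


def demo() -> List[Tuple[bool, str]]:
    """First run sends, a run 3 days later is a no-op, a run 6 days later is forced by max-interval."""
    st = State()
    t0 = 1_490_000_000
    args = ("your.dyndns.dy.fi", "user", "pw", "78.27.96.6")
    return [
        update(st, *args, t0, fake_dyfi),            # (True, 'good')
        update(st, *args, t0 + 3 * DAY, fake_dyfi),  # (False, 'up to date')
        update(st, *args, t0 + 6 * DAY, fake_dyfi),  # (True, 'good'): refresh before dy.fi's 7-day limit
    ]


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The third call in demo() is the same situation as the "forcing update ... 6 days since last update" log line above: nothing changed, but the record is re-sent so that dy.fi's 7-day release timer never runs out. Passing force=True corresponds to running ddclient -force on the UTM.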

4G WAN with Huawei E392u-12

UTM9 supports the E392u-12 with no extra configuration needed. Just skip setting up your WAN during the initial setup and add it later from Interfaces. You can set the SIM PIN in the interface setup, so there's no need to remove it from the SIM.

I ran a remote site with this for about one year. I had two Sophos UTM9s, firewall rules using the dy.fi dyndns FQDN, transferring a constant H.264 CCTV video stream. And it worked.

[root@esxi:~] lsusb
Bus 001 Device 006: ID 12d1:1505 Huawei Technologies Co., Ltd. E398 LTE/UMTS/GSM Modem/Networkcard

The E392's operating modes can be set from a serial console on a computer that has the standard drivers installed.