
Connecting Sites with Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3005: Connecting Sites with Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Connecting Sites with Sophos Firewall - 1


Connecting Sites with Sophos Firewall
In this chapter you will learn about the different methods Sophos Firewall offers for connecting
sites.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION: 5 minutes



Site-to-Site Connections

[Diagram: a Sophos Firewall connected to a second Sophos Firewall by a site-to-site VPN, and to a
Remote Ethernet Device]

Sophos Firewall includes two main ways to connect sites: site-to-site VPNs and Remote Ethernet
Devices, or REDs. How you choose to connect your sites will depend on the requirements of each
site.

For example, a small site that routes all traffic back to the head office might be a good fit for a RED,
saving on the need for a full Sophos Firewall on-site. Whereas a large site that needs a Sophos
Firewall for web filtering and web server protection could be connected using a site-to-site VPN
without the need for additional hardware.



Site-to-Site Connections

Site-to-Site VPN
✓ Connection between two Sophos Firewalls
✓ Connection can be made to third-party firewalls
✓ Sophos Firewall can provide security filtering at the remote site

Remote Ethernet Device (RED)
✓ Connection between a Sophos Firewall and a small hardware device
✓ Plug and play with no technical expertise required onsite
✓ Can transparently extend the network between sites

If we look at a high-level comparison of the two connectivity options, there are a few key
differences.

Site-to-site VPNs can be used to create an encrypted tunnel between two Sophos Firewalls, or
between a Sophos Firewall and another device that supports compatible protocols. Having a
Sophos Firewall at the remote site also allows you to provide the same level of security filtering on-
site without sending all traffic back over the VPN.

Remote Ethernet Devices are small hardware devices installed in branch offices that transparently
extend the network between sites with a layer-2 connection. REDs are plug-and-play and don’t
require any technical expertise to connect at the remote site.

The RED tunnel technology can also be used to establish connections between Sophos Firewalls
without using additional hardware; this can be used as an alternative to the other supported site-
to-site VPN options.



Site-to-Site VPNs

SSL
✓ Simple configuration
✓ Effective site-to-site connectivity
• HTTPS (TLS)
• Port 8443 (can be changed)
• Digital certificates for authentication

IPsec
✓ Can be more secure if configured correctly
✓ Flexible routing options
✓ Supports failover groups
✓ Compatibility with third-party devices
• UDP port 500
• IP protocols 50 & 51
• Pre-shared key, RSA key, or digital certificates for authentication
• Tunnel mode for site-to-site connections

For site-to-site VPN connections, Sophos Firewall supports two protocols, SSL and IPsec.

SSL site-to-site VPNs are simple to configure, providing a quick and effective way to connect branch
offices.

IPsec, on the other hand, can be more secure if configured correctly, provides more flexible routing
options, and supports failover groups. IPsec can also be used to connect with third-party devices,
but it can be more complex to set up.



VPN Zone

All VPNs that are created are automatically added to the VPN zone. This is a special zone that has
no physical interfaces; all VPN connections, whether they are site-to-site or remote access, are
always in this zone, and you cannot add or remove any other type of interface.

While you cannot edit interface membership for this zone, you can manage the device access
options.

RED connections are not included in the VPN zone and can be configured to be in any zone,
providing a flexible alternative if you need to create a custom zone.



Chapter Review

Here are the three main things you learned in this chapter.

Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices, or
REDs.

Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to set up, and IPsec,
which is more configurable and flexible.

All VPN connections are automatically added to the VPN zone, which is a special zone with no
physical interfaces and whose interface membership cannot be edited.

Configuring SSL Site-to-Site VPNs on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3010: Configuring SSL Site-to-Site VPNs on Sophos Firewall

April 2022
Version: 19.0v1




Configuring SSL Site-to-Site VPNs on Sophos Firewall
In this chapter you will learn how to create an SSL site-to-site VPN between two Sophos Firewalls.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Methods offered by Sophos Firewall for connecting sites

DURATION: 5 minutes



SSL Site-to-Site VPN

[Diagram: the Branch Office Sophos Firewall (client for SSL VPN, site with a dynamic public IP
address) initiates the connection to the Head Office Sophos Firewall (server for SSL VPN, site with a
static public IP address)]

SSL site-to-site VPNs are implemented using a client-server configuration where each end of the
tunnel has a distinct role. The client side will always initiate the connection to the server, and the
server will always respond to client requests. This is different from IPsec where normally either end
can initiate a connection.



Device Access for SSL VPN

Device access is configured in: SYSTEM > Administration > Device access

Before creating any VPNs, first ensure that SSL VPN is enabled for the zones in which you want to
use it. These are the zones from which the VPN will connect to the Sophos Firewall. For site-to-site
VPNs this will most likely be the WAN zone.



SSL VPN Global Settings

SSL site-to-site VPNs are configured in CONFIGURE > Site-to-Site VPN > SSL VPN.

In the top-left of the page is a link to the SSL VPN global settings; you should check and configure
these before you start creating VPNs.



SSL VPN Global Settings

SSL VPN settings apply to both site-to-site and remote access VPNs

It is important to note that these settings apply to both site-to-site and remote access SSL VPNs, so
this should be considered when making changes.

Sophos Firewall uses port 8443 by default; if you are going to change this port you should do so
before you begin creating any VPNs.

Here, you can configure the network settings for SSL VPNs, including the subnet for IP leases, DNS
servers, and the domain name.

You can also customize the cryptographic settings for the connection and choose whether to
compress the traffic.



Creating an SSL VPN
1 Configure server

The configuration of SSL site-to-site VPNs is done in three steps; the first is to create the server side
of the connection. On the firewall that will be acting as the SSL VPN server, click Add in the ‘Server’
section.



The server connection is configured with a name and the local and remote networks. You can also
optionally set a static IP address for the client rather than an IP address from the address pool.



Creating an SSL VPN
2 Download configuration

Next, download the configuration file from the server connection. You can choose to encrypt the
connection file so that it requires a password to import.



Creating an SSL VPN
3 Upload on client

On the client Sophos Firewall, click Add in the ‘Client’ section.



Here, you will give the connection a name and upload the configuration file. If necessary, you can
override the hostname for the server Sophos Firewall; this can be a static or dynamic DNS name or
an IP address. You can also optionally define an HTTP proxy server.



Creating an SSL VPN

[Screenshot: the Server and Client sections of the SSL VPN page showing a connected SSL
site-to-site VPN]

Here you can see a connected SSL site-to-site VPN. Sophos Firewall will automatically create the
required routes and firewall rules so that traffic can flow between the networks defined in the
connection.



Simulation: Create an SSL Site-to-Site VPN

In this simulation you will create an SSL site-to-site VPN between two Sophos Firewalls.

https://training.sophos.com/fw/simulation/SslVpnS2s/1/start.html



Chapter Review

Here are the three main things you learned in this chapter.

SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs.

You need to enable SSL VPNs for the zones you want to create them in.

You configure the connection on the server Sophos Firewall, then upload the configuration file to
the client Sophos Firewall.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3020: Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

April 2022
Version: 19.0v1




Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

In this chapter you will learn how to configure IPsec site-to-site VPN connections for simple
environments.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION: 11 minutes



IPsec Site-to-Site VPNs

Route-based VPN
• VPN connection is independent of routes for traffic
• Routes can be modified without disconnecting VPN
• Routes are created manually

Policy-based VPN
• Local and remote networks are defined as part of the VPN
• VPN must be edited to change networks and requires disconnecting and reconnecting
• Routes are created automatically

Sophos Firewall supports two types of IPsec VPN: route-based and policy-based.

With route-based VPNs you create a VPN connection between two firewalls, then separately
configure routing for the traffic you want to send over the connection.

With policy-based VPNs, you define the local and remote networks as part of the VPN connection
and routes will be created for these networks only.

The advantage of route-based VPNs is that you can make changes to the traffic being routed over
the connection without having to edit, and therefore disconnect and reconnect, the VPN.



IPsec VPN Profiles

IPsec VPN profiles are configured in: SYSTEM > Profiles > IPsec profiles

• Security parameters used to establish and maintain the VPN connection
• Both sides of the VPN must allow the same settings
• There are several profiles provided out-of-the-box

IPsec VPNs require a matching set of algorithms and settings on both ends for a tunnel to be
successfully created. On the Sophos Firewall these are configured in IPsec profiles.

There are several preconfigured profiles that ship with the Sophos Firewall, but these can be
cloned and modified to meet your requirements. This may be necessary to meet compliance
criteria, or to create a VPN with a third-party device.



Route-Based VPN

[Diagram: two Sophos Firewalls connected by an xfrm tunnel interface, with the networks
172.16.16.0/24, 172.20.77.0/24, 192.168.16.0/24 and 192.168.2.0/24 labelled]

When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall.
This can be configured like any other interface, except it is always in the VPN zone. You can create
routes, NAT rules, and firewall rules in the same way you would for any other traffic.



Creating the VPN Tunnel Interfaces

IPsec VPNs are configured in: CONFIGURE > Site-to-Site VPN > IPsec

Select the Tunnel interface connection type

At least one side of the connection must be configured to initiate the connection

Select either:
• Preshared key
• Digital certificate
• RSA key

Let’s look at how you can configure this. We will look at the configuration for one side of the
tunnel; however, this will need to be done on both ends.

The first step is to create the tunnel interfaces. This is done by creating a new IPsec configuration;
select Tunnel interface for the connection type.

You will notice that when you select tunnel interface the IP version automatically changes to Dual,
as tunnel interfaces support both IPv4 and IPv6.

One side of the connection must be configured to initiate the connection. The other can be
configured to only respond.

In the ‘Encryption’ section, select the IPsec profile and type of authentication you want to use.



Creating the VPN Tunnel Interfaces

You do not need to specify the local and remote networks for tunnel interfaces

In the ‘Gateway settings’ section, select the local interface that will be used to create the VPN
connection and enter the IP address of the firewall that will be on the other side.

When configuring the local and remote gateways you do not specify the local and remote networks
for tunnel interfaces; however, you must set the remote gateway address. Unlike policy-based IPsec
VPNs, you cannot use a wildcard for the remote gateway address, even if the tunnel interface is
configured to respond only.



Configuring the Tunnel Interfaces

Tunnel interfaces are always in the VPN zone

Once you have saved the IPsec connection you will see a new interface has been created for it. The
interface will be bound to the physical interface selected when you created the IPsec connection.

The interface itself is configured in the same way as any other interface; however, you cannot
configure the zone. Tunnel interfaces are always in the VPN zone.

You must ensure that the tunnel interfaces at each end of the tunnel are in the same subnet.



Routing for Route-Based VPNs
Configure routes to send the traffic over the tunnel
Supports static routes, SD-WAN policy routes, and dynamic routing

Once you have configured the tunnel interfaces you can create routes for the traffic to use the
VPN. Routing can be configured using static routes, SD-WAN policy routes, and dynamic routing.



Simulation: Create a Route-Based IPsec Site-to-Site VPN

In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos
Firewalls.

https://training.sophos.com/fw/simulation/IpsecVpnS2s/1/start.html



Policy-Based IPsec VPN: IPsec VPN Wizard

Step-by-step guide for creating IPsec VPNs

IPsec VPN policies are configured in: CONFIGURE > VPN > IPsec Connections

Additional information about the configuration shown on the left

We will now look at configuring policy-based VPNs.

There is a wizard that can be launched from the IPsec site-to-site VPN page, which can be used to
create a policy-based VPN. The wizard will walk through the steps necessary to create a VPN,
providing additional help and descriptions for each field on the left.



Policy-Based IPsec VPN 1

Let’s walk through the configuration created by the wizard.

In the ‘General settings’ you can choose between IPv4 or IPv6 and whether the Sophos Firewall
should only respond to VPN requests or try to initiate them.

When you are creating a new VPN you can also optionally choose to have the Sophos Firewall
automatically create firewall rules, although these will be fairly general and should be reviewed.



Policy-Based IPsec VPN 2

[Screenshot callouts: Local RSA key: copy this to the ‘Remote RSA key’ field on the peer device.
Remote RSA key: copy this from the ‘Local RSA key’ field on the peer device]

In the ‘Encryption’ section you select the VPN profile, either one of the out-of-the-box profiles, or
one you have created yourself. Select the authentication type, which can be either a pre-shared
key, an RSA key, or a digital certificate.

Pre-shared keys are a passphrase that is entered on both devices. This is generally the weakest
authentication type, mostly because the key length is usually short in comparison to the other
options.

RSA keys are public/private key pairs. The public key is copied from each device to the other device.
This provides good security, as the key length is much longer, and different keys are used for each
device. As a bonus, you do not need to create a passphrase; you can simply copy and paste the
keys.

Digital certificates are the most secure option, but take some additional effort to configure. They
provide public/private key pairs similar to RSA keys, but are also signed by trusted certificate
authorities, and have the longest key lengths.



Policy-Based IPsec VPN 3

In the ‘Gateway settings’ you configure the interface the Sophos Firewall will use for the VPN and
where it will be connecting to. If the remote side has a dynamic IP address a wildcard can be used;
however, this also means the Sophos Firewall cannot initiate the connection as it does not know
where to connect to.

IPsec VPNs can also have an ID, which can be based on DNS, IP address, email address, or an X.509
certificate name.

Finally, you need to define which networks will be available over the VPN. That is, the local
networks that remote devices will be able to access, and the remote networks you expect to be
able to access over the VPN.



IPsec Acceleration

XGS Series Appliances Support IPsec Acceleration

Cipher and Authentication Combinations

SUPPORTED
• AES-CBC with 128/192/256-bit AES keys and SHA-1, SHA-256, SHA-384, or SHA-512 HMAC
• AES-GCM with 128/192/256-bit AES key
• NULL cipher with 128-bit GMAC authentication

UNSUPPORTED
• DES, 3DES
• TwoFish
• MD5

Sophos XGS Series appliances support IPsec acceleration, which offloads the IPsec encryption and
decryption to the NPU.

This is not only faster, but it also offloads work from the CPU, freeing up cycles for other security
processing functions.

Here you can see that the most commonly used cipher and authentication combinations are
supported, with only DES, 3DES, TwoFish, and MD5 being unsupported.
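The IPsec profile passage earlier in this chapter and the acceleration list above come down to the same two checks: the two ends of the tunnel must share a proposal, and on an XGS appliance the proposal they settle on decides whether the NPU offloads the traffic. As an added example (not Sophos code; the proposal names, the sample profile contents and the simplified IKE selection rule are this example's own assumptions), this Python script compares two profiles and reports the negotiated proposal, whether it is on the supported-combinations list above, and any mismatches that would keep a tunnel from forming:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Proposal:
    """One algorithm combination offered in an IPsec profile (the names are this
    example's own shorthand, not the labels in the Sophos Firewall UI).

    encryption:     "AES128"/"AES192"/"AES256" mean AES-CBC; "AES128-GCM" etc.
                    mean AES-GCM; also "3DES", "DES", "TWOFISH", or "NULL".
    authentication: "SHA1", "SHA2_256", "SHA2_384", "SHA2_512", "MD5",
                    "AEAD" for GCM, or "GMAC128" for the NULL-cipher case.
    dh_group:       Diffie-Hellman group number; None means no PFS in phase 2.
    """
    encryption: str
    authentication: str
    dh_group: Optional[int] = None


@dataclass
class IPsecProfile:
    name: str
    phase1: List[Proposal]   # IKE proposals, in preference order
    phase2: List[Proposal]   # ESP proposals, in preference order
    phase1_lifetime: int     # seconds
    phase2_lifetime: int     # seconds


# The cipher/authentication combinations the slide lists as offloaded to the
# XGS NPU; anything else (DES, 3DES, TwoFish, MD5) stays on the CPU.
ACCEL_CBC_CIPHERS = {"AES128", "AES192", "AES256"}
ACCEL_GCM_CIPHERS = {"AES128-GCM", "AES192-GCM", "AES256-GCM"}
ACCEL_HMACS = {"SHA1", "SHA2_256", "SHA2_384", "SHA2_512"}


def is_accelerated(p: Proposal) -> bool:
    """True if an ESP proposal is on the slide's SUPPORTED list."""
    if p.encryption in ACCEL_GCM_CIPHERS:
        return True                                   # AES-GCM, any listed key size
    if p.encryption == "NULL":
        return p.authentication == "GMAC128"          # NULL cipher + 128-bit GMAC only
    return p.encryption in ACCEL_CBC_CIPHERS and p.authentication in ACCEL_HMACS


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Simplified IKE selection (an assumption of this example): the initiator
    offers its proposals in order and the responder accepts the first one that
    is also in its own list."""
    allowed = set(responder)
    for p in initiator:
        if p in allowed:
            return p
    return None


def check_profiles(initiator: IPsecProfile, responder: IPsecProfile) -> dict:
    """Report what the two peers would agree on and why a tunnel might not form."""
    result = {"phase1": None, "phase2": None, "accelerated": False, "issues": []}

    result["phase1"] = negotiate(initiator.phase1, responder.phase1)
    if result["phase1"] is None:
        result["issues"].append("no common IKE (phase 1) proposal")

    p2 = negotiate(initiator.phase2, responder.phase2)
    result["phase2"] = p2
    if p2 is None:
        result["issues"].append("no common ESP (phase 2) proposal")
    else:
        result["accelerated"] = is_accelerated(p2)
        if not result["accelerated"]:
            result["issues"].append(
                f"ESP {p2.encryption}/{p2.authentication} is not offloaded to the NPU")

    # The slide requires both sides to allow the same settings, so lifetime
    # differences are reported alongside algorithm mismatches.
    if initiator.phase1_lifetime != responder.phase1_lifetime:
        result["issues"].append("phase 1 key lifetimes differ")
    if initiator.phase2_lifetime != responder.phase2_lifetime:
        result["issues"].append("phase 2 key lifetimes differ")
    return result


# Constructed sample profiles for the demonstration (not Sophos' shipped profiles).
HEAD_OFFICE = IPsecProfile(
    name="HQ-strong",
    phase1=[Proposal("AES256", "SHA2_256", 14), Proposal("AES128", "SHA1", 5)],
    phase2=[Proposal("AES256-GCM", "AEAD", 14), Proposal("AES256", "SHA2_256", 14)],
    phase1_lifetime=28800, phase2_lifetime=3600)

BRANCH = IPsecProfile(            # third-party device with a broader, weaker policy
    name="branch-thirdparty",
    phase1=[Proposal("AES128", "SHA1", 5), Proposal("3DES", "MD5", 2)],
    phase2=[Proposal("AES256", "SHA2_256", 14), Proposal("3DES", "MD5")],
    phase1_lifetime=28800, phase2_lifetime=3600)

LEGACY_PEER = IPsecProfile(       # only legacy algorithms and a different lifetime
    name="legacy",
    phase1=[Proposal("3DES", "MD5", 2)],
    phase2=[Proposal("3DES", "MD5")],
    phase1_lifetime=86400, phase2_lifetime=3600)


if __name__ == "__main__":
    for a, b in ((HEAD_OFFICE, BRANCH), (HEAD_OFFICE, LEGACY_PEER), (BRANCH, LEGACY_PEER)):
        r = check_profiles(a, b)
        print(f"{a.name} -> {b.name}: phase2={r['phase2']}, accelerated={r['accelerated']}, "
              f"issues={r['issues'] or 'none'}")
```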



IPsec Acceleration

console> system ipsec-acceleration disable

This will restart all IPsec tunnels and stop offloading IPsec VPN traffic
to the Xstream flow processor.

Turn off IPsec acceleration(Y/N)? Y

console> system ipsec-acceleration enable

This will restart all IPsec tunnels and offload IPsec VPN traffic to the
Xstream flow processor.

Turn on IPsec acceleration(Y/N)? Y

IPsec acceleration is configured on the Console using the system ipsec-acceleration command to
enable and disable the feature.



IPsec Acceleration

[Diagram: inside the Sophos Firewall, the kernel does the packet encapsulation and adds the ESP
header; the NPU/Xstream Processor detects the encapsulated packet and performs the encryption]

With IPsec acceleration enabled, when a packet comes in the kernel will still perform the
encapsulation, but it will not encrypt the packet.

The NPU will detect the ESP header and perform the encryption on the packet.

The reverse will happen with the reply. The NPU will decrypt the packet and the kernel will remove
the encapsulation.



IPsec Acceleration with Firewall Acceleration (FastPath)

[Diagram: inside the Sophos Firewall, the NPU/Xstream Processor does the packet encapsulation and
adds the ESP header, then detects the encapsulated packet and performs the encryption]

If you also have firewall acceleration enabled, offloading to the FastPath, the NPU will do the
packet encapsulation and the encryption. This is the ideal scenario.

The opposite is true with IPsec acceleration and firewall acceleration both disabled, as the kernel
will do both the encapsulation and encryption.



Chapter Review

Here are the four main things you learned in this chapter.

IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of the
VPN need to support the same settings.

Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separately from the connection.

Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.

Firewall rules can be created automatically when you create a policy-based VPN, but they are broad
and should be edited.

Getting Started with Remote Ethernet Devices on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]
Sophos Firewall
FW3035: Getting Started with Remote Ethernet Devices on Sophos Firewall

April 2022
Version: 19.0v1




Getting Started with Remote Ethernet Devices on Sophos Firewall

In this chapter you will learn how to deploy a Remote Ethernet Device on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION: 9 minutes



RED Overview
• Plug and play branch office connectivity
• No technical expertise required onsite
• Creates a layer-2 tunnel to Sophos Firewall

[Diagram: a RED behind a router with a DHCP & DNS server establishes a layer-2 tunnel to the Sophos
Firewall over TCP 3400 and UDP 3410]

Sophos Remote Ethernet Devices, or REDs, provide a simple way to connect remote sites to a central
network securely by creating a layer-2 tunnel. Installing the RED device on-site requires no
configuration or technical expertise. RED connections use a small hardware RED device at the
remote location, and all configuration for that device is done centrally on the Sophos Firewall.

At the remote location, the RED requires:

• A power connection
• A network connection
• A DHCP server to provide an IP address, DNS server and default gateway
• Ports 3400 TCP and 3410 UDP open on the firewall



RED Deployment

[Diagram: 1. Configure RED device on the Head Office Sophos Firewall, which sends the configuration
to the RED Provisioning Service (red.astaro.com); 3. Deploy RED device; 4. Receive local IP (DHCP)
from the router; 7. Establish Layer-2 Tunnel to the Sophos Firewall]

Let’s look at how you deploy a RED.

You configure the RED on the Sophos Firewall. You need to provide the publicly resolvable
hostname the RED will connect to and the IP address and netmask of the RED interface that will be
created on the Sophos Firewall. You also enter the 15-character RED ID that is printed on a sticker
on the base of the RED. This is used to tie the configuration to the device.

The Sophos Firewall then sends the configuration to the cloud-based provisioning server.

Next, the RED is plugged in at the remote office and gets an IP address, DNS server and gateway
from the local DHCP server.

The RED connects to the provisioning server with its ID, and the provisioning server sends back the
configuration that the RED needs to connect to the Sophos Firewall at the central office. The
provisioning server is no longer used from this point forward.

Finally, the RED establishes a layer-2 tunnel to the Sophos Firewall using TCP port 3400 and UDP
port 3410.



RED Deployment Modes

[Diagram: the three deployment modes, Standard/Unified, Standard/Split and Transparent/Split,
showing where the default gateway and DHCP server sit in each, which traffic is routed over the RED
tunnel, and which traffic is routed directly to the Internet]

REDs can be deployed in three modes.

In Standard/Unified mode the remote network is managed by the Sophos Firewall, which serves
as the DHCP server and default gateway for all clients connecting through the RED. All traffic
generated on the remote network is sent through the RED to Sophos Firewall.

In Standard/Split mode the Sophos Firewall still manages the remote network, acting as the DHCP
server and default gateway. However, in this configuration only traffic to defined networks is sent
through the RED to Sophos Firewall, and all other traffic is sent directly to the Internet.

In Transparent/Split mode the Sophos Firewall doesn’t manage the remote network but is a
member of it. The Firewall gets its IP address from a DHCP server running on the remote network.
Only traffic to defined networks is sent through the RED to Sophos Firewall, and all other traffic is
sent directly to the Internet. As this mode of deployment does not require any re-addressing it is
an easy way to connect networks following an acquisition or similar.

In the case of Standard/Split and Transparent/Split deployment modes, the Sophos Firewall does
not provide any web filtering or other security to clients on the remote network.

Please note that you still need to create firewall rules for the computers connected to the remote
network to be able to interact with computers on the central office network.



Configuring RED in Different Deployment Modes

                                                  Standard/Unified   Standard/Split   Transparent/Split
Zone for the RED interface on the Sophos Firewall Required           Required         Required
IP address for the RED interface on the firewall  Static             Static           DHCP
DHCP server for the remote network                Optional           Optional         No
Split networks (networks accessed through the
  RED from the remote site)                       -                  Required         Required
Split DNS server (DNS server for split networks)  -                  -                Required
Split domains (domains accessed through the
  RED from the remote site)                       -                  -                Required
MAC address filtering                             Optional           Optional         Optional
Tunnel compression                                Optional           Optional         Optional

The configuration required when deploying REDs in the different modes is slightly different and is
summarised in this table.

Both standard modes have similar configuration; you set IP address for the RED interface on
Sophos Firewall statically and can optionally provide DHCP for the remote side of the tunnel.
Where it differs is that for standard/split, you need to define for which networks traffic will be
routed over the RED tunnel, with all other traffic being routed onto the local Internet gateway.

The transparent mode is the most different. In this case the RED interface on Sophos Firewall gets
its IP address settings from a DHCP server on the remote side of the tunnel. As the Sophos Firewall
is not the default gateway for the network, you need to supply more split settings: in addition to
the split networks, you configure a DNS server for those networks and the split domains that
should be resolved through it.
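As an added example (not code from Sophos or from this course), the following Python model
captures the three deployment modes described above: validate() checks a proposed configuration
against the per-mode requirements in the table, and route_of() shows, for a given destination,
whether a packet from the remote LAN crosses the tunnel (and is therefore seen by the firewall) or
leaves through the local Internet gateway and bypasses it. The RedConfig fields and function names
are my own; only IP-based split networks are modelled, not DNS-based split domains.

```python
"""Model of the three RED deployment modes (added example, not Sophos code).

validate() applies the per-mode requirements from the configuration table;
route_of() answers where a packet from the remote LAN would go.
"""
import ipaddress
from dataclasses import dataclass, field

MODES = ("standard/unified", "standard/split", "transparent/split")


@dataclass
class RedConfig:
    mode: str
    zone: str = ""                       # zone of the RED interface, required in every mode
    red_ip: str = ""                     # static address (e.g. "10.20.0.1") or "dhcp"
    dhcp_server: bool = False            # firewall hands out addresses on the remote LAN
    split_networks: list = field(default_factory=list)   # CIDRs reached over the tunnel
    split_dns: str = ""                  # DNS server for the split networks (transparent only)
    split_domains: list = field(default_factory=list)    # domains resolved via split_dns


def _is_static_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate(cfg):
    """Return a list of problems; an empty list means the settings fit the mode."""
    problems = []
    if cfg.mode not in MODES:
        return [f"unknown mode {cfg.mode!r}"]
    if not cfg.zone:
        problems.append("a zone for the RED interface is required in every mode")

    if cfg.mode.startswith("standard/"):
        # Firewall is the default gateway: it needs a fixed address on the RED interface.
        if not _is_static_ip(cfg.red_ip):
            problems.append("standard modes need a static IP on the RED interface")
    else:
        # Transparent: the firewall is only a DHCP client on the remote LAN.
        if cfg.red_ip.lower() != "dhcp":
            problems.append("transparent/split takes the RED interface address from the remote DHCP server")
        if cfg.dhcp_server:
            problems.append("transparent/split cannot run a DHCP server on the RED interface")
        if not cfg.split_dns:
            problems.append("transparent/split needs a split DNS server")
        if not cfg.split_domains:
            problems.append("transparent/split needs split domains")

    if cfg.mode.endswith("/split"):
        if not cfg.split_networks:
            problems.append("split modes need at least one split network")
        for net in cfg.split_networks:
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                problems.append(f"bad split network {net!r}")
    return problems


def route_of(cfg, dst_ip):
    """'tunnel' if the packet reaches the Sophos Firewall, 'direct' if it leaves via the local gateway."""
    if cfg.mode == "standard/unified":
        return "tunnel"                  # everything goes back to the central office
    dst = ipaddress.ip_address(dst_ip)
    for net in cfg.split_networks:
        if dst in ipaddress.ip_network(net, strict=False):
            return "tunnel"
    return "direct"                      # never touches the firewall


def unprotected_destinations(cfg, dst_ips):
    """Destinations the firewall never sees, i.e. that get no web filtering from it."""
    return [ip for ip in dst_ips if route_of(cfg, ip) == "direct"]


if __name__ == "__main__":
    # Constructed sample: a branch in standard/split mode with head office on 10.0.0.0/8.
    branch = RedConfig("standard/split", zone="LAN", red_ip="10.20.0.1",
                       dhcp_server=True, split_networks=["10.0.0.0/8"])
    print(validate(branch))                                             # []
    print(unprotected_destinations(branch, ["10.1.2.3", "93.184.216.34"]))  # ['93.184.216.34']
```

Run it to see which of a branch's destinations would bypass the firewall in a split mode; the same
check, applied to the list of SaaS or Internet destinations a site actually uses, makes the trade-off
between split and unified mode concrete before the RED is shipped.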



Simulation: Deploy a RED on Sophos Firewall

In this simulation you will deploy a Remote Ethernet Device (RED) on Sophos Firewall in
standard/split mode.

https://training.sophos.com/fw/simulation/DeployRED/1/start.html



SD-RED Models

SD-RED 20 and SD-RED 60

There are two RED models, SD-RED 20 and SD-RED 60.

The SD-RED hardware provides the option for dual power supplies for redundancy, and an
expansion slot that can be used to add WiFi or 4G.

[Additional Information]
https://community.sophos.com/xg-firewall/f/recommended-reads/119318/substituting-xg-for-red-devices-via-light-touch-deployment-from-sophos-central



SD-RED Models

                       SD-RED 20                                    SD-RED 60
PERFORMANCE
Maximum throughput     250 Mbps                                     850 Mbps
CONNECTIVITY
LAN interfaces         4 x 10/100/1000 Base-TX (1 GbE copper)       4 x 10/100/1000 Base-TX (1 GbE copper)
WAN interfaces         1 x 10/100/1000 Base-TX (shared with SFP)    2 x 10/100/1000 Base-TX (WAN1 shared with SFP)
SFP interfaces         1 x SFP fiber (shared port with WAN)         1 x SFP fiber (shared port with WAN1)
PoE ports              None                                         2 PoE ports (total power 30 W)
MODULARITY
Expansion bays         1 (optional Wi-Fi or 4G/LTE card)            1 (optional Wi-Fi or 4G/LTE card)
REDUNDANCY
Swappable components   Optional 2nd power supply                    Optional 2nd power supply

Here you can see a table comparing the SD-RED 20 and 60.

Neither model imposes a user limit; the choice of model is driven by the maximum throughput and
the other features.

The SD-RED 20 is designed for smaller sites with a maximum throughput of 250 Mbps, while the
SD-RED 60 is intended for larger sites, with a throughput of up to 850 Mbps.

Both models have gigabit connections on both the internal and external interfaces and support an
SFP fiber uplink.

The SD-RED 60 adds a second WAN port, as well as two Power over Ethernet ports that can supply a
total of up to 30 watts.

[Additional Information]
Datasheet: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-sd-red-ds.pdf

Optional Wi-Fi Module: 802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5), dual-band capable, 2x2 MIMO, 2 antennas

Optional 3G/4G LTE Module: MC7430/MC7455 Sierra Wireless Card



Discontinued (Still Supported) RED Models

                                   RED 15         RED 15w        RED 50
Maximum users                      Unrestricted   Unrestricted   Unrestricted
Maximum throughput                 90 Mbit/s      90 Mbit/s      360 Mbit/s
LAN ports                          4 x Gbit       4 x Gbit       4 x Gbit
WAN ports                          1 x Gbit       1 x Gbit       2 x Gbit
USB ports                          1              1              2
Hardware accelerated encryption    -              -              ✓
Configure VLANs on LAN ports       -              -              ✓
Data compression                   ✓              ✓              ✓
Built-in wireless access point     -              ✓              -

There are three discontinued models of RED that are still supported, starting with the RED 15,
which is suitable for small sites. All three models have gigabit connections and at least one USB
port that can be used to provide backup connectivity over UMTS.

The RED 15w has all the features of the RED 15 and adds a built-in wireless access point.

The RED 50 is designed for larger sites and includes more advanced features:
• Two external ports that can be configured for load balancing or failover
• Internal ports that can be configured in either switch mode or for VLANs
• Two USB ports



Chapter Review

Here are the three main things you learned in this chapter.

RED requires DHCP, DNS, and ports TCP 3400 and UDP 3410.

RED can be deployed in three modes: standard/unified, standard/split, and transparent/split. Each
deployment mode requires slightly different configuration.

There are two current RED models: SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G
module using the expansion bay.
