Sophos Firewall
FW3005: Connecting Sites with Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Duration: 5 minutes
In this chapter you will learn about the different methods Sophos Firewall offers for connecting
sites.
Sophos Firewall includes two main ways to connect sites: site-to-site VPNs, and Remote Ethernet
Devices, or REDs. How you choose to connect your sites will depend on the requirements of each
site.
For example, a small site that routes all traffic back to the head office might be a good fit for a RED,
saving on the need for a full Sophos Firewall on-site. Whereas a large site that needs a Sophos
Firewall for web filtering and web server protection could be connected using a site-to-site VPN
without the need for additional hardware.
If we look at a high-level comparison of the two connectivity options, there are a few key
differences.
Site-to-site VPNs can be used to create an encrypted tunnel between two Sophos Firewalls, or
between a Sophos Firewall and another device that supports compatible protocols. Having a
Sophos Firewall at the remote site also allows you to provide the same level of security filtering
on-site without sending all traffic back over the VPN.
Remote Ethernet Devices are small hardware devices that are connected in branch offices that can
transparently extend the network between sites with a layer-2 connection. REDs are plug-and-play,
and don’t require any technical expertise to connect at the remote site.
The RED tunnel technology can also be used to establish connections between Sophos Firewalls
without using additional hardware; this can be used as an alternative to the other supported
site-to-site VPN options.
For site-to-site VPN connections, Sophos Firewall supports two protocols: SSL and IPsec.
SSL site-to-site VPNs are simple to configure, providing a quick and effective way to connect branch
offices.
IPsec, on the other hand, can be more secure if configured correctly, provides more flexible routing
options and supports failover groups. IPsec can also be used to connect with third-party devices,
but it can be more complex to set up.
All VPNs that are created are automatically added to the VPN zone. This is a special zone that has
no physical interfaces; all VPN connections, whether site-to-site or remote access, are always in
this zone, and you cannot add or remove any other types of interface.
While you cannot edit interface membership for this zone, you can manage the device access
options.
RED connections are not included in the VPN zone and can be configured to be in any zone,
providing a flexible alternative if you need to create a custom zone.
Here are the three main things you learned in this chapter.
Sophos Firewall includes two methods of connecting sites: VPNs and Remote Ethernet Devices, or
REDs.
Sophos Firewall supports two site-to-site VPN protocols: SSL, which is simple to set up, and IPsec,
which is more configurable and flexible.
All VPN connections are automatically added to the VPN zone, which is a special zone with no
physical interfaces that cannot be edited.
Sophos Firewall
FW3010: Configuring SSL Site-to-Site VPNs on Sophos Firewall
April 2022
Version: 19.0v1
Duration: 5 minutes
In this chapter you will learn how to create an SSL site-to-site VPN between two Sophos Firewalls.
Diagram: the client (the site with a dynamic public IP address) initiates the connection to the
server (the site with a static public IP address).
SSL site-to-site VPNs are implemented using a client-server configuration where each end of the
tunnel has a distinct role. The client side will always initiate the connection to the server, and the
server will always respond to client requests. This is different from IPsec where normally either end
can initiate a connection.
Before creating any VPNs, first ensure that SSL VPN is enabled for the zones in which you want to
use it. These are the zones from which the VPN will connect to the Sophos Firewall; for
site-to-site VPNs this will most likely be the WAN zone.
SSL site-to-site VPNs are configured in CONFIGURE > Site-to-Site VPN > SSL VPN.
In the top-left of the page is a link to the SSL VPN global settings; you should check and configure
these before you start creating VPNs.
It is important to note that these settings apply to both site-to-site and remote access SSL VPNs, so
this should be considered when making changes.
Sophos Firewall uses port 8443 by default; if you are going to change this port you should do so
before you begin creating any VPNs.
Here, you can configure the network settings for SSL VPNs, including the subnet for IP leases, DNS
servers, and the domain name.
You can also customize the cryptographic settings for the connection and choose whether to
compress the traffic.
The configuration of SSL site-to-site VPNs is done in three steps. The first is to create the server
side of the connection. On the firewall that will be acting as the SSL VPN server, click Add in the
‘Server’ section.
The server connection is configured with a name and the local and remote networks. You can also
optionally set a static IP address for the client rather than an IP address from the address pool.
Next, download the configuration file from the server connection. You can choose to encrypt the
connection file so that it requires a password to import.
On the client Sophos Firewall, you give the connection a name and upload the configuration file. If
necessary, you can override the hostname for the server Sophos Firewall; this can be a static or
dynamic DNS name or an IP address. You can also optionally define an HTTP proxy server.
Here you can see a connected SSL site-to-site VPN. Sophos Firewall will automatically create the
required routes and firewall rules so that traffic can flow between the networks defined in the
connection.
https://training.sophos.com/fw/simulation/SslVpnS2s/1/start.html
In this simulation you will create an SSL site-to-site VPN between two Sophos Firewalls.
Here are the three main things you learned in this chapter.
SSL VPN settings are global and apply to both site-to-site and remote access SSL VPNs.
You need to enable SSL VPNs for the zones you want to create them in.
You configure the connection on the server Sophos Firewall then upload the configuration file to
the client Sophos Firewall.
Sophos Firewall
FW3020: Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall
April 2022
Version: 19.0v1
Duration: 11 minutes
In this chapter you will learn how to configure IPsec site-to-site VPN connections for simple
environments.
Sophos Firewall supports two types of IPsec VPN: route-based and policy-based.
With route-based VPNs you create a VPN connection between two firewalls, then separately
configure routing for the traffic you want to send over the connection.
With policy-based VPNs, you define the local and remote networks as part of the VPN connection
and routes will be created for these networks only.
The advantage of route-based VPNs is that you can make changes to the traffic being routed over
the connection without having to edit, and therefore disconnect and reconnect, the VPN.
IPsec VPNs require a matching set of algorithms and settings on both ends for a tunnel to be
successfully created. On the Sophos Firewall these are configured in IPsec profiles.
There are several preconfigured profiles that ship with the Sophos Firewall, but these can be
cloned and modified to meet your requirements. This may be necessary to meet compliance
criteria, or to create a VPN with a third-party device.
When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall.
This can be configured like any other interface, except it is always in the VPN zone. You can create
routes, NAT rules, and firewall rules in the same way you would for any other traffic.
Let’s look at how you can configure this. We will look at the configuration for one side of the
tunnel; however, this will need to be done on both ends.
The first step is to create the tunnel interfaces. This is done by creating a new IPsec configuration;
select Tunnel interface for the connection type.
You will notice that when you select tunnel interface the IP version automatically changes to Dual,
as tunnel interfaces support both IPv4 and IPv6.
One side of the connection must be configured to initiate the connection. The other can be
configured to only respond.
In the ‘Encryption’ section, select the IPsec profile and type of authentication you want to use.
In the ‘Gateway settings’ section, select the local interface that will be used to create the VPN
connection and enter the IP address of the firewall that will be on the other side.
When configuring the local and remote gateways you do not specify the local and remote networks
for tunnel interfaces; however, you must set the remote gateway address. Unlike policy-based IPsec
VPNs, you cannot use a wildcard for the remote gateway address even if the tunnel interface is
configured to respond only.
Once you have saved the IPsec connection you will see a new interface has been created for it. The
interface will be bound to the physical interface selected when you created the IPsec connection.
The interface itself is configured in the same way as any other interface; however, you cannot
configure the zone. Tunnel interfaces are always in the VPN zone.
You must ensure that the tunnel interfaces at each end of the tunnel are in the same subnet.
Once you have configured the tunnel interfaces you can create routes for the traffic to use the
VPN. Routing can be configured using static routes, SD-WAN policy routes, and dynamic routing.
https://training.sophos.com/fw/simulation/IpsecVpnS2s/1/start.html
In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos
Firewalls.
There is a wizard that can be launched from the IPsec site-to-site VPN page, which can be used to
create a policy-based VPN. The wizard will walk through the steps necessary to create a VPN,
providing additional help and descriptions for each field on the left.
In the ‘General settings’ you can choose between IPv4 or IPv6 and whether the Sophos Firewall
should only respond to VPN requests or try to initiate them.
When you are creating a new VPN you can also optionally choose to have the Sophos Firewall
automatically create firewall rules, although these will be fairly general and should be reviewed.
Screenshot callouts: the value in the ‘Local RSA key’ field is copied to the ‘Remote RSA key’ field
on the peer device, and the ‘Remote RSA key’ field is filled with the value from the ‘Local RSA
key’ field on the peer device.
In the ‘Encryption’ section you select the VPN profile, either one of the out-of-the-box profiles, or
one you have created yourself. Select the authentication type, which can be either a pre-shared
key, an RSA key, or a digital certificate.
A pre-shared key is a passphrase that is entered on both devices. This is generally the weakest
authentication type, mostly because the key length is usually short in comparison to the other
options.
RSA keys are public/private key pairs. The public key is copied from each device to the other device.
This provides good security, as the key length is much longer, and different keys are used for each
device. As a bonus, you do not need to create a passphrase; you can simply copy and paste the
keys.
Digital certificates are the most secure option, but take some additional effort to configure. They
provide similar public/private key pairs to RSA keys, but are also signed by trusted certificate
authorities, and have the longest key lengths.
In the ‘Gateway settings’ you configure the interface the Sophos Firewall will use for the VPN and
where it will be connecting to. If the remote side has a dynamic IP address a wildcard can be used;
however, this also means the Sophos Firewall cannot initiate the connection as it does not know
where to connect to.
IPsec VPNs can also have an ID, which can be based on DNS, IP address, email address, or an X.509
certificate name.
Finally, you need to define which networks will be available over the VPN. That is, the local
networks that remote devices will be able to access, and the remote networks you expect to be
able to access over the VPN.
Sophos XGS Series appliances support IPsec acceleration, which offloads the IPsec encryption and
decryption to the NPU.
This is faster in terms of performance, and it also offloads work from the CPU, freeing up cycles
for other security processing functions.
The most commonly used cipher and authentication combinations are supported; only DES, 3DES,
TwoFish, and MD5 are unsupported.
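As an added example (not Sophos code) that draws together the profile-matching, tunnel-interface and NPU-offload points of this chapter, the following Python script checks a constructed pair of route-based IPsec configurations for mismatched profile settings, tunnel interface addresses that are not in one subnet, a wildcard remote gateway, two respond-only peers, and algorithms that would keep traffic off the Xstream flow processor. The profile field names and all sample values are assumptions made for the example.

```python
"""Pre-flight consistency check for a route-based IPsec site-to-site VPN
between two Sophos Firewalls. Added example, not Sophos code: the profile
field names below are assumed, and every value is constructed."""
import ipaddress

# Algorithms the chapter lists as unsupported by IPsec acceleration;
# a tunnel using any of them is handled by the kernel, not the NPU.
NOT_OFFLOADABLE = {"DES", "3DES", "TWOFISH", "MD5"}

# Assumed profile fields that must agree on both ends of the tunnel.
PROFILE_FIELDS = ("ike_version", "phase1_cipher", "phase1_hash",
                  "phase1_dh_group", "phase2_cipher", "phase2_hash",
                  "pfs_group")
ALGO_FIELDS = ("phase1_cipher", "phase1_hash", "phase2_cipher", "phase2_hash")


def profile_mismatches(local, remote):
    """Return (field, local_value, remote_value) for every field that differs."""
    diffs = []
    for field in PROFILE_FIELDS:
        l_val = str(local.get(field, "")).upper()
        r_val = str(remote.get(field, "")).upper()
        if l_val != r_val:
            diffs.append((field, l_val, r_val))
    return diffs


def offload_blockers(profile):
    """Return the profile's algorithms that prevent offload to the NPU."""
    algos = {str(profile.get(f, "")).upper() for f in ALGO_FIELDS}
    return sorted(a for a in algos if a in NOT_OFFLOADABLE)


def tunnel_interfaces_ok(local_cidr, remote_cidr):
    """True when both xfrm interface addresses share a subnet and differ."""
    local = ipaddress.ip_interface(local_cidr)
    remote = ipaddress.ip_interface(remote_cidr)
    return local.network == remote.network and local.ip != remote.ip


def check_pair(local, remote):
    """Assemble the findings for one local/remote pair into a report dict."""
    report = {
        "profile_mismatches": profile_mismatches(local["profile"], remote["profile"]),
        "offload_blockers": offload_blockers(local["profile"]),
        "tunnel_subnet_ok": tunnel_interfaces_ok(local["xfrm_address"],
                                                 remote["xfrm_address"]),
        # Tunnel interfaces need a concrete remote gateway on both ends;
        # the wildcard "*" is only allowed for policy-based VPNs.
        "remote_gateway_ok": "*" not in (local["remote_gateway"],
                                         remote["remote_gateway"]),
        # At least one side must be allowed to initiate the connection.
        "initiator_ok": not (local["respond_only"] and remote["respond_only"]),
    }
    report["ready"] = (not report["profile_mismatches"]
                       and report["tunnel_subnet_ok"]
                       and report["remote_gateway_ok"]
                       and report["initiator_ok"])
    return report


# Constructed sample: head office initiates, branch responds only. The
# branch admin cloned the profile but changed the phase 2 cipher to 3DES.
HQ = {
    "profile": {"ike_version": "IKEv2", "phase1_cipher": "AES256",
                "phase1_hash": "SHA2_256", "phase1_dh_group": "14",
                "phase2_cipher": "AES256", "phase2_hash": "SHA2_256",
                "pfs_group": "14"},
    "xfrm_address": "10.255.0.1/30",
    "remote_gateway": "198.51.100.1",
    "respond_only": False,
}
BRANCH = {
    "profile": {**HQ["profile"], "phase2_cipher": "3DES"},
    "xfrm_address": "10.255.0.2/30",
    "remote_gateway": "203.0.113.1",
    "respond_only": True,
}

if __name__ == "__main__":
    import json
    print(json.dumps(check_pair(HQ, BRANCH), indent=2))
```

Running it reports the phase 2 mismatch and flags 3DES as the reason the branch profile would not be offloaded; fixing the branch profile makes the pair ready.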
IPsec acceleration is configured on the Console using the system ipsec-acceleration command to
enable and disable the feature. Disabling it will restart all IPsec tunnels and stop offloading IPsec
VPN traffic to the Xstream flow processor; enabling it will restart all IPsec tunnels and offload
IPsec VPN traffic to the Xstream flow processor.
With IPsec acceleration enabled, when a packet comes in the kernel will still perform the
encapsulation, but it will not encrypt the packet.
The NPU will detect the ESP header and perform the encryption on the packet.
The reverse will happen with the reply. The NPU will decrypt the packet and the kernel will remove
the encapsulation.
If you also have firewall acceleration enabled, offloading to the FastPath, the NPU will do the
packet encapsulation and the encryption. This is the ideal scenario.
The opposite is true with IPsec acceleration and firewall acceleration both disabled, as the kernel
will do both the encapsulation and encryption.
Here are the four main things you learned in this chapter.
IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of the
VPN need to support the same settings.
Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separate from the connection.
Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.
Firewall rules can be created automatically when you create a policy-based VPN but are broad and
should be edited.
Sophos Firewall
FW3035: Getting Started with Remote Ethernet Devices on Sophos Firewall
April 2022
Version: 19.0v1
Duration: 9 minutes
In this chapter you will learn how to deploy a Remote Ethernet Device on Sophos Firewall.
Diagram: the RED, behind the remote site's router (DHCP & DNS), establishes a layer-2 tunnel to
the Sophos Firewall using TCP port 3400 and UDP port 3410.
Sophos Remote Ethernet Devices, or REDs, provide a simple way to connect remote sites to a
central network securely by creating a layer-2 tunnel. Installing the RED device on-site requires no
configuration or technical expertise. RED connections use a small hardware RED device at the
remote location, and all configuration for that device is done centrally on the Sophos Firewall.
You configure the RED on the Sophos Firewall. You need to provide the publicly resolvable
hostname the RED will connect to and the IP address and netmask of the RED interface that will be
created on the Sophos Firewall. You also enter the 15-character RED ID that is printed on a sticker
on the base of the RED. This is used to tie the configuration to the device.
The Sophos Firewall then sends the configuration to the cloud-based provisioning server.
Next, the RED is plugged in at the remote office and gets an IP address, DNS server and gateway
from the local DHCP server.
The RED connects to the provisioning server with its ID, and the provisioning server sends back the
configuration that the RED needs to connect to the Sophos Firewall at the central office. The
provisioning server is no longer used from this point forward.
Finally, the RED establishes a layer-2 tunnel to the Sophos Firewall using TCP port 3400 and UDP
port 3410.
In Standard/Unified mode the remote network is managed by the Sophos Firewall, which serves
as the DHCP server and default gateway for all clients connecting through the RED. All traffic
generated on the remote network is sent through the RED to Sophos Firewall.
In Standard/Split mode the Sophos Firewall still manages the remote network, acting as the DHCP
server and default gateway. However, in this configuration only traffic to defined networks is sent
through the RED to Sophos Firewall, and all other traffic is sent directly to the Internet.
In Transparent/Split mode the Sophos Firewall doesn’t manage the remote network but is a
member of it. The Firewall gets its IP address from a DHCP server running on the remote network.
Only traffic to defined networks is sent through the RED to Sophos Firewall, and all other traffic is
sent directly to the Internet. As this mode of deployment does not require any re-addressing it is
an easy way to connect networks following an acquisition or similar.
In the case of Standard/Split and Transparent/Split deployment modes, the Sophos Firewall does
not provide any web filtering or other security to clients on the remote network.
Please note that you still need to create firewall rules for the computers connected to the remote
network to be able to interact with computers on the central office network.
The configuration required when deploying REDs in the different modes is slightly different and is
summarised in this table.
Both standard modes have similar configuration; you set the IP address for the RED interface on
Sophos Firewall statically and can optionally provide DHCP for the remote side of the tunnel.
Where it differs is that for standard/split, you need to define for which networks traffic will be
routed over the RED tunnel, with all other traffic being routed onto the local Internet gateway.
The transparent mode is the most different. In this case the RED interface on Sophos Firewall will
get its IP address settings from a DHCP server on the remote side of the tunnel. As the Sophos
Firewall is not the default gateway for the network, you need to supply more split settings. In
addition to the split networks, you configure a DNS server for those networks, and the split domains.
https://training.sophos.com/fw/simulation/DeployRED/1/start.html
In this simulation you will deploy a Remote Ethernet Device (RED) on Sophos Firewall in
standard/split mode.
The SD-RED hardware provides the option for dual power supplies for redundancy, and an
expansion slot that can be used to add WiFi or 4G.
[Additional Information]
https://community.sophos.com/xg-firewall/f/recommended-reads/119318/substituting-xg-for-red-devices-via-light-touch-deployment-from-sophos-central
                       SD-RED 20                                       SD-RED 60
PERFORMANCE
Maximum Throughput     250 Mbps                                        850 Mbps
CONNECTIVITY
LAN Interfaces         4 x 10/100/1000 Base-TX (1 GbE Copper)          4 x 10/100/1000 Base-TX (1 GbE Copper)
WAN Interfaces         1 x 10/100/1000 Base-TX (shared with SFP)       2 x 10/100/1000 Base-TX (WAN1 shared port with SFP)
SFP Interfaces         1 x SFP Fiber (shared port with WAN)            1 x SFP Fiber (shared port with WAN1)
PoE Ports              None                                            2 PoE Ports (total power 30W)
MODULARITY
Expansion Bays         1 (for use with optional Wi-Fi OR 4G/LTE Card)  1 (for use with optional Wi-Fi OR 4G/LTE Card)
REDUNDANCY
Swappable Components   Optional 2nd power supply                       Optional 2nd power supply
Here you can see a table comparing the SD-RED 20 and 60.
There is no limit on the number of users for either RED model; the model you select is driven by
the maximum throughput and the other features you need.
The SD-RED 20 is designed for smaller sites with a maximum throughput of 250 Mbps, while the
SD-RED 60 is ideal for larger sites reaching a throughput of up to 850 Mbps.
Both models have gigabit connections on both the internal and external interfaces and have
support for SFP fiber.
The SD-RED 60 adds dual WAN ports, as well as two Power over Ethernet ports that can supply a
total of up to 30 watts of power.
[Additional Information]
Datasheet: https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-sd-red-ds.pdf
Optional Wi-Fi Module: 802.11 a/b/g/n/ac Wave 1 (Wi-Fi 5) dual-band capable 2x2 MIMO 2 antennas
There are three discontinued models of RED that are still supported, starting with the RED 15,
which is suitable for small sites. All three RED models feature gigabit connections and at least one
USB port that can be used to provide backup connectivity using UMTS.
The RED 15w has all the features of the RED 15 and includes a built-in wireless access point.
The RED 50 is designed for larger sites and includes advanced features:
• Two external ports that can be configured for load balancing or failover
• The ability to configure the internal ports in either switch mode or for VLANs
• Two USB ports
Here are the three main things you learned in this chapter.
RED requires DHCP, DNS, ports TCP 3400 and UDP 3410.
RED can be deployed in three modes: standard/unified, standard/split, and transparent/split. Each
deployment mode requires slightly different configuration.
There are two RED models: SD-RED 20 and SD-RED 60. You can optionally add a Wi-Fi or 4G
module using the expansion bay.