Sophos

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Hey it's all for the experience of learning right? Well now you know what NOT to do. :D
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Me while playing around in ESXi setting up my vNICs and vSwitches all while 700 miles away from home and I won't be back home for five more days:

Me: Hey, what's this Management Network on the vSwitch? Hmm. I'm sure I don't need it. Let's disconnect the vNIC from the vSwitch that has the Management Network.

Putty: Connection lost
LOL, yup, no fun when you do that remotely.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Okay, I'm stumped and I haven't even begun! I'm running ESXi 6.5 and I'm having the simplest of issues - I can't connect to the Sophos XG web admin setup page 172.16.16.16:4444. I know it has to do with my network configuration in ESXi because I've seen the 172.16.... page before when I had only one vSwitch/NIC set to the Sophos VM.

I'm working directly from the ESXi 6.5 webUI. I have two ports on a single PCIe card. One will be WAN, one will be LAN.
vmnic0 = LAN
vmnic1 = WAN

vmnic0 is attached to vSwitch0
vmnic1 is attached to a vSwitch called "ISP".

I then had to create a Port Group called "ISP" so that I could assign both network adapters to the Sophos VM.

I can launch the Sophos VM and manage it through the console, but I am unable to access 172.16.16.16:4444. I don't even see that address showing up on my ASUS router. I'm just trying to get a basic setup going so that I can play around with Sophos before making it the watchdog for my entire network.

What am I doing wrong? Do I just need to take out all the variables and put the ESXi box as the first unit on the network so that there won't be any address/subnet confusion?
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
I don't use XG, but I think it defaults the network interface to the 172 range.
Give a manual IP in that same subnet to a different machine so that you can access the web GUI, and then change the Sophos interface to your own subnet.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
@diedrichg In ESXi, ensure the Port group assigned to Sophos for LAN is using a virtual MAC, not the hardware MAC as exposed to ESXi; however, for WAN, because no other Port groups/VM Kernel NICs/etc. should be attached to it, the hardware MAC as exposed to ESXi should be passed directly to Sophos.
  • Creating a virtual MAC for Sophos' LAN eth on the ESXi side will prevent access issues, which will eventually occur at the most inopportune times.
  • Passing the hardware MAC for WAN directly to Sophos will prevent memory issues in the cable modem (if you're utilizing cable for broadband, as I know this isn't the same for DSL, and I'm unsure of how fiber modems deal with the router MAC address in memory).
  1. Create a vSwitch for vmnic0 [vSwitch0]
    1. Create a Port group for Sophos LAN, selecting vSwitch0 as the interface
    2. Under the Sophos VM Settings, add this Port group as Network Adapter 1

  2. Create a vSwitch for vmnic1 [vSwitch1]
    1. Create a Port group named "WAN", selecting vSwitch1 as the interface
    2. Under the Sophos VM Settings, add this Port group as Network Adapter 2
I've taken screenshots to demonstrate how the above should look once finished, with the MAC ending in 81 being the virtual MAC assigned to Sophos for LAN by ESXi, and the MAC ending in 63 being the physical hardware MAC passed directly to Sophos for WAN.
 

Attachments

  • Port Group Sophos eth0 (LAN).png
  • Port Group Sophos eth3 (WAN).png
  • vSwitch0.png
  • VM Kernel NIC 0 (Management).png
  • vSwitch WAN.png
  • Sophos VM Settings (Network).png
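As an added check (not from the thread, and not Sophos or VMware tooling), the Python below parses a constructed .vmx fragment plus a constructed description of the host's vSwitches and reports whether the layout matches the advice above: an ESXi virtual MAC on the LAN adapter, the uplink's hardware MAC pinned on the WAN adapter, and nothing but the WAN port group on the WAN vSwitch (which also catches the management-vmk lockout joeschmuck described earlier). The ethernetN.* keys are standard .vmx keys; the topology dict and all MAC values are constructed stand-ins for what the ESXi networking pages show.

```python
import re
# VMware OUIs: an adapter MAC starting with one of these is an ESXi-assigned virtual MAC.
VMWARE_OUIS = ("00:50:56", "00:0c:29", "00:05:69", "00:1c:14")

# Constructed .vmx fragment (not from the thread): adapter 0 on the LAN port group with
# an ESXi-generated MAC, adapter 1 on "WAN" pinned to the vmnic1 hardware MAC.
SAMPLE_VMX = """\
ethernet0.networkName = "Sophos LAN"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:5a:1f:81"
ethernet1.networkName = "WAN"
ethernet1.addressType = "static"
ethernet1.address = "A0:36:9F:12:34:63"
"""

# Constructed host topology: port group -> vSwitch, vSwitch -> (uplink, hardware MAC), vmk switches.
SAMPLE_TOPOLOGY = {
    "portgroups": {"Management Network": "vSwitch0", "Sophos LAN": "vSwitch0", "WAN": "vSwitch1"},
    "uplinks": {"vSwitch0": ("vmnic0", "a0:36:9f:12:34:62"),
                "vSwitch1": ("vmnic1", "a0:36:9f:12:34:63")},
    "vmk_switches": {"vSwitch0"},
}

def parse_vmx(text):
    """Return {"ethernetN": {key: value}} from the key = "value" lines of a .vmx file."""
    nics = {}
    for m in re.finditer(r'^(ethernet\d+)\.(\w+)\s*=\s*"([^"]*)"', text, re.M):
        nics.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return nics

def effective_mac(nic):
    # The guest sees the static MAC if one is pinned, otherwise the ESXi-generated one.
    key = "address" if nic.get("addressType") == "static" else "generatedAddress"
    return nic.get(key, "").lower()

def check_firewall_nics(vmx_text, topo, lan_pg="Sophos LAN", wan_pg="WAN"):
    """Return a list of findings; an empty list means the layout matches the advice."""
    by_pg = {n.get("networkName"): n for n in parse_vmx(vmx_text).values()}
    lan, wan = by_pg.get(lan_pg), by_pg.get(wan_pg)
    wan_sw = topo["portgroups"].get(wan_pg)
    uplink, hw_mac = topo["uplinks"].get(wan_sw, ("<no uplink>", ""))
    findings = []
    if lan is None or not effective_mac(lan).startswith(VMWARE_OUIS):
        findings.append("LAN adapter should carry an ESXi virtual MAC, not a hardware MAC")
    if wan is None or effective_mac(wan) != hw_mac:
        findings.append("WAN adapter should be pinned to the %s hardware MAC %s" % (uplink, hw_mac))
    others = [pg for pg, sw in topo["portgroups"].items() if sw == wan_sw and pg != wan_pg]
    if others or wan_sw in topo["vmk_switches"]:
        findings.append("WAN vSwitch %s must carry only the WAN port group (no vmk/management)" % wan_sw)
    return findings
```

Run it against your own .vmx and a dict built from your host's vSwitch pages; any finding points at the adapter or switch to fix before you change uplinks remotely.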

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Thanks, all. I'll look at this later.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
@zoomzoom Thank you so much for taking the time to put those together. I'm going to send a PM in a min.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
A huge thanks to @zoomzoom for helping me get my ESXi network settings straightened out! I now have something to mess with when I go to work next week!

Edit: to anyone who sees this in the future, feel free to PM me for help on getting your settings set so that you can get connected to Sophos VM in ESXi.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Is the CPU usage always 100% on this version? It is Beta after all. How much resources do you have allocated to it? I should probably run up my XG firewall again and start getting it all set up to replace UTM. The wife is gone on a trip so this gives me time to play without getting yelled at for taking down the internet.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Is the CPU usage always 100% on this version? It is Beta after all. How much resources do you have allocated to it? I should probably run up my XG firewall again and start getting it all set up to replace UTM. The wife is gone on a trip so this gives me time to play without getting yelled at for taking down the internet.
It was probably still in the initialization / update stage. I took the screenshot right after it came up and I shut it down right after that. I haven't looked at it since and I won't get to it until Wednesday...life, family, extra-warm October weather. It's currently sitting behind the ASUS router so that I can play around with it until it becomes the frontman.

I gave it two processor cores, 6144 MB RAM, 60GB storage. It's an AMD A8-3870K.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I guess I need to check out the new features for XG v17, should be a huge upgrade from v15. I'm still torn on if I will migrate to XG or just stay with UTM until they stop supporting it, after all I presently only have 30 active IPs on my network so I'm not hitting the limitation of 50 IPs, not even close.

...life, family, extra-warm October weather.
Understood! Enjoy the weather and family before it starts getting cold, then enjoy the winter weather and family ;)
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
I guess I need to check out the new features for XG v17, should be a huge upgrade from v15. I'm still torn on if I will migrate to XG or just stay with UTM until they stop supporting it,
Since it does not apply to me, I've not looked... is there a migration wizard to import your settings?
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Since it does not apply to me, I've not looked... is there a migration wizard to import your settings?
I saw someone ask that question but I didn't see a response so I'm not sure. These are similar but different products but it would be nice to have XG import the UTM configuration file, but I'm not holding my breath. My configuration is fairly simple but just time consuming to re-enter all the static IPs. The few firewall rules I have should be simple.

Well I think I have my first hard drive failure, one of the WD Reds is throwing errors during the SMART long test. I need to wait until it's finished before I can actually do anything. Thankfully I have a few 2TB drives laying around I can use until I can purchase some new drives. I can't complain about the drive failing, it has 42868 hours (almost made it 5 years) on it and the heads never park, so not bad at all. The real pain is dragging the unit out of the basement, it has some weight with the case being thick steel and all those hard drives. Eh, it's almost time to do that anyway, I like to pull it out and do a good inspection on the fans and blow out any dust and sometimes even spiders.
 

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
They said, when XG was introduced, that they would create a migration tool or something.
Unless they do I am staying with UTM; too lazy to setup everything from scratch.
Plus I found the XG GUI .... not that good. Don't know if it's improved now (was testing one of the first versions so maybe I should give it another try)
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
Plus I found the XG GUI .... not that good. Don't know if it's improved now (was testing one of the first versions so maybe I should give it another try)
I've been reading that the XG GUI is getting better and v17 should be a real improvement. With that said, I still may not take the leap to it; however, I will test it out on my second WAN IP address. And as I recall, even the Sophos UTM really sucked getting used to its GUI. After a few years I am better with it but by no means do I call myself a Pro at it, not even a little bit.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
Rumor is that the UTM>XG migration tool is to be put off until v18. You would need to rebuild from scratch if you want to move to XG. Suggestion per the Sophos forums:
Best to rebuild

Print the config of your UTM to PDF. As a PDF you can copy and paste as you need.

Use that as your reference -- Rules will change so you can just reference and compose as you need.

Do not name anything TV as "TV" is a domain. Instead use MAINLGTV or SONYTELEVISION as an example.

Find the MAC IDs of all your home devices. Make a table for reference in a txt file. You may wish to make allowances for the MAC to IP in your DHCP rules as well as clientless user on that same IP address. Table references do help. Rules for IP --> Port --> IP Address so if you have your doco...
What’s new?
XG Firewall v17 delivers innovative technology, including a breakthrough in network visibility: Synchronised App Control. This automatically identifies, classifies and controls custom, evasive and generic network applications that are currently going unidentified.

It also greatly streamlines configuration and day-to-day management in key areas by providing more powerful tools that are intuitive and easy to use for Firewall, IPS, Web, NAT and VPN.

Security and Control

  • Synchronized App Control – a break-through in network visibility, taking application control to a whole new level
  • Web keyword monitoring – for dynamic content control and enhanced online child safety in education
  • IPS and App Control UI enhancements – enables smart filters and makes custom policies easier to build and maintain
Management and Trouble-shooting

  • Firewall rule management enhancements – management of large firewall rule sets are more straightforward
  • Policy Test Simulator – simpler validation and troubleshooting of firewall rules and policy settings
  • VPN Setup Improvements – easier configuration and management of site-to-site VPN connections
Networking

  • IKEv2 VPN support – better IPSec VPN interoperability with other systems
  • Wildcard FQDN support – fully qualified domain objects are more powerful and predefined cloud services
  • NAT rule enhancements – fully object based means more powerful rules that can forward multiple services and ports in a single rule

I have taken the liberty of making screenshots of each XG v17-beta2 screen. I have yet to make any changes, so what you see are out-of-the-box defaults.
https://imgur.com/a/0nITv
The images uploaded in reverse order and imgur did away with their automatic sorting abilities, so what you can do is start at the bottom of the list and the slideshow will take you through each screen starting with the left menu item (top to bottom) and its tabs (left to right) - this way you can quickly scroll to the section that most interests you to see the abilities of XG v17.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
The link failed to load but that is okay. I think I will wait a while.

EDIT: The link works now (6:55PM). Not sure why it didn't work before. It looks oddly like v16 but I'm sure there are some differences in there. Did you take all those snapshots manually? That must have taken a long time (20 minutes or so) to get all of those.
 

joeschmuck

Old Man
Moderator
Joined
May 28, 2011
Messages
10,994
I just updated my previous posting, I got in while you were typing in your response.
 

diedrichg

Wizard
Joined
Dec 4, 2012
Messages
1,319
EDIT: The link works now (6:55PM). Not sure why it didn't work before. It looks oddly like v16 but I'm sure there are some differences in there. Did you take all those snapshots manually? That must have taken a long time (20 minutes or so) to get all of those.
Approximately 6 seconds per screenshot @ over 150 images. It took a few, yeah. I did it for the community. Not that setting up a test VM takes much work, but this way you can get a good idea of what to expect without putting in much time.
 