Sophos Firewall Setup - Blending Sites
- Install the latest firmware. Check for updates.
- Log in to Sophos Central and manage the appliance from there.
- Set up the LAN interface IP and DHCP scope (for laptops or other devices plugged in at the site).
- Set up backups of the config to the cloud and set the e-mail to iti-notify@texonlp.com. Backups will be sent as e-mail attachments. Save the encryption key in LastPass.
- The setup will finish and the appliance will reboot.
- Log in to the appliance at its new IP and follow the wizard steps (save the storage key in LastPass).
- Add the appliance to Sophos Central (use the OTP).
- Set up Port3 for IO: go to Network and the IO zone, then make Port3 the IO interface (LAN is Port1, WAN is Port2).
- In Network/DNS, select ‘Obtain DNS from DHCP’ (from the CradlePoint). Create ‘DNS Host Entry’ and ‘DNS Request Route’ entries:

11. In Network/DHCP, set up the DHCP scopes:

12. Connect the Sophos LAN interface to Port 1 on the Cisco switch. Connect the Sophos WAN interface to the LAN interface on the CradlePoint. Connect Sophos Port3, the DMZ interface (previously set as IO), to the IO uplink on the Cisco (usually Port 17). If an HMI connection is required, connect Sophos Port4 to the HMI uplink on the Cisco (usually Port 13).
Note: During firewall setup in the office, connect the WAN port to a port on the office Cisco switch to allow remote access.
13. Keep the default firewall rule.
14. On the firewall in TX, add a static route forwarding traffic to the new firewall (go to the WAN zone interface).
15. In Sophos Central, enable all 3 features. The new firewall is now listed under Firewall Management.

16. Under ‘Texon’, click ‘Manage Policy’, scroll down to ‘Hosts and Services’ and create ‘IP Hosts’ for every device at the site (append ‘central’ to the name):

The policy will be pushed to the local firewall.
17. Select ‘IP Host Group’ and add the previously created IP Hosts to the corresponding groups, e.g. ‘Sites Host iLO’, etc.:

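A pre-flight check for the addressing decisions made in the steps above (LAN interface IP, DHCP scope, the static route added at TX, and the IP Hosts created in Central). This is an added example, not part of the runbook; the plan dictionary layout and every address in it are assumed, constructed sample values.

```python
# Pre-flight check for a new site plan before the Sophos steps are clicked through.
# Added example, not part of the runbook; the plan layout below is an assumption
# and all addresses are constructed sample values.
import ipaddress

# Constructed sample: one new site plus the subnets already routed to existing sites.
SITE_PLAN = {
    "name": "Site A",
    "lan": "10.50.0.0/24",                       # Sophos LAN interface network
    "lan_ip": "10.50.0.1",                       # firewall LAN interface IP
    "dhcp": ("10.50.0.100", "10.50.0.199"),      # DHCP scope for laptops etc.
    "devices": {                                  # IP Hosts to create in Sophos Central
        "SiteA-iLO central": "10.50.0.10",
        "SiteA-HMI central": "10.50.0.20",
        "SiteA-PLC": "10.50.0.150",              # missing suffix and inside DHCP scope
    },
}
EXISTING_SITE_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]  # already routed at TX/Nevada


def check_site_plan(plan, existing_subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    lan = ipaddress.ip_network(plan["lan"], strict=True)
    lan_ip = ipaddress.ip_address(plan["lan_ip"])
    dhcp_lo, dhcp_hi = (ipaddress.ip_address(a) for a in plan["dhcp"])

    # The static route added at TX must not collide with an existing site subnet.
    for other in existing_subnets:
        if lan.overlaps(ipaddress.ip_network(other)):
            problems.append(f"LAN {lan} overlaps existing site subnet {other}")
    if lan_ip not in lan:
        problems.append(f"firewall IP {lan_ip} not inside LAN {lan}")
    if not (dhcp_lo in lan and dhcp_hi in lan and dhcp_lo <= dhcp_hi):
        problems.append(f"DHCP scope {dhcp_lo}-{dhcp_hi} is not a valid range inside {lan}")
    if dhcp_lo <= lan_ip <= dhcp_hi:
        problems.append(f"firewall IP {lan_ip} lies inside the DHCP scope")

    # Every device becomes a static IP Host in Central: it must be in the LAN, outside
    # the DHCP scope, and carry the 'central' suffix used for the policy names.
    for name, addr in plan["devices"].items():
        ip = ipaddress.ip_address(addr)
        if ip not in lan:
            problems.append(f"{name}: {ip} is outside LAN {lan}")
        if dhcp_lo <= ip <= dhcp_hi:
            problems.append(f"{name}: {ip} collides with the DHCP scope")
        if not name.endswith("central"):
            problems.append(f"{name}: IP Host name does not end with 'central'")
    return problems
```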
18. Site-to-Site VPN setup.
In ‘Firewall Management’, open the console and click Site-to-site VPN. Two IPsec VPNs will be created, Nevada and TX:

Use the following settings: check ‘Activation on save’, ‘Create firewall rule’ and ‘NAT’. Use IKEv2 with RSA key authentication. Copy the remote RSA key from the Nevada or TX firewall accordingly, and copy/paste the local RSA key into Nevada or TX the same way:

19. Connect to the firewalls in Nevada and TX and perform the same steps as above, but name the new IPsec connections after the site’s name:

Use the following settings (TX):

20. Once the VPN tunnel is established, check that the connection status has turned ‘green’.
21. Note: There is no need to create firewall rules on the new firewall at a site. After the VPN connections are set up, ‘Automatic VPN Rules’ will be added that allow all traffic, which is then filtered in Nevada and TX. Other rules will be pushed by the policy (Blocking traffic, Rules 1-4):
