1. General

2. Licenses

  • Note: For license renewals, contact Plaifon (Issaraporn Karavong, <Issaraporn.k@2beshop.com>) at 2BeSHOP.

    Xstream Appliance Bundle        Standard Appliance Bundle
    ------------------------        -------------------------
    Base License                    Base License
    Xstream protection              Standard protection
    ------------------------        -------------------------
    Network Protection              Network Protection
    Web Protection                  Web Protection
    Zero-Day Protection             -
    Central Orchestration           -
    Enhanced Support                Enhanced Support

    Firewall name   SMRU tag              Model     Serial number     Company        Expire date   Type
    -------------   --------              -----     -------------     -------        -----------   ----
    SMRU-SFW-MKU    SMRU-AS-SERVER-0006   XG 125    C1A103MD9WYYFCB   eLife System   2025-04-07    Enhanced Support
    SMRU-SFW-MKT    SMRU-AS-SERVER-0007   XG 125    C1A102GM9DGFQ58   eLife System   2025-04-02    Enhanced Support
    SMRU-SFW-SKK    SMRU-AS-SERVER-0009   XG 125    C1A103P9MF8VXC9   eLife System   2025-01-19    Enhanced Support
    SMRU-SFW-MSL    SMRU-AS-SERVER-0010   XG 125    C1A109CCTCXQ31C   eLife System   2025-04-13    Enhanced Support
    SMRU-SFW-TST    SMRU-AS-SERVER-0011   XG 135    C1B1012TM7QQVCB   eLife System   2025-03-11    Enhanced Support + Web Protection
    SMRU-SFW-WPA    SMRU-AS-SERVER-0012   XG 135    C1B1013GF3WQP30   eLife System   2025-02-20    Enhanced Support
    SMRU-SFW-MLA    SMRU-AS-SERVER-0013   XGS 126   X12106XTPW7P718   eLife System   2025-02-24    Enhanced Support
    SMRU-SFW-MRM    SMRU-AS-SERVER-0014   XGS 126   X12106VK648D467   eLife System   2024-12-08    Enhanced Support + Email Protection + Xstream Protection
    SMRU-SFW-MRH    SMRU-AS-SERVER-0015   XGS 126   X12107GTQJKDR0E   eLife System   2025-04-13    Enhanced Support
    SMRU-SFW-HPH    SMRU-AS-SERVER-0016   XG 125    C1A0A4DDBM67365   eLife System   2025-03-31    Enhanced Support

  • Select SYSTEM > Administration > Licensing.

                            SMRU-SFW-MRM    SMRU-SFW-MRH    SMRU-SFW-TST    SMRU-SFW-MKT    SMRU-SFW-MLA    SMRU-SFW-WPA    SMRU-SFW-MSL    SMRU-SFW-HPH    SMRU-SFW-SKK    SMRU-SFW-MKU
    Model                   XGS 126         XGS 126         XG 135          XG 125          XGS 126         XG 135          XG 125          XG 125          XG 125          XG 125
    Base Firewall           2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31      2099-12-31
    Network Protection      2024-12-08      -               -               -               -               -               -               -               -               -
    Web Protection          2024-12-08      -               2024-03-21      -               -               -               -               -               -               -
    Email Protection        2024-12-12      -               -               -               -               -               -               -               -               -
    Web Server Protection   -               -               -               -               -               -               -               -               -               -
    Zero-Day Protection     2024-12-08      -               -               -               -               -               -               -               -               -
    Central Orchestration   2024-12-08      -               -               -               -               -               -               -               -               -
    Enhanced Support        2024-12-08      2025-04-13      2025-03-11      2025-04-02      2025-02-24      2025-02-20      2025-04-13      2025-03-31      2025-01-19      2025-04-07
    Enhanced Plus Support   -               -               -               -               -               -               -               -               -               -
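An added example, not part of the original runbook: a Python script that parses a Licensing table in the fixed-width layout above and lists the subscriptions that are expired or due within 30 days, so a lapsed Network or Web Protection subscription is noticed before the firewall quietly stops receiving updates. The embedded table is a constructed subset of the values on this page.

```python
import re
from datetime import date, timedelta

# Constructed subset of the Licensing table shown in this runbook
# (SYSTEM > Administration > Licensing), kept in its fixed-width layout.
LICENSING_TABLE = """\
                        SMRU-SFW-MRM    SMRU-SFW-MRH    SMRU-SFW-TST    SMRU-SFW-MKT
Model                   XGS 126         XGS 126         XG 135          XG 125
Base Firewall           2099-12-31      2099-12-31      2099-12-31      2099-12-31
Network Protection      2024-12-08      -               -               -
Web Protection          2024-12-08      -               2024-03-21      -
Email Protection        2024-12-12      -               -               -
Web Server Protection   -               -               -               -
Zero-Day Protection     2024-12-08      -               -               -
Central Orchestration   2024-12-08      -               -               -
Enhanced Support        2024-12-08      2025-04-13      2025-03-11      2025-04-02
Enhanced Plus Support   -               -               -               -
"""


def parse_licensing_table(text):
    """Return {firewall: {feature: cell}} from the fixed-width table.

    Column boundaries come from the header line, so an empty or misaligned
    cell (as in the Enhanced Plus Support row of the real export) stays in
    its own column instead of shifting later values to the left.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    names = [m.group() for m in re.finditer(r"\S+", header)]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    ends = starts[1:] + [None]
    table = {name: {} for name in names}
    for line in lines[1:]:
        feature = line[:starts[0]].strip()
        for name, a, b in zip(names, starts, ends):
            table[name][feature] = line[a:b].strip()
    return table


def parse_expiry(cell):
    """'-' or an empty cell means not subscribed; otherwise an ISO date."""
    return None if cell in ("", "-") else date.fromisoformat(cell)


def license_report(table, today, warn_days=30):
    """(firewall, feature, expiry, state) for every subscribed feature.

    state is 'expired', 'expiring' (within warn_days) or 'ok'.
    """
    report = []
    for firewall, features in table.items():
        for feature, cell in features.items():
            if feature == "Model":
                continue
            expiry = parse_expiry(cell)
            if expiry is None:
                continue
            if expiry < today:
                state = "expired"
            elif expiry <= today + timedelta(days=warn_days):
                state = "expiring"
            else:
                state = "ok"
            report.append((firewall, feature, expiry, state))
    return report


def needs_attention(today, warn_days=30, text=LICENSING_TABLE):
    """Expired or expiring subscriptions, soonest expiry first."""
    table = parse_licensing_table(text)
    rows = [r for r in license_report(table, today, warn_days) if r[3] != "ok"]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for firewall, feature, expiry, state in needs_attention(date.today()):
        print(f"{state:8} {firewall:14} {feature:22} {expiry}")
```

Paste the full ten-column table exported from the firewall into LICENSING_TABLE to check every site at once.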

3. Preparation

3.1. Sophos Central

3.1.1. Registration

  • Browse to https://central.sophos.com.

  • Click Create Sophos Central Trial.

    First Name                      SMRU
    Last Name                       IT
    Business Email                  smru-it@shoklo-unit.com
  • Click Next.

    Job role                        IT Director/Manager
    Phone number                    055532026
    Company                         SMRU
    Industry                        Non-Profit
    Company Size                    300
    Country                         Thailand
    Zip code/Postcode               63110
    State/Province                  Tak
  • Click Submit.

  • Check Activate your Sophos Central account email in your email inbox.

  • Click Create Password.

  • Type the password in CREATE PASSWORD field.

  • Type the password again in CONFIRM PASSWORD field.

  • Uncheck Make all admins sign in with multi-factor authentication.

  • Click Yes to turn off MFA.

  • Select United States in CENTRAL ADMIN PORTAL dropdown list.

    Activate your accounts
    
    CREATE PASSWORD                 ********
    CONFIRM PASSWORD                ********
    ADDED SECURITY                  □ Make all admins sign in with multi-factor authentication
    CENTRAL ADMIN PORTAL            United States
    
    ■ I acknowledge that (i) Sophos processes personal data in accordance with the Sophos Privacy Policy;
      (ii) the selected data storage region applies to the hosting location for the Central Admin portal only,
      and that data shared with Sophos may be processed in other locations; and (iii) the Central Admin portal
      data storage region cannot be changed once set up.
    
    □ Enable sample submission. Certain Sophos products allow you to submit file samples to Sophos
      for improved security. We recommend enabling sample submission, but you may uncheck the box to disable it.
    
    ■ I have read, understand, and accept the terms of the Sophos End User License Agreement and/or
      Sophos Services Agreement, as applicable, and understand that they create legally binding obligations.
  • Click Activate Account.

  • Click Close.

  • Click Close.

  • Logout.

3.1.2. MFA

  • Browse to https://central.sophos.com.

  • Login as smru-it@shoklo-unit.com user.

  • Select Global Settings.

  • Select General | Multi-factor Authentication (MFA).

  • Choose Select admins who will need MFA. (All others sign in with password only.).

  • Click Add admins.

  • Check smru-it@shoklo-unit.com.

  • Click > icon.

  • Click Add.

  • Click Save.

  • Logout and relogin with smru-it@shoklo-unit.com user.

  • Click Next.

  • Check the email for the Security Code.

  • Type in SECURITY CODE field.

  • Type 4-digit for the PIN.

  • Click Next.

  • Choose Sophos/Google Authenticator.

  • Click Next.

  • Todo:

    • Scan the QR code and save it to WinOTP Authenticator app.

    • Type the security code from WinOTP Authenticator app in the SECURITY CODE field.

  • Click Finish.

3.2. VirtualBox

  • Make sure that the virtual machine has two network adapters enabled.

  • Make sure that the 1st network adapter is set to Host-only Adapter.

  • Make sure that the 1st network adapter is attached to VirtualBox Host-Only Ethernet Adapter #10.

  • Make sure that the VirtualBox Host-Only Ethernet Adapter #10 is using the 172.16.16.0/24 subnet.

  • Make sure that the 2nd network adapter is set to NAT.

4. Software

4.1. Installation

  • Note: The installation with the SW-17.5.9_MR-9-577.iso file fails with an Unable to install firmware error.
    Use the SW-SFOS_15.01.0-376.iso file instead and upgrade to 17.5.

  • Note: USB keyboards stop working during the installation; use a PS/2 keyboard instead.

  • Note: Make sure to have internet connection on the RED interface.

  • Boot the virtual machine from the SW-SFOS_15.01.0-376.iso file.

  • Type y to continue and press Enter.

  • Wait for the installation to finish.

  • Optional: If the ERROR: No boot disk has been detected or the disk has failed message appears:

    • Restart the computer.

  • Select Devices | Optical Drives | Remove disk from virtual drive.

  • Type y to reboot and press Enter.

  • Wait.

  • Type admin for the password and press Enter.

4.1.1. Computer

  • Boot the computer from the bootable USB that uses SW-18.0.4_MR-4-506.iso.

  • Type y to continue and press Enter.

  • Wait for the installation to finish.

  • Type y to reboot and press Enter.

  • Wait.

  • Type admin for the password and press Enter.

  • Select Accept and press Enter.

4.2. Registration

  • Note: Make sure that the proxy server is disabled on the host machine.

  • Browse to https://172.16.16.16:4444.

    Username:                       admin
    Password:                       admin
  • Click Login.

  • Click I Accept.

  • Choose Installing Sophos Firewall (Virtual or Software).

  • Real Computer: Serial Number: C01001T72MKXH07 (2020-02-05)

  • Virtual Computer: Serial Number: C01001W6YRC8F97 (20xx-xx-xx)

  • Click Activate Device.

  • Click Register Device.

  • Click Sign In.

    Email Address:          smru-it@shoklo-unit.com
    Password:               ********
  • Click Sign In.

    Real Computer
    Serial Number:          C01001T72MKXH07
    Product Type:           UTM
    Model:                  SF01V
    Virtual Computer
    Serial Number:          C01001W6YRC8F97
    Product Type:           UTM
    Model:                  SF01V
  • Click Confirm Registration.

  • Click Initiate License Synchronization.

4.3. Configuration

  • Select Click Here to start configuring your device.

  • Click Start.

    Deployment Mode
    ○ Bridge Mode
    ● Gateway Mode
  • Click the > button.

  • Select Port1

    Port1 Configuration
    ○ Obtain an IP from DHCP
    ○ Obtain an IP from PPPoE
    ● Use Static IP
    IP Address      192.168.26.170          # Real Computer
    IP Address      172.16.16.16            # Virtual Computer
    Subnet Mask     255.255.255.0
    Zone            LAN
  • Select Port2

    Port2 Configuration
    ● Obtain an IP from DHCP
    ○ Obtain an IP from PPPoE
    ○ Use Static IP
    IP Address
    Subnet Mask
    Zone            WAN
    
    Gateway Details
    Gateway Name    SMRU-SFW-MRM            # Real Computer
    Gateway Name    VBOX-SFW-MRM            # Virtual Computer
    IP Address
  • Click the > button.

    DNS Configuration
    IPv4 Configuration
    ● Obtain DNS from DHCP
    ○ Obtain DNS from PPPoE
    ○ Static DNS
    DNS 1
    DNS 2
    DNS 3
  • Click the > button.

    Default Network Policy
    □ User / Network Rule
  • Click the > button.

    Mail Server Configuration
    Send Notifications to Email Address     smru-it@shoklo-unit.com
    Mail Server IPv4 Address/FQDN           eu-smtp-outbound-1.mimecast.com
    Port (Default - 25)                     25
    From Email Address                      smru-sfw-mrm@shoklo-unit.com    # Real Computer
    From Email Address                      vbox-sfw-mrm@shoklo-unit.com    # Virtual Computer
    
    Authentication Required                 ■
    Username                                relay@shoklo-unit.com
    Password                                ********
    
    Connection Security                     STARTTLS
    Certificate                             ApplianceCertificate
  • Click the > button.

    Date & Time Configuration
    Time Zone                               Asia/Bangkok
    Set Date                                YY MM DD
    Set Time                                HH MM SS
    ■ Automatically Synchronize with NTP Server
    ● Use pre-defined NTP Server
    ○ Use Custom NTP Server
  • Click the > button.

  • Uncheck Send App & Threat data.

  • Click Finish.

  • Click OK to confirm.

  • Wait several minutes for the configuration to finish.

  • Real Computer: Select https://192.168.26.16:4444 to access the Admin Console.

  • Virtual Computer: Select https://172.16.16.16:4444 to access the Admin Console.

    Username:                       admin
    Password:                       admin
  • Click Login.

5. Hardware Appliance

5.1. First Time Setup

  • Note: By default, the IP address is 172.16.16.16, and DHCP is enabled.

  • Connect LAN cable between Sophos XG/XGS appliance 1/LAN port and computer LAN port.

  • Browse to https://172.16.16.16:4444.

  • Select English.

  • Click Click to begin.

  • Type the new admin password in New admin password field.

  • Type the new admin password again in Reenter the password field.

  • With internet access: Check Install the latest firmware automatically during setup (recommended).

    • Check I agree to the license agreement.

    • Click Continue.

    • Click Update.

    • Wait for the firewall to reboot.

    • Login to the firewall.

  • Without internet access: Uncheck Install the latest firmware automatically during setup (recommended).

    • Check I agree to the license agreement.

    • Click Continue.

    • Check Continue offline.

    • Click Continue.

  • Type smru-sfw-<site> in Firewall name field.

  • Select Asia/Bangkok.

  • Click Continue.

    C1A103MD9WYYFCB
    
    Licensed features
    Feature                                 Status                  Expiry
    --------------                          ---------               ------
    Network protection                      Evaluating              □
    Web protection                          Evaluating              □
    Email protection                        Evaluating              □
    Web server protection                   Evaluating              □
    Sandstorm                               Evaluating              □
    Enhanced support                        Not evaluating
    Enhanced plus support                   Not evaluating
    
    □ Opt in to the customer experience improvement program
  • Click Continue.

  • Select This firewall (route mode) in Choose gateway dropdown list.

  • Type <Firewall IP address> in LAN address and internal client network size.

  • Note:

  • Optional: Uncheck Enable DHCP.

  • SMRU-SFW-MLA: Check Enable DHCP.

    • Type 192.168.26.50 - 192.168.26.169 in DHCP lease range fields.

    Choose gateway                                          This firewall (route mode)
    LAN address and internal client network size            192.168.26.170/24
    
    ■ Enable DHCP
    DHCP lease range                                        192.168.26.50 - 192.168.26.169
  • Click Continue.

    □ Protect users from network threats
    □ Protect users from the suspicious and malicious websites
    □ Scan files that were downloaded from the web for malware
    □ Send suspicious files to Sophos Sandstorm
  • Click Continue.

  • Type smru-it@shoklo-unit.com in Email recipient field.

  • Type smru-sfw-<site>@shoklo-unit.com in Email sender field.

  • Check Send weekly configuration backup.

  • Type the Level 1 + Level 2 password in Encryption password field.

  • Type the Level 1 + Level 2 password in Confirm encryption password field.

  • Check Specify an external mail server.

  • Type eu-smtp-outbound-1.mimecast.com in Mail server IPv4 address/FQDN.

  • Type 587 in Port (Default - 25) field.

  • Check Requires an encrypted TLS connection.

  • Check Authentication required.

  • Type relay@shoklo-unit.com in User name field.

  • Type the password in Password field.

    Email recipient                         smru-it@shoklo-unit.com
    Email sender                            smru-sfw-<site>@shoklo-unit.com
    ■ Send weekly configuration backup
    
    ■ Specify an external mail server
    
    Mail server IPv4 address/FQDN           eu-smtp-outbound-1.mimecast.com
    Port (Default - 25)                     587
    
    □ Encrypt the connection when possible
    ■ Requires an encrypted TLS connection
    ■ Authentication required
    
    User name                               smru-sfw-<site>@shoklo-unit.com
    Password                                ********
  • Click Continue.

  • Click Finish.

  • Wait for the Firewall to finish the restart.

  • Login with admin user.

  • Optional: Check I do not want to register now.

    • Click Continue.

    • Select admin > Logout.

    • Close Browser.

  • Optional: Uncheck I do not want to register now.

    • Click Continue.

    • Click Sign In.

    • Type smru-it@shoklo-unit.com in Email address field.

    • Type the password in Password field.

    • Click Sign In.

    • Check I’m not a robot.

    • Click Continue.

    • Click Confirm Registration.

    • Click Initiate License Synchronization.

    • Optional: Click Continue.

    • Click Continue.

    Licensed features
    
    Feature                         Status                  Expiry
    -------                         ------                  ------
    Base firewall                   Subscribed              Tue 31 Dec 2999
    Network protection              Unsubscribed            -
    Web protection                  Unsubscribed            -
    Email protection                Unsubscribed            -
    Web server protection           Unsubscribed            -
    Sandstorm                       Unsubscribed            -
    Enhanced support                Unsubscribed            -
    Enhanced plus support           Unsubscribed            -
    • Click Continue.

    • Select admin > Logout.

    • Close Browser.

5.2. Activate Subscription

  • Login to the Firewall.

  • Select SYSTEM > Administration.

  • Select the Licensing tab.

  • Click Activate subscription.

  • Type the license key in the Enter your license key for this device field.

  • Click Verify key.

  • Click Confirm for confirmation.

  • Optional: Click Synchronize to sync the license.

  • Logout from the Firewall.

  • Close Browser.

6. Console

  • Start Terminal.

  • Type admin for the password and press Enter.

    1. Network  Configuration
    2. System   Configuration
    3. Route    Configuration
    4. Device Console
    5. Device Management
    6. VPN Management
    7. Shutdown/Reboot Device
    0. Exit

    1.  Reset to Factory Defaults
    2.  Show Firmware(s)
    3.  Advanced Shell
    4.  Flush Device Reports
    0.  Exit

6.1. Advanced Shell

  • Start Terminal.

  • Type admin for the password and press Enter.

  • Type 5 for Device Management and press Enter.

  • Type 3 for Advanced Shell and press Enter.

6.1.2. Logs

6.1.3. Postgresql Database

6.1.4. Scheduled Jobs

6.1.5. Scripts

  • See https://www.avanet.com/en/kb/sophos-firewall-run-scripts.

  • Enter the following commands at a Command Line.

    # List the DROP entries currently in the filter table.
    iptables -t filter -L | grep -i drop

    # The root filesystem is read-only; remount it read-write before editing.
    mount -no remount,rw /
    vi /scripts/check_emp.sh
    # Comment out all "touch /conf/emp_wan_portal_tel" lines.
    # Comment out all "disable_portals_on_wan=1" lines.
    mount -no remount,ro /

    ls -al /conf/emp_wan_portal_tel
    rm /conf/emp_wan_portal_tel

    # Remove the two automatic rules in the "Administration > Devices access > Local service ACL exception rule" section.

6.2. Device Console

  • Start Terminal.

  • Type admin for the password and press Enter.

  • Type 4 for Device Console and press Enter.

6.2.1. Appliance Access

  • See https://community.sophos.com/sophos-xg-firewall/f/discussions/132584/local-service-acl-exception-rule-command-line?ReplyFilter=Answers&ReplySortBy=Answers&ReplySortOrder=Descending.

  • See https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/117385/sophos-firewall-what-to-do-when-the-web-admin-is-not-accessible.

  • Note: Enabling appliance access disconnects all zones from the internet, because all internet traffic is dropped while it is enabled.

  • Note: This will cause a network interruption, override the configured Appliance Access, and allow access to all the services.

  • Enter the following commands at a Command Line.

    system appliance_access enable
    This will override the configured Appliance Access and allow access to all the services. All internet traffic will be dropped.
    Appliance access enabled.

    system appliance_access disable
    Appliance access disabled.
  • Enter the following commands at a Command Line.

    psql -U nobody -d corporate -c "select destinationport from tbllocalservicedetails WHERE localserviceid =2"
    psql -U nobody -d corporate -c "select * from tbladmin_service_access"
    psql -U nobody -d corporate -c "select * from tbladmin_service_rel"

    # Deleting a tbladmin_service_access row that tbladmin_service_rel still references fails:
    ERROR:  update or delete on table "tbladmin_service_access" violates foreign key constraint "tbladmin_service_rel_accessid_fkey" on table "tbladmin_service_rel"
    DETAIL:  Key (id)=(3) is still referenced from table "tbladmin_service_rel".

    ERROR:  update or delete on table "tbladmin_service_access" violates foreign key constraint "tbladmin_service_rel_accessid_fkey" on table "tbladmin_service_rel"
    DETAIL:  Key (id)=(2) is still referenced from table "tbladmin_service_rel".

    # Inspect the drop rules, then delete the referencing tbladmin_service_rel rows before the rules themselves.
    psql -U nobody -d corporate -c "select * from tbladmin_service_access where ruleaction = 'drop'"
    psql -U nobody -d corporate -c "select * from tbladmin_service_access where ipfamily = '0' and ruleaction = 'drop'"
    psql -U nobody -d corporate -c "select * from tbladmin_service_rel where accessid = 2"
    psql -U nobody -d corporate -c "delete from tbladmin_service_rel where accessid = 2"
    psql -U nobody -d corporate -c "delete from tbladmin_service_access where ipfamily = '0' and ruleaction = 'drop'"

    # Restart the firewall for the changes to take effect.
    service -S

6.3. Micro USB

  • Connect the Micro USB cable (console cable) with Sophos XGS and the computer.

  • Install the Virtual COM Port driver.

    • Run the CDM212364_Setup.exe with administrative privileges.

    • Click Extract.

    • Click Next.

    • Choose I accept this agreement.

    • Click Next.

    • Click Finish.

  • Open Device Manager to check whether the Virtual COM Port and USB drivers are installed correctly.

  • If the USB driver is not installed correctly, run Windows Update (with WSUS disabled) to install the USB driver correctly.

  • Connect to the Device Console.

    • In Device Manager > Ports (COM & LPT), check which port (COM1, COM2, COM3, etc.) the USB Serial Port is assigned to.

    • Start Putty.

    • Choose Serial for Connection type.

    • Type <COM3> in the Serial line field.

    • Type 38400 in the Speed field.

    • Click Open.

    • Type the admin password and press Enter.

6.4. Reboot

  • Start Terminal.

  • Type admin for the password and press Enter.

  • Type 7 for Shutdown/Reboot Device and press Enter.

  • Type r to reboot and press Enter.

  • Close Terminal.

6.5. Serial Cable

  • Start Putty.

  • Choose Serial for Connection type.

  • Type COM1 in the Serial line field.

  • Type 38400 in the Speed field.

  • Click Open.

  • Type the admin password and press Enter.

7. Configuration

  • Note: Connect the Firewall with WAN.

7.1. Device access

  • Browse to https://10.10.1.170:4444.

  • Log in as admin user.

  • Select SYSTEM | Administration.

  • Select the Device access tab.

  • MST: Check only HTTPS, SSH, AD SSO, Captive portal, Radius SSO, Clients, Ping/Ping6, DNS, Wireless Protection, Web proxy, SSL VPN, VPN Portal, User Portal, SMTP Relay, SNMP on LAN Zone.

  • Sites: Check only HTTPS, SSH, Ping/Ping6, DNS, Wireless Protection, SNMP on LAN Zone.

  • MST: Check only SSL VPN on WAN zone.

  • Check HTTPS, SSH, Ping/Ping6, DNS, SNMP on VPN Zone.

  • Click Apply.

7.1.1. Local service ACL exception rule

  • Select SYSTEM > Administration.

  • Select the Device access tab.

  • Click Add under Local service ACL exception rule.

    Rule name                       Admin console WAN access from MORU
    Rule position                   Top
    Description
    IP version                      ● IPv4          ○ IPv6
    Source zone                     WAN
    Source Network /Host            MORU Public IP
    Destination host                MST Public IP
    Services                        HTTPS
    Action                          ● Accept        ○ Drop
  • Click Save.

7.2. Guest Network

Zones

  • Select CONFIGURE > Network.

  • Select Zones.

  • Click Add.

    Name                    LAN-Ruckus-Guest
    Description
    
    Type                    ● LAN   ○ DMZ
    Members                 None
    Device access           Admin services
                            □ HTTPS □ SSH
    
                            Authentication services
                            □ Client authentication □ Captive portal        □ AD SSO        □ RADIUS SSO
                            □ Chromebook SSO
    
                            Network services
                            ■ DNS   ■ Ping/ping6
    
                            Other services
                            □ Web proxy     ■ SSL VPN tunnel        □ Wireless protection   □ User portal
                            □ Dynamic routing       □ SNMP  □ SMTP relay    □ VPN portal
  • Click Save.

Interfaces

  • Select CONFIGURE > Network.

  • Select Interfaces.

  • Click Port4.

    General settings
    
    Name                    Port4-Guest
    Hardware                Port4
    Hardware zone           Guest
    
    ■ IPv4 configuration
    
    IP assignment           ● Static        ○ PPoE(DSL)     ○ DHCP
    IPv4/netmask            192.168.88.170  /24(255.255.255.0)
    
    Gateway detail
    Gateway name
    Gateway IP
    
    □ IPv6 configuration
  • Click Save.

  • Click Update interface.

Traffic shaping

  • Select CONFIGURE > System services.

  • Select the Traffic shaping tab.

  • Click Add.

    Name                                    Guest Network Traffic
    Policy association                      ○ Users ● Rules ○ Web categories        ○ Applications
    Rule type                               ● Limit ○ Guarantee
    Limit upload/download separately        ○ Disable ● Enable
    Priority                                2 - [Normal]
    Upload bandwidth                        7168 KB/s
    Download bandwidth                      2048 KB/s
    Bandwidth usage type                    ● Individual    ○ Shared
    Description
  • Click Save.

Authentication Groups

  • Select CONFIGURE > Authentication.

  • Select the Groups tab.

  • Click Add.

    Group name              Guest Admin Group
    Description             The group member can create voucher for Guest WiFi.
    
    Group type              normal
    
    Policies
    
    Surfing quota           Unlimited Internet Access
    Access time             Allowed all the time
    Network traffic         None
    Traffic shaping         None
    Remote access           No policy applied
    Clientless              No policy applied
    L2TP                    ○ Enable        ● Disable
    PPTP                    ○ Enable        ● Disable
    Quarantine digest       ○ Enable        ● Disable
    MAC binding             ○ Enable        ● Disable
    IPsec remote access     ○ Enable        ● Disable
    Login restriction       ● Any node      ○ Selected nodes        ○ Node range
  • Click Save.

Authentication Users

  • Select CONFIGURE > Authentication.

  • Select the Users tab.

  • Click Add.

    Username                IT
    Name                    SMRU IT
    Description             The user can create voucher for Guest WiFi.
    
    User type               ● User ○ Administrator
    Profile
    
    Password                
                            
    Email                   smru-it@shoklo-unit.com
    
    Policies
    
    Group                   Guest Admin Group
    Surfing quota           Unlimited Internet Access
    Access time             Allowed all the time
    Network traffic         None
    Traffic shaping         None
    
    SSL VPN policy
    
    Remote access           No policy applied
    Clientless              No policy applied
    IPsec remote access     ○ Enable        ● Disable       IP address
    L2TP                    ○ Enable        ● Disable       IP address
    PPTP                    ○ Enable        ● Disable       IP address
    Quarantine digest       ○ Enable        ● Disable
    MAC binding             ○ Enable        ● Disable
    MAC address list
    Simultaneous sign-ins   ■ Use global setting    ■ Unlimited
    Login restriction       ○ Any node      ● User group node(s)    ○ Selected nodes        ○ Node range
  • Click Save.

Hotspot voucher definitions

  • Select PROTECT > Wireless.

  • Select the Hotspot voucher definitions tab.

  • Click Add.

    Visitors
    Name                    7Days
    Description
    Validity period         7 Days
    Time quota              Minutes
    Data volume             MB
    Staff
    Name                    180Days
    Description
    Validity period         180 Days
    Time quota              Minutes
    Data volume             MB
  • Click Save.

Hotspots

  • Select PROTECT > Wireless.

  • Select Hotspots.

  • Click Add.

    Name                                    SMRU_Guest
    Description
    
    Interfaces                              Port4-Guest
    
    Application filter policy               None
    Web policy                              None
    IPS policy                              None
    Traffic shaping policy                  Guest Network Traffic
    
    Redirect to HTTPS                       OFF
    
    Hotspot type                            Voucher
    Voucher definitions                     7Days
                                            180Days
    Devices per voucher                     1
    Administrative users                    Guest Admin Group
    
    Users have to accept terms of use       ON
    Terms of use                            Don't do bad things.
    
    Redirect to URL after login             OFF
    
    *Hotspot customization*
    
    Enable customization                    ON
    Customization type                      Basic
    Logo                                    Browse | 150SMRU_RGB.png
    Scale logo to recommended size          ON
    Title
    Custom text
    
    Voucher template                        Browse
  • Click Save.

  • Click OK.

Hotspot settings

  • Select PROTECT > Wireless.

  • Select Hotspot settings tab.

  • Click the OFF toggle to turn on Delete expired vouchers.

  • Type 3 for the Delete expired vouchers after.

  • Click Apply.

7.2.1. Create Voucher

  • Browse to https://10.10.1.170/userportal.

  • Log in as IT user.

  • Select Hotspots.

    Visitors
    Hotspot                         SMRU_Guest
    Hotspot voucher definitions     7Days
    Amount                          20
    Description                     Visitors - YYYY-MM-DD
    Print                           OFF
    Page size                       A4 (210x297 mm)
    Vouchers per page               1
    Add QR code                     OFF
    Staff
    Hotspot                         SMRU_Guest
    Hotspot voucher definitions     180Days
    Amount                          20
    Description                     Staff - YYYY-MM-DD
    Print                           OFF
    Page size                       A4 (210x297 mm)
    Vouchers per page               1
    Add QR code                     OFF
  • Click Create Vouchers.

7.3. Smarthost and Relay

  • Browse to https://10.10.1.170:4444.

  • Log in as admin user.

  • Select PROTECT > Email.

  • Select the General settings tab.

  • Check Use smarthost.

    ■ Use smarthost
    
    Hostname: eu-smtp-outbound-1.mimecast.com       Port: 587
    
    ■ Authenticate device with smarthost
    
    User name: relay@shoklo-unit.com        Password: ********
  • Click Apply.

  • Select the Relay settings tab.

    Host based relay
    
    Allow relay from hosts/network          MST Local Network
                                            MST DMZ Network
    Block relay from hosts/networks         Any
    
    Upstream host
    
    Allow relay from hosts/network
    Block relay from hosts/networks         Any
    
    Authenticated relay settings
    
    □ Enable authenticated relay
    Users and group
  • Click Apply.

  • Log out from Sophos firewall.

  • Close Browser.

7.4. Secure Storage Master key

  • Browse to https://192.168.##.170:4444.

  • Log in as admin user.

  • Click Create key.

  • Type the master key in Enter the secure storage master key field.

  • Type the master key again in Enter your key again to confirm field.

  • Check I have stored the master key in a password manager or another safe place.

  • Click Create key.

  • Log out from Sophos firewall.

  • Close Browser.

7.5. Captcha

  • Log in to the Command Line and open the Device Console.

  • Note: The CAPTCHA on VPN authentication is the firewall's check against automated credential-stuffing of the VPN login; with it disabled, that login relies on credential strength and any MFA configured for the users.

  • Enter the following commands. The first show displays the current setting, disable turns CAPTCHA off for VPN authentication, and the final show confirms the change.

    system captcha-authentication-vpn show
    system captcha-authentication-vpn disable
    system captcha-authentication-vpn show

7.6. Hosts and Services

  • Note: When adding entries, enclose the name in double quotes. Quoted names sort to the top of the first page and stand out from the default entries.

7.6.1. IP host

  • Select SYSTEM | Host and services.

  • Select the IP host tab.

  • Click Add.

  • Type <Site> in Name field.

  • Choose IPv4 for IP version.

  • Choose Network for Type.

  • MST: Type 10.10.1.0 in IP address field.

  • <Site>: Type 192.168.##.0 in IP address field.

  • Click Save.

    Table 1. HO
    Name                               Type        Address detail                    IP version
    IP - 192.168.26.22                 IP address  192.168.26.22/255.255.255.255     IPv4
    IP - 10.10.1.41                    IP address  10.10.1.41/255.255.255.255        IPv4
    IP - 10.10.1.42                    IP address  10.10.1.42/255.255.255.255        IPv4
    IP - 10.10.1.43                    IP address  10.10.1.43/255.255.255.255        IPv4
    IP - 10.10.1.44                    IP address  10.10.1.44/255.255.255.255        IPv4
    IP - 10.10.1.45                    IP address  10.10.1.45/255.255.255.255        IPv4
    IP - 10.10.1.46                    IP address  10.10.1.46/255.255.255.255        IPv4
    IP - 10.10.1.47                    IP address  10.10.1.47/255.255.255.255        IPv4
    IP - 10.10.1.48                    IP address  10.10.1.48/255.255.255.255        IPv4
    IP - 10.10.1.49                    IP address  10.10.1.49/255.255.255.255        IPv4
    IP - 10.10.1.50                    IP address  10.10.1.50/255.255.255.255        IPv4
    IP - 10.10.1.51                    IP address  10.10.1.51/255.255.255.255        IPv4
    IP - 10.10.1.52                    IP address  10.10.1.52/255.255.255.255        IPv4
    IP - 10.10.1.53                    IP address  10.10.1.53/255.255.255.255        IPv4
    IP - 10.10.1.54                    IP address  10.10.1.54/255.255.255.255        IPv4
    IP - 10.10.1.55                    IP address  10.10.1.55/255.255.255.255        IPv4
    IP - 61.19.12.16                   IP address  61.19.12.16/255.255.255.255       IPv4
    IP - 61.19.12.18                   IP address  61.19.12.18/255.255.255.255       IPv4
    IP - 61.19.12.57                   IP address  61.19.12.57/255.255.255.255       IPv4
    IP - 64.4.11.25                    IP address  64.4.11.25/255.255.255.255        IPv4
    IP - 65.52.98.231                  IP address  65.52.98.231/255.255.255.255      IPv4
    IP - 118.214.190.43                IP address  118.214.190.43/255.255.255.255    IPv4
    IP - 118.214.190.73                IP address  118.214.190.73/255.255.255.255    IPv4
    IP - 130.14.29.110                 IP address  130.14.29.110/255.255.255.255     IPv4
    IP - 165.112.7.20                  IP address  165.112.7.20/255.255.255.255      IPv4
    IP - 203.147.56.230                IP address  203.147.56.230/255.255.255.255    IPv4
    IP - 203.147.56.231                IP address  203.147.56.231/255.255.255.255    IPv4
    IP - 209.25.134.45                 IP address  209.25.134.45/255.255.255.255     IPv4
    IP - 209.25.170.7                  IP address  209.25.170.7/255.255.255.255      IPv4
    IP - 209.25.195.94                 IP address  209.25.195.94/255.255.255.255     IPv4
    MORU Public IP - 203.147.41.226    IP address  203.147.41.226/255.255.255.255    IPv4
    MORU Public IP - 203.147.41.240    IP address  203.147.41.240/255.255.255.255    IPv4
    MORU Local Network                 IP subnet   10.0.0.0/255.255.255.0            IPv4
    MST Public IPs                     IP range    110.77.143.112-110.77.143.119     IPv4
    MST Public IP - 110.77.143.113     IP address  110.77.143.113/255.255.255.255    IPv4
    MST Public IP - 110.77.143.114     IP address  110.77.143.114/255.255.255.255    IPv4
    MST Public IP - 110.77.143.115     IP address  110.77.143.115/255.255.255.255    IPv4
    MST Public IP - 110.77.143.116     IP address  110.77.143.116/255.255.255.255    IPv4
    MST Public IP - 110.77.143.117     IP address  110.77.143.117/255.255.255.255    IPv4
    MST Public IP - 110.77.143.118     IP address  110.77.143.118/255.255.255.255    IPv4
    MST Public IP - 110.77.148.10      IP address  110.77.148.10/255.255.255.255     IPv4
    MST DMZ Network                    IP subnet   10.10.0.0/255.255.255.0           IPv4
    IP - TBHF-WEB-MRM                  IP address  10.10.0.1/255.255.255.255         IPv4
    MST Local Network                  IP subnet   10.10.1.0/255.255.255.0           IPv4
    MRM SSL VPN Network                IP subnet   10.10.9.0/255.255.255.0           IPv4
    IP - SMRU-AD02                     IP address  10.10.1.1/255.255.255.255         IPv4
    IP - tbhf-anc-mrm                  IP address  10.10.1.2/255.255.255.255         IPv4
    IP - SMRU-SRV                      IP address  10.10.1.3/255.255.255.255         IPv4
    IP - tbhf-doc-mrm                  IP address  10.10.1.4/255.255.255.255         IPv4
    IP - tbhf-dwh-mrm                  IP address  10.10.1.5/255.255.255.255         IPv4
    IP - tbhf-ops-mrm                  IP address  10.10.1.6/255.255.255.255         IPv4
    IP - TBHF-SYS-MRM                  IP address  10.10.1.7/255.255.255.255         IPv4
    IP - tbhf-tst-mrm                  IP address  10.10.1.8/255.255.255.255         IPv4
    IP - SMRU-VEEAM01                  IP address  10.10.1.9/255.255.255.255         IPv4
    IP - tbhf-kvm-mrm                  IP address  10.10.1.11/255.255.255.255        IPv4
    IP - SMRU-NPS01                    IP address  10.10.1.12/255.255.255.255        IPv4
    IP - S-STOR01                      IP address  10.10.1.13/255.255.255.255        IPv4
    IP - SMRU-HyperV01                 IP address  10.10.1.25/255.255.255.255        IPv4
    IP - SMRU-IT03                     IP address  10.10.1.15/255.255.255.255        IPv4
    IP - SMRU-DBP-MST                  IP address  10.10.1.17/255.255.255.255        IPv4
    IP - SMRU-DBD-MST                  IP address  10.10.1.19/255.255.255.255        IPv4
    IP - SMRU-FW01                     IP address  10.10.1.23/255.255.255.255        IPv4
    IP - S-VPLUS01                     IP address  10.10.1.24/255.255.255.255        IPv4
    MRH Local Network                  IP subnet   10.20.1.0/255.255.255.0           IPv4
    MST Guest Network                  IP subnet   192.168.88.0/255.255.255.0        IPv4
    MKT Local Network                  IP subnet   192.168.25.0/255.255.255.0        IPv4
    MLA Local Network                  IP subnet   192.168.26.0/255.255.255.0        IPv4
    WPA Local Network                  IP subnet   192.168.27.0/255.255.255.0        IPv4
    MSL Local Network                  IP subnet   192.168.28.0/255.255.255.0        IPv4
    HPH Local Network                  IP subnet   192.168.29.0/255.255.255.0        IPv4
    SKK Local Network                  IP subnet   192.168.30.0/255.255.255.0        IPv4
    MKU Local Network                  IP subnet   192.168.31.0/255.255.255.0        IPv4
    TST Local Network                  IP subnet   10.30.1.0/255.255.255.0           IPv4
    IP - tbhf-anc-mkt                  IP address  192.168.25.2/255.255.255.255      IPv4
    IP - tbhf-anc-mla                  IP address  192.168.26.2/255.255.255.255      IPv4
    IP - tbhf-anc-wpa                  IP address  192.168.27.2/255.255.255.255      IPv4
    IP - tbhf-anc-msl                  IP address  192.168.28.2/255.255.255.255      IPv4
    IP - SMRU-PMS-MKT                  IP address  192.168.25.6/255.255.255.255      IPv4
    IP - SMRU-PMS-MLA                  IP address  192.168.26.6/255.255.255.255      IPv4
    IP - SMRU-PMS-WPA                  IP address  192.168.27.6/255.255.255.255      IPv4
    IP - SMRU-PMS-MSL                  IP address  192.168.28.6/255.255.255.255      IPv4

    Table 2. BO
    Name                               Type        Address detail                    IP version
    MST Local Network                  IP subnet   10.10.1.0/255.255.255.0           IPv4
    MRM SSL VPN Network                IP subnet   10.10.9.0/255.255.255.0           IPv4
    SMRU-AD02                          IP address  10.10.1.1/255.255.255.255         IPv4
    tbhf-anc-mrm                       IP address  10.10.1.2/255.255.255.255         IPv4
    SMRU-SRV                           IP address  10.10.1.3/255.255.255.255         IPv4
    SMRU-IT03                          IP address  10.10.1.15/255.255.255.255        IPv4
    SMRU-DBP-MST                       IP address  10.10.1.17/255.255.255.255        IPv4
    SMRU-DBD-MST                       IP address  10.10.1.19/255.255.255.255        IPv4
    MRH Local Network                  IP subnet   10.20.1.0/255.255.255.0           IPv4
    MKT Local Network                  IP subnet   192.168.25.0/255.255.255.0        IPv4
    MLA Local Network                  IP subnet   192.168.26.0/255.255.255.0        IPv4
    WPA Local Network                  IP subnet   192.168.27.0/255.255.255.0        IPv4
    MSL Local Network                  IP subnet   192.168.28.0/255.255.255.0        IPv4
    HPH Local Network                  IP subnet   192.168.29.0/255.255.255.0        IPv4
    SKK Local Network                  IP subnet   192.168.30.0/255.255.255.0        IPv4
    MKU Local Network                  IP subnet   192.168.31.0/255.255.255.0        IPv4
    TST Local Network                  IP subnet   10.30.1.0/255.255.255.0           IPv4
    tbhf-anc-mkt                       IP address  192.168.25.2/255.255.255.255      IPv4
    tbhf-anc-mla                       IP address  192.168.26.2/255.255.255.255      IPv4
    tbhf-anc-wpa                       IP address  192.168.27.2/255.255.255.255      IPv4
    tbhf-anc-msl                       IP address  192.168.28.2/255.255.255.255      IPv4
    SMRU-PMS-MKT                       IP address  192.168.25.6/255.255.255.255      IPv4
    SMRU-PMS-MLA                       IP address  192.168.26.6/255.255.255.255      IPv4
    SMRU-PMS-WPA                       IP address  192.168.27.6/255.255.255.255      IPv4
    SMRU-PMS-MSL                       IP address  192.168.28.6/255.255.255.255      IPv4

  • Content of Entities.xml file.

    <?xml version="1.0" encoding="UTF-8"?>
    <Configuration APIVersion="1800.2" IPS_CAT_VER="1">
      <IPHost transactionid="">
        <Name>MST Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>10.10.1.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>MRM SSL VPN Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>10.10.9.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-AD02</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.1</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>tbhf-anc-mrm</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.2</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-SRV</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.3</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-IT03</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.15</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-DBP-MST</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.17</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-DBD-MST</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>10.10.1.19</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>MRH Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>10.20.1.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>MKT Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.25.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>MLA Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.26.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>WPA Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.27.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>MSL Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.28.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>HPH Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.29.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>SKK Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.30.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>MKU Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.31.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>TST Local Network</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>Network</HostType>
        <IPAddress>192.168.32.0</IPAddress>
        <Subnet>255.255.255.0</Subnet>
      </IPHost>
      <IPHost transactionid="">
        <Name>tbhf-anc-mkt</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.25.2</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>tbhf-anc-mla</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.26.2</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>tbhf-anc-wpa</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.27.2</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>tbhf-anc-msl</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.28.2</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-PMS-MKT</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.25.6</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-PMS-MLA</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.26.6</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-PMS-WPA</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.27.6</IPAddress>
      </IPHost>
      <IPHost transactionid="">
        <Name>SMRU-PMS-MSL</Name>
        <IPFamily>IPv4</IPFamily>
        <HostType>IP</HostType>
        <IPAddress>192.168.28.6</IPAddress>
      </IPHost>
    </Configuration>
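  • The host table and the Entities.xml export are two copies of the same data, and they drift: compare the TST Local Network row in Table 2 with its IPHost element above. The script below is an added example, not part of the runbook or of any Sophos tooling; it parses an IPHost export in the format shown above and reports every name whose address differs from the documented table, or that exists on only one side. The XML embedded in it is a constructed three-entry excerpt of the Entities.xml above, and the comparison table is the matching rows of Table 2 typed in by hand.

```python
"""Cross-check a Sophos Firewall Entities.xml IP-host export against the
documented host table (added example; not part of the original runbook)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt of the Entities.xml shown above: three IPHost entries
# copied from it so the script runs offline.
ENTITIES_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1800.2" IPS_CAT_VER="1">
  <IPHost transactionid="">
    <Name>MST Local Network</Name>
    <IPFamily>IPv4</IPFamily>
    <HostType>Network</HostType>
    <IPAddress>10.10.1.0</IPAddress>
    <Subnet>255.255.255.0</Subnet>
  </IPHost>
  <IPHost transactionid="">
    <Name>SMRU-AD02</Name>
    <IPFamily>IPv4</IPFamily>
    <HostType>IP</HostType>
    <IPAddress>10.10.1.1</IPAddress>
  </IPHost>
  <IPHost transactionid="">
    <Name>TST Local Network</Name>
    <IPFamily>IPv4</IPFamily>
    <HostType>Network</HostType>
    <IPAddress>192.168.32.0</IPAddress>
    <Subnet>255.255.255.0</Subnet>
  </IPHost>
</Configuration>
"""

# The same three names as they appear in Table 2 (BO), keyed by Name.
# Values are written the way the firewall GUI shows them: address/netmask.
DOCUMENTED_HOSTS = {
    "MST Local Network": ("IP subnet", "10.10.1.0/255.255.255.0"),
    "SMRU-AD02": ("IP address", "10.10.1.1/255.255.255.255"),
    "TST Local Network": ("IP subnet", "10.30.1.0/255.255.255.0"),
}


def parse_entities(xml_text):
    """Return {name: ipaddress network} for every IPHost in the export."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    hosts = {}
    for host in root.iter("IPHost"):
        name = host.findtext("Name")
        addr = host.findtext("IPAddress")
        host_type = host.findtext("HostType")
        if host_type == "Network":
            mask = host.findtext("Subnet")
            hosts[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif host_type == "IP":
            hosts[name] = ipaddress.ip_network(f"{addr}/32")
        # IPRange and IPList entries do not appear in the runbook's XML, so
        # they are skipped here rather than guessed at.
    return hosts


def table_to_network(detail):
    """Convert a GUI 'address/netmask' cell into an ipaddress network."""
    addr, mask = detail.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_mismatches(xml_text, documented):
    """Return (name, documented, exported) triples for every disagreement;
    a side that lacks the name is reported as None."""
    exported = parse_entities(xml_text)
    issues = []
    for name, (_type, detail) in documented.items():
        want = table_to_network(detail)
        got = exported.get(name)
        if got != want:
            issues.append((name, str(want), None if got is None else str(got)))
    for name, got in exported.items():
        if name not in documented:
            issues.append((name, None, str(got)))
    return sorted(issues, key=lambda issue: issue[0])


if __name__ == "__main__":
    for name, want, got in find_mismatches(ENTITIES_XML, DOCUMENTED_HOSTS):
        print(f"{name}: table says {want}, Entities.xml says {got}")
```

Run against the full export and the full table, the same function lists every drifted host; the excerpt above reports only the TST Local Network disagreement, which the script flags without deciding which side is right.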

7.6.2. MAC host

  • Select SYSTEM | Host and services.

  • Select the MAC host tab.

  • Add the following MAC hosts.

    Table 3. HO
    Name                               Type      Address detail
    MAC - MAL-iMAC-01 (ethernet)       Address   78:7B:8A:CE:D6:37
    MAC - TBHF-PI-MRM (ethernet)       Address   B8:27:EB:03:29:E4
    MAC - TBHF-PI-MRM (wireless)       Address   B8:27:EB:56:7C:B1
    MAC - SMRUNB-CB08 (ethernet)       Address   A4:BB:6D:1A:60:6C
    MAC - SMRUNB-CB08 (wireless)       Address   40:23:43:CF:55:F1
    MAC - SMRUNB-DC04 (ethernet)       Address   98:E7:43:83:16:DB
    MAC - SMRUNB-DC04 (wireless)       Address   4C:1D:96:3A:9D:37
    MAC - SMRUNB-IT02 (wireless)       Address   0C:96:E6:B4:52:3D
    MAC - SMRUWS-IT07                  Address   E4:54:E8:6B:F8:D7
    MAC - SMRUWS-IT08                  Address   D0:67:E5:22:B5:A1
    MAC - SMRUWS-IT11                  Address   E4:54:E8:6B:EA:6E
    MAC - SMRUWS-LB32                  Address   18:66:DA:46:B8:E4
    MAC - SMRUWS-MGT01                 Address   34:17:EB:B4:CA:8C
    MAC - TBHFWS-IT01                  Address   E4:54:E8:64:C2:32
    MAC - TBHFWS-IT02                  Address   E4:54:E8:64:B9:8A

7.6.3. FQDN host

7.6.3.1. Adding FQDN Host

  • Select SYSTEM | Host and services.

  • Select the FQDN host tab.

  • Click Add.

    Name                                    "*.facebook.com"
    
    Description                             To allow direct access to primary domain and subdomains of facebook
    
    FQDN                                    *.facebook.com
  • Click Save.

  • Add the following FQDN hosts.

    Table 4. HO
    Name                                   FQDN
    SMRU - *.anydesk.com                   *.anydesk.com
    SMRU - outlook.office365.com           outlook.office365.com
    SMRU - vpn.ox.ac.uk                    vpn.ox.ac.uk
    "eu-smtp-outbound-1.mimecast.com"      eu-smtp-outbound-1.mimecast.com
    SMRU - ngs.sanger.ac.uk                ngs.sanger.ac.uk
    SMRU - ipinfo.io                       ipinfo.io
    SMRU - www.bhf-th.org                  www.bhf-th.org
    SMRU - www.shoklo-unit.com             www.shoklo-unit.com
    SMRU - sugarproxy.sharpcast.com        sugarproxy.sharpcast.com
    SMRU - malariaapp.ddc.moph.go.th       malariaapp.ddc.moph.go.th

7.6.4. Services

  • Select SYSTEM | Host and services.

  • Select the Services tab.

  • Add the following services.

    Table 5. HO
    Name                               Protocol   Detail
    "SMRU" RPC                         TCP/UDP    TCP (1:65535) / (135)
    TCP 137                            TCP/UDP    TCP (1:65535) / (137)
    TCP 138                            TCP/UDP    TCP (1:65535) / (138)
    TCP 222                            TCP/UDP    TCP (1:65535) / (222)
    "SMRU" SMB                         TCP/UDP    TCP (1:65535) / (445)
    TCP UDP 500                        TCP/UDP    TCP (1:65535) / (500), UDP (1:65535) / (500)
    UDP 514                            TCP/UDP    UDP (1:65535) / (514)
    TCP UDP 1194                       TCP/UDP    TCP (1:65535) / (1194), UDP (1:65535) / (1194)
    "SMRU" MSSQL                       TCP/UDP    TCP (1:65535) / (1433)
    TCP 2222                           TCP/UDP    TCP (1:65535) / (2222)
    TCP 3389 (RDP)                     TCP/UDP    TCP (1:65535) / (3389)
    TCP UDP 4500                       TCP/UDP    TCP (1:65535) / (4500), UDP (1:65535) / (4500)
    TCP 6027 (PMP)                     TCP/UDP    TCP (1:65535) / (6027)
    TCP 6383 (PMP)                     TCP/UDP    TCP (1:65535) / (6383)
    TCP 6568 (AnyDesk)                 TCP/UDP    TCP (1:65535) / (6568)
    TCP 8000                           TCP/UDP    TCP (1:65535) / (8000)
    TCP 8080                           TCP/UDP    TCP (1:65535) / (8080)
    "SMRU" WSUS                        TCP/UDP    TCP (1:65535) / (8530)
    TCP UDP 9100 (Printing)            TCP/UDP    TCP (1:65535) / (9100), UDP (1:65535) / (9100)
    TCP 10000:10099                    TCP/UDP    TCP (1:65535) / (10000:10099)
    TCP 19812:19814 (FreezerWorks)     TCP/UDP    TCP (1:65535) / (19812:19814)
    TCP 22000:22099                    TCP/UDP    TCP (1:65535) / (22000:22099)
    TCP 22222                          TCP/UDP    TCP (1:65535) / (22222)
    TCP 23560 (PRTG)                   TCP/UDP    TCP (1:65535) / (23560)
    TCP 33000:33099                    TCP/UDP    TCP (1:65535) / (33000:33099)

    Table 6. BO
    Name                               Protocol   Detail
    LINE                               TCP/UDP    UDP (1:65535) / (1025:65535)
    "SMRU" MSSQL                       TCP/UDP    TCP (1:65535) / (1433)
    "SMRU" RPC                         TCP/UDP    TCP (1:65535) / (135)
    TCP 137                            TCP/UDP    TCP (1:65535) / (137)
    TCP 138                            TCP/UDP    TCP (1:65535) / (138)
    "SMRU" SMB                         TCP/UDP    TCP (1:65535) / (445)
    "SMRU" WSUS                        TCP/UDP    TCP (1:65535) / (8530)
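  • The Detail column of Tables 5 and 6 uses the firewall's "PROTO (source ports) / (destination ports)" notation, with several protocol entries separated by commas. The script below is an added example, not part of the runbook or of any Sophos tooling: it parses that notation into structured port ranges and counts how many destination ports each service opens, which makes a definition such as LINE (all UDP ports above 1024) stand out from the single-port services around it. The service list embedded in it is a constructed subset of the two tables, and the 100-port threshold is an arbitrary review limit, not a value from the page.

```python
"""Parse Sophos Firewall service Detail strings as listed in Tables 5 and 6
and flag definitions that open a wide destination port span
(added example; not part of the original runbook)."""
import re

# One service can carry several protocol/port entries separated by commas;
# each entry is "<PROTO> (<src-lo>[:<src-hi>]) / (<dst-lo>[:<dst-hi>])".
_ENTRY = re.compile(
    r"(TCP|UDP)\s*\((\d+)(?::(\d+))?\)\s*/\s*\((\d+)(?::(\d+))?\)"
)


def parse_detail(detail):
    """Return a list of (proto, (src_lo, src_hi), (dst_lo, dst_hi)) tuples."""
    entries = []
    for proto, s_lo, s_hi, d_lo, d_hi in _ENTRY.findall(detail):
        src = (int(s_lo), int(s_hi or s_lo))   # a bare port is a 1-port range
        dst = (int(d_lo), int(d_hi or d_lo))
        entries.append((proto, src, dst))
    if not entries:
        raise ValueError(f"unrecognised service detail: {detail!r}")
    return entries


def destination_port_count(detail):
    """Number of destination ports a service definition covers, counting
    TCP and UDP entries separately."""
    return sum(hi - lo + 1 for _proto, _src, (lo, hi) in parse_detail(detail))


def broad_services(table, max_ports=100):
    """Names of services whose destination span exceeds max_ports (an
    arbitrary review threshold, assumed here)."""
    return sorted(name for name, detail in table.items()
                  if destination_port_count(detail) > max_ports)


# Constructed subset of Tables 5 and 6 (Name -> Detail).
SERVICES = {
    '"SMRU" RPC': "TCP (1:65535) / (135)",
    "TCP UDP 500": "TCP (1:65535) / (500), UDP (1:65535) / (500)",
    "TCP 10000:10099": "TCP (1:65535) / (10000:10099)",
    "LINE": "UDP (1:65535) / (1025:65535)",
}


if __name__ == "__main__":
    for name, detail in SERVICES.items():
        print(f"{name:20} {destination_port_count(detail):6d} destination port(s)")
    print("review:", broad_services(SERVICES))
```

The parser keeps the source range too, so the same structure can be fed into a rule review; in these tables every source range is 1:65535, so the destination span is the interesting number.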

7.7. Interfaces

7.7.1. WAN

PPPoE option for HO:

  • Select CONFIGURE | Network.

  • Select the Interfaces tab.

  • Select Port2.

    General settings
    Name                            WAN-Port2
    Hardware                        Port2
    Network zone                    WAN
    ■ IPv4 configuration
    
    IP assignment                   ○ Static        ● PPPoE(DSL)    ○ DHCP
    IPv4/netmask
    Preferred IP
    
    Gateway detail
    Gateway name                    smru-sfw-<site>_WAN-Port2
    Gateway IP                      128.0.0.1
    Username                        ndno14657104@onnet.hp
    Password                        ********
                                    ********
    
    Access concentrator/service name        /
    
    □ LCP echo interval             Send LCP echo request every 20 seconds (5-180, default:20)
    □ LCP failure                   Wait for LCP echo reply for 3 attempts (default:3)
    Schedule time for reconnect     All days of the week 00 HH 00 MM
    
    □ IPv6 configuration
    
    DSL settings
    
    □ VDSL
    VLAN tag
    
    Advanced settings
    
    Interface speed                 Auto Negotiation
    MTU                             1500
    □ Override MSS                  1452
    ● Use default MAC address       ##:##:##:##:##:##
    ○ Override default MAC address
  • Click Save.

  • Click Update interface.

Aliases:

  • Note: This allows you to ping 110.77.143.113, 110.77.143.114, etc.

  • Select Network > Interfaces.

  • Select Add interface > Add alias.

  • Select WAN for the Physical interface.

  • Choose IPv4.

  • Type 110.77.143.113 for the IPv4 / Netmask field.

  • Type 110.77.143.114 for the IPv4 / Netmask field.

  • Type 110.77.143.115 for the IPv4 / Netmask field.

  • Type 110.77.143.116 for the IPv4 / Netmask field.

  • Type 110.77.143.117 for the IPv4 / Netmask field.

  • Type 110.77.143.118 for the IPv4 / Netmask field.

  • Click Save.

DHCP option for BO:

  • Note: For 3G/4G see WWAN1 Interface.

  • Select CONFIGURE | Network.

  • Select the Interfaces tab.

  • Select Port2.

    General settings
    Name                            WAN-Port2
    Hardware                        Port2
    Network zone                    WAN
    ■ IPv4 configuration
    
    IP assignment                   ○ Static        ○ PPPoE(DSL)    ● DHCP
    IPv4/netmask
    Preferred IP
    
    Gateway detail
    Gateway name                    smru-sfw-<site>_WAN-Port2
    Gateway IP                      128.0.0.1
  • Click Save.

  • Click Update interface.

7.7.2. LAN

BO:

  • Select CONFIGURE | Network.

  • Select the Interfaces tab.

  • Select br0.

    General settings
    Name                    LAN-br0
    Hardware                br0
    Description
                            ■ Enable routing on this bridge pair
    
    Member interfaces
                            Interface               Zone
                            Port1                   LAN
                            Port3                   LAN
                            Port4                   LAN
                            Port5                   LAN
                            Port6                   LAN
                            Port7                   LAN
                            Port8                   LAN
                            Port9                   LAN
                            Port10                  LAN
                            Port11                  LAN
                            Port12                  LAN
    
    ■ IPv4 configuration
    IP assignment           ● Static        ○ DHCP
    IPv4/netmask            192.168.##.170/24(255.255.255.0)
    Gateway detail
    Gateway name
    Gateway IP
    
    □ IPv6 configuration
    
    VLAN
    □ Filter VLANs
  • Click Save.

  • Click Update bridge.

7.8.1. Active gateway

  • Select CONFIGURE | Network.

  • Select WAN link manager.

  • Fiber Optic: Click Edit on WAN-Port2 interface.

  • WWAN1: Click Edit on WWAN1 interface.

  • Fiber Optic: Type smru-sfw-<site>_WAN-Port2 in Name field.

  • WWAN1: Type smru-sfw-<site>_WWAN in Name field.

  • Choose Active.

  • Type 1 in the Weight field.

  • Click Save.

7.8.2. Load Balance and Failover

7.8.3. Failover rules

  • Select CONFIGURE | Network.

  • Select WAN link manager.

  • Fiber Optic: Click Edit on WAN-Port2 interface.

  • WWAN1: Click Edit on WWAN1 interface.

  • SMRU-SFW-MRM: Click Edit on Port2-WAN-CAT interface.

  • SMRU-SFW-MRM: Click Edit on Port5-WAN-3BB interface.

  • Click Add or Edit under Failover rules.

  • Click Save.

    SMRU-SFW-MRM    Port2-WAN-CAT   Active  If Not able to PING on IP address '8.8.8.8' Then "SHIFT to another available gateway"
    SMRU-SFW-MRM    Port5-WAN-3BB   Backup  If Not able to PING on IP address '8.8.8.8' Then "SHIFT to another available gateway"
  • Select PROTECT | Rules and policies.

  • Select the NAT rules tab.

  • Make sure that the Default SNAT IPv4 NAT rule is enabled.

    Rule name                       Default SNAT IPv4
    Description                     Auto created IPv4 SNAT MASQ rule for traffic from "ANY" inbound interface to WAN outbound interface.
                                    Updated automatically with WAN interface changes
    Original source                 Any
    Original destination            Any
    Original service                Any
    Translated source (SNAT)        MASQ
    Translated destination (DNAT)   Original
    Translated service (PAT)        Original
    Inbound interface               Any
    Outbound interface              WAN
                                    WAN-3BB
                                    □ Override source translation (SNAT) for specified outbound interfaces

7.9. Dynamic DNS

  • Note: The Sophos Dynamic DNS myfirewall.co is discontinued after 31 January 2022.

  • Note: We don’t need to add DynDns on the sites firewall when using Site-to-site SSL VPN.

  • Select CONFIGURE | Network.

  • Select the Dynamic DNS tab.

  • Click Add.

  • DynDns: Type smru-sfw-<site>.dyndns.org in Hostname field.

  • Sophos: Type smru-sfw-<site>.myfirewall.co in Hostname field.

  • LAN: Select WAN-Port2 in Interface dropdown list.

  • 3G/4G module: Select WWAN1 in Interface dropdown list.

  • Choose NATed public IP.

  • DynDns: Select DynDns in Service provider dropdown list.

    • Type SMRU in Login name field.

    • Type the password in Password field.

  • Sophos: Select Sophos in Service provider dropdown list.

    DynDns
    Host details
    Hostname                        smru-sfw-<site>.dyndns.org
    Interface                       WAN-Port2 - 192.168.1.##                        # LAN
    Interface                       WWAN1 - ###.###.###.###                         # 3G/4G module
    IPv4 address                    ○ Use port IP   ● NATed public IP
    
    Service provider’s details
    Service provider                DynDns
    Login name                      SMRU
    Password                        ********
  • Click Save.

7.10. VPN IPsec

7.11. Web

7.11.1. Policies

  • To Continue.

  • Select PROTECT | Web.

  • Select the Policies tab.

    Table 7. "SMRU" Guest Network Web Filter
    Users                          Activities                   Action                              Constraints   Status
    Anybody                        Criminal Activities          HTTP is blocked, HTTPS is blocked                 ON
                                   Games and Gambling
                                   Nudity and Adult Content
                                   Advertisements
                                   Criminal Activity
                                   Gambling
                                   Games
                                   Hacking
                                   Nudity
                                   Phishing & Fraud
                                   Sexually Explicit
                                   Spam URLs
                                   Spyware & Malware

    Table 8. "SMRU" Local Network Web Filter
    Users                          Activities                   Action                              Constraints   Status
    Anybody                        Advertisements               HTTP is blocked, HTTPS is blocked                 ON
                                   Criminal Activity
                                   Gambling
                                   Games
                                   Hacking
                                   Nudity
                                   Phishing & Fraud
                                   Sexually Explicit
                                   Spam URLs
                                   Spyware & Malware
    SMRU-SFW-MRM Allow Youtube     Youtube                      HTTP is allowed                                   ON
    Anybody                        Youtube                      HTTP is blocked, HTTPS is blocked                 ON

7.11.2. Categories

  • Select PROTECT | Web.

  • Select the Categories tab.

  • Click Add.

    Name                            youtube.com
    Description
    Classification                  Acceptable
    Traffic shaping policy          None
    Configure category              ● Local                 ○ External URL database
    Import domain/keyword           Domain                  Keyword
                                    Browse                  Browse
    Domain/keyword                  youtube.com             youtube.com
  • Click Save.

    Name                               Type     Classification   Traffic shaping policy
    facebook.com                       Custom   Unproductive
    twitter.com                        Custom   Unproductive
    youtube.com                        Custom   Unproductive
    acrobat.com                        Custom   Productive
    adobe.com                          Custom   Productive
    anydesk.com                        Custom   Productive
    dashlane.com                       Custom   Productive
    dropbox.com                        Custom   Productive
    mimecast.com                       Custom   Productive
    msecnd.net                         Custom   Productive
    nuget.org                          Custom   Productive
    powerbi.com                        Custom   Productive
    visualstudio.com                   Custom   Productive
    windows.net                        Custom   Productive
    fmwww.bc.edu                       Custom   Productive
    ngs.sanger.ac.uk                   Custom   Productive
    www.stata.com                      Custom   Productive
    www.stattransfer.com               Custom   Productive
    sugarproxy.sharpcast.com           Custom   Productive
    ugene.net                          Custom   Productive
    1password.com                      Custom   Productive
    lastpass.com                       Custom   Productive
    github.com                         Custom   Productive
    services.addons.mozilla.org        Custom   Productive
    update.virtualbox.org              Custom   Productive

7.11.3. Exceptions

  • Select PROTECT | Web.

  • Select the Exceptions tab.

  • Todo.

7.11.4. General settings

  • Select PROTECT | Web.

  • Click General settings.

  • Check Enable web content cache under Advanced.

  • Type 8080 in Web proxy listening port field.

    Web proxy configuration
    
    Web proxy listening port        8080
    Allowed destination ports       21, 70, 80, 88, 210, 280, 443, 488, 550, 563, 591, 777, 800, 3001, 1025-65535
  • Click Apply.

7.11.5. User notifications

  • Select PROTECT | Web.

  • Select the User notifications tab.

  • Check Use custom block message.

    Message for block action
    
    + Use custom block message      Block message
                                    SMRU IT has restricted access to sites categorized as {category}.
                                    <br><br>If you think this is incorrect, you may contact SMRU IT <a>smru-it@shoklo-unit.com</a>.
  • Click Apply.

7.12. Rules and Policies

7.12.1. Firewall Rules

  • Select PROTECT | Rules and policies.

  • Select the Firewall rules tab.

  • Add the following Outgoing traffic rules.

    Table 9. MST
    Name                     Source                    Destination        What          Action   Features
    Allow DNS                LAN,                      WAN,               DNS           Accept   LinkedNAT LOG
                             MST Local Network         Any host
    Allow Proxy              LAN,                      WAN,               TCP 8080      Accept   AV WEB LinkedNAT PRX LOG
                             MST Local Network         Any host
    Deny all HTTP HTTPS      LAN,                      WAN,               Todo          Accept   WEB LinkedNAT LOG
                             MST Local Network         Any host

    Table 10. Sites
    Name                     Source                    Destination        What          Action   Features
    Allow SMRU Default       LAN,                      WAN,               DNS,          Accept   LOG
                             Any host                  Any host           HTTP,
                                                                          HTTPS,
                                                                          IKE,
                                                                          IMAP,
                                                                          LINE,
                                                                          NTP,
                                                                          PING,
                                                                          SMTP,
                                                                          SMTP(S),
                                                                          TeamViewer
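  • Rules are transcribed from these tables by hand, and the tables carry their own loose ends: in Table 9 the rule named Deny all HTTP HTTPS has Action Accept and its What column still reads Todo. The script below is an added example, not part of the runbook or of any Sophos tooling; it models the rows of Tables 9 and 10 as records and runs a few consistency checks over them before anyone types them into the firewall: a Todo placeholder in the service list, a rule whose name says Deny while its action is Accept, an any-to-any rule that also allows any service, and a rule without LOG. The rule list embedded in it is typed from the two tables; the checks themselves are this example's choice, not a Sophos feature.

```python
"""Consistency checks for firewall rules transcribed from Tables 9 and 10
(added example; not tooling from the runbook or from Sophos)."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    """One row of the firewall-rule tables; cells are kept as plain strings
    except the service and feature lists."""
    name: str
    source: str
    destination: str
    what: list
    action: str
    features: list = field(default_factory=list)


# The rows of Table 9 (MST) and Table 10 (Sites), typed in by hand.
RULES = [
    Rule("Allow DNS", "LAN, MST Local Network", "WAN, Any host",
         ["DNS"], "Accept", ["LinkedNAT", "LOG"]),
    Rule("Allow Proxy", "LAN, MST Local Network", "WAN, Any host",
         ["TCP 8080"], "Accept", ["AV", "WEB", "LinkedNAT", "PRX", "LOG"]),
    Rule("Deny all HTTP HTTPS", "LAN, MST Local Network", "WAN, Any host",
         ["Todo"], "Accept", ["WEB", "LinkedNAT", "LOG"]),
    Rule("Allow SMRU Default", "LAN, Any host", "WAN, Any host",
         ["DNS", "HTTP", "HTTPS", "IKE", "IMAP", "LINE", "NTP", "PING",
          "SMTP", "SMTP(S)", "TeamViewer"], "Accept", ["LOG"]),
]


def lint_rules(rules):
    """Return (rule name, finding) pairs for rows that need attention
    before they are entered on the firewall."""
    findings = []
    for r in rules:
        # A Todo in the service column means the rule is not finished.
        if any(s.strip().lower() == "todo" for s in r.what):
            findings.append((r.name, "service list is still a Todo placeholder"))
        # The name documents intent; the action is what the firewall does.
        if r.name.lower().startswith("deny") and r.action == "Accept":
            findings.append((r.name, f"name says Deny but action is {r.action}"))
        # Any host to any host with any service is a blanket allow.
        if ("Any service" in r.what and "Any host" in r.source
                and "Any host" in r.destination):
            findings.append((r.name, "any-to-any rule with any service"))
        # Every rule in these tables is expected to log.
        if "LOG" not in r.features:
            findings.append((r.name, "logging is not enabled"))
    return findings


if __name__ == "__main__":
    for name, finding in lint_rules(RULES):
        print(f"{name}: {finding}")
```

The two findings it produces for the tables above are exactly the loose ends named in the lead-in; the other two checks stay quiet on this data and exist for the site-specific rules added later in the procedure.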

  • Add the following VPN traffic rules.

    Name                                              Source                     Destination              What            Action   Features
    Allow traffic from MST                            VPN,                       LAN,                     Any service     Accept   LOG
                                                      MST Local Network,         <Site> Local Network
                                                      MRM SSL VPN Network
    Allow traffic from <Site> ANC to MST ANC server   LAN,                       VPN,                     Any service     Accept   LOG
                                                      tbhf-anc-<site>            tbhf-anc-mrm
    Allow traffic to SMRU-AD02                        LAN,                       VPN,                     Any service     Accept   LOG
                                                      <Site> Local Network       SMRU-AD02
    Allow traffic to tbhf-anc-mrm                     LAN,                       VPN,                     HTTP PING       Accept   LOG
                                                      <Site> Local Network       tbhf-anc-mrm
    Allow traffic to WSUS                             LAN,                       VPN,                     PING            Accept   LOG
                                                      <Site> Local Network       SMRU-IT03                "SMRU" WSUS
    Allow traffic to MST database servers             LAN,                       VPN,                     PING,           Accept   LOG
                                                      <Site> Local Network       SMRU-DBD-MST,            "SMRU" MSSQL
                                                                                 SMRU-DBP-MST
    Allow traffic to SMRU-SRV                         LAN,                       VPN,                     PING,           Accept   LOG
                                                      <Site> Local Network       SMRU-SRV                 "SMRU" SMB
    Allow ping to MST firewall                        LAN,                       VPN,                     PING            Accept   LOG
                                                      <Site> Local Network       smru-sfw-mrm

  • Add the following Inter-site traffic rules.

    Name                                        Source                     Destination           What          Action  Features
    ------------------------------------------  -------------------------  --------------------  ------------  ------  --------
    Allow inter-site ping to PMS server         VPN, MKT Local Network,    LAN, SMRU-PMS-<Site>  PING          Accept  LOG
                                                MLA Local Network,
                                                WPA Local Network,
                                                MSL Local Network,
                                                HPH Local Network,
                                                SKK Local Network,
                                                MKU Local Network
    Allow inter-site ping to PMS servers        LAN, <Site> Local Network  VPN, SMRU-PMS-MKT,    PING          Accept  LOG
                                                                           SMRU-PMS-MLA,
                                                                           SMRU-PMS-MSL,
                                                                           SMRU-PMS-WPA
    Allow inter-site SQL Server traffic         VPN, MKT Local Network,    LAN, SMRU-PMS-<Site>  "SMRU" MSSQL  Accept  LOG
                                                MLA Local Network,
                                                WPA Local Network,
                                                MSL Local Network,
                                                HPH Local Network,
                                                SKK Local Network,
                                                MKU Local Network
    Allow inter-site SQL Servers traffic        LAN, <Site> Local Network  VPN, SMRU-PMS-MKT,    "SMRU" MSSQL  Accept  LOG
                                                                           SMRU-PMS-MLA,
                                                                           SMRU-PMS-MSL,
                                                                           SMRU-PMS-WPA
    Allow inter-site traffic to WPA ANC server  LAN, <Site> Local Network  VPN, tbhf-anc-wpa     HTTP, PING    Accept  LOG

  • Add the following Inter-zone traffic rules.

    Name                      Source                     Destination                What         Action  Features
    ------------------------  -------------------------  -------------------------  -----------  ------  --------
    Allow LAN to LAN traffic  LAN, <Site> Local Network  LAN, <Site> Local Network  Any service  Accept  LOG

7.12.2. NAT Rules

  • Note: Sophos recommends setting Outbound interface to the WAN interface. If Outbound interface is set to Any, the NAT rule is also applied to LAN to VPN (and LAN to DMZ) traffic and breaks that traffic. Move the LAN to WAN NAT rule to the bottom; otherwise it can be applied to other traffic and cause unexpected results.

  • Select PROTECT | Rules and policies.

  • Select the NAT rules tab.

    Table 11. LAN cable (Port2)
    Name               Original               Translated             Interface               ID         Usage
    -----------------  ---------------------  ---------------------  ----------------------  ---------  -----
    LAN to WAN (MASQ)  Source: Any host       Source: MASQ           Inbound: Any interface  #<number>  0
                       Service: Any service   Service: Original      Outbound: WAN-Port2
                       Destination: Any host  Destination: Original  Last used: <Date>

    Table 12. 3G/4G (WWAN1)
    Name               Original               Translated             Interface               ID         Usage
    -----------------  ---------------------  ---------------------  ----------------------  ---------  -----
    LAN to WAN (MASQ)  Source: Any host       Source: MASQ           Inbound: Any interface  #<number>  0
                       Service: Any service   Service: Original      Outbound: WWAN1
                       Destination: Any host  Destination: Original  Last used: <Date>

    Table 13. DMZ (tbhf-web-mrm)
    Name                   Original                                     Translated                      Interface                ID         Usage
    ---------------------  -------------------------------------------  ------------------------------  -----------------------  ---------  -----
    HTTPS from WAN to DMZ  Source: Any host                             Source: Original                Inbound: Any interface   #<number>  0
    (tbhf-web-mrm)         Service: HTTPS                               Service: HTTPS                  Outbound: Any interface
                           Destination: MST Public IP - 110.77.143.117  Destination: IP - tbhf-web-mrm  Last used: <Date>
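
Worked example for the note at the top of 7.12.2 (added here; it is not part of the original procedure and not Sophos code): a first-match NAT rule evaluator that shows why the Outbound interface must be the WAN interface and why the MASQ rule belongs at the bottom. The "VPN" outbound interface, LAN-Port1 and the "No NAT LAN to VPN" exception rule are constructed for the illustration; the other interface names are those of Tables 11 and 12.

```python
# Added example (not from the SMRU document): a first-match NAT rule evaluator that
# reproduces the two effects described in the note of 7.12.2. "VPN" as an outbound
# interface, LAN-Port1 and the "No NAT LAN to VPN" rule are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    in_iface: str   # interface the packet arrived on, e.g. "LAN-Port1"
    out_iface: str  # interface chosen by routing, e.g. "WAN-Port2", "WWAN1" or "VPN"


@dataclass(frozen=True)
class NatRule:
    name: str
    inbound: str      # "Any" or an interface name
    outbound: str     # "Any" or an interface name
    translation: str  # "MASQ" rewrites the source address; "Original" leaves it alone


def _covers(selector: str, value: str) -> bool:
    """A selector covers a concrete value (or another selector) if it is Any or equal."""
    return selector == "Any" or selector == value


def evaluate(rules: List[NatRule], flow: Flow) -> Optional[NatRule]:
    """Return the first rule whose selectors cover the flow, or None when no NAT applies."""
    for rule in rules:
        if _covers(rule.inbound, flow.in_iface) and _covers(rule.outbound, flow.out_iface):
            return rule
    return None


def applied_translation(rules: List[NatRule], flow: Flow) -> str:
    """The translation a flow actually receives under first-match evaluation."""
    rule = evaluate(rules, flow)
    return "Original" if rule is None else rule.translation


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers everything they cover."""
    shadowed: List[str] = []
    for position, later in enumerate(rules):
        for earlier in rules[:position]:
            if _covers(earlier.inbound, later.inbound) and _covers(earlier.outbound, later.outbound):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule sets; interface names follow Tables 11 and 12.
MASQ_ANY = [NatRule("LAN to WAN (MASQ)", "Any", "Any", "MASQ")]        # Outbound left at Any
MASQ_WAN = [NatRule("LAN to WAN (MASQ)", "Any", "WAN-Port2", "MASQ")]  # Outbound set to the WAN interface
NO_NAT_VPN = NatRule("No NAT LAN to VPN", "LAN-Port1", "VPN", "Original")  # hypothetical exception rule
WRONG_ORDER = MASQ_ANY + [NO_NAT_VPN]   # broad MASQ rule on top shadows the exception
RIGHT_ORDER = [NO_NAT_VPN] + MASQ_ANY   # MASQ rule moved to the bottom, as the note advises

LAN_TO_VPN = Flow("LAN-Port1", "VPN")
LAN_TO_WAN = Flow("LAN-Port1", "WAN-Port2")

if __name__ == "__main__":
    for label, rules in [("outbound Any", MASQ_ANY), ("outbound WAN-Port2", MASQ_WAN),
                         ("wrong order", WRONG_ORDER), ("right order", RIGHT_ORDER)]:
        print(f"{label:20s} LAN->VPN: {applied_translation(rules, LAN_TO_VPN):9s}"
              f"LAN->WAN: {applied_translation(rules, LAN_TO_WAN):9s}"
              f"shadowed: {shadowed_rules(rules)}")
```

With Outbound left at Any the LAN to VPN flow is masqueraded, which is exactly the breakage the note describes; with Outbound set to WAN-Port2 it passes untranslated while LAN to WAN traffic is still masqueraded. shadowed_rules reports the exception rule as unreachable whenever the MASQ rule sits above it.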

7.13. DNS

  • Select CONFIGURE | Network.

  • Select the DNS tab.

DNS configuration:

  • Main Office: SMRU-SFW-MRM, SMRU-SFW-TST

    • Note: The DNS Manager on the Windows Server has the Sophos Firewall set up as a forwarder.

    • Note: Do not add the IP address of the DNS Manager in the DNS fields to prevent a DNS loop.

  • Remote Sites: SMRU-SFW-MKT, SMRU-SFW-MLA, SMRU-SFW-WPA, SMRU-SFW-MSL, SMRU-SFW-HPH, SMRU-SFW-SKK, SMRU-SFW-MKU

    • Note: Set the DNS Manager on the Windows Server as the primary DNS server as recommended by Microsoft.

  • Choose Static DNS.

    IPv4
    
    ○ Obtain DNS from DHCP
    ○ Obtain DNS from PPPoE
    ● Static DNS
                                    Main Office     Remote Site
                                    --------------  --------------
    DNS 1                           8.8.8.8         10.10.1.1
    DNS 2                           1.1.1.1         192.168.##.170
    DNS 3                           208.67.222.222  8.8.8.8
    
    IPv6
    
    ○ Obtain DNS from DHCP
    ● Static DNS
    DNS 1
    DNS 2
    DNS 3
    
    DNS query configuration
    
    ● Choose server based on incoming requests record type
    ○ Choose IPv6 DNS server over IPv4
    ○ Choose IPv4 DNS server over IPv6
    ○ Choose IPv6 if request originator address is IPv6, else IPv4
  • Click Apply.
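
Worked example for the two Main Office notes above (added here; not part of the original document): the DNS Manager on SMRU-AD02 forwards to the firewall, so if the firewall's DNS fields point back at the DNS Manager, queries circulate between the two. The forwarder maps below are constructed from the values in the DNS table; 10.10.1.170 is taken as the main-office firewall LAN address.

```python
# Added example (not from the SMRU document): cycle detection over a DNS forwarder graph,
# i.e. the loop the second Main Office note warns about. The maps are constructed from the
# DNS table above; "10.10.1.170" is the main-office firewall, "10.10.1.1" the DNS Manager.
from typing import Dict, List, Optional, Set

Forwarders = Dict[str, List[str]]  # resolver IP -> upstream resolvers it forwards to

# Correct layout: the DNS Manager forwards to the firewall; the firewall uses public resolvers.
MAIN_OFFICE: Forwarders = {
    "10.10.1.1": ["10.10.1.170"],
    "10.10.1.170": ["8.8.8.8", "1.1.1.1", "208.67.222.222"],
}

# Misconfiguration: the firewall's DNS 1 set to the DNS Manager, which forwards straight back.
MAIN_OFFICE_LOOP: Forwarders = {
    "10.10.1.1": ["10.10.1.170"],
    "10.10.1.170": ["10.10.1.1", "8.8.8.8"],
}


def find_forwarding_loop(forwarders: Forwarders, start: str) -> Optional[List[str]]:
    """Depth-first walk from `start`; returns the first cycle as a path, or None.
    Addresses absent from the map (the public resolvers) are treated as recursive
    servers that answer on their own, so the walk stops there."""
    path: List[str] = []
    on_path: Set[str] = set()

    def visit(node: str) -> Optional[List[str]]:
        if node in on_path:
            return path[path.index(node):] + [node]
        if node not in forwarders:
            return None
        path.append(node)
        on_path.add(node)
        for upstream in forwarders[node]:
            cycle = visit(upstream)
            if cycle:
                return cycle
        path.pop()
        on_path.discard(node)
        return None

    return visit(start)


def check_firewall_dns(firewall_dns: List[str], dns_manager_ip: str) -> List[str]:
    """Direct check of the note: the DNS Manager's IP must not appear in the firewall's DNS fields."""
    return [ip for ip in firewall_dns if ip == dns_manager_ip]


if __name__ == "__main__":
    print("main office:", find_forwarding_loop(MAIN_OFFICE, "10.10.1.1"))
    print("with loop:  ", find_forwarding_loop(MAIN_OFFICE_LOOP, "10.10.1.1"))
```

The correct layout yields no cycle; the misconfigured one returns the path 10.10.1.1 -> 10.10.1.170 -> 10.10.1.1, which is the loop that would make every uncached lookup bounce between the two servers until the forwarder gives up.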

DNS host entry:

  • Select CONFIGURE | Network.

  • Select the DNS tab.

  • Add the following DNS host.

Host/domain name                   IP address    TTL  Weight  Publish on WAN  Reverse DNS lookup
---------------------------------  ------------  ---  ------  --------------  ------------------
SMRU-AD02.smru.shoklo-unit.com     10.10.1.1     60   1       No              On
SMRU-IT03.smru.shoklo-unit.com     10.10.1.15    60   1       No              On
SMRU-DBP-MST.smru.shoklo-unit.com  10.10.1.17    60   1       No              On
SMRU-SRV.smru.shoklo-unit.com      10.10.1.3     60   1       No              On
tbhf-anc.smru.shoklo-unit.com      192.168.26.2  60   1       No              On

7.14. DHCP

  • Select CONFIGURE | Network.

  • Select the DHCP tab.

  • Click Add.

  • Select the IPv4 tab.

    General settings
    
    Name                            <Site> DHCP
    Interface                       br0 - 192.168.##.170
                                    □ Accept client request via relay
    
    Dynamic IP lease                Start IP        End IP
                                    192.168.##.50 192.168.##.169
    
    Static IP MAC mapping           Hostname        MAC address     IP address
                                    □               □               □
    
    Subnet mask                     /24 (255.255.255.0)
    Domain name                     smru.shoklo-unit.com
    Gateway                         ■ Use interface IP as gateway
                                    192.168.##.170
    
    Default lease time              1440
    Max lease time                  2880
    Conflict detection              □ Enable
    
    DNS server
    
    ■ Use device’s DNS settings
    Primary DNS                     192.168.##.170
    Secondary DNS                   10.10.1.1
    
    WINS server
    
    Primary WINS server
    Secondary WINS server
  • Click Save.

7.14.1. Fixed Lease

  • Select CONFIGURE | Network.

  • Select the DHCP tab.

  • Go to Static IP MAC mapping section.

  • Click + Button.

  • Scroll down to the bottom.

  • Fill in the data as described in the following table.

Hostname        MAC address                    IP address
--------------  -----------------------------  --------------------
Name of device  Ethernet/Wireless MAC address  IP address of device

  • Click Save.
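
Worked example for the DHCP scope in 7.14 and the fixed leases in 7.14.1 (added here; not part of the original document): a consistency check that the dynamic pool sits inside the interface subnet, that the gateway address is outside the pool, and that static MAC mappings neither fall inside the pool nor collide with each other or the gateway. SITE stands in for the "##" placeholder (25 is used because MKT is 192.168.25.x in section 14); the hostnames and mapped addresses are constructed.

```python
# Added example (not from the SMRU document): sanity checks on a DHCP scope as configured in
# 7.14 and on the static IP MAC mappings of 7.14.1. SITE replaces the "##" placeholder; the
# hostnames and the addresses mapped to them are constructed.
import ipaddress
from typing import Dict, List, Tuple

IPv4 = ipaddress.IPv4Address
SITE = 25  # constructed site number (MKT is 192.168.25.x in section 14)

INTERFACE = ipaddress.ip_interface(f"192.168.{SITE}.170/24")    # br0 - 192.168.##.170, /24
POOL: Tuple[IPv4, IPv4] = (IPv4(f"192.168.{SITE}.50"), IPv4(f"192.168.{SITE}.169"))
STATIC_OK: Dict[str, str] = {"printer-01": f"192.168.{SITE}.20", "ap-04": f"192.168.{SITE}.200"}
STATIC_BAD: Dict[str, str] = {
    "printer-01": f"192.168.{SITE}.100",  # inside the dynamic pool
    "scanner-02": f"192.168.{SITE}.170",  # collides with the gateway / interface address
    "nas-01": "10.10.1.3",                # not in this subnet at all
}


def check_scope(iface: ipaddress.IPv4Interface, pool: Tuple[IPv4, IPv4],
                static: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the scope is consistent."""
    problems: List[str] = []
    net = iface.network
    start, end = pool
    if start > end:
        problems.append("dynamic pool start is after its end")
    if start not in net or end not in net:
        problems.append(f"dynamic pool {start}-{end} is not inside {net}")
    if start <= iface.ip <= end:
        problems.append("interface/gateway address lies inside the dynamic pool")
    seen: Dict[IPv4, str] = {}
    for host, text in static.items():
        ip = IPv4(text)
        if ip not in net:
            problems.append(f"{host}: {ip} is outside {net}")
        elif start <= ip <= end:
            problems.append(f"{host}: {ip} lies inside the dynamic pool {start}-{end}")
        if ip == iface.ip:
            problems.append(f"{host}: {ip} collides with the interface/gateway address")
        if ip in seen:
            problems.append(f"{host}: {ip} is already mapped to {seen[ip]}")
        seen[ip] = host
    return problems


if __name__ == "__main__":
    print("good mappings:", check_scope(INTERFACE, POOL, STATIC_OK) or "no problems")
    for problem in check_scope(INTERFACE, POOL, STATIC_BAD):
        print("bad mappings: ", problem)
```

The intent of the check is the one implied by the form above: with the pool at .50 to .169 and the interface at .170, any fixed lease must use an address below .50 or above .170 so that a static host and a dynamic client can never be handed the same address.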

7.15. AD Server integration

  • Note: For AD users to work properly with Sophos, STAS setup is needed.

  • Select CONFIGURE > Authentication.

  • Select the Servers tab.

  • Click Add.

    Server type                     Active Directory
    Server name                     SMRU-AD02
    Server IP/domain                10.10.1.1
    Connection security             Plaintext
    Port                            389
    NetBIOS domain                  SMRU
    ADS user name                   ADadmin
    Password                        ********
    Display name attribute
    Email address attribute         mail
    Domain name                     smru.shoklo-unit.com
    Search queries                  DC=smru,DC=shoklo-unit,DC=com
  • Click Test connection.

  • Click Save.

  • Select the Services tab.

  • Check Firewall authentication methods | SMRU-AD02.

  • Move Firewall authentication methods | SMRU-AD02 to the top.

  • Click Firewall authentication methods | Apply.

  • Click OK to confirm.

  • Optional: Check User portal authentication methods | SMRU-AD02.

  • Optional: Move User portal authentication methods | SMRU-AD02 to the top.

  • Optional: Click User portal authentication methods | Apply.

  • Optional: Click OK to confirm.

  • Optional: Check VPN portal authentication methods | SMRU-AD02.

  • Optional: Move VPN portal authentication methods | SMRU-AD02 to the top.

  • Optional: Click VPN portal authentication methods | Apply.

  • Optional: Click OK to confirm.

7.16. STAS

7.16.1. File Server Local Security Policy

Grant the administrative user the Log on as a service right.

  • Start Windows Administrative Tools > Local Security Policy (secpol.msc).

  • Select Local Policies > User Rights Assignment.

  • Double-click Log on as a service.

  • Select the Local Security Setting tab.

  • Click Add User or Group.

  • Type Administrator in the Enter the object names to select field.

  • Click Check Names.

  • Select Administrator or Administrators.

  • Click OK.

  • Click OK.

  • Click Apply.

  • Click OK.

7.16.2. File Server Windows Firewall

  • Start Control Panel > Windows Defender Firewall.

  • Select Advanced settings.

  • Select Inbound Rules.

  • Select Action > New Rule.

  • Select the Rule Type tab.

  • Choose Port.

  • Click Next.

  • Choose UDP.

  • Choose Specific local ports.

  • Type 6677 in the Specific local ports field.

  • Click Next.

  • Choose Allow the connection.

  • Click Next.

  • Check Domain.

  • Check Private.

  • Check Public.

  • Click Next.

  • Type UDP 6677 for STAS in the Name field.

  • Click Finish.

  • Close Windows Defender Firewall with Advanced Security.

  • Close Windows Defender Firewall.

7.16.3. Download STAS on Sophos Firewall

  • Browse to https://10.10.1.170:4444.

  • Login with admin account.

  • Select CONFIGURE > Authentication.

  • Select the Client downloads tab.

  • Click Sophos Transparent Authentication Suite (STAS) to download STAS.exe.

7.16.4. Configure STAS on Sophos Firewall

  • Select CONFIGURE > Authentication.

  • Select the STAS tab.

  • Click the OFF icon to enable Sophos Transparent Authentication Suite.

  • Click Activate STAS.

  • Click Add new collector.

  • Type 10.10.1.1 in the Collector IP field.

  • Type 6677 in the Collector port field.

  • Choose New group for the Collector group.

  • Click Save.

  • Logout from Sophos Firewall web page.

  • Close Browser.

7.16.5. Install STAS on File Server

  • Run the STAS.exe file with administrative privileges.

  • Click Next.

  • Click Next.

  • Uncheck Create a desktop shortcut.

  • Uncheck Create a Quick Launch shortcut.

  • Click Next.

  • Click Install.

  • Choose SSO Suite | Installs all Sophos SSO Suite components on this machine.

  • Click Next.

  • Type SMRU\Administrator in the User Name field.

  • Type the password in the Password field.

  • Type the password again in the Confirm Password field.

  • Click Next.

  • Click Finish.

7.16.6. Configure STAS on File Server

  • Select Registry Read Access for the Workstation Polling Method.

  • Click Apply.

  • Select the STA Agent tab.

  • Type 10.10.1.1 for the Domain Controller IP.

  • Click Add under Monitored Networks.

  • Type 10.10.1.0/24.

  • Click OK.

  • Optional: Remove 192.168.1.0/24 in the Monitored Networks list.

    • Select 192.168.1.0/24.

    • Click Remove.

  • Click Apply.

  • Select the Exclusion List tab.

  • Click Login IP Address / Network Subnet mask Exclusion List | Add.

  • Type 10.10.1.1 - 10.10.1.69.

  • Click OK.

  • Click Apply.

  • Select the General tab.

  • Type SMRU in the NetBIOS Name field.

  • Type smru.shoklo-unit.com in the Fully Qualified Domain Name field.

  • Click Start under Status to start the STA Agent service.

  • Click OK.

  • Click Yes to continue.

  • Note: If everything is working fine, the 10.10.1.170 IP address will show up under Sophos Appliances.

7.17. Time

  • Select SYSTEM | Administration.

  • Select Time.

  • Choose Use custom NTP server.

  • Add 0.pool.ntp.org, 1.pool.ntp.org and 2.pool.ntp.org in Use custom NTP server field.

  • Click Sync now.

    Current time                    YYYY-MM-DD HH:MM:SS Asia/Bangkok
    Time zone                       Asia/Bangkok
    
    ○ Use pre-defined NTP server
    ● Use custom NTP server         0.pool.ntp.org
                                    1.pool.ntp.org
                                    2.pool.ntp.org
    
                                    Sync now
    
    ○ Do not use NTP server
    Date
    Time
  • Click Apply.

  • Click OK.

7.18. Notification settings

  • Select CONFIGURE > System services.

  • Select the Notification list tab.

  • Select the Email notifications to be ON.

  • Click Expand all.

  • Check Sign-in failed for the Admin.

  • Check Too many failed sign-in attempts for the Admin.

  • Check Installed new firmware for the Firmware.

  • Check Antivirus definition upgrade failed for the System.

  • Check System started for the System.

  • Check High CPU usage for the System.

  • Check Gateway status for the System.

  • Click Save.

  • Click OK.

7.18.1. Notification settings

  • Select SYSTEM > Administration > Notification settings.

    Mail Server settings
    
    Send notifications via                  ○ Built-in email server ● External email server
    Mail server IPv4 address/FQDN - Port    eu-smtp-outbound-1.mimecast.com
    Authentication required                 ■
    Username                                relay@shoklo-unit.com
    Password                                ********
    Connection security                     STARTTLS
    
    Email settings
    
    From email address                      smru-sfw-mrm@shoklo-unit.com
    Send notifications to email address     it-notify@shoklo-unit.com
    Management interface IP address         None

7.19. Backups

7.19.1. Configuration

  • Select SYSTEM | Backup & firmware.

  • Select the Backup & restore tab.

  • Choose Email on Backup mode.

  • Type smru-sfw-<site> in Backup prefix field.

  • smru-sfw-<site>: Type smru-it@shoklo-unit.com in Email address field.

  • smru-sfw-mrm: Type smru-it@shoklo-unit.com,it-notify@tropmedres.ac in Email address field.

  • Choose Daily on Frequency.

  • Select Sunday Day 00 HH 00 MM on Schedule.

  • Type the level 1 + level 2 password in Encryption password field.

  • Type the level 1 + level 2 password again in Confirm Encryption password field.

  • Click Apply.

  • Click OK.

  • Click Backup now.

7.19.2. Extraction

  • Save the backup file to the O:\Tmp folder.

  • Enter the following commands at a Command Line.

    # Decrypt the backup file.
    openssl enc -aes-256-cbc -md md5 -d -in /home/Other/Tmp/smru-sfw-mkt_Backup_C1A102GM9DGFQ58_14Feb2022_00.00.05 > /tmp/smru-sfw-mkt.tgz
    # Type the level 1 and level 2 passwords and press Enter.
    
    # Extract contents of backup file.
    cd /tmp
    tar tfz smru-sfw-mkt.tgz
    tar xfz smru-sfw-mkt.tgz
    ls -al conf/backupdata/device.backup
    
    # List PostgreSQL database dumps.
    ls -al conf/backupdata/device.backup/db.*
    vi conf/backupdata/device.backup/db.dump
    grep "tblfirewallrule" conf/backupdata/device.backup/db.dump
    cd
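
Worked example for the decryption step above (added here; not part of the original document or of OpenSSL): what `openssl enc -aes-256-cbc -md md5 -d` does before it decrypts. The file is a "Salted__" container (8-byte magic, 8-byte salt, ciphertext), and the AES key and IV are derived with OpenSSL's legacy EVP_BytesToKey, one MD5 round per output block and no iteration count. That derivation is fast, so the confidentiality of a backup rests entirely on the strength of the level 1 + level 2 password. The password and salt below are constructed; no real backup file is read.

```python
# Added example (not from the SMRU document): the container split and key derivation that
# `openssl enc -aes-256-cbc -md md5 -d` performs on a backup file. The password and salt
# are constructed for the demonstration.
import hashlib
from typing import Tuple

OPENSSL_MAGIC = b"Salted__"


def split_openssl_enc(blob: bytes) -> Tuple[bytes, bytes]:
    """Return (salt, ciphertext) from an `openssl enc` output; the 8-byte salt follows the magic."""
    if not blob.startswith(OPENSSL_MAGIC) or len(blob) < 16:
        raise ValueError("not an OpenSSL 'Salted__' container")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16,
                     digest: str = "md5") -> Tuple[bytes, bytes]:
    """OpenSSL EVP_BytesToKey with count=1: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt);
    key||iv is D_1||D_2||... truncated to key_len + iv_len bytes (48 for AES-256-CBC)."""
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def looks_like_gzip(data: bytes) -> bool:
    """The decrypted backup is a gzip'd tar (the page runs `tar xfz` on it), so a correct
    password yields the gzip magic 1f 8b at offset 0; anything else means a wrong password
    or a corrupted file, and the .tgz should not be trusted."""
    return data[:2] == b"\x1f\x8b"


# Constructed inputs for a demonstration run.
DEMO_PASSWORD = b"level1-level2-example"              # stands in for the level 1 + level 2 password
DEMO_SALT = bytes.fromhex("0011223344556677")
DEMO_BLOB = OPENSSL_MAGIC + DEMO_SALT + b"\x00" * 32  # ciphertext body is dummy filler

if __name__ == "__main__":
    salt, body = split_openssl_enc(DEMO_BLOB)
    key, iv = evp_bytes_to_key(DEMO_PASSWORD, salt)
    print("salt:", salt.hex())
    print("key: ", key.hex())
    print("iv:  ", iv.hex())
    print("ciphertext bytes:", len(body))
```

Because the same password and salt always give the same key, and the salt is stored in clear in the file, the only secret input is the password itself; the `looks_like_gzip` check is the quickest way to confirm a decryption succeeded before running `tar` on the result.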

7.20. Cellular WAN | 3G/4G module

  • Select CONFIGURE | Network.

  • Select the Cellular WAN tab.

  • Click OFF to turn on Cellular WAN.

  • Click OK.

  • Refresh the page until it detects the 3G/4G module.

  • Click Connect.

  • Click OK.

  • Select the Interfaces tab.

  • Select WWAN1.

  • Click Show recommended configuration.

  • Click Load recommended configuration.

  • Select 99# in Phone number dropdown list.

    General settings
    
      Interface name                WWAN1
      IP assignment                 ● Dial-up(PPP)          ○ Network adapter(DHCP)
      Connect                       ● Auto                  ○ Manual
      Reconnect tries               Always
      Modem port                    Serial 2
      Phone number                  99#
      Username
      Password
      SIM card PIN code
      APN
      Initialization string
    
    Gateway settings
    
      Gateway name                  smru-sfw-<site>_WWAN
      Gateway IP                    128.0.0.1
    
    Other Settings
    
      MTU                           1500
      MSS                           1460
  • Click Save.

  • Click OK.

7.21. Reports

Admin Events

  • Select MONITOR & ANALYZE > Reports.

  • Click Show Reports settings.

  • Select the Custom view tab.

  • Click Add.

  • Type SMRU-SFW-<Site> Admin Events in the Custom view field.

  • Expand Events.

  • Check Admin Events.

  • Click Save.

  • Select the Report scheduling tab.

  • Click Add.

  • Choose Report.

  • Type SMRU-SFW-<Site> Admin Events in the Name field.

  • Type smru-it@shoklo-unit.com in the To email address field.

  • Choose Report group for Report type.

  • Select SMRU-SFW-<Site> Admin Events in the Report group dropdown list.

  • Choose Daily for Email frequency.

  • Choose Previous day for Report period.

  • Select 24 in the Send email at dropdown list.

  • Click Save.

Admin events are:

  • VPN > IPsec connections

  • VPN > IPsec policies

7.22. Log settings

  • Select CONFIGURE > System services.

  • Select Log settings tab.

  • Click Add.

  • Type Firewall log in the Name field.

  • Type the syslog server IP address in the IP address / Domain field.

  • Uncheck Secure log transmission.

  • Type 514 in the Port field.

  • Select LOCAL0 in the Facility field.

  • Select Information in the Severity level.

  • Select Device Standard Format (legacy).

  • Click Save.

  • Check Firewall rules for Firewall log.

  • Click Apply.

  • Click OK.

  • Select CONFIGURE > System services.

  • Select Log settings tab.

  • Click Add.

  • Type Web Filter log in the Name field.

  • Type the syslog server IP address in the IP address / Domain field.

  • Uncheck Secure log transmission.

  • Type 514 in the Port field.

  • Select LOCAL1 in the Facility field.

  • Select Information in the Severity level.

  • Select Device Standard Format (legacy).

  • Click Save.

  • Check Web filter for Web Filter log.

  • Click Apply.

  • Click OK.
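
Worked example for the two syslog targets above (added here; not part of the original document): the receiving side. Because Secure log transmission is unchecked, the lines arrive as clear-text UDP syslog on port 514, each carrying a PRI header whose facility (LOCAL0 = 16 for the Firewall log, LOCAL1 = 17 for the Web Filter log) tells the collector which stream a line belongs to. The sample lines are constructed to resemble the key=value body of the Device Standard Format; the field names are illustrative and should be checked against a real capture.

```python
# Added example (not from the SMRU document): decode the syslog PRI to route lines by facility
# (LOCAL0 -> Firewall log, LOCAL1 -> Web Filter log) and parse the key=value body. The sample
# lines are constructed; field names such as fw_rule_id are illustrative.
import re
from collections import Counter
from typing import Dict, List

FACILITY_ROUTE = {16: "Firewall log", 17: "Web Filter log"}   # LOCAL0 = 16, LOCAL1 = 17
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bareword

# Constructed sample lines: <134> is LOCAL0.info (16*8+6), <142> is LOCAL1.info (17*8+6).
SAMPLE_LINES = [
    '<134>device="SFW" date=2024-01-15 time=09:12:01 timezone="+07" device_name="XG125" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" '
    'fw_rule_id=3 src_ip=10.10.1.55 dst_ip=8.8.8.8 protocol="UDP" dst_port=53',
    '<142>device="SFW" date=2024-01-15 time=09:12:05 timezone="+07" device_name="XG125" '
    'log_type="Content Filtering" log_component="HTTP" log_subtype="Denied" status="Deny" '
    'user_name="jdoe" src_ip=10.10.1.55 url="http://example.invalid/" category="Gambling"',
    '<134>device="SFW" date=2024-01-15 time=09:12:09 timezone="+07" device_name="XG125" '
    'log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" '
    'fw_rule_id=0 src_ip=192.168.25.77 dst_ip=10.10.1.1 protocol="TCP" dst_port=445',
]


def parse_line(line: str) -> Dict[str, object]:
    """Split PRI into facility/severity, pick the route, and parse the key=value body."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no syslog PRI header")
    facility, severity = divmod(int(m.group(1)), 8)
    fields = {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(m.group(2))}
    return {
        "facility": facility,
        "severity": SEVERITY[severity],
        "route": FACILITY_ROUTE.get(facility, "unrouted"),
        "fields": fields,
    }


def route_lines(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group parsed events by the log target they belong to."""
    routed: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        event = parse_line(line)
        routed.setdefault(str(event["route"]), []).append(event["fields"])  # type: ignore[arg-type]
    return routed


def denied_sources(lines: List[str]) -> Dict[str, int]:
    """Count Deny events per source IP across both logs: a first triage view for the collector."""
    counts: Counter = Counter()
    for line in lines:
        fields = parse_line(line)["fields"]
        if fields.get("status") == "Deny" and "src_ip" in fields:  # type: ignore[union-attr]
            counts[fields["src_ip"]] += 1  # type: ignore[index]
    return dict(counts)


if __name__ == "__main__":
    for route, events in route_lines(SAMPLE_LINES).items():
        print(f"{route}: {len(events)} event(s)")
    print("denied per source:", denied_sources(SAMPLE_LINES))
```

Routing on the facility is what makes the two separate log entries above worthwhile on the collector side: the same parser handles both streams, and the facility alone decides which file or index a line goes to without inspecting its body.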

7.23. Active Threat Response

7.23.1. MDR Threat Feeds

  • Select PROTECT > Active threat response.

  • Select MDR threat feeds tab.

  • Enable MDR threat feeds.

  • Choose Log and drop.

  • Click Apply.

7.23.2. Sophos-X-Ops threat feeds (Advanced threat protection)

  • Select PROTECT > Sophos-X-Ops threat feeds (Active threat protection).

  • Enable Sophos-X-Ops threat feeds.

  • Choose Log and drop.

  • Choose Inspect untrusted content.

7.24. Intrusion Prevention

  • Select PROTECT > Intrusion prevention.

  • Select IPS policies.

  • Enable IPS protection.

  • Click Add to add the policy.

  • Type "LAN to WAN" in the Name field.

  • Type Block backdoor malware and scan the traffic flowing from LAN to WAN; Primarily intended to secure LAN-based client(s) in the Description field.

  • Select LAN TO WAN for Clone rules.

  • Click Save.

  • Click Edit icon for "LAN to WAN".

  • Click Add.

  • Type Malware Backdoor in the Rule name field.

  • Check malware-backdoor for the Category.

  • Click OK.

  • Choose Select all.

  • Select Drop packet for Action.

  • Click Save.

  • Click Save.

  • Select PROTECT > Rules and Policies.

  • Expand Outgoing - LAN.

  • Select Allow LAN to WAN traffic rule.

  • Scroll down to the bottom.

  • Select "LAN to WAN" for Detect and prevent exploits (IPS).

  • Click Save.

  • Select Allow Proxy rule.

  • Scroll down to the bottom.

  • Select "LAN to WAN" for Detect and prevent exploits (IPS).

  • Click Save.

8. HA

Auxiliary Device

  • Set the LAN interface IP to 10.10.1.254.

  • Select CONFIGURE > Network.

  • Select Port8.

    Name                    HA-Port8
    Hardware                Port8
    Network zone            DMZ
    
    ■ IPv4 configuration
    
    IP assignment           ● Static        ○ PPPoE(DSL)    ○ DHCP
    IPv4/netmask            172.16.16.2
    
    Gateway detail
    Gateway name
    Gateway IP
    
    □ IPv6 configuration
  • Click Save.

  • Click Update interface.

  • Select SYSTEM > Administration.

  • Select the Device access tab.

  • Check DMZ | SSH.

  • Click Apply.

  • Click OK.

  • Select CONFIGURE > System services.

  • Select the High availability tab.

    Initial device role                             ○ Primary (active-passive)      ● Auxiliary     ○ Primary (active-active)
    HA configuration mode                           ○ QuickHA mode  ● Interactive mode
    Passphrase                                      X1/%Bbvih86pN0kd
    Dedicated HA link                               HA-Port8
  • Click Save.

Primary Device

  • Set the LAN interface IP to 10.10.1.170.

  • Select CONFIGURE > Network.

  • Select Port8.

    Name                    HA-Port8
    Hardware                Port8
    Network zone            DMZ
    
    ■ IPv4 configuration
    
    IP assignment           ● Static        ○ PPPoE(DSL)    ○ DHCP
    IPv4/netmask            172.16.16.1
    
    Gateway detail
    Gateway name
    Gateway IP
    
    □ IPv6 configuration
  • Click Save.

  • Click Update interface.

  • Select SYSTEM > Administration.

  • Select the Device access tab.

  • Check DMZ | SSH.

  • Click Apply.

  • Click OK.

  • Connect the LAN cable between the HA ports (Port8) of the Primary and Auxiliary devices.

  • Select CONFIGURE > System services.

  • Select the High availability tab.

    Initial device role                             ● Primary (active-passive)      ○ Auxiliary     ○ Primary (active-active)
    HA configuration mode                           ○ QuickHA mode  ● Interactive mode
    Cluster ID                                      0
    Passphrase                                      X1/%Bbvih86pN0kd
    Dedicated HA link                               HA-Port8
    Dedicated peer HA link IPv4 address             172.16.16.2
    Select ports to be monitored                    LAN-Port1
    
    Peer administration settings                    Interface: LAN-br0      IPv4 address: 10.10.1.254       IPv6 address
    Reserve bridge port                             LAN-Port1
    Keepalive request interval                      Send a request every 250 milliseconds (250-500)
    Keepalive attempts                              Make 16 attempts before determining it as device failure (16-24)
    Use host or hypervisor-assigned MAC address     □
    Fail back to primary device after it recovers   ■
  • Click Initiate HA.

  • Click OK.

  • Login to both Primary and Auxiliary device through CLI console.

  • Type 4 and press Enter.

  • Type system ha show logs and press Enter.

9. Wireless

9.1. Wireless Networks

9.1.1. Private

  • Select PROTECT > Wireless.

  • Select the Wireless networks tab.

  • Click Add.

    Name                    SMRU
    Hardware                wlnet1
    Description
    SSID                    SMRU
    Security mode           WPA2 Personal
    Passphrase              ********
                            ********
    Client traffic          Bridge to AP LAN
  • Click Save.

9.1.2. Guest

  • Select PROTECT > Wireless.

  • Select the Wireless networks tab.

  • Click Add.

    Name                    SMRU-Guest
    Hardware                wlnet1
    Description
    SSID                    SMRU-Guest
    Security mode           No Encryption
    Client traffic          Bridge to AP LAN
  • Click Save.

9.2. Access Points

Register AP

  • Select PROTECT > Wireless.

  • Select the Access points tab.

  • Check APX320[<serial number>].

  • Click Accept.

  • Click OK to confirm.

Configure AP

  • Select PROTECT > Wireless.

  • Select the Access points tab.

  • Select APX320[<serial number>].

  • Type SMRU-AP04 in the Label field.

  • Select Thailand for the Country.

  • Add SMRU for the Wireless networks.

  • Click Save.

10. Import & Export

10.1. Export

  • Note: Exporting a full configuration takes several minutes, and the resulting API-*.tar file is one or more megabytes in size.

  • Select SYSTEM > Backup & firmware.

  • Select the Import export tab.

  • Choose Export selective configuration.

  • Click Add new item.

  • Select one or more of the following entities.

  • Hosts and services > IP host: Check IPHost.

  • Rules and policies > Firewall rules: Check FirewallRule.

  • Rules and policies > Firewall rule groups: Check FirewallRuleGroup.

  • Rules and policies > NAT rules: Check NATRule.

  • VPN > IPsec connections: Check VPNIPSecConnection.

  • Click Apply 1 selected items.

  • Uncheck Include dependent entity.

  • Click Export.

  • Click Download.

  • Click Choose File.

  • Click OK.

  • Wait for the download to finish.

10.2. Edit

  • Extract the Entities.xml file from the downloaded file.

  • Edit the Entities.xml file.

  • Compress the Entities.xml file to a .tar file.

10.3. Convert xml

  • Extract the Entities.xml file from the downloaded API-*.tar file to the O:\Tmp folder.

  • Enter the following commands at a Command Line.

    xsltproc /usr/local/share/sophos-firewall-rules.xsl /home/Other/Tmp/Entities.xml | sed "s/,;/;/g" > smru-sfw-mrm-firewall-rules.xml
    xsltproc /usr/local/share/sophos.xsl /home/Other/Tmp/Entities.xml | sed "s/,;/;/g" > smru-sfw-mrm-vpn.xml
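
Worked example for the conversion step above (added here; it is not part of the original document and not the xsl stylesheets the commands use): a Python stand-in that flattens the FirewallRule entries of an Entities.xml export into one row per rule, in the column order of the tables in 7.12.1, and flags Accept rules whose traffic logging is off, since every rule in this document carries LOG. The sample XML is constructed; its element names follow the shape of the Sophos XML API export as I understand it, so treat the exact tag names as an assumption to be checked against a real Entities.xml.

```python
# Added example (not from the SMRU document): flatten FirewallRule entries from a Sophos
# Entities.xml export and flag Accept rules without logging. The XML below is constructed and
# the element names are an assumption about the export format.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAMPLE_ENTITIES_XML = """<Configuration APIVersion="1905.1">
  <FirewallRule transactionid="">
    <Name>Allow DNS</Name>
    <Status>Enable</Status>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
      <Action>Accept</Action>
      <LogTraffic>Enable</LogTraffic>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <SourceNetworks><Network>MST Local Network</Network></SourceNetworks>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
      <DestinationNetworks><Network>Any host</Network></DestinationNetworks>
      <Services><Service>DNS</Service></Services>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Allow Proxy</Name>
    <Status>Enable</Status>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
      <Action>Accept</Action>
      <LogTraffic>Disable</LogTraffic>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <SourceNetworks><Network>MST Local Network</Network></SourceNetworks>
      <DestinationZones><Zone>WAN</Zone></DestinationZones>
      <DestinationNetworks><Network>Any host</Network></DestinationNetworks>
      <Services><Service>TCP 8080</Service></Services>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Allow traffic to MST database servers</Name>
    <Status>Enable</Status>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
      <Action>Accept</Action>
      <LogTraffic>Enable</LogTraffic>
      <SourceZones><Zone>LAN</Zone></SourceZones>
      <SourceNetworks><Network>MKT Local Network</Network></SourceNetworks>
      <DestinationZones><Zone>VPN</Zone></DestinationZones>
      <DestinationNetworks><Network>SMRU-DBD-MST</Network><Network>SMRU-DBP-MST</Network></DestinationNetworks>
      <Services><Service>PING</Service><Service>"SMRU" MSSQL</Service></Services>
    </NetworkPolicy>
  </FirewallRule>
</Configuration>
"""

COLUMNS = ["Name", "Source", "Destination", "What", "Action", "Log"]


def _join(parent: Optional[ET.Element], child_tag: str) -> str:
    """Collect repeated children (zones, networks, services) into one comma-separated cell."""
    if parent is None:
        return ""
    return ", ".join((child.text or "").strip() for child in parent.findall(child_tag))


def flatten_rules(xml_text: str) -> List[Dict[str, str]]:
    """One row per FirewallRule with a NetworkPolicy, in the column order of 7.12.1."""
    root = ET.fromstring(xml_text)
    rows: List[Dict[str, str]] = []
    for rule in root.findall("FirewallRule"):
        policy = rule.find("NetworkPolicy")
        if policy is None:
            continue
        rows.append({
            "Name": (rule.findtext("Name", "") or "").strip(),
            "Source": f'{_join(policy.find("SourceZones"), "Zone")}, '
                      f'{_join(policy.find("SourceNetworks"), "Network")}',
            "Destination": f'{_join(policy.find("DestinationZones"), "Zone")}, '
                           f'{_join(policy.find("DestinationNetworks"), "Network")}',
            "What": _join(policy.find("Services"), "Service"),
            "Action": (policy.findtext("Action", "") or "").strip(),
            "Log": (policy.findtext("LogTraffic", "") or "").strip(),
        })
    return rows


def accept_rules_without_logging(rows: List[Dict[str, str]]) -> List[str]:
    """Names of Accept rules that do not log, i.e. rules that would not satisfy the LOG column."""
    return [row["Name"] for row in rows if row["Action"] == "Accept" and row["Log"] != "Enable"]


def to_table(rows: List[Dict[str, str]]) -> str:
    """Render rows as an aligned text table in the style of Tables 9 and 10."""
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in COLUMNS}

    def line(cells: Dict[str, str]) -> str:
        return "  ".join(cells[c].ljust(widths[c]) for c in COLUMNS).rstrip()

    dashes = "  ".join("-" * widths[c] for c in COLUMNS)
    return "\n".join([line({c: c for c in COLUMNS}), dashes] + [line(r) for r in rows])


if __name__ == "__main__":
    rules = flatten_rules(SAMPLE_ENTITIES_XML)
    print(to_table(rules))
    print("Accept rules without logging:", accept_rules_without_logging(rules))
```

The audit function is the useful part: run over a real export it lists any rule that accepts traffic without producing firewall log lines, which would leave a gap in the Firewall log stream configured in 7.22.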

10.4. Import

  • Select SYSTEM > Backup & firmware.

  • Select the Import export tab.

  • Click Browse.

  • Select the .tar file.

  • Click Open.

  • Click Import.

11. Central synchronization

  • Note: To register with Sophos Central, you need a Sophos Central account.

Deregister

  • Select SYSTEM | Sophos Central.

  • Click Deregister.

  • Click OK.

Register

  • Select SYSTEM | Sophos Central.

  • Click Register.

  • Choose Use email address.

  • Type smru-it@shoklo-unit.com in the Email address field.

  • Type the password in the Password field.

  • Click Register.

  • Enable Security Heartbeat.

  • Enable Synchronized Application Control.

  • v17.5: Enable Manage from Sophos Central.

  • v18.0: Enable Sophos Central services.

    • Check Send reports and logs to Sophos Central.

    • Check Manage from Sophos Central.

  • Check Send configuration backup to Sophos Central.

  • Click Apply.

  • Logon to https://central.sophos.com with Sophos Central account.

  • Click Firewall Management.

  • Click Show All Firewalls.

  • Click Approval Pending.

  • Click Accept services.

12. OS upgrade/downgrade

12.1. USB bootable

  • Run the balenaEtcher-Portable-1.5.109.exe portable file with administrative privileges.

  • Click Flash from file.

  • Select HW-17.5.14_MR-14-1-714.iso file and click Open.

  • Click Change.

  • Select the USB device.

  • Click Select(1).

  • Click Flash!.

  • Wait about 2 minutes for the flashing to finish.

  • Close Etcher.

12.2. Installation

  • Attach the OS USB in Sophos XG/XGS Hardware Appliance.

  • Connect the keyboard to Sophos XG/XGS Hardware Appliance.

  • Press the power button to start Sophos XG/XGS.

  • Press F7 key to boot from the USB key.

  • Select Yes and press Enter.

  • Wait for the device to reboot and finish the OS installation.

  • Detach the OS USB.

  • Press Y and Enter to reboot the device.

13. Firmware Upgrade

Name            Model           Version Remarks
============    ==============  ======= =======
smru-sfw-hph    Sophos XG 125   19.0.0
smru-sfw-mku    Sophos XG 125   19.0.0
smru-sfw-mkt    Sophos XG 125   19.5.0
smru-sfw-msl    Sophos XG 125   19.0.0
smru-sfw-skk    Sophos XG 125   19.0.0  Fan     12.0V, 3.4A

smru-sfw-tst    Sophos XG 135   19.5.0S Fan     12V, 3A
smru-sfw-wpa    Sophos XG 135   19.5.0

smru-sfw-mla    Sophos XGS 126  19.5.0          12.0V, 12.5A, 150.0W
smru-sfw-mrm    Sophos XGS 126  19.5.0          12.0V, 12.5A, 150.0W
smru-sfw-mrh    Sophos XGS 126  19.5.0          12.0V, 12.5A, 150.0W

13.1. Firmware is available

  • Browse to https://192.168.##.170:4444.

  • Log in as admin.

  • Select System > Backup & firmware > Firmware.

  • Select HW-18.0.4_MR-4.SF300-506 | GA | Download.

  • Wait for the download to finish.

  • Select HW-18.0.4_MR-4.SF300-506 | GA | Install.

  • Select HW-18.0.5_MR-5.SF300-586 | GA | Install.

  • Wait for the installation to finish.

  • Wait for the firewall to reboot.

13.2. Firmware to be uploaded

  • Note: Copy the .sig file to a remote site computer when having a slow internet connection.

  • Note: Browse to the firewall from the remote site computer to upload the .sig file.

  • Note: Browse to the firewall from your local computer to boot the firmware image.

  • Browse to https://192.168.##.170:4444.

  • Log in as admin.

  • Select System > Backup & firmware > Firmware.

  • Select Inactive SFOS version | Upload firmware.

  • Click Browse.

  • Select the W:\Firmware\Sophos\XG folder.

  • XG 125/135: Select the HW-19.5.0_GA.SF300-197.sig file.

  • XGS 126: Select the HW-19.5.0_GA.SF310-197.sig file.

  • Click Open.

  • Click Upload firmware.

  • Click OK to confirm.

  • Wait for the upload to finish.

  • Select SFOS 19.5.0 GA-Build197 | Boot firmware image.

  • Click OK to confirm.

  • Wait for the installation to finish.

  • Wait for the firewall to reboot.

14. Restore Backup

  • See Backup-restore compatibility check.

  • Connect the computer to the Sophos Firewall via the LAN port.

  • Factory Default: Browse to https://172.16.16.16:4444.

  • MRH: Browse to https://10.20.1.170:4444.

  • MKT: Browse to https://192.168.25.170:4444.

  • Log in as admin.

  • Select SYSTEM > Backup & Firmware in the left navigation panel.

  • Click Choose file in Backup restore | Restore configuration.

  • Select the backup file and click Choose.

  • Type the backup encryption password in the Password field.

  • Click Upload and Restore.

  • Click OK in the Notification popup warning that the current configuration will be lost.

  • Type Password for Secure Storage Master Key.

  • Wait for the upload of the backup to finish.

  • Wait for the firewall to reboot.

15. Troubleshooting

16. Certificates

  • Note: If the Default certificate is updated, all SSL VPN connections will be disconnected and you need to download the SSL VPN configuration to add it to the clients.

  • Note: The Default certificate allows for easy logon to the Admin console of the Sophos firewall for IT staff.

  • Note: The SecurityAppliance_SSL certificate allows for all users to get proper Sophos firewall messages inside their web browser.

  • This is the procedure to follow for each Sophos Firewall.

    1. Select the ApplianceCertificate certificate for SYSTEM | Administration | Admin and user settings | Certificate | ApplianceCertificate and click Apply, then click OK.

    2. Generate a new SYSTEM | Certificates | Certificate authorities | Default certificate.

    3. Generate a new SYSTEM | Certificates | Certificate authorities | SecurityAppliance_SSL_CA certificate.

    4. Generate a new SYSTEM | Certificates | Certificates | ApplianceCertificate certificate.

    5. Delete any existing SYSTEM | Certificates | Certificates | LSC certificate.

    6. Generate a new SYSTEM | Certificates | Certificates | LSC smru-sfw-tst certificate.

    7. Select the LSC smru-sfw-tst certificate for SYSTEM | Administration | Admin and user settings | Certificate.

  • Select SYSTEM | Administration.

  • Select Admin and user settings tab.

  • Select ApplianceCertificate for Certificate under Admin console and end-user interaction.

  • Choose Use a different hostname:.

  • Type the firewall's own LAN IP address for the hostname: 10.10.1.170 on smru-sfw-mrm, 10.20.1.170 on smru-sfw-mrh or 10.30.1.170 on smru-sfw-tst.

  • Click Apply under Admin console and end-user interaction.

  • Click OK to confirm.

  • Select SYSTEM | Certificates.

  • Select the Certificate authorities tab.

  • Select Default.

    Name                    Default
    Country name            Thailand
    State                   NA
    Locality name           NA
    Organization name       SMRU
    Organization unit name  NA
    Common name             smru-sfw-mrm                            smru-sfw-tst            smru-sfw-mrh
    Email address           smru-it@shoklo-unit.com
    Private key passphrase  ********
    Key Type                ● RSA   ○ Elliptic curve
    Key length              2048
    Secure hash             SHA-256
  • Click Save.

  • Click OK to confirm.

  • Click the Default | Download icon to download the Default certificate authority.

  • Note: The downloaded local_certificate_authority.tar.gz file contains the Default.der and Default.pem files.

  • Extract the Default.pem file from the local_certificate_authority.tar.gz file into the T:\IT\Public\X509 Certificates\SMRU-IT folder and rename it to smru-sfw-<site>_CA.pem, that is smru-sfw-mrm_CA.pem, smru-sfw-mrh_CA.pem or smru-sfw-tst_CA.pem depending on the firewall it was downloaded from.

  • Click the SecurityAppliance_SSL_CA | Regenerate certificate authority icon to regenerate the SecurityAppliance_SSL_CA certificate authority.

  • Click OK to confirm.

  • Click the SecurityAppliance_SSL_CA | Download icon to download the SecurityAppliance_SSL_CA certificate.

  • Copy the SecurityAppliance_SSL_CA.pem file to the T:\IT\Public\X509 Certificates\All folder and rename it to SecurityAppliance_SSL_CA-smru-sfw-<site>.pem, that is SecurityAppliance_SSL_CA-smru-sfw-mrm.pem, SecurityAppliance_SSL_CA-smru-sfw-mrh.pem or SecurityAppliance_SSL_CA-smru-sfw-tst.pem depending on the firewall it was downloaded from.

  • Select the Certificates tab.

  • Click the ApplianceCertificate | Regenerate certificate icon to regenerate the ApplianceCertificate certificate.

  • Click OK to confirm.

  • Click the LSC * | Delete icon to delete any LSC locally-signed certificate.

  • Click OK to confirm.

  • Click Add to generate a new certificate.

  • Choose Generate locally-signed certificate.

  • Note: Use the current date and the last acceptable date of 2036-12-31 for the Valid from and Valid until fields. Be aware that Apple platforms refuse TLS server certificates whose validity exceeds 825 days, so Safari on macOS and iOS may still warn about this certificate even with the CA installed.

    Certificate details
    
    Name                    LSC smru-sfw-mrm                        LSC smru-sfw-tst        LSC smru-sfw-mrh
    Valid from              <current date>
    Valid until             2036-12-31
    Key type                ● RSA   ○ Elliptic curve
    Key length              2048
    Secure hash             SHA-256
    
    Subject name attributes
    
    Country name            Thailand
    State                   NA
    Locality name           NA
    Organization name       SMRU
    Organization unit name  NA
    Common name             smru-sfw-mrm                            smru-sfw-tst            smru-sfw-mrh
    Email address           smru-it@shoklo-unit.com
    
    Distinguished name      /C=TH/ST=NA/L=NA/O=SMRU/OU=NA/CN=smru-sfw-mrm/emailAddress=smru-it@shoklo-unit.com
    Distinguished name      /C=TH/ST=NA/L=NA/O=SMRU/OU=NA/CN=smru-sfw-tst/emailAddress=smru-it@shoklo-unit.com
    Distinguished name      /C=TH/ST=NA/L=NA/O=SMRU/OU=NA/CN=smru-sfw-mrh/emailAddress=smru-it@shoklo-unit.com
    
    Subject Alternative Names (SANs)
    
    DNS names               fw.shoklo-unit.com                      smru-sfw-tst            smru-sfw-mrh
    IP addresses            110.77.143.113
                            10.10.1.170                             10.30.1.170             10.20.1.170
    
    Advanced settings
    Certificate ID          DNS             smru-sfw-mrm            smru-sfw-tst.dyndns.org smru-sfw-mrh.dyndns.org
  • Click Save.

  • Select SYSTEM | Administration.

  • Select Admin and user settings tab.

  • Select the LSC certificate generated for this firewall (LSC smru-sfw-mrm, LSC smru-sfw-tst or LSC smru-sfw-mrh) for Certificate under Admin console and end-user interaction.

  • Choose Use a different hostname:.

  • Type the firewall's own LAN IP address for the hostname: 10.10.1.170 on smru-sfw-mrm, 10.20.1.170 on smru-sfw-mrh or 10.30.1.170 on smru-sfw-tst.

  • Click Apply under Admin console and end-user interaction.

  • Click OK to confirm.
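
  • The following script is an added example for this runbook, not Sophos code or a tool the page describes. It checks the result of the procedure above: it connects to a firewall's admin console with the downloaded smru-sfw-<site>_CA.pem as the only trust anchor, reports any DNS or IP SAN from the LSC table that the served certificate lacks (a missing SAN is exactly what produces the browser warning on that address), and flags a validity longer than 825 days, the ceiling Apple platforms enforce for TLS server certificates. The expected SANs are copied from the table above; the sample certificate dictionary is constructed in the shape Python's getpeercert() returns, so the script also runs offline.

```python
"""Check the certificate a Sophos Firewall admin console presents on port 4444.

Added example for this runbook (not Sophos code). With the downloaded
smru-sfw-<site>_CA.pem as the only trust anchor it connects to the firewall,
then checks that the SANs cover every name and address the LSC table lists
and that the validity period does not exceed 825 days.
"""
import socket
import ssl
import sys

# Expected SANs per firewall, copied from the LSC table in this section.
EXPECTED_SANS = {
    "smru-sfw-mrm": {"DNS": {"fw.shoklo-unit.com"},
                     "IP Address": {"110.77.143.113", "10.10.1.170"}},
    "smru-sfw-tst": {"DNS": {"smru-sfw-tst"}, "IP Address": {"10.30.1.170"}},
    "smru-sfw-mrh": {"DNS": {"smru-sfw-mrh"}, "IP Address": {"10.20.1.170"}},
}
MAX_VALIDITY_DAYS = 825  # Apple's limit for TLS server certificates

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the SAN list lacks the public address and the validity runs to 2036-12-31.
SAMPLE_CERT = {
    "subject": ((("countryName", "TH"),), (("organizationName", "SMRU"),),
                (("commonName", "smru-sfw-mrm"),)),
    "subjectAltName": (("DNS", "fw.shoklo-unit.com"), ("IP Address", "10.10.1.170")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 00:00:00 2036 GMT",
}


def fetch_peercert(host, port=4444, cafile=None):
    """Return getpeercert() for host:port after verifying the chain against cafile.

    host may be an IP address; OpenSSL then matches it against IP Address SANs,
    which is what the admin console needs when it is browsed to by IP.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def san_sets(cert):
    """Group the certificate's SANs as {san_type: set(values)}."""
    out = {}
    for san_type, value in cert.get("subjectAltName", ()):
        out.setdefault(san_type, set()).add(value)
    return out


def missing_sans(cert, expected):
    """Return the expected SANs the certificate does not carry, by type."""
    have = san_sets(cert)
    return {t: v - have.get(t, set()) for t, v in expected.items() if v - have.get(t, set())}


def validity_days(cert):
    """Length of the validity period in days."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / 86400


def check_cert(cert, firewall):
    """Return the findings for cert against the expectations for firewall; [] means OK."""
    findings = []
    for san_type, values in sorted(missing_sans(cert, EXPECTED_SANS[firewall]).items()):
        findings.append(f"missing {san_type} SAN(s): {', '.join(sorted(values))}")
    days = validity_days(cert)
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days:.0f} days exceeds {MAX_VALIDITY_DAYS} days")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:  # live check: firewall name, address, CA file
        name, host, cafile = sys.argv[1:]
        cert = fetch_peercert(host, cafile=cafile)
    else:  # offline demonstration on the constructed sample
        name, cert = "smru-sfw-mrm", SAMPLE_CERT
    for finding in check_cert(cert, name) or ["certificate is as expected"]:
        print(f"{name}: {finding}")
```

  • Run it as python check_fw_cert.py smru-sfw-mrm 10.10.1.170 smru-sfw-mrm_CA.pem from a machine that has not yet imported the CA into its system store; a handshake failure then means the CA file does not match what the firewall serves, while a SAN finding means the LSC certificate was generated without that name or address.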

16.1. Private CA

16.1.1. Certificate Authorities

  • Select SYSTEM | Certificates.

  • Select Certificate authorities tab.

  • Click Add.

  • Click Browse or Choose File for the certificate.

  • Select the T:\IT\Helpdesk\X509 Certificates\SMRU-CA.pem file.

  • Click Open.

  • Choose Signing and validation.

  • Click Browse or Choose File for the private key.

  • Select the T:\IT\Helpdesk\X509 Certificates\SMRU-CA.key file.

  • Click Open.

  • Type the certificate level 1 password in the Private key passphrase field.

  • Click Save.

16.1.2. Certificates

  • Select SYSTEM | Certificates.

  • Select Certificates tab.

  • Click Add.

  • Type _SMRU-Sophos-Firewall-Admin-Console in the Name field.

  • Click Browse or Choose File for the certificate.

  • Select the T:\IT\Helpdesk\X509 Certificates\SMRU-Sophos-Firewall-Admin-Console.pem file.

  • Click Open.

  • Click Browse or Choose File for the private key.

  • Select the T:\IT\Helpdesk\X509 Certificates\SMRU-Sophos-Firewall.key file.

  • Click Open.

  • Type the certificate level 2 password in the Passphrase or preshared key field.

  • Click Save.

16.1.3. Admin And User Settings

  • Select SYSTEM | Administration.

  • Select Admin and user settings tab.

  • Select @SMRU-Sophos-Firewall-Admin-Console for the Certificate under Admin console and end-user interaction section.

  • Click Apply.

  • Click OK to confirm.

16.1.4. SSL/TLS Inspection Rules

  • Select PROTECT | Rules and policies.

  • Select SSL/TLS inspection rules tab.

  • Click SSL/TLS inspection settings.

  • Select @SMRU Root CA (RSA) for Re-sign RSA with.

  • Select @SMRU Root CA (RSA) for Re-sign EC with.

  • Click Save.

16.2. Installation

16.2.1. Delta Windows Tools

  • Enter the following commands at a Command Prompt with administrative privileges.

    net use T: \\SMRU-SRV\Teams$ /Persistent:No
    Set-ConfigWindowsCertificateStore

16.2.2. Local Linux Computer

  • Log in as smru on tbhf-ops-mrm.

  • Enter the following commands at a Command Line.

    # Mount the Teams share (you are prompted for the password of <User>).
    sudo mkdir -p /media/Teams
    sudo mount -t cifs -o username=<User>,domain=SMRU,vers=3.0 //SMRU-SRV/Teams$ /media/Teams
    
    # Copy each firewall's CA into the local trust store and rebuild /etc/ssl/certs.
    folder="/media/Teams/IT/Public/X509 Certificates/SMRU-IT"
    sites="mst tst mkt mla wpa msl hph skk mku"
    sudo mkdir -p /usr/local/share/ca-certificates/smru
    for site in ${sites}; do
      # See https://thomas-leister.de/en/how-to-import-ca-root-certificate
      #sudo /bin/cp "${folder}/Default-ca-smru-sfw-${site}.pem" "/usr/local/share/ca-certificates/smru/smru-sfw-${site}_CA.crt" 2> /dev/null
      #sudo /bin/cp "${folder}/smru-sfw-${site}_CA.pem"         "/usr/local/share/ca-certificates/smru/smru-sfw-${site}_CA.crt" 2> /dev/null
      sudo /bin/cp "${folder}/smru-sfw-${site}_CA.pem"         "/usr/local/share/ca-certificates/smru/smru-sfw-${site}_CA.crt"
      sudo chmod a-x "/usr/local/share/ca-certificates/smru/smru-sfw-${site}_CA.crt"
    done
    sudo update-ca-certificates
    
    sudo umount /media/Teams
    
    # Verify: this must succeed without --insecure, otherwise the CA was not picked up.
    curl https://smru-sfw-tst.dyndns.org:4444

16.2.3. Local Windows Computer

  • Option 1

    • Enter the following commands at a Command Prompt with administrative privileges.

    certutil.exe -addstore root "T:\IT\Public\X509 Certificates\SMRU-IT\smru-sfw-mrm_CA.pem"
    
    rem Verify against the firewall whose CA was just imported (smru-sfw-mrm); it must succeed without --insecure.
    curl.exe https://10.10.1.170:4444
  • Option 2

    • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    $FilePath = "T:\IT\Public\X509 Certificates\SMRU-IT"
    Import-Certificate -FilePath "$FilePath\smru-sfw-mrm_CA.pem" -CertStoreLocation Cert:\LocalMachine\Root

17. VPN

17.1. SSL VPN (remote access)

  • Note: When the firewall sits behind an ISP router instead of terminating PPPoE itself, port 8443 (TCP, or UDP if that protocol is selected in the SSL VPN global settings) must be forwarded on the ISP router to the firewall.

17.1.1. Configuration of Sophos Firewall

  • Select CONFIGURE > Authentication > Groups.

  • Click Add.

    Group name                      MRM SSL VPN group
    Description
    Group type                      Normal
    Surfing quota                   Unlimited Internet Access
    Access time                     Allowed all the time
    Network traffic                 None
    Traffic shaping                 None
    SSL VPN policy                  MST SSL VPN policy
    Clientless SSL VPN policy       No policy applied
    L2TP                            ○ Enable        ● Disable
    PPTP                            ○ Enable        ● Disable
    Quarantine digest               ○ Enable        ● Disable
    MAC binding                     ○ Enable        ● Disable
    IPsec remote access             ○ Enable        ● Disable
    Sign-in restriction             ● Any node      ○ Selected nodes        ○ Node range
  • Click Save.

  • Select CONFIGURE > Authentication > Users.

  • Click Add.

    Username                        John.vpn
    Name                            John Smith
    Description
    User type                       ● User  ○ Administrator
    Profile                         Profile
    Password                        ********
                                    ********
    Email                           john@shoklo-unit.com
    Group                           MRM SSL VPN group
    Surfing quota                   Unlimited Internet Access
    Access time                     Allowed all the time
    Network traffic                 None
    Traffic shaping                 None
    SSL VPN policy                  MST SSL VPN policy
    Clientless SSL VPN policy       No policy applied
    IPsec remote access             ○ Enable        ● Disable       IP address
    L2TP                            ○ Enable        ● Disable       IP address
    PPTP                            ○ Enable        ● Disable       IP address
    Quarantine digest               ○ Enable        ● Disable
    MAC binding                     ○ Enable        ● Disable
    MAC address list
    Simultaneous sign-ins           ■ Use global setting    ■ Unlimited
    Sign-in restriction             ○ Any node      ● User group node(s)
                                    ○ Selected nodes        ○ Node range
  • Click Save.

  • Select SYSTEM > Hosts and services > IP host.

  • Click Add.

    Name                            MST Local Network
    IP version                      ● IPv4  ○ IPv6
    Type                            ○ IP    ● Network       ○ IP range      ○ IP list
    IP address                      10.10.1.0       Subnet  /24(255.255.255.0)
    IP host group
  • Click Save.

  • Select SYSTEM > Hosts and services > IP host.

  • Click Add.

    Name                            MST SSL VPN Network
    IP version                      ● IPv4  ○ IPv6
    Type                            ○ IP    ● Network       ○ IP range      ○ IP list
    IP address                      10.10.9.0       Subnet  /24(255.255.255.0)
    IP host group
  • Click Save.

  • Select CONFIGURE > Remote access VPN > SSL VPN.

  • Click Add.

    General settings
        Name                                                MST SSL VPN policy
        Description
    
    Identity
        Policy members                                      MRM SSL VPN group
    
    Tunnel access
        Use as default gateway                              OFF
        Permitted network resources (IPv4)                  MST Local Network
        Permitted network resources (IPv6)
    
    Idle time-out
        Disconnect idle clients                             OFF
        Override global time-out(Default 15 Minutes)
  • Click Apply.

  • Click OK.

  • Select CONFIGURE > Authentication > Services.

  • Click Add.

    Firewall authentication methods
    Authentication server list              Selected authentication server
                                            Local
    ■ Local
  • Click Apply.

  • Click OK.

    SSL VPN authentication methods
    ○ Same as VPN
    ○ Same as firewall
    ● Set authentication method for SSL VPN
    Authentication server list              Selected authentication server
                                            Local
    ■ Local
  • Click Apply.

  • Click OK.

  • Select SYSTEM > Administration > Device access.

  • Check LAN | User Portal.

  • Check LAN | VPN Portal.

  • Check WAN | SSL VPN.

  • Click Apply.

  • Click OK.

  • Note: To change VPN settings, the Sophos firewall needs to be registered.

  • Select CONFIGURE > Site-to-site VPN > SSL VPN > SSL VPN global settings.

    Protocol                        ● TCP   ○ UDP   (Select UDP for better performance)
    SSL server certificate          ApplianceCertificate
    Override hostname               smru-sfw-mrm.dyndns.org
    Port                            8443
    Assign IPv4 addresses           10.10.9.0       /24 (255.255.255.0)
    Assign IPv6 addresses           2001:db8::1:0   /64
    Lease mode                      IPv4 only
    □ Use static IP addresses
    IPv4 DNS                        10.10.1.1
    IPv4 WINS
    Domain name                     smru.shoklo-unit.com
    Disconnect dead peer after      180 Seconds
    Disconnect idle peer after      15 Minutes
    Encryption algorithm            AES-256-GCM
    Authentication algorithm        SHA2 256
    Key size                        2048 bit
    Key lifetime                    28800 Seconds
    ■ Compress SSL VPN traffic
    ■ Enable debug mode
  • Click Apply.

  • Click OK.

  • Select PROTECT > Rules and policies > Firewall rules.

  • Click Add firewall rule > New firewall rule.

    Rule name                       Allow MST SSL VPN clients
    Action                          Accept
    ■ Log firewall traffic
    Description
    Rule position                   Bottom
    Rule group                      VPN traffic
    
    Source zones                    VPN
    Source networks and devices     MST SSL VPN Network
    During scheduled time           All the time
    
    Destination zones               LAN
    Destination networks            MST Local Network
    Services                        Any
    
    ■ Match known users             MRM SSL VPN group
                                    □ Exclude this user activity from data accounting
    □ Use web authentication for unknown users
  • Click Save.

17.1.2. Configuration of certificates

  • Select SYSTEM > Certificates > Certificates.

  • Delete any old user VPN certificate.

  • Click the ApplianceCertificate | Regenerate certificate button.

  • Click OK.

17.1.3. Configuration of Windows client

  • Browse to the Sophos VPN Portal at SMRU-SFW-MRM.

    Username:                       Douwe.vpn
    Password:                       ********
  • Click Login.

  • Select SSL VPN.

  • Select Download client and configuration for Windows.

  • Note: When the OpenVPN GUI is up and running, the Sophos SSL VPN Client Setup detects this but doesn’t realise it is another VPN client and asks if the MST SSL VPN Client should be terminated. If you click Yes then it will close the OpenVPN GUI connection. Make sure to click No.

  • Run the sslvpn-douwe.vpn-client.exe file with administrative privileges.

  • Optional: Click No to skip terminating the MST SSL VPN Client.

  • Click Next.

  • Click I Agree.

    C:\Program Files (x86)\Sophos\MST SSL VPN Client
  • Click Install.

  • Uncheck Always trust software from "Sophos".

  • Click Install.

  • Click Next.

  • Click Finish.

17.2. SSL VPN (site-to-site)

  • Add an SSL VPN site-to-site server connection.

    • Browse to https://10.10.1.170:4444.

    • Login with admin user account.

    • Select CONFIGURE | VPN.

    • Select SSL VPN (site-to-site).

    • Click Add for the Server.

    • Type MSTtoMLA in the Connection name field.

    • Uncheck Use static virtual IP address

    • Click Add new item for Local networks.

    • Check MST Local Network.

    • Click Apply 1 selected items.

    • Click Add new item for Remote networks.

    • Check MLA Local Network.

    • Click Apply 1 selected items.

    Connection name         MSTtoMLA
    Description
                            □ Use static virtual IP address
    Local networks          MST Local Network
    Remote networks         MLA Local Network
    • Click Save.

    • Click the Download icon for MSTtoMLA.

    • Check Encrypt configuration file.

    • Type the Level 2 password in the Password field.

    • Type the Level 2 password again in the Confirm Password field.

    • Click Download.

    • Move the downloaded file to the T:\IT\Helpdesk\Sophos SSL VPN\Sites folder.

  • Add an SSL VPN site-to-site client connection.

    • Browse to https://192.168.26.170:4444.

    • Login with admin user account.

    • Select CONFIGURE | Site-to-site VPN.

    • Select SSL VPN.

    • Click Add for the Client.

    • Type MLAtoMST in the Connection name field.

    • Click Choose File.

    • Select server_MSTtoMLA.epc.

    • Click Open.

    • Type the Level 2 password in the Password field.

    • Uncheck Use HTTP Proxy server.

    • Uncheck Override peer hostname.

    Connection name         MLAtoMST
    Description
    Configuration file      Choose File | server_MSTtoMLA.epc
    Password                ******** (Level 2)
                            □ Use HTTP Proxy server
                            □ Override peer hostname
    • Click Save.

18. Templates

19. Command Line Prompt

  • The root prompt is defined in /etc/profile; the following commands, run as root, show it.

    # cat /etc/profile
    # echo "$PS1"
    PS1=root@`cat /etc/hostname`:$PWD'# '

20. API

20.1. Create read-only administrator profile

  • Select SYSTEM > Profiles.

  • Select the Device access tab.

  • Click Add.

  • Type APIreadall in Profile name field.

  • Choose Read-only for Configuration.

  • Click Save.

  • Select CONFIGURE > Authentication.

  • Select the Users tab.

  • Click Add.

  • Type APIreadall in the Username field.

  • Type APIreadall in the Name field.

  • Choose Administrator for the User type.

  • Select APIreadall for the Profile.

  • Type the password in the Password field.

  • Type the password again in the Confirm password field.

  • Type smru-it@shoklo-unit.com for the Email.

  • Select Open Group for the Group.

    Username                        apireadall
    Name                            APIreadall
    Description
    User type                       ○ User  ● Administrator
    Profile                         APIreadall
    Password                        ********
                                    ********
    Email                           smru-it@shoklo-unit.com
    Group                           Open Group
    Surfing quota                   Unlimited Internet Access
    Access time                     Allowed all the time
    Network traffic                 None
    Traffic shaping                 None
    SSL VPN policy                  No policy applied
    Clientless SSL VPN policy       No policy applied
    IPsec remote access             ○ Enable        ● Disable       IP address
    L2TP                            ○ Enable        ● Disable       IP address
    PPTP                            ○ Enable        ● Disable       IP address
    Quarantine digest               ○ Enable        ● Disable
    MAC binding                     ○ Enable        ● Disable
    MAC address list
    Simultaneous sign-ins           ■ Use global setting    ■ Unlimited
    Sign-in restriction             ○ Any node      ● User group node(s)
                                    ○ Selected nodes        ○ Node range
  • Click Save.

  • Select SYSTEM > Backup & firmware.

  • Select the API tab.

  • Check Enabled to enable the API.

  • Add 10.10.1.2 in the Allowed IP address field.

  • Click Apply.

  • Note: These one-liners put the administrator password in the URL, so it ends up in the shell history and in any proxy or web-server log, and --insecure skips certificate verification. Use them only for a quick test from the allowed IP address.

  • Enter the following commands at a Linux Command Line.

    curl --insecure 'https://10.10.1.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><FirewallRuleGroup></FirewallRuleGroup></Get></Request>'
    curl --insecure 'https://10.10.1.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><FirewallRule></FirewallRule></Get></Request>'
    curl --insecure 'https://10.10.1.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><NATRule></NATRule></Get></Request>'
    curl --insecure 'https://10.10.1.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><VPNIPSecConnection></VPNIPSecConnection></Get></Request>'
  • Enter the following commands at a Windows Command Prompt.

    curl.exe --insecure "https://192.168.32.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><FirewallRuleGroup></FirewallRuleGroup></Get></Request>"
    curl.exe --insecure "https://192.168.32.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><FirewallRule></FirewallRule></Get></Request>"
    curl.exe --insecure "https://192.168.32.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><NATRule></NATRule></Get></Request>"
    curl.exe --insecure "https://192.168.32.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get><VPNIPSecConnection></VPNIPSecConnection></Get></Request>"
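
  • The following script is an added example for this runbook, not Sophos code. It reads the same entities through the same APIController endpoint, but sends the <Request> document as the reqxml form field of a POST (the query-string parameter the one-liners above use; that SFOS also accepts it as a form field is an assumption to confirm on your firmware), takes the password from the SFOS_API_PASSWORD environment variable instead of the command line, and verifies the server certificate against the downloaded smru-sfw-<site>_CA.pem. It also checks the login status in the reply, because a failed login still comes back as HTTP 200 with an XML body and would otherwise look like an empty configuration. The two sample replies are constructed to match the shape of SFOS API responses.

```python
"""Read Sophos Firewall configuration through the XML API without exposing the password.

Added example for this runbook (not Sophos code): POSTs the request, reads the
password from the environment, verifies TLS against the downloaded CA and checks
the login status of the reply. Sample replies below are constructed.
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

API_PATH = "/webconsole/APIController"

SAMPLE_OK = """<Response APIVersion="2000.1" IPS_CAT_VER="1">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRule transactionid="">
    <Name>Allow MST SSL VPN clients</Name><Status>Enable</Status>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Block guest to LAN</Name><Status>Enable</Status>
  </FirewallRule>
</Response>"""

SAMPLE_DENIED = """<Response APIVersion="2000.1" IPS_CAT_VER="1">
  <Login><status>Authentication Failure</status></Login>
</Response>"""


def build_request(username, password, entities):
    """Build the <Request> document: one <Get> per entity, credentials XML-escaped."""
    login = (f"<Login><Username>{escape(username)}</Username>"
             f"<Password>{escape(password)}</Password></Login>")
    gets = "".join(f"<{e}></{e}>" for e in entities)
    return f"<Request>{login}<Get>{gets}</Get></Request>"


def parse_response(xml_text):
    """Return {entity_tag: [Element, ...]} from an API reply.

    A failed login still comes back as HTTP 200 with an XML body, so the login
    status is checked explicitly instead of being mistaken for an empty config.
    """
    root = ET.fromstring(xml_text)
    status = root.findtext("Login/status", default="")
    if status != "Authentication Successful":
        raise PermissionError(f"API login failed: {status or 'no status in reply'}")
    records = {}
    for child in root:
        if child.tag != "Login":
            records.setdefault(child.tag, []).append(child)
    return records


def names(records, entity):
    """The <Name> of every record of one entity, in the order the firewall returned them."""
    return [r.findtext("Name", default="") for r in records.get(entity, [])]


def api_get(base_url, username, password, entities, cafile):
    """POST the request and return the parsed records; TLS is verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode({"reqxml": build_request(username, password, entities)}).encode()
    req = urllib.request.Request(base_url + API_PATH, data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live: python sfos_api.py https://10.10.1.170:4444 smru-sfw-mrm_CA.pem
        password = os.environ["SFOS_API_PASSWORD"]
        records = api_get(sys.argv[1], "APIreadall", password, ["FirewallRule", "NATRule"], sys.argv[2])
    else:  # offline demonstration on the constructed reply
        records = parse_response(SAMPLE_OK)
    for rule in names(records, "FirewallRule"):
        print(rule)
```

  • Because the APIreadall profile is read-only, a leaked password still only exposes the configuration; the allowed IP address on the API tab is what keeps that exposure to 10.10.1.2, so keep the list to the hosts that actually run this script.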

21. Static IP MAC mapping

To have a static IP-MAC mapping honoured by every DHCP server configured on the Sophos Firewall, and not only by the DHCP server it was created on, set the static entry scope to global.

  • Sign in to the command-line interface (CLI).

  • Select option 4. Device Console.

  • Run the following command:

    system dhcp static-entry-scope show
    system dhcp static-entry-scope global
    system dhcp static-entry-scope show
    exit

22. Reset the admin password

  • Note: Anyone with physical access to the console port can do this, which is one reason the appliances belong in a locked room.

  • See how to connect to Device Console with Micro USB cable.

  • See how to connect to Device Console with serial cable.

  • Connect the Micro USB cable (console cable) between the Sophos XGS and the computer.

  • Open Device Manager to check whether the Virtual COM Port and USB drivers are installed correctly.

  • Connect to the Device Console by Putty.

    • Check in Device Manager > Ports (COM & LPT) which COM port (COM1, COM2, COM3, ...) the USB Serial Port was assigned.

    • Start Putty.

    • Choose Serial for Connection type.

    • Type <COM3> in the Serial line field.

    • Type 38400 in the Speed field.

    • Click Open.

    • Press Enter.

    • Type RESET and press Enter.

    • Type 4 and press Enter.

    • Type y to confirm and press Enter.

    • Type the default password admin and press Enter.

    • Close Putty.

  • Browse to https://<Firewall IP address>:4444.

  • Type admin in the Username field.

  • Type admin in the Password field.

  • Optional: Click Continue.

  • Type admin in the Current password field.

  • Type the new password in the Password field.

  • Type the new password in the Confirm password field.

  • Click Apply.

  • Log out from the Sophos Firewall web console.

  • Close Browser.

23. Useful Commands

  • Enter the following commands at a Command Line.

    # Get all configuration (entity) names from a full configuration export.
    grep -i '^  <[a-z]' /home/Other/Sophos/2022-02-20/smru-sfw-mrm-FullConfiguration-2022-02-20.xml |
      sed "s/ transactionid=\"\"//" |
      sed "s/^  <//" |
      sed "s/>$//" |
      sort -u > /tmp/configurations-all
    
    
    # Get all configuration files: one XML file per entity listed in share/sophos-configurations.txt.
    # (The password is in the URL here; replace --insecure with --cacert smru-sfw-mrm_CA.pem once the CA is available.)
    cd ~delta/github/git/delta-software-labs/Linux-Tools
    grep -v "^#" share/sophos-configurations.txt | while read -r i; do
      echo "$i"
      curl --insecure --silent 'https://10.10.1.170:4444/webconsole/APIController?reqxml=<Request><Login><Username>APIreadall</Username><Password>********</Password></Login><Get>'"<$i></$i>"'</Get></Request>' > "/home/Other/Sophos/YYYY-MM-DD/$i.xml"
    done
    
    # Remove the per-request TOKEN attributes, which differ on every download and would otherwise show up in every diff.
    for i in /home/Other/Sophos/YYYY-MM-DD/*; do sed -i "s/ TOKEN=.*>/>/" "$i"; done
    
    # Sort some configuration files so that entries compare in a stable order.
    xsltproc share/sophos-sort-AntiSpamQuarantineDigestSettings.xsl /home/Other/Sophos/YYYY-MM-DD/AntiSpamQuarantineDigestSettings.xml > /home/Other/Sophos/YYYY-MM-DD/AntiSpamQuarantineDigestSettings-Sorted.xml
    xsltproc share/sophos-sort-L2TPConfiguration.xsl                /home/Other/Sophos/YYYY-MM-DD/L2TPConfiguration.xml                > /home/Other/Sophos/YYYY-MM-DD/L2TPConfiguration-Sorted.xml
    xsltproc share/sophos-sort-PPTPConfiguration.xsl                /home/Other/Sophos/YYYY-MM-DD/PPTPConfiguration.xml                > /home/Other/Sophos/YYYY-MM-DD/PPTPConfiguration-Sorted.xml
    ##xsltproc share/sophos-sort-SSLVPNPolicy.xsl                     /home/Other/Sophos/YYYY-MM-DD/SSLVPNPolicy.xml                     > /home/Other/Sophos/YYYY-MM-DD/SSLVPNPolicy-Sorted.xml
    xsltproc share/sophos-sort-User.xsl                             /home/Other/Sophos/YYYY-MM-DD/User.xml                             > /home/Other/Sophos/YYYY-MM-DD/User-Sorted.xml
    xsltproc share/sophos-sort-UserGroup.xsl                        /home/Other/Sophos/YYYY-MM-DD/UserGroup.xml                        > /home/Other/Sophos/YYYY-MM-DD/UserGroup-Sorted.xml
    
    # Remove the unsorted configuration files.
    rm -f /home/Other/Sophos/YYYY-MM-DD/AntiSpamQuarantineDigestSettings.xml
    rm -f /home/Other/Sophos/YYYY-MM-DD/L2TPConfiguration.xml
    rm -f /home/Other/Sophos/YYYY-MM-DD/PPTPConfiguration.xml
    ##rm -f /home/Other/Sophos/YYYY-MM-DD/SSLVPNPolicy.xml
    rm -f /home/Other/Sophos/YYYY-MM-DD/User.xml
    rm -f /home/Other/Sophos/YYYY-MM-DD/UserGroup.xml
    
    # Compare two snapshots; -q only names the files that differ.
    diff -qr /home/Other/Sophos/2022-02-22P /home/Other/Sophos/2022-02-22Q
    
    # Set the interface IP address (on the firewall's advanced shell).
    ifconfig Port1 10.20.1.170 netmask 255.255.255.0 up
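
  • The following script is an added example for this runbook, not Sophos code or one of the Linux-Tools stylesheets. It does in Python what the sed, xsltproc and diff -qr steps above do by hand: it drops the volatile TOKEN and transactionid attributes, keys every record by its <Name> so that ordering no longer matters, and then names the entities that were added, removed or changed between two /home/Other/Sophos/<date>/ dumps, so a review shows which rule or user moved rather than only which file differs. The two snapshots are constructed.

```python
"""Normalise Sophos configuration dumps and name what changed between two snapshots.

Added example for this runbook (not Sophos code). Volatile attributes are
stripped, records are keyed by <Name>, and the two dumps are compared by key.
The two snapshots below are constructed.
"""
import copy
import sys
import xml.etree.ElementTree as ET

VOLATILE_ATTRS = ("TOKEN", "transactionid")

# Constructed: the same FirewallRule dump on two days. Day 2 reorders the records,
# carries a new TOKEN, disables one rule and adds another.
SNAPSHOT_DAY1 = """<Response APIVersion="2000.1">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRule transactionid="" TOKEN="a1b2">
    <Name>Allow MST SSL VPN clients</Name><Status>Enable</Status>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Block guest to LAN</Name><Status>Enable</Status>
  </FirewallRule>
</Response>"""

SNAPSHOT_DAY2 = """<Response APIVersion="2000.1">
  <Login><status>Authentication Successful</status></Login>
  <FirewallRule transactionid="">
    <Name>Block guest to LAN</Name><Status>Disable</Status>
  </FirewallRule>
  <FirewallRule transactionid="" TOKEN="c3d4">
    <Name>Allow MST SSL VPN clients</Name><Status>Enable</Status>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>Allow API host</Name><Status>Enable</Status>
  </FirewallRule>
</Response>"""


def canonical(elem):
    """Serialise elem without volatile attributes or insignificant whitespace."""
    e = copy.deepcopy(elem)
    for node in e.iter():
        for attr in VOLATILE_ATTRS:
            node.attrib.pop(attr, None)
        if node.text is not None and not node.text.strip():
            node.text = None
        if node.tail is not None and not node.tail.strip():
            node.tail = None
    return ET.tostring(e, encoding="unicode")


def entities(xml_text):
    """Map 'Tag/Name' -> canonical XML for every record in a dump (Login excluded)."""
    root = ET.fromstring(xml_text)
    out = {}
    for i, child in enumerate(root):
        if child.tag == "Login":
            continue
        key = child.findtext("Name") or f"#{i}"  # fall back to position for unnamed records
        out[f"{child.tag}/{key}"] = canonical(child)
    return out


def diff_snapshots(old_xml, new_xml):
    """Return {'added': [...], 'removed': [...], 'changed': [...]} keyed by Tag/Name."""
    old, new = entities(old_xml), entities(new_xml)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python sfos_diff.py OLD.xml NEW.xml
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            result = diff_snapshots(f1.read(), f2.read())
    else:  # offline demonstration on the constructed snapshots
        result = diff_snapshots(SNAPSHOT_DAY1, SNAPSHOT_DAY2)
    for kind, keys in result.items():
        for key in keys:
            print(f"{kind}: {key}")
```

  • Run it on the FirewallRule.xml, NATRule.xml or User.xml of two dated directories; an unexpected entry under added or changed is the signal to look up who made that change in the firewall's admin log.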

24. SSH Commands