Sophos Xg Access Point




When friends and family are visiting and require wifi access, we typically give them complete access to our network by providing the password to our wireless access point. While most friends and especially family wouldn’t be doing anything malicious on our network, the bigger concern is that the devices they’re using to connect could be infected with viruses or malware, which could then spread to other devices on our network. In most cases, guests simply need internet access, and an easy way to allow this while keeping them isolated from the rest of your network is to create a separate guest network.

If your wireless access point supports creating multiple wireless networks or has a guest network feature, you can use VLANs to isolate the guest network from your private network, which I explain in this post. The steps below explain how to set up a guest wireless network using a separate wireless access point, which in this case is an Apple Airport Express.

1. Set up the device you’ll be using as a second wireless access point for guest users. Configure the wireless settings as desired (i.e. create a different SSID and password from your main wireless network). Also change the mode of your device to ‘Bridge Mode’. For Apple devices, this is located in the Airport Utility under the ‘Network’ tab -> ‘Router Mode’ -> ‘Off (Bridge Mode)’.

2. Plug in your guest wireless access point to an open ethernet port on your Sophos XG device.

3. From the Sophos XG web user interface, first set up the new interface by opening the ‘Interfaces’ tab on the ‘Network’ page and selecting the port you plugged the guest wireless access point into. Configure the following settings:

  • Network Zone: Specify the zone this new interface will be. For this example, choose ‘LAN’.
  • IPv4 Configuration: This should be checked.
  • IP Assignment: Select ‘Static’ since we will define the IP address for this interface.
  • IPv4/Netmask: Enter an IP address for this interface that is in a different subnet than the interface for your main network. For example, if your main network interface has an IP of 172.16.16.16 (Sophos XG default), something such as ‘172.16.17.17’ will work. Leave the netmask defaulted to ‘24/255.255.255.0’.
  • Leave ‘IPv6 Configuration’ unchecked unless you need IPv6 for your network.
  • The advanced settings can be left to their default settings. Click ‘Save’ at the bottom.

4. Next, create an IP Host for the guest subnet to be used for a firewall rule. Access the ‘IP Host’ tab on the ‘Host and Services’ page and click ‘Add’. Configure the following settings:

  • Name: Type in a name such as ‘Guest Subnet’.
  • IP Address: Type in the IP address for this guest network such as ‘172.16.17.0’ and leave the default subnet to ‘/24 (255.255.255.0)’.
  • IP Host Group: This allows you to add this IP Host to an IP Host Group but for this example, leave it blank. Click ‘Save’ at the bottom.

5. Create a DHCP server for your guest network by accessing the ‘DHCP’ tab on the ‘Network’ page. Under the ‘Server’ section, click ‘Add’ and configure the following settings:

  • Name: Provide a name such as ‘Guest DHCP’.
  • Interface: Select the port your guest wireless access point is connected to.
  • Start IP: Enter the starting IP address for the range that will be available for assignment to users on the guest network. For example, ‘172.16.17.18’.
  • End IP: Enter the ending IP address. For example, ‘172.16.17.254’.
  • Subnet Mask: Leave the default of ‘/24 (255.255.255.0)’.
  • Domain Name: This can be left blank.
  • Gateway: Leave the default ‘Use Interface IP as Gateway’ checked.
  • Default Lease Time/Max Lease Time: Leave the default values.
  • Conflict Detection: Enable this so clients aren’t being assigned the same IP address.

6. Create a firewall rule that will allow users on the guest network to access the internet. Access the ‘Firewall’ page and click ‘Add Firewall Rule’ -> ‘User/Network Rule’. If you’re unfamiliar with the firewall rule settings, see my previous guide on firewall rules. Configure the following settings:

  • Rule Name: Provide a name such as ‘Guest Network’.
  • Description: Provide a description as desired.
  • Action: Accept
  • Source Zone: Select ‘LAN’ since this is the zone we added the guest interface to.
  • Source Networks and Devices: Select the IP Host we created in step 4, ‘Guest Subnet’.
  • During Scheduled Time: Set this as desired but for this example, we’ll leave it set to ‘All the Time’.
  • Destination Zone: Select ‘WAN’ since we want users to be able to access our ISP modem/internet.
  • Destination Networks: Select ‘Any’ since we don’t know exactly what protocols and/or ports our guest users will be utilizing.
  • Configure the rest of the settings as desired and click ‘Save’ at the bottom.

7. You should now be able to connect to your guest network and have full access to the internet. Of note, you can still access your Sophos XG web user interface from this guest network since the interface falls under the ‘LAN’ zone. See my other post on completely isolating the guest and local networks.

(Optional) If desired, you can limit the bandwidth available for your guest users by creating a Traffic Shaping Policy for the firewall rule we just created. You can create a new policy from the firewall rule page itself by clicking the ‘Traffic Shaping Policy’ drop-down and selecting ‘Create new’. This page can also be accessed on the ‘Traffic Shaping’ tab on the ‘System Services’ page. Configure the following settings:

  • Name: Provide a name such as ‘Guest Rule’.
  • Policy Association: Select ‘Rule’ since this will be applied to a firewall rule.
  • Rule Type: Select ‘Limit’ as the goal is to limit the available bandwidth to guest users.
  • Limit Upload/Download Separately: As the name implies, you can set a limit on the upload and download bandwidth throughput separately. For this example, select ‘Enable’.
  • Priority: This setting allows you to define priorities so that if you have multiple traffic shaping policies, Sophos XG will know how to prioritize the various connections. For this example, select ‘3 – (Normal)’ as our guest users just need basic internet access.
  • Upload Bandwidth: Specify the maximum upload speed in KBps (kilobytes per second, not to be confused with Kbps, kilobits per second). Search for ‘Mbps to KBps’ using Google to convert Mbps, which is most commonly used for bandwidth speeds, to KBps. For example, if I want to limit my guest users’ upload to 10 Mbps, enter ‘1250’ into this field.
  • Download Bandwidth: Same as above except for the download speed. For example, if I want to limit guest users to a download of 100 Mbps, enter ‘12500’ into this field.
  • Bandwidth Usage Type: Leave ‘Individual’ selected as this policy will apply to the entire guest firewall rule. Click ‘Save’ at the bottom.

Make sure to assign this new Traffic Shaping Policy to your guest firewall rule.
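
The addressing values from steps 3 to 5 and the Mbps-to-KBps figures from the traffic shaping section can be sanity-checked before they are typed into the web interface. The following is an added example, not part of the original post; the function names are hypothetical, and the conversion assumes decimal units (1 Mbps = 125 KBps), which matches the figures above.

```python
import ipaddress


def check_guest_plan(main_if, guest_if, ip_host, dhcp_start, dhcp_end):
    """Return a list of problems found in the guest-network addressing plan."""
    problems = []
    main = ipaddress.ip_interface(main_if)      # main LAN interface (step 3 reference)
    guest = ipaddress.ip_interface(guest_if)    # guest interface (step 3)
    host_net = ipaddress.ip_network(ip_host, strict=False)  # IP Host (step 4)
    start = ipaddress.ip_address(dhcp_start)    # DHCP range (step 5)
    end = ipaddress.ip_address(dhcp_end)

    # The guest interface must sit in its own subnet, or there is no boundary
    # for the firewall to enforce between guest and private devices.
    if guest.network.overlaps(main.network):
        problems.append("guest interface overlaps the main network subnet")
    # The firewall rule in step 6 uses the IP Host as its source; if it differs
    # from the guest subnet the rule matches the wrong set of clients.
    if host_net != guest.network:
        problems.append(f"IP host {host_net} differs from guest subnet {guest.network}")
    if start > end:
        problems.append("DHCP start is above DHCP end")
    for label, addr in (("start", start), ("end", end)):
        if addr not in guest.network:
            problems.append(f"DHCP {label} {addr} is outside {guest.network}")
        elif addr in (guest.network.network_address, guest.network.broadcast_address):
            problems.append(f"DHCP {label} {addr} is a network/broadcast address")
    # Clients must never be leased the interface address, which is their gateway.
    if start <= guest.ip <= end:
        problems.append("DHCP range includes the interface (gateway) address")
    return problems


def mbps_to_kbytes_per_sec(mbps):
    """Convert megabits per second to kilobytes per second (decimal units)."""
    return round(mbps * 1000 / 8)


if __name__ == "__main__":
    # Values taken from the steps above.
    issues = check_guest_plan("172.16.16.16/24", "172.16.17.17/24",
                              "172.16.17.0/24", "172.16.17.18", "172.16.17.254")
    print("plan OK" if not issues else "\n".join(issues))
    print("upload limit:", mbps_to_kbytes_per_sec(10), "KBps")
    print("download limit:", mbps_to_kbytes_per_sec(100), "KBps")
```
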




