- Some say it suffices to create a file using the same name as the VPN configuration file in your config folder, followed by the suffix ‘up.bat’ and the contents of your script. This is the corresponding path for Sophos: `C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config`.
- The Sophos Connect client allows you to enforce advanced security and flexibility settings, such as connecting the tunnel automatically. To configure and establish remote access SSL VPN connections using the Sophos Connect client, do as follows: Configure the SSL VPN settings. Send the configuration file to users.
This guide explains how to set up SSL VPN to access your home network (LAN). While the Sophos website has an official “SSL VPN Remote Access” How-To video, it is missing some important steps. I’d recommend watching the video, as it’s fairly short, and then following this guide.
Our XG IPSec VPN Tunnel to Microsoft Azure does not stay up, because when there is no activity Microsoft shuts down the tunnel. To overcome this, we have had to implement a 5 minute ping to each of our 5 warehouses from a VM in Azure. A keep alive feature on the XG side would solve this problem. Other firewalls, such as Dell's Sonicwall, have a keep alive feature that addresses this issue.
If you do not have a static WAN IP address, create a Fully Qualified Domain Name (FQDN) using a Dynamic DNS service. There are free services available such as DuckDNS.org but Sophos also offers its own DDNS service for free.
1. Open the ‘Dynamic DNS’ tab on the ‘Network’ page and click ‘Add’.
2. Type in your desired FQDN in the ‘Hostname’ field. It must end with *.myfirewall.co if using Sophos as your DDNS service provider (ex: myname.myfirewall.co).
3. Select your WAN ‘interface’ (likely Port2) and choose ‘NATed Public IP’ next to ‘IPv4 Address’ and set the ‘IP Edit Checking Interval’ as desired (default value of ’20’ works fine).
4. Select ‘Sophos’ as the ‘Service Provider’ and click ‘Save’. After about 3-5 minutes, try accessing or pinging your newly created FQDN.
Setting up SSL VPN
1. Set up your hostname. Open the ‘Admin Settings’ tab on the ‘Administration’ page, type your FQDN or WAN IP address in the ‘Hostname’ field (ex: myname.myfirewall.co) and click ‘Apply’. This matters because the VPN configuration file you download later uses this hostname as the address your device will try to reach. There is also an option to use a different hostname, explained later.
2. Create a user account. Open the ‘Users’ tab on the ‘Authentication’ page and click ‘Add’. Fill out the ‘Username’, ‘Name’, ‘Password’ and ‘Email’ fields. ‘User Type’ can be set as desired (leaving the default setting of ‘User’ will suffice). Select ‘Open Group’ under the ‘Group’ drop-down; this is simply a default group Sophos XG created during setup that allows unlimited access at all times. The remaining fields can be left at their default settings. Click ‘Save’ at the bottom.
3. Create an IP Host. Open the ‘IP Host’ tab on the ‘Host and Services’ page and click ‘Add’. Enter a ‘Name’ as desired (i.e. ‘Local subnet’), select ‘IPv4’ for ‘IP Version’ and select ‘Network’ for ‘Type’. In the ‘IP Address’ field, enter your subnet address (i.e. 172.16.16.0) and select the appropriate ‘Subnet’ (i.e. /24 255.255.255.0). Click ‘Save’ at the bottom.
(Optional) Create another IP Host using an IP Range that the VPN connection will use (default is 10.81.234.5 to 10.81.234.55). This can be utilized for the ‘Source Network and Devices’ in the firewall rule during Step 7 for increased security.
4. Set up SSL VPN. Open the ‘SSL VPN (Remote Access)’ tab on the ‘VPN’ page and click ‘Add’. Type in a ‘Name’ and ‘Description’ as desired and add the user account created in step 2 to the ‘Policy Members’. Additionally, add the IP Host created in step 3 to the ‘Permitted Network Resources (IPv4)’ section. Everything else can be left at the default settings. Click ‘Apply’ at the bottom.
5. Adjust VPN settings. On the same page (VPN), click the ‘Show VPN Settings’ on the top right section above the tabs. Set the ‘Protocol’ to ‘UDP’ (not required but recommended for better VPN performance). As mentioned in Step 1, you can add your FQDN or WAN IP address to the ‘Override Hostname’ field. This will likely be required for your VPN configuration file to use the correct address, so it’s recommended to just type in your FQDN or WAN IP address again. Click ‘Apply’ at the bottom.
6. Enable SSL VPN. Open the ‘Device Access’ tab on the ‘Administration’ page and make sure ‘SSL VPN’ is checked for LAN and WAN. You can also check ‘HTTPS’ for VPN if you want access to the Sophos XG web UI you’re currently using when connected through VPN. Click ‘Apply’ in the ‘Local Services ACL’ section you just modified.
7. Create a firewall rule for VPN. Open the ‘Firewall’ page and add a ‘User/Network Rule’. Fill in the applicable fields and set ‘Source Zones’ to ‘VPN’, ‘Source Network and Devices’ to ‘Any’ or the IP Host for the VPN IP range created in the optional step, ‘Destination Zone’ to ‘LAN’ and ‘Destination Network’ to the IP Host you created in Step 3 (i.e. ‘Local subnet’). Other settings can be set up as desired. See my previous post on Firewall Rules for more information.
Setting up OpenVPN
At this point, VPN is set up on Sophos XG and you just need to configure the client that will be used to VPN into your home network. In this example, we’ll use an iOS device.
1. Download ‘OpenVPN’ on your iOS device from the App Store.
2. Open the web browser on your iOS device and browse to the same IP address used to configure Sophos XG except on port 443 (ex: https://172.16.16.16:443) which should bring you to the Sophos User Portal. Log in using the account created earlier and download the configuration file for iOS.
3. Open the configuration file in the OpenVPN app on your iOS device. The remaining steps should be self-explanatory: add the configuration file to OpenVPN, fill in your username and password, and tap Connect. You can now reach your local network from outside it.
XG Firewall makes it simple to get up and running quickly with the best network visibility, protection, and response in the industry. We make it easy to protect your network across multiple sites while also enabling access for your remote workers.
If you just received your XG Firewall, run through the convenient XG Firewall setup wizard which will have you up and running in a few minutes with essential protection for your network.
If you are running two XG Firewall appliances in High Availability mode for maximum business continuity, then be sure to take advantage of the new Quick HA option in v18.
(Instructions: ‘How to deploy in gateway mode’ / Video: ‘Registration and setup wizard’)
Get familiar with XG firewall
After the initial setup, review our extensive library of Getting Started How-To videos and the Documentation for XG Firewall. There’s also a great list of articles and videos to review on the Initial Setup Community Forum.
Periodic best practices checkup
To ensure your XG Firewall is protecting your network optimally, follow these best practices after initial setup or periodically.
If you don’t have time to perform these steps, the Sophos Professional Services team of network experts is available to help ensure your firewall is configured optimally. Contact them at [email protected]
Double check your protection licenses
On your XG Firewall go to Administration > Licensing and ensure you have these essential network protection subscriptions:
- Network Protection – Essential for IPS, advanced threat protection, and botnet protection
- Web Protection – Essential for web security and control and application control
- Sandstorm Protection – Essential for the latest threat protection using artificial intelligence and sandboxing analysis
- Email Protection – Essential for anti-spam and phishing attack protection
- Web Server Protection – Essential if you have any servers that require public internet access
Always keep your firmware up to date to ensure you have the latest security, performance, and reliability updates. You can get the latest v18 release for your XG Firewall from MySophos.
(Instructions: ‘How to download firmware updates’ / Video: ‘Firmware update and roll-back’)
Firewall rule and protection policy recommendations
Of course, by design, your firewall blocks all network traffic – your network is completely locked down – but you enable traffic to flow by creating firewall rules.
Firewall rules enable your network to function, but they also create opportunities for hackers, ransomware, and malware to enter. Hence, it’s essential to protect your network by applying security policies to these firewall rules.
If you’re new to XG Firewall or v18, check out the introductory video on Firewall Rules and the What’s new in v18 for Firewall Rules video.
If your firewall has been running for a while, you may have dozens or even hundreds of firewall rules you’ve added over time. It’s very important that you periodically review all your firewall rules to ensure that there are no avoidable “openings” in your network. Ensure you don’t have any unnecessary or unused rules that are presenting openings that hackers can take advantage of.
Start by checking the ‘Active firewall rules’ widget on the Control Center to identify unused rules.
Then, go through your firewall rules to examine all the active rules to ensure they are needed and proper protection is being applied.
In particular, disable all non-essential port-forwarding rules, and re-evaluate if any of the port-forwarding rules you have can be better accommodated via VPN access or, at the very least, multifactor authentication.
Exposed services and servers through port forwarding are one of the top ways hackers breach your network. VPN and MFA provide much better security for remote access to internal network resources.
If you are on v17.x we suggest you upgrade to v18 for the latest NAT rule enhancements. If you are on v18 already, review all your NAT rules to ensure all are required and adequately protected by a corresponding firewall rule.
Make sure you’re applying essential protection to all your firewall rules. XG Firewall makes it super easy to assign web protection and control, intrusion prevention (IPS), sandboxing, and file analysis as well as application control.
In general, do not apply “Allow All” or “None” when selecting a protection policy. These should only be used in special circumstances or for troubleshooting, never as an active protection policy.
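The review described above (unused rules, port-forwarding rules, and rules running with an ‘Allow All’ or ‘None’ protection policy) is easy to script once the rule base is exported. The script below is an added example, not Sophos code and not the XG export or API format: the rule records are a constructed, simplified representation with field names chosen here for illustration (`last_hit`, `web_policy`, `ips_policy`), and the 90-day window for “unused” is an assumed review period.

```python
"""Flag firewall rules a periodic review should look at.  Added example;
the rule inventory below is constructed and simplified, not an XG export."""
from datetime import date

# Constructed rule inventory. 'last_hit' is None when the rule never matched.
RULES = [
    {"name": "LAN to WAN", "enabled": True, "type": "user/network",
     "src_zone": "LAN", "dst_zone": "WAN", "dst_port": None,
     "last_hit": date(2020, 6, 1), "web_policy": "Default Workplace Policy",
     "ips_policy": "LAN TO WAN"},
    {"name": "Old RDP forward", "enabled": True, "type": "dnat",
     "src_zone": "WAN", "dst_zone": "LAN", "dst_port": 3389,
     "last_hit": date(2019, 11, 2), "web_policy": "None", "ips_policy": "None"},
    {"name": "Web server publish", "enabled": True, "type": "dnat",
     "src_zone": "WAN", "dst_zone": "DMZ", "dst_port": 443,
     "last_hit": date(2020, 6, 1), "web_policy": "None", "ips_policy": "DMZ TO WAN"},
    {"name": "Temp troubleshooting", "enabled": True, "type": "user/network",
     "src_zone": "LAN", "dst_zone": "WAN", "dst_port": None,
     "last_hit": None, "web_policy": "Allow All", "ips_policy": "None"},
    {"name": "VPN to LAN", "enabled": True, "type": "user/network",
     "src_zone": "VPN", "dst_zone": "LAN", "dst_port": None,
     "last_hit": date(2020, 5, 30), "web_policy": "None", "ips_policy": "LAN TO WAN"},
]

# Date the review is run (constructed so the sample is reproducible).
REVIEW_DATE = date(2020, 6, 2)

WEAK_WEB_POLICIES = {"Allow All", "None"}


def audit_rules(rules, today, unused_after_days=90):
    """Return a list of (rule name, category, detail) findings.

    Categories: 'unused'       - never hit, or not hit within the window
                'port-forward' - DNAT rule exposing an internal port to WAN
                'weak-policy'  - Allow All / None web policy on internet
                                 traffic, or no IPS policy on any rule
    """
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        name = r["name"]

        if r["last_hit"] is None:
            findings.append((name, "unused", "rule has never matched traffic"))
        elif (today - r["last_hit"]).days > unused_after_days:
            findings.append((name, "unused",
                             f"last matched {r['last_hit']}, more than {unused_after_days} days ago"))

        if r["type"] == "dnat" and r["src_zone"] == "WAN":
            findings.append((name, "port-forward",
                             f"exposes port {r['dst_port']} in {r['dst_zone']} to the internet; "
                             "prefer VPN access or at least MFA in front of it"))

        if r["dst_zone"] == "WAN" and r["web_policy"] in WEAK_WEB_POLICIES:
            findings.append((name, "weak-policy",
                             f"web policy '{r['web_policy']}' on internet-bound traffic"))
        if r["ips_policy"] == "None":
            findings.append((name, "weak-policy", "no IPS policy applied"))
    return findings


if __name__ == "__main__":
    for name, category, detail in audit_rules(RULES, REVIEW_DATE):
        print(f"{name:22} {category:13} {detail}")
```

A rule that appears under both ‘unused’ and ‘port-forward’ (the old RDP forward in the sample) is exactly the kind of avoidable opening the review is meant to catch and is the first candidate for disabling.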
Recommended protection best practices
Most internet traffic is encrypted with SSL/TLS, making it impossible to secure without proper inspection.
XG Firewall v18 introduced the new Xstream TLS Inspection feature that provides high-performance inspection of encrypted traffic, enabling you to properly protect your network. Ensure you have one or more TLS inspection rules applied to your internet traffic, otherwise a lot of the protection discussed below will be ineffective. (Instructions: ‘SSL/TLS inspection rules’ / Video: ‘Xstream SSL inspection in XG Firewall v18’).
You will need to deploy the XG Firewall SSL certificate on your client machines, which is done most easily on Windows using the wizard in Microsoft’s Group Policy Manager.
After deployment, monitor TLS inspection via the Control Center and add important problematic sites to the exception list with the convenient tools available from the widget.
Web policy and protection
This determines which websites are allowed or blocked and how to protect web traffic. Any firewalls governing internet traffic should have a web filtering policy in place.
There are several built-in policies for schools, workplaces, and more that you can use out of the box to make this easy. Simply choose one appropriate for your organization and customize it to suit your needs. (Instructions: ‘How to implement Web Protection’ / Video: ‘How To: Creating Web Protection rules’).
Malware and content scanning
XG Firewall can scan all web traffic for malicious code and downloaded files.
We strongly recommend that you take advantage of SophosLabs Threat Intelligence and Sophos Sandstorm sandboxing to further analyze files.
To do so, simply check the option to “Detect zero-day threats with Sandstorm” for all rules governing web traffic. (Instructions: ‘How to configure Sophos Sandstorm’).
Intrusion Prevention looks for activity attempting to exploit vulnerabilities in networked devices. This is a common technique for hackers to get control of servers exposed to the internet and to move laterally within a network. IPS protection signatures are included for all platforms: Windows, Macs, Unix, and more.
Make sure you are applying IPS protection policies that align with the network platforms in your environment – use either one of the built-in policies or create your own. Also, ensure you not only apply IPS protection to internet traffic rules but also rules between different segments of your internal network (e.g. LAN and DMZ) to help catch active threats trying to spread on your network. (Instructions: ‘IPS policies’ / Video: ‘How To: Setting Up And Configuring IPS’).
Advanced Threat Protection is another essential aid in identifying an active threat on your network. It examines outbound traffic for any attempts to contact known hacker command and control servers.
If ATP detects such traffic, it indicates you have a bot or other threat on your network. ATP setup is super easy. (Instructions: ‘How to configure Advanced Threat Protection (ATP)’).
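The core of what ATP does, matching outbound connections against a list of known command-and-control destinations and pointing at the internal host that made them, can be illustrated with a small log scanner. This is an added example, not Sophos code: the connection-log format (one `key=value` record per line), the indicator list and the addresses are constructed for illustration and do not reproduce XG’s log schema or the SophosLabs feed; the internal subnet is the 172.16.16.0/24 used earlier on this page.

```python
"""Toy ATP-style check: find outbound connections to destinations on a
threat-intelligence list and report the internal host behind each one.
Added example; log lines and indicators are constructed."""
import ipaddress
from collections import defaultdict

# Internal network, taken from the subnet used in the SSL VPN guide above.
INTERNAL_NET = ipaddress.ip_network("172.16.16.0/24")

# Constructed indicator list: destinations threat intel says are C2 servers.
KNOWN_C2 = {"203.0.113.77", "c2.example-bad.test"}

# Constructed connection log, one key=value record per line.
# 'host' is the requested hostname where one was seen, '-' otherwise.
SAMPLE_LOG = """\
ts=2020-06-02T10:00:01 src=172.16.16.42 dst=93.184.216.34 dport=443 host=www.example.com
ts=2020-06-02T10:00:07 src=172.16.16.42 dst=203.0.113.77 dport=8080 host=-
ts=2020-06-02T10:00:12 src=172.16.16.15 dst=198.51.100.9 dport=443 host=c2.example-bad.test
ts=2020-06-02T10:00:20 src=172.16.16.42 dst=203.0.113.77 dport=8080 host=-
ts=2020-06-02T10:00:25 src=203.0.113.5 dst=172.16.16.80 dport=443 host=-
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_outbound(rec):
    """True when the source is inside INTERNAL_NET and the destination is not."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return src in INTERNAL_NET and dst not in INTERNAL_NET


def find_c2_contacts(log_text, indicators=KNOWN_C2):
    """Return {internal source IP: [(timestamp, matched indicator), ...]}.

    Inbound records are ignored: ATP is about compromised internal hosts
    calling out, so the interesting key is the internal source address.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_outbound(rec):
            continue
        # match either the destination IP or the requested hostname
        matched = [v for v in (rec["dst"], rec.get("host", "-")) if v in indicators]
        if matched:
            hits[rec["src"]].append((rec["ts"], matched[0]))
    return dict(hits)


if __name__ == "__main__":
    for src, contacts in find_c2_contacts(SAMPLE_LOG).items():
        print(f"{src}: {len(contacts)} contact(s) -> {sorted({c[1] for c in contacts})}")
```

The output names internal hosts, not external addresses, because the host that keeps reaching out is what needs isolating and investigating; repeated contacts from one source (172.16.16.42 in the sample) are the pattern an ATP alert is telling you about.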
Firewall best practices for blocking ransomware
Check out this white paper on additional best practices for blocking Ransomware attacks.
VPN connectivity recommendations
With VPN connections being tremendously important these days, here are some additional resources on getting the most from your XG Firewall’s VPN connectivity options.
Site-to-Site VPN: If you want the ultimate in VPN reliability and security between your central office and branch offices or remote locations, Sophos’ unique RED tunnels are ideal.
You can easily deploy an XG Firewall to a remote location without touching it and set up a RED tunnel in no time. (Instructions: ‘Substituting XG for RED devices via Light-Touch deployment from Sophos Central’).
Remote user VPN: If you have users working remotely, XG Firewall offers a couple of options for secure remote access.
Our previous article outlined the various access options and their pros/cons. We recommend using Sophos Connect Client for the ultimate in ease-of-use. (Instructions: ‘Sophos Connect Client’ / Video: ‘Sophos Connect VPN Client’).
Customer Resource Center (how-to videos, documentation, and more)
How-To Video Library (dozens of video tutorials to get you started)
XG Community (tap into the vast knowledge and expertise of the XG Firewall community)