====== Sophos Basics====== DO NOT USE GOOGLE CHROME until the certs have been fixed. ==== Sophos Cheat Sheet for the GUI ==== [[Sophos XG Cheat Sheet]] ==== Sophos Extras ==== [[Turning off Captcha]] [[Generating a Certificate]] [[Sophos Central will NOT connect]] [[Importing User csv file via XML API]] ==== Configure Your Sophos ==== Prior to configuring the Sophos you need to decide if you would like to use the Sophos in BRIDGE mode or GATEWAY mode. In BRIDGE mode the Sophos can be transparent except when using the Captive Portal. * Traffic will pass through the Sophos depending on firewalls rules used. * Network Address Translation (NAT) is not needed ==*recommended== In GATEWAY mode * The Sophos will do the routing between networks * The Sophos will need to NAT traffic ==== To Configure Bridge Mode ==== Unlike the cyberoam, the Sophos has a little more hands on configuration. When first configuring your Sophos the wizard will ask how you want to configure the ports (bridge or gateway). If you are unsure, you can skip this step and configure later in the Web GUI. Network -> Interfaces -> Add Interface -> Add Bridge Added br0 Added port2 WAN Added port1 LAN {{ :sophos_bridge.png?600 |}} ==== Activate Your Subscription ==== To use your new Sophos product to its fullest capacity, it requires a subscription. Your license key can be found in an email or a paper that came with the product. {{ :sophos_subscription.png?400 |}} Administration -> Licensing -> Activate Subscription {{ :sophos_activatesub.png?600 |}} Once activated you will not see any immediate changes. You must also synchronize your subscription to your device. {{ :sophos_synchronizesub.png?600 |}} ==== Configure Time and NTP ==== To keep the reports sent to satnag-reports synchronizable, please use UTC or Atlantic/Reykjavik time. If the ship has an NTP server, it can be added as a ‘Use Custom NTP Server’. Administration -> Time {{ :sophos_timeserver.png?600 |}} ==== Configure Networks ==== Hosts and Services -> IP host -> Add Added offship_network 192.168.2.0/24 Added data_network 192.168.1.0/24 {{ :sophos_iphost.png?600 |}} ==== Configure Firewall Rules ==== Firewall-> IPv4 -> Add Firewall Rule create Rule to allow all DNS Depending on where your DNS and/or DHCP server reside, you will probably want to allow all DNS and DHCP traffic to pass through the device {{ :sophos_firewallrule.png?600 |}} ==== Add Web & Application Policies ==== Web -> Policies Applications -> Application Filter ===∗Turn Exceptions OFF∗=== Web -> Exceptions Ensure 'Apple Update' and 'Microsoft Windows Update' are **OFF** {{ :public:screen_shot_2020-07-20_at_17.26.18.png?600 |}} ===To Add Web and Application Policies to a Firewall Rule=== Once you have created your web and application policies you can add them to your firewall rule. Firewall -> 'rule' -> Advanced Make sure you click the 'check box' for the policies to be accepted into the firewall rule. {{ :sophos_addpoliciestofirewall.png?600 |}} ==== User Group ==== Authentication -> Groups -> Add create offshipUsers {{ :sophos_offshipusers.png?600 |}} === Add a Network Traffic Policy === Authentication -> Groups -> Add/Edit -> Network Traffic -> Create New create satNAG_policy {{ :sophos_satnagpolicy.png?600 |}} Add a couple of users; Authentication ->Users ->Add It is helpful to use the same syntax you would use for adding users to the ship email system or LDAP or RADIUS server, when adding the users assign them to the group //offshipUsers// created above. ==== Enable Captive Portal ==== In order to enable the captive portal your device will need two rule groups: //WAN to LAN IPV4 traffic// and //LAN to WAN IPV4 traffic//. Change LAN_WAN_AnyTraffic Firewall rule to DROP