User Tools

Site Tools


public:sophos

Sophos Basics

DO NOT USE GOOGLE CHROME

Sophos Cheat Sheet for the GUI

Sophos Extras

Configure Your Sophos

Prior to configuring the Sophos you need to decide if you would like to use the Sophos in BRIDGE mode or GATEWAY mode.

In BRIDGE mode the Sophos can be transparent except when using the Captive Portal.

  • Traffic will pass through the Sophos depending on firewalls rules used.
  • Network Address Translation (NAT) is not needed

In GATEWAY mode

  • The Sophos will do the routing between networks
  • The Sophos will need to NAT traffic

To Configure Bridge Mode

Unlike the cyberoam, the Sophos has a little more hands on configuration. When first configuring your Sophos the wizard will ask how you want to configure the ports (bridge or gateway). If you are unsure, you can skip this step and configure later in the Web GUI.

Network → Interfaces → Add Interface → Add Bridge

Added br0
Added port2     WAN
Added port1     LAN

Activate Your Subscription

To use your new Sophos product to its fullest capacity, it requires a subscription. Your license key can be found in an email or a paper that came with the product.

Administration → Licensing → Activate Subscription

Once activated you will not see any immediate changes. You must also synchronize your subscription to your device.

Configure Time and NTP

To keep the reports sent to satnag-reports synchronizable, please use UTC or Atlantic/Reykjavik time. If the ship has an NTP server, it can be added as a ‘Use Custom NTP Server’.

Administration → Time

Configure Networks

Hosts and Services → IP host → Add

Added offship_network  192.168.2.0/24
Added data_network     192.168.1.0/24

Configure Firewall Rules

Firewall→ IPv4 → Add Firewall Rule

create Rule to allow all DNS

Depending on where your DNS and/or DHCP server reside, you will probably want to allow all DNS and DHCP traffic to pass through the device

Add Web & Application Policies

Web → Policies

Applications → Application Filter

∗Turn Exceptions OFF∗

Web → Exceptions

Ensure 'Apple Update' and 'Microsoft Windows Update' are OFF

To Add Web and Application Policies to a Firewall Rule

Once you have created your web and application policies you can add them to your firewall rule.

Firewall → 'rule' → Advanced

Make sure you click the 'check box' for the policies to be accepted into the firewall rule.

User Group

Authentication → Groups → Add

create offshipUsers 

Add a Network Traffic Policy

Authentication → Groups → Add/Edit → Network Traffic → Create New

create satNAG_policy

Add a couple of users; Authentication →Users →Add

It is helpful to use the same syntax you would use for adding users to the ship email system or LDAP or RADIUS server, when adding the users assign them to the group offshipUsers created above.

Enable Captive Portal

In order to enable the captive portal your device will need two rule groups: WAN to LAN IPV4 traffic and LAN to WAN IPV4 traffic.

Change LAN_WAN_AnyTraffic Firewall rule to DROP

public/sophos.txt · Last modified: 2020/07/21 12:13 by rhudak