Deploying a Sophos XGS 2100 firewall

Deploying a Sophos XGS 2100 firewall as an edge device in a small office environment with a Cisco Catalyst 3650 PoE Switch, servers, workstations, patch panels, and a service router requires careful planning to ensure security, performance, and ease of management. Below is a best practice deployment model and a step-by-step configuration guide for your setup.


Deployment Model

  1. Sophos XGS 2100 as the Edge Firewall:
    • Place the Sophos XGS 2100 at the edge of your network, connecting directly to your ISP modem or service router.
    • Configure it to handle WAN connectivity, firewall policies, intrusion prevention, VPN, and threat protection.
  2. Cisco Catalyst 3650 PoE Switch:
    • Connect the switch to the Sophos XGS 2100 to distribute network connectivity to servers, workstations, and other devices.
    • Use VLANs to segment traffic (e.g., servers, workstations, and IoT devices).
  3. Servers and Workstations:
    • Connect servers and workstations to the Cisco switch.
    • Assign them to appropriate VLANs based on their roles.
  4. Service Router:
    • If the service router is provided by your ISP, configure it in bridge mode to allow the Sophos XGS 2100 to handle routing and firewall functions.
    • If the service router is required for specific purposes (e.g., MPLS or backup WAN), configure it as a secondary WAN connection on the Sophos XGS 2100.
  5. Patch Panels:
    • Use patch panels to organize and manage cabling between devices.

Step-by-Step Configuration

1. Sophos XGS 2100 Initial Setup

  • Connect the XGS 2100:
    • Connect the WAN port to your ISP modem or service router.
    • Connect the LAN port to the Cisco Catalyst 3650 PoE Switch.
  • Access the Web Interface:
    • Connect a computer to the LAN port and access the Sophos XGS 2100 web interface via https://192.168.1.1 (default IP).
    • Log in with the default credentials (admin/admin) and change the password.
  • Configure WAN Interface:
    • Go to Administration > Device Access and configure the WAN interface with the IP provided by your ISP (static or DHCP).
    • Enable NAT (Network Address Translation) for outbound traffic.
  • Configure LAN Interface:
    • Assign a static IP to the LAN interface (e.g., 192.168.10.1/24).
    • Enable the DHCP server on the LAN to assign IPs to workstations and servers.
  • Update Firmware:
    • Go to Administration > Backup & Firmware and update the XGS 2100 to the latest firmware.

2. Configure VLANs on Cisco Catalyst 3650

  • Create VLANs:
    • Access the Cisco switch CLI or web interface.
    • Create VLANs for different segments (e.g., VLAN 10 for servers, VLAN 20 for workstations).

    configure terminal
    vlan 10
     name Servers
    exit
    vlan 20
     name Workstations
    exit

  • Assign Ports to VLANs:
    • Assign switch ports to VLANs based on device connections.

    interface GigabitEthernet1/0/1
     switchport mode access
     switchport access vlan 10
    exit

  • Configure Trunk Port:
    • Configure the port connected to the Sophos XGS 2100 as a trunk port to carry multiple VLANs.

    interface GigabitEthernet1/0/24
     ! the 3650 rejects "switchport mode trunk" until the encapsulation is set explicitly
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport trunk allowed vlan 10,20
    exit
    end
    ! save the running configuration so it survives a reboot
    write memory

3. Configure VLANs on Sophos XGS 2100

  • Create VLAN Interfaces:
    • Go to Configure > Interfaces and create VLAN interfaces for each VLAN.
    • Example:
      • VLAN 10: 192.168.10.1/24
      • VLAN 20: 192.168.20.1/24
  • Configure DHCP for VLANs:
    • Go to Configure > DHCP and set up DHCP servers for each VLAN.
    • Example:
      • VLAN 10: DHCP range 192.168.10.100-192.168.10.200
      • VLAN 20: DHCP range 192.168.20.100-192.168.20.200

4. Configure Firewall Rules

  • Create Firewall Rules:
    • Go to Configure > Firewall Rules and create rules to allow traffic between VLANs and the internet.
    • Example:
      • Allow VLAN 10 (Servers) to access the internet.
      • Allow VLAN 20 (Workstations) to access VLAN 10 (Servers).
  • Enable Intrusion Prevention and Threat Protection:
    • Go to Protect > Intrusion Prevention and enable IPS.
    • Go to Protect > Threat Protection and enable scanning for malware, exploits, and phishing.
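
As an added check that is not part of the original guide, the script below models the two example rules from this step with the first-match, default-deny semantics a firewall rule table applies, and validates the DHCP pools from step 3 against their VLAN subnets. The zone names and the port restriction on the workstation-to-server rule are assumptions made for illustration; the guide does not specify ports.

```python
import ipaddress

# Constructed network plan matching the VLAN addressing used in this guide.
ZONES = {
    "Servers": ipaddress.ip_network("192.168.10.0/24"),       # VLAN 10
    "Workstations": ipaddress.ip_network("192.168.20.0/24"),  # VLAN 20
}

# Rules are evaluated top-down; the first match wins and anything unmatched
# is dropped, which mirrors the implicit default-deny of a firewall rule table.
# Each entry: (source zone, destination zone, allowed destination ports or "any").
# The port set on the second rule is an assumption (least privilege), not from the guide.
RULES = [
    ("Servers", "Internet", "any"),           # guide rule: VLAN 10 -> internet
    ("Workstations", "Servers", {443, 445}),  # guide rule: VLAN 20 -> VLAN 10
]

def zone_of(addr):
    """Map an IP address to a zone; private space outside a known VLAN is 'Unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "Internet" if ip.is_global else "Unknown"

def evaluate(src, dst, port):
    """Return (decision, index of the matching rule or None) for a new connection."""
    s, d = zone_of(src), zone_of(dst)
    for i, (rule_src, rule_dst, ports) in enumerate(RULES):
        if rule_src == s and rule_dst == d and (ports == "any" or port in ports):
            return "allow", i
    return "deny", None

def dhcp_range_ok(zone, first, last):
    """Check that a DHCP pool lies inside the zone's subnet and excludes the .1 gateway."""
    net = ZONES[zone]
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    gateway = net.network_address + 1
    return lo in net and hi in net and lo <= hi and not (lo <= gateway <= hi)

if __name__ == "__main__":
    # Flows from the test step in this guide, plus the reverse direction a reader
    # should confirm is blocked (servers must not initiate toward workstations).
    for flow in [("192.168.10.5", "8.8.8.8", 443),
                 ("192.168.20.50", "192.168.10.5", 445),
                 ("192.168.10.5", "192.168.20.50", 445),
                 ("192.168.20.50", "8.8.8.8", 443)]:
        print(flow, evaluate(*flow))
    print(dhcp_range_ok("Servers", "192.168.10.100", "192.168.10.200"))
```

Run as written, it shows that the two example rules alone leave workstations with no internet access and block server-initiated connections toward workstations, so a third rule for VLAN 20 to the internet is needed before the connectivity tests in step 6 will pass.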

5. Configure VPN (Optional)

  • Set Up Site-to-Site or Remote Access VPN:
    • Go to Configure > VPN and configure a VPN for secure remote access or site-to-site connectivity.

6. Test and Monitor

  • Test Connectivity:
    • Ensure devices in each VLAN can communicate as intended.
    • Test internet access from workstations and servers.
  • Monitor Traffic:
    • Use the Sophos XGS 2100 dashboard to monitor traffic, threats, and performance.

Summary of Best Practices

  1. Segment Network with VLANs: Isolate servers, workstations, and other devices for better security.
  2. Enable Threat Protection: Use Sophos XGS 2100’s advanced security features (IPS, malware scanning, etc.).
  3. Regular Updates: Keep the Sophos XGS 2100 firmware and threat definitions up to date.
  4. Backup Configuration: Regularly back up the Sophos XGS 2100 configuration.
  5. Monitor and Optimize: Continuously monitor network traffic and optimize firewall rules as needed.

By following this deployment model and configuration guide, you can ensure a secure, efficient, and scalable network for your small office.
