
Just Setup XG Home. Running well but have a few questions.

Hello everyone. I got Sophos XG Home installed this past Friday and have been configuring it this weekend. I would like to thank Ian and Prism for their hardware recommendations because the install process was very smooth. I have about 10 rules setup so far and I have a few questions so far after playing around with this for a couple days now.


  1. IPS – When I turn IPS on for a rule my download speed seems to take a hit. For example, on most of my outbound rules I have the LAN TO WAN IPS policy attached. When I go to speedtest.net and run a test, I am getting 500-600 Mbps down and like 930 Mbps up (I have gigabit down/up through FiOS). Any reason why the download would be taking a little hit and the upload is running at cap? Speedtest.net might not be the best tool to use, so if there is something better, let me know. Also, is the LAN TO WAN policy a good policy to start with for home use? It seems like the LAN TO WAN is a more tailored template where the lantowan_general just turns everything on with whatever the recommended action is. Are the LAN TO WAN policies protecting others from being attacked from my network? I am a little confused on how that works. I have turned on WAN TO LAN on some of my inbound rules to servers that I have opened specific ports on for certain services. Ideally, I want IPS on to make sure intrusions into my network are being dropped.
  2. Match Known User – In my home network/lab here I have a Windows DC with AD, DHCP, DNS, etc. I wanted to create a couple of rules to match based on group membership. For example, have a rule apply to anyone in Domain Admins, Domain Users, or even a custom group that I create in AD. I added my DC to Sophos XG and imported some groups, but when I wrote the rule and told it to match Domain Admins, it was not recognizing it and was just going out my default allow rule. Did I set this up the right way? I saw some posts and a Sophos Knowledgebase article about the STAS setup. Do I need to set up STAS in order for this to work? If I have to set up STAS, I can still have rules that are not tied to users but are tied to single IPs, networks, etc., correct?
  3. Geo IP Blocking – I wanted to block certain country groups inbound and outbound. I followed this Sophos Knowledgebase article to set up two rules. The rules are the same, with the only difference being that one rule has the country groups as the source networks and the other as the destination. The destination rule is blocking traffic out to these country groups, as I see it in the logs and in the rule statistics. The rule with the country groups as the source has been sitting at 0 in, 0 out since yesterday morning. I know, being a home network, I am probably not getting too many inbound hits from foreign countries, but I figured I would see some traffic from certain foreign entities trying to scan for open ports, etc. Did I set these rules up correctly? Should I be seeing dropped traffic on that rule with the countries as the source networks, or is there probably nothing coming in to be blocked?
  4. Block Known Bad IPs from IP lists like Talos – I was thinking of creating a top-level rule to block known bad IPs from an IP list like Cisco Talos Intelligence or other similar lists. Do I do this just by creating an IP list in Sophos XG and copying the IPs into the list? Do you guys do this at all on your systems? I read some posts here on the community that said it is not really necessary because of all the false positives that come along with it. Not sure if that is accurate or not.
  5. Certificates, VPN, and SSL Decryption – So I have a Windows CA server in my home lab. I imported the CA into Sophos last night (without the private key). Created a CSR in Sophos, submitted it to the Windows CA and signed it as a Web Server. Uploaded that back to Sophos and set it as the certificate for the admin portal, user portal, etc. When I access the admin console now from one of my domain machines, it comes up secure, which is what I wanted. I wanted to create certs from my Windows root CA for the VPN cert and SSL decryption. Do those certs require any specific extensions or attributes to be used for those services? Has anyone else done it this way with a Windows CA, or is it generally just recommended to use the Appliance default certificate that is there from the start? Also, for SSL decryption, how do you guys handle things like mobile devices, non-domain computers, etc.? Do you just put them in rules with no decryption, or do you have a method to get decryption working for them? I know from past experience that dealing with decryption and things like iOS and Android can be difficult.


Sorry for the long post and all the questions. I am new to Sophos XG. I tried searching through the Knowledgebase and community. I found some information but nothing very specific. Appreciate your time and help.



  • Hi Brian,

    please check this thread for issues with your download speed; it also refers to another thread on a similar subject.

    https://community.sophos.com/products/xg-firewall/f/network-and-routing/117488/utm9-to-xg-migration

    Blocking countries, outgoing: make sure the rule is reject and at the top of the firewall rule table. Incoming is really aimed at servers, not general internet access, and that rule also needs to be a reject at the top of the list. Also be aware that not all bad sites originate from a bad country, because they use AWS in various countries for their servers. Make sure you have disabled remote access to your XG.

    Why do you need to block known bad IP addresses? You are a home user.

    Ian

  • Hi Ian,

    Thank you for your response. I read through that post but did not see anything about the IPS and reduced download speeds. The only thing I saw related to IPS is when he said that the IPS was stopping his PS4 from working, at which point he turned it off. The link that was in there was to change the settings for DoS protection. I currently don't have any of those flags applied. Did I miss something in the post? I don't have any connectivity issues when I have IPS enabled on a rule, I just get slightly reduced download speed. If I take the IPS off, then I get 800-900+ Mbps down. Upload doesn't seem to be affected whether IPS is on or off.

    I changed my Geo IP rules from drop to reject. I still see traffic being denied on the rule where the country groups are the destination. Nothing comes up in the logs for the rule where they are the source. The rule number doesn't matter, right? The rules work top to bottom regardless of the rule number, correct? For example, if rule 8 is above rule 4, the traffic would be handled by 8 if it matched the zone, networks, users, etc. As for blocking known bad IPs, this is something I have always had implemented at my work environments. You're right, this is a home network. I also use this as a home lab, so I like to play around with different things that may normally be seen in the Enterprise. So I guess, to answer your question, there is no specific reason why I need to block known bad IPs, but it was something I was thinking about setting up to play around with.
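The rule-ordering question above (table position vs. rule number, and Ian's advice to keep the country-reject rules at the top) can be checked with a small constructed model of first-match evaluation. This is an added example, not Sophos code: the zones, placeholder country codes "XX"/"YY", port 443 server rule and rule IDs are all assumptions made up for the illustration.

```python
"""Constructed model of first-match firewall rule evaluation (added example, not Sophos code).
Table position, not the rule ID shown in the GUI, decides which rule handles a packet, and a
country-blocking rule only records hits if it sits above any accept rule that would match first."""
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int                 # number shown in the GUI; irrelevant to ordering
    src_zone: str
    dst_zone: str
    action: str                  # "accept", "drop" or "reject"
    src_countries: frozenset = frozenset()   # empty means any source country
    dst_countries: frozenset = frozenset()   # empty means any destination country
    dst_ports: frozenset = frozenset()       # empty means any destination port
    hits: int = 0

    def matches(self, pkt):
        return (pkt["src_zone"] == self.src_zone and pkt["dst_zone"] == self.dst_zone
                and (not self.src_countries or pkt["src_country"] in self.src_countries)
                and (not self.dst_countries or pkt["dst_country"] in self.dst_countries)
                and (not self.dst_ports or pkt["dst_port"] in self.dst_ports))

def evaluate(table, pkt):
    """Walk the table top to bottom; the first matching rule wins and takes the hit.
    No match falls through to an implicit default, modelled here as ("drop", None)."""
    for rule in table:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, rule.rule_id
    return "drop", None

GEO = frozenset({"XX", "YY"})   # constructed placeholder country codes for the blocked group

def build_table(geo_inbound_on_top=True):
    geo_out = Rule(8, "LAN", "WAN", "reject", dst_countries=GEO)     # countries as destination
    geo_in = Rule(9, "WAN", "LAN", "reject", src_countries=GEO)      # countries as source
    web = Rule(4, "WAN", "LAN", "accept", dst_ports=frozenset({443}))  # published server
    default = Rule(1, "LAN", "WAN", "accept")                         # default outbound allow
    inbound = [geo_in, web] if geo_inbound_on_top else [web, geo_in]
    return [geo_out, *inbound, default]

def demo(geo_inbound_on_top=True):
    """Returns (action, rule_id) for: outbound to XX, inbound from XX to 443, inbound from XX to 22."""
    table = build_table(geo_inbound_on_top)
    pkts = [
        dict(src_zone="LAN", dst_zone="WAN", src_country="US", dst_country="XX", dst_port=80),
        dict(src_zone="WAN", dst_zone="LAN", src_country="XX", dst_country="US", dst_port=443),
        dict(src_zone="WAN", dst_zone="LAN", src_country="XX", dst_country="US", dst_port=22),
    ]
    return [evaluate(table, p) for p in pkts]
```

With the inbound country rule on top, the scan from "XX" to port 443 is rejected by rule 9 even though rule 4 would have accepted it; move rule 9 below rule 4 and the same packet is accepted and rule 9 never counts a hit.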

  • Hi Brian,

    there are many threads on XG performance and downloading as well as a KBA.

    Country blocking outgoing you will see in the rules/logviewer. Incoming, they would appear not to be hitting your XG.

    Incoming country blocking is only really worth configuring if you persistently get junk mail or have a server exposed to the internet.

    Bad IP addresses appear to be a never-ending source of activity keeping the list accurate; again an issue for exposed servers, but for normal users that should be picked up in your firewall rules/proxy settings.

    Ian
