SD-RED appliance and new setup, questions.

We are in the planning stages right now, going to invest in full suite of Sophos products. We currently have 8 pfSense boxes with site-to-site Static Key OpenVPN Tunnels deployed on SuperMicro hardware, they are working great, but we need to comply with NIST 800-171, basically requiring a fully integrated security platform, unfortunately.

 

  • We have 3 main sites where file, AD and application servers are located.
  • Each of these sites will have XG Firewall installed on existing SuperMicro C2758 hardware (8-Core, 8GB Memory, Quad Intel NIC). Although I don't think we can afford the XG license to utilize all 8 cores. Will likely end up getting the 2-core, 4GB RAM FullGuard license.
  • The remaining 5 sites are home offices with 1 person each, they all have dedicated broadband business connections, 100x20 mbps minimum.
  • It would be nice to utilize the existing SuperMicro appliances at these 5 sites; it's relatively new/powerful hardware I'd hate to scrap.

Question 1) Is there a licensing option that would allow for SD-RED functionality only, and not the full suite of XG features? 

  • If not, I assume we have to purchase SD-RED 20 appliances. Looks like they are about $350, I highly doubt there will be a licensing option that costs less than this. So, a few questions about those appliances.

Question 2) Does the SD-RED 20 allow for multiple simultaneous tunnels? For example, home office site #1 SD-RED 20 appliance can connect to each of the 3 main sites where the XG Firewalls are located. This would allow for more direct routing rather than always having to traverse 1 site.

Question 3) Does the SD-RED 20 require a router be installed before it, or does it have the ability to specify/pull an IP from the ISP? At the home sites, we currently have Cable Modem -- Router. Could we replace that Router with the SD-RED 20, or would it have to be: Cable Modem -- Router -- SD-RED 20, where the LAN port of the Router connects to the WAN port of the SD-RED 20, essentially double NAT'ing?

 

thanks!



  • Hello Dan,

    Thank you for contacting the Sophos Community.

    Have you been contacted by any Sales Engineer from Sophos? They are usually the best ones answering this type of question. If you haven't, let me know your location and I can have one of them reach out to you.

    I will try to answer your questions:

    1 ) You would need a Network Protection for the RED

    2) The RED 20 and RED 60 only connect to one XG. The RED 60 has two WAN interfaces that allow for failover and/or load balance. [Edited RED 60]

    3) No, you can connect the RED directly to the Internet Modem, if the modem uses an Ethernet cable, the RED can also work behind a NATed device.

    Regards,

  • emmosophos said:

    Hello Dan,

    Thank you for contacting the Sophos Community.

    Have you been contacted by any Sales Engineer from Sophos? They are usually the best ones answering this type of question. If you haven't, let me know your location and I can have one of them reach out to you.

    I will try to answer your questions:

    1 ) You would need a Network Protection for the RED

    I realize that the XG Firewall has to have Network Protection in order for an SD-RED to connect to it. But, I'm wondering if there is a license I can purchase that will allow me to install ONLY the firmware that's installed on SD-RED appliances, essentially using my own hardware for the SD-RED devices rather than buying new appliances from Sophos.

    2) The RED 20 only allows for one tunnel to a specific XG.

    Does the RED 60 allow for more than 1 simultaneous RED tunnel?

    3) No, you can connect the RED directly to the Internet Modem, if the modem uses an Ethernet cable, the RED can also work behind a NATed device.

    Regards,

     

     
    I added a few more clarifications in-line above.
    I also sent you a PM re: the sales engineer. Thanks again!
  • Hello Dan,

    Thank you for the follow-up.

    I have replied to your PM, also I have updated my answer above, RED 60 only can be connected to an XG, the additional WAN link on RED-60 is used for redundancy and/or load balance.

    As per the first question REDs only work with Sophos Hardware/Virtual appliances, so there is no separate license you can purchase and connect to a 3rd party firewall. 

    But the XG can be deployed on your own hardware/virtually/cloud so this can give you some additional options on how to deploy the RED in your environment.

    Regards,

  • emmosophos said:

    As per the first question REDs only work with Sophos Hardware/Virtual appliances

     

    So, the only option for a RED is to purchase a RED appliance from Sophos.

    Understood, I was just looking for a way to re-purpose our remote SuperMicro boxes rather than buying SD-RED 20s.