
When do I use MAC Host / IP Host

Hello,

can someone explain to me when I should use a MAC host and/or an IP host, and when that makes sense?

Or do I even have to create both, although in my other thread it was already discussed why there is no finished client object.

It is absolutely not understandable to me what the point is of creating a MAC host or an IP host separately.

Well, that would be worth an answer in my other thread.

Back again: when do I use a MAC host or an IP host?

I absolutely do not understand this type, because a client basically has a MAC and an IP, at least to my understanding when trying to work with rules.

Thanks and greetings


Top Replies

  • In SG you "should" not use a static DHCP lease within the DHCP lease range. But SG allowed it anyway, even though this causes much trouble in networks. See the UTM online help:

    Note – To avoid an IP address clash between regularly assigned addresses from the DHCP pool and those statically mapped, make sure that the latter are not in the scope of the DHCP pool. For example, a static mapping of 192.168.0.200 could result in two systems receiving the same IP address if the DHCP pool is 192.168.0.100 - 192.168.0.210.

    In XG, we avoid this from happening in the first place by blocking static mappings within the lease range. So, for example, you can set up a DHCP lease range of 192.168.100.0 - .50 and statically map .51-.254 for your devices. The static mapping is done on the DHCP server. See: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/NetworkConfigureDHCPServer.html

    But again: this is not the same as on UTM. The approach is different, therefore this looks odd to people who know UTM. UTM used a unified approach for this (since 9.1) in the network context. So you can maintain your static IP based on an object in network objects: one object which contains the MAC and the static IP etc.

    In XG, we built the entire authentication method differently. So we do not need a static mapping anymore and can use the context of a user. To get user information (what is your currently logged-in user name?) we need an authentication method. Most likely this is built for an AD environment. But there are several other methods for other customers as well.

    The most used on home deployments, which do not have AD or any kind of authentication service in place, is clientless based.

    https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/concepts/ClientlessUsers.html

    So it relies again on an administrator maintaining this in different screens (DHCP static lease + mapping the IP to a user).

    There are other methods like a client-based approach: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/AuthenticationClientDownloads.html

    But those tools require you to install a piece of software. 

    This is not great for home users to begin with, as Sophos heavily requires some sort of authentication. Because if you start with AD or RADIUS, you can completely automate this process. Like STAS: it will simply map every device to a username and work that way. Or our own endpoint client will do the same for Windows clients as well. Or Intercept X for Server will map all RDP sessions to individual sessions etc. There is also NTLM/Kerberos to map an existing username to a device. For IoT devices, there is RADIUS WPA2 Enterprise to map the mobile device to a username etc.

    The question remains what you want to achieve: smaller customers (XGS107 for example) are basically using LAN to WAN rules, turn on the IPS and web filtering, and do not use segmentation (as they likely have only 5 devices, for example). And bigger customers use AD or Azure AD and turn on authentication at that level.

    There are internal feature requests to extend the usability for smaller customers and reduce the number of windows you have to go through to create something, but this is not an easy task to begin with.

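The reply above describes the address clash the UTM help note warns about (a static mapping inside the DHCP pool) and the XG rule that keeps static mappings outside the lease range. The following is an added example, not code from the original post or from Sophos, that audits a set of static mappings against a lease range before they are entered on the DHCP server; the MAC addresses are constructed, and the two ranges are the ones quoted in the reply.

```python
import ipaddress
from collections import defaultdict


def parse_range(spec):
    """Parse a lease range such as '192.168.0.100 - 192.168.0.210' or the
    shorthand '192.168.100.0 - .50' into a (first, last) address pair."""
    first_s, last_s = (part.strip() for part in spec.split("-", 1))
    first = ipaddress.IPv4Address(first_s)
    if last_s.startswith("."):
        # shorthand: only the last octet differs from the first address
        last_s = first_s.rsplit(".", 1)[0] + last_s
    last = ipaddress.IPv4Address(last_s)
    if last < first:
        raise ValueError(f"range end {last} precedes start {first}")
    return first, last


def audit_static_mappings(pool_spec, mappings):
    """Check {mac: ip} static mappings against the DHCP pool.

    Returns a dict with two lists: 'in_pool' (mappings that fall inside the
    lease range, the clash the UTM help note describes) and 'duplicate_ip'
    (two MACs statically mapped to the same address)."""
    first, last = parse_range(pool_spec)
    problems = {"in_pool": [], "duplicate_ip": []}
    by_ip = defaultdict(list)
    for mac, ip_s in mappings.items():
        ip = ipaddress.IPv4Address(ip_s)
        by_ip[ip].append(mac)
        if first <= ip <= last:
            problems["in_pool"].append((mac, ip_s))
    for ip, macs in by_ip.items():
        if len(macs) > 1:
            problems["duplicate_ip"].append((str(ip), sorted(macs)))
    return problems


# Constructed sample data mirroring the two examples in the reply.
UTM_POOL = "192.168.0.100 - 192.168.0.210"
UTM_STATIC = {"00:11:22:33:44:55": "192.168.0.200"}   # inside the pool

XG_POOL = "192.168.100.0 - .50"
XG_STATIC = {
    "00:11:22:33:44:55": "192.168.100.51",            # first address past the pool
    "66:77:88:99:aa:bb": "192.168.100.254",
}

if __name__ == "__main__":
    print("UTM example:", audit_static_mappings(UTM_POOL, UTM_STATIC))
    print("XG example: ", audit_static_mappings(XG_POOL, XG_STATIC))
```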