
Emergency access to remote Sophos Firewall if tunnel is down

Hi there,

I am new to the Sophos Firewall product, and so my question might sound stupid for all the wizards here...

I like the security hints and warnings the firewall shows when configuring insecure settings, such as the access to the configuration frontend from the WAN zone.

In my usage scenario, there are several Sophos Firewall devices in the branch offices (BO) and another device in the head office (HO).

In the BOs, there are no IT personnel and the people there depend on a working connection to the HO. The connections to the offices are established using site-to-site IPSec VPN tunnels.

If - for whichever reason - the tunnel goes down, there is no way to connect to the remote firewall and see what is going on there or to try to re-establish the tunnels.

With our old Sophos UTM devices, the animated interface was enabled on WAN interface, but access was limited only to the HO's IP address.

This is now regarded as insecure with Sophos Firewall (which is definitely true), but nevertheless we need another way to connect to the device and check the settings.

What's the recommended configuration for this scenario now?

Thanks,

Tom



This thread was automatically locked due to age.
  • Hi,

    I would suggest you set up a CM account. There are two types: the free one stores 7 days of data and does not mail reports, whereas the paid one has many more features. You start with a trial and decide on whether you are going down the paid path or the free path.

    The CM will allow access to an XG assuming it is still on-line.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • BTW: If you have the most common bundle (xStream Protection) you have Central Orchestration, which includes 30 days of reporting. So most likely most customers have 30 days + reporting advanced features.


  • You advise that after I post the CM as a suggestion. I have checked my XG115 licence and I do not have an x-stream licence. My licence has Central Orchestration, which includes SD-WAN and CFR. I suspect that the x-stream licence only comes with XGS, not XG; would I be correct?

    Ian

    XG115W - v19.5.1 mr-1 - Home


  • xStream is a bundle for SFOS. It is not limited to any kind of hardware. If you have Central Orchestration, your appliance should uplift the Central installation to 30 days with CFR. Check the licensing page in Central for more insights.


  • CM stands for Central Management, right?

  • Yes, exactly.

    You set up a "trial" to get an account, then you register from your firewall to that account with your device's serial number.

    Depending on your license(s) you have several options to turn on, then.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner
