Few questions on XG

I managed to install Sophos XG in Unetlab

https://nbctcp.wordpress.com/2015/07/02/unetlab-installation-on-esxi/

A few questions come to mind:

1. Does XG have two firmware partitions, like HP or Juniper, where I can upgrade the secondary partition first and then boot from it?
If that works, I can upgrade the primary partition too if needed.

2. I want to test a virtual XG cluster in Active/Active in Unetlab.
Do I need two serial device licenses to emulate two different hardware units, or is one license enough?

3. Is there a GUI option that allows GUI management only from certain IPs?

 

Thanks
  • 1. XG hardware has a single partition only.

    2. For an active-active HA cluster you will need to purchase two licenses. For active-backup, Sophos allows you to use one license for both. However, I am not sure how the licensing works for the virtual appliance.

    3. Yes, you can definitely do that. The way you set it up is to go into Administration -> Device Access. Here you select which zones you want complete access for. So if you select the LAN zone to have access to HTTPS, ALL IPs in the LAN zone will have access to the firewall via HTTPS. For any zone you want to give limited access to, disallow access for the zone and then add a Local Service ACL exception rule like in the following settings:

    Hope this helps
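To make the decision logic in the answer above concrete, here is an added Python model written for this page (it is not Sophos code and does not call the XG API). It encodes the two-layer rule the answer describes: a service ticked for a zone under Device Access is reachable from every IP in that zone, and otherwise only hosts matched by a Local Service ACL exception rule are accepted. The model deliberately has no input for firewall rules, because the answer routes admin-portal access through Device Access rather than a firewall rule, and it assumes exception rules are accept rules only, which is how they are used in this thread. The zone names, the 192.168.1.0/24 LAN, the "admin PC" address and the `probe()` helper are all constructed for the demo; `probe()` is a plain TCP connect test you can run from the admin PC and from another LAN host to confirm that only the admin PC still reaches port 4444.

```python
"""Illustrative model of Sophos XG Device Access + Local Service ACL exceptions.

Added example for this discussion, not Sophos code. Addresses and zones below
are constructed for the demonstration.
"""
from __future__ import annotations

import socket
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample hosts in the LAN zone (not from the original thread).
ADMIN_PC = "192.168.1.10"
OTHER_LAN_HOST = "192.168.1.55"


@dataclass
class DeviceAccess:
    """Zone-wide checkboxes plus accept-only exception rules (modelling assumption)."""
    # zone -> services every host in that zone may reach (the Device Access grid)
    zone_services: dict[str, set[str]] = field(default_factory=dict)
    # exception rules: (source network, source zone, services accepted)
    exceptions: list[tuple[str, str, set[str]]] = field(default_factory=list)

    def allows(self, src_ip: str, src_zone: str, service: str) -> tuple[bool, str]:
        """Decide whether src_ip in src_zone may reach one of the firewall's own services."""
        # Layer 1: a ticked zone admits every IP in that zone, whatever else is configured.
        if service in self.zone_services.get(src_zone, set()):
            return True, f"{service} is ticked for zone {src_zone}: every IP in the zone is accepted"
        # Layer 2: otherwise only an explicit exception rule lets the host in.
        for net, zone, services in self.exceptions:
            if zone == src_zone and service in services and ip_address(src_ip) in ip_network(net, strict=False):
                return True, f"exception rule for {net} in zone {zone} accepts {service}"
        return False, "service not ticked for the zone and no matching exception: dropped"


def wide_open_lan() -> DeviceAccess:
    """HTTPS and SSH ticked for LAN: the whole subnet reaches the admin portal."""
    return DeviceAccess(zone_services={"LAN": {"HTTPS", "SSH"}})


def admin_pc_only() -> DeviceAccess:
    """The fix from the answer: untick HTTPS/SSH for LAN, then add one exception
    rule accepting those services from the admin PC alone."""
    return DeviceAccess(
        zone_services={"LAN": set()},
        exceptions=[(f"{ADMIN_PC}/32", "LAN", {"HTTPS", "SSH"})],
    )


def evaluate(policy: DeviceAccess) -> dict[str, bool]:
    """Summarise the decisions for the constructed admin PC and another LAN host."""
    return {
        "admin_pc_https": policy.allows(ADMIN_PC, "LAN", "HTTPS")[0],
        "other_lan_https": policy.allows(OTHER_LAN_HOST, "LAN", "HTTPS")[0],
        "other_lan_ssh": policy.allows(OTHER_LAN_HOST, "LAN", "SSH")[0],
    }


def probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds from this machine.
    Run it against the firewall's LAN address on 4444 from the admin PC and from
    another LAN host: after the change only the admin PC should get True."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_self_test() -> tuple[bool, bool]:
    """Offline check of probe(): a live loopback listener is reachable, the same
    port is refused once the listener is closed. Returns (live_ok, closed_ok)."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        live = probe("127.0.0.1", port, timeout=1.0)
    closed = probe("127.0.0.1", port, timeout=1.0)
    return live, not closed


if __name__ == "__main__":
    for label, policy in (("LAN HTTPS ticked", wide_open_lan()), ("admin PC only", admin_pc_only())):
        print(f"== {label} ==")
        for host in (ADMIN_PC, OTHER_LAN_HOST):
            ok, why = policy.allows(host, "LAN", "HTTPS")
            print(f"  {host} -> HTTPS: {'ACCEPT' if ok else 'DROP'} ({why})")
```

The first configuration reproduces the answer's warning: as long as HTTPS stays ticked for the LAN zone, every LAN address reaches the portal and no exception rule narrows that. Only the second configuration, with the zone unticked and a single-host exception, restricts the portal to the admin PC; a host in another zone with the same address gets no match, because the exception is bound to the LAN zone.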

  • What I want is to lock down access to the admin portal (HTTPS port 4444) on FW Port A (LAN port) so that only 1 admin PC in the LAN can reach it.

    STEPS TAKEN

    OPTION 1

    1. Local Service ACL for LAN: turned off HTTPS and SSH.

    2. Local Service ACL exception rule:
    from the ADMIN PC IP, HTTPS and SSH are accepted.

    OPTION 2

    1. Create an ADMIN PC IP object.

    2. Create a service for TCP port 4444.

    3. Create a firewall rule:
    ADMIN PC IP to firewall LAN Port A, service TCP 4444, accepted.

    Both options failed.

    I can use any IP in the LAN to connect to the admin portal on 4444.

    My requirement is simple:

    only allow the admin portal from 1 admin PC in the LAN subnet.

    Thanks

  • Sorry, I missed this post. This is what you need to do:

    1 - Go to System -> Administration -> Device Access. Here UNCHECK HTTPS for LAN.

    2 - Just below this, under Local Service ACL Exception Rule, add the following rule: