So, we have been running Sophos UTM for a while for a couple of sites but have now upgraded the devices to XG.
I have watched the how-to videos and am starting to get a good understanding of XG Firewall, but I would like some assistance from you wonderful Sophos experts on best practices for our setup. Below is a basic design and the desired connections:
Main Site: SG 230:
PortE0 - LAN - 192.168.170.2 - Local domain with DC and terminal server (email is through O365)
PortE1 - WAN - 192.168.1.10 - Connected to draytek router with load balance between fiber and adsl internet (This internet is to be shared to all sites)
PortE2 - DEPOT - 192.168.183.3 - AirFiber link to Depot site
PortE3 - LIBRARY - 192.168.181.3 - Wireless Link to Library site
PortE4 - VISITOR - 192.168.0.3 - Fiber cable link to Visitor Centre site
PortE5 - YOUTH - 192.168.188.3 - Wireless link to Youth services site
Each remote site has a SG 125 with XG firewall on.
They will be getting their internet from the main office WAN.
All staff will be on the same domain as sites are too small to require their own subdomains and/or servers.
We have Sophos Central with heartbeat now enabled on the main 230.
Questions:
What would be the best firewall rules to set up between the sites to only allow the basics through (AD, DHCP, SMB, RDP)?
What static routes would I need to allow these different sites to communicate only with the main site and not with each other?
What would be the best firewall rule to set up to allow internet from the WAN port to all the sites?
Do I need to install the Sophos certificate to all computers in the different sites as the Sophos 230 will be the gateway to the internet for all sites?
Is the general intrusion prevention policy good enough to allow on each rule?
Thanks in advance for any help. Please feel free to ask for more information