
Can I deploy XG firewall in a control network with no internet access?

My company has a department that manages our energy management system control networks. They are currently using Cisco ASA firewalls but are considering other, more affordable solutions. However, due to our regulatory compliance requirements, their firewalls cannot have direct internet connections.

I realize you can manually download the firmware and update the firewall SFOS from a PC. But I wonder if there is a way to activate the firewall licenses and update things like AV signatures, GeoIP databases, etc., from the PC or a USB thumb drive. No, they don't need RED.


Thank you!

daniel



  • To my knowledge, no.

    The main issue you will have is downloading updates. The most obvious of these are pattern updates for antivirus and IPS. However, things like the CRACK vulnerability were also fixed via an automatic update.

    You will have two problems: initial install and ongoing. If you can do the initial install with internet access and then move it afterward, it would be a help.

    Some components, like the AV, will not start until there are virus definitions in place. But IIRC the AV subsystem will also stop working if the patterns are too out of date (I don't recall if it is 30 days or 90).

    If you are using firewall only and don't care about those systems... maybe?

  • We could activate it with Internet access and move it to the control network. But compliance requires AV and IPS, so they need to be updated. Is there not a feature, or a feature on the roadmap in the near future, to allow updates from an in-house proxy/repository? Our control networks are not allowed to have direct Internet access but are allowed controlled access to the corporate side of the network.

    It would be nice to be able to point the control network firewall to another firewall to pick up those updates.

    Thanks!

  • As far as I know there is no in-house deployment of an update server. To my knowledge it is not on the roadmap, but this is not my area of expertise. You would have to talk to a Sales Engineer.

    However, if you are OK with the XG contacting the Sophos website via another web proxy, there is a definite solution.

    Go to Routing \ Upstream Proxy.

    Any time the XG needs to download anything from the web (this includes all updates), it will use the upstream proxy.

    You could then configure the upstream proxy so that the only site the XG is allowed to visit is sophos.com (there may be 2 or 3 other sites needed as well).

    Note that you may also have to do similar things to configure DNS, NTP and other systems to use internal rather than external resources.
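The allowlist the answer above describes (an upstream proxy that lets the XG reach only the vendor's update hosts, plus internal DNS/NTP) is easy to get subtly wrong: a naive substring match on "sophos.com" would also admit a host such as evilsophos.com. The following is an added example, not code from the thread or from Sophos. It implements Squid-style dstdomain matching (a leading dot matches the domain and all its subdomains, no dot means an exact match), parses proxy request lines, and emits the corresponding Squid ACL fragment. The hostnames, the XG's source address and the request lines are constructed for illustration; the real list of update hosts is not on the page and must come from vendor documentation.

```python
"""Allowlist logic for an upstream proxy sitting between an air-gapped
XG firewall and the vendor's update servers (added example; hostnames,
addresses and request lines below are constructed, not from the page).
"""
from urllib.parse import urlsplit

# Constructed allowlist in Squid dstdomain style.  The exact set of
# vendor hosts is an assumption; take the real list from documentation.
ALLOWLIST = [
    ".sophos.com",        # vendor update hosts and their subdomains
    "ntp.corp.example",   # internal NTP (constructed name)
    "dns.corp.example",   # internal DNS (constructed name)
]

XG_SOURCE_CIDR = "10.10.0.1/32"   # constructed address of the XG


def host_allowed(host, allowlist=ALLOWLIST):
    """Return True if host matches an allowlist entry.

    '.example.com' matches example.com and any subdomain; 'example.com'
    matches only itself.  Suffix matching on the dotted form is what
    keeps 'evilsophos.com' out while letting 'updates.sophos.com' in.
    """
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def request_host(request_line):
    """Extract the destination host from an HTTP proxy request line.

    Handles 'CONNECT host:port HTTP/1.1' (TLS tunnels) and
    'GET http://host/path HTTP/1.1' (plain HTTP).  Returns None when
    the line cannot be parsed, which the caller treats as a deny.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        return host.strip("[]") or None
    netloc = urlsplit(target).hostname
    return netloc


def evaluate(request_lines, allowlist=ALLOWLIST):
    """Decide each request; unparsable lines are denied (fail closed)."""
    decisions = []
    for line in request_lines:
        host = request_host(line)
        allowed = host is not None and host_allowed(host, allowlist)
        decisions.append((line, host, allowed))
    return decisions


def squid_acl_lines(allowlist=ALLOWLIST, xg_cidr=XG_SOURCE_CIDR):
    """Render the equivalent Squid configuration fragment.

    Only the XG's source address may use the allowlisted destinations;
    everything else is denied by the final rule.
    """
    lines = ["acl xg_fw src %s" % xg_cidr]
    for entry in allowlist:
        lines.append("acl xg_updates dstdomain %s" % entry)
    lines.append("http_access allow xg_fw xg_updates")
    lines.append("http_access deny all")
    return lines


# Constructed request lines as the proxy would see them from the XG.
SAMPLE_REQUESTS = [
    "CONNECT downloads.sophos.com:443 HTTP/1.1",
    "GET http://sophos.com/ HTTP/1.1",
    "CONNECT evilsophos.com:443 HTTP/1.1",
    "CONNECT sophos.com.attacker.test:443 HTTP/1.1",
    "GET http://ntp.corp.example/ HTTP/1.1",
    "garbage",
]

if __name__ == "__main__":
    for line, host, allowed in evaluate(SAMPLE_REQUESTS):
        print("%-5s %-32s %s" % ("ALLOW" if allowed else "DENY", host, line))
    print("\n".join(squid_acl_lines()))
```

Running the block prints one ALLOW/DENY decision per constructed request and then the Squid fragment; the two look-alike hosts and the unparsable line are denied, which is the behaviour to confirm on the real proxy before the control-network firewall is cut over to it.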
