
Topology / Network Design for medium / large network with several branches

Hi guys,


at the moment we are running Meraki MX firewalls which we want to replace with Sophos XG. We are already using Sophos Central Endpoints.


We have 4 branches with VDSL50 and VDSL100 internet connections. At the moment all branches are in a mesh VPN which makes them connected to each other.

We have also client VPN to every branch.


The question is now: does it make sense to run a central XG within a datacenter, connect all branches to that datacenter and do the routing between branches there, or keep it as it is and establish VPN between all branches?

Can I connect our endpoints to several XGs for the heartbeat, or how does this work?


Do you recommend RED or Site to Site Tunnel for this?


Thanks in advance

  • As far as I know XG doesn't have a mesh VPN as such. I would recommend using RED VPNs with Sophos XG; you could set up RED Server and client VPNs to each of your firewalls and that would give you VPN between your branches. But as XG has no mesh VPN as such you would need to set up routes so that each XG firewall could access all the branches. You could get away with only 4 VPN links: Server 1 to Server 2, 2 to 3, 3 to 4 and 4 to 1. Then, as I mentioned, just set up static routes for branches that don't directly connect to another branch, i.e. 1 to 3. Or you would set up VPNs from each branch to every other branch, but that would get very complicated. The last method would be to set up an XG instance to act as a central hub Datacentre, then set up RED VPNs between each branch and that XG.

    If it was me I would just set up RED VPNs from each branch to every other branch; that way you don't have the additional cost of licencing the Datacentre XG.

    When it comes to the Heartbeat you mentioned, that's done by each endpoint's local XG server. Sophos Central should detect which of your endpoints is behind which XG server as long as you have each XG server logged in with an account from the same Central instance you have. Then in the Firewall rules on your XG servers you specify if you want to block traffic without a heartbeat, or specify that if an endpoint has a Yellow or Red status then restrict traffic per status colours.

    Hope that helps

    JK
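    The reply above describes three tunnel layouts (a four-link ring with static routes for the non-adjacent branches, a full mesh, and a datacentre hub) and notes that the ring needs static routes so that, for example, branch 1 can reach branch 3. The following is an added example, not code from the thread or from Sophos: it takes a list of tunnels and per-site LAN subnets (the subnet addresses are constructed for illustration) and works out, for any tunnel layout, which static routes each firewall needs and which sites end up carrying transit traffic between two other sites. It is general in that it handles any set of tunnels, not only the four-site ring the reply mentions.

```python
"""Static-route planning for a set of site-to-site tunnels.

Added example (not from the forum thread). Site names and subnets below are
constructed placeholders; substitute your own when planning real routes.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed example: one LAN per branch (hypothetical addresses).
SUBNETS: Dict[str, str] = {
    "branch1": "10.1.0.0/16",
    "branch2": "10.2.0.0/16",
    "branch3": "10.3.0.0/16",
    "branch4": "10.4.0.0/16",
}
DC_SUBNETS: Dict[str, str] = dict(SUBNETS, dc="10.0.0.0/16")

# Layout A from the reply: four tunnels 1-2, 2-3, 3-4, 4-1 (a ring).
RING_TUNNELS: List[Tuple[str, str]] = [
    ("branch1", "branch2"), ("branch2", "branch3"),
    ("branch3", "branch4"), ("branch4", "branch1"),
]
# Layout C from the reply: a central XG in the datacentre, one tunnel per branch.
HUB_TUNNELS: List[Tuple[str, str]] = [("dc", b) for b in SUBNETS]


def adjacency(tunnels: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bidirectional neighbour lists; peers sorted so results are deterministic."""
    adj: Dict[str, Set[str]] = {}
    for a, b in tunnels:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return {site: sorted(peers) for site, peers in adj.items()}


def next_hops(site: str, adj: Dict[str, List[str]]) -> Dict[str, str]:
    """Breadth-first search: for every other site, the tunnel peer `site`
    must send traffic to first (shortest path by hop count)."""
    first_hop: Dict[str, str] = {}
    queue = deque()
    for peer in adj[site]:
        first_hop[peer] = peer  # directly connected through a tunnel
        queue.append(peer)
    while queue:
        cur = queue.popleft()
        for peer in adj[cur]:
            if peer != site and peer not in first_hop:
                first_hop[peer] = first_hop[cur]  # inherit the first hop
                queue.append(peer)
    return first_hop


def static_routes(tunnels, subnets) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Per site: destination subnet -> (next-hop site, 'direct' or 'transit').
    'transit' routes are the ones the reply says must be added by hand."""
    adj = adjacency(tunnels)
    routes = {}
    for site in adj:
        routes[site] = {
            subnets[dst]: (hop, "direct" if hop == dst else "transit")
            for dst, hop in next_hops(site, adj).items()
        }
    return routes


def transit_sites(tunnels) -> Set[str]:
    """Sites that forward traffic between two *other* sites. Their firewall
    policy must allow tunnel-to-tunnel traffic, not only LAN-to-tunnel."""
    adj = adjacency(tunnels)
    hops = {site: next_hops(site, adj) for site in adj}
    transit: Set[str] = set()
    for src in adj:
        for dst in hops[src]:
            cur = hops[src][dst]
            while cur != dst:          # walk the whole path, not just hop one
                transit.add(cur)
                cur = hops[cur][dst]
    return transit


if __name__ == "__main__":
    for name, tunnels, subnets in (("ring", RING_TUNNELS, SUBNETS),
                                   ("hub", HUB_TUNNELS, DC_SUBNETS)):
        print(f"== {name}: {len(tunnels)} tunnels, "
              f"transit sites {sorted(transit_sites(tunnels))}")
        for site, table in sorted(static_routes(tunnels, subnets).items()):
            for subnet, (hop, kind) in sorted(table.items()):
                print(f"{site:8} {subnet:14} via {hop:8} ({kind})")
```

    Two things the output makes visible that the prose only implies: in the ring, two of the four branches become transit points for the others (which two depends on the tie-break between the two equal-length paths, so the choice has to be made consistently at both ends), and in the hub layout the datacentre XG is the only transit point, so branch-to-branch policy lives in one place.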

  • Perfect, thank you!!


    I like the RED connection as well, but there I need to set static routes too? To get it a bit more complicated, there are two branches where the XG needs to act as L3 between 2 VLANs...

  • I know you used to have to do that, but in V17 I don't think you do?? Well, I've not used RED lately but this excerpt suggests not.

    RED

    This page describes how to enable RED. RED is short for Remote Ethernet Device and is a means to connect remote sites, e.g., branch offices, to your main office as if the remote site was part of your local network. The setup consists of the Sophos XG Firewall in your main office and a Remote Ethernet Device (RED) in your remote office. Establishing a connection between the two is utmost easy as the RED device itself does not need to be configured at all. As soon as the RED device is connected to your device it behaves like any other Ethernet device on your device. All traffic of your branch office is safely routed via your device which means that your branch office is as secure as your local network.

    These types of RED devices are currently available:
    • RED 10: RED solution for small remote offices
    • RED 15: RED solution for medium remote offices
    • RED 15w: RED solution for small remote offices, including WiFi.
    • RED 50: RED solution for bigger remote offices which comes with two uplink interfaces.

    Additionally, you have the choice to establish a RED Site-to-Site tunnel between two SF devices which are connected through the RED technology on Layer 2. One device acts as server while the other is the client. For more information, see chapter Configure RED Site-to-Site Tunnel. Each RED device or SF device that is configured here is able to establish a connection to your SF device.

    Note: For RED devices to be able to connect, you need to enable RED support on the Configure > System Services > RED page first.

    RED setup example

    Related tasks: Add RED on page 119. This page allows you to configure a Remote Ethernet Device (RED) at a remote office.

    P286:

    http://docs.sophos.com/nsg/sophos-firewall/v17.0.2/PDF/Sophos%20XG%20Firewall%20Web%20Interface%20Reference%20Guide.pdf

    Like I say, I've not used RED since UTM, but if anyone using XG v17 RED could update this please do...


    JK

  • Sorry, from this KB article you do still need to add static routes manually. But still it's not too many, and if you can use Sophos Firewall Manager to manage all your XG firewalls you can even set up templates to make the job easier.

    JK