Moving from Managed Firewall to Sophos

We currently have a managed firewall with our ISP, along with external IP addresses that we use.

We are wanting to save money by bringing this in house, but of course this comes with questions and problems, mainly for me....

So I could do with some guidance on how to make sure that I set up the interfaces correctly and that I can get out on the web lol

Currently all traffic goes through the UTM device, such as email (inbound and outbound scanning) and HTTP/S (content filtering).

But we also have servers within the internal network that need access out over the internet, so I presume I would need some NAT solution for this, but Virgin call this a security policy change request. I have a copy of the Juniper firewall config but have requested an up-to-date version of this.

And of course still remaining fully protected.

Thanks

  • Which packages you bought will help determine what will help you protect better.  If you can list those it will help more.

    For example, do you have Web Server Protection? https://community.sophos.com/kb/en-us/120388

    Otherwise, you need to establish a few things; one, why SG?  If you just bought, I would go XG.  But that is a different topic.

    • You need to set up your LAN, WAN, DMZ and other subnets, Interfaces & Routing -> Interface
      • Since you have email and internet working I am assuming you have this also; if you do not have a DMZ, pick an interface and configure it out.  I would go with a different subnet than your LAN.

    • On your WAN interface you need to set the additional addresses, Interfaces & Routing -> Additional Interfaces
      • These are the other external IP addresses you have set up for your servers in your DMZ.

     

    • Now you want to have your servers talk out to the internet but only for the traffic you want, so you will go to Network Services -> Firewall
      • Here you will select DMZ and allow whatever services or protocols you need your servers to talk to the internet with outbound traffic.
        • The rule should be Source DMZ
        • Services (Example) HTTP
        • Destinations (Example) Any
        • Action Allow
        • Time Period Always
        • Check Log Traffic so you can see what is going on.

    • Now you also want people to get to your servers; this is where you make NAT rules: go to Network Protection -> NAT -> NAT
      • Create a new NAT rule, select the position (read firewall rules position https://help.f-secure.com/product.html?business/linux-security/11.00/en/concept_65EDE5505E7349878E3E1A3453928A6F-11.00-en)
      • Rule Type DNAT for Destination
      • For traffic from: You can select ANY if this is a web server you want anyone to see, or if this is a specific client you want to access, say, an SFTP server, you would use their IPs.
      • Using service Example Port 22 for SFTP or Port 80 & 443 for a Web Server
      • Going to External WAN 
      • Change Destination to: Select your Internal IP in the DMZ for that server
      • Change the Service to: This is if you want to change the port, typically application specific or if you have changed common ports on the server itself, i.e. DNS from 53 to whatever.
      • Check log initial packets (I would)

    Basically the DNAT will only allow who you want through. You should also have AV running and look into server hardening for DMZ-placed servers, based on the OS you are using, as well.

    Respectfully,

    Badrobot
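The rule set the post describes (a DMZ egress rule allowing only HTTP/S, a DNAT on a WAN address for the web server open to ANY, and a DNAT for SFTP restricted to one client IP) modelled as an added Python example so the "only who you want gets through" behaviour can be checked packet by packet. This is not Sophos UTM code; every address, zone name and rule here is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for illustration; none of these come from the thread.
WAN_IP = "203.0.113.10"            # additional address on the WAN interface
DMZ_NET = ip_network("192.168.50.0/24")
WEB_SERVER = "192.168.50.20"
SFTP_SERVER = "192.168.50.21"
PARTNER_IP = "198.51.100.7"        # the one client allowed to reach SFTP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# DNAT rules in position order: (for traffic from, going to, service, change destination to).
# None as "for traffic from" means ANY, as the answer suggests for a public web server.
DNAT_RULES = [
    (None, WAN_IP, 80, WEB_SERVER),
    (None, WAN_IP, 443, WEB_SERVER),
    ({PARTNER_IP}, WAN_IP, 22, SFTP_SERVER),
]

# Outbound firewall rules: (source zone, services, destination). Unmatched traffic is dropped.
FIREWALL_RULES = [("DMZ", {80, 443}, "ANY")]


def zone_of(ip: str) -> str:
    return "DMZ" if ip_address(ip) in DMZ_NET else "WAN"


def evaluate(pkt: Packet) -> tuple:
    """Return (verdict, final destination). DNAT is applied before the firewall
    rules, so inbound traffic only gets in through a DNAT rule it matches."""
    if zone_of(pkt.src) == "WAN":
        for allowed_src, wan_ip, port, internal in DNAT_RULES:
            if (pkt.dst == wan_ip and pkt.dport == port
                    and (allowed_src is None or pkt.src in allowed_src)):
                return "ALLOW", internal      # first matching rule (position) wins
        return "DROP", pkt.dst                # no DNAT: nothing is published
    for zone, services, dest in FIREWALL_RULES:
        if zone_of(pkt.src) == zone and pkt.dport in services and dest in ("ANY", pkt.dst):
            return "ALLOW", pkt.dst
    return "DROP", pkt.dst                    # default deny for DMZ egress


if __name__ == "__main__":
    for p in (Packet("198.51.100.99", WAN_IP, 443), Packet("198.51.100.99", WAN_IP, 22),
              Packet(PARTNER_IP, WAN_IP, 22), Packet(WEB_SERVER, "192.0.2.80", 80),
              Packet(WEB_SERVER, "192.0.2.80", 22)):
        print(p, "->", evaluate(p))
```

The two DROP cases (an unlisted client on port 22, and the web server trying to reach the internet on port 22) are the ones worth watching in the firewall log once "Log Traffic" and "log initial packets" are ticked.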