Moving from Managed Firewall to Sophos

Question

We currently have a managed firewall with our ISP, along with external IP Address that we use, 
 We are wanting to save money by bringing this in house, but of course this comes with questions and problems mainly for me.... 
 So i could do with some guidance on how to make sure that I setup the interfaces correctly and that I can get out on the web lol 
 Currently all traffic go through the UTM Device, Such as Email (inbound and outbound scanning), and HTTP/S (content filtering) 
 But also we have servers within the internal network that need access to the over internet so I presume I would need some NAT solution for this, but virgin call this a security policy change request, I have copy of the juniper firewall Config but have requested an up to date version of this, 
 And of course still reaming full protected 
 Thanks

Badrobot · Answer

Depending on what packages you bought will help determine what will help you protect better. If you can list those it will help more. 
 
 For example, do you have Web Server Protection? https://community.sophos.com/kb/en-us/120388 
 Otherwise, you need to establish a few things, one why SG? If you just bought I would go XG. But that is a different topic. 
 
 You need to setup your LAN, WAN, DMZ and other subnets, Interfaces & Routing -> Interface 
 
 Since you have email and internet working I am assuming you have this also, if you do not have a DMZ, pick an interface and configure it out. I would go with a different subnet then your LAN.

On your WAN interface you need to set the additional addresses, Interfaces & Routing -> Additional Interfaces 
 
 These are the other external IP addresses you have setup for your servers in your DMZ

Now you want to have your servers talk out to the internet but only for the traffic you want, so you will go to Network Services -> Firewall
 
 Here you will select DMZ and allow whatever services or protocols you need your servers to talk to the internet with outbound traffic.
 
 The rule should be Source DMZ 
 Services (Example) HTTP 
 Destinations (Example) Any 
 Action Allow 
 Time Period Always 
 Check Log Traffic so you can see what is going on.

Now you also want the people to get to your servers, this is where you make NAT rules go to Network Protection -> NAT -> NAT
 
 Create a new NAT rule, select the position (read firewall rules position https://help.f-secure.com/product.html?business/linux-security/11.00/en/concept_65EDE5505E7349878E3E1A3453928A6F-11.00-en ) 
 Rule Type DNAT for Destination 
 For traffic from: You can select ANY if this is a Web Server you want anyone to see or if this is a specific client you want to access say an SFTP server you would use their IP's 
 Using service Example Port 22 for SFTP or Port 80 & 443 for a Web Server 
 Going to External WAN 
 Change Destination to: Select your Internal IP in the DMZ for that server 
 Change the Service to: This is if you want to change the port, typically application specific or if you have changed common ports on the server itself, i.e. DNS from 53 to whatever. 
 Check log initial packets (I would)

Basically the DNAT will only allow who you want through, you should also have AV running and look into server hardening for DMZ placed servers based on the OS you are using as well.

DouglasFoster · Answer

The biggest issue with migrating to UTM is that its architecture is different from firewalls, because it does not have access control lists based on source-destination pairs. The Sophos documentation (at least at my last check) lacks tutorials, which is especially disappointing given the uniqueness of the product architecture. Consequently, your best bet is to hire a consultant. The downside to consultants is that they tend to do the work without doing the knowledge transfer that enables you to be safe and self-sufficient when they are gone. 
 For those who want to implement on their own, or who want to be self-sufficient after the consultant leaves, this forum has tutorials which attempt to provide what the documentation lacks. Start with the Wiki article about architecture, as it is fundamental. There are other articles in the WiKi section. Some other articles are pinned to the top of specific forums. 
 With that background, you can ask specific questions to get answers to specific situations.