21 Dec

Sophos XG Firewall: How to add a NAT port forward

In July 2015, Infinite Networks, based in Canberra, became a Sophos Silver Partner with a focus on their firewall and network solutions.

On 9th November 2015, Sophos released their next-gen firewall, the XG series, which is a huge leap above the UTM product. As it is so new, there will be feature gaps between the two products until the XG product matures. That said, the XG platform is much nicer aesthetically and its reporting is much more advanced than the previous UTM generation.

As this is such a new product, we are going to post a series of blog articles with useful tips for working on the Sophos XG series.

Sophos XG Instructions

  1. Browse to the Policies page (shield with a tick).
  2. Click ‘Add Firewall Rule’.
  3. Add a new rule of type Business Application Policy.
  4. Choose the position at which you wish to add the rule in the policy list.
  5. Select the application template ‘Non-HTTP Based Policy’.
  6. Give your rule a name.
  7. Then under Source:
    1. Set your source host to Any (if you would like it to be a public rule).
  8. Under Hosted Server:
    1. Set the source zone to ‘WAN’ (choose another interface if you have a different setup).
    2. Set the hosted address to the port/IP object representing your WAN interface (generally your static IP address; if it is dynamic, you can use MASQ).
  9. Under Protected Application Servers:
    1. Set the protected zone to LAN (this could be DMZ, or whichever zone your server is located in).
    2. Set the protected application server(s) to the server/device object; if one has not been created, create one representing your server/device.
    3. Please do not forward all ports, as this creates a security risk.
  10. Under Port Forwarding:
    1. Set your protocol to TCP or UDP.
    2. Set your external port type to the appropriate setting: Port, Port Range or Port List.
    3. Set your external port to whatever you require (e.g. 80 for a web server).
    4. Set your mapped port type to match your external port type.
    5. Lastly, set your internal port to the port your server/device is listening on (e.g. 80 or 443).
  11. This should be the minimum required to activate the rule. Depending on your security requirements, you may need to adjust ‘Intrusion Prevention’ under ‘Policies for Business Applications’.
  12. Click Save and test your rule.
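To make step 12 concrete, here is an added example (our own script, not code from the post or from Sophos) that checks a freshly saved port forward from outside the firewall: the intended external port(s) must accept a TCP connection, and a list of ports you deliberately did not forward must still be closed, which is the check behind the "do not forward all ports" caveat in step 9.3. It assumes only the public-facing address and port numbers you enter; it does not talk to the XG itself. The local listener at the bottom is a constructed stand-in so the script can be run offline.

```python
# Added example (not from the original post): verify a Sophos XG NAT port
# forward after saving the rule. It only needs the public-facing address,
# the intended external port(s) and a list of ports that must stay closed.
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    """What the business-application rule is meant to expose (constructed)."""
    wan_address: str        # the hosted address from step 8.2
    protocol: str           # "TCP" or "UDP", as chosen in step 10.1
    external_ports: tuple   # the external port / range / list from step 10.3


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True when a TCP handshake completes against host:port within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:   # refused, timed out or unreachable: treated as closed
        return False


def verify_forward(rule: PortForward, must_stay_closed, timeout: float = 2.0) -> dict:
    """Check that the rule's ports answer and that the listed ports do not.

    Returns three lists so the caller can act on each case:
    'ok'       - intended ports that accepted a connection
    'not_open' - intended ports that did not (rule inactive, service down, wrong zone ...)
    'exposed'  - ports that should be closed but accepted a connection (over-broad rule)
    """
    if rule.protocol.upper() != "TCP":
        # UDP has no handshake, so a connect() tells you nothing; probe a UDP
        # service with its own protocol (e.g. a DNS query) instead.
        raise ValueError("connect-based verification only works for TCP forwards")
    result = {"ok": [], "not_open": [], "exposed": []}
    for port in rule.external_ports:
        bucket = "ok" if tcp_port_open(rule.wan_address, port, timeout) else "not_open"
        result[bucket].append(port)
    for port in must_stay_closed:
        if port in rule.external_ports:
            continue   # listed on both sides: the intended-port check already covers it
        if tcp_port_open(rule.wan_address, port, timeout):
            result["exposed"].append(port)
    return result


def start_local_listener(host: str = "127.0.0.1"):
    """Constructed stand-in for the forwarded service: a TCP listener on a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_closed_port(host: str = "127.0.0.1") -> int:
    """A port number that is currently not listening (bound, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration against the local listener instead of a real WAN address.
    srv, open_port = start_local_listener()
    closed_port = free_closed_port()
    rule = PortForward("127.0.0.1", "TCP", (open_port,))
    print(verify_forward(rule, must_stay_closed=[closed_port, open_port]))
    srv.close()
```

Run the real check from a host outside the firewall (a mobile hotspot or a remote VPS), since connecting to your own WAN address from the LAN depends on hairpin/reflexive NAT and does not prove the WAN-side rule works. A port in 'not_open' usually means the rule is positioned below a rule that drops the traffic, the wrong hosted address was chosen, or the server is not listening on the internal port from step 10.5; anything in 'exposed' means the rule forwards more than you intended.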

Infinite predominantly uses virtualised instances for our Private Network clients, but we do support physical units for branch locations. Utilising the Sophos XG as the central firewall for your Infinite Private Network centralises and simplifies your internet gateway requirements, allowing your IT resources to proactively manage your corporate network more effectively.

The Sophos XG firewall is a great solution for NBN connections, giving you full control over your high-speed broadband from a security and traffic perspective. The Sophos XG provides proactive reports and the capability to shape particular users or applications that may affect your service's performance.
