Hi Christian, first of all, your videos are really cool. I also come from IT and found my place in the server virtualization and storage area. But also the topic network and network security is a cool topic. I have now also looked into the Sophos XG Home Edition and have a question about it. You downloaded the SecurityAppliance_SSL_CA root certificate in your video. This works really well with the decryption and re-encryption. However, the blocking pages are displayed with a different certificate. So if a user comes to a blocked page, then a certificate error is issued. Is it possible to install this certificate on the clients? Thanks for your help and I look forward to the conversation with you! And keep up the good work!
Hey, thank you so much for the nice feedback! The appliance cert is indeed something I wish I'd included in the video, but then it probably would be too long :D
Here is quickly what you need to do:
1. Create a new self-signed cert on the firewall and put the DNS name AND the local IP address of the firewall in the "subject Alt Names"
2. Switch the Default Cert of the admin panel to your self-signed created one: System -> Administration -> Admin and User Settings -> Certificate
3. Import the "Default CA" just like the SSL CA onto the client to import the self-signed cert into the trusted certifications store
Then you shouldn't see a cert warning for the admin interface or any block pages, captive portals, etc. anymore.
Excellent video!! I followed it to build my xg firewall on promox. Do you have any plans for a follow up on this video, would be very welcome. I would love to learn more!
Question from a security standpoint: Which difference does it make, to a) use the described bridge mode in Proxmox or b) to pass through the NIC via IOMMU... b) after setting up Sophos my TrueNAS couldn't communicate to the update server ^^ P.S.: Kudos for speaking so fast!
Could you make a video on Sophos, on how to create firewall/NAT rules for use with external DNS-servers like technitium? It is not as simple as setting the dns up addresses under Network>dns|dhcp
I'm currently not planning any new firewall videos this year unfortunately, I'm still wondering whether I'd like to replace my home firewall with another system somewhere next year, but we'll see.
In the scenario with the WAN port getting a DHCP address from the router, things are all a bit more difficult if you want to use the Sophos to its full extent. Double NATting, for example. But otherwise everything is explained really well! 👌
Thank you very much! If you have a Fritzbox, you can set it to exposed host, then you don't need to set up any port forwarding and everything ends up at the XG.
@@christianlempa Thanks for the reply! With exposed host you unfortunately have problems with IPsec. I have been running a Draytek box for a few days now and it works great with the XGS! 👍
@@ChristianWorks Cool! That is because the ESP protocol of IPsec does not use ports and therefore cannot be transported across a NAT. IPsec can be encapsulated in UDP via NAT Traversal, which makes it usable with NAT as well, but then you have to configure that on both sites.
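To illustrate the reply above (why plain ESP gets stuck at a port-rewriting NAT, and why NAT-T has to be in place at both ends), here is an added example that is not from the video, Sophos or AVM: a toy Python model of a NAPT router with constructed documentation-range addresses.

```python
"""Toy NAPT (port-rewriting NAT) model: raw IPsec ESP versus NAT-T (ESP in UDP/4500).

Constructed illustration; a real router also tracks state, timeouts and checksums.
"""
from dataclasses import dataclass
from typing import Optional

PROTO_UDP = 17
PROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port used for IPsec NAT Traversal (RFC 3948)


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # ESP carries no transport header, so no ports
    dst_port: Optional[int] = None
    spi: Optional[int] = None       # ESP Security Parameter Index, part of the SA


class Napt:
    """Port-rewriting NAT (constructed model, not a real router)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (proto, src_ip, src_port, dst_ip, dst_port) -> public port
        self.inbound = {}   # (proto, public port, peer ip, peer port) -> (src_ip, src_port)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an outgoing packet; returns None if it cannot be translated."""
        if pkt.src_port is None:
            # Nothing to rewrite: without ports the NAT cannot tell two inside
            # hosts apart that both send ESP to the same peer, and the SPI is
            # negotiated inside the security association, so it is not a NAT key.
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub = self.outbound.get(key)
        if pub is None:
            pub = self.next_port
            self.next_port += 1
            self.outbound[key] = pub
            self.inbound[(pkt.proto, pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, pub, pkt.dst_port, pkt.spi)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply from the peer back to the inside host that opened the flow."""
        if pkt.dst_port is None:
            return None
        inside = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None
        return Packet(pkt.proto, pkt.src_ip, inside[0], pkt.src_port, inside[1], pkt.spi)


def nat_t_encapsulate(esp: Packet) -> Packet:
    """Wrap ESP in UDP/4500 the way NAT-T does, so the NAT has ports to rewrite.
    Both ends must agree on this: the peer has to send and receive UDP/4500 too."""
    return Packet(PROTO_UDP, esp.src_ip, esp.dst_ip, NAT_T_PORT, NAT_T_PORT, esp.spi)


def demo() -> dict:
    """Two LAN hosts behind one NAT, both building an IPsec tunnel to the same peer."""
    nat = Napt("203.0.113.10")            # constructed public address (TEST-NET-3)
    peer = "198.51.100.5"                 # constructed remote VPN gateway
    host_a, host_b = "192.168.1.20", "192.168.1.21"

    raw_a = Packet(PROTO_ESP, host_a, peer, spi=0x1234)
    raw_b = Packet(PROTO_ESP, host_b, peer, spi=0x5678)

    # Plain ESP: there is no port field, so the NAT cannot build a mapping.
    raw_translated = nat.translate_out(raw_a) is not None

    # NAT-T: the UDP header gives each inside host its own public port.
    out_a = nat.translate_out(nat_t_encapsulate(raw_a))
    out_b = nat.translate_out(nat_t_encapsulate(raw_b))

    # The peer answers to whatever public port it saw; the NAT demultiplexes.
    reply_a = nat.translate_in(Packet(PROTO_UDP, peer, nat.public_ip, NAT_T_PORT, out_a.src_port))
    reply_b = nat.translate_in(Packet(PROTO_UDP, peer, nat.public_ip, NAT_T_PORT, out_b.src_port))

    return {
        "raw_esp_translated": raw_translated,
        "nat_t_translated": out_a is not None and out_b is not None,
        "public_ports": (out_a.src_port, out_b.src_port),
        "reply_for_host_a": reply_a.dst_ip,
        "reply_for_host_b": reply_b.dst_ip,
    }


if __name__ == "__main__":
    print(demo())
```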
Hi, I find the steps from 11:45 to 12:30 quite confusing. You created LAN and WAN bridges, I'm guessing for the LAN that's just the address for Proxmox and your router's address. And the WAN is a made up address? Would this work for a setup going: modem -> Sophos firewall -> router (set to AP and used as switch)?
Hello colleague, I have an issue with a virtual machine on Proxmox. My "local-lvm" is growing from the initial 6GB until it runs out of space, causing Sophos XG to stop working. I've cleared the Sophos XG report in the terminal, but it hasn't helped. How can I resolve this problem? Thank you for your assistance.
I got as far as trying to access the web console but that's not working for me. Getting err_connection_timed_out, I'm pretty sure I've followed every step the same.
Absolutely love this video. I got a Zotac Ci329 specifically to install this and use as my home firewall. Interface looks fantastic. My only challenge right now is not being able to torrent. My previous configuration had pfsense on the VM that was serving the rest of the network and I could use PIA (Private Internet Access) VPN and also torrent using one of the dedicated servers (transmission bittorrent VM); since I put Sophos in front of it all, my torrents have suddenly stopped working. Can anyone assist? Also, is there a way to put the entire network behind a VPN with PIA?
Thank you for your insight into Sophos. I do have one of their boxes and have installed pfsense, but I think I'll install Sophos home edition instead. One of the things that would help me is: can it monitor open ports (port forwarding) for bad activities, if you know? Thanks again for your video 😁
Thank you very much for the awesome tutorial. I have a doubt about the network configuration in Proxmox. Long story short, I can use 4 ethernet ports on my Dell R710; now port1 is dedicated to the Proxmox GUI and VMs, port2 to VMs, and ports 3-4 are bonded together for a TrueNAS instance. Now, I'd like to use port1 for WAN, port2 for LAN (and VMs/PVE GUI?), and port3/4 for TrueNAS. Is it worth it? What do you suggest? How can I switch the Proxmox GUI from port1 to port2? Thanks
@@christianlempa Found nothing, unfortunately... I've connected WAN to another port and LAN to the proxmox one and it works the same. Anyways Sophos is absolutely fantastic! Thanks again mate
I did not see you address getting qemu guest agent installed for the Sophos VM - seems like a pretty serious oversight as you would want control over the startup/shutdown of your virtualized firewall. After some searching on this topic it looks like it might not even support installing the guest agent? Can you advise if it is supported and create a quick walkthrough for it?
Hi Christian, thanks a lot for this great video! I used Sophos (UTM, XG) for many years and I like its features very much. Could you please tell me/us how you set up DNS in your network environment, because that's a service which is not so fully implemented in Sophos products? And do you use a router (Fritzbox) too? So you have double NAT in your network? It would be very nice if you let us know more about some main features of the Sophos XG: Application Control, Web Server Protection, Email Protection.
Thank you! I currently just use the Sophos XG for DNS, but I think I might add a pihole in this setup at some point. My Fritzbox runs as a router, using the exposed host mode. And yeah maybe I'll dive deeper into other features of XG, sounds like a great idea :)
A short correction to your video: after logging in the first time, you have to register Sophos XG with your serial number. This process may crash (licence server not reachable or so) if you use the standard time settings (use no NTP server). So you have to skip the registration and change the time settings (use predefined NTP server + sync now). Then the registration will work properly.
Okay, this is great in a lab, but now that it's installed and you go to connect the real wide web to your physical box running proxmox with XG inside.... should probably address what needs to be done to the proxmox server so the whole world can't look up your proxmox servers' dress (as it were...).
One question comes to my mind. You open http and https and the internet works. Wouldn't it also have needed DNS port 53? Or did you set up DNS over HTTPS?
This video explains very well, but can you go in depth on how to add rules so you can block intruders? I have a problem where people get into my Windows PC and watch me, and the thing is I don't have WiFi on my network; I had to remove my WiFi because it was hacked as well.
Christian, can you provide a walk-through for users wanting to use the remote access VPN on the Sophos Firewall?? Does the Proxmox firewall allow port forwarding to the Sophos VM so that remote access clients can connect to the VPN?
Good question, that could be an interesting video! Maybe about setting up IPSEC and OpenSSL. However, that will take me some time, probably in the second half of this year.
In your video the firewall is on the Proxmox. Do you see any security risks to run the XG on the same machine as your other services, like sensitive files on TrueNAS?
I like this video:
- Not clickbait
- Informal
- Detailed
Sophos products are difficult to find tutorials for. Awesome work!
That's true! Thank you :)
I agree. Good work. Maybe next movie on vlans? I will be very grateful.
This video is great it has inspired me to give Sophos another spin after many years. The features top notch for this product. I really hope you do more videos on this product.
Oh that's great to hear! Thank you
Nah dude, the XG is the worst firewall on the market.
@@a.m.653 I'm sure you have your reasons, but it would be helpful to all that read your comments to give details on why you feel that way.
@@seanwoods1526 hmm, I posted a comment around 10 mins ago, but it has since been removed.
@@seanwoods1526 ok, posted it now. If the above comment is about the removal, it has been again removed.
Arguably, I think Sophos XG is most definitely the best firewall that's freely available for home use - and not at all limiting at which you can do.
They provide the EXACT SAME features they do for business and enterprise users, completely for free to home users.
I've been using Sophos products well since the days of Astaro UTM, and I can 100% recommend their product to this day.
That's really nice to hear! I also think it's a great system and yeah Astaro UTM definitely was as well ;)
@christianlempa can you compare to the firewalla gold?
You have a great channel. You’re helping to make tech topics easier to approach and accomplish for those of us who are trying to solve problems and make things easier. Your topics are fun and interesting. Keep it going!
Thank you so much 😃
1000% agree with this ^^^ Comment !
Fantastic video! Really well explained
Hi there, I followed the tutorial above and installed sophos XG home version on my zotac Ci329 which works great. My only challenge is, I am no longer able to torrent from my one of my vms dedicated to transmission bittorrent, can you assist?
I have a follow up question, is there a way, I can put the entire home network behind PIA VPN?
Hi Sophos support, is home edition still available ? Cannot find it anymore on your website :(
Die Erklärung bei 26:52 ist so wichtig. Ich hab mich immer gefragt warum Traffic auf dem Rückweg auch ohne explizites Ruleset erlaubt wird. Jetzt weiß ich es. Vielen Dank dafür!! :)
Vielen Dank für dein Feedback! :)
The Route based VPN is a very cool feature to route certain devices or traffic over the VPN for internet breakout if you have ISP issues :)
Nice!
Love how sophos directed me to this video, love your little giggle at the explicit content🤣🤣
Really? Who was it? :D
I'm surprised. This Sophos software is more advanced than I would have assumed. Neat.
Sophos Firewall is the only true NGFW that is free for home use with almost no restrictions other than supporting Heartbeat, Endpoint security and I believe Sandstorm.
Thanks for the video - just used it to set up a Sophos XG firewall on my new Proxmox server. Just some constructive criticism though - slow down a bit. Had to constantly pause and go back a few steps due to the pace of things.
As always straight to the point! Great tutorial!
Thanks!
I am coming from Untangle to Sophos. The place I work uses Sophos and it works very well for an antivirus!! An excellent video with great detail and explanation!! Well Done!!
Thank you so much! :)
Hi Christian, thanks for the useful walkthrough and applause for your honesty that you are working for Sophos. :)
Thank you 😁
Hi Christian, thank you so much for your work! your video helped me a lot to get the sophos working on my proxmox server! Now I am trying to figure out more features such as traffic shaping for services (there must always be enough bandwidth for teams and zoom sessions). Maybe you will hesitate to make a video on this? Stay safe and continue like this! So much appreciated!
More videos on Sophos XG would be amazing :)
Thanks mate, yeah that's probably coming early next year ;)
I used XG Firewall for over a year but then switched back to pfsense. It may be a step back, but there are some downsides to Sophos.
The naming in the rules and NATting is cut off after a few characters (10 or so). Hard to get a fast overview of the rules and NATting.
It's impossible to set a hostname instead of an IP in the site-to-site VPN - useless for home users. […]
XG has a lot of cool features and tools already implemented which pfsense does not, but XG is more like software used at work with an option to use at home for free. No real community to ask questions, videos on their channel are outdated, the response of the support is like "it is how it is".
But your presentation is excellent as usual :-)!
I usually watch YouTube videos on my laptop, I don't have my Google account always logged in, so I cannot like or subscribe to many people, it gets lazy to log in and verify by phone etc.
But for you, I made an exception, I logged in for you with my account and liked and subscribed because your video was truly helpful.
Thank you man.
Very good video, I'm waiting for future videos with Proxmox interfaces (DMZ).
This is a great way to use Sophos XG with newer hardware that is not supported by Sophos on a "bare metal" installation directly onto the hardware. One reason for having to virtualize the firewall or more specifically, the network adapters, is due to Sophos Firewall not having the latest drivers to support the newest hardware, and second, is because the home version of Sophos Firewall does not support booting UEFI mode yet which is used by most newer hardware. Although Sophos is a great firewall, there are a lot of caveats and gotchas...especially for home users.
Thank you for your comment about not supporting UEFI, which is probably why when I was attempting to install Sophos on bare metal an audible alarm was sounding.
@@TainuiaKid1973 That sounds like a BIOS error beep code rather than a Sophos issue.
I had the same issue with pfSense. I was forced to run on Proxmox because it didn't support my Realtek card. Fortunately both firewalls support VirtIO devices, so at least we can virtualize under Proxmox with reasonable efficiency. But that brings headaches. You need to become proficient at giving certain things static IPs and having some system that remembers what they are. If you lose access to the Proxmox IP because of something your firewall is doing there's much fiddling about to fix it.
wow you are very accurate with your explanations which I appreciate and didn't expect for another youtuber IT person.
I would really like to see a more in-depth video about all the features and creation/management of more complex rules and zones.
It's been a few that I wanted to protect my homelab with a firewall. I initially chose pfsense, but your video made me go to Sophos instead. It runs quite well and has many options that pfsense doesn't have, and for free. Thank you for your content, good as usual 😊
Awesome! Thank you :)
Great videos, 👍🏼... after watching your videos I switched from pfsense to sophos xg. Please make more videos!!
I have an XG from my work so I'm going to take advantage of it. I'm a network newb as well so great opportunity to learn. Keep up with the great content
Thanks, I'll do ;)
@@christianlempa I even mentioned your channel in my work and my colleague said he had spoken with you before when phoning Sophos support :D
Thank you so much for this tutorial. I managed to install it on a bare machine and replace my router, works very well. It's an opportunity for me to learn more about firewalls. I like your videos and how you explain. Keep up the good work.
Glad it helped
Christian...fantastic video! Thanks...I had tried the Sophos XG firewall about a year ago. I was unable to get it deployed...after this, I'm going to try to deploy on my home LAN again. Keep these videos coming :)
Thank you! Glad it inspired you to get started again :)
Nice to see some more videos on Sophos XG from you.
Cool Video, Please create more content about Sophos XG Firewall :) Very good content. I love it
Thank you! Oh there is something really cool coming out the next weeks, look for it on my instagram :D
Thanks for this Christian. Thinking about switching over to Sophos XG & not being used to the rule creation this will make it easier for me. Would love more about Sophos xg...thanks
Hi, Any plan on making a in deep tutorial on Sophos Firewall Home Edition?
Thank You So Much! 🙂 The SSL feature was awesome!
This video is great! It‘s packed with information and for me not too much and not too fast
Great quality video and audio. Your tuts are pretty awesome.
Thank you! :)
Great vid, we are looking at deploying Sophia for some of our clients
Thank you Christian, now I have a good firewall.
You’re welcome ☺️
First a thumbs up then watch the video
Yes indeed
Haha awesome! Thanks :D
@@christianlempa can't wait for more in depth videos about sophos xg
Seems like a really slick firewall, might have to give it a try 🙂
Glad to hear that! ;)
Very useful video, THX Christian.
Liked this video. Thanks for being specific and teach us step by step. Congrats
Thank you!
Great Video. This was very interesting and well explained. I am looking at changing my unifi gateway to this or pfsense, I will setup this up in my proxmox and have a play. Thank you
Thank you! I'm curious what you say in comparison with pfsense, let me know ;)
@@christianlempa , I'm more curious if @Peter Thornton knows about OPNsense and the Zenarmor/Sensei extension :)
Thank you so much for your sharing and keep up the great work.
You are so welcome
I know pfsense and was using it on Proxmox. But only this video gave me an idea to separate my WiFi devices into a separate network. At first I was thinking about VLANs but NATing will be much simpler.
Great feedback! Thank you so much :)
Wow best firewall video ever... thanks for your effort! And sharing this information... now i have to buy a firewall server... can you please do a deep dive into that topic?
Thank you so much! Yeah I'm thinking about more Linux Security videos and Firewall as well 😁
Many Thanks for all the Knowledge sharing you do as always🤝🙂
Thank you! :)
wow. I am so glad I watched this.
Thanks ;)
In your video the Sophos router is doing NAT. I guess your Fritz-box is doing the same. As a result, your network has double NAT. I've always been told that that is not desirable. Would you be able to get the same security level if you configure Sophos in transparent mode? For me the advantage would be that you could work around a firewall outage by simply plugging the LAN port of the firewall back into the Fritz-box router.
Great Video. Can you make a more detailed video about configuration (Wireless AP, VPN tunneling, interfaces and zones, etc)? It will be great to dig deeper into this and learn more about its capabilities
There will be some stuff coming out for Sophos soon! Don't know how deep I will go, but I will cover wireless APs and Zones 😉 stay tuned
@@christianlempa Great. Thanks
great! i was waiting for this! thank you
Glad you liked it!
Great video…only suggestion..breathe! 😂 seriously interesting content..thank you.
Thanks 😂
Great video! Thanks
Glad you liked it!
Great product review and presentation.
Thank you :)
Hello, amazing content, thanks !
Thanks for this great review!
You're welcome!
I prefer OPNSense which is open source instead of closed source commercial trial products
Great Video on the XG Home
Glad you enjoyed it
Loved.
A bit too technical for me but I loved the content
Thanks ;) Hope it still inspired you, even though it was too tough
@@christianlempa yes for sure, it's just that I gave up with technical stuff for years but I really like your approach, you give hope to the hopeless
4vCPU and 16GB Memory maximum at home? Our company's Check Point Open Server are running 3vCPU each for like, 500 LAN users and a few hundreds more of VPN users... xD
Sure. 4 CPUs with 22 cores each... A router without a firewall is a piece of crap.
Pretty nice video thanks 😊
I just discovered your channel today... love the content and subscribed.
Hi,
perfect video.
I use an Intel NUC with 2 ethernet ports at home :)
Thank you 🙏
Thanks for the tips bro
No problem 👍
Cool video! I am now interested in one thing in particular. Does the Sophos firewall provide any functionality regarding traffic shaping, QoS and packet scheduling?
I am using OPNsense for that and I like to have next to no jitter for my web traffic... :)
Thanks! Yeah it does. You can schedule firewall rules and do traffic shaping and QoS, it also works together with the AppControl.
@@christianlempa It's been a while!
Wanted to let you know I successfully integrated Sophos into my network, now.
I've done a complete rework with Sophos running in KVM.
Regarding traffic shaping, it works like a charm. I manage to keep ping below 20 ms under full load (about 2 ms increase).
I must say I am very pleased with the results. I probably won't go back to OPNsense, any time soon.
Wish you could do a short video or just directions on how to properly set up Sophos XG to allow an Xbox to work properly. I have attempted it but whenever I get a DLC I am required to use my phone's hotspot instead of the house network.
Wow! What an awesome video! Can you make a video, diving deeper into traffic shaping and QOS? My aim is to setup a network where any authenticated user will have the full bandwidth speed and unauthenticated users will be limited to a certain internet speed.
Interesting suggestion, so maybe at some point, but I have no current plans for that right now.
@@christianlempa Cool, thanks for the reply!
Excellent video tutorial, also Sophos XG/XGS firewalls are very powerful, but if you ask me, XG interface GUI has some weird logic, which many do not find...emmm, logical? There are some important features, which you bet you saw somewhere in GUI a time ago, but you spend 15 minutes going over each and every menu and you cannot find it again :) You simply need to get used to it, train and read/watch tutorials.
Thank you ;) Absolutely agree on that, that's why we have so much training material and certifications for XG engineer and architect.
more sophos tutorial please
Good idea, there is something coming for you in the next weeks ;)
@@christianlempa Big thanks to you sir
So confused at the network configuration part. Is there a video that explains how to do that?
Why would you not put the firewall between your modem, and your router, adn just keep letting your current router do it's job? A serious question, just trying to understand.
It's useful when you want to do port forwardings or expose the firewall's services, because when there is a router in front of the firewall you need to maintain the configuration on both devices rather than just on the firewall.
However, it's just for convenience, you can still use your router as it is, and just put the firewall behind it with DHCP, just like I did in the video.
@AstroCat Thank you.
@christianlempa Thank you so much.
Great tutorial!
In case the firewall is behind the router, I assume a potential reverse proxy server comes after the firewall.
Would a port forwarding then still work from the router to a client within the LAN, as the router and the LAN client are no longer in the same IP range?
Hi Christian. Could you please do a Snort tutorial, ideally with a Web GUI? Thank you
Great suggestion! I'm planning a Snort video; however, I won't include a GUI. What we can talk about, though, is logging in ELK.
Hi Christian,
First of all, your videos are really cool. I also come from IT and found my place in the server virtualization and storage area. But networking and network security are cool topics too.
I have now also looked into the Sophos XG Home Edition and have a question about it. You downloaded the SecurityAppliance_SSL_CA root certificate in your video. This works really well with the decryption and re-encryption. However, the block pages are displayed with a different certificate, so if a user comes to a blocked page, a certificate error is issued. Is it possible to install this certificate on the clients?
Thanks for your help and I look forward to the conversation with you! And keep up the good work!
Hey, thank you so much for the nice feedback! The appliance cert is indeed something I wish I'd included in the video, but then it probably would have been too long :D
Here is quickly what you need to do:
1. Create a new self-signed cert on the firewall and put the DNS name AND the local IP address of the firewall in the "Subject Alt Names"
2. Switch the default cert of the admin panel to your self-signed one: System -> Administration -> Admin and User Settings -> Certificate
3. Import the "Default CA", just like the SSL CA, onto the client, so that the self-signed cert ends up in the trusted certificate store
Then you shouldn't see a cert warning for the admin interface or any block pages, captive portals, etc. anymore.
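What step 1 of the reply above boils down to, as an added example that is not Sophos' own procedure nor code from the video: a self-signed certificate is only accepted for both `https://firewall.home.lan` and `https://192.168.1.1` if the subjectAltName carries the DNS name AND the IP address, because browsers ignore the CN. The hostname, the address and the file names below are placeholders. The script mints such a certificate with openssl, prints its SAN, checks that both names are really in it, and then validates it against a trust store that contains only the certificate itself, which is what importing it on the client amounts to.

```sh
#!/bin/sh
# Added example (not Sophos' own procedure): mint a self-signed certificate
# that names the firewall by BOTH its DNS name and its LAN IP in the
# subjectAltName, then check that the SAN really carries both.
# FW_NAME, FW_IP and the file names are placeholders, not values from the video.
set -eu

FW_NAME="${FW_NAME:-firewall.home.lan}"   # assumed hostname of the firewall
FW_IP="${FW_IP:-192.168.1.1}"             # assumed LAN address of the firewall
WORK="${WORK:-$(mktemp -d)}"              # scratch directory for key + cert

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

# Generate an RSA key and a self-signed cert in one step.
# -addext needs OpenSSL 1.1.1 or newer.
make_fw_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$WORK/fw.key" -out "$WORK/fw.crt" \
        -subj "/CN=$FW_NAME" \
        -addext "subjectAltName=DNS:$FW_NAME,IP:$FW_IP" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Print the subjectAltName extension of a PEM cert (empty output if absent).
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# Succeed only if the cert's SAN lists DNS name $2 and IP address $3.
# Entries are matched with their trailing ", " so that a name is not
# accepted as a prefix of a longer one (foo.lan vs foo.land).
san_covers() {
    san="$(cert_san "$1" | tr -d '\n'), "
    case "$san" in *"DNS:$2, "*) ;; *) return 1 ;; esac
    case "$san" in *"IP Address:$3, "*) return 0 ;; *) return 1 ;; esac
}

# Emulate the client after the cert has been imported as trusted:
# a trust store holding only this cert must validate it.
verify_trusted() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_fw_cert
cert_san "$WORK/fw.crt"
san_covers "$WORK/fw.crt" "$FW_NAME" "$FW_IP" && echo "SAN covers $FW_NAME and $FW_IP"
verify_trusted "$WORK/fw.crt" && echo "validates against a store holding only itself"
```

Run it with `FW_NAME` and `FW_IP` set to the name and address your clients actually type into the browser; if `san_covers` fails for either one, that is exactly the case in which the block page or admin UI keeps warning even though the CA was imported. The final `openssl verify` only shows that a client trusting this certificate chains correctly; it says nothing about the name match, which is why the SAN check is kept separate.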
Excellent video!! I followed it to build my XG firewall on Proxmox.
Do you have any plans for a follow up on this video, would be very welcome.
I would love to learn more!
Question from a security standpoint: what difference does it make to a) use the described bridge mode in Proxmox or b) pass through the NIC via IOMMU... b) after setting up Sophos my TrueNAS couldn't communicate with the update server ^^ P.S.: Kudos for speaking so fast!
Could you make a video on Sophos on how to create firewall/NAT rules for use with external DNS servers like Technitium? It is not as simple as setting up the DNS addresses under Network > DNS | DHCP.
I'm currently not planning any new firewall videos this year unfortunately, I'm still wondering whether I'd like to replace my home firewall with another system somewhere next year, but we'll see.
thanks
Thank you sir
Welcome!
Would you recommend running a second firewall? Perhaps from a different vendor?
Love the tutorial, good stuff! But Sophos lost me at 'registration'.
MySophos no longer exists. The latest SFOS v20 firewall rule relies on DNAT instead of NAT for port forwarding.
I have a problem.
I'm trying to run this in a LAN-only network, but I can't manage to get the DNS and gateway to work...
In the scenario with the WAN port getting a DHCP address from the router, everything is a bit more difficult if you want to use the Sophos to its full extent. Double NATting, for example. But otherwise everything is explained really well! 👌
Thank you very much! If you have a Fritzbox, you can set it to exposed host; then you don't need to set up port forwarding and everything lands at the XG.
@christianlempa Thanks for the reply! With exposed host you unfortunately have problems with IPsec. I have now been running a Draytek box for a few days and it works great with the XGS! 👍
@ChristianWorks Cool! That's because IPsec's ESP protocol doesn't use ports and therefore can't be transported over a NAT. IPsec can be encapsulated in UDP via NAT Traversal, which lets you use it with NAT as well, but then you have to configure that on both sites.
@christianlempa You never stop learning! Thanks ☺️ 🖖
Hi, I find the steps from 11:45 to 12:30 quite confusing. You created LAN and WAN bridges; I'm guessing for the LAN that's just the address for Proxmox and your router's address, and the WAN is a made-up address? Would this work for a setup going: modem -> Sophos firewall -> router (set to AP and used as a switch)?
Hello colleague,
I have an issue with a virtual machine on Proxmox. My "local-lvm" is growing from the initial 6GB until it runs out of space, causing Sophos XG to stop working. I've cleared the Sophos XG report in the terminal, but it hasn't helped. How can I resolve this problem? Thank you for your assistance.
I got as far as trying to access the web console, but that's not working for me. I'm getting err_connection_timed_out, and I'm pretty sure I've followed every step the same.
@The Digital Life Aaaaaaah, this is so fucking awesome - I WANT IT!!! 😍
Haha 👍
Very good video. 😎
Thank you very much!
Great video, thanks for it! Could you maybe make a video about Apple AirPrint? The Sophos XG is supposed to be able to do that. Thanks and regards.
Absolutely love this video. I got a Zotac Ci329 specifically to install this and use it as my home firewall. The interface looks fantastic. My only challenge right now is not being able to torrent. My previous configuration had pfSense on the VM that was serving the rest of the network, and I could use the PIA (Private Internet Access) VPN and also torrent using one of the dedicated servers (a Transmission BitTorrent VM). Since I put Sophos in front of it all, my torrents have suddenly stopped working. Can anyone assist? Also, is there a way to put the entire network behind a VPN with PIA?
Thank you for your insight into Sophos. I do have one of their boxes and have installed pfSense, but I think I'll install Sophos Home Edition instead. One of the things that would help me is: can it monitor open ports (port forwarding) for bad activity, if you know? Thanks again for your video 😁
Thank you very much for the awesome tutorial.
I have a doubt about the network configuration in Proxmox. Long story short, I can use 4 Ethernet ports on my Dell R710. Right now port 1 is dedicated to the Proxmox GUI and VMs, port 2 to VMs, and ports 3-4 are bonded together for a TrueNAS instance.
Now I'd like to use port 1 for WAN, port 2 for LAN (and VMs/PVE GUI?), and ports 3/4 for TrueNAS. Is it worth it? What do you suggest?
How can I switch the Proxmox GUI from port 1 to port 2? Thanks
Np. Unfortunately, I had the same problem lately and haven't found the docs for changing the port. Maybe you'll find that :D
@christianlempa Found nothing, unfortunately...
I've connected WAN to another port and LAN to the proxmox one and it works the same. Anyways Sophos is absolutely fantastic! Thanks again mate
I did not see you address getting qemu guest agent installed for the Sophos VM - seems like a pretty serious oversight as you would want control over the startup/shutdown of your virtualized firewall. After some searching on this topic it looks like it might not even support installing the guest agent? Can you advise if it is supported and create a quick walkthrough for it?
I think I'm going to test this with the intention of ditching untangle.
Nice! Let us know how it works :)
Is it possible to buy a hardware appliance, for example an XGS 107 / 107w, and use the home lab license with it?
Hi Christian, thanks a lot for this great video! I have used Sophos (UTM, XG) for many years and I like its features very much. Could you please tell me/us how you set up DNS in your network environment, because that's a service that is not so fully implemented in Sophos products? And do you use a router (Fritzbox) too, so you have double NAT in your network? It would be very nice if you let us know more about some main features of the Sophos XG: Application Control, Web Server Protection, Email Protection.
Thank you! I currently just use the Sophos XG for DNS, but I think I might add a pihole in this setup at some point. My Fritzbox runs as a router, using the exposed host mode. And yeah maybe I'll dive deeper into other features of XG, sounds like a great idea :)
A short correction to your video: after logging in the first time, you have to register Sophos XG with your serial number. This process may crash (licence server not reachable or so) if you use the standard time settings (no NTP server). So you have to skip the registration and change the time settings (use a predefined NTP server + sync now). Then the registration will work properly.
Okay, this is great in a lab, but now that it's installed and you go to connect the real wide web to your physical box running Proxmox with XG inside... you should probably address what needs to be done to the Proxmox server so the whole world can't look up your Proxmox server's dress (as it were...).
@32:16 - can we apply multiple web filters to a firewall rule?
One question comes to mind. You open HTTP and HTTPS and the internet works. Wouldn't DNS port 53 also have been needed? Or did you set up DNS over HTTPS?
This video explains things very well, but can you go in depth on how to add rules so you can block intruders? I have a problem where people get into my Windows PC and watch me, and the thing is I don't have Wi-Fi on my network; I had to remove my Wi-Fi because it was hacked as well.
Thanks! I might do some videos about XG in the future, but I'm not sure what exactly we will cover.
Christian, can you provide a walk-through for users wanting to use the remote access VPN on the Sophos Firewall?? Does the Proxmox firewall allow port forwarding to the Sophos VM so that remote access clients can connect to the VPN?
Good question, that could be an interesting video! Maybe about setting up IPsec and OpenSSL. However, that will take me some time, probably in the second half of this year.
In your video the firewall is on the Proxmox host. Do you see any security risks in running the XG on the same machine as your other services, like sensitive files on TrueNAS?