Sophos Firewall Advanced Interface Configuration PDF

Summary

This Sophos document details the advanced interface configuration settings for Sophos Firewall version 19.0v1, published in April 2022. It covers topics such as physical and virtual interfaces and explains configurations like MTU, MSS, VLAN filtering, and bridge interfaces.

Full Transcript

Advanced Interface Configuration on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1520: Advanced Interface Configuration on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Sophos Firewall: Advanced Interface Configuration - 1

Advanced Interface Configuration on Sophos Firewall

In this chapter you will learn the advanced configuration settings that are available for physical and virtual interfaces.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ The types of interface supported by Sophos Firewall
✓ Configuring firewall interfaces

DURATION: 9 minutes

Interfaces

The Sophos Firewall supports several different interface types that can be created. These include:
- Physical and wireless interfaces
- Bridge
- VLAN
- Alias
- LAG (Link Aggregation)
- RED

Edit Interface

The menu beside each interface allows you to edit and view settings such as MSS and MTU.
MTU (Maximum Transmission Unit) is the largest packet size, in bytes, that a network can transmit. Packets larger than the specified value are divided into smaller packets before they are sent. MSS (Maximum Segment Size) is the amount of data, in bytes, that can be transmitted in a TCP packet.

MTU and MSS Configuration

You can configure the MTU and MSS for interfaces, and this includes support for jumbo frames with more than 1500-byte payloads. This can be configured in the WebAdmin in the ‘Advanced settings’ for the interface, or in the console as shown here.

Bridge Interfaces: VLAN Filtering
- Define which VLANs can pass across the bridge

Bridge interfaces include a few additional controls and settings that we will look at over the next few slides, starting with filtering VLANs. This allows you to define which VLANs can pass across the bridge without requiring an interface in the VLAN. If you select filtering but don't specify the permitted VLANs, Sophos Firewall drops tagged traffic from all VLANs. Please note that untagged traffic and system-generated traffic will not be affected by this filter.

Bridge Interfaces: Advanced Settings
- Permit ARP broadcast is enabled by default
- Filter Ethernet Frames using the 4-digit ID
- Turn on Spanning Tree Protocol (STP)

By default, bridge interfaces forward ARP (Address Resolution Protocol) broadcasts to discover the destination MAC addresses. In ‘Advanced settings’ you can clear the check box to prevent ARP broadcasts. You can use this when there's a broadcast storm. You can turn on STP (Spanning Tree Protocol) to prevent bridge loops, which occur when there's more than one path between two bridge interfaces. Redundant paths can result in a broadcast storm in the network.
STP also enables failover to redundant paths dynamically when the primary path fails. The default setting for Filter Ethernet Frames allows all frame types to pass through the bridge. You can optionally filter using the 4-digit hexadecimal ID; for example, 809B is AppleTalk. If you select filtering but don't specify the permitted Ethernet frame types, Sophos Firewall drops traffic for all Ethernet frames except the frame types listed in the additional notes, which are always allowed.

[Additional Information]
Spanning Tree Protocol: IEEE 802.1D, RFC 7727. One STP instance is created for the entire bridged network.
Drop Ethernet Frames: The drop setting doesn't affect ARP, IPv4, IPv6, 8021Q and EXTE frames, which are always allowed.

Bridge Interfaces with No IP Address

Sophos Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering, or if it matches a NAT rule. These dropped packets are not logged.

[Additional Information]
To prevent NAT rules from causing the traffic to drop, follow these instructions:
1. Go to Rules and policies > NAT rules and select the SNAT rule to edit.
2. Select Override source translation for specific outbound interfaces.
3. Set Outbound interface to the bridge interface without IP address.
4. Set Translated source (SNAT) to Original and click Save.
VLANs
- Create multiple VLAN interfaces on a single physical interface
- Allows tagged and untagged traffic on the same interface
- VLAN support follows IEEE 802.1q standards
- Physical interface does not need to be configured
- Supports up to 4096 VLANs
- 0, 1 and 4095 are reserved
- VLANs 2 – 4094 are configurable

You can create multiple VLAN interfaces on a single physical interface and allow tagged as well as untagged traffic on the same physical interface in the Sophos Firewall. VLAN support on the Sophos Firewall follows the IEEE 802.1q standards, with support for up to 4096 VLANs on the device. There are 3 reserved VLANs:
- VLAN 0 is used when a device needs to send priority-tagged frames but does not know the specific VLAN it resides in.
- VLAN 1 is reserved for the physical LAN.
- VLAN 4095 is reserved as per the IEEE 802.1q standard. VLAN ID 4095 is a special-purpose VLAN ID; when configured, it acts like a trunk port for the vSwitch.

VLAN Configuration
- Interface and Zone
- VLAN ID
- IP address for the VLAN interface

A VLAN can be created on a physical interface such as PortA or eth0. The physical port does not need to be configured with an IP address before a VLAN can be added to it, and you can add multiple VLAN interfaces to a physical port. A VLAN can also be created on a virtual interface such as a bridge or LAG. A zone must also be selected for the new VLAN network, and then a VLAN ID needs to be assigned to the interface. Please note the valid ID range is listed next to the input box. Finally, an IP address needs to be assigned to the new VLAN interface.
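An added example (not from the Sophos course) that applies the bridge VLAN-filter and Ethernet-frame-filter rules from the bridge slides, plus the configurable VLAN ID range from the VLAN slide, to constructed 802.1Q frames. The evaluation order of the two filters, the frame-building helper and the omission of the unnamed "EXTE" type are assumptions.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

ETH_8021Q = 0x8100
# Frame types the slide says the drop setting never affects: ARP, IPv4, IPv6, 802.1Q.
# The slide also names "EXTE"; its numeric EtherType is not given there, so it is left out.
ALWAYS_ALLOWED = {0x0806, 0x0800, 0x86DD, ETH_8021Q}


@dataclass
class BridgeFilter:
    """Bridge VLAN filter and Ethernet-frame filter as described on the slides.
    Assumption: the frame filter looks at the outer EtherType and the VLAN filter
    at the 802.1Q VID; the slides do not state an evaluation order."""
    vlan_filtering: bool = False
    permitted_vlans: Set[int] = field(default_factory=set)
    frame_filtering: bool = False
    permitted_ethertypes: Set[int] = field(default_factory=set)

    def decide(self, frame: bytes) -> str:
        if len(frame) < 14:
            return "drop: runt frame"
        ethertype = struct.unpack("!H", frame[12:14])[0]
        vid: Optional[int] = None
        if ethertype == ETH_8021Q:
            if len(frame) < 18:
                return "drop: truncated 802.1Q tag"
            tci = struct.unpack("!H", frame[14:16])[0]
            vid = tci & 0x0FFF  # VLAN ID is the low 12 bits of the TCI
        # Filtering on with an empty list drops every type except the always-allowed ones.
        if (self.frame_filtering and ethertype not in ALWAYS_ALLOWED
                and ethertype not in self.permitted_ethertypes):
            return f"drop: ethertype {ethertype:04X} not permitted"
        # Only tagged frames are subject to the VLAN filter; untagged frames pass.
        if self.vlan_filtering and vid is not None and vid not in self.permitted_vlans:
            return f"drop: vlan {vid} not permitted"
        return "forward"


def vlan_id_is_configurable(vid: int) -> bool:
    """Range from the VLAN slide: 0, 1 and 4095 are reserved, 2-4094 configurable."""
    return 2 <= vid <= 4094


def make_frame(ethertype: int, vid: Optional[int] = None) -> bytes:
    """Constructed sample frame: placeholder MACs, optional 802.1Q tag, 4-byte payload."""
    macs = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vid is None:
        return macs + struct.pack("!H", ethertype) + b"\x00" * 4
    return macs + struct.pack("!HHH", ETH_8021Q, vid, ethertype) + b"\x00" * 4
```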
Link Aggregation
- Combine multiple ports/interfaces to create a single logical interface
- Advantages:
  - Scales bandwidth usage according to the number of links
  - Provides link redundancy with failover and failback
  - Facilitates load sharing across links
  - Requires no changes to the existing network deployment or additional hardware
- Supported LAG modes:
  - Active-Backup provides link failover
  - LACP (802.3ad) provides failover and load balancing
    - All connected devices must support LACP
    - Member interfaces must be the same type and speed
    - All links must be full-duplex

Link Aggregation Groups (LAG) combine multiple physical links into a single logical link to increase bandwidth and make automatic failover available. Link aggregation provides the following advantages:
- Scales bandwidth usage according to the number of links used in the group
- Provides link redundancy with failover and failback for a continuous session
- Facilitates load sharing across links
- Requires no changes to the existing network deployment or any additional hardware

Sophos Firewall supports the following LAG modes:
- Active-Backup provides link failover.
- LACP (802.3ad) provides failover and load balancing. In this mode, traffic is distributed among all links. LACP must be enabled at both ends of the link. All the member interfaces must be of the same type and have the same interface speed. All links must be full-duplex.

[Additional Information]
Note: Link Aggregation is also known as port trunking, link bundling, NIC bonding and NIC teaming.
Link Aggregation Control Protocol (LACP) is part of the IEEE specification; it groups two or more physical links into a single logical link. You must turn on LACP at both ends of the link for it to function. Link aggregation is a device’s ability to combine multiple physical interfaces into one single logical unit.
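An added example, not part of the Sophos course material, that models the two LAG modes and enforces the member constraints listed above (LACP at both ends, same type and speed, full-duplex), while active-backup keeps one link active and tolerates members of different speeds. The PortC/PortD names, the "first healthy member is active" rule and the CRC32 flow hashing are assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str
    kind: str           # interface type, e.g. "copper" or "fiber"
    speed_mbps: int
    full_duplex: bool = True
    up: bool = True


class Lag:
    """Model of the two LAG modes on the slides (illustrative, not Sophos code).
    Assumptions: in active-backup the first healthy member in configured order is the
    active link; in LACP a flow is pinned to one healthy link by a CRC32 of its key."""

    def __init__(self, mode: str, members: List[Link], peer_supports_lacp: bool):
        if mode not in ("active-backup", "lacp"):
            raise ValueError(f"unknown LAG mode {mode!r}")
        if mode == "lacp":
            # Constraints the slide states for LACP (802.3ad) groups.
            if not peer_supports_lacp:
                raise ValueError("LACP must be turned on at both ends of the link")
            if len({m.kind for m in members}) != 1 or len({m.speed_mbps for m in members}) != 1:
                raise ValueError("LACP members must be the same interface type and speed")
            if not all(m.full_duplex for m in members):
                raise ValueError("all LACP links must be full-duplex")
        # Active-backup is managed by the firewall itself: the peer need not speak LACP
        # and members may differ in speed, since only one link carries traffic at a time.
        self.mode, self.members = mode, members

    def usable(self) -> List[Link]:
        return [m for m in self.members if m.up]

    def link_for(self, flow_key: str) -> Optional[str]:
        """Member that carries this flow, or None when every link is down."""
        up = self.usable()
        if not up:
            return None
        if self.mode == "active-backup":
            return up[0].name  # one active link; the rest sit idle until it fails
        return up[zlib.crc32(flow_key.encode()) % len(up)].name  # load shared over all links

    def bandwidth_mbps(self) -> int:
        up = self.usable()
        if not up:
            return 0
        return up[0].speed_mbps if self.mode == "active-backup" else sum(m.speed_mbps for m in up)
```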
Link Redundancy
- ‘Active-Backup’ LAG mode managed by Sophos Firewall
- Supports devices that do not understand LACP
- Can failover between links of different speeds

The Active-Backup LAG mode can be used with devices that do not support 802.3ad (LACP). In active-backup, the Sophos Firewall manages the links, keeping one link active and the other in an inactive backup state. Because of this, active-backup does not have the benefit of increased bandwidth, only redundancy. However, it does allow for failover between links of different speeds.

Chapter Review
- You can configure the MTU and MSS for interfaces using ‘Advanced settings’ in the WebAdmin or from the console
- You can create multiple VLAN interfaces on a single physical interface and allow tagged as well as untagged traffic on the same physical interface
- LAG combines multiple physical links into a single logical link to increase bandwidth and make automatic failover available

Here are the three main things you learned in this chapter. You can configure the MTU and MSS for interfaces, and this includes support for jumbo frames with more than 1500-byte payloads. This can be configured in the WebAdmin in the ‘Advanced settings’ for the interface or in the console. You can create multiple VLAN interfaces on a single physical interface and allow tagged as well as untagged traffic on the same physical interface in the Sophos Firewall. Link Aggregation Groups (LAG) combine multiple physical links into a single logical link to increase bandwidth and make automatic failover available.
