Sophos XG: Basic configuration for home use

Sophos XG is a powerful firewall platform that’s designed for business/enterprise use but also offers a Home version that has most of the same features, with a few exceptions (e.g. Sandstorm). While most of the default settings should suffice, here are some settings I change on a new install of Sophos XG for a fairly basic home network (no servers). This is based on Sophos XG V17-MR3.

Note: Anytime you change a setting, be sure to click ‘Apply’ on the very bottom of the web browser.

1. Browse to the ‘Administration’ page under ‘System’ and select the ‘Device Access’ tab. Uncheck ‘User Portal’ on the ‘WAN’ line in the ‘Local Services ACL’ section. This is enabled by default and exposes the User Portal on port 443 to the internet, so anyone outside your network can reach the login page.


2. Browse to the ‘Administration’ page under ‘System’ and select the ‘Time’ tab. Select ‘Use pre-defined NTP server’. This will keep the Sophos XG time up-to-date with a Network Time Protocol (NTP) server.


3. Browse to the ‘System Services’ page under ‘Configure’ and select the ‘Log Settings’ tab. Uncheck ‘Invalid Traffic’ in the ‘Firewall’ section under ‘Log Settings’. If you keep this enabled, you will see a significant number of entries in your Log Viewer with the message, “Could not associate packet to any connection”. More information is provided in this Sophos Knowledge Base Article.

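Before turning the ‘Invalid Traffic’ log off, it is worth measuring how much of your firewall log it actually accounts for and which hosts generate it. The following Python script is an added example (not from the original post or from Sophos): it parses Sophos-style key="value" firewall log lines and summarises the “Could not associate packet to any connection” denials by source IP. The sample records are constructed here and only approximate the real log format.

```python
import re
from collections import Counter

# Constructed sample lines approximating Sophos XG's key="value" firewall log
# format (these are not real log records from the post or from a device).
SAMPLE_LOG = """\
device="SFW" date=2018-08-01 time=10:00:01 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" src_ip=192.0.2.10 dst_ip=198.51.100.5 dst_port=443 message="Could not associate packet to any connection."
device="SFW" date=2018-08-01 time=10:00:02 log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" src_ip=192.0.2.11 dst_ip=198.51.100.5 dst_port=443 message="Could not associate packet to any connection."
device="SFW" date=2018-08-01 time=10:00:03 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" src_ip=192.0.2.10 dst_ip=203.0.113.7 dst_port=53 message=""
device="SFW" date=2018-08-01 time=10:00:04 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Deny" src_ip=203.0.113.9 dst_ip=198.51.100.5 dst_port=22 message=""
"""

# key=value where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def summarize(log_text):
    """Count records per log_component and collect the sources of the noisy
    'Invalid Traffic' denials so their share of the log can be judged before
    that log category is switched off."""
    per_component = Counter()
    invalid_sources = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        component = rec.get("log_component", "unknown")
        per_component[component] += 1
        if component == "Invalid Traffic":
            invalid_sources[rec.get("src_ip", "?")] += 1
    total = sum(per_component.values())
    share = per_component["Invalid Traffic"] / total if total else 0.0
    return {"total": total, "per_component": dict(per_component),
            "invalid_share": share, "invalid_sources": dict(invalid_sources)}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['invalid_share']:.0%} of {s['total']} records are Invalid Traffic")
    for ip, n in s["invalid_sources"].items():
        print(f"  {ip}: {n}")
```

A single LAN host dominating the ‘Invalid Traffic’ count usually points to a misbehaving application or an asymmetric route rather than to something the firewall needs to log forever.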

4. Browse to the ‘System Services’ page under ‘Configure’ and select the ‘Traffic Shaping Settings’ tab. Set your ‘Total Available WAN Bandwidth’ to match your internet connection speeds. Note that these values are in KBps (KiloBytes per second) and not Kbps (Kilobits per second). Most internet speed tests show you results in Mbps (Megabits per second), but you can easily convert this to KBps using an online converter such as Google (search for ‘Mbps to KBps’).


5. Browse to the ‘Advanced Threat’ page under ‘Protect’; the first tab, ‘Advanced Threat Protection’, is selected by default. Set ‘Enable Advanced Threat Protection’ to ‘ON’. Set the ‘Policy’ to ‘Log and Drop’. According to the Sophos XG Knowledge Base, Advanced Threat Protection (ATP) “can help rapidly detect infected or compromised clients inside the network and raise an alert or drop the traffic from those clients.”


6. Browse to the ‘Intrusion Prevention’ page under ‘Protect’ and select the ‘DoS & Spoof Protection’ tab. Scroll down to the ‘DoS Settings’ and enable ‘ARP Hardening’. With this enabled, the firewall sends an Address Resolution Protocol (ARP) reply only if the destination IP is a local address and both the sender and destination IP addresses are in the same subnet. Basically, ARP replies will only be allowed within the same subnet.


7. Browse to the ‘Email’ page under ‘Protect’ and select the ‘General Settings’ tab. Click the ‘Switch to Legacy Mode’ button under ‘SMTP Deployment Mode’. I’m still trying to learn the difference between the two modes and the benefit of using one or the other if you’re not running an email server at home. The reason I switched to Legacy Mode is because I was unable to send any email when it was in MTA mode. Additionally, on this same page, scroll down to the ‘SMTP TLS Configuration’ and ‘POP and IMAP TLS Configuration’ sections and enable ‘Disable Legacy TLS protocols’ in both sections. As the description next to the option mentions, this is recommended to overcome TLS vulnerabilities by disabling protocols lower than TLS1.1.


8. While you can use the DNS servers provided by your ISP, I prefer to use different DNS servers for better performance and increased privacy. You can use a tool such as namebench to determine which DNS servers will provide the best performance, and do some research to decide which DNS servers will suit your needs (Cloudflare, Google, OpenDNS, Quad9, etc.). Browse to the ‘Network’ page and select the ‘DNS’ tab. Under the IPv4 section, select ‘Static DNS’ and enter the DNS servers you prefer. Personally, I use Cloudflare’s DNS servers of ‘1.1.1.1’ (DNS 1) and ‘1.0.0.1’ (DNS 2), and Google’s DNS server of ‘8.8.8.8’ (DNS 3). You can leave the IPv6 fields blank, but if you want to add the IPv6 addresses, they are ‘2606:4700:4700::1111’, ‘2606:4700:4700::1001’ and ‘2001:4860:4860::8888’ for Cloudflare (DNS 1 & 2) and Google (DNS 3). Leave the ‘DNS Query Configuration’ set to ‘Choose server based on incoming request type’.

Note: If you decide to use a separate DNS server such as Pi-hole, the Sophos XG DNS server is still used by the pharming protection feature, which is enabled by default (‘Web’ -> ‘General Settings’ -> ‘Advanced Settings’). I use Pi-hole as my DNS server but leave pharming protection enabled to help protect against domain name poisoning attacks.


5 thoughts on “Sophos XG: Basic configuration for home use”

  1. Just ran into your website, awesome articles, have a few plans to try some of them out. I would love to see a guide on setting up XG in transparent mode (so I can use the XG IPS/IDS features that would bog down my Ubiquiti).

    1. Awesome, let me know if there’s anything about the guides that is confusing or can be made clearer. I usually only create posts/guides on stuff I do for my home network, so I’m not sure if/when I’ll get to creating one for transparent mode. However, it seems pretty straightforward – during the setup process you can select bridge mode, which I think will achieve what you’re trying to do. Here’s an article on the official Sophos website: https://community.sophos.com/kb/en-us/122973

  2. Great articles, love the detailed breakdown. I am working on my setup and need some assistance with IPv6 configuration. Do you by chance have an article on this?

    1. Unfortunately, I don’t. I do have IPv6 on my setup, but Sophos XG seems to be very limited in its IPv6 implementation. For example, you still have to masquerade IPv6 leaving your network. I may try to write an article on my setup at some point, but I’m not entirely sure how it all works yet.

  3. Perhaps you have already noticed, the Advanced Threat Protection is extremely resource hungry and it cuts your bandwidth in half. I run mine as a VM with a Xeon vCPU and 2 GB of RAM (reserved resources), and my 100 Mbps pipe with standard rule sets is cut to about 70 Mbps, and by the time I enable ATP it goes down to the mid 30s.
