Thank you very much for the awesome tutorial. I have a doubt about the network configuration in Proxmox. Long story short, I can use 4 ethernet ports on my Dell R710; now port1 is dedicated to the Proxmox GUI and VMs, port2 to VMs, and ports 3-4 are bonded together for a TrueNAS instance. Now, I'd like to use port1 for WAN, port2 for LAN (and VMs/PVE GUI?), and port3/4 for TrueNAS. Is it worth it? What do you suggest? How can I switch the Proxmox GUI from port1 to port2? Thanks
@@christianlempa Found nothing, unfortunately... I've connected WAN to another port and LAN to the proxmox one and it works the same. Anyways Sophos is absolutely fantastic! Thanks again mate
Absolutely love this video. I got a Zotac Ci329 specifically to install this and use as my home firewall. Interface looks fantastic. My only challenge right now is not being able to torrent. My previous configuration had pfsense on the VM that was serving the rest of the network and I could use PIA (private internet access) vpn and also torrent using one of the dedicated servers (transmission bittorrent vm), since I put sophos in front of it all, my torrents have suddenly stopped working. Can anyone assist? Also, is there a way to put the entire network behind a VPN with PIA?
I know pfsense and was using it on proxmox. But only this video gave me an idea to separate my WiFi devices into a separate network. At first I was thinking about VLANs but NATing will be much simpler.
Hello colleague, I have an issue with a virtual machine on Proxmox. My "local-lvm" is growing from the initial 6GB until it runs out of space, causing Sophos XG to stop working. I've cleared the Sophos XG report in the terminal, but it hasn't helped. How can I resolve this problem? Thank you for your assistance.
Counter-intuitively, it's better to look for videos showing how to run pfsense on Sophos Firewall hardware, of which there are plenty. From there it's not a big step to switch over to Sophos.
I did not see you address getting qemu guest agent installed for the Sophos VM - seems like a pretty serious oversight as you would want control over the startup/shutdown of your virtualized firewall. After some searching on this topic it looks like it might not even support installing the guest agent? Can you advise if it is supported and create a quick walkthrough for it?
Thank you for this how to, very informative. What hardware would you or anyone reading this recommend that would run software without any issue and not break the bank??
Good Afternoon, I set up using an old Dell Optiplex I had on hand. The issue I've been having is I'm trying to use it in bridge mode but once I set it using the assistant I can't access the webui and I don't get any ip to the endpoint. I read the sophos documentation but same issue. I apologize if it sounds like a dumb question, I'm fairly new to sophos and IT in general. I'm not sure if it will be good to use between my modem and unifi UDM.@@christianlempa
@@christianlempa 1 more question, how do I install the cert in my linux machine to keep it updated? I tried updating my machine and I keep getting a certificate not trusted error.
Christian, can you provide a walk-through for users wanting to use the remote access VPN on the Sophos Firewall?? Does the Proxmox firewall allow port forwarding to the Sophos VM so that remote access clients can connect to the VPN?
Good question, that could be an interesting video! Maybe about setting up IPSEC and OpenSSL. However, that will take me some time, probably in the second half of this year.
Question from a security standpoint: Which difference does it make, to a) use the described bridge mode in Proxmox or b) to pass through the NIC via IOMMU... b) after setting up Sophos my TrueNAS couldn't communicate to the update server ^^ P.S.: Kudos for speaking so fast!
Hi Christian, great video thank you. a question: is it possible to set up a home-lab on my hardware (laptop) only? using VMware/virtualbox to deploy the firewall, while using the actual hardware PC as the management station? your prompt response would be appreciated. Many thanks
Don't do it how Christian says. Google 'sophosXG firewall installers', choose the KVM one, fake details and 'boom' you've got it. Follow the instructions to register the firewall later during install, it's much easier than the way described here.
Wow! What an awesome video! Can you make a video, diving deeper into traffic shaping and QOS? My aim is to setup a network where any authenticated user will have the full bandwidth speed and unauthenticated users will be limited to a certain internet speed.
Tried to install SW-19.0.1_MR-1-365.iso on my machine, and I got a squeaking sound when the installer loads through the bootloader. Idk what you guys are doing there, but this is nuts. If you can forward this to your test team. Any other iso works fine.
Thank you for your insight into Sophos, I do have one of their boxes and have installed pfsense but I think I'll install Sophos home edition instead. One of the things that would help me is, can it monitor open ports (port forwarding) for bad activities, if you know? Thanks again for your video 😁
Hi Christian, how should I set this up when my Proxmox Server has just 1 NIC. The managed switch should then be connected to the ISP router and Proxmox to a different port on the managed switch? And how can Proxmox 'see' what is WAN traffic and what is LAN traffic. (VLANs on the managed switch?)
Got a Dell r310 and I must be missing something stupid as the gb2 ethernet port doesn’t get an ip from the cable modem or cannot connect manually with my old router. Fearful the port is dead but this is the first server computer I've messed with
Should have updated my results of the server. I loaded windows 10 on it and updated all the drivers while using my cellphone as a USB modem. Everything works great
This is really nice and I considered switching from OPNSense to Sophos Firewall at some point. However I have one issue because it seems that there is no way to use WireGuard on Sophos Firewall. For some reason Sophos is not willing to add Wireguard support for years now. Currently I am sending almost my entire internet traffic (with a few exceptions) through Private Internet Access (Wireguard). But Sophos Firewall only allows OpenVPN and IPSec I think. So now I wonder if there is any way to use Wireguard and also use a Sophos Firewall.
No way to use wireguard directly on the XG, unfortunately. I don’t think we’ll add it soon :/ however you have 2 other options: use Sophos RED, IPSec or SSL, or install wireguard on one server in your network.
@@christianlempa That would probably not work if I want to route my internet traffic through PIA. I don't really understand why Sophos and other next-gen firewall manufacturers won't add wireguard to their software.
In your video the firewall is on the proxmox. Do you see any security risks to run the XG on the same machine as your other services like sensitive files on truenas?
Then what if we use the mobile phone Android/iOS app to access the internet, since we can't install the certificate into each of these applications? Thanks
Hello. I have a BIG problem with Sophos XG. I made a bridge on 4 Ethernet cards and... Computers connected via cable are receiving IP from the DHCP server, but devices connected by WiFi are not able to receive an IP address from the DHCP server (static IP is working). The Wifi router is in bridge mode. I'm using 2 ports of the Tp-Link, both of them are switch connectors - one is connected to Sophos directly and the second is connected to my PC. And guess what - the PC is receiving an address and the phone isn't. Have you encountered this kind of situation?
This video is great it has inspired me to give Sophos another spin after many years. The features top notch for this product. I really hope you do more videos on this product.
Oh that's great to hear! Thank you
Nah dude, the XG is the worst firewall on the market.
@@a.m.653 I'm sure you have your reasons, but it would be helpful to all that read your comments to give details on why you feel that way.
@@seanwoods1526 hmm, I posted a comment around 10 mins ago, but it has since been removed.
@@seanwoods1526 ok, posted it now. If the above comment is about the removal, it has been again removed.
Sophos products are difficult to find tutorials for. Awesome work!
That's true! Thank you :)
I agree. Good work. Maybe next movie on vlans? I will be very grateful.
Arguably, I think Sophos XG is most definitely the best firewall that's freely available for home use - and not at all limiting at which you can do.
They provide the EXACT SAME features they do for business and enterprise users, completely for free to home users.
I've been using Sophos products well since the days of Astaro UTM, and I can 100% recommend their product to this day.
That's really nice to hear! I also think it's a great system and yeah Astaro UTM definitely was as well ;)
@christianlempa can you compare to the firewalla gold?
Die Erklärung bei 26:52 ist so wichtig. Ich hab mich immer gefragt warum Traffic auf dem Rückweg auch ohne explizites Ruleset erlaubt wird. Jetzt weiß ich es. Vielen Dank dafür!! :)
Vielen Dank für dein Feedback! :)
I am coming from Untangle to Sophos. The place I work uses Sophos and it works very well for an antivirus!! An excellent video with great detail and explanation!! Well Done!!
Thank you so much! :)
You have a great channel. You’re helping to make tech topics easier to approach and accomplish for those of us who are trying to solve problems and make things easier. Your topics are fun and interesting. Keep it going!
Thank you so much 😃
1000% agree with this ^^^ Comment !
Hi Christian, thank you so much for your work! Your video helped me a lot to get Sophos working on my Proxmox server! Now I am trying to figure out more features such as traffic shaping for services (there must always be enough bandwidth for Teams and Zoom sessions). Maybe you will hesitate to make a video on this? Stay safe and continue like this! So much appreciated!
Hi Christian, thanks for the useful walkthrough and applause for your honesty that you are working for Sophos. :)
Thank you 😁
It's been a few that I wanted to protect my homelab with a firewall. I initially chose pfsense, but your video made me go to sophos instead. It runs quite well and has many options that pfsense doesn't have, and for free. Thank you for your content, good as usual 😊
Awesome! Thank you :)
I like this video:
-Not clickbait
-Informal
-Detailed
Thanks for the video - just used it to set up a Sophos XG firewall on my new Proxmox server. Just some constructive criticism though - slow down a bit. Had to constantly pause and go back a few steps due to the pace of things.
wow you are very accurate with your explanations which I appreciate and didn't expect for another youtuber IT person.
I'm surprised. This Sophos software is more advanced than I would have assumed. Neat.
Sophos Firewall is the only true NGFW that is free for home use with almost no restrictions other than supporting Heartbeat, Endpoint security and I believe Sandstorm.
This is a great way to use Sophos XG with newer hardware that is not supported by Sophos on a "bare metal" installation directly onto the hardware. One reason for having to virtualize the firewall or more specifically, the network adapters, is due to Sophos Firewall not having the latest drivers to support the newest hardware, and second, is because the home version of Sophos Firewall does not support booting UEFI mode yet which is used by most newer hardware. Although Sophos is a great firewall, there are a lot of caveats and gotchas...especially for home users.
Thank you for your comment about not supporting UEFI, which is probably why when I was attempting to install Sophos on bare metal an audible alarm was sounding.
@@TainuiaKid1973 That sounds like a BIOS error beep code rather than a Sophos issue.
I had the same issue with pfSense. I was forced to run on Proxmox because it didn't support my Realtek card. Fortunately both firewalls support VirtIO devices, so at least we can virtualize under Proxmox with reasonable efficiency. But that brings headaches. You need to become proficient at giving certain things static IPs and having some system that remembers what they are. If you lose access to the Proxmox IP because of something your firewall is doing there's much fiddling about to fix it.
As always straight to the point! Great tutorial!
Thanks!
The Route based VPN is a very cool feature to route certain devices or traffic over the VPN for internet breakout if you have ISP issues :)
Nice!
Thank you so much for this tutorial. I managed to install it on a bare machine and replace my router, works very well. It's an opportunity for me to learn more about firewalls. I like your videos and how you explain. Keep up the good work.
Glad it helped
Christian...fantastic video! Thanks...I had tried the Sophos XG firewall about a year ago. I was unable to get it deployed...after this, I'm going to try to deploy on my home LAN again. Keep these videos coming :)
Thank you! Glad it inspired you to get started again :)
I have an XG from my work so I'm going to take advantage of it. I'm a network newb as well so great opportunity to learn. Keep up with the great content
Thanks, I'll do ;)
@@christianlempa I even mentioned your channel in my work and my colleague said he had spoken with you before when phoning Sophos support :D
Fantastic video! Really well explained
Hi there, I followed the tutorial above and installed sophos XG home version on my zotac Ci329 which works great. My only challenge is, I am no longer able to torrent from one of my VMs dedicated to transmission bittorrent, can you assist?
I have a follow up question, is there a way, I can put the entire home network behind PIA VPN?
Hi Sophos support, is home edition still available ? Cannot find it anymore on your website :(
Hi, any plan on making an in-depth tutorial on Sophos Firewall Home Edition?
Love how sophos directed me to this video, love your little giggle at the explicit content🤣🤣
Really? Who was it? :D
Thanks for this Christian. Thinking about switching over to Sophos XG & not being used to the rule creation this will make it easier for me. Would love more about Sophos xg...thanks
I used XG Firewall for over a year but then switched back to pfsense. It may be a step back but there are some downsides on Sophos.
The naming in the rules and natting is cut off after a few characters (10 or so). Hard to get a fast overview of the rules and natting.
It's impossible to set a hostname instead of an IP in the site-to-site vpn - useless for homeusers. […]
XG has a lot of cool features and tools already implemented which pfsense does not, but XG is more like software used at work with an option to use at home for free. No real community to ask questions, videos on their channel are outdated, the response of the support is like „it is how it is“.
But your presentation is excellent as usual :-)!
Great videos, 👍🏼... after watching your videos I switched from pfsense to sophos xg. Please make more videos!!
I would really like to see a more in-depth video about all the features and creation/management of more complex rules and zones.
Great quality video and audio. Your tuts are pretty awesome.
Thank you! :)
More videos on Sophos XG would be amazing :)
Thanks mate, yeah that's probably coming early next year ;)
Why would you not put the firewall between your modem and your router, and just keep letting your current router do its job? A serious question, just trying to understand.
It's useful when you want to do port forwarding or expose the firewall's services. Because when there is a router in front of the firewall you need to maintain the configuration on both devices, rather than just on the firewall.
However, it's just for convenience, you can still use your router as it is, and just put the firewall behind it with DHCP, just like I did in the video.
@AstroCat Thank you.
@@christianlempa Thank you so much.
Great tutorial!
In case the Firewall is behind the router, I assume a potential reverse proxy Server comes after the firewall.
Would then a port forwarding still work from the router to a client within the LAN, as router and LAN client are no longer in the same IP range.
In your video the Sophos router is doing NAT. I guess your Fritz!Box is doing the same. As a result, your network has double NAT. I’ve always been told that that is not desirable. Would you be able to get the same security level if you configure Sophos in transparent mode? For me the advantage would be that you could work around a firewall outage by simply plugging the LAN-port of the firewall back into the Fritz!Box router.
This video is great! It‘s packed with information and for me not too much and not too fast
Thank You So Much! 🙂The SSL feature was awesome!
I usually watch youtube videos on my laptop, I don't have my google account always logged in, so I cannot like or subscribe to many people, it gets lazy to login and verify by phone etc.
But for you, i made an exception, i logged for you with my account and liked and subs because your video was truly helpful.
Thank you man.
Cool Video, Please create more content about Sophos XG Firewall :) Very good content. I love it
Thank you! Oh there is something really cool coming out the next weeks, look for it on my instagram :D
4vCPU and 16GB Memory maximum at home? Our company's Check Point Open Server are running 3vCPU each for like, 500 LAN users and a few hundreds more of VPN users... xD
Sure. 4 CPUs with 22 cores each... A router without a firewall is a piece of crap.
Thank you Christian, now I have a good firewall.
You’re welcome ☺️
Hi Christian. Could you please do a Snort tutorial, ideally with a Web GUI? Thank you
Great suggestion! I'm planning a snort video, however I won't include a GUI. What we can talk about though is logging in ELK
First a thumbs up then watch the video
Yes indeed
Haha awesome! Thanks :D
@@christianlempa can't wait for more in depth videos about sophos xg
@32:16 - can we apply multiple web filters to a firewall rule ???
Great Video. Can you make a more detailed video about configuration (Wireless AP, VPN tunneling, interfaces and zones, etc)? It would be great to dig deeper into this and learn more about its capabilities
There will be some stuff coming out for Sophos soon! Don't know how deep I will go, but I will cover wireless APs and Zones 😉 stay tuned
@@christianlempa Great. Thanks
Very useful video, THX Christian.
Liked this video. Thanks for being specific and teach us step by step. Congrats
Thank you!
Cool video! I am now interested in one thing in particular. Does the Sophos firewall provide any functionality regarding traffic shaping, QoS and packet scheduling?
I am using OPNsense for that and I like to have next to no jitter for my web traffic... :)
Thanks! Yeah it does. You can schedule firewall rules and do traffic Shaping and QoS, it also works together with the AppControl
@@christianlempa It's been a while!
Wanted to let you know I successfully integrated Sophos into my network, now.
I've done a complete rework with Sophos running in KVM.
Regarding traffic shaping, it works like a charm. I manage to keep ping below 20 ms under full load (about 2 ms increase).
I must say I am very pleased with the results. I probably won't go back to OPNsense, any time soon.
Nice to see some more videos on Sophos XG from you.
Wish you could do a short video or just directions on how to properly setup sophos xg to allow an xbox to work properly. I have attempted it but whenever I get a dlc I am required to use my phone's hotspot instead of the house network
So confused at the network configuration part. Is there a video that explains how to do that?
Hi, I find the steps from 11:45 to 12:30 quite confusing. You created LAN and WAN bridges, I'm guessing for the LAN that's just the address for proxmox and your router's address. And the WAN is a made up address? Would this work for a setup going: modem -> sophos firewall -> router (set to AP and used as switch)?
Very good video, I'm waiting for future videos with proxmox interfaces (DMZ)
Wow best firewall video ever... thanks for your effort! And sharing this information... now i have to buy a firewall server... can you please do a deep dive into that topic?
Thank you so much! Yeah I'm thinking about more Linux Security videos and Firewall as well 😁
Great Video. This was very interesting and well explained. I am looking at changing my unifi gateway to this or pfsense, I will setup this up in my proxmox and have a play. Thank you
Thank you! I'm curious what you say in comparison with pfsense, let me know ;)
@@christianlempa , I'm more curious if @Peter Thornton knows about OPNsense and the Zenarmor/Sensei extension :)
Could you make a video on Sophos, on how to create firewall/NAT rules for use with external DNS-servers like technitium? It is not as simple as setting the dns up addresses under Network>dns|dhcp
I'm currently not planning any new firewall videos this year unfortunately, I'm still wondering whether I'd like to replace my home firewall with another system somewhere next year, but we'll see.
Excellent video!! I followed it to build my xg firewall on Proxmox.
Do you have any plans for a follow up on this video, would be very welcome.
I would love to learn more!
great! i was waiting for this! thank you
Glad you liked it!
Hi Christian,
first of all, your videos are really cool. I also come from IT and found my place in the server virtualization and storage area. But networking and network security are also cool topics.
I have now also looked into the Sophos XG Home Edition and have a question about it. You downloaded the SecurityAppliance_SSL_CA root certificate in your video. This works really well with the decryption and re-encryption. However, the blocking pages are displayed with a different certificate. So if a user comes to a blocked page, then a certificate error is issued. Is it possible to install this certificate on the clients?
Thanks for your help and I look forward to the conversation with you! And keep up the good work!
Hey, thank you so much for the nice feedback! The appliance cert is indeed something I wish I'd included in the video, but then it probably would be too long :D
Here is quickly what you need to do:
1. Create a new self-signed cert on the firewall and put the DNS name AND the local IP address of the firewall in the "Subject Alternative Names"
2. Switch the default cert of the admin panel to your self-signed one: System -> Administration -> Admin and User Settings -> Certificate
3. Import the "Default CA" onto the client just like the SSL CA, to get the self-signed cert into the trusted certificates store
Then you shouldn't see a cert warning for the admin interface or any block pages, captive portals, etc. anymore.
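As an added illustration of step 1 (not code from the video or from Sophos, whose web UI can generate the certificate itself), the following POSIX shell script builds the same kind of self-signed certificate with openssl, with the firewall's DNS name AND its LAN IP in the Subject Alternative Names, and checks the SANs before the certificate is trusted or uploaded. The hostname `firewall.home.lab` and the address `192.168.1.1` are placeholders.

```shell
#!/bin/sh
# Added example, not from the video or from Sophos: build a self-signed
# certificate shaped the way step 1 asks for (DNS name AND LAN IP in the
# Subject Alternative Names) and check the SANs before trusting/uploading it.
# The hostname and address below are placeholders; replace them with yours.
FW_DNS="${FW_DNS:-firewall.home.lab}"
FW_IP="${FW_IP:-192.168.1.1}"

# Generate key + cert in directory $1. A cert with only a DNS SAN still
# triggers a browser warning when the admin UI or a block page is reached by IP.
make_fw_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -keyout "$1/fw.key" -out "$1/fw.crt" \
    -subj "/CN=$FW_DNS" \
    -addext "subjectAltName=DNS:$FW_DNS,IP:$FW_IP" \
    -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# Same, but deliberately missing the IP SAN, to show what the check rejects.
make_dns_only_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -keyout "$1/dnsonly.key" -out "$1/dnsonly.crt" \
    -subj "/CN=$FW_DNS" \
    -addext "subjectAltName=DNS:$FW_DNS" >/dev/null 2>&1
}

# Returns 0 only when the certificate's SAN extension lists both names.
# Needs OpenSSL 1.1.1+ for "x509 -ext"; "IP Address:" is openssl's own label.
check_fw_cert() {
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null) || return 1
  case "$san" in *"DNS:$FW_DNS"*) ;; *) echo "missing DNS SAN $FW_DNS"; return 1 ;; esac
  case "$san" in *"IP Address:$FW_IP"*) ;; *) echo "missing IP SAN $FW_IP"; return 1 ;; esac
  return 0
}

# Stand-alone demo: the full cert passes, the DNS-only cert is rejected.
work=$(mktemp -d)
make_fw_cert "$work" && check_fw_cert "$work/fw.crt" && echo "fw.crt: both SANs present"
make_dns_only_cert "$work" && check_fw_cert "$work/dnsonly.crt" || echo "dnsonly.crt: rejected"
rm -rf "$work"
```

Upload `fw.crt` and `fw.key` as the admin certificate (step 2) only after `check_fw_cert` passes; otherwise clients reaching the firewall by IP keep getting the warning the thread describes.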
Seems like a really slick firewall, might have to give it a try 🙂
Glad to hear that! ;)
I have a problem.
I try to run this in a LAN-only network, but I can't manage to get the DNS and gateway to run...
wow. I am so glad I watched this.
Thanks ;)
Thank you very much for the awesome tutorial.
I have a doubt about the network configuration in Proxmox. Long story short, I can use 4 Ethernet ports on my Dell R710; now port1 is dedicated to the Proxmox GUI and VMs, port2 to VMs, and ports 3-4 are bonded together for a TrueNAS instance.
Now, I'd like to use port1 for WAN, port2 for LAN (and VMs/PVE GUI?), and port3/4 for TrueNAS. Is it worth it? What do you suggest?
How can I switch the Proxmox GUI from port1 to port2? Thanks
Np. Unfortunately, I had the same problem lately and haven't found the docs for changing the port. Maybe you'll find that :D
@@christianlempa Found nothing, unfortunately...
I've connected WAN to another port and LAN to the Proxmox one and it works the same. Anyways, Sophos is absolutely fantastic! Thanks again mate
I just downloaded an ISO file (v20) and installed it on my Proxmox. Why is the method presented here (KVM image) better?
Hey,
do you know how to add an interface to a zone over the CLI?
No, you should configure it in the web UI or API.
Absolutely love this video. I got a Zotac Ci329 specifically to install this and use as my home firewall. The interface looks fantastic. My only challenge right now is not being able to torrent. My previous configuration had pfSense on the VM that was serving the rest of the network, and I could use the PIA (Private Internet Access) VPN and also torrent using one of the dedicated servers (Transmission BitTorrent VM). Since I put Sophos in front of it all, my torrents have suddenly stopped working. Can anyone assist? Also, is there a way to put the entire network behind a VPN with PIA?
Great video! Thanks
Glad you liked it!
I know pfSense and was using it on Proxmox. But only this video gave me the idea to separate my Wi-Fi devices into a separate network. At first I was thinking about VLANs, but NATing will be much simpler.
Great feedback! Thank you so much :)
Would you recommend running a second firewall? Perhaps from a different vendor?
Thank you so much for your sharing and keep up the great work.
You are so welcome
Great vid, we are looking at deploying Sophos for some of our clients
Is it possible to buy a hardware appliance, for example XGS 107 / 107w, and use the home lab license with it?
Great product review and presentation.
Thank you :)
Hello colleague,
I have an issue with a virtual machine on Proxmox. My "local-lvm" is growing from the initial 6GB until it runs out of space, causing Sophos XG to stop working. I've cleared the Sophos XG report in the terminal, but it hasn't helped. How can I resolve this problem? Thank you for your assistance.
Loved.
A bit too technical for me but I loved the content
Thanks ;) Hope it still inspired you, even though it was too tough
@@christianlempa yes for sure, it's just that I gave up with technical stuff for years but I really like your approach, you give hope to the hopeless
MySophos no longer exists. The latest SFOS v20 firewall rule relies on DNAT instead of NAT for port forwarding.
Can you make a video about how to use Sophos Home Firewall on a sophos hardware device like an XG135 please?
It's not officially supported, so I won't do that, however, you can flash the old hardware (delete partitions) and reinstall with any OS you like ;)
It's easy: delete the original disk or mount a new one. After this, you can install Sophos Home Edition without problems.
Counter-intuitively, it's better to look for videos showing how to run pfsense on Sophos Firewall hardware, of which there are plenty. From there it's not a big step to switch over to Sophos.
@The Digital Life
I noticed you didn't say anything about the QEMU guest agent. Is that option not available for the XG?
I did not see you address getting qemu guest agent installed for the Sophos VM - seems like a pretty serious oversight as you would want control over the startup/shutdown of your virtualized firewall. After some searching on this topic it looks like it might not even support installing the guest agent? Can you advise if it is supported and create a quick walkthrough for it?
Thank you for this how to, very informative. What hardware would you or anyone reading this recommend that would run software without any issue and not break the bank??
I've recently tested it on a ZimaBoard, which is a small mini PC with 2 network interfaces, that runs well and is not too expensive :)
@christianlempa Good afternoon, I set it up using an old Dell OptiPlex I had on hand. The issue I've been having is I'm trying to use it in bridge mode, but once I set it using the assistant I can't access the web UI and I don't get any IP on the endpoint. I read the Sophos documentation but have the same issue. I apologize if it sounds like a dumb question, I'm fairly new to Sophos and IT in general. I'm not sure if it will be good to use between my modem and UniFi UDM.
@christianlempa 1 more question: how do I install the cert on my Linux machine to keep it updated? I tried updating my machine and I keep getting a "certificate not trusted" error.
Christian, can you provide a walk-through for users wanting to use the remote access VPN on the Sophos Firewall?? Does the Proxmox firewall allow port forwarding to the Sophos VM so that remote access clients can connect to the VPN?
Good question, that could be an interesting video! Maybe about setting up IPSEC and OpenSSL. However, that will take me some time, probably in the second half of this year.
Do you know, if there will be an update to v21 for Home-Users?
Hmm good question, Maybe Q4 next year I'm doing an update because then we should have v22 with many more feature updates.
Question from a security standpoint: which difference does it make to a) use the described bridge mode in Proxmox or b) pass through the NIC via IOMMU... b) after setting up Sophos my TrueNAS couldn't communicate with the update server ^^ P.S.: Kudos for speaking so fast!
Great Video on the XG Home
Glad you enjoyed it
Couldn't even find the downloads section of the new sophos central
Where can I find Sophos firewall home edition? The website has changed.
Hi Christian, great video, thank you. A question: is it possible to set up a home lab on my hardware (laptop) only? Using VMware/VirtualBox to deploy the firewall, while using the actual hardware PC as the management station?
your prompt response would be appreciated. Many thanks
Thanks for this great review!
You're welcome!
Hello, amazing content, thanks !
Could someone share an alternative download link for the KVM image, since the link on the manufacturer's page does not work?
Don't do it how Christian says. Google 'sophosXG firewall installers', choose the KVM one, fake details and 'boom' you've got it. Follow the instructions to register the firewall later during install, it's much easier than the way described here.
Wow! What an awesome video! Can you make a video, diving deeper into traffic shaping and QOS? My aim is to setup a network where any authenticated user will have the full bandwidth speed and unauthenticated users will be limited to a certain internet speed.
Interesting suggestion, so maybe at some point, but I have no current plans for that right now.
@@christianlempa Cool, thanks for the reply!
Tried to install SW-19.0.1_MR-1-365.iso on my machine, and I got a squeaking sound when the installer loads through the bootloader. Idk what you guys are doing there, but this is nuts. If you can, forward this to your test team. Any other ISO works fine.
Tried on another machine; the error gives a hint about the cause: firmware installation error.
Is the home edition still available for download? I'm being redirected to an online demo every time i try to find it...
Can you make a video on pfSense content and packet filtering?
Hm I'll probably stick with Sophos XG, as I don't see pfsense would actually improve my setup.
@christianlempa but Sophos comes with a community license; will it provide the content filter with the community license?
more sophos tutorial please
Good idea, there is something coming for you in the next weeks ;)
@christianlempa big thanks to you, sir
Thank you for your insight into Sophos. I do have one of their boxes and have installed pfSense, but I think I'll install Sophos Home Edition instead. One of the things that would help me is: can it monitor open ports (port forwarding) for bad activities, if you know? Thanks again for your video 😁
Hi Christian, how should I set this up when my Proxmox Server has just 1 NIC. The managed switch should then be connected to the ISP router and Proxmox to a different port on the managed switch? And how can Proxmox 'see' what is WAN traffic and what is LAN traffic. (VLANs on the managed switch?)
You need at least 2 NICs: one connects to the switch, one connects to the ISP router, XG sits between the two.
Got a Dell R310 and I must be missing something stupid, as the gb2 Ethernet port doesn't get an IP from the cable modem and cannot connect manually with my old router. Fearful the port is dead, but this is the first server computer I've messed with.
Should have updated my results of the server. I loaded windows 10 on it and updated all the drivers while using my cellphone as a USB modem. Everything works great
This is really nice and I considered switching from OPNSense to Sophos Firewall at some point.
However I have one issue because it seems that there is no way to use WireGuard on Sophos Firewall. For some reason Sophos is not willing to add Wireguard support for years now.
Currently I am sending almost my entire internet traffic (with a few exceptions) through Private Internet Access (WireGuard). But Sophos Firewall only allows OpenVPN and IPSec, I think.
So now I wonder if there is any way to use Wireguard and also use a Sophos Firewall.
No way to use WireGuard directly on the XG, unfortunately. I don't think we'll add it soon :/ However, you have 2 other options: use Sophos RED, IPSec or SSL, or install WireGuard on one server in your network.
@@christianlempa That would probably not work if I want to route my internet traffic through PIA.
I don't really understand why Sophos and other next-gen firewall manufacturers won't add wireguard to their software.
In your video the firewall is on the Proxmox host. Do you see any security risks in running the XG on the same machine as your other services, like sensitive files on TrueNAS?
Many thanks for all the knowledge sharing you do, as always 🤝🙂
Thank you! :)
Then what if we use mobile phone Android/iOS apps to access the internet? We can't install the certificate into each of these applications. Thanks
You can download and install the certs on Android and iOS as well, then it works the same way as on a PC.
Is there any time based access like a device shouldn't exceed 2 hours of internet access in Sophos XG FW?
Hello. I have a BIG problem with Sophos XG. I made a bridge on 4 Ethernet cards and... computers connected via cable are receiving IPs from the DHCP server, but devices connected by Wi-Fi are not able to receive an IP address from the DHCP server (static IP is working). The Wi-Fi router is in bridge mode. I'm using 2 ports of the TP-Link, both of them are switch connectors: one is connected to Sophos directly and the second is connected to my PC. And guess what: the PC is receiving an address and the phone isn't. Have you encountered this kind of situation?
Never use bridge mode, double-nat all the way unless you want to give yourself headaches.
Thanks for the tips bro
No problem 👍