RESET Forums (homeservershow.com)

Sophos Copernicus is now out of Beta and Has a New Name, Sophos XG Firewall


itGeeks


I have port forwarding working for Plex.

 

But PLEASE tell us how to get the webfilter switched on without breaking video streaming stuff!!

 

Pretty please?

 

 

We have ITGeeks in this forum to thank for this solution, as everyone has the same issue.  You do have to "bypass" some of your playback devices that are impacted by the webfilter (which is the same as what a regular router does out of the box).  There are variations of this, and remember you only do this on specific devices you are having an issue with, such as Xbox, Rokus, or Apple TVs.  What he describes is a "methodology" that sets up a structure for future rules and better identifies your devices on your network.  You do not have to put static IPs on everything right now and can add it later, but it is a good strategy for finite control in the future.  In addition, it allows you to just add or remove devices quickly by adding or removing them from a group without changing the whole rule.  I annotated some of the items in RED to limit your task.  It looks complicated, but after you do it, it is pretty straightforward.  Hope this helps; thanks again to ITGeeks for this solution.

 

 

What I did first was give everything on my network a static DHCP lease (you can limit this to just streaming devices for now):

  1. Static-DHCP: go to system->network->DHCP.
  2. Next, what I did was set up IP Hosts for all the devices on my network by going to objects->hosts & services->IP Host. For naming the IP Host I, for example, used My Desktop (IP-Host), Wife Laptop (IP-Host), Kids Tablet (IP-Host), Basement Printer (IP-Host), etc. You get the idea. The reason for adding (IP-Host) is so I can identify the objects when I am using them throughout Sophos.
  3. Next up I created several IP-Host Groups by going to objects->hosts & services->IP Host Group. I created several groups for the IP-Hosts we created above; for example I have one group called Desktops & Laptops, another called Phones & Tablets, another for IP Cameras, and so on. You get the idea.  (You can start with just the one group for now and do the rest later.)
  4. Next up you need to create a new policy for the devices you want to bypass HTTP Scanning, Web Filter, etc., and set the position at the top of the policy list. When setting up the policy, in the Source section it would be Zone=LAN, Networks* (this is where you add either the Hosts or the Host Groups we created earlier). Now, for turning off the web filter, scroll down the page to "Policy For User Applications" and set Web Filter from "Allow-All" to NONE. That turns off the web filter.

 

 

Just as side commentary, the more I use this the more I realize the potential.  Yes, it is a bit painful to learn and setup because it is different, but this time the journey has been much better.  I have much more to learn and to tweak but progress is being made.  Let us know how things are going.

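To make the ordering and grouping in that procedure concrete, here is a small Python model of it (an added example written for this page, not Sophos XG's own code or API): first-match rule evaluation over IP Host and IP Host Group objects, plus an audit helper that lists which hosts end up with no web filtering at all, which is the trade-off the later replies discuss. The host names and addresses are constructed sample data.

```python
from dataclasses import dataclass

# Simplified model of the post's objects (IP Hosts, IP Host Groups, firewall
# rules with a Web Filter setting); an added illustration, not Sophos' code.
# Constructed sample data: static-DHCP leases turned into IP Host objects.
IP_HOSTS = {
    "My Desktop (IP-Host)": "192.168.1.10",
    "Kids Tablet (IP-Host)": "192.168.1.21",
    "Living Room Roku (IP-Host)": "192.168.1.30",
    "Xbox (IP-Host)": "192.168.1.31",
}

# IP Host Groups: membership is edited here; the rules below never change.
IP_HOST_GROUPS = {
    "Streaming Devices": ["Living Room Roku (IP-Host)", "Xbox (IP-Host)"],
    "Desktops & Laptops": ["My Desktop (IP-Host)"],
}

@dataclass
class Rule:
    name: str
    source_zone: str
    source_networks: list  # IP Host / IP Host Group names; empty = any
    web_filter: str        # "NONE" = no web filtering for matching traffic

def expand(names):
    """Resolve IP Host and IP Host Group names to a set of IP addresses."""
    ips = set()
    for n in names:
        ips.update(IP_HOSTS[m] for m in IP_HOST_GROUPS.get(n, [n]))
    return ips

# Order matters: rules are evaluated top to bottom and the first match wins,
# which is why the bypass rule must sit above the general LAN rule.
RULES = [
    Rule("Streaming bypass", "LAN", ["Streaming Devices"], "NONE"),
    Rule("LAN to WAN", "LAN", [], "Allow-All"),
]

def matching_rule(src_ip, src_zone="LAN"):
    """Return the first rule whose zone and source networks cover src_ip."""
    return next((r for r in RULES if r.source_zone == src_zone and
                 (not r.source_networks or src_ip in expand(r.source_networks))),
                None)

def unfiltered_hosts():
    """Audit helper: named hosts that currently get no web filtering at all."""
    return sorted(n for n, ip in IP_HOSTS.items()
                  if (r := matching_rule(ip)) and r.web_filter == "NONE")
```

Moving a device in or out of the bypass is a group edit only, and `unfiltered_hosts()` is the check to run afterwards to confirm that nothing you still want filtered (the kids' tablet, for instance) has slipped into the bypass group.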


Great guide. Sounds very similar to Sophos UTM 9.3. Has anyone chosen to install XG yet over an existing UTM install and selected the upgrade option? Curious if it's capable of migrating existing config into XG. Their website doesn't mention this feature. Rather they will release a web migration tool in late 2016.

 

 

Sent from my iPhone using Tapatalk


Neal, I am sorry, I was only trying to have some fun with you. I think it's great that you donate unused stuff to charity. I don't want to hijack this thread, but I see you use "Genius Vision" for your security cameras' NVR. How is that program? Have you ever tried XProtect GO? It is free for 8 cameras and 5 days of recording. I have been trying XProtect GO for the last 30 days or so and I really like it so far, but I am always open to options if they're better than what I am using. https://www.milestonesys.com/our-products/xprotect-software-suite/xprotect-go/

Here are some videos of XProtect https://www.milestonesys.com/videotutorials

 

How does it compare to iSpy?

Drashna Jaelre

Great guide. Sounds very similar to Sophos UTM 9.3. Has anyone chosen to install XG yet over an existing UTM install and selected the upgrade option? Curious if it's capable of migrating existing config into XG. Their website doesn't mention this feature. Rather they will release a web migration tool in late 2016.

 

 

Sent from my iPhone using Tapatalk

Specifically, he's excluding entire devices from being scanned at all.  That's what I have a problem with. I want to exclude sites from being scanned when it will cause issues, not exclude devices.  

 

This is essentially using the "skip list" in UTM, not the exceptions list.


Specifically, he's excluding entire devices from being scanned at all.  That's what I have a problem with. I want to exclude sites from being scanned when it will cause issues, not exclude devices.  

 

This is essentially using the "skip list" in UTM, not the exceptions list.

 

Exactly this.

 

I'm aware you can exclude devices, and you can even create objects based on MAC address rather than IP address which will get around having to ensure that they have the same IP address every time.

 

For example, if I exclude the kids' iPads (since they use them for YouTube) then I have no control over what websites they visit, since the webfilter will be "off" for those devices.

 

That cannot be considered a solution; in fact it's not even a workaround, since you are completely disabling the webfilter for those devices.

seems like we need to know which particular part of the filtering is causing the problem so finer grain control can be exercised, much like what 'drashna' did for us on his blog. anyone looked at the logs you get when a device is having trouble? is the log worth anything?

Drashna Jaelre

seems like we need to know which particular part of the filtering is causing the problem so finer grain control can be exercised, much like what 'drashna' did for us on his blog. anyone looked at the logs you get when a device is having trouble? is the log worth anything?

the problem is... if you check the Sophos forums, there are a dozen posts about how the exceptions don't actually work.  So it doesn't matter right now.  The entire thing needs to be overhauled before it can be usable for my network (and many, many others, I'm sure). 


I have port forwarding working for Plex.

 

But PLEASE tell us how to get the webfilter switched on without breaking video streaming stuff!!

 

Pretty please?

Right now it's a waiting game to see "IF" Sophos is going to fix the video streaming stuff. The only workaround for now is to create a new Policy for all your streaming devices. I know it's not the perfect solution, but it does get the job done as long as you don't have kids in the house, as this disables any control for those devices. If you do have kids in the house you could always pair this with the Circle device HSS Dave has been reviewing and seems to really like; that would take care of keeping your kids safe online. I know that would be an extra cost/device, but at the cost of FREE for the great protection of Sophos, I am sure anyone wanting to keep their kids safe online could spend the 99.00 for Circle and have the best of both worlds. I know I would :)

Exactly this.

 

I'm aware you can exclude devices, and you can even create objects based on MAC address rather than IP address which will get around having to ensure that they have the same IP address every time.

 

For example, if I exclude the kids' iPads (since they use them for YouTube) then I have no control over what websites they visit, since the webfilter will be "off" for those devices.

 

That cannot be considered a solution; in fact it's not even a workaround, since you are completely disabling the webfilter for those devices.

Since you're getting the great protection of Sophos FREE for home use with unlimited IPs, you could always pair this with the Circle device HSS Dave has been reviewing and seems to really like. Yes, it's 99.00, but if you had to pay Sophos for their great protection it would cost you much more than 99.00. This would give you the best of both worlds :)

no offense interpreted.

 

nobody here seems to know about gv but it seems to me another great free thing (like utm9). I only have 2 of my 4 cameras set up at this point, and I can get to it fine either lan or internet, from a browser or android app.  it seems to do all I need without the frustrating foibles of the NVR that came with the cameras. I run dual mode - the nvr does its thing but is in an exposed area, I use gv as my backup in a more protected area. so they can steal the nvr but I still have them :)

 

I am not a real expert in this area but I am allergic to subscription fees. The performance impact seems minimal and a very rich set of features for free, most of which I don't need. One that I found important was to get email on Loss of Signal.

 

It's pretty easy to set up and control the storage allocation policy if you want to try it out some evening :)

Thanks for the info. I like your way of thinking of having two recording devices for your system. The cameras seem to be OK performance-wise with this? What are the specs of your cameras?