Add RED
You can configure RED from this page.
1. Ensure that RED is activated. This can be done from Configure > System Services > RED .
2. Go to Device Configuration > Configure > Network > RED Device Management and click Add .
3. Enter the RED settings.
Branch Name
Enter the name for the remote location where the RED will be set up.
Type
Select the client type from the drop-down list depending on the type of RED device you want to connect:
RED 10
RED 15
RED 15w
RED 50
Firewall-RED-Server
Firewall-RED-Client
Firewall RED Server Legacy
Firewall RED Client Legacy
* Firewall RED Server Legacy and Firewall RED Client Legacy are used to connect Sophos XG Firewall and Sophos UTM via RED Site2Site.
Using Firewall-RED-Server and Firewall-RED-Client you can configure a RED Site-to-Site tunnel between two Sophos XG Firewall devices which are connected through the RED technology. One device acts as server while the other is the client.
For more information, refer to Configure RED Site-to-Site Tunnel.
Firewall Device
Select the firewall device from the list of available devices.
RED ID
Enter the RED ID.
The RED ID is a 15-character string printed on a sticker located on the back of the RED. If you do not want to open the package, you can also find it on the outer carton sticker.
Tunnel ID
Enter the Tunnel ID.
By default, Automatic is selected, which numbers tunnels consecutively.
Unlock Code (optional)
Enter the unlock code.
The Unlock code is an 8-character string that is generated when a RED is added to a Sophos XG Firewall. If this RED is being deployed for the first time, the unlock code is not required. If this RED has been deployed before, you will need to enter the unlock code here. The unlock code is generated during the deployment of a RED device and is emailed instantly to the address you provided when activating RED. This is a security feature which ensures that a RED device cannot simply be removed and installed elsewhere.
For manual deployment via USB stick and automatic deployment via Provisioning Service (see below), two separate unlock codes are generated. If you switch a RED device from one deployment method to the other, make sure to use the corresponding unlock code: For manual deployment, provide the unlock code of the last manual deployment; for automatic deployment, provide the unlock code of the last automatic deployment.
2nd Firewall/Hostname (only applicable for client types RED 15 and RED 50)
Enter the hostname of the second Sophos XG Firewall.
Use 2nd IP/Hostname for (only applicable for client types RED 15 and RED 50)
Select from the following options:
Failover: Select this option if you want to use the second Sophos XG Firewall in case the primary Sophos XG Firewall fails. The second host will then take over automatically without loss of connection.
Load Balancing: Select this option if you want to distribute traffic equally across both the primary and the second Sophos XG Firewall.
Firewall IP /Host Name
Enter the hostname of the Sophos XG Firewall.
The Sophos XG Firewall hostname must be a publicly resolvable DNS name or IP address for this Sophos XG Firewall. The RED will use this name or IP to connect back to the Sophos XG Firewall.
Description (optional)
Enter a description for the RED settings.
Device Deployment
Select the deployment method:
Automatically via Provisioning Service
Manually via USB Stick
* If you select manual deployment, it is extremely important to keep the unlock code, which is sent by email. If you lose the unlock code, you can never again connect the RED device to another Sophos XG Firewall.
By default, the Sophos XG Firewall provides the RED's configuration data automatically via Sophos' RED Provisioning Service. In this case, the RED device receives its configuration via the Internet. If, for example, your RED does not have an Internet connection, you can provide the configuration manually via USB stick. If you deploy a RED device manually, you have to ensure that the Sophos XG Firewall is acting as NTP server. Therefore, activate NTP on the Sophos XG Firewall and allow the correct network, or at least the IP address of the RED.
4. Enter the uplink settings.
Uplink Connection
Select the connection type for the uplink:
DHCP: The RED pulls an IP address from a DHCP server.
Static: Enter an IPv4 address, a corresponding netmask, a gateway and a DNS server.
3G/UMTS Failover
Enable/disable the 3G/UMTS failover function.
* The RED device offers a USB port, where you can plug in a 3G/UMTS USB stick. If selected, this stick can serve as Internet uplink failover in case of a WAN interface failure. For the necessary settings please refer to your Internet provider's data sheet.
Mobile Network: Select the mobile network type, which is either GSM or CDMA.
Username/Password (optional): If required, enter a username and password for the mobile network.
* Available only for CDMA Mobile Network.
PIN (optional): Enter the PIN of the SIM card if a PIN is configured.
* If you enter a wrong PIN, in case of a WAN interface failure, the connection via 3G/UMTS cannot be established. Instead, the 3G/UMTS Failover checkbox of the RED device will automatically be unselected. Thus, the wrong PIN will only be used once. When the WAN interface comes up again, a warning will be displayed for the RED device: A wrong PIN was entered for 3G/UMTS failover uplink. Please change the login data. When you open the Edit RED dialog box, a message is displayed which tells you that the 3G/UMTS failover was automatically unselected. Correct the PIN before selecting the checkbox again. Please note that after three connection attempts with a wrong PIN, the SIM card will be locked. Unlocking cannot be done via the RED device or the Sophos XG Firewall.
* Available only for GSM Mobile Network.
APN (only with GSM): Enter your provider's access point name information.
Dial String (optional): If your provider uses a different dial string, enter it here. Default is *99# for GSM and #777 for CDMA.
5. Enter the RED network settings.
RED Operation Mode
You can define how the remote network will be integrated into your local network:
Standard/Unified: The Sophos XG Firewall completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. All remote network traffic will be routed through the Sophos XG Firewall.
Standard/Split: The Sophos XG Firewall completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. In contrast to the Unified mode, only certain traffic will be routed through the Sophos XG Firewall. Define local networks in the Split Networks box below which can be accessed by remote clients.
* VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED device, use the standard operation mode instead.
Transparent/Split: The Sophos XG Firewall does not control the network traffic of the remote network; it serves neither as DHCP server nor as default gateway. Instead, it pulls an IP address from the DHCP server of the remote network to become a part of that network. However, you can enable access for remote clients to your local network. For that you need to define Split Networks that are allowed to be accessed by the remote network. Additionally, you can define one or more Split Domains to be accessible. If your local domains are not publicly resolvable, you need to define a Split DNS Server, which can be queried by remote clients.
* VLAN tagged frames cannot be handled with this operation mode. If you use a VLAN behind your RED device, use the standard operation mode instead.
RED IP
(not for Transparent/Split)
Enter the IP address of the RED device.
RED Netmask
(not for Transparent/Split)
Select the netmask from the drop-down menu.
Zone
Select the requested zone:
LAN
DMZ
VPN
WiFi
Configure DHCP
Enable if you want to configure a DHCP range for RED.
RED DHCP Range
(only if Configure DHCP is enabled)
Enter the DHCP range.
Split Network
(not for Standard/Unified)
Add one or more split networks.
* Only traffic targeted to networks listed in the Split Network box is redirected to your local Sophos XG Firewall. All traffic not targeted to the defined split networks is directly routed to the Internet.
Example: You have a branch office and you want it to have access to your local intranet or you want to route traffic of the remote network via your Sophos XG Firewall for security reasons, e.g. to have the traffic checked for viruses or to use an HTTP proxy.
Split Domains
(only for Transparent/Split)
Add one or more split domains.
* Since the Sophos XG Firewall is only a client of the remote network, routing traffic to the split networks the same way as with the other modes is not possible. Therefore, the RED device intercepts all traffic: traffic targeting a network listed in the Split Network box or going to a domain listed in the Split Domain box is redirected to the Sophos XG Firewall interface. This is accomplished by replacing the default gateway's MAC address in the respective data packets with the Sophos XG Firewall's MAC address.
Example: There is a partner or a service provider who should have access to your intranet or a certain server in your local network. Using a RED device, that partner's network will stay completely independent of your network, but they can access a defined part of your network for certain purposes, as if they were connected via LAN.
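The following is an added worked model of the split-routing decision described for the Standard/Split and Transparent/Split modes above; it is example code written for this page, not part of Sophos XG Firewall or the RED firmware. The split networks, split domains, and the two MAC addresses are constructed sample values; the function names and the "firewall"/"internet" labels are assumptions chosen for the illustration.

```python
import ipaddress

# Constructed sample configuration (assumption, not from any real RED deployment).
SPLIT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]
SPLIT_DOMAINS = ["intranet.example", "crm.example"]

# Constructed MAC addresses used to model the Transparent/Split interception
# (the RED rewrites the remote default gateway's MAC to the firewall's MAC).
FIREWALL_MAC = "02:00:00:00:00:01"         # Sophos XG Firewall interface (sample)
REMOTE_GATEWAY_MAC = "02:00:00:00:00:02"   # remote network's own gateway (sample)


def matches_split_network(dst_ip, split_networks=SPLIT_NETWORKS):
    """True if the destination address lies in one of the Split Network entries."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in split_networks)


def matches_split_domain(hostname, split_domains=SPLIT_DOMAINS):
    """True if hostname equals a split domain or is a subdomain of one."""
    host = hostname.rstrip(".").lower()
    for domain in split_domains:
        domain = domain.rstrip(".").lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def route_decision(mode, dst_ip, dst_host=None):
    """Return (path, next_hop_mac) for a packet leaving a remote client.

    path is "firewall" when the traffic goes through the RED tunnel to the
    Sophos XG Firewall and "internet" when it is routed directly.
    """
    mode = mode.lower()
    if mode == "standard/unified":
        # Everything is routed through the firewall; it is the default gateway.
        return "firewall", FIREWALL_MAC
    if mode == "standard/split":
        # Only destinations inside a split network are sent through the tunnel.
        if matches_split_network(dst_ip):
            return "firewall", FIREWALL_MAC
        return "internet", REMOTE_GATEWAY_MAC
    if mode == "transparent/split":
        # The firewall is only a client of the remote network, so the RED
        # intercepts frames for split networks and split domains and swaps
        # the gateway MAC for the firewall's MAC; everything else is untouched.
        if matches_split_network(dst_ip):
            return "firewall", FIREWALL_MAC
        if dst_host and matches_split_domain(dst_host):
            return "firewall", FIREWALL_MAC
        return "internet", REMOTE_GATEWAY_MAC
    raise ValueError("unknown RED operation mode: %s" % mode)


if __name__ == "__main__":
    for mode, ip, host in (("standard/unified", "8.8.8.8", None),
                           ("standard/split", "10.10.3.4", None),
                           ("standard/split", "8.8.8.8", None),
                           ("transparent/split", "203.0.113.9", "wiki.intranet.example"),
                           ("transparent/split", "203.0.113.9", "www.example.org")):
        print(mode, ip, host, "->", route_decision(mode, ip, host))
```

The domain match is suffix-based so that hosts under a split domain are intercepted too; in Transparent/Split the split-domain check only helps when the client resolved the name through the configured Split DNS Server, which is why the page requires one for non-public domains.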
MAC Filtering Type
To restrict the MAC addresses allowed to connect to this RED device, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.
MAC Address: The list of MAC addresses used to restrict access to the RED device. MAC address lists can be created on the Objects > Host and Services > MAC Host page. Note that for RED 10, a maximum of 200 MAC addresses is allowed, whereas for RED 50, the list may contain up to 400 MAC addresses.
MAC filtering only works for RED rev. 2 or newer.
If no MAC Addresses are configured then "No Configured MAC address lists found" will be displayed.
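As an added illustration of the Blacklist/Whitelist semantics and the per-model list limits stated above, the following example code (written for this page, not part of Sophos XG Firewall) builds a MAC filter check from a list. The `build_mac_filter` and `normalize_mac` names are assumptions, the limits 200 (RED 10) and 400 (RED 50) are the values given on the page, and the MAC addresses are constructed samples.

```python
import re

# Per-model list limits quoted on the page; models not listed here are unbounded in this model.
MAC_LIMITS = {"RED 10": 200, "RED 50": 400}
_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Canonicalise '00-11-22-33-44-55', '0011.2233.4455' or '001122334455' to 'aa:bb:cc:dd:ee:ff'."""
    m = mac.strip().lower().replace("-", ":").replace(".", "")
    if ":" not in m and len(m) == 12:
        m = ":".join(m[i:i + 2] for i in range(0, 12, 2))
    if not _MAC_RE.match(m):
        raise ValueError("not a MAC address: %r" % mac)
    return m


def build_mac_filter(model, filter_type, mac_list):
    """Return a predicate allowed(mac) -> bool implementing the selected filtering type.

    Blacklist: every address is allowed except those in the list.
    Whitelist: every address is blocked except those in the list.
    Raises ValueError if the list exceeds the model's limit or the type is unknown.
    """
    addrs = {normalize_mac(m) for m in mac_list}
    limit = MAC_LIMITS.get(model)
    if limit is not None and len(addrs) > limit:
        raise ValueError("%s allows at most %d MAC addresses, got %d" % (model, limit, len(addrs)))
    filter_type = filter_type.lower()
    if filter_type == "whitelist":
        return lambda mac: normalize_mac(mac) in addrs
    if filter_type == "blacklist":
        return lambda mac: normalize_mac(mac) not in addrs
    raise ValueError("unknown MAC filtering type: %s" % filter_type)


if __name__ == "__main__":
    # Constructed sample list.
    allowed = build_mac_filter("RED 10", "Whitelist", ["00:11:22:33:44:55", "00-11-22-33-44-66"])
    for mac in ("00:11:22:33:44:55", "0011.2233.4477"):
        print(mac, "allowed" if allowed(mac) else "blocked")
```

Note that an empty list under Whitelist blocks every client, while an empty list under Blacklist allows every client; the normalisation step matters because the same hardware address can be written in several notations and must compare equal regardless.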
Tunnel Compression
Enabling tunnel compression will compress all traffic that is sent through the RED tunnel. Data compression might increase the throughput of the RED device in areas with a very slow Internet connection such as 1-2 Mbps. However, any performance increase mainly depends on the entropy of the data being sent (for example, already compressed data such as HTTPS or SSH cannot be compressed any further). In some circumstances it might therefore be possible that enabling data compression could actually reduce the throughput of the RED device. In that case, please disable data compression.
* Tunnel compression is not available for RED 10 rev.1.
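To make the entropy argument in the Tunnel Compression description concrete, here is an added example (written for this page, not part of the RED product) that measures the byte entropy of a payload and the ratio zlib achieves on it, then applies a simple rule for whether compression is worth enabling. The two sample payloads are constructed: repetitive log text, which compresses well, and pseudo-random bytes standing in for already-encrypted traffic such as HTTPS or SSH, which do not. The threshold of 0.9 and the function names are assumptions for the illustration.

```python
import math
import random
import zlib

# Constructed sample payloads (assumption: not captured from a real tunnel).
LOG_SAMPLE = b"".join(
    b"2024-01-01T00:00:%02d red1 dhcp: lease 10.10.0.%d to 02:00:00:00:00:%02x\n" % (i % 60, i % 250 + 1, i % 256)
    for i in range(200)
)
_rng = random.Random(1234)  # fixed seed so the sample is reproducible
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for a constant byte, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data, level=6):
    """Compressed size divided by original size; values near or above 1.0 mean no gain."""
    if not data:
        return 1.0
    return len(zlib.compress(data, level)) / len(data)


def compression_recommended(data, threshold=0.9):
    """Recommend enabling compression only when the payload shrinks by at least 10%."""
    return compression_ratio(data) < threshold


if __name__ == "__main__":
    for name, sample in (("log text", LOG_SAMPLE), ("random bytes", RANDOM_SAMPLE)):
        print("%-12s entropy=%.2f bits/byte ratio=%.2f recommend=%s" % (
            name, shannon_entropy(sample), compression_ratio(sample), compression_recommended(sample)))
```

High-entropy input such as TLS or SSH records already looks random to the compressor, so the deflate output is slightly larger than the input (framing overhead with no gain); that is the case in which the page advises disabling tunnel compression.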
6. Click Save to save your settings.
 
The RED interface is created and appears in the RED Device Management list.