RED models

Interfaces for RED models specify device configuration and network settings.

Note Support for the following settings varies according to device model and RED version. Check your device and firmware specifications for details.


Branch name
Branch office where the RED is located.
RED model.
RED identification number. You can find the ID on the back of the device and on the product packaging.
Tunnel ID
Tunnel identifier. Ensure that the ID is the same for the RED and the firewall.
Unlock code
Code that allows the provisioning servers to accept a new configuration for a RED.

If you are configuring the RED for the first time, leave the unlock code blank. If the device has been set up previously on another Sophos firewall, type the unlock code.

The unlock code is sent to the email address that you provided when you turned on the RED provisioning service.

Important Retain the unlock code. You will need the code if you want to deploy the RED on another firewall.
Separate unlock codes are generated for each deployment method. For subsequent deployments, make sure that you use the corresponding unlock code.

If you cannot find the unlock code, contact Sophos Support.

Firewall IP/hostname
Public IP address or hostname of the firewall.
2nd firewall IP/hostname
Alternate public IP address or hostname of the firewall.
Use 2nd IP/hostname for
The way in which the second IP address or hostname is to be used.
Choose from the following:
  • Failover The secondary host takes automatically over when the primary fails.
  • Load balancing Distribute traffic equally between the primary and the secondary hosts. Select this option if both uplinks the first and the second hostname correlate to, are equal in latency and throughput.
Device deployment
Method by which the device is configured and deployed.
Choose from the following:
  • Automatically via provisioning service
  • Manually via USB stick

Uplink settings

Define uplink connections type details and failover modes.

Uplink connection
Method by which the WAN connection on the RED obtains an IP address.
Choose from the following:
  • DHCP Assign the address dynamically. Using this method is recommended. If you are deploying using the provisioning service, the RED must connect to a DHCP network at least once to download the configuration.
  • Static Provide a static IP address. Use this option only if DHCP is not supported.
3G/UMTS failover
Use a mobile network in case of a WAN failure. Obtain the settings from your service provider. 3G/UMTS failover requires a USB dongle.
Note The RED firmware 2.0.018 doesn't support the D-Link DWM-222 USB adapter.

RED network settings

RED operation mode
Method by which the remote network behind the RED is to be integrated into your local network.
Note Split networks don't support FQDN hosts.
Choose from the following:
  • Standard/Unified The firewall fully manages the remote network through the RED. It acts as DHCP server and as default gateway.
    Note Handle VLAN traffic through the Standard/Unified mode if VLAN is deployed behind the RED.
  • Standard/Split The firewall manages the remote network and acts as DHCP server. Only traffic targeted to split networks is redirected to your local firewall. All traffic not targeted to the split networks is directly routed to the internet.
    Note This mode is not compatible with VLAN tagged frames.
  • Transparent/Split The firewall does not manage the remote network. It is connected to the remote LAN and the remote LAN’s gateway and receives an address on the remote LAN through DHCP. Only traffic destined for certain networks transmits down the tunnel. In this case, the RED does not act as the gateway, but it is in-line with the gateway and can transparently redirect packets down the tunnel.
    Note This mode is not compatible with VLAN tagged frames.
IP address of the RED.
Zone assigned to the interface.
Configure DHCP
Allow the RED to provide DHCP to devices.
RED DHCP range
DHCP range for devices behind the RED.
Split network
Traffic to the networks listed is redirected to the firewall. The remaining traffic is routed directly to the internet.
MAC filtering type
Type of MAC filtering.
Choose from the following:
  • Whitelist Allow only addresses on the list.
  • Blacklist Block addresses on the list.

Check your device specifications for the maximum number of MAC addresses allowed.

Tunnel compression
Compress tunnel traffic. Data compression can increase the throughput of RED traffic in regions with slow internet connections.

Switch settings

Configure LAN ports as simple switches or for VLAN usage.

RED 50 and SD-RED 60 devices support VLANs.

Switchport mode
Choose from the following:
  • Switch Send traffic to all ports.
  • VLAN Filter traffic according to the Ethernet frames’ VLAN tag. This option allows you to tunnel more than one network into the RED tunnel.

PoE settings

You can turn on Power over Ethernet for one or both PoE ports of RED 60.