Deploy Sophos Firewall in discover mode

When you deploy Sophos Firewall in discover mode, you can monitor network traffic without making any changes to your network schema.

Introduction

You want to deploy Sophos Firewall in discover mode using a TAP interface and schedule a security audit report (SAR) email.

Before you begin, make sure that you integrate Sophos Firewall with external authentication servers, such as Active Directory (AD), RADIUS, LDAP, Apple Directory, or Novell eDirectory, so you can get user-specific data in the security audit report.

Connect and access the Sophos Firewall

To connect your Sophos Firewall to the switch, and access your firewall's web admin console, do as follows:
  1. Connect port A of your Sophos Firewall to a port on the network switch.
  2. Change the IP address of the computer from which you want to access your Sophos Firewall to 172.16.16.2 and the subnet mask to 255.255.255.0.
  3. Open a web browser on the computer and browse to https://172.16.16.16:4444.
  4. Sign in to the web admin console of your Sophos Firewall, with the default username and password (both admin).

Turn on discover mode on an unbound interface

Note You can only turn on discover mode on an unbound interface.

By default, ports A, B, and C are bound to the LAN, DMZ, and WAN zones, while the rest of the ports are unbound. However, you can bind any port, including ports A, B, and C, to other zones at any time. In this example, you turn on discover mode on port D.

If you want to turn on discover mode on a previously bound interface, you need to unbind it. To unbind an interface, go to Network > Interfaces, select the required interface, and set the Network zone as None.

Note We recommend you bind the TAP interface with a CPU to get the desired output. To do this, change the port-affinity settings and configure the interface by using the bind-with option on the CLI console before using the interface for discover mode.

To turn on discover mode on an unbound interface, do as follows:

  1. Connect the unbound port (port D) and a port on the network switch (on which you'll configure port mirroring).
  2. Sign in to the command-line console (CLI) of Sophos Firewall.
  3. Choose the following option: 4. Device Console.
  4. Enter the following command to turn on discover mode on port D: console> system discover-mode tap add PortD
    You'll see the following message: Discover Interface added successfully

    The image below shows the interface page on Sophos Firewall with port D configured as the TAP interface.

    Interfaces page showing port D

Configure port mirroring on the switch. To find out how to do this, see the documentation for the switch.

Schedule security audit report emails

To schedule security audit report emails, do as follows:
  1. Go to Reports > Show report settings > Report scheduling.
  2. Click Add to add a report schedule.
  3. Select Security audit report and enter your settings.
  4. Click Save.

The image below shows the report scheduling page on Sophos Firewall.

Report scheduling page

Additional information

When you deploy Sophos Firewall in discover mode, you can't apply security policies.

You can combine discover mode with the gateway, mixed, and bridge modes. When you combine discover mode with any of these modes, you need to know the following:

  • You can connect the TAP interface and the LAN port on Sophos Firewall to the same switch. You must connect the TAP interface on Sophos Firewall to the SPAN port on the switch and the LAN port on Sophos Firewall to another port on the switch.
  • You can't apply a security policy to the traffic on a TAP interface, but you can apply it on other interfaces.

You can use discover mode on virtual Sophos Firewall devices.

Discover mode and high availability (HA)

  • Discover mode doesn't work in HA active-active mode.
  • Synchronized application control is disabled in HA active-active mode.
  • Discover mode works in HA active-passive mode.
  • You can't configure HA when a TAP interface is active. To configure HA, you must first deactivate the TAP interface on both firewalls (from the command line interface). After you've established HA, you can re-activate the TAP interface.
  • When you turn on HA, the TAP interface is active on the passive Sophos Firewall.