Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Set up a RED device manually

To set up RED devices manually, you must download the provisioning file for the RED interface and save it to a USB stick.

Objectives

To set up a RED device manually, do as follows:

  1. Configure an NTP server on the firewall.
  2. Add a custom zone for RED devices.
  3. Add a RED interface and download the provisioning file.
  4. Install the provisioning file on the RED device.
  5. Create a firewall rule for tunnel traffic.

Configure an NTP server

When you manually set up a RED device, the firewall must act as an NTP server.

To configure the firewall as an NTP server, do as follows:

  1. Go to Administration > Time and click Use custom NTP server.
  2. In the Search/Add field, type the IP address of the firewall and click Add Add button..
  3. Click Apply.

Add a custom zone for RED devices

When you add the RED interface, if you set the RED device in the LAN zone, the firewall applies the same rules to the RED device as the rest of the LAN network. To maintain a logical separation between the RED and LAN networks, add a custom zone for RED devices or use an existing zone, such as VPN or WiFi.

To add a custom zone for RED devices, do as follows:

  1. Go to Network > Zones and click Add.
  2. Enter a name for the zone. For example, RED.
  3. For Type, select LAN or DMZ. See Add a zone.
  4. For Device access, select the service you want for this zone.
  5. Click Save.

Add a zone for RED devices.

Add a RED interface

Create an interface for the RED that you're manually setting up.

  1. Go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and select Add.
  3. Enter a branch name and select your RED device type.
  4. For Device deployment, select Manually via USB stick.
  5. Specify the other RED model settings as required.
  6. Under RED network settings, select the zone you created for RED devices.
  7. Click Save.

    The firewall generates a provisioning file for the interface.

Install the provisioning file

Download the provisioning file associated with the RED interface and provide the file to the device using a USB stick.

  1. Turn off the RED.
  2. Go to Network > Interfaces.
  3. For the RED interface, click Menu Menu button., and download the provisioning file.

    Download RED provisioning file.

  4. Move the file to the root directory of the USB stick.

  5. Plug the USB stick into the RED.
  6. Turn on the RED.

    The RED gets the configuration from the USB stick.

(Optional) Synchronize time for offline REDs

RED devices must synchronize their time to complete the TLS handshake with the firewall. To ensure that RED devices in offline mode can do so, allow them internet access to connect with the Sophos NTP server pool. Alternatively, create a Local service ACL exception rule allowing them to connect to the firewall from the WAN zone as follows:

  1. Click Add.
  2. Enter a rule name.
  3. Set Source zone to WAN.
  4. Set Source network or host to the RED device's IP address.
  5. Set Destination host to the firewall's WAN port.
  6. Set Services to HTTPS.
  7. Set Action to Accept.
  8. Click Save.

Create a firewall rule for tunnel traffic

You can configure firewall rules for RED devices based on their zones.

If you use an existing zone, previously created firewall rules determine how traffic is routed. Make sure the rules that apply to the selected zone don't break security for your internal networks. For example, the VPN zone prevents the firewall from resolving DNS requests. The VPN zone instead uses DHCP to distribute a different DNS server.

To create a firewall rule for tunnel traffic, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 or IPv6, select Add firewall rule, and then select New firewall rule.
  3. For Source zones, select the zone you created for RED devices.
  4. Select a network in Source networks and devices if you want the firewall rule to match a network within the zone. Otherwise, select Any.
  5. For Destination zones, select LAN and WAN.
  6. Select a network in Destination networks if you want the firewall rule to match a network within the zone. Otherwise, select Any.
  7. Click Save.

Allow RED services

To allow RED services from the required zones, do as follows:

  1. Go to Administration > Device access.
  2. Under RED, select the zones in which your RED devices are located.

    Tip

    You can also create a Local service ACL exception rule for RED services. See Add local service ACL exception rule.

  3. Click Apply.

Select the zones in which your RED devices are located.