Set up a RED device automatically
You can create a tunnel between Sophos Firewall and a RED appliance automatically using the Sophos provisioning server.
How automatic provisioning works
Here's how the provisioning server sets up a RED tunnel with the firewall:
- You turn on the RED provisioning service in the firewall.
- You add the RED to the firewall by adding a RED interface.
- The firewall uploads the RED configuration to the Sophos provisioning server.
- The RED downloads the configuration from the provisioning server.
- The RED creates a tunnel with the firewall.
In this setup, the RED and firewall must have internet access.
Objectives
To set up a RED device automatically, do as follows:
- Turn on the RED provisioning service.
- Add a custom zone for RED devices.
- Add a RED interface.
- Create a firewall rule for tunnel traffic.
Turn on the RED provisioning service
Before you can configure RED interfaces you must turn on the RED provisioning service in the firewall. Do as follows:
- Go to System services > RED.
- Under RED configuration, turn RED status on.
- Enter your information.
- Select the box to agree to the Sophos End User Terms of Use.
- Click Apply.
Add a custom zone for RED devices
When adding the RED interface, if you've set the RED device in the LAN zone, the firewall applies the same rules to the RED device as the rest of the LAN network. To maintain a logical separation between the RED and LAN networks, add a custom zone for RED devices or use an existing zone, such as VPN or WiFi.
To add a custom zone for RED devices, do as follows:
- Go to Network > Zones and click Add.
- Enter a name for the zone. For example, RED.
- For Type, select LAN or DMZ. See Add a zone.
- For Device access, select the service you want for this zone.
- Click Save.
Add a RED interface
To create an interface for the RED, do as follows:
- Go to Network > Interfaces, click Add interface, and select Add.
- Enter a branch name and select your RED device type.
- For Device deployment, select Automatically via provisioning service.
- Specify the other RED model settings as required.
- Under RED network settings, select the zone you created for RED devices.
- Click Save.
Allow RED services
To allow RED services from the required zones, do as follows:
- Go to Administration > Device access.
- Under RED, select the zones in which your RED devices are located.
Tip
You can also create a Local service ACL exception rule for RED services. See Add local service ACL exception rule.
- Click Apply.
(Optional) Synchronize time for offline REDs
RED devices must have the correct time to complete the TLS handshake with the firewall, because certificate validation fails if the device clock is outside the certificate's validity period. To ensure that RED devices in offline mode can synchronize their time, allow them internet access to the Sophos NTP server pool. Alternatively, create a Local service ACL exception rule allowing them to connect to the firewall from the WAN zone, as follows:
- Go to Administration > Device access and, under Local service ACL exception, click Add.
- Enter a rule name.
- Set Source zone to WAN.
- Set Source network or host to the RED device's IP address.
- Set Destination host to the firewall's WAN port.
- Set Services to HTTPS.
- Set Action to Accept.
- Click Save.
Create a firewall rule for tunnel traffic
You can configure firewall rules for RED devices based on their zones.
If you use an existing zone, the firewall rules already defined for that zone determine how RED traffic is handled. Make sure those rules don't weaken security for your internal networks, and check for zone-specific behaviour. For example, the VPN zone prevents the firewall from resolving DNS requests from hosts in that zone; it instead uses DHCP to distribute a different DNS server.
To create a firewall rule for tunnel traffic, do as follows:
- Go to Rules and policies > Firewall rules.
- Select IPv4 or IPv6, select Add firewall rule, and then select New firewall rule.
- For Source zones, select the zone you created for RED devices.
- Select a network in Source networks and devices if you want the firewall rule to match a network within the zone. Otherwise, select Any.
- For Destination zones, select LAN and WAN.
- Select a network in Destination networks if you want the firewall rule to match a network within the zone. Otherwise, select Any.
- Click Save.
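The same rule can be created through the firewall's XML API instead of the web admin console, which is useful when rolling out many REDs. The script below is an added example and is not code from the Sophos documentation: it builds the request for the IPv4 rule described above (source zone RED, destination zones LAN and WAN, networks Any), refuses to build a rule whose source zone is LAN (which would undo the separation the custom zone exists for), and parses the API's status reply. The element names (Request/Login/Set/FirewallRule/NetworkPolicy), the response layout (a Status element with a code attribute), the APIController path and the API version string are assumptions about the API schema; check them against the API reference for your firmware before use.

```python
"""Build and submit a Sophos Firewall XML API request for the RED tunnel rule.

Added example, not Sophos documentation code. The XML schema, the response
layout and the APIController path are assumptions; verify against your
firmware's XML API reference.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/webconsole/APIController"  # assumption: default XML API endpoint


def build_red_rule_request(username, password, rule_name, red_zone,
                           dest_zones=("LAN", "WAN"), src_networks=None,
                           api_version="1905.1"):
    """Return the XML (bytes) that adds an IPv4 network rule red_zone -> dest_zones.

    src_networks=None means "Any", matching the GUI default. Raises ValueError if
    the source zone is LAN, because RED traffic in the LAN zone inherits every
    LAN rule and the logical separation is lost.
    """
    if red_zone.upper() == "LAN":
        raise ValueError("use a dedicated zone for RED devices, not LAN")

    req = ET.Element("Request", APIVersion=api_version)  # assumed attribute name
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password

    add = ET.SubElement(req, "Set", operation="add")
    rule = ET.SubElement(add, "FirewallRule")
    ET.SubElement(rule, "Name").text = rule_name
    ET.SubElement(rule, "Description").text = "Traffic from RED tunnel to LAN and WAN"
    ET.SubElement(rule, "IPFamily").text = "IPv4"
    ET.SubElement(rule, "Status").text = "Enable"
    ET.SubElement(rule, "Position").text = "Bottom"
    ET.SubElement(rule, "PolicyType").text = "Network"

    policy = ET.SubElement(rule, "NetworkPolicy")
    ET.SubElement(policy, "Action").text = "Accept"
    ET.SubElement(policy, "LogTraffic").text = "Enable"  # log so the tunnel is auditable
    src = ET.SubElement(policy, "SourceZones")
    ET.SubElement(src, "Zone").text = red_zone
    dst = ET.SubElement(policy, "DestinationZones")
    for zone in dest_zones:
        ET.SubElement(dst, "Zone").text = zone
    if src_networks:  # omit the element entirely for "Any"
        nets = ET.SubElement(policy, "SourceNetworks")
        for net in src_networks:
            ET.SubElement(nets, "Network").text = net
    ET.SubElement(policy, "Schedule").text = "All The Time"

    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def parse_status(response_xml):
    """Return (code, message) from an API reply; assumes a <Status code=".."> element."""
    root = ET.fromstring(response_xml)
    status = root.find(".//Status")
    if status is None:
        raise ValueError("no <Status> element in API response")
    return status.get("code"), (status.text or "").strip()


def submit(host, request_xml, port=4444, verify_tls=True):
    """POST the request as the reqxml form field and return (code, message).

    Keep verify_tls=True in production; the admin console certificate should be
    trusted rather than bypassed.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    body = urllib.parse.urlencode({"reqxml": request_xml.decode("utf-8")}).encode()
    url = "https://%s:%d%s" % (host, port, API_PATH)
    with urllib.request.urlopen(url, data=body, context=ctx, timeout=30) as resp:
        return parse_status(resp.read())


if __name__ == "__main__":
    # Constructed demonstration: print the request and parse a constructed reply.
    print(build_red_rule_request("apiuser", "secret", "RED_to_LAN_WAN", "RED").decode())
    print(parse_status(b'<Response><FirewallRule transactionid=""><Status code="200">'
                       b'Configuration applied successfully.</Status></FirewallRule></Response>'))
```

The API user must be allowed under Backup & firmware > API on the firewall, and the submitting host must be in the API's allowed IP list. Run it from a management host, never from the RED-side network the rule is about to open.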