Add a RED interface
You can create two types of RED interfaces. The configuration steps vary depending on the type of interface you create.
- RED hardware model: Dedicated RED hardware without a user interface.
- Firewall RED: The firewall acts as a RED in a client-server configuration. It needs network settings only.
You must first turn on the RED service on System services > RED.
Warning
If a failover occurs in an HA cluster, there's a delay in reconnecting the RED tunnels to the auxiliary firewall. The time to reconnect the tunnels varies based on the number of interfaces and other settings. This applies to site-to-site RED tunnels and RED appliances.
Depending on the type of interface you're creating, do one of the following:
Add an interface for a RED hardware model.
Do as follows:
- Go to Network > Interfaces, click Add interface, and select Add RED.
- Enter a branch name.
- Select the type of RED interface from the list.
Warning
RED 15, 15 (w), and 50 are now end-of-life (EOL). From SFOS 20.0 MR1 and later versions, you can't connect tunnels using these devices even though they appear as options in this list. To continue to use them, you must run SFOS 20.0 GA or earlier versions. We recommend you select SD-RED 20 or 60. See End of life of RED 15/15(w) and RED 50 and Retirement calendar.
- Specify the RED settings.
  - RED ID: RED identification number. You can find the ID on the back of the device and on the product packaging.
  - Tunnel ID: Tunnel identifier. Make sure you use a tunnel that's not in use on either device.
  - Unlock code: A code that allows the provisioning servers to accept a new RED configuration. The RED provisioning server assigns a unique code to each RED hardware model. For first-time configurations, leave the unlock code blank.
  - Firewall IP/hostname: Public IP address or hostname of the firewall.
  - 2nd firewall IP/hostname: Alternative public IP address or hostname of the firewall.
  - Use 2nd IP/hostname for: Choose from the following:
    - Failover: The secondary host automatically takes over when the primary fails.
    - Load balancing: Distribute traffic equally between the primary and the secondary hosts.
  - Device deployment: Choose from the following:
    - Automatically via provisioning service: Sophos Firewall provisions the remote RED appliance automatically through the RED provisioning server.
    - Manually via USB stick: Use this option to provision a RED appliance located in a private network. Do as follows:
      - Go to Network > Interfaces.
      - Click Menu and click Download provisioning file.
      - Copy the file to the root directory of a USB device, and insert it into the remote RED appliance.
Note
RED devices synchronize their time with the Sophos NTP server pool. The synchronization is required for the TLS handshake with the firewall.
To ensure that devices in offline mode can update their time, allow them internet access to connect with the NTP servers or create a Local service ACL exception rule allowing the RED to connect to the firewall from the WAN zone. See RED device in offline mode doesn't connect to the firewall.
- Specify uplink settings.
  - Uplink connection: Choose from the following:
    - DHCP: Assign the address dynamically. We recommend you use this method. If you're setting up the RED using the provisioning service, the RED must connect to a DHCP network at least once to download the configuration.
    - Static: Provide a static IP address. Use this option only if DHCP isn't supported. For static configuration, you must set up the RED device manually. See Set up a RED device manually.
  - 2nd uplink connection: Choose a method for the second RED uplink.
  - 2nd uplink mode: Choose from the following:
    - Failover: The secondary uplink automatically takes over when the primary fails.
    - Load balancing: Distribute traffic equally between the primary and secondary uplink.
  - 3G/UMTS failover: Use a mobile network in case of a WAN failure. Obtain the settings from your service provider. 3G/UMTS failover requires a USB dongle.
Note
3G/UMTS failover isn't available if you set RED operation mode to Transparent/Split.
The RED firmware 2.0.018 doesn't support the D-Link DWM-222 USB adapter.
- Specify the RED network settings.
  - RED operation mode: Select a mode to integrate the remote network behind the RED into your local network. Split networks don't support FQDN hosts. For more information, see RED operation modes.
  - RED IP: IP address of the RED. When you change the IP address of an existing RED interface and the new IP address range is outside the range of the RED DHCP server, Sophos Firewall turns the RED DHCP server off.
  - Zone: Zone assigned to the interface.
  - Configure DHCP: Allow the RED to provide DHCP to devices.
  - RED DHCP range: DHCP range for devices behind the RED.
  - Split network: Traffic to the networks listed goes through the firewall. The remaining internet-bound traffic goes through the default gateway. Requests to internal resources in the remaining traffic (not part of the split network) go directly to those resources.
  - MAC filtering type: Choose from the following:
    - Allow list: Allow only addresses on the list.
    - Block list: Block addresses on the list.
    Check your device specifications for the maximum number of MAC addresses allowed.
  - Tunnel compression: Compress the tunnel traffic to increase the throughput.
  - MTU: Maximum Transmission Unit (MTU) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they're sent.
- Specify Switch settings.
SD-RED 60 devices support VLANs.
For more information, see RED LAN modes.
- Specify PoE settings. You can turn on Power over Ethernet for one or both PoE ports of SD-RED 60.
- Specify Advanced settings for SD-RED 20 and SD-RED 60.
Remote IP assignment assigns an IP address to the bridge with the RED tunnel on the WAN interface. Use this option only if the devices behind a RED aren't responding to ARP requests. Select DHCP to let the local DHCP server assign the IP address or Static to manually assign the IP address.
- Click Save.
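The Split network and MAC filtering settings above are easier to reason about when you can see the decision a RED makes for a given frame. The following is an added example written for this page, not Sophos code and not how the RED firmware is implemented: a small Python model that applies the MAC filter (allow list or block list) and then classifies the destination the way the setting descriptions state it: listed split networks go through the tunnel to the firewall, the LAN behind the RED is reached directly, and everything else goes to the local default gateway. The function names, the networks, addresses and MAC addresses are all constructed sample values.

```python
"""Added example (not Sophos code): model the RED Split-mode routing decision
and MAC filtering as the setting descriptions state them.
All networks, addresses and MACs are constructed sample values."""
from ipaddress import ip_address, ip_network
from typing import Iterable


def normalise_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_allowed(mac: str, filter_type: str, entries: Iterable[str]) -> bool:
    """Apply the MAC filtering type:
    'allow' = only addresses on the list pass, 'block' = addresses on the list are dropped."""
    listed = {normalise_mac(m) for m in entries}
    mac = normalise_mac(mac)
    if filter_type == "allow":
        return mac in listed
    if filter_type == "block":
        return mac not in listed
    raise ValueError("filter_type must be 'allow' or 'block'")


def split_route(dst: str, red_lan: str, split_networks: Iterable[str]) -> str:
    """Classify a destination for Split mode:
    'tunnel'  - in a configured split network, so it goes through the firewall
    'local'   - an internal resource on the LAN behind the RED, reached directly
    'gateway' - remaining (internet-bound) traffic via the RED's default gateway
    Split networks are checked first, so a split network that overlaps the LAN wins."""
    addr = ip_address(dst)
    for net in split_networks:
        if addr in ip_network(net, strict=False):
            return "tunnel"
    if addr in ip_network(red_lan, strict=False):
        return "local"
    return "gateway"


def decide(src_mac: str, dst: str, red_lan: str, split_networks: Iterable[str],
           filter_type: str, mac_entries: Iterable[str]) -> str:
    """Full decision for one frame: MAC filter first, then the routing class."""
    if not mac_allowed(src_mac, filter_type, mac_entries):
        return "drop"
    return split_route(dst, red_lan, split_networks)


if __name__ == "__main__":
    # Constructed sample configuration: LAN behind the RED, two split networks,
    # and a block list with one client MAC.
    lan = "192.168.50.0/24"
    split = ["10.10.0.0/16", "172.16.0.0/12"]
    blocked = ["aa:bb:cc:dd:ee:01"]
    for mac, dst in [("aa:bb:cc:dd:ee:02", "10.10.5.20"),
                     ("aa:bb:cc:dd:ee:02", "192.168.50.7"),
                     ("aa:bb:cc:dd:ee:02", "203.0.113.9"),
                     ("AA-BB-CC-DD-EE-01", "10.10.5.20")]:
        print(f"{mac} -> {dst}: {decide(mac, dst, lan, split, 'block', blocked)}")
```

Run it and the four sample frames print tunnel, local, gateway and drop respectively. Note that the model checks split networks before the local LAN, so if you list a split network that overlaps the network behind the RED, that traffic is sent through the tunnel rather than delivered locally; keep the two disjoint when you fill in the Split network field.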
Add a RED interface for a RED tunnel between two Sophos Firewall devices, or between Sophos Firewall and Sophos UTM.
Do as follows:
- Go to Network > Interfaces, click Add interface, and select Add.
- Enter a branch name.
- Select an option as follows:
  - Firewall RED Server: This firewall is the server.
  - Firewall RED Client: This firewall is the client.
  - Firewall RED Server Legacy: This firewall is the server.
  - Firewall RED Client Legacy: This firewall is the client.
  Specify the settings:
  - Tunnel ID: Tunnel identifier. Make sure you use a tunnel that's not in use on either device.
  - Firewall IP/hostname: Public IP address or hostname of the firewall.
  - Provisioning file: File containing the configuration data to be provided to the client firewall.
- Specify the RED network settings.
  - RED IP: IP address of the RED. When you change the IP address of an existing RED interface and the new IP address range is outside the range of the RED DHCP server, Sophos Firewall turns the RED DHCP server off.
  - RED netmask: Subnet mask of the RED IP address.
  - Zone: Zone assigned to the interface.
  - Tunnel compression: Compress tunnel traffic. Data compression can increase the throughput of RED traffic in regions with slow internet connections.
  - MTU: Maximum Transmission Unit (MTU) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they're sent.
- Click Save.
Update an existing RED interface
You can do one of the following:
- Update the existing DHCP server settings, such as Dynamic IP lease, Static IP MAC mapping, DNS, and other related settings.
- Create a new DHCP server for the new IP address range.
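Both RED IP descriptions above, and the update options just listed, hinge on one condition: after you change a RED interface's IP address, the RED DHCP server is turned off if its range no longer falls inside the interface's new network. The following is an added example, not Sophos code and not part of the firewall, that checks that condition before you click Save so you know whether you will need to update or recreate the DHCP server afterwards. The function names and every address, netmask and range are constructed sample values; the extra check that the RED IP itself is not inside the DHCP range is a general DHCP sanity check added here, not something the page states.

```python
"""Added example (not Sophos code): pre-change check for a RED interface IP change.
If the new RED IP/netmask no longer contains the RED DHCP range, the page states
that Sophos Firewall turns the RED DHCP server off. Values are constructed."""
from ipaddress import ip_address, ip_interface


def dhcp_range_fits(new_red_ip: str, new_netmask: str, dhcp_start: str, dhcp_end: str) -> bool:
    """True if the whole DHCP range lies inside the network the RED interface will be on.
    new_netmask may be dotted ('255.255.255.0') or a prefix length ('24')."""
    net = ip_interface(f"{new_red_ip}/{new_netmask}").network
    start, end = ip_address(dhcp_start), ip_address(dhcp_end)
    if start > end:
        raise ValueError("DHCP range start is after its end")
    return start in net and end in net


def red_ip_in_dhcp_range(new_red_ip: str, dhcp_start: str, dhcp_end: str) -> bool:
    """Added sanity check (not from the page): the interface's own address should
    never be inside the pool it hands out."""
    return ip_address(dhcp_start) <= ip_address(new_red_ip) <= ip_address(dhcp_end)


def plan_ip_change(new_red_ip: str, new_netmask: str, dhcp_start: str, dhcp_end: str) -> dict:
    """Summarise what to expect after Save, and which of the page's update options apply."""
    net = ip_interface(f"{new_red_ip}/{new_netmask}").network
    fits = dhcp_range_fits(new_red_ip, new_netmask, dhcp_start, dhcp_end)
    plan = {
        "new_network": str(net),
        "dhcp_server": "kept" if fits else "turned off",
        "warnings": [],
    }
    if not fits:
        plan["next_steps"] = [
            "Update the existing DHCP server settings (lease, static MAC mapping, DNS)",
            "Create a new DHCP server for the new IP address range",
        ]
    if fits and red_ip_in_dhcp_range(new_red_ip, dhcp_start, dhcp_end):
        plan["warnings"].append("RED IP lies inside the DHCP range")
    return plan


if __name__ == "__main__":
    # Constructed sample: existing DHCP range 10.20.30.100-200, three candidate changes.
    for ip, mask in [("10.20.30.1", "255.255.255.0"),    # same /24: range still fits
                     ("10.20.40.1", "255.255.255.0"),    # moved to another /24: DHCP turned off
                     ("10.20.30.1", "255.255.255.128")]: # shrunk to /25: range end falls outside
        print(ip, mask, plan_ip_change(ip, mask, "10.20.30.100", "10.20.30.200"))
```

The third case is the one that catches people: the RED IP itself is unchanged, but narrowing the netmask cuts the DHCP range in half, so the DHCP server still goes off. Run the check with the netmask you actually intend to enter, not just the address.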
More resources