Sophos XG and Unifi USG
Previously I was using a Sophos UTM and Unifi USG for my home lab. Why? Anyone in the Ubiquiti Unifi environment will understand: the Unifi GUI looks much nicer when all the services are filled in and you get DPI info. However, I felt the USG wasn't good enough as a firewall, IPS and IDS system, so I decided to implement a Sophos UTM firewall. Fast forward a few years and I am now looking to move from the outdated UTM to the XG.
As in the previous guide - https://blog.awelswynol.co.uk/2020-01-sophos-utm-infront-of-unifi-usg/
A few services need to be configured to allow them to play nicely together.
In theory, enabling OSPF and using dynamic routing would have been a quick and easy setup. However, OSPF isn't really needed for a small, simple network, and the overhead in CPU and memory utilisation wasn't worth it.
Ok so how do we do it? First lets visualise it.
USG WAN is my backup link to the internet in case my Sophos goes down.
USG WAN2 connects to the Sophos LAN port.
Sophos WAN port connects to the internet.
Unifi
Let's start with the Unifi USG and Unifi Controller.
If you are familiar with config.gateway.json, this file is used for when a USG re-provisions. Normally the config doesn't survive the process without a JSON file.
On the USG you have WAN, LAN and WAN2/LAN2: eth0, eth1 and eth2 respectively. In my case I use WAN (eth0) as my main connection to the internet, LAN (eth1) connects to my LAN switch, and WAN2 (eth2) will be the connection to the Sophos XG before it connects to the internet.
The JSON below adds a NAT masquerade rule to the eth2 port (WAN2):
{
    "service": {
        "nat": {
            "rule": {
                "5999": {
                    "exclude": "''",
                    "outbound-interface": "eth2",
                    "type": "masquerade"
                }
            }
        }
    }
}
Save the file as config.gateway.json in your Unifi Controller data folder:
...data/sites/**site name**/config.gateway.json
In your Unifi Controller create a new network
Settings > Networks > Create New
Choose WAN and then WAN2
Create a network that will connect your USG to the Sophos XG
Static IP
10.0.0.2 - IP of USG
10.0.0.1 - IP of Sophos XG
255.255.255.252 - subnet or CIDR /30
10.0.0.1 or 1.1.1.1 or 8.8.8.8 as DNS.
Head over to your Unifi Devices list and select the USG
Ports > Configure Interface
Set Port WAN 2 / LAN 2 to use WAN 2
USG Firewall
Finally, on the USG we need to create a firewall rule on WAN IN. This allows the Sophos XG to communicate with LAN devices.
Settings > Routing & Firewall > Firewall > WAN In
Name = WAN2 to Internal Subnets
Rule Applied = After predefined rules
Action = Accept
IPv4 Protocol = All
Source = IP 10.0.0.1 (Sophos XG LAN IP)
Destination = IPv4 address group = All LAN Subnets (you have to create a group with all LAN subnets listed)
Port Group = Any
Save
Sophos XG
Now let's log into the Sophos XG admin page at https://**IP**:4444
First, let's configure the network interfaces.
Network > Interfaces
Port 1 LAN
Port 2 WAN
Make sure they are in the correct Zones.
Port 1 LAN
IP assignment = Static
IP Address = 10.0.0.1/30
Network > Routing > Static Routing
A static route is required to inform the Sophos XG that, to reach your LAN subnets, it needs to send traffic via the interface that is connected to your USG. In IPv4 Unicast route, create a new route for each of your LAN subnets.
Example:
Destination IP = 192.168.40.0/26
Gateway = 10.0.0.2 (The IP of your USG WAN 2 interface)
Interface = Port 1 - LAN
Distance = 1
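To tie the USG and Sophos XG halves together, here is a small helper (added for this post, not part of the original guide or either vendor's tooling) that generates the config.gateway.json masquerade block from above, builds one XG static route per LAN subnet pointing at the USG WAN2 IP, and sanity-checks the /30 transit link. The link addresses and the LAN subnet list are constructed sample values; substitute your own.

```python
import ipaddress
import json

# Constructed sample values matching the topology in the post (assumptions).
LINK = "10.0.0.0/30"          # transit network between XG Port 1 and USG WAN2
XG_LAN_IP = "10.0.0.1"        # Sophos XG Port 1 (LAN) address
USG_WAN2_IP = "10.0.0.2"      # USG WAN2 (eth2) address
LAN_SUBNETS = ["192.168.40.0/26", "192.168.50.0/24"]  # sample LAN subnets


def check_link(link, xg_ip, usg_ip):
    """True if the transit link is a /30 and the two firewalls use its two usable hosts."""
    net = ipaddress.ip_network(link, strict=True)
    ends = {ipaddress.ip_address(xg_ip), ipaddress.ip_address(usg_ip)}
    return net.prefixlen == 30 and ends == set(net.hosts())


def usg_masquerade_json(iface, rule_id="5999"):
    """Build the config.gateway.json body adding a masquerade NAT rule on iface.

    EdgeOS represents valueless flag nodes such as `exclude` as the string "''"
    in config.gateway.json, which is why that odd value appears here.
    """
    rule = {"exclude": "''", "outbound-interface": iface, "type": "masquerade"}
    return {"service": {"nat": {"rule": {rule_id: rule}}}}


def xg_static_routes(subnets, gateway, iface="Port 1 - LAN", link=LINK):
    """One Sophos XG IPv4 unicast route per LAN subnet, next hop = USG WAN2 IP.

    Rejects a subnet that overlaps the transit link: such a route would pull the
    firewall-to-firewall traffic itself into the route and break the link.
    """
    transit = ipaddress.ip_network(link)
    routes = []
    for s in subnets:
        net = ipaddress.ip_network(s, strict=True)   # strict: host bits must be zero
        if net.overlaps(transit):
            raise ValueError(f"{net} overlaps the transit link {transit}")
        routes.append({"destination": str(net), "gateway": str(gateway),
                       "interface": iface, "distance": 1})
    return routes


if __name__ == "__main__":
    assert check_link(LINK, XG_LAN_IP, USG_WAN2_IP), "transit link misconfigured"
    print(json.dumps(usg_masquerade_json("eth2"), indent=4))   # config.gateway.json
    for r in xg_static_routes(LAN_SUBNETS, USG_WAN2_IP):
        print(r)                                                # XG routes to enter
```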
Network > Routing > Gateways
Configure a Gateway Health Check. Add a new IPv4 Gateway
Name = LAN Gateway
IP = 10.0.0.2 (USG WAN 2 IP)
Interface = Port 1 - LAN Interface
Health Check = Ping 10.0.0.2
Firewall Rules
Finally, we need to create two firewall rules.
Protect > Rules & policies > Firewall rules
The first rule creates a masquerade NAT.
· Name = Masq NAT
· Action = Accept
· Source = LAN
· Source Networks = **List of your LAN subnets**
· Destination Zone = WAN
· Destination Networks = any
· Services = any
Create a Linked NAT Rule
Linked NAT
Just change Translated source (SNAT) to MASQ
Firewall Rule 2
This next rule is only for testing. It effectively turns off your firewall and allows all traffic from all sources to all destinations.
Name = Allow Everything
Action = Accept
Source Zone = Any
Source Network = Any
Destination Zone = Any
Destination Network = Any
Services = Any
If everything above is correct, you should now be able to test your connection by disconnecting WAN 1 on the USG.