I wouldn't say I was a total network novice, but I'm certainly no expert. I am, unfortunately for the museum, the only Admin in our environment. Feeling my way through hardening our equipment the best I can.

Setting up the new XG 210 is kicking my butt. The typical search reveals answers that include stuff I haven't set up yet: one step forward, two steps back. I get the AD connected and only groups are populating, etc., etc. What must be done in order, and what's the most secure way to order those projects? Short of reading my way through the entire manual, in what order do you suggest I set things up? (An outline, rough is fine.)

I have all the defaults set up; I'm passing traffic with what I hope is some basic security, but I need to get VPN users set up, connect the Sophos APs that were on our old UTM, and be reasonably sure I'm keeping the users safe. We only have one location, an AD DC, a couple of file servers, a Ricoh document center (I've already given its IP full access to the Internet), and some VM hosts. I'm sure there's a tonne of stuff that I don't know that I don't know.

When we moved over we built a scope of works, documenting all the things we had in place (firewall rules, NAT mappings, WAN IP address, IPsec tunnels, DNS records for VPN etc.) to ensure we had all the details to recover the functionality to the Sophos, and to ensure we had points of contact, PSKs, IPs etc. etc.

Then we got the UTM set up on a test internet egress, so we had all the functions set up as we thought we needed them but using a different internet feed. Then built the web browsing policy (categories blocked etc.) and tested, and configured endpoint integration so they were getting the same policy. Set some bypass rules where needed for sites that were fussy. Tested things like core connectivity and web filtering to check important sites we used, like the ERP system, all worked OK.

Once that's working we just unplugged the old firewalls out of hours and dropped the UTM in place, swapped the WAN IP etc. and tested live in production. Some things worked; a few NAT rules needed tweaking as we didn't fully understand the DNAT config. Once we were happy we swapped back to the original firewalls and then planned the actual switch for the next night. Swapped into place and got everything up and running.

Next day we had people setting up the APs for wifi and then migrated users to either REDs at home or SSL VPN if they were on the road. As we did this on demand it was a great way to determine how many people 'working from home' were actually 'working' and how many were just 'at home'.

I think the important takeaway is you plan and test, but also build a list of priorities for the business and set the expectation. So long as they know the guest wifi will be down for 1-2 days and that VPN will need to be reconfigured as required, they are OK with it.

Hey mate, I've done about 6 XG deployments now, including 2x XG310s in HA. It sounds like you're already up and running, but here's what I do:

1. The XG firmwares seem to be very much "fix a few things, break a few things". Once you're up and running and comfy with one firmware, do not go ahead and install whatever they throw at you. Research other people's results on the Sophos forums first. My HA deployment is stable on 16.05 MR 7. I have one or two on 17.02 and it's OK for my requirements.

2. Get your interfaces, VLANs and zones planned/sorted out. This will affect your firewall policies as well as DHCP server configurations if you use them. If you need to reconfigure or remove a VLAN, be prepared to lose your DHCP config for that subnet.

3. Replicate hosts and services from the old firewalls into the XG.

4. Replicate firewall policies / access rules. The default deployment will have a basic LAN to WAN rule and it will protect your connection straight out of the box, so don't stress.

5. Test, test, test; worry about users and VPNs next. I don't have AD connected to any deployment, always standalone VPN users. Disable PPTP, use SSL VPN where possible. If you're concerned about whether or not the device is doing its job, go home and use nmap to probe your XG WAN address and see what you've allowed through. There are online services that can do similar.
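The "probe your own WAN address with nmap and see what you've allowed through" advice above is only useful if you compare the result with what you meant to publish. The following Python script is an added example (not from this thread, and not a Sophos tool): it parses nmap's normal text output, compares the open ports with a list of intended exposures, and flags anything unexpected, anything intended that is not reachable, and PPTP specifically. The nmap output, the WAN address 203.0.113.10 and the intended-port list are all constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of nmap "normal" output for a hypothetical WAN address
# (203.0.113.10 is a documentation range); this is not a real scan result.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 203.0.113.10
Host is up (0.021s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE  SERVICE
443/tcp  open   https
1723/tcp open   pptp
4433/tcp closed unknown
8443/tcp open   https-alt
"""

# Ports you intended to publish through the firewall (constructed for the
# example; in practice, list them from your own WAN / DNAT rules).
INTENDED_EXPOSURE = {"443/tcp", "4433/tcp", "8443/tcp"}

# Services the thread's advice treats as a red flag whatever the intent.
KNOWN_BAD = {"1723/tcp": "PPTP control channel: disable PPTP, use SSL VPN"}

# One nmap port line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(nmap_text: str) -> Dict[str, str]:
    """Map 'port/proto' -> service name for every port nmap reports as open."""
    open_ports: Dict[str, str] = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            open_ports[f"{m.group(1)}/{m.group(2)}"] = m.group(4)
    return open_ports


def _port_number(port: str) -> int:
    return int(port.split("/")[0])


def review_exposure(open_ports: Dict[str, str],
                    intended: Set[str]) -> Dict[str, List[str]]:
    """Compare what the scan saw with what you meant to allow through.

    unexpected: open on the WAN side but not in the intended list (a rule or
                NAT you forgot about, or a default you never closed)
    missing:    intended but not reachable (DNAT / firewall rule not working)
    known_bad:  open services the thread's advice says to turn off
    """
    findings: Dict[str, List[str]] = {"unexpected": [], "missing": [], "known_bad": []}
    for port in sorted(open_ports, key=_port_number):
        service = open_ports[port]
        if port not in intended:
            findings["unexpected"].append(f"{port} ({service})")
        if port in KNOWN_BAD:
            findings["known_bad"].append(f"{port} ({service}): {KNOWN_BAD[port]}")
    for port in sorted(intended - set(open_ports), key=_port_number):
        findings["missing"].append(port)
    return findings


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    report = review_exposure(found, INTENDED_EXPOSURE)
    for category, items in report.items():
        print(f"{category}: {items if items else 'none'}")
```

Run it against a saved scan (`nmap -oN scan.txt <your WAN address>`, from outside your network) by reading the file into `parse_open_ports` instead of the sample. A TCP scan only tells you about TCP: IPsec (UDP 500/4500) and the GRE leg of PPTP will not appear, so scan UDP separately if you publish those, and treat "missing" entries as a prompt to re-check the rule rather than as proof the service is closed.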