Sophos UTM IPv6



The ‘issue’ with HA configuration


When you set up High Availability (HA) on a Sophos UTM, you simply select the interface your UTMs are connected with as your ‘Sync NIC’, name your device (e.g. Node1), press Apply, then change the operation mode to Hot Standby (active-passive), as shown below.

This is quick and easy to set up, but it’s also easy to forget the information you will need for future diagnostics, e.g. what if I need shell access to the SLAVE node? What is its IP address? How on earth are the two nodes communicating?

Behind the scenes both nodes do get an IP address on the sync link, more specifically an address from the RFC 2544 range, the address space reserved by IANA for IPv4 benchmark testing, which runs from 198.18.0.0 to 198.19.255.255.

In order to truly understand what we are doing we need to first SSH to our MASTER node.

First gain access to the master node

Assuming you have shell access enabled on the MASTER (settings shown below), these settings and credentials will replicate to the SLAVE node.

Continue to use your favourite utility for shell access; I’m going to use PuTTY in this example.


NOTE: If this is your first time SSHing into a UTM, keep in mind that you must first log in as ‘loginuser’ before you can elevate your privileges to root (via the su command).

Now SSH into the MASTER node. You don’t need to gain access to the root account, but if you want to, run the su command once you’re logged in as loginuser.


Now that you’re logged into the shell of the MASTER node, we can finally get into the SLAVE node.

Gaining access to the slave node from the master node

There are two powerful commands in our arsenal that help us fully understand what is going on here.


ha_daemon -c status

This shows us the basic status of the HA setup, including the IP address of the MASTER and the IP address of the SLAVE, both of which are assigned on the backup (sync) link.

Here we can see that the current mode is HA MASTER, because we are currently logged into the MASTER node.


ha_utils ssh

This is the most useful of the two commands: it automatically finds the SLAVE’s IP address and attempts to log in as loginuser via SSH, prompting you for credentials.

Once you’re logged in, that’s it! You can now check it over.

It’s not often you’ll need to gain sole access to the SLAVE, given that all changes on the MASTER are replicated to the SLAVE, but on the off chance that you need to, you now know there is a way.


Hey there,

more and more IPv6 addresses are assigned, and since we are using IPsec tunnels to encrypt the traffic between our branch offices, I was wondering ‘how far has the support for IPsec via IPv6 come?’


So, I checked it out, using our Astaro (now Sophos) Firewall at work and my M0n0wall at home.

First of all, you of course need IPv6 activated on both ends and an active connection. Whether you get that natively from your provider or, for example, through https://www.sixxs.net is up to you. If you see fe80:… addresses: these are link-local addresses and do not work for us here.
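The two address facts above (the HA sync link using the RFC 2544 range, and link-local fe80:: addresses being unusable as IPsec gateways) can be checked with a small classifier. This is an added example, not code from either post; the label names are my own.

```python
# Added example, not from either post: classify addresses that appear in the two
# setups. UTM HA nodes talk over the RFC 2544 benchmark range (198.18.0.0 to
# 198.19.255.255), while an IPv6 IPsec gateway must be a global address and
# never a link-local fe80:: address.
import ipaddress

def ha_sync_network() -> ipaddress.IPv4Network:
    """Collapse the RFC 2544 range quoted in the HA post into a single prefix."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address("198.18.0.0"), ipaddress.ip_address("198.19.255.255")))
    assert len(nets) == 1           # the range is exactly one CIDR block
    return nets[0]                  # 198.18.0.0/15

ULA = ipaddress.ip_network("fc00::/7")   # unique local IPv6, not routable on the Internet

def classify(addr: str) -> str:
    """Label an address by how it can (or cannot) be used in the setups above."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        # HA MASTER/SLAVE backup-link addresses live in the RFC 2544 block.
        return "ha-sync" if ip in ha_sync_network() else "ipv4"
    if ip.is_link_local:
        return "ipv6-link-local"    # fe80::/10, useless as a tunnel endpoint
    if ip in ULA:
        return "ipv6-ula"           # fd00::/8-style addresses, also not routable
    if ip.is_global:
        return "ipv6-global"        # what both IPsec gateways need
    return "ipv6-other"             # loopback, documentation prefix, etc.

def usable_ipsec_gateway(addr: str) -> bool:
    """True only for a global IPv6 address, the only kind both tunnel ends accept."""
    return classify(addr) == "ipv6-global"
```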

Setup on the Astaro (Sophos UTM):

  • Go to ‘Site-to-Site VPN’ -> ‘IPSec’ and create a ‘Remote Gateway’. We use a pre-shared key for our test setup; in a real setup you might want to use RSA or a certificate. For the gateway, use the IPv6 WAN address of the m0n0wall. Oh, and don’t forget to add the remote networks (this can be the whole /48, for example; no need to add several /64s).
  • Then go to ‘Connections’ and create a new connection using the gateway we just created. I use Triple DES (3DES) as the policy here.
  • If you tick ‘automatic firewall rules’, your remote network gets full access to your local network. If this is unwanted, don’t do it! You can create the rules you like under ‘Network Security’ -> ‘Firewall’.

All done here!

Setup on the M0n0wall:

  • Go to ‘VPN’ -> ‘IPSec’ and click the + symbol to create a new tunnel
  • For the interface choose ‘WAN’, unless you are routing internally or something (the interface should have the same IP that you chose for the remote gateway on the Astaro).
  • Enter your local subnet, I chose my /48 here.
  • Enter the remote gateway (again, the WAN IPv6 address of the Astaro)
  • Phase 1: Use 3DES, MD5, DH Keygroup 5, Lifetime 7800, PreShared Key
  • Phase 2: 3DES, MD5, Lifetime 3600

These are the values taken from the pre-existing definition for 3DES on the Astaro. You could change that, but do it on both sides.

Now just create rules for what traffic you want to allow through the tunnel and what not. Remember: both sides must match in order for traffic to go through.
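Since the phase 1 and phase 2 values must match on both ends, the comparison is easy to automate. The following is an added example, not code from either post or product: it takes the values from the two setup lists above, reports any difference between the Astaro and m0n0wall sides, and flags the legacy algorithm choices; the dictionary keys are my own naming.

```python
# Added example, not from either post: check that the phase 1 / phase 2 values on
# the Astaro side and the m0n0wall side match, since a mismatch is the usual
# reason an IKEv1 tunnel never establishes, and flag legacy algorithms.
from typing import Dict, List

# Choices a defender should flag even when both ends agree on them: 3DES and MD5
# are deprecated, and MODP groups 1, 2 and 5 are below the 2048-bit minimum
# that is recommended today.
LEGACY = {"des", "3des", "md5", "dh1", "dh2", "dh5"}

def compare_proposals(local: Dict[str, str], remote: Dict[str, str]) -> List[str]:
    """Return findings: mismatches between the two ends, then legacy-algorithm warnings.

    Whether lifetimes must match exactly depends on the implementation; keeping
    them identical, as the post does, avoids the question entirely.
    """
    findings = []
    for key in sorted(set(local) | set(remote)):
        a, b = local.get(key), remote.get(key)
        if a is None or b is None:
            findings.append(f"{key}: set on one side only ({a!r} vs {b!r})")
        elif a.lower() != b.lower():
            findings.append(f"{key}: mismatch ({a} vs {b})")
    for key, value in local.items():
        if value.lower() in LEGACY:
            findings.append(f"{key}: {value} is a legacy choice, prefer AES and SHA-2")
    return findings

def tunnel_will_negotiate(local: Dict[str, str], remote: Dict[str, str]) -> bool:
    """True when nothing differs between the ends (legacy warnings do not block it)."""
    return not any(("mismatch" in f) or ("one side only" in f)
                   for f in compare_proposals(local, remote))

# Constructed from the values listed in the two setup sections above.
ASTARO_3DES = {"p1_enc": "3DES", "p1_hash": "MD5", "p1_dh": "DH5",
               "p1_lifetime": "7800", "p1_auth": "PSK",
               "p2_enc": "3DES", "p2_hash": "MD5", "p2_lifetime": "3600"}
M0N0WALL = dict(ASTARO_3DES)                              # copied 1:1, as the post says
M0N0WALL_TYPO = dict(ASTARO_3DES, p2_lifetime="28800")    # constructed: one side edited

if __name__ == "__main__":
    for finding in compare_proposals(ASTARO_3DES, M0N0WALL_TYPO):
        print(finding)
```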

All safe, all encrypted, all IPv6.


Voilà: Enjoy your Site-to-Site IPv6 tunnel.