Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
Sophos XG Firewall is a comprehensive network security solution that protects your network from threats, including malware, viruses, and intrusions. It is designed to be easy to use and manage, and offers a wide range of features to help you secure your network.
| Configure | 331
WAN Link Manager
A gateway routes traffic between the networks, and if the gateway fails, communication with an external network is not possible.
By default, the device supports only one gateway. However, to cope with gateway failure problems, the device provides an option to configure multiple gateways. But simply adding one more gateway is not an end to the problem.
Optimal utilization of all the gateways is also necessary. The device's WAN Link Manager provides link failure protection by detecting the dead gateway and switching over to an active link. It also offers a mechanism to balance traffic between various links.
At the time of deployment, you have configured the IP address for a default gateway through the Network Configuration Wizard. You can change this configuration any time and configure additional gateways. You can use the WAN Link Manager to configure multiple gateways for load balancing and failover.
By default, all the gateways defined through the Network Configuration Wizard will be defined as “Active” gateway.
The device provides a powerful solution for routing and managing traffic across multiple Internet connections.
Designed to provide business continuity for an organization of any size, the WAN Link Manager optimizes the use of multiple Internet links, such as T1s, T3s, DSL and cable connections from one or multiple Internet service providers.
Capable of automatic failover in the event of link failure, it helps to assure that your network is always connected to the Internet.
It also gives you an option to configure multiple WAN interfaces to allow connecting your device to more than one Internet service provider (ISP).
When you configure multiple external interfaces, you even have an option to control which interface an outgoing packet uses.
Load Balancing
Load balancing is a mechanism that balances traffic between various links. It distributes traffic among various links, optimizing utilization of all the links to accelerate performance and cut operating costs. The device employs a weighted round robin algorithm for load balancing to reach maximum utilization of the capacities across the various links.
Using link load balancing gives organizations the possibility to achieve:
• Traffic distribution that does not overburden any link
• Automatic ISP failover
• Improved user performance because of no downtime
• Increased bandwidth scalability
To achieve outbound traffic load balancing between multiple links:
• Configure links in active-active setup, defining gateways as Active
• Assign an appropriate weight to each gateway. Traffic is distributed across the links in proportion to the ratio of weights assigned to individual links.
How it works
Load balancing is determined by the load metric. The load metric is weight. Each link is assigned a relative weight and the device distributes traffic across links in proportion to the ratio of weights assigned to individual links. This weight determines how much traffic will pass through a particular link in relation to the other link(s).
The administrator can set the weight and define how the traffic will be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:
• Link capacity (for links with different bandwidths)
• Link/Bandwidth cost (for links with varying costs)
A weighted load balancing feature enables network managers to optimize network traffic and balance the load between multiple links/interfaces.
Gateway failover
Gateway failover provides link failure protection so that when one link goes down, the traffic is switched over to the active link. This safeguard helps to provide uninterrupted, continuous Internet connectivity to users. The transition is seamless and transparent to the end user with no disruption in service and without downtime.
To achieve WAN failover between multiple links:
• Configure links in active-backup setup
• Define Active gateway/interface
• Define backup gateway/interface – Traffic through this link is routed only when the active interface is down
• Define failover rule
In the event of Internet link failure, the WAN Link Manager automatically sends traffic to available Internet connections without administrator intervention. If more than one link is configured as backup link, traffic is distributed among the links in the ratio of the weights assigned to them. On failover, the backup gateway can inherit the parent gateway’s (active gateway) weight or use a configured weight.
The transition from the dead link to the active link is based on the failover rule defined for the link. The failover rule specifies:
• how to check whether the link is active or dead
• what action to take when a link is not active
The failover rule has the form:
IF Condition 1 AND/OR Condition 2 then Action
Depending on the outcome of the condition, traffic is shifted to any other available gateway.
A ping rule is automatically created for every gateway. The device periodically sends a ping request to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. The selection of the gateway and how much traffic is to be routed through each gateway depends on the number of configured active and backup gateways.
Gateway Failback
During a link failure, the device regularly checks the health of a given connection, assuring a fast reconnection as soon as the Internet service is restored. When the connection is restored and the gateway is up again, without the administrator’s intervention, traffic is again routed through the active gateway. In other words, the backup gateway fails back on the active gateway.
WAN Link Manager
The WAN Link Manager page displays a list of configured IPv4 and IPv6 gateways. The page also displays the status Active or Deactive for each gateway and failover rule in case multiple gateways are configured. You can change the gateway parameters, change the gateway status, add or remove the failover rule, and view the data transfer passed through the gateway.
For the backup gateway, the weight is NA while for the active gateway, the configured weight is displayed.
Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.
Gateway Failover Timeout Configuration
Gateway Failover Timeout
Configure the gateway failover timeout in seconds.
This is the time period the device waits before the gateway failover occurs.
Default: 60 seconds
Acceptable Range: 1 to 65535
Figure 329: Gateway Failover Timeout Configuration
Update Gateway Configuration
You can update the gateway configuration from this page.
1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column to edit its settings.
2. Enter the gateway details.
Name
Enter the name of the gateway.
IP Address
Enter the IP address assigned to the gateway.
Interface
Specify the IP address of the interface.
Type
Specify the type of the gateway.
Available Options:
• Active – Traffic will route through the active gateway(s). If more than one active gateway is configured, the traffic will be load balanced between these gateways depending on the weight assigned to each gateway.
• Backup – A gateway used in an active/passive setup, where traffic is routed through the backup gateway only when the active gateway is down.
Weight
Depending on the weight, the gateway is selected for load balancing. The device distributes traffic across links in proportion to the ratio of weights assigned to individual links.
This weight determines how much traffic will pass through a particular link relative to the other link(s).
Gateways can be assigned a weight from 1 to 100.
Note: When multiple gateways are configured and one gateway goes down, the traffic is switched over to the available gateways according to the ratio of the weights assigned to the available gateways.
Default NAT Policy
Select the NAT policy to be used as default for a particular gateway.
By default, the MASQ NAT policy is configured.
Select None, if NAT should not be applied on that particular gateway.
Figure 330: Update Active Gateway Configuration
3. Enter the backup gateway details (Only available, if the type is Backup)
Activate This Gateway
Select gateway activation condition: automatically or manually.
Automatic failover
For automatic failover, activate the option If ... Active gateway fails.
From the dropdown list, specify when the backup gateway should take over from the active gateway. This takeover process will not require the administrator’s intervention.
Available Options:
• Specific Gateway - The dropdown list displays all configured gateways. The backup gateway will take over and traffic will be routed through the backup gateway only when the selected gateway fails.
• ANY – The backup gateway will take over and traffic will be routed through the backup gateway when any of the active gateway fails.
• ALL – The backup gateway will take over and traffic will be routed through the backup gateway when all the configured active gateways fail.
Manual failover
If you select Manually, the administrator will have to change the gateway manually when the active gateway fails.
Action on Activation
Configure the weight for the backup gateway. The device distributes traffic across links in proportion to the ratio of weights assigned to individual links. This weight determines how much traffic will pass through a particular link relative to the other link(s).
Inherit weight of the failed active gateway
If this option is selected, the backup gateway will inherit the parent gateway’s (active gateway) weight.
Use configured weight
If this option is selected, the weight specified in the Weight field will be used for the backup gateway.
Figure 331: Backup Gateway Details
4. Click Save.
The gateway details have been updated.
5. Configure the Failover Rules.
IF Then Condition
From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.
Port: For TCP communication, specify the port number for communication.
on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.
Condition
• AND - All the conditions must be satisfied before the specified action is taken
• OR - At least one condition must be satisfied before the specified action is taken.
A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.
Figure 332: Configure Failover Rules
6. Click Save.
The failover rule has been updated.
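The failover rule, backup activation and weight settings configured above can be modelled offline to see how traffic shifts when probes stop answering; this is an added example, not Sophos code and not part of the original guide. It assumes a rule condition holds when its probe gets no response, models weight inheritance only for a backup tied to a specific gateway, ignores the failover timeout, and uses constructed gateway names and documentation-range addresses.

```python
from dataclasses import dataclass, replace
from fractions import Fraction
from typing import Optional


@dataclass(frozen=True)
class Probe:
    """One failover-rule condition: a PING or TCP probe against a host."""
    protocol: str               # "PING" or "TCP"
    host: str
    port: Optional[int] = None  # only meaningful for TCP


@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                     # "active" or "backup"
    weight: Optional[int] = None  # 1..100; None on a backup means "inherit"
    probes: tuple = ()
    operator: str = "AND"         # how the rule joins its conditions
    takes_over_on: str = "ANY"    # backup only: a gateway name, "ANY" or "ALL"


def is_dead(gw, unreachable):
    """Evaluate the failover rule for one gateway.

    Assumption of this model: a condition holds when its probe got no
    response. AND needs every condition to hold, OR needs at least one.
    """
    held = [p in unreachable for p in gw.probes]
    if not held:
        return False
    return all(held) if gw.operator == "AND" else any(held)


def traffic_shares(gateways, unreachable):
    """Return {gateway name: share of outbound traffic} as exact fractions."""
    for g in gateways:
        if g.kind == "active" and g.weight is None:
            raise ValueError(f"{g.name}: an active gateway needs a weight")
        if g.weight is not None and not 1 <= g.weight <= 100:
            raise ValueError(f"{g.name}: weight must be 1 to 100")

    dead = {g.name for g in gateways if is_dead(g, unreachable)}
    actives = [g for g in gateways if g.kind == "active"]
    failed = [g for g in actives if g.name in dead]
    weights = {g.name: g.weight for g in actives if g.name not in dead}

    for b in gateways:
        if b.kind != "backup" or b.name in dead:
            continue
        if b.takes_over_on == "ANY":
            triggered = bool(failed)
        elif b.takes_over_on == "ALL":
            triggered = bool(actives) and len(failed) == len(actives)
        else:  # a specific gateway was selected
            triggered = any(g.name == b.takes_over_on for g in failed)
        if not triggered:
            continue
        if b.weight is not None:  # "Use configured weight"
            weights[b.name] = b.weight
        elif b.takes_over_on in ("ANY", "ALL"):
            raise ValueError(f"{b.name}: inherit is modelled only for a specific gateway")
        else:                     # "Inherit weight of the failed active gateway"
            weights[b.name] = next(g.weight for g in failed
                                   if g.name == b.takes_over_on)

    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}


# Constructed sample configuration (names and addresses are placeholders).
A1 = Probe("PING", "198.51.100.1")
A2 = Probe("TCP", "203.0.113.10", 443)
B1 = Probe("PING", "198.51.100.2")
L1 = Probe("PING", "192.0.2.1")
SAMPLE = (
    Gateway("ISP-A", "active", 3, (A1, A2), "AND"),
    Gateway("ISP-B", "active", 1, (B1,), "OR"),
    Gateway("LTE", "backup", None, (L1,), "OR", takes_over_on="ISP-A"),
)

if __name__ == "__main__":
    scenarios = [("all probes answered", set()),
                 ("one ISP-A probe lost", {A1}),
                 ("both ISP-A probes lost", {A1, A2})]
    for label, down in scenarios:
        shares = traffic_shares(SAMPLE, down)
        print(label, {n: str(s) for n, s in shares.items()})
```

With AND, losing a single probe target does not move traffic off ISP-A; switching the same rule to OR makes that one lost probe enough to activate the backup, which is the trade-off to weigh when choosing probe hosts.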
Add Failover Rule
You can add failover rule from this page.
1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column and click Add under the Failover Rules section.
2. Configure the failover rules.
IF Then Condition
From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.
Port: For TCP communication, specify the port number for communication.
on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.
Condition
• AND - All the conditions must be satisfied before the specified action is taken
• OR - At least one condition must be satisfied before the specified action is taken.
A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.
Figure 333: Configure Failover Rules
3. Click Save.
The failover rule has been added.
Network Traffic Report for Default Gateway
Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.
Network Traffic Report for Default Gateway
Period
From the available options, select the period for the report of the network traffic that passed through the gateway.
Available Options:
• Weekly
• Monthly
• Custom
The graph displays the upload, download and total data transfer through the gateway.
• X-axis: Date (depending on the period selected)
• Y-axis: KB/MB/GB used
Legend
• Orange Color – Upload Network Traffic (MB)
• Purple Color – Download Network Traffic (MB)
• Green Color – Total Network Traffic (MB)
Note: When the selected period is Custom, then the user can select to view data of not more than the last six (06) months. At one time, only thirty (30) days data will be displayed.
Figure 334: Network Transfer Report
DNS
Use this page to configure the DNS settings of the device.
The DNS server is configured at the time of installation. You can add additional DNS servers to which the device can connect for name resolution. If multiple DNS servers are defined, they are queried in the order in which they are entered.
Note: You can also view and manage the DNS server status on the Monitor & Analyze > Diagnostics > Services page.
Sophos XG Firewall supports static DNS host entry where the device acts as a DNS Name Server that provides the requesting client with 'A' records to resolve their requested URL.
You can manually add static DNS host entries for a particular domain name. Sophos XG Firewall checks DNS host entries for the requested domain name. If the domain name requested by the user matches the DNS host entry then the device performs DNS resolution and replies to the client with the IP address found in the static DNS host entry. DNS requests do not need to be redirected to the Local/Authoritative DNS server any longer. This facilitates faster data transfer and avoids multiple DNS resolution cycles for every client request. You can also add multiple IP addresses for a single website hosted behind Sophos XG Firewall.
When you want external domain names to be resolved through internal DNS servers in your network, you can add DNS request routes to such servers. This will decrease the Internet traffic over the network and speed up DNS client requests as queries will not be forwarded outside the network. Also, DNS information would be less exposed on the Internet, thus enhancing security.
IPv4
Obtain DNS from DHCP
Click to override the device DNS with the DNS address received from the DHCP server.
The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.
Obtain DNS from PPPoE
Click to override the device DNS with the DNS address received from the PPPoE server.
The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.
Static DNS
Select to provide a static IPv4 DNS server address.
A maximum of three static DNS IPv4 addresses can be provided.
Figure 335: IPv4 DNS Settings
IPv6
Obtain DNS from DHCP
Click to override the device DNS with the DNS address received from the DHCP server.
The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.
Static DNS
Select to provide a static IPv6 DNS server address.
A maximum of three static DNS IPv6 addresses can be provided.
Figure 336: IPv6 DNS Settings
DNS Query Configuration
Choose server based on incoming requests record type
Select to choose the DNS server to be used for resolving the domain name on the basis of the incoming request's record type. An incoming request can be of A or AAAA type.
Choose IPv6 DNS server over IPv4
Select to first choose the IPv6 DNS server for resolving the DNS and then the IPv4 DNS server.
If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv6 DNS server for all requests followed by the IPv4 DNS server.
Choose IPv4 DNS server over IPv6
Select to first choose the IPv4 DNS server for resolving the DNS and then the IPv6 DNS server.
If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv4 DNS server for all requests followed by the IPv6 DNS server.
Choose IPv6 if request originator address is IPv6, else IPv4
Select to choose the IPv6 DNS server if a request is received from an IPv6 source or choose the IPv4 DNS server if a request is received from an IPv4 source.
Apply
Click to save the configuration.
Test Name Lookup
Click and provide an IP address or host name for testing the connectivity with the DNS server.
Figure 337: DNS Query Configuration
DNS Host Entry
The DNS Host Entry section displays the list of all the configured host entries. You can filter the list based on the host/domain name. This section provides the option to add, update, or delete entries.
DNS Request Route
This section displays a list of all the configured DNS request routes. You can filter the list based on the name or the target. Additionally, you can add, update and delete routes.
Add DNS Host Entry
The Add DNS Host Entry page allows you to create and manage DNS host entries.
1. Go to Configure > Network > DNS and click Add under DNS Host Entry section.
2. Enter the host entry details.
Host/Domain Name
Provide a fully qualified domain name (FQDN) for the host/domain.
Address
Enter the address details for the host entry.
Entry Type
Select the DNS host entry type.
Available Options:
• Manual – Enter the IP address for the host manually
• Interface IP – Configure an interface as host
IP Address
Specify the IP address of the host/domain or select an interface IP depending on the option selected for the entry type.
Maximum entries per host: 8
Time to Live (seconds)
Specify the TTL in seconds.
Default: 60 seconds
Weight
Specify the weight for load balancing the traffic. The device distributes traffic across the links in proportion to the ratio of weights assigned to individual links.
This weight determines how much traffic will pass through a particular link relative to the other link(s).
Default: 1
Publish on WAN
Enable to publish the DNS host entry on WAN.
Default: Disabled
Reverse DNS Lookup
Reverse DNS lookup is the resolution of an IP address to its designated domain name. Enable to allow reverse DNS lookup.
Note: If there are multiple hosts resolving to the same IP address then Reverse DNS Lookup can only be configured for one of the IP addresses.
• Only A, AAAA, and PTR type of DNS records are supported.
• Address (A) record points a hostname to an IP address and returns a 32-bit IPv4 address.
• AAAA record points a hostname to an IP address and returns a 128-bit IPv6 address.
• Pointer records (PTR) are just the reverse of A records and are used for reverse lookups. They map the IP address to a hostname.
• Maximum DNS entries supported: 1024
• If the device interface is used as a DNS in the client system then a query is sent to the configured DNS servers prior to querying the ROOT servers.
Figure 338: DNS Host Entry
3. Click Save.
The DNS host entry has been created and appears on the DNS page.
Add DNS Request Route
This page allows you to configure DNS Request routes to internal DNS servers.
1. Go to Configure > Network > DNS and click Add under DNS Request Route section.
2. Enter DNS request route details.
Host/Domain Name
Specify the domain for which you want to use the internal DNS server.
Target Servers
Select a DNS server(s) to resolve the domain specified above.
You can also add an IP address to the DNS from this page by entering it in the entry field. Up to eight IP addresses can be added.
Figure 339: Add DNS Request Route
3. Click Save.
The DNS request route has been created and appears on the DNS page.
DHCP
The DHCP section allows you to configure DHCP for your network.
On a network, the dynamic host configuration protocol (DHCP) automatically assigns IP addresses to the hosts on a network, thus reducing the administrator’s configuration task. Instead of requiring administrators to assign, track and change (when necessary) IP addresses for every host on a network, DHCP settles it automatically. Furthermore, DHCP ensures that duplicate addresses are not used.
The DHCP section covers the following topics:
Server
The device acts as a DHCP server: it assigns a unique IP address to a host and releases the address when the host leaves and re-joins the network. Each time, when the host connects to the network, it can have another IP address. In other words, the device provides a mechanism for allocating the IP address dynamically so that addresses can be reused.
An interface having static IP assignment can also act as a DHCP server. You can disable or change this DHCP server configuration. You can configure IPv4 and IPv6 DHCP servers.
Using the Server section, you can configure and manage DHCP servers on the device. It displays a list of all configured DHCP servers, and you can filter the list based on the IP family.
Note:
• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.
• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.
Relay
Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and therefore all the computers on the segment can listen and respond to these broadcasts. But things get complicated when there is more than one subnet on the network. The reason is that the DHCP broadcast messages do not cross the router interfaces by default. The DHCP relay agent makes it possible to place DHCP clients and DHCP servers on different networks. The relay agent allows DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or from a server which is not located on the local subnet. If the DHCP relay agent is not configured, clients would only be able to obtain IP addresses from the DHCP server which is on the same subnet.
Using the Relay section, you can configure and manage DHCP relay agents on the device. It displays a list of all interfaces configured as a relay agent, and you can filter the list based on the relay agent name and the IP family.
Lease
The device acting as a DHCP server assigns or leases an IP address from an address pool to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. The IPv4/IPv6 Lease section displays a list of all IPv4 and IPv6 addresses leased dynamically, and you can filter the lists based on the leased IP, or the client's physical address.
IPv4 Lease
For each IPv4 address, the list displays the following:
• Leased IP address
• Leased start and end time
• Client physical address
• Client host name
• Lease type
IPv6 Lease
For each leased IPv6 address the list displays the following:
• Leased IP address
• Leased start and end time
• Client physical address
• DUID
Related information
Configure DHCP Options
Configure Interface as DHCPv4 Server
This page describes how to configure an interface as DHCP server for IPv4.
1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv4 using the default filter.
2. Specify the General Settings details.
Name
Enter a name to identify the DHCPv4 server uniquely.
Interface
Select an interface to set it as DHCPv4 server. DHCP service can be configured on a virtual interface but not on an interface alias.
Note: DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.
Dynamic IP Lease
Specify the range of IP addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask for the IP address range. You can configure multiple IP ranges for the same interface. Furthermore, you can provide multiple IP ranges for the DHCP server.
Click and to add or delete a range.
Static IP MAC Mapping
If you want to assign specific IP addresses to some or all clients permanently, you can define static MAC address-to-IP address mappings. To define a MAC-IP mapping, you should know the MAC address of the client’s network card. The MAC address is usually specified in hexadecimal digits separated by colons (for example, 00:08:76:16:BC:21). Specify the host name, the MAC address and the IP address. You can provide multiple MAC-IP mappings for the DHCP server.
Use and to add or delete a MAC-IP mapping.
Subnet Mask
Select a subnet mask for the server.
Domain Name
Specify the domain name that the DHCP server will assign to the DHCP clients.
Gateway
Use this option to apply an interface IP as gateway.
Specify the IP address to be used as default gateway or select Use Interface IP as Gateway to use the IP address entered for Interface.
Default Lease Time
Specify the default lease time.
Acceptable range: 1 to 43200 minutes (30 days)
Default: 1440 minutes
Max Lease Time
Specify the maximum lease time. The DHCP client must ask the DHCP server for new settings after the specified maximum lease time has expired.
Acceptable range: 1 to 43200 minutes (30 days)
Default: 2880 minutes
Conflict Detection
Enable IP conflict detection to check the IP address before leasing. If enabled, the already leased IP address will not be leased again.
Figure 340: General Settings
3. Specify the DNS Server details.
Use Device’s DNS Settings
Click to use the device's DNS server. In this case, the first two configured DNS will be used.
If not enabled, provide a primary and secondary DNS to be used.
Primary DNS (available only if Use Device’s DNS Settings is disabled)
Specify the IP address of the primary DNS server.
Secondary DNS (available only if Use Device’s DNS Settings is disabled)
Specify the IP address of the secondary DNS server.
Figure 341: DNS Server details
4. Specify WINS Server details.
Primary WINS Server
Specify the IP address of the primary WINS server.
Secondary WINS Server
Specify the IP address of the secondary WINS server.
Figure 342: WINS Server details
5. Click Save.
Related information
Configure DHCP Options
Configure Interface as DHCPv6 Server
This page describes how to configure an interface as DHCP server for IPv6.
1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv6 using the default filter.
2. Specify the General Settings details.
Name
Enter a name to identify the DHCPv6 server uniquely.
Interface
Select an interface to set it as DHCPv6 server. DHCP service can be configured on a virtual interface but not on an interface alias.
Dynamic IP Lease
Specify the range of IPv6 addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask for the IPv6 address range. You can configure multiple IPv6 ranges for the same interface.
Furthermore, you can provide multiple IP ranges for the DHCP server.
Click and to add and delete a range.
Static IP DUID Mapping
If you want to assign specific IP addresses to some or all clients permanently, you can define static DUID address-to-IP address mappings. To define DUID-IP mapping, you should know the DHCP Unique Identifier (DUID) of the client. The DUID address is usually specified in groups of two hexadecimal digits separated by colons.
*Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified.
Specify the host name, DUID and the IP address. You can provide multiple DUID-IP mappings for the DHCP server.
Click and to add or delete a DUID-IP mapping.
Preferred Time
Specify the preferred time.
Acceptable range: 1 to 43200 minutes (30 days)
Default: 540 minutes
Note: Preferred time should be less than valid time.
Valid Time
Specify the valid time.
Acceptable range: 1 to 43200 minutes (30 days)
Default: 720 minutes
Figure 343: General Settings
3. Specify the DNS Server details.
Use Device’s DNS Settings
Click to use the device's DNS server. In this case, the first two configured DNS will be used.
If not enabled, provide a primary and secondary DNS to be used.
Primary DNS (available only if Use Device’s DNS Settings is disabled)
Specify the IPv6 address of the primary DNS server.
Secondary DNS (available only if Use Device’s DNS Settings is disabled)
Specify the IPv6 address of the secondary DNS server.
Figure 344: DNS Server details
4. Click Save.
Related information
Configure DHCP Options
* RFC 3315 (Dynamic Host Configuration Protocol for IPv6 (DHCPv6))
Add DHCP Relay Configuration
This page describes how to configure an interface as DHCP relay agent.
1. Go to Configure > Network > DHCP and click Add in the Relay section.
2. Enter the DHCP relay configuration details.
Name
Provide a name to identify the DHCP relay agent.
IP Family
Select the IP family for the DHCP relay agent.
Available Options:
• IPv4
• IPv6
Interface
Select an interface on which your client network is configured. The device listens for DHCP queries on this interface and uses it to forward packets between client and server.
Interfaces having a static IP assignment can act as a DHCP relay agent.
The DHCP relay agent can be configured on a virtual interface but not on an interface alias.
Note:
• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.
• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.
DHCP Server IP
Specify the DHCP server IP address. You can also configure multiple DHCP servers. This facilitates deploying DHCP servers in high availability environment. The DHCP relay will forward packets to all configured DHCP servers, and the active server will serve the request. In case the active server goes down, the backup server serves the request. The DHCP server takes care of leasing the IP address to a client.
Maximum DHCP servers configurable per DHCP relay: 8
Relay through IPSec (Only available if IP family is IPv4)
Select to relay DHCP messages through an IPSec VPN tunnel.
Figure 345: Add DHCP Relay Configuration
3. Click Save.
The DHCP relay agent has been created and appears on the DHCP page.
- 453 Traffic Shaping Settings
- 456 Log Settings
- 462 Data Anonymization
- 465 Traffic Shaping
- 469 Services
- 470 System
- 470 Profiles
- 471 Schedule
- 473 Access Time
- 475 Surfing Quotas
- 478 Network Traffic Quota
- 482 Network Address Translation
- 482 Device Access
- 484 Hosts and Services
- 485 IP Host
- 486 IP Host Group
- 487 MAC Host
- 488 FQDN Host
- 489 FQDN Host Group
- 489 Country Group
- 490 Services
- 491 Service Group
- 492 Administration
- 493 Licensing
- 494 Device Access
- 497 Admin Settings
- 500 Central Management
- 501 Notification Settings
- 503 Netflow
- 503 Messages
- 506 Backup & Firmware
- 509 Import Export
- 510 Firmware
- 512 Pattern Updates
- 514 Certificates
- 516 Certificate Authorities
- 517 Certificate Revocation Lists
- 518 Appendix A - Logs
- 518 Log Viewer
- 519 View List of System Events
- 520 View List of Web Filter Events
- 521 View List of Application Filter Events
- 522 View List of Malware Events
- 523 View List of Email Events
- 524 View List of Firewall Events
- 525 View List of IPS Events
- 526 View List of Authentication Events
- 527 View List of Admin Events
- 527 View List of Web Server Protection (WAF) Events
- 528 View List of Advanced Threat Protection Events
- 529 View List of Security Heartbeat Events
- 530 Log ID Structure
- 530 Log Type
- 531 Log Component
- 533 Log Subtype
- 534 Priority
- 534 Common Fields for all Logs
- 535 System Logs
- 544 Web Filter Logs
- 545 Module-specific Fields
- 545 Application Filter Logs
- 546 Module-specific Fields
- 547 Malware Logs
- 547 Module-specific Fields
- 549 Email Logs
- 550 Module-specific Fields
- 551 Firewall Rule Logs
- 552 Module-specific Fields
- 554 IPS Logs
- 555 Module-specific Fields
- 557 Authentication Logs
- 558 Module-specific Fields
- 558 Admin Logs
- 559 Module-specific Fields
- 559 Sandbox Report Logs
- 560 Web Application Firewall (WAF) Logs
- 561 Advanced Threat Protection (ATP) Logs
- 561 Heartbeat Logs
- 562 System Health Logs
- 562 Appendix B - IPS - Custom Pattern Syntax
- 569 Appendix C - Default File Type Categories
- 573 Appendix D - Supported Micro-Apps
- 576 Appendix E - USB Compatibility List
- 626 Appendix F - Compatibility with SFMOS
- 627 Appendix G - Additional Documents
- 627 Copyright Notice