Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
| Configure | 348
IPv6 Router Advertisement
Address Assignment for IPv6 Devices
IPv6 clients are assigned an IP address through:
• DHCP for IPv6
• Stateless address auto configuration (SLAAC)
DHCP for IPv6
Similar to IPv4, IPv6 can use DHCP to assign IP addresses to clients. The device can be configured as a stateful DHCP server. The DHCP server assigns an IPv6 address to each client and keeps a record of all clients and the IPv6 addresses assigned to them.
Stateless Address Auto Configuration
The IPv6 protocol supports stateless address auto configuration. IPv6 devices automatically create unique link-local addresses for their IPv6-enabled interfaces, and clients use router advertisement messages to configure their own IPv6 addresses automatically.
Router Advertisement
The device, acting as a router, can participate in stateless address auto configuration (SLAAC) and by default provides an IPv6 address and a default gateway to the client.
When the device interface is connected to a network and enabled, a host may send an ICMPv6 (type 135) Router Solicitation (RS) message requesting the device to generate a Router Advertisement (RA) immediately instead of waiting for its next scheduled time. On receiving the RS message, the device immediately sends an ICMPv6 (type 134) Router Advertisement (RA) message announcing its availability. Router advertisements include information about the method to be used for address assignment, the prefixes used for on-link determination and/or address configuration, the hop limit value, the status of several flags, and so on. These parameters can be administered centrally on the device and, where necessary, propagated automatically to all hosts on the network. The device advertises information about its interfaces and Internet parameters either periodically or in response to an RS message, informing all nodes on the network of any change to addressing information. Router advertisements (together with the prefix flags) thus permit simple stateless auto configuration and guide a host in generating its own address.
Note: You can also view and manage the router advertisement service status on the Monitor & Analyze > Diagnostics > Services page.
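To make the RA fields named above concrete, here is an added example (not from the Sophos guide) that decodes a Router Advertisement payload and compares it with the settings an administrator has configured for the segment: the Managed and Other flags, the router lifetime, and the advertised prefixes with their lifetimes. This is the check a monitoring tool would apply to notice an RA on the link that does not come from the configured router or does not carry the configured settings. The ICMPv6 and option layouts follow RFC 4861 (RA is ICMPv6 type 134, Prefix Information is option type 3); the expected-settings dictionary, the `build_ra` helper and both sample messages are constructed here using the 2001:db8::/32 documentation prefix.

```python
"""Decode an ICMPv6 Router Advertisement and compare it with the settings
configured for the segment. Added example, not Sophos code. Layouts follow
RFC 4861 (RA = ICMPv6 type 134, Prefix Information = option type 3); the
expected-settings dict, build_ra() and the sample messages are constructed."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR = 1            # source link-layer address option
OPT_PREFIX_INFO = 3           # prefix information option
FLAG_M, FLAG_O = 0x80, 0x40   # Managed / Other flags in the RA header
PFX_L, PFX_A = 0x80, 0x40     # On-link / Autonomous flags in the prefix option


def parse_ra(payload):
    """Parse the ICMPv6 payload of a Router Advertisement into a dict."""
    if len(payload) < 16:
        raise ValueError("RA header is 16 bytes")
    icmp_type, code, _csum, hop_limit, flags, router_lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if icmp_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "managed": bool(flags & FLAG_M),
          "other": bool(flags & FLAG_O),
          "router_lifetime": router_lifetime,   # seconds; 0 = not a default gateway
          "source_mac": None, "prefixes": []}
    off = 16
    while off < len(payload):
        if len(payload) - off < 2 or payload[off + 1] == 0:
            raise ValueError("malformed option (RFC 4861: discard the packet)")
        opt_type, size = payload[off], payload[off + 1] * 8
        opt = payload[off:off + size]
        if len(opt) < size:
            raise ValueError("truncated option")
        if opt_type == OPT_PREFIX_INFO and size == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((opt[16:32], plen), strict=False)),
                "on_link": bool(pflags & PFX_L), "autonomous": bool(pflags & PFX_A),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == OPT_SRC_LLADDR and size == 8:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        off += size            # unknown options are skipped, as RFC 4861 requires
    return ra


def check_ra(ra, expected):
    """Return findings where the RA deviates from the configured settings
    (keys mirror the admin console fields); [] means it matches."""
    findings = []
    if ra["source_mac"] and ra["source_mac"] != expected["router_mac"]:
        findings.append(f"RA from unexpected router {ra['source_mac']}")
    if ra["managed"] != expected["managed_flag"]:
        findings.append(f"Managed flag is {ra['managed']}, expected {expected['managed_flag']}")
    if ra["other"] != expected["other_flag"]:
        findings.append(f"Other flag is {ra['other']}, expected {expected['other_flag']}")
    if ra["router_lifetime"] > 9000:
        findings.append("router lifetime exceeds the 9000 s maximum")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected["prefixes"]:
            findings.append(f"unexpected prefix {p['prefix']}")
        if p["preferred_lifetime"] > p["valid_lifetime"]:
            findings.append(f"{p['prefix']}: preferred lifetime exceeds valid lifetime")
    for pfx in expected["prefixes"] - {p["prefix"] for p in ra["prefixes"]}:
        findings.append(f"configured prefix {pfx} not advertised")
    return findings


def build_ra(managed, other, router_lifetime, prefixes, source_mac):
    """Constructed test data: assemble an RA payload (checksum left zero)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    payload = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags, router_lifetime, 0, 0)
    payload += bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex(source_mac.replace(":", ""))
    for prefix, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        payload += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                               PFX_L | PFX_A, valid, preferred, 0)
        payload += net.network_address.packed
    return payload


# Constructed: this page's defaults (M/O off, Life Time 1800 s, Preferred 240 min,
# Valid 1440 min) advertised on the documentation prefix 2001:db8:1::/64.
EXPECTED = {"router_mac": "02:00:00:00:00:01", "managed_flag": False,
            "other_flag": False, "prefixes": {"2001:db8:1::/64"}}
GOOD_RA = build_ra(False, False, 1800, [("2001:db8:1::/64", 1440 * 60, 240 * 60)],
                   "02:00:00:00:00:01")
# Constructed: an RA from a different MAC, with the M flag set and an extra prefix.
UNEXPECTED_RA = build_ra(True, False, 1800, [("2001:db8:1::/64", 86400, 14400),
                         ("2001:db8:ffff::/64", 86400, 14400)], "02:00:00:00:00:02")

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_RA), ("unexpected", UNEXPECTED_RA)):
        print(name, check_ra(parse_ra(pkt), EXPECTED) or "matches configured settings")
```

Note that the lifetimes on the wire are seconds, whereas the Preferred Life Time and Valid Life Time fields in the admin console are entered in minutes; the constructed sample multiplies by 60 for that reason. The parser rejects an option with length 0 and skips option types it does not know, which is the receiver behaviour RFC 4861 requires.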
Configure IPv6 Router Advertisement settings
You can configure the router advertisement settings for an interface from this page.
1. Go to Configure > Network > IPv6 Router Advertisement and click Add.
2. Enter details for the General Settings.
Interface
Select an interface for router advertisement.
All IPv6-enabled physical, LAG, VLAN and bridge interfaces can be selected.
Description
Enter a description for the interface selected for router advertisement.
Min Advertisement Interval
Specify the minimum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.
Acceptable range: 3 to 1350 seconds
Default: 198 seconds
If the Max Advertisement Interval is 9 seconds or more, the Min Advertisement Interval must be no more than 0.75 × the Max Advertisement Interval.
Max Advertisement Interval
Specify the maximum time interval in seconds between two consecutive unsolicited router advertisement messages sent to the clients.
Acceptable range: 4 to 1800 seconds
Default: 600 seconds
Managed Flag
Select to set the managed flag. When this flag is set, IPv6 addresses are obtained from the DHCPv6 server.
By default, this flag is not selected.
Note: Select this option only if a DHCPv6 server is available; otherwise IPv6 clients will not get IPv6 addresses.
Other Flag
Select to set the other flag. When this flag is set, the DHCPv6 client obtains other network parameters such as DNS server, domain name, NIS, NISP, SIP, SNTP, and BCMS servers from the DHCPv6 server.
Note: This option must be selected only if a DHCPv6 server is available.
Default Gateway
Select to advertise the device as the default gateway to clients.
Life Time
Specify the time in seconds for which clients treat the device as their default gateway (the router lifetime carried in the router advertisement).
The value must be between the Max Advertisement Interval and 9000 seconds.
Default: 1800 seconds
Prefix Advertisement Configuration
Prefix Advertisement includes zero or more prefix options containing information that the default gateway advertises. This information is used by stateless address auto configuration to auto-generate a global IPv6 address. Prefix advertisement has its own list of attributes:
Prefix / 64
Provide the first 64 bits of the IPv6 address.
A client combines this prefix from the router advertisement message with its own 64-bit interface identifier to form its 128-bit IPv6 address.
The first 64 bits (high-order bits) of the address specify the network, while the remaining bits identify a particular address within that network. IPv6 addresses in one network therefore share the same first 64 bits, which are called the "prefix".
On-link
Select to mark the prefix as "On-link". With On-link set, devices whose IPv6 addresses fall within this prefix are reachable on the subnet without going through a router.
By default, this flag is set.
Autonomous
Select to set the Autonomous attribute on the prefix. When set, the client generates its global IPv6 address automatically by appending its 64-bit interface identifier to the advertised prefix (prefix /64).
Only prefixes that have the Autonomous flag set are used for stateless address auto configuration (SLAAC) of an IPv6 address.
By default, the flag is set.
Preferred Life Time
Specify the time in minutes for a valid address to remain in the preferred state. Use of a preferred address is unrestricted.
On expiry of the preferred life time, the address becomes deprecated. Use of a deprecated address should be avoided, but it is not forbidden: it may continue to be used as the source address of an existing communication.
The IPv6 address remains in the preferred state as long as its lifetime is refreshed by prefixes in router advertisements, by any other means, or by renewal through DHCPv6.
Acceptable values: 0 to 71582789 minutes
Default: 240 minutes
Specify the attribute value as “-1” for an infinite preferred life time.
Valid Life Time
Specify the time in minutes for an address to remain in the valid state. Until this time expires, the prefix is considered to be on-link and addresses auto-configured from the prefix can be used.
On expiry of the valid life time, the IPv6 address becomes invalid and cannot be used to send or receive traffic.
Acceptable range: 0 to 71582789 minutes
Default: 1440 minutes
Specify the attribute value as “-1” for an infinite valid life time.
Use the add and remove icons to add or remove a prefix.
Note: The Valid Life Time must be greater than or equal to the Preferred Life Time.
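The constraints listed across the General Settings above (interval ranges and the 0.75 × rule, the Life Time bounds, the DHCPv6 notes on the Managed and Other flags, the /64 prefix, the lifetime range with -1 for infinite, and Valid ≥ Preferred) are easy to violate when settings arrive from a script or a bulk import rather than the console. Here is an added example (not Sophos code) that checks a settings dictionary against them before it is applied. The dictionary keys, the DEFAULTS sample and the `dhcpv6_server_available` key used to encode the two DHCPv6 notes are assumptions made here; `minutes_to_wire` bridges the console's minutes to the 32-bit seconds field the Prefix Information option carries.

```python
"""Validate IPv6 Router Advertisement settings against the constraints in this
section before applying them. Added example, not Sophos code; the dictionary
keys and the dhcpv6_server_available flag are assumptions made here."""
import ipaddress

INFINITE = -1                    # console value meaning an infinite lifetime
WIRE_INFINITE = 0xFFFFFFFF       # RFC 4861 all-ones lifetime, in seconds
MAX_LIFETIME_MINUTES = 71582789  # console upper bound for both lifetimes

# Constructed sample: the defaults from this section on a documentation prefix.
DEFAULTS = {
    "min_adv_interval": 198, "max_adv_interval": 600,
    "managed_flag": False, "other_flag": False,
    "dhcpv6_server_available": False,   # assumed key: is a DHCPv6 server deployed?
    "default_gateway": True, "router_lifetime": 1800,
    "prefixes": [{"prefix": "2001:db8:1::/64", "on_link": True, "autonomous": True,
                  "preferred_lifetime": 240, "valid_lifetime": 1440}],
}


def minutes_to_wire(minutes):
    """Console lifetime (minutes, -1 = infinite) to the 32-bit seconds field of
    the Prefix Information option; values beyond the field are clamped."""
    if minutes == INFINITE:
        return WIRE_INFINITE
    return min(minutes * 60, WIRE_INFINITE)


def _lifetime_in_range(minutes):
    return minutes == INFINITE or 0 <= minutes <= MAX_LIFETIME_MINUTES


def validate_ra_settings(cfg):
    """Return the list of documented constraints the settings violate; [] if valid."""
    errors = []
    mn, mx = cfg["min_adv_interval"], cfg["max_adv_interval"]
    if not 3 <= mn <= 1350:
        errors.append("Min Advertisement Interval must be 3..1350 s")
    if not 4 <= mx <= 1800:
        errors.append("Max Advertisement Interval must be 4..1800 s")
    if mx >= 9 and mn > 0.75 * mx:
        errors.append("Min Advertisement Interval must not exceed 0.75 x Max Advertisement Interval")
    if cfg.get("default_gateway") and not mx <= cfg["router_lifetime"] <= 9000:
        errors.append("Life Time must lie between Max Advertisement Interval and 9000 s")
    if cfg.get("managed_flag") and not cfg.get("dhcpv6_server_available"):
        errors.append("Managed flag set without a DHCPv6 server: clients would get no addresses")
    if cfg.get("other_flag") and not cfg.get("dhcpv6_server_available"):
        errors.append("Other flag set without a DHCPv6 server")
    for p in cfg.get("prefixes", []):
        name = p["prefix"]
        if ipaddress.IPv6Network(name, strict=False).prefixlen != 64:
            errors.append(f"{name}: prefix must be a /64")
        pref, valid = p["preferred_lifetime"], p["valid_lifetime"]
        if not (_lifetime_in_range(pref) and _lifetime_in_range(valid)):
            errors.append(f"{name}: lifetimes must be 0..{MAX_LIFETIME_MINUTES} minutes or -1")
        elif minutes_to_wire(valid) < minutes_to_wire(pref):
            errors.append(f"{name}: Valid Life Time must be >= Preferred Life Time")
    return errors


if __name__ == "__main__":
    print(validate_ra_settings(DEFAULTS) or "defaults are valid")
    # Constructed: three violations (0.75 x rule, Life Time below Max interval,
    # infinite Preferred with a finite Valid lifetime).
    bad = dict(DEFAULTS, min_adv_interval=500, router_lifetime=100,
               prefixes=[{"prefix": "2001:db8:1::/64", "preferred_lifetime": -1,
                          "valid_lifetime": 240}])
    for err in validate_ra_settings(bad):
        print("-", err)
```

Comparing lifetimes after conversion to the wire representation is what makes the -1 case come out right: an infinite Preferred Life Time paired with a finite Valid Life Time is rejected, while -1 for both, or -1 for Valid alone, passes.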
Figure 346: General Settings
3. Enter details for the Advanced Settings.
Using the Neighbor Discovery Protocol (NDP), devices on the same interface discover each other's presence and link-layer addresses, find gateway routers, and maintain reachability information about the active paths to their peers.