Set up a RED device automatically
You can create a tunnel between Sophos Firewall and a RED appliance automatically using the Sophos provisioning server.
How automatic provisioning works
Here's how the provisioning server sets up a RED tunnel with the firewall:
- You turn on the RED provisioning service in the firewall.
- You add the RED to the firewall by adding a RED interface.
- The firewall uploads the RED configuration to the Sophos provisioning server.
- The RED downloads the configuration from the provisioning server.
- The RED creates a tunnel with the firewall.
In this setup, the RED and firewall must have internet access.
To set up a RED device automatically, do as follows:
- Add a custom zone for RED devices.
- Add a RED interface.
- Create a firewall rule for tunnel traffic.
Add a custom zone for RED devices
If you place the RED interface in the LAN zone, the firewall applies the same firewall rules to RED traffic as to the rest of the LAN network. To keep the RED and LAN networks logically separate, add a custom zone for RED devices or use an existing zone, such as VPN or WiFi.
To add a custom zone for RED devices, do as follows:
- Go to Network > Zones and click Add.
- Enter a name for the zone. For example, RED.
- For Type, select LAN or DMZ. See Add a zone.
- For Device access, select the service you want for this zone.
- Click Save.
Add a RED interface
To create an interface for the RED, do as follows:
- Go to System services > RED and turn on the RED provisioning service.
- Go to Network > Interfaces, click Add interface, and select Add.
- Enter a branch name and select your RED device type.
- For Device deployment, select Automatically via provisioning service.
- Specify the other RED model settings as required.
- Under RED network settings, select the zone you created for RED devices.
- Click Save.
Create a firewall rule for tunnel traffic
You can configure firewall rules for RED devices based on their zones.
If you use an existing zone, the firewall rules already created for that zone determine how RED traffic is routed. Make sure the rules that apply to the selected zone don't weaken security for your internal networks. For example, the VPN zone prevents the firewall from resolving DNS requests; it instead uses DHCP to distribute a different DNS server.
To create a firewall rule for tunnel traffic, do as follows:
- Go to Rules and policies > Firewall rules.
- Select IPv4 or IPv6, select Add firewall rule, and then select New firewall rule.
- For Source zones, select the zone you created for RED devices.
- Select a network in Source networks and devices if you want the firewall rule to match a network within the zone. Otherwise, select Any.
- For Destination zones, select LAN and WAN.
- Select a network in Destination networks if you want the firewall rule to match a network within the zone. Otherwise, select Any.
- Click Save.
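The two security-relevant decisions in this procedure are keeping RED interfaces out of the LAN zone and making sure the rules that end up applying to the RED zone are no broader than the LAN and WAN access the steps above grant. The following script is an added example, not part of the Sophos documentation and not a Sophos export format: it lints a constructed snapshot of RED interfaces and firewall rules (the `RedInterface` and `FirewallRule` data model, the sample data and the finding codes are all assumptions made for the example) and reports the pitfalls described on this page, including existing rules with source zone Any that silently cover the new RED zone.

```python
"""Lint a constructed snapshot of RED interfaces and firewall rules for the
pitfalls described in the RED setup procedure. The data model below is an
assumption for this example, not the Sophos Firewall export or API format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RedInterface:
    branch_name: str
    zone: str            # zone selected under "RED network settings"


@dataclass(frozen=True)
class FirewallRule:
    name: str
    source_zones: frozenset       # e.g. {"RED"}; "Any" matches every zone
    destination_zones: frozenset  # e.g. {"LAN", "WAN"}
    action: str = "Accept"


def check_red_zone_separation(interfaces, red_zone):
    """A RED interface placed in any other zone (typically LAN) inherits that
    zone's rules, so report every interface that is not in the RED zone."""
    return [(i.branch_name, "RED_IN_WRONG_ZONE")
            for i in interfaces if i.zone != red_zone]


def check_red_rules(rules, red_zone, allowed_destinations=frozenset({"LAN", "WAN"})):
    """Report missing, over-broad, or implicit Accept rules for the RED zone."""
    findings = []
    explicit = [r for r in rules
                if red_zone in r.source_zones and r.action == "Accept"]
    if not explicit:
        # Without a rule whose source zone is the RED zone, tunnel traffic is dropped.
        findings.append((red_zone, "NO_RED_RULE"))
    for r in explicit:
        # The procedure grants LAN and WAN only; anything wider needs a review.
        if "Any" in r.destination_zones or not r.destination_zones <= allowed_destinations:
            findings.append((r.name, "RED_DEST_TOO_BROAD"))
    for r in rules:
        # Pre-existing rules with source zone Any apply to the new zone as well.
        if r.action == "Accept" and "Any" in r.source_zones and red_zone not in r.source_zones:
            findings.append((r.name, "ANY_SOURCE_COVERS_RED"))
    return findings


def lint_red_setup(interfaces, rules, red_zone="RED"):
    """Combine both checks into one list of (subject, finding_code) tuples."""
    return check_red_zone_separation(interfaces, red_zone) + check_red_rules(rules, red_zone)


# Constructed sample snapshot: one branch correctly in the RED zone, one left in LAN.
SAMPLE_INTERFACES = [
    RedInterface("Branch-A", "RED"),
    RedInterface("Branch-B", "LAN"),
]

# Constructed sample rules: one correct RED rule, one over-broad, one legacy Any-source rule.
SAMPLE_RULES = [
    FirewallRule("LAN to WAN", frozenset({"LAN"}), frozenset({"WAN"})),
    FirewallRule("RED to LAN and WAN", frozenset({"RED"}), frozenset({"LAN", "WAN"})),
    FirewallRule("RED to everything", frozenset({"RED"}), frozenset({"LAN", "WAN", "DMZ"})),
    FirewallRule("Legacy any-to-LAN", frozenset({"Any"}), frozenset({"LAN"})),
]


if __name__ == "__main__":
    for subject, code in lint_red_setup(SAMPLE_INTERFACES, SAMPLE_RULES):
        print(f"{code}: {subject}")
```

Run against the sample snapshot, the linter flags Branch-B for sitting in the LAN zone, the "RED to everything" rule for reaching DMZ, and the legacy Any-source rule that now also admits RED traffic; the "RED to LAN and WAN" rule matches the procedure and produces no finding. Feed it the zone and rule data from your own firewall in the same shape to repeat the check after each RED is added.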