Sophos Xg Access Point



When friends and family are visiting and require wifi access, we typically give them complete access to our network by providing the password to our wireless access point. While most friends and especially family wouldn’t be doing anything malicious on our network, the bigger concern is that the devices they’re using to connect could be infected with viruses or malware, which could spread to other devices on our network. In most cases, guests simply need internet access, and an easy way to allow this while keeping them isolated from the rest of your network is to create a separate guest network.

If your wireless access point supports creating multiple wireless networks or has a guest network feature, you can use VLANs to isolate the guest network from your private network, which I explain in this post. The steps below explain how to set up a guest wireless network using a separate wireless access point, which in this case is an Apple Airport Express.

1. Set up the device you’ll be using as a second wireless access point for guest users. Configure the wireless settings as desired (i.e. create a different SSID and password from your main wireless network). Also change the mode of your device to ‘Bridge Mode’. For Apple devices, this is located in the Airport Utility under the ‘Network’ tab -> ‘Router Mode’ -> ‘Off (Bridge Mode)’.

You can only use Sophos AP as Access point and manage them through XG. The other option is to use the external AP as a separate AP and create a new interface with different IP/Subnet and create the proper firewall rules.

2. Plug in your guest wireless access point to an open ethernet port on your Sophos XG device.

3. From the Sophos XG web user interface, first set up the new interface by accessing the ‘Interfaces’ tab on the ‘Network’ page and selecting the port you plugged the guest wireless access point into. Configure the following settings:

  • Network Zone: Specify the zone this new interface will be. For this example, choose ‘LAN’.
  • IPv4 Configuration: This should be checked.
  • IP Assignment: Select ‘Static’ since we will define the IP address for this interface.
  • IPv4/Netmask: Enter an IP address for this interface that is in a different subnet than the interface for your main network. For example, if your main network interface has an IP of 172.16.16.16 (Sophos XG default), something such as ‘172.16.17.17’ will work. Leave the netmask defaulted to ‘24/255.255.255.0’.
  • Leave ‘IPv6 Configuration’ unchecked unless you need IPv6 for your network.
  • The advanced settings can be left to their default settings. Click ‘Save’ at the bottom.

4. Next, create an IP Host for the guest subnet to be used for a firewall rule. Access the ‘IP Host’ tab on the ‘Host and Services’ page and click ‘Add’. Configure the following settings:

  • Name: Type in a name such as ‘Guest Subnet’.
  • IP Address: Type in the IP address for this guest network such as ‘172.16.17.0’ and leave the default subnet to ‘/24 (255.255.255.0)’.
  • IP Host Group: This allows you to add this IP Host to an IP Host Group but for this example, leave it blank. Click ‘Save’ at the bottom.

5. Create a DHCP server for your guest network by accessing the ‘DHCP’ tab on the ‘Network’ page. Under the ‘Server’ section, click ‘Add’ and configure the following settings:

  • Name: Provide a name such as ‘Guest DHCP’.
  • Interface: Select the port your guest wireless access point is connected to.
  • Start IP: Enter the starting IP address for the range that will be available for assignment to users on the guest network. For example, ‘172.16.17.18’.
  • End IP: Enter the ending IP address. For example, ‘172.16.17.254’.
  • Subnet Mask: Leave the default of ‘/24 (255.255.255.0)’.
  • Domain Name: This can be left blank.
  • Gateway: Leave the default ‘Use Interface IP as Gateway’ checked.
  • Default Lease Time/Max Lease Time: Leave the default values.
  • Conflict Detection: Enable this so clients aren’t being assigned the same IP address.

6. Create a firewall rule that will allow users on the guest network to access the internet. Access the ‘Firewall’ page and click ‘Add Firewall Rule’ -> ‘User/Network Rule’. If you’re unfamiliar with the firewall rule settings, see my previous guide on firewall rules. Configure the following settings:

  • Rule Name: Provide a name such as ‘Guest Network’.
  • Description: Provide a description as desired.
  • Action: Accept
  • Source Zone: Select ‘LAN’ since this is the zone we added the guest interface to.
  • Source Networks and Devices: Select the IP Host we created in step 4, ‘Guest Subnet’.
  • During Scheduled Time: Set this as desired but for this example, we’ll leave it set to ‘All the Time’.
  • Destination Zone: Select ‘WAN’ since we want users to be able to access our ISP modem/internet.
  • Destination Networks: Select ‘Any’ since we don’t know exactly what protocols and/or ports our guest users will be utilizing.
  • Configure the rest of the settings as desired and click ‘Save’ at the bottom.

7. You should now be able to connect to your guest network and have full access to the internet. Of note, you can still access your Sophos XG web user interface from this guest network since the interface falls under the ‘LAN’ zone. See my other post on completely isolating the guest and local networks.

(Optional) If desired, you can limit the bandwidth available for your guest users by creating a Traffic Shaping Policy for the firewall rule we just created. You can create a new policy from the firewall rule page itself by clicking the ‘Traffic Shaping Policy’ drop down and click ‘Create new’. This page can also be accessed on the ‘Traffic Shaping’ tab on the ‘System Services’ page. Configure the following settings:

  • Name: Provide a name such as ‘Guest Rule’.
  • Policy Association: Select ‘Rule’ since this will be applied to a firewall rule.
  • Rule Type: Select ‘Limit’ as the goal is to limit the available bandwidth to guest users.
  • Limit Upload/Download Separately: As the name implies, you can set a limit on the upload and download bandwidth throughput separately. For this example, select ‘Enable’.
  • Priority: This setting allows you to define priorities so that if you have multiple traffic shaping policies, Sophos XG will know how to prioritize the various connections. For this example, select ‘3 – (Normal)’ as our guest users just need basic internet access.
  • Upload Bandwidth: Specify the maximum upload speed in KBps (not to be confused with Kbps). Search for ‘Mbps to KBps’ using Google to convert Mbps, which is the unit most commonly used for bandwidth speeds, to KBps. For example, if I want to limit my guest users’ upload to 10 Mbps, enter ‘1250’ into this field.
  • Download Bandwidth: Same as above except for the download speed. For example, if I want to limit guest users to a download of 100 Mbps, enter ‘12500’ into this field.
  • Bandwidth Usage Type: Leave ‘Individual’ selected as this policy will apply to the entire guest firewall rule. Click ‘Save’ at the bottom.

Make sure to assign this new Traffic Shaping Policy to your guest firewall rule.

Sophos APX Series access points are now supported on every platform: Sophos Central, XG Firewall, and Sophos SG UTM (from v9.7). With our latest generation of access points, you can offer an attractive replacement for every one of our legacy AP Series indoor models. You can learn more about the benefits of the APX Series in this Partner Portal blog post. Please note that all APX Series access points have a five-year warranty.

Last month we sent an email to all partners who have sold any AP Series model to give advance notice of the final order (End-of-Sale) date for the current indoor AP Series models and the subsequent lifecycle milestones.

All platforms allow you to manage all current AP and APX Series in a mixed environment. This means that your customers who have only recently purchased their AP Series access points are under no pressure to upgrade straight away. They can simply add newer APX models as they extend or make changes to their deployment. Our lifecycle plan gives you sufficient time to plan a gradual transition to the APX Series with your customers over a three-year period.

Why are we starting the End-of-Life process for the AP Series?

Wireless technology and standards are constantly evolving. The use of Wi-Fi in most environments has increased considerably over the past five-plus years, predominantly due to the number of mobile and other Wi-Fi connected devices now available. The majority of the current AP Series models have been in the Sophos portfolio since 2015 (the AP 100 since 2014) and these models do not support the most commonly used Wi-Fi standards available today. Newer standards, such as 802.11ac Wave 2 (which is still the most commonly used standard in business environments) include technology innovations to offer better performance, even when a larger number of clients are connected simultaneously. They are also built to handle the applications more commonly used today, such as voice and video, and so provide a better user experience.

Which models are affected?

| Model / SKU | End-of-Sale | End-of-Support | End-of-Life | APX Alternative |
|---|---|---|---|---|
| AP 15 | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 120 |
| AP 15C | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 120 |
| AP 55 | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 320* |
| AP 55C | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 320* |
| AP 100 | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 530 (or APX 740) |
| AP 100C | March 31, 2020 | March 31, 2021 | March 31, 2023 | APX 530 (or APX 740) |

* Under some circumstances, the dual-radio APX 120 may be a viable, lower-cost alternative.

What will these dates mean for your customers?

We have made every effort to provide advance notice to make the transition as easy as possible and avoid any disruption for your customers. We will continue to process RMAs for all customers with a valid support contract (e.g. as part of their subscription) until the End-of-Life date.

The lifecycle milestones are described in detail below.

End-of-Sale: March 31, 2020

The AP Series models mentioned below will no longer be sold by Sophos:

  • Indoor only: AP 15, AP 15C, AP 55, AP 55C, AP 100, AP 100C

Software SKUs for the following subscriptions can no longer be ordered:

  • Central Wireless Standard – Entry
  • Central Wireless Standard – Performance (unless for AP 100X)

After this date the product:

  • will not receive any new features
  • will receive only critical security patches and bug fixes, but only until March 31, 2021
  • will not be supported by any new hardware models released after this date

Your access point will continue to operate as normal.

End-of-Support: March 31, 2021

After this date:

  • Sophos will process RMAs but no longer offer support
  • The affected AP models will no longer receive any software updates or bug fixes of any kind
  • APs will continue to operate on the last supported firmware version

RMAs: Will be processed for any AP Series model with a valid warranty or support license (if the same model is not available, an equivalent model will be supplied as a replacement).

Support: Technical support is no longer provided. Hotline calls will only be accepted for RMA processing.

End-of-Life: March 31, 2023

From this date, management support for the above-mentioned AP Series models will no longer be included in new software releases for Sophos Central Wireless, XG Firewall (SFOS), and SG UTM.

Please reach out to your local Sophos sales team before this date to discuss the hardware refresh options for your customers to ensure a smooth transition to newer technology.

What about the AP 100X?

Please note that the AP 100X outdoor model is not affected by this announcement and will continue to be sold until an equivalent APX model is available (in early May 2020) and the support dates on all platforms are clear.

What about older AP Series access points?

Should any of your customers still be using the much older AP Series access points, such as the AP 5, AP 10, AP 30, and AP 50 with either Sophos UTM or XG Firewall, those models have already been End-of-Life since at least 2018, and therefore management support cannot be guaranteed for those models on any platform. By using End-of-Life hardware, your customers may be risking interruptions in the correct functioning of their Wi-Fi network or their connectivity as a whole. In some scenarios, this could also affect their compliance status. We would request that all partners work with these customers to refresh their access points to models which are still supported.

What should I do with End-of-Life hardware?

After the End-of-Life of any hardware device, Sophos suggests that you dispose of the unit responsibly and in accordance with the environmental requirements in your region.

Who can I contact to get more help?

Should you have any questions, please do not hesitate to reach out to your local Sophos team. They can help you to find the optimal plan for a managed lifecycle for your customers’ hardware.