11 Wireless Protection

Introduction to Wireless Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW5505: Introduction to Wireless Protection on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Introduction to Wireless Protection on Sophos Firewall - 1


Introduction to Wireless Protection on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Wireless network communication
✓ Sophos Firewall deployment options

DURATION
9 minutes

In this chapter you will learn the three modes of operation that can be used for the wireless
networks, the range of access points supported, and which appliances have built-in wireless.



Wireless Overview

[Diagram: network connections. A company laptop connected to the company wireless network and a guest laptop connected to the guest network through a Sophos access point; internal computers and servers connected to the network; a second access point in a remote site connected through a RED; the Sophos Firewall providing access to the Internet.]

With Sophos Firewall you can deploy and manage wireless access points giving you the same
control and security features that you have for wireless devices as those that are physically
connected to the network.

Sophos access points can be used to broadcast multiple wireless networks to keep traffic
separated, for example for corporate and guest networks.

You are not limited to managing wireless networks in the local office, you can deploy access points
in remote offices that are connected to the Sophos Firewall with a RED.



Client Traffic Modes: Bridge to AP LAN

[Diagram: wireless client traffic goes from the access point to the switch and directly onto the local network and the Internet; only management traffic passes between the access point and the Sophos Firewall.]

Sophos Firewall supports three different modes of operation for wireless networks; let’s take a
look at these client traffic modes, starting with Bridge to AP LAN.

The Bridge to AP LAN configuration is used when traffic needs to be routed to the network that the
access point is directly connected to. With Bridge to AP LAN, the traffic is never sent to the Sophos
Firewall by the access point; instead, it simply takes the traffic and drops it right onto the LAN that
it is connected to. The Sophos Firewall is only used for management of the AP and to collect
logging information from the access point.



Client Traffic Modes: Bridge to VLAN

[Diagram: the access point is connected to a trunk port on a managed switch and sends tagged traffic. VLAN X traffic reaches the local network, VLAN Z guest traffic is kept separate, and VLAN Y carries management traffic to the Sophos Firewall.]

Next is Bridge to VLAN.

In a Bridge to VLAN configuration, wireless traffic is tagged by the access point allowing upstream
switches, or the Sophos Firewall, to identify that the traffic is associated to a specific VLAN. This
allows the wireless network to extend that VLAN wirelessly.

The access point must be connected to a trunk or hybrid port on the switch so that it is able to
read the VLAN tags and route the traffic correctly.

Again, the Sophos Firewall still communicates with the access point for management and to collect
logging, but it may not necessarily be involved in routing the traffic.

Please note that to broadcast a bridge to VLAN wireless network, the access point must be
configured to use a VLAN for management traffic. The bridge to VLAN options only become
available once you have set a VLAN for management.



Client Traffic Modes: Separate Zone

[Diagram: wireless client traffic is carried from the access point through the switch to the Sophos Firewall in a VXLAN tunnel; traffic toward the local network (VLAN X) is blocked by a firewall rule unless explicitly allowed; management traffic also flows between the access point and the Sophos Firewall.]

Lastly, we have the Separate Zone configuration.

Separate zone allows an administrator to segment the wireless traffic without using a VLAN, which
is often very useful in smaller environments that may not use managed switches or have a complex
network environment but still want to secure wireless traffic, for example, for guest access. With a
separate zone configuration, all traffic is fed into a VXLAN tunnel by a wireless interface on the
Sophos Firewall. From there, the Sophos Firewall will treat it like any other traffic coming in
through an interface. By default, the interface is called wlan<NUMBER>. This traffic must then be
routed to any allowed networks, either internally or externally and rules need to be created to
allow this traffic.

When configuring a separate zone, you may also need to:

• Create a DHCP server for the wireless network on that interface
• Enable DNS for the zone
• Create firewall and NAT rules that include Web protection, IPS policies, and any other security
modules to protect the users
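The two mechanisms behind Bridge to VLAN and Separate Zone are standard frame formats: an 802.1Q tag inserted after the MAC addresses, and a VXLAN header (RFC 7348) prepended to the whole Ethernet frame. The following added example, which is not part of the Sophos course material, builds and parses both so you can see what an upstream switch or the firewall actually inspects. The MAC addresses, VLAN ID 30, VNI 100 and the payload bytes are constructed sample values, not anything the page specifies.

```python
import struct

ETHERTYPE_VLAN = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
VXLAN_UDP_PORT = 4789          # RFC 7348 destination port (informational here)
VXLAN_FLAG_VNI_VALID = 0x08    # "I" bit in the VXLAN flags byte


def build_eth(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame; when vlan_id is given, insert an 802.1Q tag after the MACs."""
    frame = dst + src
    if vlan_id is not None:
        tci = (pcp << 13) | (vlan_id & 0x0FFF)          # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_eth(frame):
    """Return (dst, src, vlan_id or None, ethertype, payload); this is what a trunk port reads."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan_id = tci & 0x0FFF
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def build_vxlan(vni, inner_frame):
    """Prepend the 8-byte VXLAN header: flags (I bit), 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    return (bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0])
            + struct.pack("!I", (vni & 0xFFFFFF) << 8)
            + inner_frame)


def parse_vxlan(udp_payload):
    """Return (vni, inner_frame) from a VXLAN UDP payload; reject headers without the I flag set."""
    if len(udp_payload) < 8 or not udp_payload[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("not a valid VXLAN header")
    (word,) = struct.unpack("!I", udp_payload[4:8])
    return word >> 8, udp_payload[8:]


# Constructed sample data (not from the page): two locally administered MACs and a short dummy payload.
CLIENT_MAC = bytes.fromhex("02aabbccdd01")
GATEWAY_MAC = bytes.fromhex("02aabbccdd02")
SAMPLE_PAYLOAD = b"\x45\x00\x00\x14"   # start of an IPv4 header, truncated on purpose


def demo():
    """Show the same client frame in each client traffic mode and return the parsed results."""
    # Bridge to AP LAN: the AP puts the untagged frame straight onto the LAN it is connected to.
    untagged = build_eth(GATEWAY_MAC, CLIENT_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    # Bridge to VLAN: the AP tags the same frame (guest VLAN 30 here) for the switch's trunk port.
    tagged = build_eth(GATEWAY_MAC, CLIENT_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=30)
    # Separate Zone: the frame travels inside a VXLAN tunnel (hypothetical VNI 100) to the firewall.
    tunnelled = build_vxlan(100, untagged)
    vni, inner = parse_vxlan(tunnelled)
    return {
        "untagged_vlan": parse_eth(untagged)[2],          # None: nothing for a switch to separate on
        "tagged_vlan": parse_eth(tagged)[2],              # 30: the VLAN the switch will place it in
        "tag_overhead": len(tagged) - len(untagged),      # 4 bytes for the 802.1Q tag
        "vni": vni,                                       # 100: the tunnel the firewall terminates
        "inner_matches": inner == untagged,               # the original frame survives encapsulation
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The untagged case is why Bridge to AP LAN gives no segmentation: there is nothing in the frame for a switch to act on. The tagged case is why the AP must sit on a trunk or hybrid port, and the VXLAN case is why Separate Zone needs no managed switch at all: the switch only forwards UDP to the firewall, which strips the 8-byte header and treats the inner frame as traffic arriving on its wlan interface.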



Access Point Models

APX series access points: APX 120, APX 320, APX 530, APX 740

Legacy AP series access points: AP 15, AP 55, AP 100, AP 100X

Sophos Firewall supports Sophos’ APX series access points, which include support for 802.11ac Wave
2, as well as the legacy AP series access points.

Please note that the AP series access points are now end of sale and are not supported on XGS
series appliances.



Access Point Model Naming

APX: next-gen access point series
First digit: range or model series
Second digit: MIMO capabilities (2 = 2x2, 3 = 3x3, 4 = 4x4)
Third digit: product generation

Example: APX 3 2 0

To help you understand the range of APX access points let’s take a look at their naming scheme.

The APX part of the model name is made up of AP for access point followed by the X. This denotes
that this model is next-gen. Any legacy models are referred to as the AP series.

The first number in the naming sequence refers to the range or model series, in this example we
use 3.

The second number denotes the MIMO capabilities of the model, in this example this is 2 for 2x2.

The last number is the product generation number, in this example this is 0.

This gives you the full name of the model, in this example APX 320.



Access Point Models – APX Series

APX 120
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 300 Mbps + 867 Mbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x 12V DC-in; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3af
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band
  MIMO capabilities: 2x2

APX 320
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 300 Mbps + 867 Mbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet w/PoE port
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3af
  Number of radios: 1 x 2.4 GHz/5 GHz dual-band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 2x2

APX 530
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 450 Mbps + 1.3 Gbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet port; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3at
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 3x3

APX 740
  Deployment: Indoor; desktop, wall or ceiling mount
  Maximum throughput: 450 Mbps + 1.7 Gbps
  Multiple SSIDs: 8 per radio (16 in total)
  LAN interfaces: 1 x RJ45 connector console serial port; 1 x RJ45 10/100/1000 Ethernet port; 1 x RJ45 10/100/1000 Ethernet w/PoE
  Supported WLAN standards: 802.11 a/b/g/n/ac Wave 2
  Power over Ethernet: 802.3at
  Number of radios: 1 x 2.4 GHz single band; 1 x 5 GHz single band; 1 x Bluetooth low energy (BLE)
  MIMO capabilities: 4x4

The APX series of Access Point models support WLAN Standard 802.11ac Wave 2.0, and all four
models are optimized for both wall and ceiling mount and are for indoor use.

Please note that the outdoor APX 320X is not supported on Sophos Firewall and requires Sophos
Central.

This table provides a more technical comparison of these models.



Deployment Guide

Basic Connectivity (APX 120)
  Approximate number of clients: 1-15
  Small companies; mix of mobile devices

Mixed Browsing (APX 320)
  Approximate number of clients: 7-25 (2.4 GHz), up to 30 (5 GHz)
  Schools & small offices; unmanaged endpoints & mobile devices

High Speed Connectivity (APX 530)
  Approximate number of clients: 7-25
  Medium size offices; BYOD & COD mobile devices

Video Conferencing / High Speed Connectivity (APX 740)
  Approximate number of clients: 7-35+
  Large offices & medium enterprise; managed endpoints

Now that you know the available access point models, you need to determine which model is best
to use based on your environment. We will focus on the APX range for access points.

Firstly, let’s split the types of activities wireless is used for into the following categories:

• Basic connectivity
• Mixed browsing
• High speed connectivity
• Video conferencing

Now, we can assign an approximate number of clients to those categories.

• For basic connectivity between 1 – 15 clients per access point is the recommended use
• For mixed browsing between 7-25 clients per access point and up to 30 clients in dual 5 GHz
• For high-speed connectivity between 7-25 clients per access point
• For video conferencing between 7-35+ clients per access point

So, let’s apply this to example deployments.

• For small companies that require basic coverage using a mixture of mobile devices – basic
connectivity will be recommended
• For environments such as schools and small offices using entry level endpoints and unmanaged
mobile devices – mixed browsing will be recommended
• For medium size offices using a mixture of BYOD and corporate owned mobile devices such as
iPads – High speed connectivity will be recommended
• For large offices and medium enterprise companies using managed endpoints made up of
laptops and mobile devices – video conferencing/high speed will be recommended



Built-In Wireless

XGS 87w: Retail/SOHO; desktop; 1 radio; MIMO 2x2:2
XGS 107w: Small office; desktop; 1 radio; MIMO 2x2:2
XGS 116w: Small office; desktop; 1 radio; MIMO 2x2:2
XGS 126w: Small branch office; desktop; 1 radio (2nd Wi-Fi module available); MIMO 3x3:3
XGS 136w: Growing branch office; desktop; 1 radio (2nd Wi-Fi module available); MIMO 3x3:3

All models: 8 SSIDs per radio; supported WLAN standards 802.11a/b/g/n/ac, 2.4 GHz/5 GHz

In addition to the APX and AP access points, the desktop models of Sophos Firewall are available
with a built-in wireless access point that supports either 2.4 GHz or 5 GHz with a single radio.

The built-in wireless differs from the external access points by not connecting through a network
interface and instead appearing as a local device.

The coverage of the built-in wireless can be extended by connecting external Sophos access points
to the network.



Chapter Review

Here are the main things you learned in this chapter.

Sophos Firewall can manage wireless network traffic using three client traffic modes: bridge to AP
LAN, bridge to VLAN, and separate zone.

Sophos Firewall supports the APX series and legacy AP series access points.

The desktop models of XGS have a wireless variant that includes a single radio. Larger desktop
models include an option to add a second wireless radio module.

Deploying Wireless Protection on Sophos Firewall

Sophos Firewall
Version: 19.0v1

[Additional Information]

Sophos Firewall
FW5510: Deploying Wireless Protection on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Deploying Wireless Protection on Sophos Firewall - 1


Deploying Wireless Protection on Sophos Firewall
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Modes of operation that can be used for Sophos Firewall wireless networks
✓ Supported access points
✓ Sophos Firewall appliances that have built-in wireless

DURATION
8 minutes

In this chapter you will learn how to deploy access points and configure wireless networks.



Wireless Networks

• Configuration deployed to access points to allow clients to connect
• Define security and authentication requirements
• Define network parameters

Wireless networks are the configuration that access points use to allow clients to connect. They
define the security and authentication requirements for devices that want to access the network
as well as network parameters such as IP range and gateway.



Creating Wireless Networks

Wireless networks are configured in: PROTECT > Wireless > Wireless networks

• Visible network name (SSID)
• Security mode: No encryption, WEP Open, WPA Personal/Enterprise, WPA2 Personal/Enterprise (recommended)
• Client traffic: Separate Zone, Bridge to AP LAN, Bridge to VLAN
• Configuration for the separate zone wireless interface

Here you can see the main configuration for a wireless network. The main elements are:
• The SSID, which is the visible network name that devices will connect to
• The security mode, we recommend using WPA2 either with a passphrase or using a RADIUS
server to authenticate users by selecting Enterprise
• How to route client traffic, either to the same network as the access point, a specific VLAN or
directly back to the Sophos Firewall using a separate zone

Separate zone configuration is used to create a wireless interface on the Sophos Firewall. The
traffic for the wireless network is then routed back to that interface on the Sophos Firewall using a
VXLAN.



Advanced Settings

There are also several advanced settings that allow you to control options such as which bands the
network is broadcast on, when the network is available and whether clients can see each other on
the network.

[Additional Information]
Fast BSS (Base Service Set) Transition allows the key negotiation and the request for wireless
resources to happen concurrently, in order to enable fast and secure handoffs between base
stations to deliver seamless connectivity for wireless devices as they move around. This is
supported on WPA2 Personal and Enterprise networks only. The clients must also support 802.11r
as well.

To enable Fast Transition, use the option in the advanced settings of the wireless network
configuration.

Access points will announce support for both WPA-PSK/Enterprise and FT-PSK/Enterprise, so they
can perform normal roaming for clients which are not capable of Fast Transition.
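The constraints on this and the previous two pages (WPA2 recommended over the other security modes, Fast Transition only on WPA2 networks, Bridge to VLAN only once a management VLAN is set, a separate zone needing DHCP, DNS and a firewall rule, and at most 8 SSIDs per radio) can be checked before a configuration is pushed to access points. The following is an added example written for this page, not Sophos code and not the Sophos API: the field names (ssid, security_mode, client_traffic, fast_transition, dhcp_server, dns_enabled, firewall_rule, management_vlan_set, bands) are hypothetical, and the two sample networks are constructed.

```python
RADIO_SSID_LIMIT = 8                                   # page: up to 8 wireless networks per radio
RECOMMENDED_MODES = {"WPA2 Personal", "WPA2 Enterprise"}
KNOWN_MODES = {"No encryption", "WEP Open", "WPA Personal", "WPA Enterprise"} | RECOMMENDED_MODES
CLIENT_TRAFFIC_MODES = {"Separate Zone", "Bridge to AP LAN", "Bridge to VLAN"}


def check_network(net):
    """Return a list of findings for one wireless network definition (a dict with hypothetical keys)."""
    findings = []
    ssid = net.get("ssid", "<unnamed>")
    mode = net.get("security_mode")
    if mode not in KNOWN_MODES:
        findings.append(f"{ssid}: unknown security mode {mode!r}")
    elif mode not in RECOMMENDED_MODES:
        findings.append(f"{ssid}: security mode {mode} is weaker than the recommended WPA2")
    # Fast BSS Transition is only supported on WPA2 Personal and Enterprise networks.
    if net.get("fast_transition") and mode not in RECOMMENDED_MODES:
        findings.append(f"{ssid}: Fast Transition (802.11r) requires WPA2 Personal or Enterprise")
    traffic = net.get("client_traffic")
    if traffic not in CLIENT_TRAFFIC_MODES:
        findings.append(f"{ssid}: unknown client traffic mode {traffic!r}")
    if traffic == "Separate Zone":
        # A separate zone is an interface on the firewall: clients need addresses, name resolution
        # and an explicit rule before any traffic is allowed through.
        for key, what in (("dhcp_server", "a DHCP server on the wlan interface"),
                          ("dns_enabled", "DNS enabled for the zone"),
                          ("firewall_rule", "a firewall rule allowing the traffic")):
            if not net.get(key):
                findings.append(f"{ssid}: separate zone network is missing {what}")
    if traffic == "Bridge to VLAN" and not net.get("management_vlan_set"):
        findings.append(f"{ssid}: Bridge to VLAN requires a management VLAN on the access point")
    return findings


def check_access_point(networks, bands=("2.4 GHz", "5 GHz")):
    """Check the per-radio SSID limit for one access point that broadcasts `networks`.

    A network broadcast on both bands consumes one SSID slot on each radio, which is why
    about 8 networks per access point is the practical limit rather than 16.
    """
    findings = []
    for band in bands:
        count = sum(1 for n in networks if band in n.get("bands", bands))
        if count > RADIO_SSID_LIMIT:
            findings.append(f"{band} radio: {count} SSIDs exceeds the limit of {RADIO_SSID_LIMIT}")
    return findings


# Constructed sample definitions (not from the page): one compliant network, one that is not.
SAMPLE_NETWORKS = [
    {"ssid": "corp", "security_mode": "WPA2 Enterprise", "client_traffic": "Bridge to VLAN",
     "management_vlan_set": True, "fast_transition": True, "bands": ["2.4 GHz", "5 GHz"]},
    {"ssid": "guest", "security_mode": "WEP Open", "client_traffic": "Separate Zone",
     "dhcp_server": False, "dns_enabled": True, "firewall_rule": False, "bands": ["5 GHz"]},
]

if __name__ == "__main__":
    for net in SAMPLE_NETWORKS:
        for finding in check_network(net) or [f"{net['ssid']}: ok"]:
            print(finding)
    for finding in check_access_point(SAMPLE_NETWORKS):
        print(finding)
```

Run as a script, the corp network produces no findings and the guest network produces three (weak security mode, no DHCP server, no firewall rule). The same checks are useful as a pre-change review of an export, since a separate zone network that passes the firewall's form validation can still leave clients without addresses or without a path out.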



Access Point Discovery

[Diagram: the access point obtains an IP address and gateway from DHCP, then connects to the ‘magic IP’ 1.2.3.4. Because the discovery packet is sent to 1.2.3.4 it goes to the default gateway, where the Sophos Firewall intercepts and responds. DHCP can be used to override the magic IP if the Sophos Firewall is not the default gateway.]

Before we jump into deploying access points it is useful to understand how the discovery process
works.

When an access point is connected to the network it will need a DHCP server to provide it with an
IP address, DNS server and gateway.

The access point will send a discovery packet to 1.2.3.4, which we refer to as the magic IP. This is a
valid Internet address and so will be routed to the default gateway.

If the Sophos Firewall is the default gateway, or on the route to the Internet, it can intercept and
respond to the discovery packet beginning the registration process.

If the Sophos Firewall is not the default gateway or on the route to the Internet, you need to
configure a special DHCP option with the IP address of the Sophos Firewall so the access point can
find it. There is additional information in the notes regarding this.

[Additional Information]
If the Sophos Firewall is not in the path to the Internet, for example, it is not the default gateway
for the network, then a special DHCP option to select the target Sophos Firewall is required:
{ OPTION_IP , 0xEA }, /* wireless-security-magic-ip */
By default, the Sophos Firewall will configure and pass this option if it is configured as a DHCP
server for the network.

When a Sophos AP is connected to the network, the AP uses DHCP request broadcasts. The AP
acting as a DHCP client uses a Parameter Request List in its DHCP Discover message which requests
certain parameters from the DHCP server. If the DHCP server provides the special parameter, code
234, wireless-security-magic-ip, it will be used as the IP address to connect to when
starting the control connection.

For more information see KB-000034799.

https://support.sophos.com/support/s/article/KB-000034799
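The discovery notes above describe a DHCP exchange: the access point lists option 234 in its Parameter Request List, and a DHCP server that is not the Sophos Firewall can answer with option 234 carrying the firewall's address, which the AP then uses instead of 1.2.3.4. The following added example models that exchange at the option-encoding level; it is written for this page and is not Sophos code. The option code 234 (0xEA), the option name and the magic IP 1.2.3.4 come from the page; the gateway and firewall addresses 10.0.0.1 and 10.0.0.254 are constructed sample values, and the function names are this example's own.

```python
import ipaddress

OPTION_MAGIC_IP = 0xEA            # 234, "wireless-security-magic-ip" (from the page)
OPTION_PARAM_REQUEST_LIST = 55    # RFC 2132 Parameter Request List
OPTION_ROUTER = 3                 # RFC 2132 Router option
OPTION_PAD, OPTION_END = 0, 255
DEFAULT_MAGIC_IP = ipaddress.IPv4Address("1.2.3.4")


def encode_options(options):
    """Encode [(code, value_bytes), ...] as DHCP code/length/value options terminated with END."""
    out = bytearray()
    for code, value in options:
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"cannot encode option {code}")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def decode_options(blob):
    """Decode DHCP options into {code: value_bytes}; stops at END and skips PAD bytes."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = bytes(blob[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def ap_discover_options():
    """Options modelled for the AP's DHCP Discover: a Parameter Request List asking for the
    router and for option 234 (the list contents are this example's assumption)."""
    return encode_options([(OPTION_PARAM_REQUEST_LIST, bytes([OPTION_ROUTER, OPTION_MAGIC_IP]))])


def requests_magic_ip(discover_options):
    """True if the client's Parameter Request List includes option 234."""
    prl = decode_options(discover_options).get(OPTION_PARAM_REQUEST_LIST, b"")
    return OPTION_MAGIC_IP in prl


def server_offer_options(gateway, firewall=None):
    """Options a third-party DHCP server would reply with; option 234 is only needed when the
    Sophos Firewall is not the default gateway, so it is included only when `firewall` is given."""
    opts = [(OPTION_ROUTER, ipaddress.IPv4Address(gateway).packed)]
    if firewall is not None:
        opts.append((OPTION_MAGIC_IP, ipaddress.IPv4Address(firewall).packed))
    return encode_options(opts)


def control_target(offer_options):
    """Address the AP will open its control connection to: option 234 if present and well-formed,
    otherwise the magic IP 1.2.3.4, which is routed via the default gateway."""
    value = decode_options(offer_options).get(OPTION_MAGIC_IP)
    if value is not None and len(value) == 4:
        return ipaddress.IPv4Address(value)
    return DEFAULT_MAGIC_IP


if __name__ == "__main__":
    discover = ap_discover_options()
    print("AP asks for option 234:", requests_magic_ip(discover))
    # Firewall is the gateway: no option 234, the AP talks to 1.2.3.4 and the firewall intercepts it.
    print("target without option 234:", control_target(server_offer_options("10.0.0.1")))
    # Firewall is elsewhere: the DHCP server supplies its address in option 234.
    print("target with option 234:", control_target(server_offer_options("10.0.0.1", "10.0.0.254")))
```

The fallback in control_target is the point to remember when troubleshooting: an AP on a segment whose gateway is not the Sophos Firewall will keep sending discovery to 1.2.3.4 toward the Internet until the DHCP server on that segment is configured to hand out option 234.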



Deployment

1 Connect the access point to the network

2 Navigate to PROTECT > Wireless > Access points

3 Accept the pending access point

4 Assign wireless networks to broadcast

Once you have connected an access point to the network and the discovery process has taken
place you need to navigate to PROTECT > Wireless > Access points in the WebAdmin.

In the pending access points section, you will see any access points that have been discovered. You
need to accept the access point before it will be managed by the Sophos Firewall.

Please note that the access point may go offline after being accepted. This is normal as it may
perform a firmware upgrade directly after being accepted, in order to match the firmware of the
firewall. This normally takes between 5 – 10 minutes.



Access Points

[Images: an external access point and a built-in wireless appliance.]

When working with built-in wireless on a Sophos Firewall, there is no need to accept the built-in
access point.

It is a local device that is always active when the wireless protection feature is active on the device.
It is named LocalWifi0, and the name cannot be modified.



Broadcasting Wireless Networks

• Assign wireless networks to access points
• Use access point groups to assign wireless networks

When you accept an access point you can select which wireless networks it will broadcast.
Alternatively, you can assign the access point to a group and use the group to manage which
wireless network the member access points will broadcast.

Sophos access points can broadcast up to 8 wireless networks per radio. Almost all access point
models have 2 radios and so can broadcast up to 16 networks. However, in most scenarios you will
want to broadcast the wireless networks on both 2.4 GHz and 5 GHz, so you can effectively use up
to 8 networks per access point.



DNS and DHCP

Remember, for the Sophos Firewall to respond to DNS requests from devices connected to the
wireless network it must be enabled for the zone that network is in. This is done in SYSTEM >
Administration > Device access.

When creating a wireless network where there is no DHCP server, this is usually the case for guest
networks or where you have used a separate zone configuration, you will most likely want to
create a DHCP server on the Sophos Firewall.



Simulation: Deploying an Access Point

In this simulation you will deploy an access point on Sophos Firewall.

https://training.sophos.com/fw/simulation/DeployAp/1/start.html



Chapter Review

Here are the three main things you learned in this chapter.

Access points send discover packets to 1.2.3.4, which, as an Internet routable address, is sent to the
default gateway, assumed to be the Sophos Firewall. This can be overridden by DHCP if Sophos
Firewall is not the default gateway.

Access points will appear as pending in the web admin until they are accepted by an administrator.

Wireless networks define security and authentication requirements as well as network parameters.
Wireless networks need to be assigned to access points to start broadcasting.
