Sophos UTM Home Edition Install

There are a lot of options when it comes to Firewall\Unified Threat Management appliances – including hardware, software, and virtual appliance. Several names come to mind including pfSense, Untangle, m0n0wall, and the topic of this post – the Sophos UTM Home Edition appliance (formerly Astaro Gateway). After doing fairly extensive research, I decided upon this distribution for a few reasons:

  • Available as a virtual appliance, or software to run on your choice of hardware (or Sophos hardware $)
  • The free edition is surprisingly feature-rich including:
    • Intrusion detection and prevention
    • Full featured firewall
    • Web content filtering for both HTTP and HTTPS
    • Web AV scanning
    • Email anti-spam
    • Remote access with several VPN options
    • An easy to use web UI
    • Integration with Sophos endpoint AV protection for 10 users
  • All of the above is $0 with the limitation of 50 users
I chose to go the software running on whitebox hardware as it allowed lots of flexibility and did not rely on the complexity of an underlying hypervisor – an unofficial HCL is available here.

The Hardware

Some low-power Intel Atom solutions may work for this application, but due to the number of options available with this UTM, a minimum of an I3 processor is recommended to be able to push throughput with advanced services such as IPS and AV – I chose the Supermicro SYS-5018D-MF
  • 4th Generation i3, Xeon E3 V3 support
  • Up to 32 GB ECC UDIMM memory
  • Dedicated IPMI LAN
  • PCIE x8 slot
  • Dual Intel i210 1Gbps Ethernet
  • Enterprise grade server hardware quality I’ve come to expect from Supermicro
To get started, you will need to request a Home Edition license from Sophos – do that here.
Once you receive your license, you will need to download the software from here. There are two options – a hardware appliance and software appliance. The hardware appliance is specific to Sophos Hardware – if you try to use this installer on non-Sophos hardware, it will be detected, and installation will stop. So you want to download the software appliance for both installation on custom hardware or in a virtual machine.
*Note: This is a firewall – you must have at least 2 network interfaces – the installer will check for this.
The installation is fairly straightforward – you will need to choose an inside interface and address type:

Next, select options for a 64 bit kernel, if you would like the enterprise toolkit, and then partition setup. Once complete, the system will reboot and most, if not all configuration will be from the webadmin console: https://[console_IP_Address]:4444/

 

Getting the Sophos UTM Home Edition Installed and Configured

Once the system is back up, you will run through a basic system setup specifying hostname, admin password, etc. You will then continue system setup – you will need your license file at this point. You will also configure the WAN interface and type, basic firewall services and advanced protection services.

Finally, you will arrive at the main dashboard – depending on what you configured, this may look different.

The next thing you will want to do is define your networks – internal network, any DNS servers you may have, and any internal web servers you may have. Some network definitions are auto added based on connectivity and defaults (any IPV4, etc).

Next, assuming you have a single public IP address, you want to configure NAT masquerading – this is similar to NAT overload on an interface or PAT. Simply choose the network to be translated and which interface to use – in the below example, ‘Production’ is defined as any inside network, with ‘Outside’ being the WAN interface.

At this point, you should at least have internet access from any inside hosts. In the next post, I’ll cover configuring advanced protection services and allowing dynamic NAT for internal web servers, etc.

12 thoughts on “Sophos UTM Home Edition Install

  1. what is your opinion on pfSence?
    I recently got my hands on lenovo thinkcenter m58p
    core 2duo @ 3Ghz 2GB ram and plan to build out a router out of it for my home. I only considered 2 options. pfSence and Sophos UTM, but no the fence between them.

    I plan to have about 15 users and not all of them on all the time.
    I have a main PC and Laptop.
    I have 2 phones and 2 tablet
    I have an HTPC
    a VM/file server ,
    will have a VM running deluge or transmission (I do not torrent much but on some occasion having a always on client helps)
    SubNZB/coach potato/sick beard (either as standalone VM or running along side the deluge)
    a PlexServer VM
    and maybe a MythTV VM

    need a good setup to have an outside connection via SSH and Web UI to monitor and admin my server and VMs. the server will run Cloudmin and most clients will run Webmin. FTP serer or MyCloud
    not sure about VPN but that might be a possibility.

    thanks.

  2. Vlad-
    It’s hard to say if that hardware is up to snuff – the more you enable, the more CPU is used – though it may work just fine. For example, take a look at the unofficial HCL for the UTM here: https://www.astaro.org/gateway-products/hardware-installation-up2date-licensing/28426-unofficial-hardware-compatibility-list-hcl.html

    I briefly used pfsense, and I know that it has a great community and support. My reason for choosing UTM was ease of administration of some of the more advanced firewall features – and an overall easier to use UI in general in my opinion.

  3. if it can run on Atom(1.6GHz) it should be very comfy on Intel Core 2 Duo (3.0)
    as for RAM I can always stick another 2GB
    into machine :-).

  4. Hello one question hope you got a Idea i didn´t found any solution in the net.
    I fail with the installation with the message “no hardware appliance detected”

    • Hi Sven,

      It sounds like you downloaded the wrong installation media. There are two: one for actual Sophos appliances (which is what you have…it checks for the Sophos hardware), then the other for virtual firewalls and whitebox hardware (this is what you need to download).

  5. Also, i read that XG Firewall is not quite production ready as it is full of bugs? I am quite a noob with firewall although i am using IPFire at home. I setup a firewall to handle URL and keywords filtering and port forwarding. Most routers I got (in the past) cannot handle more than 300k sessions.

  6. XG is free for home use and not limited to 50 active IP addresses as the UTM was – useful for me as I maintain a lab and there can be numerous active IP addresses at any time. The Home use XG is limited to hardware – I believe it’s 2 cores and 6GB of memory. I don’t believe it is allowed to be used for business in any way.

    The interface is a bit wonky and have seen a few minor bugs, but nothing show stopping – it more than does what I need it to do, and again, it removes the 50 IP limit. Getting used to setting it up has been difficult, but not impossible.

Leave a Reply