UPDATE: Part 4 – Definitions and Rules and Part 5 – SSL VPN are now available.
It’s been quite a while since I wrote the initial two Sophos UTM posts. I recently upgraded from a really old, re-purposed HP box to a slightly-less-old Dell Precision 670 courtesy of steiner, and I took the opportunity to document the setup process.
This post assumes you have followed the steps in Part 1 and Part 2. If you are looking to set up a Sophos UTM Home Edition from scratch, start there.
First Time Boot
I would recommend keeping your UTM attached to a monitor for the first boot, if only for peace of mind. Mine sits in my networking closet (AKA the cramped space next to the air return in the utility closet in my basement), so rather than having to shift it back and forth for troubleshooting during installation and setup, I ran a 25 ft Cat6 cable out to the main room where I could finish setting everything up in comfort.
You should be greeted by the screen seen on the left at boot time. Pressing F2 will drop you into the details view as seen below.
Once the boot process finishes, you are presented with a login prompt. Leave this be for now. By default, console login (root and user) for the UTM is disabled. I have not found any reason to enable it as I’ve been able to troubleshoot pretty successfully through the web interface.
Speaking of which, that’s where we’re headed now.
Make sure that you’ve got a network connection on the NIC you assigned as the WebAdmin login during the installation (covered in Part 2 of the blog series). Point a browser (on a system connected to the same network) to the WebAdmin page. This should have been presented to you at the conclusion of the installation process. It will probably be https://192.168.0.1:4444/ if you did not change anything during installation.
The login page will present you with a certificate warning, because WebAdmin ships with a self-signed certificate your browser does not trust. Accept it for now; if you would like to spring for a valid certificate at some point, that can be changed later. You will then be dropped into the setup process.
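Rather than accepting the self-signed certificate blindly every time, you can record its fingerprint on first contact and have a script warn you if WebAdmin ever presents a different one. This is an added example, not part of the original post or of Sophos UTM; it assumes the default WebAdmin address https://192.168.0.1:4444/ from above and a pin file path of your choosing.

```python
"""Trust-on-first-use pinning for the Sophos UTM WebAdmin certificate (added example)."""
import hashlib
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_webadmin_cert(host: str = "192.168.0.1", port: int = 4444) -> bytes:
    """Fetch the WebAdmin certificate in DER form.

    Validation is disabled on purpose: the default certificate is self-signed,
    so the chain can never verify. The pin check below replaces that validation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(der_cert: bytes, pin_file: Path) -> str:
    """Record the fingerprint the first time, compare on every later run.

    Returns "pinned" on first contact, "match" when the certificate is unchanged,
    and "MISMATCH" when it differs (a reinstalled UTM, a replaced certificate, or
    something between you and the UTM presenting its own). A mismatching pin is
    never overwritten automatically; delete the pin file yourself once you know why.
    """
    fp = fingerprint(der_cert)
    if not pin_file.exists():
        pin_file.write_text(fp + "\n")
        return "pinned"
    stored = pin_file.read_text().strip()
    return "match" if stored == fp else "MISMATCH"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"
    cert = fetch_webadmin_cert(host)
    # Hypothetical pin location; any writable path works.
    print(fingerprint(cert), check_pin(cert, Path.home() / ".utm_webadmin.pin"))
```

Run it once from a machine on the admin network and compare the printed fingerprint with the one your browser shows before clicking through; after that a "MISMATCH" is the signal to stop and investigate.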
Welcome to WebAdmin
On the first page, you will be asked to enter some basic information on your organization (and obviously, feel free to put “Home” or “Nunya Business, Inc.”) as well as choose a hostname for your shiny new UTM. I recommend establishing a naming scheme for your devices to make troubleshooting easier later on, depending on the size of your network. For instance, all of my network devices are named after various groups of robots (and I use the term loosely): infrastructure devices are Transformers, Kodi drones are Megaman characters, servers are Cylons, etc.
Regarding the email address that will be attached to the admin account, consider spinning up a new, dedicated account just for the purposes of monitoring the UTM. There are all kinds of options within the UTM that will result in emails being sent to you on a regular basis (daily guest WiFi passwords, weekly/daily summary reports, alerts, etc). If you are a security-best-practices kind of person, you won’t want these messages to get lost in the shuffle within an everyday-use email account.
Finally, you’ll have to create an administrative user for the web interface. I highly recommend using a non-default-sounding username. Also, and this should go without saying, make sure you set a lengthy, complex password. If your UTM gets compromised, the rest of your network will not be far behind.
Once you click “Next,” it will take the UTM up to sixty seconds to complete basic system setup before proceeding to the WebAdmin Login Screen as shown to the right.
Welcome to Sophos UTM
Once you’ve logged in with your administrative credentials, simply walk through the setup Wizard. First, you will have to upload your license file. If you’ve lost it in the few months since the last post, never fear! Simply log back into your MyUTM account (see the screenshot to the left) and re-download it. If you’ve forgotten that password and don’t want to recover it, simply click Next; the UTM will be set up with a thirty-day temporary license. You can re-upload your original license at a later time.
If you have to regenerate your license, make sure you end up with a license that is not “Unlimited.” Your UTM build will not accept it. It has to be a “Home” license. Refer to the screenshots below to see the difference between the two uploads.
Once your license is uploaded, you’ll have to configure the basic settings for your internal network, specifically the portion of the network that will be tied to your admin NIC. You can change the IP for the firewall and set a netmask. If you want the UTM to handle DHCP on this interface, click the check box and then set your desired range. It will end up looking similar to the screenshot on the right.
Next, you will establish your WAN interface for the UTM. For most home connections, you will select DHCP for “Address type.” As the page mentions, if you are on DSL instead of cable, you may have to add a username and password. If you have more than one spare NIC (and they all happen to be of the same make/model), this step may take some guess and check, which is another reason I recommended keeping the box in an accessible area during the setup process. If you don’t want to set up your Internet-facing NIC now, or you’re using this build completely internally, click the “Setup Internet connection later” box and move on to the next step. Additional NIC interfaces can be established under the “Interfaces” section of the Dashboard.
On the “Allowed Services” page, you are presented with options that will automatically add rules to the firewall once setup is completed. I use my “admin” network for very specific purposes, so I limit outbound traffic for that particular network segment. If you do not plan to maintain multiple networks on multiple NICs or VLANs, select whatever you’d like. Before you proceed, I would recommend deselecting both of the “Ping Settings” options so the UTM does not answer ICMP echo requests; the less a firewall reveals about itself, the better.
The next page is very straightforward. If you would like to make use of the UTM’s Intrusion Prevention engine and/or the Botnet Detection engine, select one or both items. I found that on my older machine (only 1 GB of RAM), these services were fairly taxing. On the new-ish machine (4 GB of RAM) however, I have not had any resource problems. They can always be enabled or disabled from the WebAdmin interface at a later time if there are any concerns one way or the other.
“Web Protection Settings” allows you to filter certain web-specific traffic based on content categories as well as scan downloads for viruses. This is another resource-intensive service, but it is fairly effective. If you have household members whom you would like to protect from the ravages of the Internet, feel free to select the appropriate categories. These settings can also be altered later (or added to/removed from additional networks) from the WebAdmin interface. I should note that I have had some issues with blocked admin interfaces on certain networks where web protection is enabled (i.e., blocking access to the WebAdmin page on a Guest Wireless network when web filtering is enabled). Use these at your own discretion.
The final settings page is for enabling Email Protection services. If you choose to set up an internal mail server and wish to scan POP3 traffic, this is where the initial configuration will take place. I do not make use of this particular service, so there is not much I can say about it, unfortunately.
The final page is just a summary of your chosen services and settings. Clicking “Finish” will complete the process and drop you back on the WebAdmin login page.
Now, whenever you log in to WebAdmin, you will be presented with the Sophos UTM Dashboard. This screen is a quick snapshot of the status of your device, its configuration, and all of the available interfaces. You may have to reset your modem before your WAN interface will work properly.
In the next post (it won’t take eight months this time), I’ll cover creating services definitions, setting firewall rules, and labeling assets.