
Sophos Firewall From Scratch (2025): Dual-ISP Load Balancing, Failover, Staff/Guest Wi-Fi & Fewer CAPTCHAs

By Sys-Metrics

Who this is for (and what you’ll build)

This is a no-nonsense guide for new admins. You’ll take a factory-fresh Sophos Firewall (XGS) to production with: two ISPs, SD-WAN load balancing + automatic failover, VLAN-based Staff and Guest Wi-Fi, bandwidth shaping for 300+ users, and web policies tuned to reduce Google reCAPTCHA prompts (sticky egress + TLS exceptions). Links to official resources are included.

If you use Sophos Central, you can manage and monitor the firewall at central.sophos.com. For firmware/downloads visit Sophos Downloads.

Pick the right model (quick sizing)

For ~300–400 users with IPS + web filtering + occasional TLS inspection, aim for the XGS 2300 class or higher. Smaller branches: XGS 87–136 family. Campus/edge: XGS 2100/2300/3100. Check current datasheets and your subscription bundle (Network Protection, Web, Email, Zero-Day) on the Sophos site before purchasing.

Actual sizing depends on enabled features (IPS, TLS decryption), WAN speed, and traffic mix. When in doubt, choose the next tier up.

Start from factory default (zero to working GUI)

  1. Cable it: Connect your laptop to Port 1 (LAN) on the Sophos. Default LAN is usually 172.16.16.16/24.
  2. Set laptop IP: Static 172.16.16.2, mask 255.255.255.0, gateway 172.16.16.16.
  3. Open the wizard: Go to https://172.16.16.16:4444 → proceed past the browser warning.
  4. Initial setup: Create a strong admin password, set region/time zone, optionally register the device. You can link later in Sophos Central.
  5. Save and sign in: You’re on the dashboard.

Rename interfaces, set LAN & DHCP

  1. Network → Interfaces: Edit Port 1 → Zone = LAN, set IP 10.10.10.1/24 (or your plan). Enable DHCP (e.g., 10.10.10.50–10.10.10.250), DNS = internal AD or public (see below). Save.
  2. Reconnect: Renew your laptop’s IP to join 10.10.10.0/24. Reopen at https://10.10.10.1:4444.
  3. System → Administration → Device access: Allow HTTPS/SSH/Ping from LAN only. Disable from WAN.

Add both WAN links (ISP #1 and ISP #2)

  1. Network → Interfaces: Edit the port to ISP #1 → Zone = WAN → select DHCP or add static details. Name it WAN1. Save.
  2. Repeat for ISP #2 on another port. Name it WAN2.
  3. Network → WAN link manager: Confirm both gateways are Active. Add health checks for each (ISP gateway + 1.1.1.1 or 8.8.8.8). Threshold: fail 2 of 3, interval 5s.

DNS & time (stability + clean logs)

  1. Network → DNS: If you have Active Directory, point Staff clients to AD DNS; the firewall can forward to public resolvers (1.1.1.1/8.8.8.8). For Guests use public DNS.
  2. System → Time: Add pool.ntp.org or your corporate NTP, set the correct time zone.

Register & update firmware

  1. Register/claim the device in Sophos Central (optional but recommended).
  2. Backup first (System → Backup & firmware), then update to the latest recommended SFOS from Sophos Downloads.

Create VLANs for Staff & Guest Wi-Fi

  1. Network → VLANs → Add: VLAN 20 on the LAN bridge/port, IP 10.10.20.1/23, Zone = LAN. DHCP: 10.10.20.50–10.10.21.250.
  2. Add VLAN 30, IP 10.10.30.1/23, Zone = GUEST. DHCP: 10.10.30.50–10.10.31.250.
  3. AP/Switch side: Trunk VLANs 20 & 30 to your APs. Map SSIDs → Staff = VLAN 20, Guest = VLAN 30. Using Sophos APs? Configure in Central Wireless (APX/AP6 family).
  4. Product info (optional): Sophos Wireless/AP.
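Before typing the addressing plan above into the GUI, it helps to sanity-check it on paper: DHCP pools must sit inside their subnet (the /23 pools deliberately span two third octets), the gateway must not be inside the pool, no two subnets may overlap, and the Guest VLAN must not land in zone LAN or the Guest → LAN block rule later in this guide has nothing to match. This is an added example, not Sophos code; the `PLAN` data is the guide's own plan written down, and the `guest` flag is an assumption used only by the check.

```python
import ipaddress

# The guide's addressing plan (LAN on Port 1 plus the two Wi-Fi VLANs),
# written down as data so subnets and DHCP pools can be sanity-checked
# before they are typed into the GUI. "guest" is a flag for the check below.
PLAN = {
    "LAN":    {"zone": "LAN",   "guest": False, "gateway": "10.10.10.1/24",
               "pool": ("10.10.10.50", "10.10.10.250")},
    "VLAN20": {"zone": "LAN",   "guest": False, "gateway": "10.10.20.1/23",
               "pool": ("10.10.20.50", "10.10.21.250")},
    "VLAN30": {"zone": "GUEST", "guest": True,  "gateway": "10.10.30.1/23",
               "pool": ("10.10.30.50", "10.10.31.250")},
}

def check_segment(name, seg):
    """Return the problems found in one segment (an empty list means OK)."""
    problems = []
    iface = ipaddress.ip_interface(seg["gateway"])
    net = iface.network
    lo, hi = (ipaddress.ip_address(a) for a in seg["pool"])
    if lo > hi:
        problems.append(f"{name}: DHCP pool start {lo} is above its end {hi}")
    for addr in (lo, hi):
        if addr not in net:
            problems.append(f"{name}: pool address {addr} is outside {net}")
    if lo <= iface.ip <= hi:
        problems.append(f"{name}: gateway {iface.ip} sits inside the DHCP pool")
    if {lo, hi} & {net.network_address, net.broadcast_address}:
        problems.append(f"{name}: pool touches the network or broadcast address")
    if seg["guest"] and seg["zone"] == "LAN":
        problems.append(f"{name}: guest segment in zone LAN defeats the Guest→LAN block")
    return problems

def check_plan(plan):
    """Run every per-segment check and reject overlapping subnets."""
    problems = [p for n, s in plan.items() for p in check_segment(n, s)]
    nets = [(n, ipaddress.ip_interface(s["gateway"]).network) for n, s in plan.items()]
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                problems.append(f"{a} ({na}) overlaps {b} ({nb})")
    return problems

def pool_size(seg):
    """Number of leases a DHCP pool can hand out."""
    lo, hi = (ipaddress.ip_address(a) for a in seg["pool"])
    return int(hi) - int(lo) + 1

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
    for name, seg in PLAN.items():
        print(f"{name}: {pool_size(seg)} leases")
```

The /23 pools give 457 leases each, which is the headroom you want for 300+ Wi-Fi clients with phones and laptops both attached.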

SD-WAN: load balance + failover with “Google stickiness”

We’ll keep Google properties on a single WAN to avoid mid-session IP changes that can trigger CAPTCHAs.

  1. Objects → FQDN group → Add: Google-Core with *.google.com, *.gstatic.com, *.googleapis.com, *.youtube.com, *.googleusercontent.com.
  2. Routing / SD-WAN → Profiles: Create SLA: Latency ≤100 ms, Jitter ≤30 ms, Loss ≤1%.
  3. Routing / SD-WAN → Routes:
    • Policy 1 – Google sticky (Staff): Src = LAN + VLAN20, Dst = FQDN Google-Core, Primary = WAN1, Backup = WAN2.
    • Policy 2 – Realtime apps: Src = LAN + VLAN20, App group = VoIP/Video, Strategy Best Quality using SLA across WAN1/WAN2.
    • Policy 3 – Staff default: Src = LAN + VLAN20, Any → Strategy Load Balance (e.g., WAN1 weight 70, WAN2 weight 30) or Primary/Backup.
    • Policy 4 – Guest default: Src = VLAN30, Any → Primary WAN2, Backup WAN1 (or inverse weights).
You can add similar sticky policies for Microsoft 365 or other SaaS if users see frequent re-auth challenges.
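To see how the four routes and the "fail 2 of 3" health check interact before relying on them, here is an added model of that logic (not SFOS code and not the vendor's algorithm): the Google-Core FQDN group, the SLA thresholds and the 70/30 weights are the guide's values; the `WanLink` and `choose_wan` names are assumptions, and weighted load balancing is simplified to "highest-weight link that is up" rather than per-flow spreading.

```python
from collections import deque
from fnmatch import fnmatch

# Constructed model of the guide's health check (fail 2 of 3) and its four
# SD-WAN routes, evaluated top to bottom. Not SFOS code; load balancing is
# simplified to "highest-weight link that is up" instead of per-flow spreading.
GOOGLE_CORE = ["*.google.com", "*.gstatic.com", "*.googleapis.com",
               "*.youtube.com", "*.googleusercontent.com"]
SLA = {"latency": 100, "jitter": 30, "loss": 1.0}   # ms, ms, percent
class WanLink:
    def __init__(self, name, weight):
        self.name, self.weight = name, weight
        self.probes = deque(maxlen=3)                 # last three probe results
        self.metrics = {"latency": 0, "jitter": 0, "loss": 0.0}
    def probe(self, ok, **metrics):
        self.probes.append(ok)
        self.metrics.update(metrics)
    @property
    def up(self):                                     # down once 2 of 3 probes fail
        return sum(1 for ok in self.probes if not ok) < 2
    def meets_sla(self):
        return self.up and all(self.metrics[k] <= SLA[k] for k in SLA)

def choose_wan(src_zone, dst_fqdn, app, links):
    """Return the WAN name a new flow would take, or None if nothing is up."""
    wan1, wan2 = links["WAN1"], links["WAN2"]
    first_up = lambda *order: next((l.name for l in order if l.up), None)
    if src_zone in ("LAN", "VLAN20"):
        if dst_fqdn and any(fnmatch(dst_fqdn, p) for p in GOOGLE_CORE):
            return first_up(wan1, wan2)               # route 1: Google sticky
        if app in ("VoIP", "Video"):                  # route 2: best quality
            good = [l for l in (wan1, wan2) if l.meets_sla()]
            if good:
                return min(good, key=lambda l: l.metrics["latency"]).name
            return first_up(wan1, wan2)
        up = [l for l in (wan1, wan2) if l.up]        # route 3: weighted 70/30
        return max(up, key=lambda l: l.weight).name if up else None
    if src_zone == "VLAN30":
        return first_up(wan2, wan1)                   # route 4: guest default
    return None

def failover_demo():
    """Google traffic stays on WAN1 until its health check fails 2 of 3."""
    links = {"WAN1": WanLink("WAN1", 70), "WAN2": WanLink("WAN2", 30)}
    for l in links.values():
        l.probe(True, latency=20, jitter=5, loss=0.0)
    before = choose_wan("VLAN20", "www.google.com", None, links)
    for _ in range(2):
        links["WAN1"].probe(False)
    return before, choose_wan("VLAN20", "www.google.com", None, links)
```

Note that a single failed probe does not move Google traffic; only the second failure within the last three does, which is exactly the flap behaviour the health-check threshold is meant to dampen.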

NAT rules (deterministic egress)

  1. Rules & Policies → NAT rules → Add: Staff-to-WAN MASQ — Source zones LAN + VLAN20, Dest = Any, MASQ (outgoing interface). Place above generic MASQ.
  2. Guest-to-WAN MASQ — Source zone VLAN30, Dest = Any, MASQ.
  3. Optional (best): If ISP gave a /29, SNAT Guests to a dedicated public IP. This isolates Guest reputation and further reduces CAPTCHAs for staff.

Firewall rules (allow good, block lateral)

  1. Rules & Policies → Firewall rules → Add (top to bottom):
    1. Staff → WAN (Allow): Web policy = Staff, App control = Productivity, IPS = LAN→WAN, AV = ON, Linked NAT = Staff MASQ.
    2. Guest → WAN (Allow): Web policy = Guest-Safe (block malware, adult, proxies/VPN), IPS ON, Linked NAT = Guest MASQ.
    3. Guest → LAN (Block): Drop. Log this rule.
    4. Staff → Servers (Allow minimal): Limit to specific server IPs/ports (RDP/HTTPS/SQL as needed).

Web filtering & TLS inspection (for fewer CAPTCHAs)

  1. Rules & Policies → Web policies: Create Staff (light productivity blocks) and Guest-Safe (stricter: proxies/VPN/gambling/warez).
  2. Web → SSL/TLS inspection: Use Inspection for Staff but add Do-not-decrypt exceptions for: *.google.com, *.gstatic.com, *.googleapis.com, *.youtube.com, *.googleusercontent.com (and banking/health portals). This prevents breakage and reduces CAPTCHAs.
  3. Make sure you’re not forcing random proxy categories for Staff; over-aggressive policies can trigger challenges.

Traffic shaping for ~300–400 users

  1. WAN link manager: Enter accurate up/down for WAN1/WAN2 (from ISP speed tests).
  2. Rules & Policies → Traffic shaping: Create Realtime-High for Zoom/Teams/VoIP (high priority, no hard cap). Apply to Staff rule.
  3. Create Guest-Cap (e.g., per-user 5–10 Mbps down / 2 Mbps up). Apply to Guest rule.
  4. QoS on switches/APs: Trust DSCP; mark EF for VoIP where applicable.

Guest Wi-Fi portal (optional)

  1. Authentication → Captive portal: Enable for GUEST zone — click-to-accept, voucher, or social login (per your policy).
  2. Whitelist OS update/CDN domains in the walled garden so basic connectivity works pre-auth.

Security hygiene & admin hardening

  • Intrusion Prevention: Use LAN→WAN profile on Staff and Guest rules.
  • Device access: Disable WAN admin; manage via Sophos Central or a VPN/jump host.
  • Backups: Schedule nightly backups; export a copy to secure storage.
  • Certificates: Import your internal CA if you’ll deploy TLS inspection to domain devices.
  • Advanced threat: Enable anti-spoof, DoS/port-scan protection.

Monitoring & alerts (don’t fly blind)

  • Log viewer & Reports: Watch SD-WAN decisions, web blocks, IPS hits.
  • Email alerts: System → Notifications: WAN down/up, CPU/mem, IPS sig failures.
  • In Central, set up Health and Security alerts for 24×7 visibility.

10-minute smoke test

✅ Staff gets IP on 10.10.20.0/23; Guest on 10.10.30.0/23
✅ Staff default egress honors policy (load balance or WAN1 primary)
✅ Google/YouTube stable with few/no reCAPTCHAs (sticky + TLS skip)
✅ Zoom/Teams follows SLA, picks best WAN
✅ Pull WAN1 cable: Staff/Guest fail over; reinsert: recover
✅ Guest cannot reach LAN; Staff can reach only allowed servers
✅ Guest bandwidth capped; Staff realtime flows prioritized
✅ Reports show SD-WAN routing, web categories, IPS blocks

Troubleshooting quick wins

WAN up but no Internet
• NAT rule order (Staff/Guest MASQ above generic)
• Gateway health checks failing (wrong targets)
• DNS mispointed (AD vs public)
CAPTCHAs everywhere
• Remove TLS inspection for Google domains
• Add sticky SD-WAN policy (Google-Core → WAN1)
• Avoid frequent WAN flaps or weighted 50/50 on SaaS traffic
Need deeper docs? Start at Sophos Central (central.sophos.com), Sophos Downloads for firmware, and Sophos Wireless for APs.

FAQ

Q: Can I put Guests on a separate public IP? A: Yes—use an additional static IP (/29 from ISP) and an SNAT rule for Guest. It improves reputation and reduces CAPTCHAs for staff.

Q: Should I TLS-inspect everything? A: No. Start with Staff only and exclude well-known sensitive/brittle domains (banking/health/Google CDN). Roll out a root CA to managed devices first.

Q: One ISP slower—still load balance? A: Yes, with weighted load balance (e.g., 70/30). Keep SaaS sticky to the better line.