Port numbering in Sophos XG Home on Sophos appliances

By Andreas Walker 21 May, 2022

Sophos XG appliances with SFP dual-personality ports (e.g., Sophos XG 105 Rev. 3) have different port numbering than printed on the appliance. This will be corrected in the appliance-specific SFOS firmware. When installing Sophos Home or another firewall OS (e.g. OPNsense or PFsense), this correction is naturally not made.

Sophos XG 105 Rev. 3

Anyone who has ever installed Sophos XG Home on a newer Sophos XG 105 Rev. 3 appliance will have noticed that the port marked as port 2 on the appliance simply goes down after the installation is complete. In addition, the port marked as port 1 will not issue a DCHP lease to a connected device.

After a bit of trial and error, I noticed that on port 4, the appliance is assigning an IP address from the 172.16.16.0/24 subnet via DHCP to the connected Notebook. This is because Sophos XG Home, unlike the native installation, numbers the interfaces strictly according to the PCI identifier. In this case, the shared SFP / Gigabit port has the PCI ID pci0:1:0:0, and is therefore recognized as “Port 1” and used as the default LAN interface.

Other firewall operating systems such as OPNsense are also affected by this problem. The ports are assigned differently from the labeling on the hardware.

This results in the following port numbering in Sophos XG Home / OPNsense:

Port numbering of the Sophos XG 105 Rev.3 appliance in Sophos XG Home / OPNsense

Native SFOS installations correct this via customized port mappings in the appliance-specific firmware.

Other Sophos XG appliances

According to my current knowledge, this problem only affects the newer Sophos XG appliances with sharred SFP ports. It seems that the ports are numbered more or less strictly from left to right.

Method for detecting deviating port numbering

A good tool for detecting port mappings is OPNsense. This can be booted as a live system from a USB stick. After that you can watch in the shell which interfaces go UP & Down.

The following console capture of an OPNsense instance on a Sophos XG 105 Rev. 3 shows how the Gigabit interfaces 1-4 are connected in the order of the labeling on the appliance. The interface ID is highlighted in yellow:

root@OPNsense:~ # 
igb1: link state changed to UP
igb2: link state changed to UP
igb3: link state changed to UP
igb0: link state changed to UP

It should be noted that the interface numbering under BSD starts with 0. Therefore, the interface “igb0” corresponds to Port 1 in Sophos XG Home.

Related links

Sources

Andreas Walker completed an apprenticeship in gastronomy and worked in this industry for almost 15 years. In addition to his work in the hospitality industry, he built up a small IT company and supported small SMEs in IT projects in his spare time. Over time, he slipped into the IT of his employer and managed the site IT of a business hotel of the internationally active hotel chain IHG. In the summer of 2019, he graduated with an Advanced Federal Diploma of Higher Education in Information Technology. Since spring 2019, Andreas Walker is working for a local IT provider in the canton of Glarus as a system engineer, where he primarily supports SME customers.