Transforming a Sophos XG into a Wireless Controller: Configuration Steps
I had a client who wanted to keep two APX access points but swap the firewall brand. They wanted the Sophos XG to act solely as a wireless controller. That is doable, but it needs a clear plan. Below I walk through the decision points, the exact steps I use, and the checks that prove it works.
Decide: factory reset or clean the existing config
Start with the basics. Back up the current XG configuration. Export it from System > Backup. Keep a copy offline. I do this before any major change.
Next, check AP support. Sophos manages APs in a few different ways, and some APX models are managed only through Sophos Central. Check the official compatibility lists so you are not chasing unsupported hardware; Supported access points – Sophos Central Admin and Access points – Sophos Firewall are the two pages I check first. If your APX model requires Central, put those APs into Central rather than forcing them onto the XG.
If the APs are supported by the XG, decide whether to factory reset. I use this rule of thumb:
- If the XG config is small and tidy, cleaning interfaces, NAT and rules is faster. That keeps useful items like static routes or logs.
- If the XG carried a complex, tangled firewall configuration or unknown custom rules, factory reset is safer. It removes legacy cruft that breaks access point management and VLANs.
Factory reset pros: clean slate, fewer surprises. Cons: you must reapply any needed routes, licences and static IPs. Cleaning pros: quicker, preserves non-wireless functions you want. Cons: you can miss hidden dependencies.
For a purpose-built wireless controller role I usually choose factory reset. It forces me to document the new minimal configuration. If you prefer not to reset, note every interface, policy and NAT rule you remove.
Step-by-step: convert the XG to a dedicated Sophos XG Wireless Controller
Below are the steps I follow, with concrete examples and verification checks. I keep sentences short and the examples concrete.
Preparation
- Backup current config and save the export. Take a screenshot of the current Wireless Protection and interface map.
- Note licences. If you move APs to Sophos Central later, check Central licensing and onboarding workflows.
If you choose factory reset
- Go to System > Backup & firmware. Download a local backup. Then go to System > Device > Reset to factory defaults.
- After reset, set the admin password and update firmware to a recent SFOS supported by your AP series.
Create the management plane
- Create a management interface for APs. Example: interface mgmt0 on VLAN 10 with IP 10.10.10.1/24.
- Create a DHCP scope for APs and client devices on that VLAN. Example: 10.10.10.10–10.10.10.250, gateway 10.10.10.1, DNS as required.
- Add a static route if your APs or management tools live in another subnet.
Enable wireless on the XG
- In the XG admin, go to Wireless Protection (the menu varies by firmware). Turn on wireless protection.
- Add a wireless network (an SSID). Example: OFFICE-STAFF mapped to VLAN 20, guest SSID mapped to VLAN 30.
- Choose bridging mode or NAT mode for each SSID. For a simple network setup I bridge VLANs to the wired network so clients get policy and DHCP from the firewall.
Access point onboarding and grouping
- Plug the APs into switch ports in the management VLAN. Ensure each AP has a route to the XG management IP.
- In Wireless Protection > Access Points, click Add access point. Follow the wizard to give the AP a name and group.
- Create AP groups when you need different SSID maps or radio settings. Example: AP group “Ground Floor” with higher transmit power, “Office” with reduced power.
Firewall configuration and network policies
- Allow management traffic from APs to the XG. In practice, the XG already listens for APs if on the same VLAN. If APs are remote, permit the management protocol and ports between subnets. Keep rules tight; only open what is needed.
- Create firewall rules for client traffic. Example rules:
  - Allow STAFF_VLAN to LAN and WAN as required.
  - Deny STAFF_VLAN to MGMT_VLAN except for authorised services.
  - Guest VLAN: restrict to internet only.
- Apply IDS/IPS and web filtering only where needed. I limit deep inspection on guest VLANs to avoid user issues.
Specifics for APX and AP models
- Some APX models may be newer and only supported via Sophos Central Wireless. Confirm model support before you waste time onboarding. Use the support pages I linked earlier.
- If you have APX devices that can be managed by the XG, the on-box process will show them under Wireless Protection once they have contacted the firewall and been assigned to a valid group.
Verification and testing
- Check Access Points list. The AP should appear as Connected and show firmware and radio status.
- Confirm SSID is broadcasting. Use a laptop or phone to scan for the SSID.
- Connect a client. Check it gets an IP from the assigned VLAN DHCP range.
- Verify traffic flows and policy. From the client, test internet and internal resource access as per the policy. Confirm guest isolation works if configured.
- Look at logs: Wireless Protection and Network > Firewall logs. Confirm there are no blocked management packets.
Troubleshooting notes
- If APs do not appear, confirm they can reach the XG. Ping the management IP from a device in the same VLAN.
- Check VLAN tagging on trunk ports. A wrong tag is the most common cause.
- If you see odd DHCP behaviour, confirm the DHCP server is bound to the correct interface.
- If AP firmware mismatches are an issue, update AP firmware from the XG or Central depending on model support.
Concrete example configuration I use
- MGMT VLAN 10: 10.10.10.1/24. DHCP 10.10.10.10–10.10.10.50.
- STAFF VLAN 20: bridged SSID OFFICE-STAFF. DHCP 10.20.0.10–10.20.0.200.
- GUEST VLAN 30: SSID GUEST-INTERNET with captive portal and internet-only firewall rule.
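To sanity-check the addressing plan and the firewall rule intent above before touching the XG, I model them in a short script. This is an added example, not Sophos code and not a feature of the firewall: the MGMT values are the ones listed here, the STAFF and GUEST subnets and gateways are assumed /24s, and the “authorised services” to MGMT are assumed to be DNS and NTP. Rules are evaluated first-match with an implicit final deny, which is how a firewall policy behaves, so the script exposes rule-ordering mistakes such as an allow to LAN placed ahead of the deny to MGMT.

```python
import ipaddress

# Constructed addressing plan: MGMT from the article, STAFF/GUEST subnets assumed.
# (subnet, gateway, DHCP scope start, DHCP scope end)
VLANS = {
    "MGMT":  ("10.10.10.0/24", "10.10.10.1", "10.10.10.10", "10.10.10.50"),
    "STAFF": ("10.20.0.0/24",  "10.20.0.1",  "10.20.0.10",  "10.20.0.200"),
    "GUEST": ("10.30.0.0/24",  "10.30.0.1",  "10.30.0.10",  "10.30.0.200"),
}
INTERNAL = set(VLANS) | {"LAN"}   # every zone that is not the internet

# Policy in evaluation order: (src zone, dst zone, services or None=any, action).
# First match wins; anything unmatched is denied. The service set is an assumption.
RULES = [
    ("STAFF", "MGMT", {"dns", "ntp"}, "allow"),   # authorised services only
    ("STAFF", "MGMT", None,           "deny"),    # must precede the LAN/WAN allows
    ("STAFF", "LAN",  None,           "allow"),
    ("STAFF", "WAN",  None,           "allow"),
    ("GUEST", "WAN",  None,           "allow"),   # guest: internet only
]

def check_scope(name):
    """Return a list of problems with a VLAN's DHCP scope (empty list = ok)."""
    net_s, gw_s, lo_s, hi_s = VLANS[name]
    net = ipaddress.ip_network(net_s)
    gw, lo, hi = (ipaddress.ip_address(x) for x in (gw_s, lo_s, hi_s))
    problems = []
    if lo > hi:
        problems.append("scope start is after scope end")
    if lo not in net or hi not in net:
        problems.append("scope lies outside the VLAN subnet")
    if lo <= gw <= hi:
        problems.append("gateway address sits inside the DHCP scope")
    return problems

def evaluate(src, dst, service):
    """First-match rule evaluation with an implicit final deny."""
    for r_src, r_dst, r_svc, action in RULES:
        if r_src == src and r_dst == dst and (r_svc is None or service in r_svc):
            return action
    return "deny"

def guest_is_isolated(services=("http", "dns", "ssh")):
    """Guest may reach WAN and nothing internal, for every service tried."""
    return (evaluate("GUEST", "WAN", "http") == "allow" and
            all(evaluate("GUEST", z, s) == "deny" for z in INTERNAL for s in services))

if __name__ == "__main__":
    for v in VLANS:
        print(v, check_scope(v) or "scope ok")
    print("guest isolated:", guest_is_isolated())
```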
Final checks and operational tips
- Document the minimal firewall configuration. Keep a named backup after you finish.
- Label switch ports so future changes do not break the management VLAN.
- If long-term AP management is a goal, consider moving APs to Sophos Central for easier lifecycle updates. That is the current Sophos direction for many APX models.
If you follow the steps above you will have a Sophos XG acting as a dedicated wireless controller with clean access point management and predictable network policies.