VDSL2 SFP modem to directly connect to a VDSL line (via an RJ11 cable). These modules are not delivered with the appliance but are available through your Sophos partner. Please note that there are different Mini-GBIC module types. The required type is determined by the existing network. The following SFP GBIC module types may be used: SFP: 1000 Base-T.
The following is the general SPF record for Central Email outbound scanning. V=spf1 include:spf.prod.hydra.sophos.com all. It expands into the following SPF records as shown in.
Maximum number of characters: 58
The subsystems will show the customizable Name and not the Hardware name of the interface.
Maximum number of characters: 10
Allowed characters: (A-Za-z0-9_)
Description | |
---|---|
Enable routing on this bridge pair | Turn on routing on this bridge. If you've turned it on, you must assign an IP address to the bridge interface. |
Interface | Interfaces on which you can set up a bridge:
A bridge can have a maximum of 64 member interfaces. |
Zone | Zone assigned to the interface. |
Member interfaces | Interface and Zone of bridge members. You can select physical and VLAN interfaces. To add more interfaces, select the plus button. |
XG Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent NAT rules from causing the traffic to drop, do the following:
Description | |
---|---|
IP assignment | Method of assigning the IP address. Select from the following options:
|
IPv4/netmask or IPv6/Prefix | For static IP assignment, enter the IP address and select the netmask or prefix. |
Gateway name | For bridge members with WAN ports, enter the gateway name. |
Gateway IP | If you selected static IP assignment and bridge members with WAN ports, enter the gateway IP address. |
Description | |
---|---|
Filter VLANs | Select to drop VLAN traffic passing through the bridge interface. If you select filtering, but don't specify the permitted VLANs, XG Firewall drops tagged traffic from all the VLANs. Untagged traffic isn't dropped. VLAN filtering applies only to bridged traffic. It won't apply to routed traffic. |
Permitted VLAN ID or ID range | Enter VLAN IDs or ranges (example: 20-35). Use this to forward traffic from the specified VLANs to the other bridge members. |
Description | |
---|---|
Permit ARP broadcast | By default, bridge interfaces forward ARP (Address Resolution Protocol) broadcasts to discover the destination MAC addresses. Clear the check box to prevent ARP broadcasts. You can use this when there's a broadcast storm. In the absence of ARP broadcasts, bridge interfaces can't create a bridge table with MAC addresses. To specify IP-MAC binding, go to Network and create static entries using Neighbors (ARP–NDP). |
Turn on Spanning Tree Protocol (STP) | Turn on STP to prevent bridge loops, which occur when there's more than one path between two bridge interfaces. Redundant paths can result in a broadcast storm in the network. STP also enables failover to redundant paths dynamically when the primary path fails. You can't turn on STP on any bridge interface when HA is enabled. |
STP max age | Interval at which bridges transmit their configuration information. The default interval is 20 seconds. Bridges send bridge protocol data units (BPDUs) to transmit information, such as their interface, MAC address, and port priority, to other bridges at the STP max age interval. This enables them to update their tables with the network topology. BPDUs help detect failed paths in the network. |
MAC aging | Interval at which inactive MAC addresses are removed from the bridge table. The default interval is 300 seconds. Bridges record the timestamp of when they learn a MAC address. MAC addresses with timestamps older than the interval are removed. In dynamic networks, such as guest Wi-Fi networks, you can use lower MAC aging intervals. In stable networks, such as networks with data centers, you can use higher intervals. |
MTU | MTU (Maximum Transmission Unit) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they are sent. If the MTU of the bridge interface and its members differs, the bridge interface inherits the lower value. To see the inherited MTU, go to the interface table. Example: Bridge MTU: 9000; MTU of the interface used in VLAN (bridge member): 1500; inherited bridge MTU becomes 1500. |
Override MSS | Select to override the MSS value. MTU is the sum of the TCP and IP header values and the payload value. When additional packet encapsulation takes place, for example in IPsec tunnels, the packet size can become larger than the defined MTU value, leading to dropped packets or additional fragmentation. Overriding the specified MSS value ensures that the packet size stays within the defined MTU value. |
MSS | MSS (Maximum Segment Size), in bytes. It's the amount of data that can be transmitted in a TCP packet. |
Filter Ethernet frames | The default setting allows all Ethernet frames to pass through the bridge. Select to drop Ethernet frames from passing through the bridge. The drop setting doesn't affect the frames of ARP, IPv4, IPv6, 8021Q, EXTE traffic, which are always allowed. If you select filtering, but don't specify the permitted Ethernet frame types, XG Firewall drops traffic for all Ethernet frames except the frames that are always allowed. |
Forwarded Ethernet frame types | Specify the EtherTypes whose Ethernet frames you want to forward through the bridge interface. Enter the four-digit hexadecimal ID of the EtherType. Example: AppleTalk (809B), Novell (8138), PPPoE (8863 and 8864) |
To see the logs, go to Log viewer and select Add filter. Set the field to Log component and Value to Bridge ACLs.
Additionally, you can set the field to Log subtype and value to ARP broadcasts, EtherType filtering, or VLAN filtering.
Your organization should already have an SPF record for your domains registered with Microsoft Office 365. You need to update this record in the DNS zone for the relevant domain.
You can replace your existing SPF record or add to it, depending on your requirements.
It is normal to replace the record. However, if your outbound email is being routed through Sophos Email and Office 365 simultaneously for a period, you can add an include statement for Sophos Email to your existing SPF record.
You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.
You can use a dash (-) before the all parameter for a hard fail. If your mail isn't sent from Sophos Email, and your recipients' mail servers carry out SPF checks, they will reject your mail.
You can use a tilde (~) before the all parameter instead, for a soft fail. The command won't fail if an IP address doesn't exist; it continues and processes the rest of the IP addresses. If your recipients' mail servers carry out SPF checks, they won't reject your mail.
If your outbound email is only routed through Sophos Email, you can use the Sophos Email SPF record.
v=spf1 include:_spf.prod.hydra.sophos.com ~all
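The following Python sketch is an added example, not Sophos code. It adds the Sophos Email include to an existing record ahead of the all mechanism, reports whether all gives a hard or soft fail, and counts DNS-querying terms against the RFC 7208 limit of 10. The function names are hypothetical, and the Office 365 include `spf.protection.outlook.com` in the constructed sample record is an assumption that does not appear on this page.

```python
import re

SOPHOS_INCLUDE = "include:_spf.prod.hydra.sophos.com"   # taken from the page
LOOKUP_LIMIT = 10          # RFC 7208 limit on DNS-querying terms per check
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}
_DNS_TERM = re.compile(r"^(?:(?:include|exists|ptr|a|mx)(?=[:/]|$)|redirect=)", re.I)
_ALL = re.compile(r"^[+\-~?]?all$", re.I)


def terms(record):
    """Split a record into its terms, rejecting anything that is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    return parts[1:]


def all_policy(record):
    """Return the result the 'all' mechanism gives, or None if it is absent."""
    for term in terms(record):
        if _ALL.match(term):
            return QUALIFIERS.get(term[0], "pass")   # a bare 'all' means '+all'
    return None


def add_sophos_include(record):
    """Insert the Sophos include before 'all'; terms after 'all' are never reached."""
    body = terms(record)
    if any(t.lower() == SOPHOS_INCLUDE for t in body):
        return record                                # already present, unchanged
    pos = next((i for i, t in enumerate(body) if _ALL.match(t)), len(body))
    body.insert(pos, SOPHOS_INCLUDE)
    return " ".join(["v=spf1"] + body)


def audit(record):
    """Summarise what a reviewer checks before publishing the record."""
    body = terms(record)
    lookups = sum(1 for t in body if _DNS_TERM.match(t.lstrip("+-~?")))
    return {
        "policy": all_policy(record),
        "sophos_included": any(t.lower() == SOPHOS_INCLUDE for t in body),
        "top_level_lookups": lookups,    # nested includes add more at query time
        "within_lookup_limit": lookups <= LOOKUP_LIMIT,
    }

# Constructed sample: an Office 365-only record before mail is also sent via Sophos Email.
existing = "v=spf1 include:spf.protection.outlook.com -all"
merged = add_sophos_include(existing)
```

The lookup count covers only the terms in the record itself; each include expands into further records whose terms also count toward the limit when a receiver evaluates it.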