A VDSL2 SFP modem can be used to connect directly to a VDSL line (via an RJ11 cable). These modules are not delivered with the appliance but are available through your Sophos partner. Note that there are different Mini-GBIC module types; the required type is determined by the existing network. The following SFP GBIC module type may be used: SFP: 1000 Base-T. The general SPF record for Central Email outbound scanning uses include:_spf.prod.hydra.sophos.com followed by an all mechanism; the hard-fail and soft-fail forms of that record are described under Replacing your SPF record below.

  1. Go to Network > Interfaces, click Add interface, and then click Add bridge.
  2. Enter a name. You can change this name later.

    Maximum number of characters: 58

    The subsystems will show the customizable Name and not the Hardware name of the interface.

  3. Enter a hardware name for the interface. You can't change this name later.

    Maximum number of characters: 10

    Allowed characters: (A-Za-z0-9_)

  4. Specify the settings.
    Option
    Description

    Enable routing on this bridge pair

    Turn on routing on this bridge.

    If you've turned it on, you must assign an IP address to the bridge interface.

    Interface

    Interfaces on which you can set up a bridge:
    • A physical interface, for example, Port1, PortA, or eth0.
    • RED
    • LAG
    • VLAN interface on a physical interface, RED, or LAG

    A bridge can have a maximum of 64 member interfaces.

    Zone

    Zone assigned to the interface.

    Member interfaces

    Interface and Zone of bridge members. You can select physical and VLAN interfaces.

    To add more interfaces, select the plus button.

    XG Firewall drops traffic related to bridge interfaces without an IP address if the traffic matches a firewall rule with web proxy filtering or if it matches a NAT rule. These dropped packets aren't logged. To prevent NAT rules from causing the traffic to drop, do the following:

    1. Go to Rules and policies > NAT rules and select the SNAT rule to edit.
    2. Select Override source translation for specific outbound interfaces.
    3. Set Outbound interface to the bridge interface without IP address.
    4. Set Translated source (SNAT) to Original and click Save.
  5. Optional: Specify the IPv4 or IPv6 configuration details. You must specify these settings if you selected routing on the bridge interface.
    Option
    Description

    IP assignment

    Method of assigning the IP address. Select from the following options:

    • Static
    • DHCP

    IPv4/netmask or IPv6/Prefix

    For static IP assignment, enter the IP address and select the netmask or prefix.

    Gateway name

    For bridge members with WAN ports, enter the gateway name.

    Gateway IP

    If you selected static IP assignment and bridge members with WAN ports, enter the gateway IP address.
  6. Specify the VLAN settings to forward or drop VLAN traffic passing through the bridge interface.

    Name

    Description

    Filter VLANs

    Select to drop VLAN traffic passing through the bridge interface.

    If you select filtering, but don't specify the permitted VLANs, XG Firewall drops tagged traffic from all the VLANs. Untagged traffic isn't dropped.

    VLAN filtering applies only to bridged traffic. It won't apply to routed traffic.

    Permitted VLAN ID or ID range

    Enter VLAN IDs or ranges (example: 20-35).

    Use this to forward traffic from the specified VLANs to the other bridge members.

  7. Optional: Specify the advanced settings. Use this to control broadcasts and traffic forwarded by the bridge interface.
    Option
    Description

    Permit ARP broadcast

    By default, bridge interfaces forward ARP (Address Resolution Protocol) broadcasts to discover the destination MAC addresses.

    Clear the check box to prevent ARP broadcasts. You can use this when there's a broadcast storm.

    In the absence of ARP broadcasts, bridge interfaces can't create a bridge table with MAC addresses. To specify IP-MAC binding, go to Network and create static entries using Neighbors (ARP–NDP).

    Turn on Spanning Tree Protocol (STP)

    Turn on STP to prevent bridge loops, which occur when there's more than one path between two bridge interfaces. Redundant paths can result in a broadcast storm in the network.

    STP also enables failover to redundant paths dynamically when the primary path fails.

    You can't turn on STP on any bridge interface when HA is enabled.

    STP max age

    Interval at which bridges transmit their configuration information. The default interval is 20 seconds.

    Bridges send bridge protocol data units (BPDU) to transmit information, such as their interface, MAC address, port priority to other bridges at the STP max age interval. This enables them to update their tables with the network topology. BPDUs help detect failed paths in the network.

    MAC aging

    Interval at which inactive MAC addresses are removed from the bridge table. The default interval is 300 seconds.

    Bridges record the timestamp of when they learn a MAC address. MAC addresses with timestamps older than the interval are removed.

    In dynamic networks, such as guest Wi-Fi networks, you can use lower MAC aging intervals. In stable networks, such as networks with data centers, you can use higher intervals.

    MTU

    MTU (Maximum Transmission Unit) value, in bytes. It's the largest packet size that a network can transmit. Packets larger than the specified value are divided into smaller packets before they are sent.

    If the MTU of the bridge interface and its members differs, the bridge interface inherits the lower value. To see the inherited MTU, go to the interface table.

    Example:

    Bridge MTU: 9000

    MTU of the interface used in VLAN (bridge member): 1500

    Inherited bridge MTU becomes 1500.

    Override MSS

    Select to override the MSS value.

    MTU is the sum of the TCP and IP header values and the payload value. When additional packet encapsulation takes place, for example in IPsec tunnels, the packet size can become larger than the defined MTU value, leading to dropped packets or additional fragmentation.

    Overriding the specified MSS value ensures that the packet size stays within the defined MTU value.

    MSS

    MSS (Maximum Segment Size), in bytes. It's the amount of data that can be transmitted in a TCP packet.

    Filter Ethernet frames

    The default setting allows all Ethernet frames to pass through the bridge.

    Select to drop Ethernet frames passing through the bridge. The drop setting doesn't affect ARP, IPv4, IPv6, 8021Q, and EXTE frames, which are always allowed.

    If you select filtering, but don't specify the permitted Ethernet frame types, XG Firewall drops traffic for all Ethernet frames except the frames that are always allowed.

    Forwarded Ethernet frame types

    Specify the EtherTypes whose Ethernet frames you want to forward through the bridge interface. Enter the four-digit hexadecimal ID of the EtherType.

    Example: AppleTalk (809B), Novell (8138), PPPoE (8863 and 8864)

    To update the log viewer with dropped packet details, go to System services > Log settings. Under Firewall, select Bridge ACLs.

    To see the logs, go to Log viewer and select Add filter. Set the field to Log component and Value to Bridge ACLs.

    Additionally, you can set the field to Log subtype and value to ARP broadcasts, EtherType filtering, or VLAN filtering.

  8. Click Save.
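The VLAN filtering (step 6) and Ethernet frame filtering (step 7) settings above have two edge cases worth checking before you save: filtering turned on with nothing permitted drops all tagged traffic (but never untagged traffic), and the EtherType filter drops everything except the always-allowed types and the EtherTypes you list. The following is an added example that models those documented rules so the behaviour can be tested against constructed frames; it is not Sophos code and uses no Sophos API. Assumptions: the always-allowed set is built from the IEEE EtherType codes for ARP (0x0806), IPv4 (0x0800), IPv6 (0x86DD) and 802.1Q (0x8100), the page's "EXTE" entry is not modelled, the EtherType check is applied to the frame's payload EtherType, and the returned log subtype strings are the ones listed for the Log viewer filter.

```python
# Added example (not Sophos code): a model of the documented bridge VLAN and
# EtherType filtering rules. Always-allowed set assumes the IEEE EtherType
# codes for ARP, IPv4, IPv6 and 802.1Q; the page's "EXTE" type is not modelled.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

ALWAYS_ALLOWED = {0x0806, 0x0800, 0x86DD, 0x8100}  # ARP, IPv4, IPv6, 802.1Q


def parse_vlan_ids(spec: str) -> set[int]:
    """Parse the 'Permitted VLAN ID or ID range' field, e.g. '10, 20-35'."""
    ids: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 4094:          # valid 802.1Q VLAN ID range
            raise ValueError(f"invalid VLAN ID or range: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def parse_ethertypes(spec: str) -> set[int]:
    """Parse the 'Forwarded Ethernet frame types' field, e.g. '809B, 8138'."""
    types: set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            if len(part) != 4:
                raise ValueError(f"EtherType must be four hex digits: {part!r}")
            types.add(int(part, 16))
    return types


@dataclass
class BridgeFilter:
    filter_vlans: bool = False
    permitted_vlans: set[int] = field(default_factory=set)
    filter_ethertypes: bool = False
    forwarded_ethertypes: set[int] = field(default_factory=set)


@dataclass
class Frame:
    ethertype: int                 # payload EtherType, e.g. 0x0800 for IPv4
    vlan_id: Optional[int] = None  # 802.1Q tag, or None for an untagged frame


def decide(bf: BridgeFilter, frame: Frame) -> tuple[str, str]:
    """Return (action, log_subtype) for one frame crossing the bridge.

    Untagged frames are never dropped by the VLAN filter; with VLAN filtering
    on and no permitted IDs, every tagged frame is dropped.
    """
    if bf.filter_vlans and frame.vlan_id is not None:
        if frame.vlan_id not in bf.permitted_vlans:
            return ("drop", "VLAN filtering")
    if bf.filter_ethertypes:
        if (frame.ethertype not in ALWAYS_ALLOWED
                and frame.ethertype not in bf.forwarded_ethertypes):
            return ("drop", "EtherType filtering")
    return ("forward", "")


def demo() -> list[tuple[str, str]]:
    """Constructed frames run through a filter that permits VLANs 20-35 and
    forwards AppleTalk (809B) and Novell (8138) but not PPPoE (8863/8864)."""
    bf = BridgeFilter(
        filter_vlans=True,
        permitted_vlans=parse_vlan_ids("20-35"),
        filter_ethertypes=True,
        forwarded_ethertypes=parse_ethertypes("809B, 8138"),
    )
    frames = [
        Frame(0x0800, vlan_id=25),    # tagged IPv4 in a permitted VLAN
        Frame(0x0800, vlan_id=99),    # tagged IPv4 in a VLAN that isn't permitted
        Frame(0x0806),                # untagged ARP: always allowed
        Frame(0x809B),                # untagged AppleTalk: explicitly forwarded
        Frame(0x8863),                # untagged PPPoE discovery: not forwarded
    ]
    return [decide(bf, f) for f in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The log subtype returned with each drop decision matches the Log viewer values named above (VLAN filtering, EtherType filtering), which is how you would confirm after enabling Bridge ACLs logging that a given drop came from the filter you expected rather than from the unlogged no-IP-address bridge case described in step 4.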

Sophos SPF record

Your organization should already have an SPF record for your domains registered with Microsoft Office 365. You need to update this record in the DNS zone for the relevant domain.


You can replace your existing SPF record or add to it, depending on your requirements.

It is normal to replace the record. However, if your outbound email is being routed through Sophos Email and Office 365 simultaneously for a period, you can add an include statement for Sophos Email to your existing SPF record.

You can use the all parameter in different ways. You must understand how to do this and the implications of your choice.

  • Hard fail:

    You can use a dash (-) before the all parameter for a hard fail. If your mail isn't sent from Sophos Email, and your recipients' mail servers carry out SPF checks, they will reject your mail.

  • Soft fail:

    You can use a tilde (~) before the all parameter instead, for a soft fail. The check doesn't fail outright when a sending IP address isn't in the record; evaluation continues through the rest of the record. If your recipients' mail servers carry out SPF checks, they won't reject your mail.

For more information on soft and hard fails, see How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.

Replacing your SPF record

If your outbound email is only routed through Sophos Email you can use the Sophos Email SPF record.

  • Remove v=spf1 include:spf.protection.outlook.com -all.
  • If you are certain that you do not have any third parties sending mail on your behalf, and all your outbound mail is routed through Sophos Email, you can set your record to:

    v=spf1 include:_spf.prod.hydra.sophos.com -all

  • If you aren't routing all your email through us, or you are unsure, use a soft fail:

    v=spf1 include:_spf.prod.hydra.sophos.com ~all
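To make the hard-fail and soft-fail choice concrete, the following is an added example (not Sophos code) of a minimal SPF evaluator run against constructed records: one domain publishing the -all form, one the ~all form, one that keeps the Office 365 include alongside the Sophos include for a migration period, and one with a bare all and no qualifier. The example.com publisher domains, the sending IP addresses (RFC 5737 documentation ranges) and the contents placed under the two include targets are all constructed placeholders; a real evaluator fetches the TXT records over DNS, and the real Sophos and Microsoft includes contain their actual sending ranges. Only the ip4/ip6, include and all mechanisms are modelled.

```python
# Added example (not Sophos code): a minimal SPF evaluator showing what the
# -all and ~all forms of the record do for a given sending IP address. The
# TXT "zone" below is constructed: domains, sender IPs and the contents of the
# include targets are placeholders, not the real published records.
import ipaddress

# Constructed TXT records, keyed by domain. Only ip4/ip6, include and all are
# modelled; a real evaluator also handles a, mx, exists, redirect and macros.
TXT = {
    "hard.example.com": "v=spf1 include:_spf.prod.hydra.sophos.com -all",
    "soft.example.com": "v=spf1 include:_spf.prod.hydra.sophos.com ~all",
    "both.example.com": ("v=spf1 include:spf.protection.outlook.com "
                         "include:_spf.prod.hydra.sophos.com -all"),
    "open.example.com": "v=spf1 include:_spf.prod.hydra.sophos.com all",  # no qualifier = +all
    # Placeholder contents for the include targets (constructed):
    "_spf.prod.hydra.sophos.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 caps DNS-querying terms per check


def check_host(ip: str, domain: str, zone: dict = TXT, depth: int = 0) -> str:
    """Return the SPF result for mail from `ip` claiming `domain`."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]           # terminal: every sender matches
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            sub = check_host(ip, arg, zone, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]       # included record vouches for the IP
            if sub in ("none", "permerror"):
                return "permerror"            # RFC 7208 section 5.2: missing include is an error
            # fail / softfail / neutral from the include: no match, keep going
        else:
            return "permerror"                # mechanism not modelled here
    return "neutral"                           # record ended without a match


def compare(ip: str) -> dict[str, str]:
    """Evaluate one sending IP against every constructed publisher domain."""
    return {d: check_host(ip, d) for d in TXT if d.endswith(".example.com")}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):  # constructed senders
        print(ip, compare(ip))
```

A sender inside the Sophos include's range passes under every record; a sender outside it gets "fail" from the -all record, "softfail" from the ~all record, and "pass" from the record with a bare all, which is why the qualifier must never be dropped when the record is edited. The migration case shows how keeping the Office 365 include lets mail from either path pass while the hard fail still applies to everything else.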