Sophos Firewall DHCP Options (SFOS)

This article will show you how to configure DHCP options on a Sophos firewall using the SFOS operating system.

Requirements

  • Sophos Appliance with SFOS

1. Create DHCP server

To be able to specify DHCP options, you need a DHCP server first. This can be created via the admin interface. Sophos has already explained how to do this in its own Knowledge Base article:

Important: The DHCP name should not contain spaces or special characters. Use, for example, CamelCase, or separate words with a hyphen (-) or underscore (_).

2. Connecting to the console

The DHCP options are not found in the WebAdmin GUI. You have to connect to the appliance via SSH to set them. On Windows you can use the tool PuTTY, and on macOS the pre-installed Terminal.

  1. Open the terminal of macOS and type ssh admin@192.168.1.1 into the console. When using PuTTY, you only need to enter the IP address. The IP address of your firewall can be different, of course. Afterwards you have to enter your username and password to log in to your firewall via SSH.
  2. After connecting, select 4. Device Console to get to the shell.
Sophos Firewall OS shell login overview

3. Configuring DHCP Option Objects

Sophos has written its own Knowledge Base article for this purpose, but in our view it is not easy to understand. What we find very useful in this article is the additional information about the DHCP options. This is why we have added a link to Sophos’s KB Post to help you find the complete table of options: https://community.sophos.com/kb/en-us/123529

Example 1 - Part 1

For example, do you have the problem that a Sophos RED 15w can’t detect the integrated access point? Let’s take this case as an example and see how you can create a DHCP option for it.

Define DHCP option

Before you can fill the option with data, you must first define an option. The command looks like this:

system dhcp dhcp-options add optioncode <Nr> optionname <SAMPLE-NAME> optiontype <TYPE>
  • Nr: Here you define the option code. There are a total of 255 such option codes. The KB post from Sophos contains the command to output all the option codes in the terminal.
  • SAMPLE-NAME: Here you can enter a name that best describes the option.
  • TYPE: Here you define the type that is needed for your option. The following types are available: array-of, boolean, four-byte, ipaddress, one-byte, string, two-byte

Important: When you use the examples, leave out the < and > characters.

The working command for our example now looks like this:

system dhcp dhcp-options add optioncode 234 optionname dhcp_magic_ip optiontype ipaddress

Example 1 - Part 2

Now that the option has been defined, we will enter the data. The command looks like this:

system dhcp dhcp-options binding add dhcpname <DHCP-NAME> optionname <SAMPLE-NAME>(234) value <VALUE>
  • DHCP-NAME: Enter the name of the DHCP server that you created using the GUI.
  • SAMPLE-NAME: Enter the same name as before. The spelling must be exactly the same.
  • VALUE: An IP address is expected as the value here. For our RED example, this would be the IP address of the RED 15w at the remote location.

The working command for our example now looks like this:

system dhcp dhcp-options binding add dhcpname dhcp_red_avanet optionname dhcp_magic_ip(234) value 10.10.10.12

Another example

Now that we’ve explained which two commands need to be sent, here are a few examples to help you create your own Sophos Firewall DHCP options.

With this option you tell a ThinClient which server its image is located on.

system dhcp dhcp-options add optioncode 161 optionname ThinClientServer optiontype ipaddress
system dhcp dhcp-options binding add dhcpname DHCP_Server_Avanet_LAN optionname ThinClientServer(161) value '10.10.10.12'

This option now specifies the port on which the ThinClient can reach the server. The option type chosen here is not ipaddress but string. Ideally, the manufacturer of the device will provide you with this information.

system dhcp dhcp-options add optioncode 192 optionname ThinClientServerPort optiontype string
system dhcp dhcp-options binding add dhcpname DHCP_Server_Avanet_LAN optionname ThinClientServerPort(192) value '443'
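
A way to check an option before typing it into the device console, as an added example that is not part of the original article or of any Sophos tooling: it builds the two commands shown above and rejects names, types and values that do not fit. The function names, the accepted code range of 1 to 254 and the character rules are assumptions of this example; boolean and array-of values only get the character check because the article does not show their syntax.

```python
import ipaddress
import re

# Option types listed in this article.
OPTION_TYPES = {"array-of", "boolean", "four-byte", "ipaddress",
                "one-byte", "string", "two-byte"}
# Upper bounds for the fixed-width integer types.
INT_MAX = {"one-byte": 0xFF, "two-byte": 0xFFFF, "four-byte": 0xFFFFFFFF}
# Letters, digits, hyphen, underscore: no spaces or special characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def check_value(optiontype, value):
    """Return the value as text, or raise ValueError if it does not fit the type."""
    text = str(value)
    if optiontype == "ipaddress":
        # AddressValueError is a ValueError, so bad addresses surface the same way.
        return str(ipaddress.IPv4Address(text))
    if optiontype in INT_MAX:
        number = int(text)
        if not 0 <= number <= INT_MAX[optiontype]:
            raise ValueError(f"{number} does not fit in {optiontype}")
        return str(number)
    # Assumption: refuse whitespace and quotes so a pasted value cannot
    # break out of the quoted argument and change the command.
    if not text or re.search(r"[\s'\"]", text):
        raise ValueError(f"unsafe characters in value: {text!r}")
    return text


def build_commands(dhcpname, code, optionname, optiontype, value):
    """Return [definition command, binding command] for one DHCP option."""
    for label, name in (("dhcpname", dhcpname), ("optionname", optionname)):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"{label} {name!r} has spaces or special characters")
    if optiontype not in OPTION_TYPES:
        raise ValueError(f"unknown optiontype {optiontype!r}")
    # Assumption: 0 and 255 are excluded (Pad and End in RFC 2132).
    if not 1 <= int(code) <= 254:
        raise ValueError(f"option code {code} is out of range")
    checked = check_value(optiontype, value)
    base = "system dhcp dhcp-options"
    return [
        f"{base} add optioncode {code} optionname {optionname} optiontype {optiontype}",
        f"{base} binding add dhcpname {dhcpname} optionname {optionname}({code}) value '{checked}'",
    ]


if __name__ == "__main__":
    # The ThinClient server example from this article.
    print("\n".join(build_commands("DHCP_Server_Avanet_LAN", 161, "ThinClientServer", "ipaddress", "10.10.10.12")))
```
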

Delete the option

If you want to delete such an option, use the following command:

system dhcp dhcp-options delete optionname dhcp_magic_ip(234)

Display DHCP options

This command gives you a list of all DHCP options already defined on the Sophos Firewall.

system dhcp dhcp-options list

Display DHCP options bindings

system dhcp dhcp-options binding show dhcpname <DHCP-NAME>
  • DHCP-NAME: This is the name of the DHCP server you have defined yourself.

The working command for our example now looks like this:

system dhcp dhcp-options binding show dhcpname DHCP_Server_Avanet_LAN