Many firewall deployments do not have a fixed public IP address and instead receive a dynamically allocated IP from the ISP connected to the WAN interface. This dynamic IP can change over time, causing issues if you need access to the firewall from the outside.

Dynamic DNS is a service you can use to keep the site accessible from the outside. Routers, firewalls or other network devices can register a public DNS name with a Dynamic DNS service. When they receive a new public IP address from the ISP, they contact the Dynamic DNS service and update the public DNS name with the new IP. You can then simply use the public DNS name to access the firewall from the outside, and it will always point to the correct IP address.

Well-known providers of such services include:

  • DynDNS
  • ZoneEdit
  • EasyDNS
  • DynAccess

Some of these providers offer a free Dynamic DNS service, but none of them are free for commercial use, or for use at scale.

The Sophos XG Firewall supports these four Dynamic DNS providers, but it also includes a fifth provider simply called Sophos, and the great news is it’s free! Well, free in the sense that it is covered by your Sophos subscription license, without requiring additional subscriptions/fees.

How to Configure Sophos XG’s Free Dynamic DNS Service

To get started with Sophos XG’s free Dynamic DNS service:

  1. Browse to Configure | Network | Dynamic DNS
  2. Click the Add button
  3. For hostname, specify <yourdesiredname>.myfirewall.co
  4. Select your External interface, normally Port2
  5. Set the IPv4 Address to NATed Public IP address (if the interface is set to the actual DSL dial-up PPPoE interface, then you would select “Use Port IP”)
  6. Set the IP Edit check interval to 5 minutes
  7. Set the Service provider to Sophos
  8. Click Save

You will be redirected to the Dynamic DNS screen, and see the status of the registration.

You can verify the public DNS record using a tool such as digwebinterface.com.

In the screenshot below, you can also see that this service is backed by 4 AWS DNS instances.
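The verification step above can also be scripted. This is an added example, not part of the original post or Sophos tooling: it takes `dig +short A` output collected from each name server and compares it with the firewall's current WAN IP, flagging a private address (the port IP registered instead of the NATed public IP in step 5) or a stale record. The name server names, hostname and IP addresses are constructed sample values.

```python
import ipaddress

# Ranges never reachable from the internet: RFC 1918 plus RFC 6598 (carrier-grade NAT).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_dig_short(output):
    """Return the IPv4 addresses found in `dig +short A` output."""
    addrs = set()
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or dig comment
        try:
            addrs.add(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            continue  # CNAME target or other non-address line
    return addrs

def classify(expected_ip, output):
    """Compare one name server's answer with the firewall's current WAN IP."""
    expected = ipaddress.IPv4Address(expected_ip)
    addrs = parse_dig_short(output)
    if not addrs:
        return "missing"   # record not registered, or not yet propagated
    if addrs == {expected}:
        return "ok"
    if any(a in net for a in addrs for net in NON_ROUTABLE):
        return "private"   # port IP was registered instead of the public IP
    return "stale"         # record still points at a previous WAN address

def check_ddns(expected_ip, answers_by_ns):
    """Map each name server to the status of its answer."""
    return {ns: classify(expected_ip, out) for ns, out in answers_by_ns.items()}

# Constructed sample: output of `dig +short A examplefw.myfirewall.co @<ns>`
# as it might be captured from four name servers.
SAMPLE = {
    "ns-a.example.net": "203.0.113.10\n",
    "ns-b.example.net": "203.0.113.77\n",
    "ns-c.example.net": "192.168.1.2\n",
    "ns-d.example.net": "",
}

if __name__ == "__main__":
    for ns, status in check_ddns("203.0.113.10", SAMPLE).items():
        print(f"{ns:20} {status}")
```

Any status other than `ok` means the public name should not be used to reach the firewall until the record is corrected.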

Conclusion

This is a great feature for Sophos to include “in the box.” As someone who has extensively used services like this for large deployments, it’s great to finally have it included as a free Dynamic DNS service that is native and robust.

PS – Did you know that Fastvue Sophos reporter now supports XG firewall?