RED troubleshooting

https://support.sophos.com/support/s/article/KB-000036699?language=en_US

 

Overview

Sophos Remote Ethernet Device (RED) is a small network appliance, designed to be as simple to deploy as possible. Its main purpose is to provide a secure tunnel from its deployment location to a Sophos Firewall.

There is no user interface on the RED appliance. It is designed to be fully configured and managed from Sophos Firewall. RED devices can be shipped to a remote site, connected to any DHCP connection to the internet, and be fully configured by a remote administrator with no prior knowledge of the site, and no need to walk local personnel through technical setup steps.

This guide details how to set up Sophos RED in each of its operational modes, and outlines common troubleshooting steps to resolve connection issues.

Product and Environment

  • Sophos Firewall
  • Sophos RED

 

RED provisioning

When a RED is configured on Sophos Firewall, the configuration options chosen by the administrator are uploaded to the Sophos provisioning servers. The configuration is little more than the following items:

  • IP Address of the firewall
  • WAN Uplink Mode (DHCP, Static IP)
  • Tunnel operation mode (Standard)
  • If static uplink mode is chosen, RED WAN address settings (Address, Netmask, Default Gateway, and DNS server)
  • Optionally, mobile broadband connection settings for RED hardware
  • Unlock code

The unlock code is not stored on the RED appliance, but is used to prevent a RED that is in use from being accidentally or maliciously redirected. The correct unlock code must be supplied for the provisioning servers to accept a new configuration for a RED. Initially, the unlock code is blank, until a RED has been connected to Sophos Firewall once. The first time you configure a RED device on the firewall, the unlock code should be left blank. Every time a RED connects to a new firewall, the old unlock code must be entered to move the RED. Once the settings are pushed to the provisioning server, it issues a new unlock code, which is displayed in the Admin Console of Sophos Firewall.

The provisioning servers store the configuration provided by the administrator on a centrally reachable set of servers. This mechanism is what allows RED devices to be centrally configured. When a RED device has no configuration or the configuration it has is unsuccessful, it looks to the provisioning servers for updated instructions. A DNS lookup of red.astaro.com returns the closest provisioning server. The RED then connects to it securely and checks for new instructions. As long as a RED has a working configuration, it does not connect to the provisioning servers again.
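The unlock-code rule and the "only ask when the configuration fails" behaviour described above can be modelled in a few lines. This is an added example, not Sophos code: the class names, the code format, the RED ID and the hostnames are all constructed for illustration.

```python
import hmac
import secrets


class ProvisioningError(Exception):
    """The provisioning model refused a configuration push."""


class ProvisioningModel:
    """Simplified model of the unlock-code rule; not Sophos code."""

    def __init__(self):
        self._records = {}   # RED ID -> {"config": dict, "unlock": str}
        self.lookups = 0     # how often a RED asked for its configuration

    def push_config(self, red_id, config, unlock_code=""):
        """Accept a new config only with the current unlock code.

        Returns the newly issued code, which the pushing firewall displays.
        """
        record = self._records.get(red_id)
        expected = record["unlock"] if record else ""   # blank before first use
        # Constant-time compare: do not leak how much of a guess matched.
        if not hmac.compare_digest(unlock_code.encode(), expected.encode()):
            raise ProvisioningError(f"{red_id}: wrong unlock code, config unchanged")
        new_code = secrets.token_hex(8)   # code format is an assumption
        self._records[red_id] = {"config": dict(config), "unlock": new_code}
        return new_code

    def fetch_config(self, red_id):
        """Called by a RED that has no working configuration."""
        self.lookups += 1
        record = self._records.get(red_id)
        return dict(record["config"]) if record else None


class RedModel:
    """A RED that keeps its configuration while the tunnel works."""

    def __init__(self, red_id):
        self.red_id = red_id
        self.config = None

    def connect(self, provisioning, reachable_firewalls):
        """Return the firewall the tunnel ends on, or None if it cannot connect."""
        if self.config and self.config["firewall"] in reachable_firewalls:
            return self.config["firewall"]          # working config: no lookup
        self.config = provisioning.fetch_config(self.red_id)
        if self.config and self.config["firewall"] in reachable_firewalls:
            return self.config["firewall"]
        return None


def walk_through():
    """Replay the lifecycle from the text with constructed IDs and hostnames."""
    prov = ProvisioningModel()
    red = RedModel("RED-EXAMPLE-0001")
    hq = {"firewall": "hq.example.test", "uplink": "dhcp"}
    rogue = {"firewall": "rogue.example.test", "uplink": "dhcp"}
    moved = {"firewall": "branch.example.test", "uplink": "dhcp"}
    online = {hq["firewall"], rogue["firewall"], moved["firewall"]}

    code1 = prov.push_config(red.red_id, hq)        # first use: blank code
    first = red.connect(prov, online)
    second = red.connect(prov, online)              # config works: no new lookup
    lookups_before_move = prov.lookups

    def blocked(config, code):
        try:
            prov.push_config(red.red_id, config, unlock_code=code)
            return False
        except ProvisioningError:
            return True

    redirect_blocked = blocked(rogue, "")           # redirect without the code
    code2 = prov.push_config(red.red_id, moved, unlock_code=code1)
    stale_code_blocked = blocked(rogue, code1)      # old code was rotated out
    # The RED only picks up the move once its old tunnel stops working.
    after_move = red.connect(prov, online - {hq["firewall"]})
    return {
        "first": first, "second": second, "after_move": after_move,
        "lookups_before_move": lookups_before_move, "lookups_total": prov.lookups,
        "redirect_blocked": redirect_blocked,
        "stale_code_blocked": stale_code_blocked,
        "code_rotated": code1 != code2,
    }
```

The walk-through makes the operational consequence visible: whoever holds the current unlock code controls where the RED can be moved, so the code shown in the Admin Console should be recorded and protected like a credential.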

Chapter 1: RED operation modes

RED can operate in several modes. This section explains how each of these modes operates and helps you decide which modes are best suited to which circumstances.

These scenarios reference two different Sophos devices. One is the RED appliance, which sits at the remote location. The other is Sophos Firewall with which the RED establishes a tunnel. Both have a connection to the internet, as shown in figure 1.

Figure 1: General RED layout

Standard/Unified mode

Standard/Unified is the commonly used mode. In this mode, we expect that the remote network is fully managed by Sophos Firewall, through the RED. DHCP can be offered for the remote LAN by Sophos Firewall, and the RED may be the only device connecting the LAN to the Internet. While another router may sit in front of the RED, there is not a parallel path around the RED to the internet.

Figure 2: RED Used in Standard/Unified mode

Figure 2 illustrates the flow of data in this operational mode. All traffic from the remote LAN passes through the RED tunnel, whether it is heading for the local LAN or the internet. This allows Sophos Firewall to allow or deny requests in the same manner as it does for traffic coming from the Local LAN. Traffic between local and remote LANs can be blocked or allowed by using firewall rules. Web traffic can be filtered using the web security module, and applications such as Skype or BitTorrent can be controlled for remote LAN users, just as they can be for LAN users. This provides the highest level of security and manageability for remote networks. Its biggest drawback is the increased bandwidth requirements it may place on the Sophos Firewall’s internet link. Since all internet traffic from the remote LAN also uses internet bandwidth at Sophos Firewall, the bandwidth at Sophos Firewall must be large enough to service requests from both its local users and all remote RED users. The RED 10 appliance is capable of tunneling data at up to 30 Mbps.

If the RED loses contact with Sophos Firewall, and the tunnel fails, the RED stops routing traffic. Remote LAN users lose access to the internet and the Sophos Firewall’s internal networks until the tunnel can reconnect.

Standard/Split mode

Standard/Split mode is physically similar to Standard/Unified. We expect that the remote network may be managed by Sophos Firewall, and can provide DHCP to the remote LAN. The RED is likely the only device between the LAN and the internet, but only traffic for selected networks is sent through the tunnel. All other traffic is sent directly out the local internet connection. The RED masquerades outbound traffic to come from its public IP address. This feature minimizes bandwidth usage over the tunnel and lightens the bandwidth requirements on Sophos Firewall, but it also reduces the manageability of the remote network substantially. Traffic to or from the internet cannot be filtered or protected from threats. Security can only be applied between the remote and local LANs.

Figure 3: RED used in Standard/Split mode

If the RED loses contact with Sophos Firewall, and the tunnel fails, the RED stops routing traffic. Remote LAN users lose access to the internet and the Sophos Firewall’s internal networks until the tunnel can reconnect.

Transparent/Split mode

In this mode, Sophos Firewall is not expected to manage the remote network. The RED is connected to the remote LAN and the remote LAN’s gateway and expects to receive an address on the remote LAN via DHCP. Similar to the Standard/Split option, only traffic destined for certain networks is sent down the tunnel. In this case, the RED does not act as the gateway, but it is in-line with the gateway and can transparently redirect packets down the tunnel.

This option requires no reconfiguration of the remote network and does not allow any management of the remote LAN. It provides security between the remote LAN and any local subnets which are accessible through the tunnel. If the RED tunnel fails, the internet is inaccessible for any devices behind the RED. This is because the RED device continues to reboot to bring the tunnel up and all traffic passing through the RED is dropped until the tunnel is re-established.

Chapter 2: RED setup

Basic setup instructions

This section outlines the basic steps required to add a new RED to Sophos Firewall manually. In some cases, more detailed setup options are needed, but this is outside of the scope of this document.

Before we add the RED, we need to activate the RED service. Go to System services > RED and enable RED status. You are required to fill out an Organization name, City, Country, and Email. Click Apply to activate the RED service.

In this tab, you may also enable Force TLS 1.2 for extra security or activate Automatic device deauthorization. Automatic device deauthorization is a feature that allows for a RED appliance to disassociate from the firewall after a period of inactivity; this is to prevent someone from moving a RED device to another location without the system administrator's knowledge. A device that loses its connection from Sophos Firewall after the Deauthorize after period has elapsed needs someone with Administrator access to reactivate the RED before using it.

Adding RED to the Sophos Firewall

  1. In the Admin Console, go to Network > Interfaces.
  2. Click on Add interface.
  3. Select Add RED.

Configure the RED interface

  1. Enter a descriptive branch name in the Branch name field.
  2. Select the Type of RED Device.
  3. Enter the RED ID. You may find the ID on the bottom of the RED appliance.
  4. If the device has been set up on another Sophos Firewall before, an Unlock code is required to save the configuration. The Unlock code is found on the firewall that the RED was last connected to: in the Admin Console, or in Webadmin if it was previously connected to a Sophos UTM.
  5. Fill in the Firewall IP/Hostname field. The RED uses this address to locate the Sophos Firewall across the internet. A publicly resolvable fully qualified domain name or public IP address must be used.
  6. You should allow the Uplink mode to remain set as DHCP if possible. A static address should be chosen if there is no option for DHCP. When setting a static IP address, keep in mind that the RED must connect to a DHCP network at least once to download the configuration. If a static address is chosen, additional fields appear for IP address, Netmask, Gateway IP, and DNS servers.
  7. Choose the RED operation mode you wish to enable. Refer to Chapter 1 for explanations of each operating mode. Depending on your mode choice, there may be additional instructions.
  8. Enable Tunnel compression if needed.
  9. Click Save.

 

Creating firewall rules

Follow this section for all operation modes.

On Sophos Firewall, all traffic is routed and allowed or disallowed by firewall rules. The RED devices are controlled based on which zones they are members of and can be further refined by firewall rules for networks within each zone.

When creating a RED and setting it to be a member of the LAN network, it may seem as if firewall rules were created automatically, but this is not the case. The firewall identified that the RED was a member of the LAN Zone and then applied the same rules to it as it did the rest of the LAN. To maintain more separation between the LAN and the RED networks, you could use an existing zone such as VPN or WiFi or create a new one called RED to give a more logical separation of zones.

Create a Zone (optional)

  1. To create a new zone go to Network > Zones and click Add.
  2. Fill out the Name for the new zone.
  3. Select the Type of zone. LAN zones are more secure as they are meant to protect private resources while DMZ zones have fewer security restrictions. Go to the online help for more details on the difference between these two choices.
  4. Under Device access choose which services are offered over this zone. Even if the firewall rule allows it, DNS, Web Proxy and other access types listed here are not available to the zone unless enabled. You can always go back later to edit the zone at Administration > Device access to modify or remove settings.

 

Create a firewall rule

Previously created firewall rules determine how traffic is routed if using an existing zone. Double-check to make sure the rules that apply to the zone do not break security for your internal networks. Be careful when selecting existing zones since some of them, like the VPN zone, do not allow DNS to be resolved by Sophos Firewall and instead must use DHCP to distribute a different DNS server.

Here we have created a new firewall rule to use with the new RED zone we created earlier.

There is no one way to build RED firewall rules. The advantage of the RED device is the freedom to treat it like any other network interface on a firewall and configure it the same way.

Note: In Standard/Unified or Standard/Split mode, when accessing internet resources you need a RED to WAN rule with Masquerading enabled. You may want to keep two separate firewall rules, one for RED to LAN and one for RED to WAN to be more secure.

Deployment scenarios

  • Sophos Firewall hostname = Failover
  • RED uplink = Failover

The RED establishes a connection between RED_WAN1 and SFOS_WAN1.

If SFOS_WAN1 is down: RED_WAN1 will connect to SFOS_WAN2

If SFOS_WAN1 and RED_WAN1 are down: RED_WAN2 will connect to SFOS_WAN2

  • Sophos Firewall hostname = Balancing
  • RED uplink = Failover

The RED establishes a connection between RED_WAN1 and SFOS_WAN1 / SFOS_WAN2

If RED_WAN1 is down: RED_WAN2 will connect to SFOS_WAN1 / SFOS_WAN2

  • Sophos Firewall hostname = Failover
  • RED uplink = Balancing

The RED establishes a connection between RED_WAN1 / RED_WAN2 and SFOS_WAN1

If SFOS_WAN1 is down: RED_WAN1 / RED_WAN2 will connect to SFOS_WAN2

  • Sophos Firewall hostname = Balancing
  • RED uplink = Balancing

The RED establishes a connection between RED_WAN1 / RED_WAN2 and SFOS_WAN1 / SFOS_WAN2

Note:

If any interfaces go down, the interface will be checked until it is working again. The connection will be restored to the original interface if it becomes available again.
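The four scenarios above follow one rule: a Failover setting uses the first link that is up, a Balancing setting uses every link that is up, and tunnels form between the chosen RED uplinks and the chosen firewall links. The sketch below is an added example (not Sophos code) that encodes that rule and goes beyond the cases listed by enumerating every combination of failed links that leaves the RED without a tunnel. The function names are hypothetical, and link priority is assumed to be WAN1 before WAN2 as in the scenarios.

```python
from itertools import product

RED_LINKS = ("RED_WAN1", "RED_WAN2")     # priority order, as in the scenarios
FW_LINKS = ("SFOS_WAN1", "SFOS_WAN2")


def usable(links, mode, down):
    """Links a side will use: first live one (failover) or all live ones."""
    alive = [link for link in links if link not in down]
    if mode == "failover":
        return alive[:1]
    if mode == "balancing":
        return alive
    raise ValueError(f"unknown mode: {mode!r}")


def active_tunnels(fw_hostname_mode, red_uplink_mode, down=()):
    """Return (RED uplink, firewall link) pairs that carry the tunnel.

    The result depends only on the current link state, so a recovered
    link is used again immediately, matching the note above.
    """
    down = set(down)
    red = usable(RED_LINKS, red_uplink_mode, down)
    fw = usable(FW_LINKS, fw_hostname_mode, down)
    return [(r, f) for r in red for f in fw]


def outage_combinations(fw_hostname_mode, red_uplink_mode):
    """Every set of failed links that leaves the RED with no tunnel at all."""
    links = RED_LINKS + FW_LINKS
    outages = []
    for states in product((False, True), repeat=len(links)):
        down = frozenset(l for l, is_down in zip(links, states) if is_down)
        if not active_tunnels(fw_hostname_mode, red_uplink_mode, down):
            outages.append(down)
    return outages
```

In this model no single link failure removes the tunnel in any of the four mode combinations, which matters in the Standard modes because a lost tunnel stops all routing at the remote site.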

Chapter 3: Advanced operations

Manual/Split setup

Manual/Split setup is not an option that can be chosen when configuring RED but is implemented mostly through physical configuration. This mode is not unlike Transparent/Split mode, but it allows the tunnel to go down without also disabling local internet access. In this scenario, the RED is configured in Standard/Unified mode but is not placed in front of the remote LAN. It is connected to an alternate gateway on the remote LAN, and routes must then be added on the existing default gateway to access remote networks behind the RED.

The WAN port is plugged into the same LAN switch that LAN clients are connected to, and once the RED receives its mode configuration, you then connect a LAN port to the same LAN switch.

The setup is physically more complex than other modes, but is logically simpler, and allows for a tunnel or RED hardware failure, without disrupting normal internet traffic.

Bridged RED setup

When dealing with a large number of RED devices, it may be simpler to treat all remote RED networks as a single LAN. Sophos Firewall supports creating a single bridge interface, bridging any number of NICs. If you have not set up a bridge interface already, you may bridge more than one RED connection together, to effectively treat all remote RED connections as a single LAN. Firewall rules can still control access from RED to RED, so security does not need to be diminished in this setup.

To set up bridging, follow the Adding RED to the Sophos Firewall instructions for at least two RED devices. Then, in the Sophos Firewall Admin Console, go to Network > Interfaces. Click Add interface and then select Add bridge. Now fill out the name and then choose the RED devices under Member interfaces as well as the zone to which this bridge belongs. Click Save to apply the settings.

Follow the remaining RED setup steps, but choose the Bridge hardware interface, instead of a reds# interface. Additional REDs can be added to the bridge by editing the bridge under Network > Interfaces. Select the new RED interface and click Save to apply the changes. All rules set up for one RED will immediately also apply to the newly added RED device.

Sophos Firewall to Sophos Firewall RED setup

As of version 16, you may now use a Sophos Firewall to create a RED tunnel with another Sophos Firewall or Sophos UTM. This increases the possible number of ways a RED tunnel can be utilized. This guide covers the setup of the tunnel and the general operating principles of the Sophos Firewall client tunnels. Once a tunnel is created, configuring traffic between two Sophos Firewall devices becomes a matter of routing and creating firewall rules. This tunnel type is best suited for environments that:

  • Prefer or require subscription features such as web or email filtering to be done on the remote internet connection
  • Sites that need only to access certain network resources at the server end of the tunnel
  • Sites that have hosted services that should be publicly available via the local public IP of the client end of the connection
  • Sites that require greater flexibility than a standard RED appliance can offer
  • Sites requiring greater than 30Mbps throughput over the RED tunnel

To set up a Sophos Firewall-to-Sophos Firewall RED tunnel, first choose one firewall to be the server. The server role is not related to how traffic flows through the tunnel, only to which side listens and which side initiates the connection. The server waits for connections from the client.

To set up a RED client connection,

On the Server Sophos Firewall:

  1. Go to Network > Interfaces, then click Add interface > Add RED.
  2. Give it a Branch name.
  3. For the Type, select Firewall RED server.
  4. Leave the Tunnel ID as Automatic.
  5. Set an available IP address for the RED IP.
  6. Configure the RED netmask for the new network that uses the RED IP’s address.
  7. Choose the Zone for this RED tunnel.
  8. Enable Tunnel compression if needed.
  9. Click Save.

The firewall then generates a provisioning file for the remote Sophos Firewall. Click the Edit icon next to the RED interface and then click on Download provisioning file, to save the .red provisioning file to disk.

On the Client Sophos Firewall:

  1. Browse to Network > Interfaces, then click Add Interface > Add RED.
  2. Give it a Branch name.
  3. For the Type, select Firewall RED Client.
  4. Choose a definition for the Firewall IP/hostname field. The host should be the public IP of the server Sophos Firewall or a DNS host definition which resolves to its public IP.
  5. Upload the provisioning file generated on the server.
  6. Set an available IP address for the RED IP.
  7. Configure the RED netmask for the new network that uses the RED IP’s address.
  8. Choose the Zone for this RED tunnel.
  9. Click Save.

At this point, the tunnel should connect automatically, and each Sophos Firewall has a virtual RED interface that may be configured in whatever manner required. For split tunnel operation, simply route the selected destination networks to the Sophos Firewall IP at the other end of the RED tunnel.

Go to Sophos Firewall: How to configure Site-to-Site RED Tunnels for further details & instructions on configuring site-to-site RED tunnels.

Chapter 4: Troubleshooting

RED boot sequence

The LEDs in front of the RED device are the most valuable source of information when troubleshooting a RED. When first plugged in, the power light should be lit solidly. The device then loads its current firmware.

  • The System LED lights solid once loading is complete. From this point, the behavior varies depending on the RED model.

RED ports

RED hardware: Ports
  • RED 10: TCP 3400 + UDP 3400
  • RED 15: TCP 3400 + UDP 3410
  • RED 50: TCP 3400 + UDP 3410

Legend

Red solid LED
Red blinking LED
Green solid LED
Green blinking LED
Unlit LED

RED 10 Rev. 2/Rev. 3 – Troubleshooting using LED error codes

RED 10 Revision 2 (RED Rev. 2) appliance status LEDs are different from RED Rev. 1 status LEDs.

RED normal states

LED: Description
  • Power: Indicates whether or not power is connected to the device.
  • System: Indicates the startup state of the machine. During boot, the LED will be unlit. Once the unit successfully loads its boot image from the onboard flash memory, it will be lit solid GREEN.
  • Router: Either an address has been received from DHCP, or static assignment, and appears valid. The gateway address is reachable.
  • Internet: The LED will light solid once the device establishes contact with the internet.
  • Tunnel: Once the device establishes a connection with its parent UTM device and is able to communicate through an encrypted tunnel, the Tunnel LED will be lit solid.
  • LAN1-4: Each of the four LAN LEDs will light solid when an Ethernet link is established on that port. It will blink to indicate data activity.
  • WAN: LED will be lit solid green when an Ethernet link is established on the WAN port. It will blink to indicate data activity.

RED error states

Power System Router Internet Tunnel Error
No configuration is available from the provisioning server, or a firmware update failed.
The default gateway is unreachable. Static address settings may be incorrect, or DHCP server is configured incorrectly.
The gateway is reachable, but the internet cannot be reached.
The internet is reachable, but a tunnel cannot be established to the UTM. Check that the UTM host is a valid fully qualified domain name, or that it is the correct public IP address of the target UTM.
Ethernet WAN connection has failed, attempting to use a mobile broadband backup connection.
Either an address has been received from DHCP, or static assignment, and appears valid. The mobile broadband gateway address is reachable.
The internet is reachable using the mobile broadband backup.

RED 15 – Troubleshooting using LED error codes

RED 15 uses an additional port compared with the RED 10. UDP port 3410 and TCP port 3400 need to be allowed. The appliance status LEDs are the same as the RED 10 Rev. 2/3 status LEDs.

RED normal states

LED: Description
  • Power: Indicates whether or not power is connected to the device.
  • System: Indicates the startup state of the machine. During boot, the LED will be unlit. Once the unit successfully loads its boot image from the onboard flash memory, it will be lit solid GREEN.
  • Router: Either an address has been received from DHCP, or static assignment, and appears valid. The gateway address is reachable.
  • Internet: The LED will light solid once the device establishes contact with the internet.
  • Tunnel: Once the device establishes a connection with its parent UTM device and is able to communicate through an encrypted tunnel, the Tunnel LED will be lit solid.
  • LAN1-4: Each of the four LAN LEDs will light solid when an Ethernet link is established on that port. It will blink to indicate data activity.
  • WAN: LED will be lit solid green when an Ethernet link is established on the WAN port. It will blink to indicate data activity.

RED error states

Power System Router Internet Tunnel Error
No configuration is available from the provisioning server, or a firmware update failed.
The default gateway is unreachable. Static address settings may be incorrect, or DHCP server is configured incorrectly.
The gateway is reachable, but the internet cannot be reached.
The internet is reachable, but a tunnel cannot be established to the UTM. Check that the UTM host is a valid fully qualified domain name, or that it is the correct public IP address of the target UTM.
Ethernet WAN connection has failed, attempting to use a mobile broadband backup connection.
Either an address has been received from DHCP, or static assignment, and appears valid. The mobile broadband gateway address is reachable.
The internet is reachable using the mobile broadband backup.

RED 50 – Troubleshooting using LCD and LED error codes

Connecting the RED appliance to the power supply

Connect the RED appliance to the power supply. Plug the power supply into the electrical outlet. The Power LED will light and the system will boot. The LCD will show the message “Starting RED” and the RED-ID.

Establishing a tunnel between the branch office and the central UTM Gateway

The RED 50 will now automatically retrieve its configuration from the Internet and establish a tunnel to your central office. After successfully establishing the tunnel, the LCD will show the message “Tunnel is up (wan1)” and either the IP address or the hostname of the UTM appliance to which the RED 50 is connected.

Controls, LED Codes and LCD messages

Controls

Power (LED)
  • Power off
  • Power on

Error
  • No error
  • Error

LAN/WAN connection
  • Link established
  • Network activity

LCD and keys
  • LCD: Display of 2 rows x 20 characters
  • Navigation keys: 4 x keys to cycle through the LCD menu

Interfaces
  • WAN1-WAN2, LAN1-LAN4: 6 x 10/100/1000 Base-TX interface
  • USB 2.0: 2 x USB 2.0 interface
  • COM: Serial console interface
  • DC IN 12 V Power

 

Navigation keys
Open menu, switch from value to a menu or sub-menu entry
▲▼ Navigate between the menu entries
Enter sub-menus and value


The following menu entries are available

Live-Log
WAN_Status ► IP addresses ► Local WAN1 IP:
Local WAN2 IP:
Local PPP0 IP:
UTM Hostname:
2nd UTM Hostname:
Throughput ► WAN1 in/out:
WAN2 in/out:
Tunnel ► WAN1->UTM WAN1:
WAN1->UTM WAN2:
WAN2->UTM WAN1:
WAN2->UTM WAN2:
RED-Status ► Device ► ID:
Firmware ► Version:
Uptime:
3G/UMTS-Status ► Signal Strength:


LCD messages

Message: Description
  • Booting up: The RED device is booting.
  • Shutting down: The RED device is shutting down.
  • Starting RED ID $RED_ID: The RED device is starting (the display shows the RED ID as printed on the product label).
  • Starting RED Network Setup: The RED device is configuring DHCP or a static setup.
  • Starting RED Try $uplink: The RED device is connecting to the displayed uplink (wan1, wan2, or umts).
  • Starting RED UTM $hostname: The RED device is connecting to the UTM appliance.
  • Got new config: The RED device has received a new configuration.
  • Tunnel is up ($uplink) UTM $hostname: The RED tunnel has been established; $uplink can be wan1, wan2, or umts; $hostname can be hostname or IP address of UTM appliance.
  • ERROR Invalid device ID: The RED device has not been provisioned correctly.

Important note: Do not unplug the power while the firmware is updating. Otherwise, the RED appliance will be rendered inoperable and must be returned to the reseller.

Additional troubleshooting techniques

Tunnel keeps disconnecting

If you see the tunnel constantly going up and down you may need to disable hardware acceleration.

Sign in to the console of Sophos Firewall and run the following commands.

    console> system firewall-acceleration show

This command will show whether or not hardware acceleration is enabled.

    console> system firewall-acceleration disable

This command disables the hardware acceleration and should stop the RED tunnel from disconnecting.


Troubleshooting static address assignments

Problem: A RED is deployed to a location that only supports a static public IP address, and the RED was not configured with a static IP through the Sophos Firewall before shipping.

Solution: RED requires a DHCP connection with access to the Internet at least once, before being deployed with a static IP address. If RED is replacing an existing firewall, and that firewall distributes DHCP addresses to internal clients, first try to connect the RED WAN port to the existing internal network. Watch the front LEDs to see that the RED connects to the Internet. It connects to the Internet, obtains its settings, then reboots. After reboot, it should fail to connect to its gateway, or to the Internet. This indicates that it has loaded its configuration and static IP settings.

If there is not a DHCP connection available locally, a DHCP connection to the Internet needs to be found, before the RED can be configured.

Problem: RED has been correctly configured with a static IP address, but it is not connecting to the Internet.

Solution: The most straightforward method to validate that the static address settings applied to the RED are valid, is to test those same settings on another device. For instance, configure the ethernet port of a laptop to use the same configuration, then unplug the ethernet cable from the RED WAN port, and connect it to the laptop. Before connecting the laptop, be sure that it has a firewall enabled, and ensure that other connections such as wireless, or mobile broadband are disabled. Once the laptop is configured and connected, both IP connectivity to the internet, as well as DNS resolution should be tested. To test these settings manually, do the following steps:

  1. Open Command Prompt (In Windows, Windows key + R, then type “cmd.exe” and click OK.)
  2. First, test that the internet is reachable. This can easily be done by “pinging“ an IP address. An easy address to test with is Google’s public DNS servers – 8.8.8.8.
  3. Run the following command, then press enter: ping 8.8.8.8
  4. If the command fails completely, it may look like this:
    Pinging 8.8.8.8 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Ping statistics for 8.8.8.8: 
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
  5. It is also possible that it may fail only partially. In this case, one or more of the replies may be Request timed out, as shown above. If either is true, this may be why the RED is failing, and the location’s ISP may need to be consulted to verify that the address settings are correct.
  6. If the test above does not fail, then run ping www.sophos.com
  7. If it succeeds, it resolves www.sophos.com to an IP address, then attempts to ping it.
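The two ping tests above can be judged mechanically from saved Command Prompt output. The following is an added example, not part of the original article: it assumes English-language Windows ping output, the function names are hypothetical, and the sample outputs are constructed. It counts only real echo replies, because Windows also reports "Destination host unreachable" answers from a router under "Received", which makes the summary line read 0% loss when nothing actually got through.

```python
import re

# Only real echo replies count. Windows also prints "Reply from <router>:
# Destination host unreachable." and still counts it under "Received".
ECHO_REPLY = re.compile(r"^\s*Reply from \S+ (?:bytes=\d+ )?time[=<]\d+ms", re.M)
SENT = re.compile(r"Sent = (\d+)")
NO_SUCH_HOST = re.compile(r"could not find host", re.I)

# Constructed sample outputs (documentation addresses, not captures).
TIMEOUT = """Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
"""
UNREACHABLE = """Pinging 8.8.8.8 with 32 bytes of data:
Reply from 203.0.113.1: Destination host unreachable.
Reply from 203.0.113.1: Destination host unreachable.
Reply from 203.0.113.1: Destination host unreachable.
Reply from 203.0.113.1: Destination host unreachable.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
PARTIAL = """Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=14ms TTL=117
Request timed out.
Reply from 8.8.8.8: bytes=32 time=15ms TTL=117
Request timed out.
Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 2, Lost = 2 (50% loss),
"""
NAME_OK = """Pinging www.sophos.com [198.51.100.7] with 32 bytes of data:
Reply from 198.51.100.7: bytes=32 time=21ms TTL=54
Reply from 198.51.100.7: bytes=32 time=20ms TTL=54
Reply from 198.51.100.7: bytes=32 time<1ms TTL=54
Reply from 198.51.100.7: bytes=32 time=22ms TTL=54
Ping statistics for 198.51.100.7:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
"""
DNS_FAIL = ("Ping request could not find host www.sophos.com. "
            "Please check the name and try again.\n")


def classify(ping_output):
    """Return 'dns_failure', 'no_reply', 'partial_loss', 'ok' or 'unparsed'."""
    if NO_SUCH_HOST.search(ping_output):
        return "dns_failure"
    sent = SENT.search(ping_output)
    if not sent:
        return "unparsed"
    replies = len(ECHO_REPLY.findall(ping_output))
    if replies == 0:
        return "no_reply"
    return "ok" if replies >= int(sent.group(1)) else "partial_loss"


def triage(ip_ping_output, name_ping_output=None):
    """Map the outputs of steps 3 and 6 to (result, next action)."""
    ip_result = classify(ip_ping_output)
    if ip_result in ("no_reply", "partial_loss"):
        return ip_result, "verify the static address settings with the ISP"
    if ip_result != "ok":
        return ip_result, "output not recognised; rerun ping 8.8.8.8"
    if name_ping_output is None:
        return "ok", "IP path works; now run ping www.sophos.com"
    name_result = classify(name_ping_output)
    if name_result == "dns_failure":
        return name_result, "check the DNS server in the static settings"
    if name_result == "ok":
        return "ok", "the static settings work from the laptop"
    return name_result, "the name resolved, so DNS works; the host did not answer every ping"
```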

 

Gathering more information

Once you know the blink codes and which error code the RED is displaying, it may be useful to collect some additional information about your RED's configuration. Gather the following information from your Sophos Firewall, under Network > Interfaces, by editing the device that is not functioning correctly.

The RED model, which also indicates the hardware revision, is listed on the sticker on the bottom of the appliance.

If you need to contact Sophos Support for assistance, the above information may be useful to have ready. Also, be aware of any devices such as switches, routers or other firewalls which may sit between both endpoints and their connections to the internet.

Make sure the internet type and settings of each end are recorded and available. What kind of internet connection exists at the remote office? How is that connection provided to the site?