This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Integrate Sophos XG transparently with current Juniper SRX

Hi,

I've playing around during the last few days with Sophos XG at home, but I can't seem to make it work the way I want and need. I have a Juniper SRX210 doing all the routing and layer3 filtering, and I want to integrate the XG transparently in bridge mode to be able to sniff all the traffic and see what I can do with it.

My current setup is as follows:

firewall/router SRX210 HE

switch T1700G-28TQ

server ESXi 6.0

My SRX is ingesting a public IP from a VM router in modem mode, and for this is using a different VLAN which is connected to the switch and ingested via a LACP between the SRX and the switch. I also have an LAG between the ESXi and the switch, which host the VLANs below (replicated in the SRX)

In addition to this I have SSIDs, one home standard and the other with admin permissions over the network, each one on a single VLAN. I do want to test this integration with the latest admin SSID, to not disturb my missus, which will cause me headache as she won't reach Instagram.

So, let's focus on the matter. As the XG installation requires two or more interfaces to work, I've created two VLANs, IPS_External and IPS_Internal, which will then be obviously on the SRX and with different network addressing.

As of now, I've tested the XG installation with both interfaces on the same VLAN (IPS_External), but when I turn it into bridge, my whole network stops behaving, and buy the looks of it I DDoS my SRX somehow, which I suspect is an ARP flooding meaning the same IP with different MAC addresses through the same port/trunk, or even a Spanning Tree problem (I've no idea whether the XG has STP by default).

I really like the looks of XG and the guys from Abingdon are doing a great work, though have lot of stuff to refine. The above said, I have several questions that I hope the community or even some staff from Sophos is able to help me with:

I wonder how this bridge capability works and which MAC address of the two you merge, the XG uses once in bridge mode?
what is likely to be causing me problems once I setup bridge mode?
how the XG will behave regarding layer2/3 if I setup each interface on different VLANs (IPS_Internal & IPS_External) and fusion them into a bridge one?

The web/ftp/dns traffic forwarding through the XG is a different matter and it's out of the scope of my main problem.

I hope all the above makes sense to someone :)

Many Thanks in advance,

Alberto.

This thread was automatically locked due to age.

LuCar Toni over 7 years ago

Hi,

there are two KBAs which are talking about the bridge mode.

https://community.sophos.com/kb/en-us/122973

https://community.sophos.com/kb/en-us/123098

123098 talks about the different kind of deployments like Layer 2 and Layer 3 bridges.

But it can get a little bit complicated, if we talk about VLAN bridges.

Personally i do not recommend to use bridges as scanning devices. From my point of view, i would rather recommend to use a application and gateway firewall instead of having a bridge firewall with a gateway firewall.

Also keep in mind, XG can not have more than one VLAN on a bridge in the current firmware. So basically this is a limitation.

For more information, take a look at this thread:

https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/v16beta/f/sfos-v16-beta-feedback/79102/xg-and-vlans-on-bridges---feedback-needed#pi2151=2
Cancel
Vote Up 0 Vote Down

Cancel
alopez over 7 years ago in reply to LuCar Toni

Hello,

Thanks for your quick reply and those links have been helfpul.

I like the XG because I think I could integrate the Sophos Home free version we have in our laptops and somehow "manage them" from the XG. I also like more the webUI of the XG, but if there is no support for different VLANs on a single bridge then it doesn't fit my requirements. I definitely was causing a loop using two interfaces in the same VLAN, but this shouldn't happen by default, the XG should have STP enable by default.

I've tested the UTM v9 version and you can enable STP manually on a bridge at the time of creating it. I'll give it a try, and leave the XG for future testing.

Thank you very much indeed for your help,

Alberto.
Cancel
Vote Up 0 Vote Down

Cancel