Different rules per interface under WAN zone?

Sagi,

which version of XG OS are you running?

Thanks

Used Trial version 17.5.9 until yesterday,

Few hours ago i have updated to latest 18.

Sagi,

on v18, you need to create SD-WAN policy under Routing menu. First create the firewall rule, the associated NAT and then the matching SD-WAN policy.

More info on the following video:

https://www.youtube.com/watch?v=TolZsFNbBuM

Regards

Will try now!

Thanks a lot Luk.

Hi again,

Still seem to fail here.

Under "WAN" zone i have 3 interfaces/gateways to 3 different ISP's

Only single ISP will be Up at a given moment.

ISP1  is very fast, so while ISP1 is active - no traffic shaping/qos needed.

If ISP1 is down - system will failover to ISP2:
ISP2 is very slow - So when the system is using this ISP, i
wish to give higher priority for Emails/Teamviewer and other "work" related things.

Problem is: if i use WAN zone all rules is applied no matter which ISP i'm on.
Destination zone = WAN
i need Destination zone= WAN(interface1) + WAN(interface2) for example... not both!

Sagi,

on v18, you need to use SD-WAN and make sure that SD-WAN takes precedence than static routes. You can check the route precedence on XG console:

system route_precedence show

On v17, you can select the gateway you want from the firewall rule.

If it does not work, please share the firewall rules.

Regards

Hi Luk,

First, thank you very much for the help here!

I'm out of the office atm, tomorrow's morning i will share the configurations.

Meanwhile:
SD-WAN does take precedence over static/vpn.
Traffic is able to pass from LAN --> WAN.
If the 1st gateway is down, taffic will be routed via the 2nd gateway. 

But i'm still struggling to find where i configure different QOS/Traffic shaping for each ISP individually.

Hope tomorrow you will help to find an answer for that!

Thanks again, and great night.

Sagi.

Traffic shaping can be applied based on:

• Users
• Application
• Service
• Website

https://community.sophos.com/kb/en-us/123062

https://community.sophos.com/kb/en-us/123061

https://community.sophos.com/kb/en-us/123058

https://community.sophos.com/kb/en-us/123060

Regards

Thanks again Luk.

So if i must to apply these only per service - and in WAN zone i cannot do seperation between interfaces.. 

What if i will work with 3 "LAN" zones that will act as WAN?

So i can do rules like:

Lan --> "WAN1"  accept HTTPS + traffic shaping X
Lan --> "WAN2"  accept HTTPS + traffic shaping Y
Lan --> "WAN3" accept HTTPS no traffic shaping.

Notice that these "WANS" zones are acctually configured as "LAN" zones. but they will be connected to my routers.
So when i'm on "WAN1" i have some type of traffic shaping for HTTP
but when i'm on "WAN2" i have different type of traffic shaping (or nothing at all if i wish).

I will have to configure NAT and probably gateways manually i guess?
Anything else i "lose" if i choose to not use WAN zone and just connect each router to different LAN zone?

Thanks again Luk.

So if i must to apply these only per service - and in WAN zone i cannot do seperation between interfaces.. 

What if i will work with 3 "LAN" zones that will act as WAN?

So i can do rules like:

Lan --> "WAN1"  accept HTTPS + traffic shaping X
Lan --> "WAN2"  accept HTTPS + traffic shaping Y
Lan --> "WAN3" accept HTTPS no traffic shaping.

Notice that these "WANS" zones are acctually configured as "LAN" zones. but they will be connected to my routers.
So when i'm on "WAN1" i have some type of traffic shaping for HTTP
but when i'm on "WAN2" i have different type of traffic shaping (or nothing at all if i wish).

I will have to configure NAT and probably gateways manually i guess?
Anything else i "lose" if i choose to not use WAN zone and just connect each router to different LAN zone?