My Experience with SFOS v.18 - Confusion with Firewall Rules [linked-NAT], NAT Rules, SD-WAN policy routing and Routing - Traffic shaping needs to be "Enterprise Traffic shaping"

My opinion:

Firewall Rule: should define how the firewall should behave when a rule is matched (until now no problem although I would have preferred a sharp cut with the past No-Linked NAT rules [My Opinion])

The DNAT wizard: needs a refinement: the option to specify any PAT (Port Address Translation) is missing!

Enterprise NAT is the thing I like the most.
It's nice that it can specify the outbound interface and its translated source: if I have 2 ISPs, I can specify outbound interfaces and related IPs, but that setting doesn't apply if there's no SD-WAN rule that "repeats" what I want to achieve in the NAT rule (Linked SD-WAN rules??)

V17 -> v18 Migrations
Migrating a firewall from version 17 to version 18, I noticed that by default, SD-WAN rules are processed before routes.
In my opinion, this approach is dangerous as there may be firewall interfaces that connect to other corporate remote networks (where static routing lives for example).

SD-WAN rules, I would like to understand why I can't use also zones instead of specifying IP networks.

Traffic shaping: in traffic shaping, there is no possibility to define different policies depending on the flow of traffic (input interface - output interface)... Maybe tomorrow Sophos could pour/replicate into traffic shaping what was done with the Enterprise NAT....
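To make the route-precedence point above concrete, here is a small Python model of the lookup order, written as an added example for this thread (it is not part of the original post and not SFOS code). The stage names `sdwan_policyroute`, `static` and `vpn`, the sample networks and the gateway names are assumptions constructed for the demo; the model generalizes the post's single scenario to any ordering of the three stages and includes an audit that lists every static or VPN route an earlier SD-WAN stage would swallow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SdwanRule:
    name: str
    src: ipaddress.IPv4Network   # source network the policy route matches
    dst: ipaddress.IPv4Network   # destination network the policy route matches
    gateway: str


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str


# Constructed sample configuration (hypothetical names, not taken from any real box):
# one broad SD-WAN rule sending all LAN traffic out via ISP1, a static route for a
# remote corporate site reachable over a leased line, and a route learned from a VPN.
SDWAN_RULES = [
    SdwanRule("lan-to-internet", ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("0.0.0.0/0"), "ISP1"),
]
STATIC_ROUTES = [Route(ipaddress.ip_network("10.20.0.0/16"), "leased-line-gw")]
VPN_ROUTES = [Route(ipaddress.ip_network("10.30.0.0/24"), "ipsec-branch")]


def lookup_sdwan(src, dst):
    """First-match lookup, like an ordered policy-route table."""
    for rule in SDWAN_RULES:
        if src in rule.src and dst in rule.dst:
            return rule.gateway
    return None


def lookup_table(table, dst):
    """Longest-prefix match over a routing table."""
    best = None
    for r in table:
        if dst in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    return best.gateway if best else None


# Lookup stages; the precedence list decides the order they are consulted in.
STAGES = {
    "sdwan_policyroute": lambda src, dst: lookup_sdwan(src, dst),
    "static": lambda src, dst: lookup_table(STATIC_ROUTES, dst),
    "vpn": lambda src, dst: lookup_table(VPN_ROUTES, dst),
}


def route(src, dst, precedence):
    """Return (stage, gateway) of the first stage in `precedence` that matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for stage in precedence:
        gw = STAGES[stage](s, d)
        if gw is not None:
            return stage, gw
    return None, None


def shadowed_routes(precedence):
    """Static/VPN routes that an earlier SD-WAN stage captures before they are consulted.

    Returns a sorted list of (route destination, SD-WAN rule name, rule source) tuples.
    A representative host from each route and each rule source is used as the probe.
    """
    if "sdwan_policyroute" not in precedence:
        return []
    sdwan_pos = precedence.index("sdwan_policyroute")
    findings = []
    for stage, table in (("static", STATIC_ROUTES), ("vpn", VPN_ROUTES)):
        if stage in precedence and precedence.index(stage) < sdwan_pos:
            continue  # this table is consulted before SD-WAN; nothing is shadowed
        for r in table:
            probe_dst = r.dst.network_address + 1
            for rule in SDWAN_RULES:
                probe_src = rule.src.network_address + 1
                if probe_dst in rule.dst and probe_src in rule.src:
                    findings.append((str(r.dst), rule.name, str(rule.src)))
    return sorted(findings)


if __name__ == "__main__":
    for order in (["sdwan_policyroute", "static", "vpn"], ["static", "vpn", "sdwan_policyroute"]):
        print(order, "->", route("192.168.1.10", "10.20.5.5", order),
              "shadowed:", shadowed_routes(order))
```

With SD-WAN first, traffic from the LAN to the remote corporate network 10.20.0.0/16 is pushed out of ISP1 by the catch-all policy route and the leased-line static route never gets a look; with static and VPN ahead of SD-WAN the same packet takes the leased line and the audit reports nothing. Running the audit against an export of the real tables before migrating is the check I would want; the live precedence on the box is what the online help describes for the route precedence setting.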



  • DNAT Wizard was the first shot of a little help for admins who are not using XG in general. Like the VPN Wizard in my opinion. I do not have numbers, would say it is not used "quite often".

    There is work to be done for the Wizard.

    Enterprise NAT + SD-WAN Policies will get more work in the future, because the SD-WAN story is not completed in V18. As mentioned earlier, the first shot of the decouple process.

    SD-WAN Priority: Would recommend a look at the Online help. Sophos spent some time to explain your scenario and what is going on. By default in a "New installation v18", the route precedence is changed, but in existing installations, we are not changing the precedence so as not to interfere with customer setups.

    SD-WAN Zones, Good question! It is not feature complete as of now, so more information and features will follow in the future to get a better overview.

    SD-WAN + Traffic Shaping will follow for specific scenarios.

    Overall many "it is in the pipeline". But getting all those features out at the same time would mean a longer wait for you.
