Connect Two XG Firewalls With Backup WAN

Question

I have a scenario that I'm having trouble thinking through how to configure on the XG firewalls. 
 Let's say I have two separate buildings (Building A and Building B) on a campus that sit adjacent to each other. Both buildings have XG firewalls and both have their own ISP for internet access. The two buildings have to talk to one another and are currently connected via site-to-site IPSec VPN through the ISPs. There is buried fiber between the buildings and I would like to use it instead of the VPN to which I'm confident I can get configured. What else I would like to do is WAN failover. For example, if the ISP connection for building A were to get cut by a backhoe, I would like the firewall in building A to route traffic for the internet through the ISP connection at building B. I'm assuming that the ports connecting the fiber between Building A to Building B would have to be WAN ports, but is this possible with the XGs? I'm kind of confused on where to start with it.

Keyur · Accepted Answer

Hi Nathan Johnson Scenario When the IPsec connection is not there. If both the firewalls are connected through fiber and terminated on each XG firewall interface, I would propose the below configuration which might help you to achieve your requirement. Please configure Fiber Connected Interface on XG as the WAN zone in Building A as a backup of the primary ISP link, so when the primary ISP link goes down, the traffic would be forwarded through Fiber Link configured as a WAN zone. Now when traffic reaches to Building B Fiber Interface which is also configured as WAN zone, you need WAN to WAN firewall rule in the building B firewall so traffic would be forwarded through Building B ISP. For IPSec/MPLS Failover, please refer to the article - https://community.sophos.com/kb/en-us/123323

Nathan Johnson · Answer

I finally had time to work on this last night and I have it working. It was really simple and for some reason I was making it harder than it actually was in my head. So here's what I did: 
 I configured a port on the XG of Building A with a /30 IP address and connected it to a port on the XG in Building B with the other /30 IP address. 
 Then I went in to Network and Wan Link Manager of each XG set the ports connecting the buildings to failover if ALL other WAN links were down. 
 Then I went in to Routing and set a Policy Route on each XG to route the appropriate traffic across the fiber ports. 
 Finally, I simply created the appropriate firewall rules to allow the traffic to flow. 
 Everything works perfectly EXCEPT the DHCP relay. Our DHCP server for the corporate data network is at Building A. When the site to site VPN was in place, I had set up a relay to route it over IPSec and it worked fine. But now it's not working for some reason. That's not too important of an issue to fuss over as I have simply set up a DHCP server on the XG to service those requests for now, though I would like to get the relay to work again if possible.

Nathan Johnson · Answer

Yes, you have to create a WAN-to-WAN rule on both firewalls. Basically, what you want to do is create a rule on building B that uses the IP of the port from building A that connects to building B as the source and then set the destination to WAN - ANY. Then just do the opposite on the firewall at building A (see screenshot below).

Depending on your requirements, I think you can either create a policy route or the WAN link manager. I'm actually using both because building A houses a domain controller, so traffic needs to flow between the buildings regardless if a WAN connection is down or not. But if you're just going to use it as a backup WAN connection, I believe you can get away with just creating a rule under the WAN link manager.

I hope that helps!

Nathan Johnson · Answer

Simply create a regular firewall rule on each firewall that allows the required IP(s) or subnets from the other side to pass. For example, if you wanted everything from building A LAN to talk to anything on building B LAN, just create a rule that allows just that (see below). Then, just do the opposite on the firewall of building B.

Nathan Johnson · Answer

OK, so I was finally able to work out everything as I needed. All I had to do was go in to the NAT rule and click the checkbox "Override source translation for specific outbound interfaces" and add my primary ISP interface as well as my backup ISP interface. Once I did that, it all flowed perfectly as expected. I hope this helps anyone else who might be trying to accomplish the same scenario.

Connect Two XG Firewalls With Backup WAN

Top Replies