SOPHOS XG86 Issue with SDWAN Routing

Hi to all Sophos Experts!

I would like to share my experience with my SOPHOS XG86 Firewall. I tried to create a new firewall policy after updating the firmware to v18. I did some tests and encountered a weird issue with routing: when I selected "Any" in the "Destination Networks" of the SD-WAN policy route, the PC IP address I assigned to the said routing policy could not connect to the internet. When I specified my local subnet 192.168.100.0/24 in the "Destination Networks", the said PC was able to access the internet. It is a bit weird, since on our main firewall XG310 the "Any" option is working.

Does anyone here have any idea what is wrong with my setup?

Below are some sample screenshots.

Below is my NAT Policy

Thanks

rodneyaltam



  • Hello Rodney,

    Thank you for contacting the Sophos Community.

    If you do a packet capture in the GUI what do you see when the computer tries to access the internet or a Ping?

    What is the Matching criteria in the NAT rule?

    Regards,

  • Hi Emmanuel,

    Sorry for the late response. I checked this and it goes to the Test FW Rule. The problem is that it is not going through PLDT (Primary ISP); it is routing through DCTECH (backup ISP). It is weird since on my Sophos XG310 this kind of issue doesn't exist.

    Thanks.

    Rodney

  • Hello Rodney,

    Thank you for the screenshot.

    Can you share a screenshot of your NAT  rule configuration?

    Regards,

  • FormerMember, in reply to Rodney Altamera

    Just adding on what Emmanuel has said.

    In the NAT rule, please ensure that you have added both WAN interfaces, or ANY, under the outbound interface.

    Or you can also create a NAT rule with TEST-PC101 source.

  • Hi Yash Kothari,

    Good day. Yes I'll post the screenshot for the NAT rules.

    Thanks

  • Hi emmosophos,

    I already posted the screenshot for the NAT rules.

    Thanks

  • FormerMember, in reply to Rodney Altamera

    Thank you for posting a snapshot. The configuration seems ok.

    Request to perform the following steps to further investigate the reported behavior.

    ================================================

    ==> Enable "TEST FW-RULE" SD-WAN policy route configured with 'PLDT-ISP' as a primary gateway and set Destination networks as 'ANY'.

    ==> Login to SSH > 5. Device Management > 3. Advanced Shell and run the below command.

    18.0.4 MR-4# conntrack -E | grep -e '163.53.76.86'

    ==> Initiate a ping from 'TEST-PC101' machine to 163.53.76.86 IP address with below command.

    C:\Windows\system32> ping -n 1 163.53.76.86

    ================================================

    ==> Request to perform the above steps again with Destination networks as '100(192.168.100.0/24)' in SD-WAN policy route.

    ================================================

    Share both SSH session output here or via PM.

    1. Destination networks as 'ANY':

    conntrack output:

    2. Destination networks as '100(192.168.100.0/24)':

    conntrack output:
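Reading the conntrack output requested above (an added example, not code from the thread or from Sophos): each `conntrack -E` event line carries an original tuple and a reply tuple, and the reply tuple's dst= is the address the flow was SNATed to, which is what reveals whether the ping left through PLDT or DCTECH, or was not NATed at all. The TEST-PC101 address (192.168.100.101) and both WAN public ranges are constructed placeholders, as is the sample output.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed placeholders: the thread never shows the real public addresses
# of the two WAN links, so documentation ranges stand in for them.
WAN_MAP = {
    "PLDT-ISP": ip_network("203.0.113.0/24"),
    "DCTECH-ISP": ip_network("198.51.100.0/24"),
}

# Constructed sample of `conntrack -E | grep -e '163.53.76.86'` output for
# three pings from TEST-PC101 (192.168.100.101 assumed), one per outcome.
SAMPLE_EVENTS = """\
[NEW] icmp     1 30 src=192.168.100.101 dst=163.53.76.86 type=8 code=0 id=1 [UNREPLIED] src=163.53.76.86 dst=198.51.100.7 type=0 code=0 id=1
[UPDATE] icmp     1 30 src=192.168.100.101 dst=163.53.76.86 type=8 code=0 id=1 src=163.53.76.86 dst=198.51.100.7 type=0 code=0 id=1
[NEW] icmp     1 30 src=192.168.100.101 dst=163.53.76.86 type=8 code=0 id=2 [UNREPLIED] src=163.53.76.86 dst=203.0.113.5 type=0 code=0 id=2
[NEW] icmp     1 30 src=192.168.100.101 dst=163.53.76.86 type=8 code=0 id=3 [UNREPLIED] src=163.53.76.86 dst=192.168.100.101 type=0 code=0 id=3
"""

TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")

def parse_event(line):
    """Split one conntrack event into its original and reply tuples.
    The reply tuple is the mirror image after NAT, so its dst= is the
    post-SNAT source, i.e. the WAN address the internet actually sees."""
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        return None
    (o_src, o_dst), (_r_src, r_dst) = tuples
    return {"orig_src": o_src, "orig_dst": o_dst, "snat_src": r_dst,
            "unreplied": "[UNREPLIED]" in line}

def egress_wan(ev):
    """Name the WAN link a flow left through, judged from its SNAT address."""
    snat = ip_address(ev["snat_src"])
    if snat == ip_address(ev["orig_src"]):
        return "no SNAT"  # no NAT rule matched: private source sent to the WAN
    for name, net in WAN_MAP.items():
        if snat in net:
            return name
    return "unknown"

def egress_report(events_text, target):
    """Return (lan_src, wan, still_unreplied) for each flow towards target."""
    rows = []
    for line in events_text.splitlines():
        ev = parse_event(line)
        if ev and ev["orig_dst"] == target:
            rows.append((ev["orig_src"], egress_wan(ev), ev["unreplied"]))
    return rows
```

A flow that stays `[UNREPLIED]` on the backup link, or one reported as "no SNAT", is the evidence to compare between the 'ANY' and '192.168.100.0/24' runs.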
