SOPHOS XG v18 with 2xisp and 1x data circuit

Hi,

I have XG v18 MR4 with 2x ISP for Internet and one MPLS data link to get connected to my head office.

Q1: I want to do load balancing and failover across the 2x ISP. In v17 this was simple, using a firewall rule: I could select
a primary gateway and a backup gateway, or I was able to select WAN load balancing.
- In v18, to achieve failover I create a firewall rule and then a NAT rule; in that rule, if I add both ISP ports as outgoing,
will it start doing load balancing as well as failover? Please correct me if I am wrong.
- In v18, if I need to configure a primary and a backup Internet gateway, do I have to create an SD-WAN routing policy for this?
Please correct me if I am wrong.

Q2: To use the MPLS data link so that I can get connected to my head office, assuming the data circuit is on a separate port:
- In v17 it was simple, as I had to create a firewall rule, disable masquerading and select the MPLS data link as primary for this rule.
In v18 how can I achieve it? By using an SD-WAN policy, or will it also work if I create a static route for that subnet? I don't have
to make a NAT rule for this? How can I avoid this traffic getting NATed?

Q3: What if data and Internet traffic is coming in on the same interface given by the ISP? In that case what should I do?


Please accept my apologies if I am asking a very basic question.

Regards,



FormerMember:

    Hi,

    Thank you for reaching out to Sophos Community.

    Q1: I want to do load balancing and failover across the 2x ISP. In v17 this was simple, using a firewall rule: I could select
    a primary gateway and a backup gateway, or I was able to select WAN load balancing.

    - In v18, to achieve failover I create a firewall rule and then a NAT rule; in that rule, if I add both ISP ports as outgoing,
    will it start doing load balancing as well as failover? Please correct me if I am wrong.

    ==> If both gateways are configured as 'Active', then both load balancing and failover will work with the above NAT rule setup.

    - In v18, if I need to configure a primary and a backup Internet gateway, do I have to create an SD-WAN routing policy for this?
    Please correct me if I am wrong.

    ==> In v18, you need to configure an SD-WAN policy to route the traffic via a specific Internet link (gateway).


    Q2: To use the MPLS data link so that I can get connected to my head office, assuming the data circuit is on a separate port:
    - In v17 it was simple, as I had to create a firewall rule, disable masquerading and select the MPLS data link as primary for this rule.
    In v18 how can I achieve it? By using an SD-WAN policy, or will it also work if I create a static route for that subnet? I don't have
    to make a NAT rule for this? How can I avoid this traffic getting NATed?

    ==> This depends on whether the MPLS link is terminated as WAN or as LAN (in the LAN zone or a different zone).

    i. MPLS link is terminated as WAN: the configuration below needs to be done on Sophos Firewall.

    • LAN to WAN firewall rule with the required source and destination networks.
    • SD-WAN policy with source and destination networks and the primary gateway set to MPLS.
    • If you have not set up any NAT policy for the above MPLS network, then the traffic won't be NATed. If the traffic is being NATed by an overriding NAT policy, then you can configure the linked NAT rule with SNAT set to 'Original'.


    ii. MPLS link is terminated as LAN:

    • Assuming the MPLS port is kept in a separate MPLS zone, LAN to MPLS and MPLS to LAN firewall rules will be required.
    • Static routes to the MPLS networks with the specific gateway IP.
    • You can also configure a custom gateway on the MPLS interface and use it in an SD-WAN policy.

    Q3: What if data and Internet traffic is coming in on the same interface given by the ISP? In that case what should I do?

    ==> You need to differentiate the traffic with specific source and destination networks in the firewall rules.

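Editor's note: the model below is an added illustration of the packet path the answer describes (firewall rule, then route lookup, then NAT rule), not Sophos code and not anything the poster wrote. It lets you reason about the three questions before touching a live box: Active gateways share Internet flows and fail over to each other (Q1), head-office traffic reaches the MPLS port via a static route or an SD-WAN policy and stays un-NATed only while a linked rule with SNAT 'Original' sits above the catch-all masquerade (Q2), and traffic is told apart purely by source and destination networks (Q3). Port names, addresses, networks and the lookup order are assumptions; check the real order on your unit with `system route_precedence show` on the console.

```python
"""Simplified v18 packet-path model: route lookup, then SNAT. Added example,
not Sophos code. Assumed topology: Port2 = ISP1, Port3 = ISP2, Port4 = MPLS."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed interface addresses (documentation ranges, assumption).
IFACE_IP = {"Port2": "203.0.113.2", "Port3": "198.51.100.2", "Port4": "172.16.0.2"}

@dataclass
class Gateway:
    name: str
    iface: str
    active: bool = True     # WAN link manager: Active (load balanced) or Backup
    up: bool = True         # gateway health-check result
    wan_link: bool = True   # False = custom gateway, kept out of the Internet pool

@dataclass
class StaticRoute:
    dest: str
    gateway: str

@dataclass
class SdwanPolicy:
    src: str
    dest: str
    primary: str
    backup: Optional[str] = None

@dataclass
class NatRule:
    src: str
    dest: str
    out_ifaces: Tuple[str, ...]   # () = any outbound interface
    snat: str                     # "MASQ" or "Original"

def _in(ip: str, net: str) -> bool:
    return ip_address(ip) in ip_network(net)

class Firewall:
    # Lookup order is an assumption; verify with 'system route_precedence show'.
    def __init__(self, gateways, static_routes, sdwan_policies, nat_rules,
                 precedence=("static", "sdwan", "default")):
        self.gw = {g.name: g for g in gateways}
        self.static_routes, self.sdwan_policies = static_routes, sdwan_policies
        self.nat_rules, self.precedence = nat_rules, precedence

    def _up(self, name: Optional[str]) -> bool:
        return name is not None and name in self.gw and self.gw[name].up

    def _static(self, dst: str) -> Optional[str]:
        # Longest-prefix match among static routes whose gateway is up.
        best = None
        for r in self.static_routes:
            if _in(dst, r.dest) and self._up(r.gateway):
                if best is None or ip_network(r.dest).prefixlen > ip_network(best.dest).prefixlen:
                    best = r
        return best.gateway if best else None

    def _sdwan(self, src: str, dst: str) -> Optional[str]:
        # First matching policy: primary gateway if up, otherwise its backup.
        for p in self.sdwan_policies:
            if _in(src, p.src) and _in(dst, p.dest):
                if self._up(p.primary):
                    return p.primary
                if self._up(p.backup):
                    return p.backup
        return None

    def _default(self, flow_id: int) -> Optional[str]:
        # Spread flows over Active gateways that are up; Backup gateways only
        # carry traffic once no Active gateway is left (failover).
        active = [n for n, g in self.gw.items() if g.wan_link and g.active and g.up]
        if active:
            return active[flow_id % len(active)]
        backup = [n for n, g in self.gw.items() if g.wan_link and not g.active and g.up]
        return backup[0] if backup else None

    def route(self, src: str, dst: str, flow_id: int = 0) -> Optional[str]:
        for stage in self.precedence:
            gw = (self._static(dst) if stage == "static" else
                  self._sdwan(src, dst) if stage == "sdwan" else self._default(flow_id))
            if gw:
                return gw
        return None

    def snat(self, src: str, dst: str, out_iface: str) -> str:
        # NAT table: first matching rule wins; no match means no translation.
        for r in self.nat_rules:
            if _in(src, r.src) and _in(dst, r.dest) and (not r.out_ifaces or out_iface in r.out_ifaces):
                return IFACE_IP[out_iface] if r.snat == "MASQ" else src
        return src

    def forward(self, src: str, dst: str, flow_id: int = 0):
        """Return (egress interface, source address on the wire), or None if unroutable."""
        gw = self.route(src, dst, flow_id)
        if gw is None:
            return None
        iface = self.gw[gw].iface
        return iface, self.snat(src, dst, iface)

def build_branch(isp1_up=True, isp2_active=True, mpls_as_wan=False, keep_hq_source=True):
    """Constructed branch config (assumed): LAN 10.1.0.0/16, head-office nets 10.20.0.0/16."""
    gateways = [Gateway("ISP1", "Port2", active=True, up=isp1_up),
                Gateway("ISP2", "Port3", active=isp2_active),
                Gateway("MPLS", "Port4", wan_link=False)]          # custom gateway on the MPLS port
    if mpls_as_wan:   # case i: SD-WAN policy sends HQ traffic to the MPLS gateway
        static, sdwan = [], [SdwanPolicy("10.1.0.0/16", "10.20.0.0/16", "MPLS")]
    else:             # case ii: MPLS as LAN, static route to the HQ networks
        static, sdwan = [StaticRoute("10.20.0.0/16", "MPLS")], []
    nat = []
    if keep_hq_source:   # linked NAT rule, SNAT 'Original', listed above the catch-all
        nat.append(NatRule("10.1.0.0/16", "10.20.0.0/16", (), "Original"))
    nat.append(NatRule("10.1.0.0/16", "0.0.0.0/0", (), "MASQ"))   # overriding masquerade, any interface
    return Firewall(gateways, static, sdwan, nat)

if __name__ == "__main__":
    fw = build_branch()
    print(fw.forward("10.1.1.10", "10.20.0.5"))     # ('Port4', '10.1.1.10')
    print(fw.forward("10.1.1.10", "8.8.8.8", 1))    # ('Port3', '198.51.100.2')
    print(build_branch(keep_hq_source=False).forward("10.1.1.10", "10.20.0.5"))  # ('Port4', '172.16.0.2')
```

The last call is the check worth doing on a real deployment: with the 'Original' rule removed, the catch-all masquerade rewrites head-office traffic to the MPLS interface address, which is exactly the silent NAT the question asks how to avoid. Keep the linked rule above the catch-all, or scope the masquerade rule to the ISP ports only.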