How to set up XG Firewall as RED device in "Unified Mode"

As suggested by Sophos, we bought some XG 86 appliances to use them as RED devices for connecting branch offices. In some branch offices we have already added licenses and operate them in transparent mode, so all internal network traffic is tunneled. But in some branch offices we do not have much traffic and want to operate them in unified mode, so that in addition to internal traffic, all traffic for mail, internet and so forth is secured by tunneling it to the head office.

The configuration steps for transparent/split mode are shown in several how-tos, but not for the case of unified mode. Can someone explain the basic steps to be done?

Of course, I can route all traffic to the head office via a default route, but that does not work. I expect there is a smoother way using firewall/NAT rules and maybe a special gateway.

Configuration: Head Office: XG 135, RED Firewall Server; Branch Office: XG 86, RED Firewall Client



  • You will simply use routing to get this done. If you create a 0.0.0.0 static route on the XG86 and move everything through the tunnel, it will act as a standard unified mode appliance. It will route everything through the tunnel.

    If you want a more granular design, you will move to SD-WAN policy-based routing. There you can create a route based on IP or service.

  • Thank you very much LuCar Toni, the second solution (SD-WAN) works fine and is what I've been searching for.

    In short:

    • I tried the default route 0.0.0.0 before, but that didn't work - I don't know why.
    • The SD-WAN configuration works fine, and I can also split off GUEST traffic so that it is not tunneled via the head office.

    For anyone interested, here are the simple steps:

    1. Add the RED interface as a gateway (Routing -> Gateway) with the appropriate zone, in my case the LAN zone.
    2. Add an SD-WAN policy for LAN traffic (set the inbound interface to the LAN interface and the source network to the LAN network).
    3. Add an SD-WAN policy for GUEST traffic (set the inbound interface to the GUEST interface and the source network to the GUEST network).
    4. Test:
      1. traceroute to the Internet from LAN is tunneled
      2. traceroute to the Internet from GUEST is not tunneled
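The following script is an added example, not code from the thread or from Sophos: it automates the test in step 4 above by inspecting traceroute output from a LAN host and a GUEST host and checking whether any hop lies in the RED tunnel transfer network. All addresses, host names and the two traceroute captures are constructed for the example; the transfer network prefix (10.200.0.), the gateway addresses and the destination are assumptions and must be replaced with the real values of the deployment.

```shell
#!/bin/sh
# Added example, not part of the original thread: decide from traceroute output
# whether a branch host's path to the Internet runs through the RED tunnel,
# which is what step 4 of the post checks by hand.
#
# All addresses here are constructed for the example (hypothetical values):
#   10.200.0.0/24   RED tunnel transfer network, head-office side is 10.200.0.1
#   192.168.10.1    branch LAN gateway (XG 86), 192.168.20.1 branch GUEST gateway
#   198.51.100.10   some Internet destination (RFC 5737 test range)
RED_TRANSFER_PREFIX="10.200.0."

# classify_path RAW_TRACEROUTE -> prints "tunneled" if any hop sits in the RED
# transfer network, otherwise "direct". The first line of traceroute output is
# the header ("traceroute to ..."), which names the destination, so skip it.
classify_path() {
    hops=$(printf '%s\n' "$1" | sed '1d' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' || true)
    for h in $hops; do
        case "$h" in
            "$RED_TRANSFER_PREFIX"*) echo tunneled; return 0 ;;
        esac
    done
    echo direct
}

# expected_path ZONE -> the result the SD-WAN policies in the post should give:
# LAN goes through the head office, GUEST goes out the local WAN.
expected_path() {
    case "$1" in
        LAN)   echo tunneled ;;
        GUEST) echo direct ;;
        *)     echo unknown ;;
    esac
}

# check_zone ZONE RAW_TRACEROUTE -> "ZONE ok (...)" or "ZONE FAIL (expected X, got Y)"
check_zone() {
    want=$(expected_path "$1")
    got=$(classify_path "$2")
    if [ "$want" = "$got" ]; then
        echo "$1 ok ($got)"
    else
        echo "$1 FAIL (expected $want, got $got)"
    fi
}

# Constructed traceroute captures, as a LAN host and a GUEST host might see them.
LAN_TRACE='traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  xg86.branch.example (192.168.10.1)  0.412 ms  0.388 ms  0.371 ms
 2  xg135-red.hq.example (10.200.0.1)  18.201 ms  18.110 ms  18.087 ms
 3  192.0.2.1  18.932 ms  18.905 ms  18.880 ms
 4  198.51.100.10  25.114 ms  25.090 ms  25.071 ms'

GUEST_TRACE='traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  xg86-guest.branch.example (192.168.20.1)  0.398 ms  0.377 ms  0.360 ms
 2  203.0.113.1  4.211 ms  4.190 ms  4.172 ms
 3  * * *
 4  198.51.100.10  9.820 ms  9.801 ms  9.785 ms'

# Stand-alone run on the constructed captures. With real hosts, feed live output
# instead, e.g.:  check_zone LAN "$(traceroute -n 198.51.100.10)"
check_zone LAN "$LAN_TRACE"
check_zone GUEST "$GUEST_TRACE"
```

The check relies only on the second hop being the head-office RED interface address, so it works with or without DNS names in the traceroute output (`traceroute -n`). A route that bypasses the tunnel because a more specific SD-WAN policy or a static route wins shows up as a FAIL for LAN, which is the misconfiguration the manual test in step 4 is meant to catch.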