XG v18 SD-WAN policy routing in dual ISP WAN - doubling fw rules for what?

Hi all,

I'm writing after a v17 to v18 migration. I have read and watched the Sophos videos and I'm starting to get an idea of the main changes in the traffic management rules, BUT I wanted to be sure that I'm not missing something in the "concept", and to avoid mistakes in all the NAT / firewall rules and migrated SD-WAN policy routing that I now have to work out to clean up all the mess that bumped up after the upgrade.

Please keep in consideration that I'm in an Active-Passive XG330 cluster scenario with dual ISP WAN ports. The main use of the second ISP is only as a backup, so switching traffic when the main link goes down, with a lot of exceptions that I don't mention here, but that's the main use.

The routing order is:

SD-WAN
VPN routes
STATIC

The first main question for me is (please tell me if I'm wrong):

Do I have to replicate every firewall rule in the SD-WAN policy routing if I need to manage link failover in it?

EXAMPLE: 

LAN to WAN - access to the internet only with a specific port list and other options (IPS, etc.) that I want to fail over from ISP1 to ISP2

Thanks in advance,

Simo



  • FormerMember

    Hey, thanks for reaching out to Sophos Community.

    With v18, firewall rules are decoupled from gateway selection and NAT. Considering you've migrated configurations from v17.5 to v18, you'd have SD-WAN rules that are mapped to specific firewall rules (configured in v17.5).

    You don't need to replicate each firewall rule in the SD-WAN policy route. Since you only have two ISPs and the primary ISP is serving all the traffic unless it goes down, you'll only need to add one SD-WAN policy route: define the source network and the incoming interface, with destination set to ANY, and select the active and backup gateways.

    Optionally, since you've only got 2 ISPs, you can change the gateway type to active or backup for the specific ISPs and make no changes to the SD-WAN policy routes. Although this can become ambiguous if you decide to add a third ISP in the future :)

  • Hi Davesh and thank you for the reply,

    I said that the main use of the ISP2 is as a backup link, not the only use.

    I need to force specific traffic of some firewall rules in reverse order, so normally on the backup link, and if the backup link goes down I need them to switch to the main link. Furthermore, I need to route some traffic ONLY through ISP1 or only through ISP2; what then?

    Generally speaking, if any of the customers aren't in a straight load balancing or failover configuration but have some specific traffic to handle, is my question still valid? Do I have to replicate exactly all the firewall rules in the SD-WAN policy routing?

    EDIT: I noticed you wrote about setting up gateways as active and backup. I already have this setup and I've always handled everything from the firewall policies before; do I have to set up both links as Active and manage them with SD-WAN policies?

    Best Regards,

    Simo

  • Try: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121408/routing-in-xgv18-with-sd-wan-pbr

    Basically routing and other stuff (firewall, NAT, etc.) are decoupled.

    Backup/Active interfaces are the last resource and are overridden by SD-WAN.

  • Thanks, and OK for the Active / Backup concept, but what about specific firewall rules that need to go only to one ISP, or with reversed ISP preference (first on ISP2, then ISP1 if it fails)? Do I need to mirror them, even on the ports, to avoid mistakes if the traffic matches another rule?

  • OK, let's say that I decide that my approach is to write SD-WAN rules with "any" ports to try to simplify things; the specific traffic can be caught in another, newer rule. I cannot keep track, I have 130 firewall rules. So if my approach is more "any" destination, "any" ports, I can simplify things, but if I want to be strict and I have a lot of firewall rules and I start cloning them to SD-WAN, I could lose track and I must be extremely precise every time I make a new rule. Am I wrong in that?
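The route selection order the thread describes (SD-WAN policy routes first, top-down, independent of the firewall rules; unmatched traffic falls to the static default, where the gateway's active/backup type applies), modelled as an added Python example that is not Sophos code. Rule names, networks, interface names and ports are constructed, and treating a route whose gateways are all down as a drop is a simplifying assumption. It shows that two specific routes ahead of one catch-all cover the reverse-preference and ISP1-only cases without mirroring every firewall rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class PolicyRoute:
    name: str
    src: str                       # source network in CIDR form
    in_iface: str                  # incoming interface; "any" matches all
    dst: str                       # destination network; "0.0.0.0/0" is ANY
    ports: frozenset = frozenset() # empty = any destination port
    primary: str = "ISP1"
    backup: Optional[str] = "ISP2" # None = this traffic never fails over

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.in_iface in ("any", pkt["in_iface"])
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (not self.ports or pkt["dport"] in self.ports))

def select_gateway(pkt, routes, gw_up, static_default=("ISP1", "ISP2")):
    """Return (gateway, reason). SD-WAN routes are checked first, top-down;
    unmatched traffic falls through to the static default route, whose
    active gateway is tried before its backup (simplified model)."""
    for r in routes:
        if r.matches(pkt):
            for gw in (r.primary, r.backup):
                if gw and gw_up.get(gw):
                    return gw, f"sd-wan:{r.name}"
            return None, f"sd-wan:{r.name}:all-gateways-down"  # assumption
    for gw in static_default:
        if gw_up.get(gw):
            return gw, "static-default"
    return None, "no-gateway"

# Constructed rule set: specific routes first, one catch-all last.
ROUTES = [
    PolicyRoute("smtp-prefer-isp2", "10.0.1.0/24", "Port2", "0.0.0.0/0",
                frozenset({25, 587}), primary="ISP2", backup="ISP1"),
    PolicyRoute("voip-isp1-only", "10.0.2.0/24", "any", "0.0.0.0/0",
                frozenset({5060}), primary="ISP1", backup=None),
    PolicyRoute("lan-catch-all", "10.0.0.0/16", "any", "0.0.0.0/0"),
]

def demo(isp1_up=True, isp2_up=True):
    """Constructed packets: generic web, mail-server SMTP, and VoIP flows."""
    up = {"ISP1": isp1_up, "ISP2": isp2_up}
    pkts = {"web":  {"src": "10.0.3.7", "in_iface": "Port1", "dst": "192.0.2.10", "dport": 443},
            "smtp": {"src": "10.0.1.5", "in_iface": "Port2", "dst": "198.51.100.9", "dport": 25},
            "voip": {"src": "10.0.2.9", "in_iface": "Port1", "dst": "203.0.113.4", "dport": 5060}}
    return {k: select_gateway(p, ROUTES, up)[0] for k, p in pkts.items()}
```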
