This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Did I get the SD-WAN policies right?

Hello everyone,

I am running Sophos XG (Home) v18.5 MR4 with dual-WAN in failover mode. I will soon be changing it to load-balancing globally. However, I would like to set the SDWAN policies for these 2 scenarios as exceptions to this change:

  1. Some certain apps in my Home Wifi VLAN subnet should only connect to the WAN interfaces as if in failover mode. Here is its policy:


  2. The subnet VLAN for my NAS should only be connecting to the Internet via WAN 1 only. No failover or load-balancing should be allowed on it. Here is its policy:


Below is my routing precedence. It seems legit and proper:

I am having some questions on this:

  1. Have I got the SD-WAN policies right?
  2. Should I tick the 'Override gateway monitoring decision' box? What is it for?
  3. Is the reason why I cannot set an SD-WAN policy for my VPN interface because it has already been one of the routing precedences (#3 in the console)?
  4. I want very fast access on my NAS subnet regardless of whether I am on VPN or not. Which DSCP marking should I assign to its SD-WAN policy?
      

Thank you very much in advance guys.



  • You should change your Destination to Internetv4, if you want to reflect WAN traffic. Do not use ANY in this scenario. 

    Better do the upgrade to V19.0 MR1 first and then use V19.0 SD-WAN Routing. 


  • Thanks a lot buddy.

    Does it look correct now? #Port1 & #Port2 are my WAN ports.

    • Should I tick the 'Override gateway monitoring decision' box? What is it for?
    • Is the reason why I cannot set an SD-WAN policy for my VPN interface because it has already been one of the routing precedences (#3 in the console)?
    • I want very fast access on my NAS subnet regardless of whether I am on VPN or not. Which DSCP marking should I assign to its SD-WAN policy?

    How about the other 3 questions of mine here, buddy?

    Thank you again.

  • V19.0 will bring a new object (Internetv4), which you can use for routing. Those #Port will not work. 

    Override gateway should essentially not be important for you.

    SD-WAN Policies can use every gateway you configure in the firewall. A Gateway can be everything behind an interface (XFRM, static interface or MPLS etc.). Policy based VPN cannot be a gateway.


  • Ok so for the sake of safety, I am better off not assigning those Destination Networks to the ports, thus not establishing an sdwan policy and hence not yet changing my dual-wan loadout from failover to load-balancing.

    I would like to ask more on Sophos Firewall v19 now:

    1. I am running v18.5 MR4, how can I update to v19 (MR1)? The update function does not notice any new versions.

    2. Can sdwan in v19 be applied to websites? (i.e. under a load-balancing wan layout, banking websites should be accessed as if failover so that the IP address does not change too often.)

    3. Are there any pdf files or video clips for sysadmins consisting of in-depth tutorials on changes from v18(.5) to v19 for the ease of migration?

    Thanks buddy. 

  • Hi J Thai,

    For questions 1 and 3, kindly check the video tutorial on "how to upgrade and download the firmware".

    https://soph.so/bMSPgY

    Or kindly go to mysophos portal https://sophos.com/mysophos > Log in with your Mysophos Account > Network Protection > Firmware Updates > Enter Serial Number and you’ll get a list of firmware.

    For question 2, for a better understanding of v19 SD-WAN capabilities kindly see the video link: https://soph.so/hcf1Ye

    Other information needed, kindly see below:

    * Best Practice for firmware upgrade: https://soph.so/9i9uI0

    * Release Note: https://soph.so/N1RIR7

    * SSL VPN change on v19: https://soph.so/UMVPH5

    Erick Jan
    Community Support Engineer | Sophos Technical Support
