Sophos XG with ZScaler GRE Tunnel

I am looking to use Zscaler for our clients to secure internet traffic the same whether they are sat in the office or at home.

Initially I thought I could just install the client on the endpoints and not have to worry about a GRE tunnel, however when on VPN, Zscaler stops access to internal resources as it tries to send the connections via Zscaler which has no access.

So the next stop is configuring a GRE tunnel for people in the office and on VPN, and setting the application to disable itself if it detects that users are on these networks.

Looking into setting up a GRE tunnel on the Sophos devices doesn't seem very straightforward. I have 2x subnets for clients that I want to forward to Zscaler, but I wanted to be able to decide what traffic is routed. I can't seem to see a way to do this, as policy-based routing doesn't seem to be enabled for GRE?

An example would be, we have some SQL servers in Azure that only allow access from our static outbound IP, so we would want to exclude these from the GRE tunnel.

Has anyone got a similar setup on a Sophos XG and could point me in the right direction please?



  • Hello,

    Thank you for reaching out to the community. Please refer to Sophos Firewall: Configure a GRE tunnel - https://support.sophos.com/support/s/article/KB-000035813?language=en_US
    In case you have any doubts or get stuck, please feel free to revert here!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi Vivek, I have read through the documentation but it looks like we can only configure a static route via GRE?

    How do these work with other static routes between interfaces on the Sophos XG already?

    I need to be able to configure the outbound WAN connections to route via the GRE tunnel, but I want to be able to add in exceptions. I can't see any priority for the GRE tunnel routes?

    As an example, here are 3 rules I would want to have:

    192.168.10.x > wan - route via GRE Tunnel

    192.168.10.x > 192.168.12.x - Route via interface on Sophos configured via static route

    192.168.10.x > 31.141.31.32 - NAT via outbound WAN interface
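    A worked route lookup for the three rules above, as an added example that is not from this thread or from Sophos: it models them as a longest-prefix-match table (hypothetical next-hop names, not Sophos syntax) and shows that the /32 exception for the Azure SQL host has to be more specific than the default route into the GRE tunnel for that traffic to keep the static WAN IP as its source.

```python
import ipaddress
from dataclasses import dataclass


# Constructed model of the three rules in the post (hypothetical next-hop
# labels; this is not Sophos XG configuration syntax).
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "gre-zscaler", "lan-static" or "wan-nat"
    seen_as: str    # source address the remote side will see


ROUTES = [
    # Rule 1: everything bound for the internet goes into the GRE tunnel
    Route(ipaddress.ip_network("0.0.0.0/0"), "gre-zscaler", "zscaler-egress-ip"),
    # Rule 2: the other LAN stays on the firewall's own static route
    Route(ipaddress.ip_network("192.168.12.0/24"), "lan-static", "client-ip"),
    # Rule 3: Azure SQL host only accepts the firewall's static outbound IP,
    # so it must bypass the tunnel and be NATed out of the WAN interface
    Route(ipaddress.ip_network("31.141.31.32/32"), "wan-nat", "static-wan-ip"),
]


def lookup(dst: str, routes=ROUTES) -> Route:
    """Longest-prefix match: the most specific matching route wins, so the
    /32 exception beats the /0 default that points into the GRE tunnel."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_ip in r.prefix]
    if not matches:
        raise LookupError(f"no route for {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def check_exclusions(routes, excluded) -> list:
    """Return the excluded destinations that would still egress through the
    GRE tunnel; an empty list means every exception really bypasses Zscaler."""
    return [ip for ip in excluded if lookup(ip, routes).next_hop == "gre-zscaler"]


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.12.5", "31.141.31.32"):
        r = lookup(dst)
        print(f"{dst:>15} -> {r.next_hop:<12} (seen as {r.seen_as})")
    # Dropping the /32 route shows the failure mode: the SQL host would be
    # reached from Zscaler's egress IP and refuse the connection.
    print("still via GRE without exception:", check_exclusions(ROUTES[:2], ["31.141.31.32"]))
```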

  • In this case you can try the following: 

    Local Networks
    The LAN segment definition that your Sophos is protecting (i.e. "LAN", 192.168.10.x)
    WAN/OUTSIDE IP of your local Sophos
    IP of GRE TUNNEL Sophos side

    Remote Networks
    WAN IP of your Remote Device [Zscaler]
    IP address of the other end of the GRE tunnel [Zscaler remote end]
    Remote Subnets that you need to talk to

    You shouldn't need to add any GRE routes or IPsec routes via the CLI (just set up the GRE tunnel from the CLI and that is it).

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 



  • Sorry if I am being a bit dense, but how would it then decide what traffic to route via the GRE tunnel? Does it create the tunnel as a gateway that I can then use for SD-WAN rules, or would I just configure NATting via the local remote subnet?
