Hi there,
can someone please tell me where I can find the equivalent of Zyxel's Policy Route
Hello Thierry MICHELS ,
Thank you for reaching out to the community. Please refer to the following useful docs:
1.) Sophos Firewall v19: How to Choose The Gateway For A Firewall Rule
2.) SD-WAN policy routing - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/index.html
3.) Add an SD-WAN policy route - https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyRouteAdd/index.html
With the help of the command below, you can verify the SNAT details for system-generated traffic.
If there is no output, it means no SNAT is configured for system-generated traffic.
console> sh advanced-firewall
The output below shows the SNAT for system-generated traffic:
NAT policy for system originated traffic
---------------------
Destination Network Destination Netmask Interface SNAT IP
console>
Sophos XG Firewall: How to NAT Sophos Firewall generated traffic
https://support.sophos.com/support/s/article/KB-000035607?language=en_US
To delete, the command is the same; in place of add, use del as in the above KBA if you want to delete an existing system-generated NAT rule.
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Global Support & Services
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Thank you for your answer
I tried to add the new VLANs under Remote Subnet and corrected the firewall rule, but it doesn't work.
LAN_arosa connects (green) and VLAN_Arosa stays red.
Thank you for the update. Is VLAN_Arosa also part of the local subnet at the remote site? Can you confirm? Also ensure the subnet does not conflict with LAN_Crans.
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services
Yes, VLAN_Arosa is a VLAN on the same LAN port.
VLAN_Arosa 172.16.20.0/23
LAN_Arosa 172.16.60.0/23
No, LAN_Crans is on 192....
Can you enable the strongswan service in debug with the following command:
On the CLI, select option 5. Device Management, then option 3. Advanced Shell.
#service strongswan:debug -ds nosync
Then collect the debug logs with the following command (re-establish the tunnel by toggling it off and on):
#tail -f /log/strongswan.log
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services
Thank you for your help
XG115_XN03_SFOS 19.0.1 MR-1-Build365# debug -ds nosync
/bin/sh: debug: not found
XG115_XN03_SFOS 19.0.1 MR-1-Build365# tail -f /log/strongswan.log
2023-01-13 08:34:39Z 14[CFG] loaded IKE secret for 195.162.165.58 %any
2023-01-13 08:34:39Z 08[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2023-01-13 08:34:44Z 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:44Z 05[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:45Z 06[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:47Z 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:51Z 23[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:59Z 14[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:35:15Z 12[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:35:45Z 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
You executed the wrong command for debug, Thierry MICHELS; use the complete command after the #.
Anyway, in the normal logs we can see that we are receiving an invalid SPI [Security Parameter Index]; please get it checked against the remote site's logs once...
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services
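As an added example (not code from this thread or from Sophos), a small Python helper that summarises the "invalid SPI" alerts in a strongswan.log excerpt like the one above per SPI and time window, and checks the listed remote subnets for overlap as the support reply asked. The log lines and subnet names below are constructed samples modelled on the thread.

```python
import re
from datetime import datetime
from ipaddress import ip_network

# Constructed sample modelled on the strongswan.log excerpt in the thread
# (same line format; trimmed to a few lines).
SAMPLE_LOG = """\
2023-01-13 08:34:39Z 14[CFG] loaded IKE secret for 195.162.165.58 %any
2023-01-13 08:34:44Z 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:34:47Z 30[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
2023-01-13 08:35:45Z 28[DMN] [GARNER-LOGGING] (child_alert) ALERT: Received IKE message with invalid SPI (E1231F72) from the remote gateway.
"""

# "<date> <time>Z <thread>[<subsystem>] <message>" as printed by strongswan on SFOS
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z "
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$"
)
SPI_RE = re.compile(r"invalid SPI \(([0-9A-Fa-f]+)\)")


def invalid_spi_summary(log_text):
    """Return {spi: (count, first_ts, last_ts)} for 'invalid SPI' alerts.

    A burst of alerts for one SPI, as in the thread, commonly means one
    peer keeps sending on a child SA that the other side no longer holds.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        spi_m = SPI_RE.search(m.group("msg"))
        if not spi_m:
            continue
        spi = spi_m.group(1).upper()
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        count, first, last = seen.get(spi, (0, ts, ts))
        seen[spi] = (count + 1, min(first, ts), max(last, ts))
    return seen


def overlapping_subnets(subnets):
    """Return (name, name) pairs whose networks overlap; empty means no conflict."""
    nets = {name: ip_network(cidr, strict=False) for name, cidr in subnets.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for spi, (n, first, last) in invalid_spi_summary(SAMPLE_LOG).items():
        print(f"SPI {spi}: {n} alerts between {first} and {last}")
    print(overlapping_subnets({"VLAN_Arosa": "172.16.20.0/23", "LAN_Arosa": "172.16.60.0/23"}))
```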
OK, sorry, I am not familiar with the debug.
But anyway, like you say: receiving invalid SPI.
When I remove the second one (VLAN_Arosa) it works fine without errors.
Yup, so please check the logs on the remote site to narrow down the situation!
Thanks & Regards,
Vivek Jagad | Team Lead, Global Support & Services