Firewall Manager - Template policy

Hello, I am starting to use Firewall Manager to manage three XG Firewalls (XG1, XG2, XG3).

I am a bit confused about how to manage the firewalls using groups. I found only skinny documentation...

Let me try to explain myself better.

I would like to manage the firewalls using different groups:

Group 1: XG1, XG2 --> peripheral firewall

Group 2: XG3 --> Central firewall

Group 1 needs to have its own policy (network policy, IPsec policy).

Group 2 needs to have its own policy (network policy, IPsec policy).

How to make it?

How to push policy?

I don't understand the difference between:

- Template Configuration --> Policy

- Device Configuration --> Policy

Thank you



  • Hi Stefano,

    First you need to create two custom groups, Group1 and Group2.

    Now go to the Device Configuration page, select custom Group1, create the policy for Group1 and push the policy to the group devices.

    In the same way, go to the Device Configuration page, select custom Group2, create the policy for Group2 and push the policy to the group devices.

    How to push policy --> Once the policy is created, it will open the Set Schedule window; check that the group devices are selected and click the Save button to push the policy.

    Difference between Template Configuration --> Policy and Device Configuration --> Policy:

    Identically, both are used to push policy to XG devices.

    Device Configuration --> Policy: this option is used to push only policy to a specific device or group.

    Template Configuration --> Policy: in the Template option the user can configure policy and all other configuration, and push the same to a device or device group. Template configuration is used to create re-usable configuration templates, useful for adding a new branch office in minimal time.

    Ravi

  • Ravi, thank you!

    I have another question.

    Group1: peripheral firewall, branch office

    FW1: Head Office

    Using Device Configuration, selecting 'Group1', then System --> VPN --> Ipsec

    I need to define a VPN IPsec policy valid for every firewall belonging to the same 'Group1' to permit the VPN toward FW1.

    I click 'Add'... End Point Detail: how do I define the Local interface?

    Actually I see:

    Templated_Imported_Wan_Port3_0

    Templated_Imported_Wan_Port2_0

    Sincerely, I don't know how these two values are generated. However, if I want to use the same IPsec policy for every firewall belonging to the same group, do I need to define port3 (e.g. MPLS link) and port2 (xDSL link) for every firewall? Can you explain this to me?

    Thank you

  • Hi Stefano,

    In your scenario, first you need to create a dynamic WAN interface with the WAN zone; after that you will get the same interface in the local end point section of IPSec.

    To create a Dynamic Interface go to System Management > Device Settings > Dynamic Objects > Interface.

    Ravi

     

  • Perfect Ravi, however why can't I define the failover group via Firewall Manager, Device Configuration --> System --> VPN --> Ipsec?

    as described in:

    community.sophos.com/.../123305

    Thank you

  • Hi Stefano,

    It is a limitation. Fail-over group configuration is not supported in SFM IPSec configuration.

    Ravi

  • Hello Ravi, I have about 20 branch offices that currently establish an IPsec tunnel toward the head office.

    Every firewall (branch office and head office) has at least two ISP internet links, obviously to avoid a single link failure bringing down the entire system.

    Do you mean that to configure the failover IPsec I cannot use the SFM, but need to configure the functionality directly on each of the 21 XG Firewalls?

    Then you don't see the point of using the SFM, truly?

    Thank you

  • Hi Stefano,

    You can configure the fail-over group in IPSec configuration from SFM at device level. Go to Device Configuration and select the XG device, then go to the IPSec configuration page.

    In SFM at group level, fail-over group configuration is not supported because it creates complexity in managing the IPSec tunnels of multiple XG devices.

    Ravi