Route/Redirect specific traffic

Dear all,

My first post here, and I'd be grateful if anyone could help me with the question below.

I've a scenario where I have to send only specific update traffic through a hub (proxy/gateway).

For example, all users and services should be able to browse and publish on the internet directly/normally, but Sophos update traffic, for example, should go to one specific server acting as gateway/proxy.

The middle server (gateway/hub) can act as a web proxy, SSH tunnel or VPN server, so that the Sophos XG appliance is able to connect to it using one or more of these ways.

Thanks a lot in advance for your kind help and consideration

Kasraeian



  • Sohrab,

    welcome to Sophos Community. Can you provide additional information? Put your network address, examples and more info on what you are trying to achieve.

    We will help you.

    Thanks

  • Dear lferrara,
    Thanks for your kind consideration.

    Here I've attached the simplified diagram for the connectivity.

    Each Sophos XG appliance would have the two connections below: one would be defined as a LAN port with 192.168.x.x/24, and the second port would be configured as a WAN port with a public IP address.

    All user and service traffic should work normally and, if permitted, should be able to connect to the internet or be published on the web.

    Only Sophos update traffic should go to the middle server, which has a public IP address as well.

    The middle server (VPS) could work as a web proxy, SSH tunnel or VPN server.

    Thanks for your kind help and support

    Best regards

  • Perfect!

    If you connect the other gateway to both XGs, create a Unicast route under Routing > Static routing where the traffic for the Sophos Update Server uses the Gateway R IP (the IP that the XG sees, not the other IP) via port x on the XG.

    Also create a proper Firewall Rule to allow traffic.

    That's all!
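As an added illustration of how such a static (unicast) route behaves, and not lferrara's configuration or any Sophos code: a longest-prefix-match lookup over a constructed route table, showing that a host route for the update server sends only that destination to the hub gateway while everything else keeps the default WAN gateway. The update server address, the hub gateway address, the LAN prefix and the port names are assumptions taken from the RFC 5737 documentation ranges; the /32 netmask is likewise an assumption about the most specific route for a single host, and the example also shows what a broader mask would capture.

```python
# Added example, not from the thread or from Sophos: longest-prefix-match
# route lookup over a constructed table. All addresses are placeholders from
# the RFC 5737 documentation ranges, not real Sophos or VPS addresses.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network  # prefix this route covers
    gateway: str                        # next hop as the XG sees it ("Gateway R IP")
    interface: str                      # XG port the packet leaves on


HUB_GATEWAY = "203.0.113.50"   # assumed VPS/hub address as seen from the XG WAN port
ISP_GATEWAY = "203.0.113.1"    # assumed default gateway on the WAN port


def build_table(update_prefixlen: int = 32) -> List[Route]:
    """Constructed route table for one XG. update_prefixlen is the netmask
    length used for the route toward the (assumed) update server address."""
    update_server = ipaddress.IPv4Address("198.51.100.25")  # placeholder, not a real Sophos address
    return [
        # default route: all other traffic leaves via the ISP gateway on the WAN port
        Route(ipaddress.IPv4Network("0.0.0.0/0"), ISP_GATEWAY, "Port2"),
        # directly connected LAN, no gateway
        Route(ipaddress.IPv4Network("192.168.10.0/24"), "0.0.0.0", "Port1"),
        # static unicast route: update server -> hub gateway, mask width as requested
        Route(ipaddress.IPv4Network((update_server, update_prefixlen), strict=False),
              HUB_GATEWAY, "Port2"),
    ]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins),
    which is how a router decides between a default route and a host route."""
    dst_ip = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst_ip in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: r.destination.prefixlen)


def diverted_hosts(table: List[Route]) -> int:
    """Number of destination addresses the hub route captures: exactly one
    with a /32, the whole neighbouring block with a wider mask."""
    return sum(r.destination.num_addresses for r in table if r.gateway == HUB_GATEWAY)


if __name__ == "__main__":
    table = build_table()
    for dst in ("198.51.100.25", "198.51.100.26", "192.168.10.7", "192.0.2.9"):
        r = lookup(table, dst)
        print(f"{dst:>15} -> gateway {r.gateway:<14} via {r.interface}")
    # A /24 mask would also drag the update server's neighbours to the hub.
    print("hosts diverted with /32:", diverted_hosts(build_table(32)))
    print("hosts diverted with /24:", diverted_hosts(build_table(24)))
```

The route with the longest prefix wins, so the host route overrides the default route only for the update server's own address; a wider mask on that route silently reroutes every other host in the same block through the hub as well, which is why the netmask should be as narrow as the destination actually requires.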

  • Dear lferrara,

    Thanks for your kind help. I've checked the static (unicast) route and I'd be grateful if you could kindly check whether I got it right.

    Just two more questions:

    1. What netmask should I use for the static route?

    2. What kind of firewall rule can I use to differentiate the Sophos update traffic generated by the XG appliances?

    Thanks for your kind help and support

  • OK for the static route.

    Now you have to create a proper firewall rule where you allow LAN users to go to the Sophos Update Server with the gateway set to none.

    Of course the Sophos computers must use the Sophos Update Manager in their configuration to download new signatures.

    If you do not create a firewall rule, traffic will be blocked by default.

  • Dear lferrara,

    If possible, I'm looking for a way to direct the XG update traffic to the VPS, not the users' traffic.

    As for the route, I tested it and it's not accepted by the appliance.

  • Sohrab,

    is the Sophos Update Server an internal server? Sophos XG must update its signatures from the Internet. XG updates are different from Sophos Endpoint updates. There is no way to force the XG to update from another server. It must update from the Internet.

  • Dear lferrara,

    Is the Sophos Update Server an internal server? No, it's what Sophos provides to everyone for updating their appliances.

    Sophos XG must update its signatures from the Internet. The VPS is on the internet, and that's why it provides a public address, so it would act as gateway/proxy/hub between the appliance which needs updates and the Sophos update server.

    Thanks for your kind help and support

  • Sohrab,

    sorry if I misunderstood your question. If I am correct, you are talking about Sophos Firewall Manager as Sophos Update Manager, correct?

    Only Sophos Firewall Manager is able to download and distribute Pattern and Firmware Updates to XG appliances.

    Configure XG to connect to SFM and make sure "Content Distribution" is ticked.

    You can configure your SFM under Administration > Central Management.

    Sophos Update Manager is the old appliance used for Sophos UTM. SUM is not compatible with XG. You have to install and use SFM.

  • I'd follow up to purchase the smallest version, as we have only two nodes (XG appliances), which would also work as Active-Active.

    Thanks a lot for your kind help and support