Policy routing with Active Directory

Hello:

I have 3 WAN interfaces.

The firewall is synced with Active Directory with 3 groups.

How can I do:

Group1  -- to internet by WAN1 interface

Group2  -- to internet by WAN2 interface

Group3  -- to internet by WAN3 interface

Why no link load balance?

Groups use their own resources.

Other data:

Groups are in the same network.



  • Create the following firewall rule:

    From LAN to WAN; match Group 1 users and select WAN as per your requirement

    The Primary Gateway is by default set to "WAN Link Load Balance"; just change that to the WAN you want your group to go through. You can also define a backup gateway or keep it to none, in which case the traffic will be dropped if the primary goes down (and if you have no rules set up in the WAN link manager).


  • I have a question:

    When a user does not match, what is the firewall action?

  • Pass to the next policy or drop the connection?

  • The firewall processes rules from top to bottom. So whenever it receives a packet, it's going to try processing it according to the list of rules and will stop processing further rules as soon as it hits a rule which fits the packet description. For example, you have 4 rules: 1 for each of the three groups of users, and the 4th rule is a deny-all rule. Now let's suppose the firewall receives a packet from a user of group 2. It's going to look at the first rule, which says only process if the user matches group 1. So the firewall moves on to the next rule, which applies to our packet since it matches all the conditions (from LAN to WAN and matching a group 2 user). The firewall is going to process the packet according to this rule and is not going to look at any of the other rules. Now let's suppose a packet comes from an unauthenticated user; then the firewall will look at rules 1, 2 and 3, and none of them match since the user is unauthenticated, so it's going to look at rule 4, which says if unauthenticated, then drop the packet, and the firewall will drop the packet. Just know that this last rule is just an example. You can have the firewall do whatever you want to. You may have this last rule say if the user is unauthenticated, then have the traffic pass through this particular gateway and have this particular bandwidth allotted to it. If the packet does NOT match ANY rules in the firewall, the firewall will DROP the packet. So if you don't want the packet to be dropped, have a rule stating otherwise. But please remember, such non-specific rules should always be at the bottom of the rule list; otherwise all traffic will be processed according to this allow-all rule if it is placed at the very top.

  • Hello:

    My question is because the Sophos SG series does not support multiple rules.

    Does the XG series filter rules by source and groups?

    Can you confirm whether the XG series firewall filters rules by source and group, and if the user does not match, moves on to the second rule?

  • Yes, this set of rules will do the trick. It will filter rules based on source and group.
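The top-to-bottom, first-match processing described in the longer reply above, as an added example that is not part of this thread and not Sophos code. The Rule and Packet fields, the rule names and the gateway-up table are assumptions modelled on the thread: Group1/2/3 to WAN1/2/3, a catch-all drop rule last, a backup gateway on one rule, and the firewall's implicit drop when nothing matches.

```python
# Added example (not Sophos code): first-match rule processing for per-group WAN
# selection. Rule/Packet fields and the gateway-up table are assumptions
# modelled on the thread: Group1/2/3 -> WAN1/2/3, a catch-all drop rule last,
# and the firewall's implicit drop when no rule matches.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    groups: frozenset            # empty = any user, including unauthenticated
    action: str                  # "accept" or "drop"
    primary_gw: Optional[str] = None
    backup_gw: Optional[str] = None

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    user_groups: frozenset       # empty = unauthenticated user

def matches(rule: Rule, pkt: Packet) -> bool:
    if (rule.src_zone, rule.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    return not rule.groups or bool(rule.groups & pkt.user_groups)

def route(rules: list, pkt: Packet, gw_up: dict) -> tuple:
    """Return (rule_name, gateway); gateway is None when the packet is dropped."""
    for rule in rules:               # top to bottom, stop at the first match
        if not matches(rule, pkt):
            continue
        if rule.action != "accept":
            return rule.name, None
        # Primary gateway first, then backup; neither usable -> traffic dropped
        for gw in (rule.primary_gw, rule.backup_gw):
            if gw and gw_up.get(gw, False):
                return rule.name, gw
        return rule.name, None
    return "implicit-drop", None      # no rule matched: dropped by default

RULES = [
    Rule("Group1-WAN1", "LAN", "WAN", frozenset({"Group1"}), "accept", "WAN1", "WAN2"),
    Rule("Group2-WAN2", "LAN", "WAN", frozenset({"Group2"}), "accept", "WAN2"),
    Rule("Group3-WAN3", "LAN", "WAN", frozenset({"Group3"}), "accept", "WAN3"),
    Rule("Catch-all-drop", "LAN", "WAN", frozenset(), "drop"),
]
ALL_UP = {"WAN1": True, "WAN2": True, "WAN3": True}
```

Reordering RULES so the catch-all comes first sends every LAN-to-WAN packet to it regardless of group, which is the ordering mistake the reply warns about; removing it instead shows the implicit drop for unauthenticated users.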
