
SFM behind XG with VPN?

Hello,

I just set up 4 XG firewalls across 4 sites. All 4 sites are connected via VPN tunnels through the XG firewalls. I have installed SFM at one site behind an XG. Does it need a public IP to be able to talk to the 3 other XGs, or should it work fine via the VPN tunnels? All 4 XGs are on SFOS 16.05.5 MR-5 and the SFM is on SFMOS 16.05.0 GA. Only the XG that is in the same site as the SFM is showing up in device discovery.

Thanks,

Mike



  • Hi Mike,

     Does it need a public IP to be able to talk to the 3 other XGs or should it work fine via the VPN tunnels?

    --> It is not compulsory to have a public IP on the XG devices to talk to SFM, but connectivity between SFM and the XG device should be there via the VPN tunnels.

    XG devices must be able to send heartbeat packets to SFM on the heartbeat port configured on the Central Management page of XG.

    Ravi

  • None of the XGs themselves in the remote sites can ping the SFM using the diagnostic ping tool from within the XG, but local and remote workstations can be pinged through the VPN tunnels. All the XG devices have public IPs on their WAN port since they act as gateways for all the sites. The SFM does not have a public IP.

  • Mike,

    Try to ping the remote XG from the SFM itself. You do not need a public IP on the SFM, and using VPN is recommended. Make sure you configured the default gateway on the SFM. Also, make sure that the XGs are able to reach the SFM LAN interfaces using TCP 4444 and 443 or 6514 (syslog port).

    Use tcpdump from the SFM.

    Let us know.

    Thanks
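The reply above lists the TCP ports the XGs must reach on the SFM's LAN interface (4444, 443 and 6514) and suggests tcpdump on the SFM. The script below is an added example, not code from the thread or from Sophos: run from a host behind a remote XG, it attempts a TCP handshake to each of those ports on the SFM's LAN address and reports which ones are blocked, and it builds the matching tcpdump filter to run on the SFM side. The SFM address `10.0.0.10` and XG LAN address `10.0.1.1` are placeholders; the local listener exists only so the checker can be exercised offline. Note the caveat from this very thread: workstations behind the remote XGs could reach the SFM while the XGs themselves could not, so success from a workstation proves the tunnel path, not that the XG's own heartbeat traffic (sourced from the firewall itself) gets through.

```python
"""Check whether the SFM management ports are reachable across the VPN.

Added example for the Sophos community thread; not Sophos code.
"""
import socket
import threading

# Ports named in the thread: 4444 (SFM admin console), 443 (HTTPS),
# 6514 (syslog over TLS). The port roles are taken from the reply text.
SFM_PORTS = {4444: "admin console", 443: "https", 6514: "syslog"}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    A refused or timed-out connection both count as unreachable; for the
    firewall case a timeout usually means a missing rule or route, a refusal
    means the packet arrived but nothing is listening.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_sfm_ports(host, ports=SFM_PORTS, timeout=3.0):
    """Return {port: reachable} for each management port on the SFM."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def tcpdump_filter(xg_lan_ip, ports=SFM_PORTS):
    """Build the capture expression to run on the SFM while the XG is tested.

    Only SYNs from the XG's LAN address are captured, so a silent capture
    means the packets never reached the SFM (tunnel or rule problem), while
    SYNs with no SYN/ACK reply point at the SFM's own gateway/route setup.
    """
    port_expr = " or ".join(str(p) for p in sorted(ports))
    return f"src host {xg_lan_ip} and tcp[tcpflags] & tcp-syn != 0 and (port {port_expr})"


def start_local_listener():
    """Start a throwaway listener on 127.0.0.1 (constructed, for offline self-test).

    Returns (server_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass  # listener closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_closed_port():
    """Pick a free local port and release it, so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    sfm_lan_ip = "10.0.0.10"   # placeholder: SFM LAN address
    xg_lan_ip = "10.0.1.1"     # placeholder: remote XG LAN address
    for port, role in SFM_PORTS.items():
        state = "open" if tcp_reachable(sfm_lan_ip, port) else "BLOCKED"
        print(f"{sfm_lan_ip}:{port} ({role}): {state}")
    print("on the SFM, run: tcpdump -ni any '" + tcpdump_filter(xg_lan_ip) + "'")
```

Run it once from a workstation behind each remote XG and once, if possible, with the XG's own diagnostic tools, and compare: a port that is open from the workstation but blocked from the XG points at the firewall's self-originated traffic rather than at the tunnel.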

  • Sorry for the delay in this response.

    From the SFM in Diagnostics / Tools I can ping the remote XGs' internal IPs as well as other devices in the remote networks.

    From the remote XGs in Diagnostics / Tools I CANNOT ping the SFM, nor can I ping any remote XGs' internal IPs. In fact, the remote XGs cannot ping any devices that are remote to them. Remote devices, though, have no issue pinging anything remote to them, including the other XGs.

    Do I need to specifically make a rule or something to allow the XGs to ping devices in the remote sites? I don't recall if I had mentioned it before, but the site-to-site VPN tunnels are IPsec, if that makes any difference.

    Thanks!

  • Good day Mike,

    I have had a similar issue and successfully resolved it by following this thread.

    https://community.sophos.com/kb/en-us/123334

    Kindly use Method 2.

    Cheers!