
How to configure WAF over an IPsec Site-to-Site

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to let the XG Firewall that hosts the WAF, and that is also the IPsec gateway, reach a web server behind the remote site of a site-to-site IPsec connection, when the firewall's own LAN or DMZ interface address is not yet one of the networks carried by the tunnel.

 

What to do

Configure WAF by referring to Sophos XG Firewall: WAF configuration guide.

Configure the IPsec site-to-site connection by referring to Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key.

Once both are configured, check that the IP address of the XG Firewall's physical LAN/DMZ interface is included in the local networks of the IPsec connection (the remote site must list the same address in its remote networks, otherwise the traffic selectors on the two ends will not match).

By default, the connection from the WAF (XG Firewall on Site B) to the web server (behind the XG Firewall on Site A) is sourced from the WAN interface IP. That address is not part of the IPsec traffic selectors, so the connection is not carried through the tunnel. Adding the XG Firewall's LAN/DMZ IP address (192.168.0.1 in this example) to the allowed networks of the IPsec connection adds that address to the IPsec route, and the firewall then uses it as the source IP when connecting to the web server through the IPsec connection.

To verify which IP address the XG Firewall in Site B (where the WAF is configured) uses to communicate with the web server, run the following command in the Advanced Shell:

ip route get <Web-server address>

In this example scenario, the web server's IP is 192.168.4.10 and 192.168.0.1 is the LAN interface IP of the WAF-enabled XG Firewall in Site B.

ip route get 192.168.4.10

The output is:

192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0

If the local interface IP is not added to the allowed networks of the IPsec connection, the route still leaves via ipsec0 but the source address is the WAN interface IP, which is not covered by the IPsec traffic selectors, so the connection does not go through the tunnel:

ip route get 192.168.4.10

The output is: 

192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0
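The following shell script is an added example and is not part of the Sophos article: it parses the "dev" and "src" fields of an ip route get line and reports whether the firewall will source the web-server connection from the expected LAN/DMZ address via ipsec0. The addresses 192.168.4.10 and 192.168.0.1 are taken from the scenario above, the two sample output lines are constructed copies of the outputs shown in the article, and the live path only runs ip route get if the ip command is present (on XG this is meant to be run from the Advanced Shell).

```shell
#!/bin/sh
# Added example (not from the Sophos article): check which source IP the
# firewall picks for traffic to the remote web server, and whether that IP
# is the LAN/DMZ interface address that was added to the IPsec allowed networks.

# Values from the article's scenario; treat them as assumptions for your site.
WEB_SERVER="192.168.4.10"   # remote web server behind Site A
EXPECTED_SRC="192.168.0.1"  # LAN interface IP of the WAF firewall at Site B

# Constructed sample outputs of `ip route get`, mirroring the two cases in
# the article. Used when the real command cannot be run on this host.
SAMPLE_GOOD="192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0"
SAMPLE_BAD="192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0"

# Extract the "src" address from one line of `ip route get` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.][0-9.]*\).*/\1/p'
}

# Extract the outgoing device ("dev ...") from the same line.
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ][^ ]*\).*/\1/p'
}

# Return 0 when the route uses the expected source IP via ipsec0, 1 otherwise.
# Also prints a short verdict for the operator.
check_waf_route() {
    line="$1"; want_src="$2"
    src=$(route_src "$line"); dev=$(route_dev "$line")
    if [ "$dev" = "ipsec0" ] && [ "$src" = "$want_src" ]; then
        echo "OK: traffic to the web server leaves via $dev with src $src"
        return 0
    fi
    echo "MISMATCH: dev=$dev src=$src (expected src $want_src via ipsec0);"
    echo "  add $want_src to the local networks of the IPsec connection"
    return 1
}

# Live check: run `ip route get` when the ip command exists, otherwise fall
# back to the constructed sample so the script still demonstrates the check.
live_check() {
    if command -v ip >/dev/null 2>&1 && out=$(ip route get "$WEB_SERVER" 2>/dev/null); then
        check_waf_route "$(printf '%s\n' "$out" | head -n 1)" "$EXPECTED_SRC"
    else
        check_waf_route "$SAMPLE_GOOD" "$EXPECTED_SRC"
    fi
}

# Demonstrate both cases on the constructed samples (the failing case is
# guarded so the script does not abort under `set -e`).
check_waf_route "$SAMPLE_GOOD" "$EXPECTED_SRC"
check_waf_route "$SAMPLE_BAD" "$EXPECTED_SRC" || true
```

Run it on the Site B firewall with live_check to test the real routing decision; the exit status of check_waf_route is non-zero whenever the source address is not the LAN/DMZ IP, which makes it usable from a cron job or a post-change script.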




Updated Disclaimer
[edited by: Erick Jan at 1:54 PM (GMT -7) on 17 Apr 2023]