Deployment Suggestion:
Deploy Sophos UTM as bridge mix mode
Customer constrain and concern:
1.All branch user segment is same with IPVN router e.g 16.61.201.x
2.Public http is manage separately from internal network
3.Short of manpower to manage branch which around 100 and required minimum downtime or configuration for the firewall.
Customer Enquiry:
1.What is the different between bridge & route mode.
2.Does any lost on features if they implement bridge mix mode since they purchase full guard license such as QoS, Multipath Rule & WAF.
The goal is to configure bridge mode to help user maintain simple deployment with high level security since they subscribe to full guard license and short of manpower to oversee the operation at branch if the firewall down any user without IT knowledge will able to swap and bypass the firewall.
However they also have requirement to maintain 2 gateway for failover http access if internal user not able to connect back through IPVPN which im not sure multipath & Qos is applicable in bridge mode. Thanks[H]
PS MPLS is expensive and can be replaced by RED technology.
Disagree with you somewhat on that statement Bob. [:)]
RED can usually replace MPLS, but not always. RED will always be limited by the Hub & Spoke design and the internet path between locations whereas MPLS is usually on a separate backbone with performance guarantees and topology options.
RED is certainly cheaper then MPLS and for most types of traffic, makes sense. The fact we have two RED sites with four more on the way, but only one MPLS line, kinda illustrates my point. Most of our traffic doesn't need the guarantee's MPLS offers.
MPLS gives you more flexibility in how you setup your WAN and depending on your needs, the provider can do some amazing things with MPLS that you can't do with RED. I've seen MPLS offered where the provider will offer reduced rates for bulk traffic that isn't latency sensitive.
MPLS also offers a more flexible topology so you can run the MPLS lines in hub & spoke, full mesh, partial mesh, whatever you need. With full mesh & OSPF or EIGRP, you can route internet traffic through HQ but maintain a secondary site so if HQ goes offline, you can reroute the internet through the secondary site. Ditto with internal servers.
Thanks, Drew, for taking the time to be precise. I agree that the ability of the provider to do QoS inside their network is an advantage of MPLS that can be difficult to match - but I would guess that even VoIP would be fine in most cases. In this case, since both sites will have a UTM, a combination of IPsec and RED tunnels over a faster connection could be better and cheaper. I bet it's cheaper to put a UTM in each site than to pay for MPLS, and that would offer the same mesh opportunities as MPLS. Once there are more than a few sites, I agree that it's probably worth paying for MPLS to offload the admin overhead.
Azwanarif, you're correct that QoS won't work on a bridged interface. I don't know how to use Multipath rules to automatically send HTTP traffic to an alternate Uplink interface with Web Filtering in Full Transparent mode.
In this situation, I would recommend NOT using Full Transparent with bridged interfaces. If their IPVPN goes down, there would be a quick failover to the other line for the HTTP traffic. Using Uplink Monitoring, it also would be possible to enable a site-to-site IPsec VPN to the other site over the ADSL connection.
If they are concerned about the UTM failing, then I would recommend a Hot-Standby unit with power and UPS on a different circuit. A full-mesh networking setup with LAGs as in the picture below would make the setup even more robust.
