Rules for internal LANs

We have recently purchased a Sophos UTM and I'm in the process of setting it up to replace our existing Juniper firewall. I'm new to Sophos and hopefully this is a simple question.

We have 5 different sites in our company's network. Each building has its own subnet. Our internet provider links our sites together through an MPLS solution. All internet traffic is routed through 1 site. We're replacing the Juniper at that main site with a Sophos UTM. All of our internal traffic from 5 subnets routes through a single interface on the firewall. I've labeled the internal port "LAN" and the external "Internet". We currently have manual routing rules in place to route traffic to all of the internal subnets through the LAN port and I will be setting those up on the UTM, as well.

Juniper uses the "zone" concept to make it very easy to set up firewall rules based on interfaces. ie All traffic from this interface to that interface-allow. If I want to allow traffic for a certain service from all internal subnets to the Internet, what's the best way to do that?

  • I'm not sure if I've understood your infrastructure: you have 5 sites/subnets which are all routed to one site/subnet. And there is the Juniper/Sophos device with ONE LAN interface, which routes all the traffic between the 5 sites/subnets and the internet?

    So you have to create different VLAN interfaces for each subnet on the LAN interface, which you can also use in the firewall ruleset. After creating the VLAN interfaces you should also have the network definition for that VLAN available in the firewall. Therefore you can define which services are allowed to/from the different subnets and the internet.
  • Do you need VLANs or just network definitions? There are no VLANS in place on the Juniper.
  • If the UTM should do the routing between the different sites / subnets, the UTM needs one IP in every subnet. Therefore you will need VLANs. Otherwise you don't have the possibility to define 5 different IP addresses on the one LAN interface of the UTM.

    If another device does the routing between the sites / subnets, and your UTM is only the exit to the Internet, then you can work with network definitions.
  • Thanks Jas Man, that helps a lot. Our ISP is providing the inter-site routing, so we only need one IP on the UTM.

    Now, as an example, if I want to add a wide open outbound rule from the 4 LANs to the internet, but with no access to other LANs, I'm figuring that I...

    Create a network definition for each of the 4 LANs
    Create a network group containing the 4 LANs
    Add a firewall rule from Source "LAN network group", service "Any", Destination ???, "Allow"

    I'm not sure what goes in the Destination box. If I'm understanding correctly "Any" will allow access between LANs, which we don't want.
  • Yup, destination "Any" also allows the internal communication.

    There is an object called "Internet IPv4". This defines all external IP addresses and that is what you will need as the destination.
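
As an added example (not from the thread, and not Sophos code), a small Python model of the rule discussed above: a LAN network group as source, and either "Any" or "Internet IPv4" as destination. The four site subnets, the public address and the route table are constructed for illustration; "Internet IPv4" is modelled as 0.0.0.0/0 bound to the default-route interface, so a destination matches it only if it would leave through the Internet port rather than back out the LAN port to another site.

```python
import ipaddress

# Constructed example topology: four site subnets that the ISP's MPLS
# delivers to the UTM's single LAN port, plus the default route out the
# Internet port. Addresses are made up for illustration.
LAN_GROUP = [ipaddress.ip_network(n) for n in
             ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24", "10.4.0.0/24")]
ROUTES = [(net, "LAN") for net in LAN_GROUP] + [
    (ipaddress.ip_network("0.0.0.0/0"), "Internet"),
]


def egress_interface(dst: str) -> str:
    """Longest-prefix match over the constructed route table."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in ROUTES if dst_ip in net]
    _, iface = max(matches, key=lambda m: m[0].prefixlen)
    return iface


def dst_matches(definition: str, dst: str) -> bool:
    """Model of the two destination objects discussed in the thread.
    'Any' matches every address. 'Internet IPv4' is modelled as 0.0.0.0/0
    bound to the default-route interface, so it only matches traffic that
    would leave through the Internet port, never traffic routed back out
    the LAN port to another site."""
    if definition == "Any":
        return True
    if definition == "Internet IPv4":
        return egress_interface(dst) == "Internet"
    raise ValueError(f"unknown destination definition: {definition}")


def rule_allows(destination: str, src: str, dst: str) -> bool:
    """Evaluate the single rule 'LAN group -> <destination>, service Any,
    Allow'. Anything the rule does not match is dropped (default deny)."""
    src_ip = ipaddress.ip_address(src)
    in_group = any(src_ip in net for net in LAN_GROUP)
    return in_group and dst_matches(destination, dst)


if __name__ == "__main__":
    flows = [("10.1.0.5", "10.2.0.7"),          # site 1 -> site 2
             ("10.1.0.5", "203.0.113.10"),      # site 1 -> public host
             ("192.168.50.5", "203.0.113.10")]  # not in group -> public
    for definition in ("Any", "Internet IPv4"):
        for src, dst in flows:
            print(f"{definition:13} {src:>13} -> {dst:<13} "
                  f"{'ALLOW' if rule_allows(definition, src, dst) else 'DROP'}")
```

Running it shows the site-to-site flow allowed under "Any" and dropped under "Internet IPv4", while the flow to the public host is allowed under both.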

  • Thanks again. I think the biggest hurdle in this transition is that Sophos and Juniper do everything COMPLETELY differently.