We'd love to hear about it! Click here to go to the product suggestion community
try to build up my first solution with BGP and a I´m bit sad … some Things dont work.
Sophos XG as Gateway Firewall.
2 BGP Partner .. 2 Public Networks to announce. an 20 VLAN with private Networks behind the XG.
What ist working …
I got the BGP Working, i createt some dnat rules to bring the traffic from the local Network into the Internet.
What don´t work.
I can not Register the Sohos XG .. because it has no WAN Interface. ( ? )
I have build all as LAN Interfaces ..the 2 BGP Interfaces and the "real" Lan Interface.
If i want to Register the Sophos says .. "Register Server is not reachable".
I can also not ping a host into the Internet from Diagnosis of the XG.
From a Client with a privat IP that goes over the DNAT Rule .. everything works fine with Internet an ping.
I think the is a Basic "Default Route" missing .. but how can i set a Default route with BGP because i have no WAN Interface and only
virtual 2 Networks with public IP´s .
Is is necessary to set one of the physical Interfaces with a IP from the Public Pool ?
My Public Pool ist 195.37.XX.0/23 ..
My old Cisco Router had on one interface the IP 195.37.XX.1 and our Layer 3 Switch which terminated the VLANS had this IP as the Default route.
Now i want to terminate all VLAN´s on the Sophos XG .. ( it works) but how can i bring the public Network inside,
because we have some devices in our Network that Need a IP from the Public Pool (195.37.XX.0/23)
If you understand my litlle confuse Questions .. im very happy for every tip.
The Appliance need at least 1 WAN interface as Zone Type WAN.
As i read in your post, this seems to be the problem.
Can you link a screenshot of your interface config?
You should have 1 Interface (VLAN) at least as Type WAN.
Or (to work without a WAN interface) try to use the parent proxy in the routing tab. But would go with a WAN Interface.
Zone WAN is a preconfigured zone, which points all traffic for the appliance to the Internet.
Maybe you should get in touch with your partner or the distribution to get a small workshop regarding the zone concept / XG policy handling.
In reply to ManBearPig:
Here are some Screenshots .. perhaps you could advise how to define the wan interface ..
So i should define one of my public IP Adresses as a wan interface ?? .. but what is the gateway for that ???
Screensot with BGP Config and Config Network interfaces
In reply to Christian Kolbe:
So you dont have any WAN interface.
Would suggest at least one WAN interface.
The Gateway would be "the next hop" of your BGP route. I *think* you have to predefine this one. Do you know your next hope from XG WAN?
sorry .. i don´t understand you.
We are using BGP from Internet Provider .. behind the BGP Partnes is ... WWW
Here is my BGP config :
XG-Port 11 is BGP Port 1
I have tried several way..
i can not define a WAN Interface .. a wan Interface need a gateway into the same IP Range .. but with BGP you have
a bgp default route and the Announced networks are working with DNAT Rules ..
I can do everything with a lan client .. Internet and all the other but the XG itself dont go to registration site ....
Lets try something else. Please open 2 SSH consoles.
one with advanced Shell: tailf /log/licensing.log
One the other please a dump to the licensing server, which the appliance tries to connect.
tcpdump -ni any host (IP of the server) and port 443
Please share the output.
here are the Screenshots …
It´s very strange.
Yesterday i had already contact to a german Sophos Member of Helpdeskt Team … but he could´t help me,
because he had never installations with bgp ..
We have an other strange behaviour on the Machine .. from the console and from the gui you can ping Google 188.8.131.52 but no other Public IP ….
But from a Client behind a DNAT Rule .. everything works fine !!
Sound like a "routing" issue...
You see the traffic is going to the correct IP with 184.108.40.206 on Port11.
So next question: Port11 is your Potential interface to go to the internet?
But 220.127.116.11 seems to be the Appliance interface address, isnt it?
In my point of view, the appliance does the correct routing. But the neighbor of Port11 maybe does not NAT the traffic.
You say, you can ping Google? try ip r g 18.104.22.168 to see, which interface is used. Then do a tcpdump -ni any icmp and ping again.
Should the Appliance NAT anything? Do you have a Policy which NATs the Traffic?
of Course it´s a Routing issue but it´s only on the XG itself, a Client behind his nat rule works perfect.
it´s BGP …
Interface Port 11 and Port 10 are the BGP Endpoints ( Interface to Internet) ,
IP: 22.214.171.124 an IP 126.96.36.199
They have Partners, that are the next hops.. in BGP
IP 188.8.131.52 and 184.108.40.206
Technically 220.127.116.11 and 18.104.22.168 are the wan interfaces .. but you can not declare this as a wan interface because it has no Gateway. (that makes BGP)
We use this XG as a replacement of an older CISCO 3748 Border Router, i have checked the configuration of this cisco device .. he had also no Default Gateway !!
Some Screenschots :
Default DNAT Rule ( i use one Address 22.214.171.124 from the public pool for nat) (VLAN1 ) all the other VLAN´s have an own public Address for nat.
Cisco BGP Config have adapted it to XG .. without any filter rules
it´s a Problem special related to BGP Implementation and Routing but i can not find any Person on Sophos Germany that has the neccessary Knowledge
about working with BGP and Sophos XG. :-(
So - We are talking about traffic, which is leaving the correct interface with the correct ip address.
Maybe this is a BGP config issue?
I mean, how can you know, the traffic is not dropped on the next station or the bgp config is not correct? Seems to be correct on XG site. How can you decide, it is a XG issue? The dump seems to be fine according to your information.
So lets check the dump again - We are sending the Sync. But there is no response.
Try a telnet from a Client behind the DNAT(i am a little bit confused about the DNAT, you mean SNAT isnt it?) and dump it.
Then try to find the related pattern. Which IP is used from the client and which from the XG itself.
In your Policy is a "NAT_1.." SNAT Policy. Which IP is it?
Maybe you need a SNAT Rule for the Sys Traffic:
your tip with the KB12299 seems the right direction, i will try it tommorow.
BGP is not the Standard that´s why i´m Looking intense for a guy with more practical experience.
With BGP you have announced Networks behind the BGP Partners... in my Situation it is the 126.96.36.199/23 Network.
So i have 512 public addresses between the BGP Network und my corparate Network.
Thats why i have a SNAT Rule .. that all the traffic come from lan goes to anywhere will use one of my public IP´s for NAT.
in my standard Rule it´s the 188.8.131.52 .
If you make a WWW.whatismyip.com from a Client then you will see the 184.108.40.206 and not one of the BGP Address.
But it seems that this rule is not applying to traffic generated from the XG.
I also can not send mails from the XG for config changes and reports.. i think it´s the same Problem.
bgp config is not correct? Seems to be correct on XG site. How can you decide, it is a XG issue
of Course .. everything is possible but why is all working from a Client behind the XG ? and only from the XG itself it works not ?
and BGP Configuration is absolutely simple, it´s nearly impossible to make Errors ..
You have 2 interfaces with ip Addresses .. you have 2 Partners und 2 Secrets .. the BGP Config are 8 Lines ..and it´t absolutely the same as on the old cisco device.
Here can you find all FQDNs, XG is using for all modules.
many THX for the TIP .. that worked for me.
I can now ping every host which i have configured over this rule..
"set advanced-firewall sys-traffic-nat"
I can ping the registrary server for europe
i made an entry for licensing server / sophos.com / my mail server for status reports ..
But unfortanly i´m not able to register the first XG ...
We have 2 XG310 here for HA Pairing ...
I have preregistered both systems over my sophos partner account and both !! Systems appear under the correct customer Sophos ID
When i now start on the regsitration screen and put in the Mail Address of the Customer Sophos ID .. then come the message
"The Device is already registered "
If the Account is correct (yes it is ) i should only "synchronise the licence" over ADMINISTRATION LICENCING
But i can not synchronise because there ist only the link for the first time registration .. when i click it .. it ask for the sophos id ..
and again .. the device is already registered .
How can a manually force a licence sync over the console or SSH Shell ?? is there a way ??
Curious ... on the second XG .. the HA Partner .. all works fine .. i could login with the sophos ID .. then it also said that this device
is already registered but after next login .. the device war registered and i could perform HA Configuration for the second device.
The second device i configured with a lan port port of primary device as WAN .. so it was a standard network client and i got not the issues with
bgp .. we will build a Active Passive HA .. and switch cables if primary Sophos will fail ...
Seems to be an issue in the HA Setup.
The License is applied on Appliance A.
Appliance B has no license.
If you go to Appliance B and build up the HA or Appliance B was not able to sync while installation, this can cause this issue.
Would suggest to disable the HA and bridge the Appliance B via Appliance A to the Internet. Then enable the license and sync everything. And build up HA again.
If you disable HA, all Ports except Administration and HA Port will be disabled.
So you can use a Free Port on Appliance A and patch Appliance B there. Go the the Appliance B Webadmin, configure the free Port as WAN and Gateway is Appliance A.
Build a Policy on Appliance A to use the correct NAT.
And disable everything afterwards and enable HA again.
Sounds "complicated" - Is a 10 min work.
NO … i think it´s not an HA Failure .. because the Problem was prior to switch ON the second appliance. ( Hours ago)
and i could not make any HA Configuration on the first appliance .. because it is not registered :-)
The second appliance was connected as you described it.. and on this way it synced perfect.
Both Appliances are on the customer ID …
The First appliance with the BGP Config will ask for the Sophos ID .. and when i give the correct addres .. it say . Device is already registered .. you have to sync appliance ..
But i can not sync over the gui beacause there is only the "First Registration link active"
Look to the Screenshos.
I think it´s the same Problem we had Prior to contact the licensing Server and to make Connections from the appliance itself . .but now i Need some more IP´s from a
sync Server ??
Is there a way to use this command :
set advanced-firewall sys-traffic-nat add Destination
I could only put in single IP ´s there .. on which way i can say that all the traffic from the System itself ??