Multiple port Destination/Host Network: is it possible?

Hello everyone. I'm new to the Sophos Firewall structure, but there is something really simple that is making me scratch my head.

This is my scenario: there are 2 internet providers on Port2 and Port3 respectively, mainly used for failover purposes (when one is down the other must take over), and both have dynamic IP addresses.

When I set up a business rule to allow a user to access an internal server, I must choose a Destination/Host, and usually a single interface Port is chosen; therefore, only a single internet provider is used to make this connection to the internal server.

However, if the main internet provider fails, the user accessing from the outside will lose their connection, since they will always connect on that specific port (usually behind a Dynamic DNS). And since I can't use the same Dynamic DNS for both providers..?

Now my question: is there a way to configure both ports so that the server will always be available to the outside users regardless of whether internet provider #1 or #2 is active? The only way I thought it could be done is cloning all business rules and setting a different Port on each, but this seems... wrong... :(

What's your advice on this? Or should I rethink the way my users connect to the internal servers?

Thanks a lot!

  • Hi Mate,

    You made the correct configuration to clone the business rule you have. The hierarchy will determine whose public IP is the primary. The priority, or the first to be read, is on the TOP.

    Warm Regards, 

  • In reply to Deo Angelo Lim:

    Thanks for the reply Deo. But is this really the only way? I can't believe I can configure an IP list and an IP range but not 2 ports. :/

  • Hello,

    IP failover works only for network rules and not for business rules, which are DNAT rules. If the users connect to internal servers using an FQDN, you may check with your DNS service provider for an IP failover subscription package.

  • You can create a standard user/network Firewall Rule just for the server IP, service, or application you're using, from the Zone with the server to both WAN ports.

    If you want true failover, you need to have two XG Firewalls.  Attach one firewall to each Internet Provider.  Set them up the same way.  You can set one up and copy the configuration file of one firewall to the other.  Then you can link the two Firewalls together in the default active-active.  When they are both up, the network can use them equally.  If one fails, all traffic goes to the working firewall automatically.

    Once you have this working, you have two options for remote connections:

    1. You can use a third-party remote connector such as TeamViewer or GoToMeeting between the server and the outside client.  You must make sure the service/application can go through both firewalls.

    2. You can map an IP/port for the server connection (using the same rule on both firewalls).  Different techniques are available such as DMZ or a Firewall Rule just for the server IP, service, or application.