Need some ESX XG setup guidance regarding networking

Hi, I am new to XG, having been a long time SG user, and due to problems getting XG to install on the old SG box bare metal, I have installed it on a new ESX 6.7 box I set up.

I need some guidance from someone who already has XG running on ESX regarding how to set up the virtual networking.

My ESX box has 5 NICs: the onboard NIC and a 4-port Intel NIC card.

I am hoping that someone who has a similar setup can tell me (or better, show me with screenshots) how they have the vSwitches and port groups set up for their XG VM, and how this is configured in XG to make use of this network setup. I would like to use all 4 ports of the NIC card as a switch to XG, so I can dedicate certain ports to different subnets, same as I had it on SG.

Thanks in advance to whoever can guide me on this.

  • As far as I know, you can basically use the same VMware / ESXi configuration for both platforms.

    There should not be any difference.

    Did you already download / import the ESX template?

    There is documentation about this:

    https://docs.sophos.com/nsg/sophos-firewall/v16057/PDF/Sophos%20Firewall%20Virtual%20Appliance%20Getting%20Started%20Guide.pdf

    Also important to know: for activation, you should use Port1 as LAN (172.16.16.16) and Port2 as WAN.

  • I have to resurrect this thread, sorry.

    I'm missing some best practices in implementing Sophos XG with regards to what is asked above. What happened was that my use case was to use it as a proxy, not a firewall (as I already have a physical firewall). However, when I implemented it, ALL my other VM traffic went through Sophos, which isn't what I wanted.

    I am assuming that for a "good" implementation I would need to separate the WAN and LAN ports into different VLANs? Or different vSwitches at a minimum?

  • In reply to Alex Tien:

    Best practices are hard to achieve in VMs because basically everybody has different setups.

    And everything is different per hypervisor.

    How should XG scan / act as a proxy? Direct? So the client uses a WPAD (PAC) to reach XG?

    Or default gateway? In this scenario, all traffic will reach XG.

  • In reply to LuCar Toni:

    Hi,

    I planned XG to act as a reverse proxy, so from the outside the servers would only know the proxy IP. However, when I deployed this model I had an unexpected side effect: all my VM traffic went through the proxy and was blocked (since there were no FW rules set up). That's why I'm looking to see if any configuration guide exists for VMware.

    Note: the WAN and LAN ports were in the same subnet. This is the normal setup for load balancer/proxy configurations, but I guess it doesn't work for a Firewall/WAF/Proxy combo.

  • In reply to Alex Tien:

    Alex,

    As an explicit proxy, you only need the LAN interface. Did you configure XG in routing mode or bridge mode?

    Is the XG on a dedicated vSwitch or with the other machines?

  • In reply to lferrara:

    Hi,

    The vendor told me WAN and LAN have to be running. It was initially configured in bridged mode and I got MAC address flapping. Now it's configured in routing mode but I still have FW denial issues.

    It's currently configured in the same vDS with other machines because there are no best practice guides. I am seriously considering deploying another vDS and VLAN for the XG FW.

  • In reply to Alex Tien:

    Alex,

    I never tried to use XG as an explicit proxy on VMware, but theoretically you need only one NIC, the LAN port.

    Once the LAN is up and the default gateway on the LAN is configured, configure the DNS on XG and you should be able to update XG patterns and register the license.

    Configure XG as explicit proxy and you are ready to go. These are the steps that I would perform.

  • In reply to lferrara:

    Thanks! I will try this.
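As an added example (not from the thread, Sophos or VMware documentation), this ESXi shell script lays out one standard vSwitch per physical uplink of the 4-port card from the question, so each XG interface sits on its own L2 segment and other VMs only pass through XG if their vNIC is deliberately attached to the XG-LAN port group. The vSwitch, port-group and vmnic names are assumptions; the host's real vmnic numbering is whatever `esxcli network nic list` reports.

```shell
#!/bin/sh
# Added example (not from the thread): one standard vSwitch per physical uplink
# on an ESXi host, so each XG interface gets its own L2 segment. Other VMs stay
# off the XG path unless their vNIC is placed on XG-LAN on purpose.
# ESXI_DRY_RUN=1 prints the esxcli commands instead of running them.

run() {
  if [ "${ESXI_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_segment <vswitch> <vmnic> <portgroup> [vlan-id]
# A vSwitch with exactly one uplink and one port group. Names are assumed;
# the vmnic numbers are whatever `esxcli network nic list` shows on the host.
create_segment() {
  vsw=$1; nic=$2; pg=$3; vlan=${4:-0}
  run esxcli network vswitch standard add --vswitch-name="$vsw"
  run esxcli network vswitch standard uplink add --uplink-name="$nic" --vswitch-name="$vsw"
  run esxcli network vswitch standard portgroup add --portgroup-name="$pg" --vswitch-name="$vsw"
  # VLAN 0 = untagged. A non-zero id tags the port group, which is the
  # "different VLANs" option raised in the thread when a trunk feeds the uplink.
  run esxcli network vswitch standard portgroup set --portgroup-name="$pg" --vlan-id="$vlan"
}

# The four-port card from the question, one segment per port. Port1 = LAN
# (172.16.16.16 for activation) and Port2 = WAN as in the first reply; the
# other two ports are spare segments for further subnets (assumed names).
xg_layout() {
  create_segment vSwitch-XG-LAN vmnic1 XG-LAN 0
  create_segment vSwitch-XG-WAN vmnic2 XG-WAN 0
  create_segment vSwitch-XG-DMZ vmnic3 XG-DMZ 0
  create_segment vSwitch-XG-AUX vmnic4 XG-AUX 0
}
```

Review the plan first with `ESXI_DRY_RUN=1` before calling `xg_layout` on the host; attaching each XG vNIC (Port1 to Port4) to its XG-* port group is still done in the VM's hardware settings.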