I have a behavior I don't know how to solve.
Your help will be really appreciated :).
My Sophos XG is the default gateway, DGXG (192.168.0.250), for my subnet LAN1. My LAN1 is deployed between 2 sites using a fibre.
DGXG is connected to the WAN1
I can connect to every device on LAN1.
On this LAN1 I have another gateway, ZXG (192.168.0.10), that is connected to another network, DMZ1.
From LAN1, if we want to reach DMZ1 we need to use ZXG.
I created one static route (and a policy route as well) on the XG firewall, but we cannot reach the servers on DMZ1.
To reach these servers I had to put a persistent route on the device in LAN1.
Do you have any idea what could be done to make it work as expected without adding a persistent route on the workstations?
Thanks for your help.
Best regards, Maxime
Why not remove all your routes and do it with a firewall rule? You must know the destination IP address range.
In reply to rfcat_vk:
Thanks for your response.
I did not try that one.
I know the destination subnet.
So you mean changing the primary gateway in the advanced setting of the firewall network rule?
Good idea, I will give it a try tomorrow.
Hello, I tried to do a firewall rule with a gateway, but this did not work either.
Do you have another idea?
Best Regards, Maxime
In reply to max.mo:
Either method mentioned should work; however, each gateway or device needs to know the routes on each end.
I did this while migrating to Sophos from Sonicwall.
Maybe I am missing something, can you sketch it out?
Where does your rule sit in the list of rules?
Please post a copy of your rule.
Which firewall rule is blocking the traffic?
My rule is at the very top of the list and there is no blocked traffic:
There were hits on the rule:
The other gateway device is a SonicWall. We replaced one SonicWall with a Sophos, but there is still one SonicWall on the other side.
I will try to sketch it out today.
Maybe it was blocked by XG as an asymmetric route.
Traffic that passes through XG in only one direction will be blocked as an asymmetric route.
If you can't change the network structure, you may bypass asymmetric routing on XG with the following commands (one per direction).
set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.0.0 source_netmask 255.255.255.0 dest_network 192.168.X.0 dest_netmask 255.255.255.0
set advanced-firewall bypass-stateful-firewall-config add source_network 192.168.X.0 source_netmask 255.255.255.0 dest_network 192.168.0.0 dest_netmask 255.255.255.0
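To see why the one-way path through XG gets dropped, here is a small model of a stateful firewall, written as an added example for this thread (it is not Sophos code and does not reproduce XG's real connection-tracking engine). The client's SYN goes LAN1 -> XG -> ZXG -> DMZ1, but the SYN-ACK comes back DMZ1 -> ZXG -> client directly, so XG never sees it; the client's next ACK then arrives at XG in a state XG has no record of and is dropped as invalid. A bypass list keyed on (source network, destination network), like the commands above, skips the state check for exactly that pair of subnets. The addresses are constructed; 192.168.10.0/24 stands in for the thread's 192.168.X.0 placeholder.

```python
"""Toy stateful firewall: why asymmetric TCP flows are dropped, and how a
per-subnet bypass list restores forwarding. Added example, not Sophos code."""
import ipaddress
from dataclasses import dataclass, field

LAN1 = ipaddress.ip_network("192.168.0.0/24")    # from the thread
DMZ1 = ipaddress.ip_network("192.168.10.0/24")   # constructed stand-in for 192.168.X.0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


@dataclass
class StatefulFirewall:
    # (source network, destination network) pairs exempt from state tracking,
    # mirroring bypass-stateful-firewall-config entries
    bypass: list = field(default_factory=list)
    table: dict = field(default_factory=dict)   # 4-tuple flow key -> TCP state
    log: list = field(default_factory=list)

    def _bypassed(self, pkt):
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(s in sn and d in dn for sn, dn in self.bypass)

    def handle(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        if self._bypassed(pkt):
            self.log.append(f"BYPASS {pkt.src}->{pkt.dst} {pkt.flags}")
            return True
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server key
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # the same flow seen from the server
        if pkt.flags == "S" and fwd not in self.table and rev not in self.table:
            self.table[fwd] = "SYN_SENT"              # new connection, remember it
            ok = True
        elif pkt.flags == "SA" and self.table.get(rev) == "SYN_SENT":
            self.table[rev] = "SYN_RECV"              # server answered through us
            ok = True
        elif pkt.flags == "A" and self.table.get(fwd) == "SYN_RECV":
            self.table[fwd] = "ESTABLISHED"           # handshake completed through us
            ok = True
        elif pkt.flags == "A" and "ESTABLISHED" in (self.table.get(fwd), self.table.get(rev)):
            ok = True                                 # data/ack on a known connection
        else:
            ok = False  # does not fit any tracked state: invalid, dropped
        self.log.append(f"{'PASS' if ok else 'DROP'} {pkt.src}->{pkt.dst} {pkt.flags}")
        return ok


def lan_dmz_bypass():
    """Both directions, like the two CLI commands in the post above."""
    return [(LAN1, DMZ1), (DMZ1, LAN1)]


def symmetric_flow(fw):
    """Both directions traverse the firewall: a normal handshake."""
    return [fw.handle(Packet("192.168.0.20", "192.168.10.5", 40000, 443, "S")),
            fw.handle(Packet("192.168.10.5", "192.168.0.20", 443, 40000, "SA")),
            fw.handle(Packet("192.168.0.20", "192.168.10.5", 40000, 443, "A"))]


def asymmetric_flow(fw):
    """The SYN-ACK returns via the other gateway (ZXG) and never reaches this firewall,
    so the only packets it sees are the client's SYN and the client's final ACK."""
    return [fw.handle(Packet("192.168.0.20", "192.168.10.5", 40000, 443, "S")),
            fw.handle(Packet("192.168.0.20", "192.168.10.5", 40000, 443, "A"))]


def demo():
    """Summarise the three scenarios as forwarded/dropped lists."""
    return {
        "symmetric": symmetric_flow(StatefulFirewall()),              # [True, True, True]
        "asymmetric": asymmetric_flow(StatefulFirewall()),            # [True, False]
        "asymmetric_with_bypass": asymmetric_flow(StatefulFirewall(bypass=lan_dmz_bypass())),  # [True, True]
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second scenario is the thread's symptom: the first packet is allowed and the rule shows hits, yet the connection never completes. The bypass makes it work, but note what it costs: for the two subnets listed, the firewall no longer tracks connection state at all, so any rule relying on that state no longer applies to LAN1/DMZ1 traffic. Making the path symmetric (routing DMZ1 returns back through XG, or pointing clients at ZXG for DMZ1 as the persistent-route workaround did) keeps inspection intact.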
In reply to ShunzeLee:
Thanks a lot !
I completed your post with https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/79041/troubleshooting-guide-for-xg.
I think it solved my case.
I need to do more tests to be sure :)
I hope that works for you, but I would have thought a MASQ on your outgoing gateway is required?
I can confirm that worked perfectly.
No need to use a MASQ.
Enjoy your weekend.