I upgraded to SFOS 18.0.0 GA-Build354 yesterday morning.
Under SFOS 18.0.0 GA-Build339 SD-WAN policies worked fairly well, sending traffic through specific interfaces based on subnet, user, etc.
However, since I upgraded, the vast majority of traffic is going to the Active WAN-link. Very little traffic is going to the Backup link, even though the policy specifies to use it for certain source addresses.
Anyone else seeing this?
Quick update: I changed the type of my secondary WAN-link from "backup" to "active" and I'm suddenly seeing traffic going to it.
Can the SD-WAN policies not send traffic to a backup link?
In reply to Arie:
I did not test it in Build 354, but there are no changes at all to SD-WAN. So assuming there is no change, it should not have changed in the working process.
Could you recover the old status with Backup Interface and show us your Sd-WAN Policy as a Screenshot?
Please take a look at the Gateway as well - Is it online?
In reply to LuCar Toni:
I'll try to find some time over the weekend to revert.
Yes - both gateways are shown as "up".
I'm still wondering whether the SD-WAN policies will send traffic to a WAN-link that's been set to "backup" instead of "active".
On a related note, I've noticed that the log page often doesn't show the outgoing port. Is this intentional?
Should be - I am pretty sure, it does.
Based on your reply I have done some more digging. Turns out that my system shows ports only for connections that use a specific NAT-rule.
I haven't touched my NAT-rules after upgrading from v17, aside from a couple that I created when I cloned some FW-rules. Guess I'll need to take a look at my NAT-rules.
Please be careful: SNAT will only be applied after the routing decision is already made. So basically XG looks at the SD-WAN routing table, chooses a rule, goes to the NAT table and takes the specific SNAT rule matching the traffic.
Do you have a migrated SD-WAN rule or not?
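The order described in the reply above (SD-WAN policy picks the gateway first, SNAT is matched only afterwards against the already-chosen outbound interface) can be modelled in a few lines. The following is an added illustration, not Sophos code and not a description of the firewall's internals; the rule fields, the gateway names, the subnets and the "skip a rule whose gateway is down" behaviour are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model objects (assumptions, not SFOS data structures).
@dataclass
class Gateway:
    name: str
    interface: str
    up: bool = True

@dataclass
class SdwanRule:
    name: str
    src_nets: List[ipaddress.IPv4Network]
    gateway: Gateway

@dataclass
class SnatRule:
    name: str
    out_interface: str
    snat_ip: str

@dataclass
class Decision:
    sdwan_rule: Optional[str]
    gateway: str
    out_interface: str
    snat_rule: Optional[str]  # None models "no NAT rule matched, nothing logged"
    snat_ip: Optional[str]

def pick_route(src_ip: str, rules: List[SdwanRule], default_gw: Gateway):
    """Step 1: first SD-WAN rule whose source network matches and whose gateway is up.
    Falls back to the default gateway when nothing matches (assumption for the model)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.gateway.up and any(ip in net for net in rule.src_nets):
            return rule.name, rule.gateway
    return None, default_gw

def pick_snat(out_interface: str, snat_rules: List[SnatRule]) -> Optional[SnatRule]:
    """Step 2: SNAT is looked up only after routing, keyed on the chosen outbound interface."""
    for snat in snat_rules:
        if snat.out_interface == out_interface:
            return snat
    return None

def process(src_ip: str, rules, snat_rules, default_gw) -> Decision:
    rule_name, gw = pick_route(src_ip, rules, default_gw)
    snat = pick_snat(gw.interface, snat_rules)
    return Decision(rule_name, gw.name, gw.interface,
                    snat.name if snat else None, snat.snat_ip if snat else None)

# Constructed sample configuration.
PRIMARY = Gateway("WAN-primary", "Port2")
SECONDARY = Gateway("WAN-secondary", "Port3")
SDWAN_RULES = [
    SdwanRule("Branch-via-secondary", [ipaddress.ip_network("10.0.2.0/24")], SECONDARY),
]
# Note: there is deliberately no SNAT rule for Port3, so traffic routed there
# gets no NAT rule attached, which is the situation where the log shows no port.
SNAT_RULES = [
    SnatRule("MASQ-Port2", "Port2", "198.51.100.10"),
]

def demo(src_ip: str) -> Decision:
    return process(src_ip, SDWAN_RULES, SNAT_RULES, PRIMARY)

if __name__ == "__main__":
    for ip in ("10.0.2.5", "10.0.1.5"):
        print(ip, demo(ip))
```

The point to take away is that adding or changing an SNAT rule cannot move traffic to another link: the interface is fixed by the SD-WAN rule before the NAT table is consulted, so a missing SNAT rule on the secondary link only changes what gets logged and translated, not where the packet goes.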
It's possible that SD-WAN was migrated from v17, but I'm not certain. Is there a way to tell?
I do have a lot of NAT-rules that resulted from the migration.
You will see an SD-WAN rule for each migrated NAT, which will be a linked NAT. You cannot edit the migrated SD-WAN rules, only delete them.
In reply to rfcat_vk:
Just to correct the statement.
You will see migrated SD-WAN Rules for each Firewall rule, which had a selected Gateway.
Those rules can act differently from a self-created SD-WAN rule.
Sophos put some effort to improve the docs.sophos.com page.