I have a doubt about how to achieve the same thing that could be done in the past with v17 and I'm struggling with v18
Basically, I have 2 WANs, one for everything and the other one for X special thing and cannot be used for anything else, so both have to be active and cannot be failed over between them. Also, an MPLS which connects to a remote office and if that fails, a Policy-based VPN that provides connectivity.
In v17 to achieve that, it would require
In v18 (from what I have seen) there's no option to only choose one WAN. What comes to my mind is:
The last one is the only possible solution that I have come to realistically doing. But what if I NEED Policy-Based VPN?
Any ideas how to achieve the same thing on v18 that could be done on v17? Any help is appreciated.
Hi Antonio Cienfuegos,
Thank you for reaching out to the Community!
I would request you to review the following recommended read: https://community.sophos.com/products/xg-firewall/f/recommended-reads/118888/sophos-xg-firewall-v18-how-to-choose-the-gateway-for-a-firewall-rule.
In reply to H_Patel:
Thanks for your answer, I just finished reading the article and according to it, it recommends the same thing that I stated in my points:
The problem with that is that in case the MPLS goes down, all traffic will go to the GW and break the VPN failover. If I switch the route precedence to have VPN first, it will never go through the MPLS unless I create a static route that takes precedence first, but I lose the ability to monitor the MPLS through PBR.
And using Linked NATs breaks the idea of decoupling NATs from rules, and even Sophos recommends using them only for migration purposes.
So, any ideas?
You can set the other interface as Backup. This is actually "0" in terms of load balancing. Backup interfaces will only be used in case of being called by some process, like PBR or a static route.
There are certain scenarios which are not perfectly reproducible right now, as you will mix different scenarios.
As Sophos tries to push the VTI Technology, it will help in this case.
The Policy based VPN routing options are limited as the Static option.
Wrote some points about this here:
As you could place the default route on Backup, you could actually rebuild most of this quite easily.