How to configure firewall rule and NAT rule on XG v18

Disclaimer: This information is posted as-is and the content should be referenced at your own risk.

I hope this post provides a simple guide for configuring firewall rules and NAT rules for LAN-to-WAN, LAN-to-VPN, and WAN-to-DMZ traffic.

More technical details can be found at

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallRules.html

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallNATRules.html

https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18

LAN-to-WAN traffic

Network plan:

internal computers --- Port1 [XG] Port2 --- Internet

XG firewall Port1 connects to internal computers, and Port2 connects to Internet.

To allow internal computers to access the Internet:

1. Create a firewall rule to allow LAN-to-WAN traffic

  • Source zone: LAN, the zone where the internal computers are located
  • Source networks: Any, or a specific internal subnet
  • Destination zone: WAN
  • Destination networks: Any

2. Create a NAT rule to apply masquerading to LAN-to-WAN traffic

  • Original source: Any
  • Original destination: Any
  • SNAT: MASQ, or the preferred WAN IP for masquerading
  • Inbound interface: Any
  • Outbound interface: Port2, the XG firewall WAN interface

Note: I recommend setting "Outbound interface" to the WAN interface. If the outbound interface is set to "Any", the NAT rule will be applied to LAN-to-VPN (LAN-to-DMZ) traffic, and will stop LAN-to-VPN (LAN-to-DMZ) traffic.

LAN-to-VPN traffic

Network plan:

internal computers --- Port1 [XG] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network

XG firewall Port1 connects to internal computers, and Port2 connects to Internet.

To allow internal computers to access the remote VPN network, just create a LAN-to-VPN firewall rule:

  • Source zone: LAN
  • Source networks: 192.168.61.0/24, or any other local subnet configured in the site-to-site IPsec VPN
  • Destination zone: VPN
  • Destination networks: 192.168.61.0/24, or any other remote VPN subnet configured in the site-to-site IPsec VPN

You might need to create another firewall rule for VPN-to-LAN traffic. Please make sure there is no NAT rule applied to LAN-to-VPN traffic, unless NAT is necessary for the local VPN network to reach the remote VPN network.
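As an added illustration of the two NAT cautions in this guide (the note under LAN-to-WAN about "Outbound interface", and the reminder above that no NAT rule should touch LAN-to-VPN traffic), here is a small Python model of v18's decoupled firewall and NAT matching; it is example code written for this post, not Sophos code. The Port2 public IP 203.0.113.10, the remote VPN subnet 10.10.20.0/24, the host addresses, and the assumption that tunnel traffic has its own "ipsec" egress rather than Port2 are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WAN_IP = "203.0.113.10"          # constructed public IP of Port2
LOCAL_LAN = "192.168.61.0/24"    # local subnet used in the guide
REMOTE_VPN = "10.10.20.0/24"     # constructed remote VPN subnet

@dataclass
class Packet:
    src: str; dst: str; src_zone: str; dst_zone: str
    out_if: str  # egress chosen by routing: Port2, or "ipsec" for tunnel traffic (assumed)

@dataclass
class FirewallRule:
    src_zone: str; dst_zone: str
    src_nets: tuple; dst_nets: tuple  # CIDR strings, or ("Any",)

@dataclass
class NatRule:
    snat: str            # "MASQ" or a specific WAN IP
    out_if: str = "Any"  # "Any" or an interface name

def in_nets(addr, nets):
    return "Any" in nets or any(ip_address(addr) in ip_network(n) for n in nets)

def firewall_allows(pkt, rules):
    # Firewall rules are matched top-down; no match means the implicit drop.
    return any(pkt.src_zone == r.src_zone and pkt.dst_zone == r.dst_zone
               and in_nets(pkt.src, r.src_nets) and in_nets(pkt.dst, r.dst_nets)
               for r in rules)

def source_after_snat(pkt, nat_rules):
    # NAT is decoupled from the firewall verdict; the first matching NAT rule wins.
    for n in nat_rules:
        if n.out_if in ("Any", pkt.out_if):
            return WAN_IP if n.snat == "MASQ" else n.snat
    return pkt.src

def simulate(masq_out_if):
    """Source address each peer sees for a LAN-to-WAN and a LAN-to-VPN flow,
    given the MASQ rule's "Outbound interface" setting ("Any" or "Port2")."""
    fw = [FirewallRule("LAN", "WAN", ("Any",), ("Any",)),
          FirewallRule("LAN", "VPN", (LOCAL_LAN,), (REMOTE_VPN,))]
    nat = [NatRule("MASQ", masq_out_if)]
    flows = {"internet": Packet("192.168.61.10", "198.51.100.7", "LAN", "WAN", "Port2"),
             "vpn": Packet("192.168.61.10", "10.10.20.5", "LAN", "VPN", "ipsec")}
    return {name: source_after_snat(p, nat) if firewall_allows(p, fw) else "dropped"
            for name, p in flows.items()}
```

`simulate("Any")` reports the VPN flow leaving as 203.0.113.10, which no longer matches the local subnet configured in the tunnel, whereas `simulate("Port2")` leaves it at 192.168.61.10 while Internet traffic is still masqueraded.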

WAN-to-DMZ traffic

Network plan:

external users --- Internet --- Port2 [XG] Port1 --- internal Exchange server

External users need to access the HTTPS service on the internal Exchange server by visiting the XG firewall's public IP.

XG firewall Port2 connects to the Internet, and Port1 connects to the internal Exchange server.

To allow the DNAT access:

1. Create a firewall rule to allow WAN to internal Exchange server traffic

  • Source zone: WAN
  • Source networks: Any, or the specific IP addresses of all external users
  • Destination zone: DMZ, the zone where the internal Exchange server is located
  • Destination networks: the XG firewall public IP visited by external users; in this scenario, it is the IP address of WAN Port2
  • Services: HTTPS

2. Create a DNAT rule

  • Original source: Any, or the specific IP addresses of all external users
  • Original destination: the XG firewall public IP visited by external users; in this scenario, it is the IP address of WAN Port2
  • DNAT: IP address of the internal Exchange server

Enjoy