Some confusion about the new sdwan routing feature...

Hi,

first of all, the migration from 17.5 to 18EAP1 works great. The complete system runs like before, but...

I have a lot of firewall rules, because I'm still testing SFOS for my UTM customers at my site. After migration there are a lot of new NAT and SD-WAN routing rules linked with the original firewall rules, but I can't go from an SD-WAN rule to the corresponding firewall rule and vice versa.

1. Please make a "usable" (clickable) link to reach the corresponding rules (FW, NAT, SD-WAN). You call it a linked rule, so it should be linked.

2. The migrated SD-WAN rules all have "Override gateway monitoring decision" activated, which means that if the primary gateway is down, all traffic will be lost in a black hole. Please don't do this!

3. SFOS is a zone-based firewall. On all SD-WAN routes I have to choose an incoming interface. If I want all "ssh+webadmin" traffic to go over my static IP, I have to add an SD-WAN route for every incoming interface. I have customers with more than 30 VLAN interfaces + 40 REDs, so I need 70 SD-WAN rules? You're kidding!

4. What about the proxy traffic (system-generated traffic)? Which incoming interface should I use?

And, by the way:

5. I miss the "internet" object for selecting the traffic not in the routing table.

6. I need to disable/enable interfaces without deleting them.

7. Working with interfaces is a pain! On UTM I could move the interface configuration from a 1GbE port to 10GbE or a LAG, or make it a VLAN interface, all with only a small downtime.

Most of my (UTM) customers have more than one internet connection and a lot of internal interfaces (LAG, bridge, VLAN etc.). Interface handling and routing is still not at UTM level.

 

Have a nice day!

 

Christian

(UTM + XG Architect, UTM Support Engineer)

  • Hi Christian,

     

    What I can say is that SD-WAN PBR is not finished right now.

    See "What's new": https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-xg-firewall-key-new-features.pdf?cmp=26058

    EAP1 contains:

    SD-WAN Policy-based Routing Enhancements: Policy-based routing gains added SD-WAN flexibility and more granular control. Routing can be defined through either the primary or a backup gateway WAN connection and can be configured for reply direction. Additionally, routing decisions are now decoupled from firewall rules and merged with SD-WAN policy-based routes, enabling more powerful and flexible configuration options in policy routes.

     

    EAP3 contains:

    SD-WAN Application Routing and Synchronized SD-WAN: Optimized application routing and path selection is often an important objective in SD-WAN implementations, to ensure important business applications are routed over preferred WAN links. This release adds user and group application-based traffic selection criteria to XG Firewall's SD-WAN routing configuration. Synchronized SD-WAN, a new Sophos Synchronized Security feature, offers additional benefits with SD-WAN application routing. Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications, and now these previously unidentified applications can also be added to SD-WAN routing policies. This provides a level of application routing control and reliability that other firewalls can't match.

     

    Maybe  can give more insights about EAP3 changes. 

  • Christian,

    I support most of your concerns regarding SFOS v18! I'm glad to see you're facing similar issues, and hope that most of them will be resolved by the time we have v18 GA.

    1. Great suggestion!

    2. You probably noticed that those migrated SDWAN rules are supposed to be temporary for the upgrade path, but nothing you can actually create yourself later on. I started converting all of them into actual SDWAN rules and then deleting the migrated ones as they're bound to the firewall rules directly. BUT this also leads to the issue you described in 3.

    3. I agree that the selectors are not sufficient! I also have an outbound rule for managing my clients remotely, using my static IP uplink rather than the dynamic one, which is the default for everything else. I actually used "United States" as the destination network, which sort of does what you want in 5 ... unless your destinations are all over the world. None of the fields in SD-WAN rules are required, so you can leave the interface and the source network blank to apply to all traffic. BUT this also creates a HUGE risk of messing up the entire firewall to the point of being unusable and not even letting you manage it. I did this yesterday:

    My goal was to force all regular traffic out the dynamic ISP interface so the firewall doesn't do any round-robin stuff with the 2nd interface, which I just use for certain traffic via a static IP. I created a rule with no selectors, then chose the gateway I wanted. BAD BAD BAD! That means even firewall-generated traffic is included and EVERYTHING is routed out that gateway. I couldn't even manage the XG anymore. I had to console in, make a static route from the advanced shell and change the routing priority to get back in and delete the rule. What a pain! There's no SD-WAN route management in the console of the XG!

    4. Good question, I don't think there's a way to select this with the current setup.

    5. Agreed! How do we select internet traffic that's bound to an uplink interface?

    6. Agreed! Long needed simple feature. Any other network device lets you enable and disable ports.

    7. Agreed! we need to be able to just change the hardware interface for an existing interface configuration. That also goes for Bridge interfaces. I want to be able to remove a bridge by just unchecking all interfaces but one and have it put the config on that one remaining physical NIC.

     

    Here are some of my other questions / concerns:

    1. It might be useful to have some sort of check / requirements on SDWAN route selectors because it's too easy to break the entire firewall.

    2. SD-WAN routes need to be added to the console menu or command line so things can be configured, or at least enabled/disabled, from there.

    3. I'd like to see a clear guide of how the XG makes its packet forwarding decision. What order do all these new things get applied in? I mean, I mostly get it, but others will likely not, as the entire concept has been changed over previous versions. This includes: firewall rules, NAT rules, SD-WAN policies, VPN routes, static routes, gateway routes.

    4. I also saw somewhere that you can do route based VPNs now? I don't really see any options for this. Wouldn't that require a tunnel interface that can be defined on each VPN? Maybe it's not part of the EAP yet...

     

  • In reply to Bjoern Freiherr:

    By the way, I found another issue with SD-WAN routing in EAP1:

    If i build a rule:

    Incoming IF: Internal

    Dest: Any

    Primary GW: Router 1

    Backup GW: Router 2

    so all traffic is routed through Router 1, but I can't reach the Transit 2 network or Router 2.

    If Provider 1 is offline, I can't reach Router 1 to check what the problem is.

    So the "INTERNET" object would be very very helpful.

     

    Christian

     

  • In reply to Christian Sievers:

    And by the way:

    • There should be the possibility to switch SD-WAN routes on and off.
    • Routes are applied in order from top to bottom, but I can't see or define the rule number during creation.

    Why invent the wheel again? Look at the SG:

    • Build the rule with a number or top/bottom placement.
    • The rule is applied, but turned off, and must be turned on by the admin.
    • Make a "real" object selection window with a substring search option. I only see 5 of 200 objects and have to scroll like a monkey to select a network object. I don't need drag and drop for rule order, I need drag and drop for network objects!

     

    Christian

  • In reply to Christian Sievers:

    All good observations, I hope someone from Sophos is reading this too ;)

     

    In the meantime, what I've done on my end for the missing "Internet" object:

    Create a country group and simply add all countries into it, call it "Internet" or "All Countries" and apply it to your SD WAN rules. Seems to work for me.

     

    I had a similar issue to yours before I did this, where I couldn't even get traffic crossing between two LANs because the SD-WAN rule would always send it out the WAN interface. Now that's no longer an issue, luckily.
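The two failure modes discussed in this thread (Christian's "Incoming IF: Internal, Dest: Any" rule that swallows traffic to the Transit 2 network, and Bjoern's selector-less rule that also captured firewall-generated traffic, plus the blackhole Christian describes for "Override gateway monitoring decision") all come from the same mechanic: SD-WAN rules are evaluated top-down and the first match decides the gateway before the routing table is consulted. The following is an added illustrative model written for this page; it is not SFOS code and does not claim to reproduce Sophos' actual implementation. The addresses (10.10.0.0/24, 192.0.2.0/30, 198.51.100.0/30, 203.0.113.10), interface names and rule names are constructed, and the "Internet" object is derived here as 0.0.0.0/0 minus every directly connected network, which is the object Christian asks for and the effect Bjoern approximates with an all-countries group.

```python
"""Toy model of top-down SD-WAN policy-based routing (added example, not SFOS code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import NamedTuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Gateway:
    name: str
    up: bool = True  # result of gateway monitoring (assumption: a simple up/down flag)


@dataclass
class SdwanRule:
    name: str
    primary: Gateway
    backup: Gateway | None = None
    in_iface: str | None = None           # None = any interface, including locally generated traffic
    dst: list[IPv4Net] | None = None      # None = "Any"
    override_gw_monitoring: bool = False  # keep using the primary even when monitoring reports it down
    enabled: bool = True


class Decision(NamedTuple):
    gateway: str      # chosen gateway, or "routing-table" when no rule matched
    rule: str | None  # name of the matching rule, None for a plain route lookup
    delivered: bool   # False when packets are sent to a gateway that is down (black hole)


# Constructed routing table of a two-uplink firewall: LAN plus two transit networks.
CONNECTED = {
    "LAN": IPv4Net("10.10.0.0/24"),
    "Transit1": IPv4Net("192.0.2.0/30"),     # Router 1 = 192.0.2.1 (assumed)
    "Transit2": IPv4Net("198.51.100.0/30"),  # Router 2 = 198.51.100.1 (assumed)
}


def internet_object(connected=CONNECTED) -> list[IPv4Net]:
    """'Internet' = 0.0.0.0/0 minus every directly connected network (hypothetical object)."""
    pieces = [IPv4Net("0.0.0.0/0")]
    for net in connected.values():
        pieces = [p for piece in pieces
                  for p in (piece.address_exclude(net) if net.subnet_of(piece) else [piece])]
    return pieces


def select_gateway(rules: list[SdwanRule], in_iface: str, dst: str) -> Decision:
    """First enabled rule whose selectors all match wins; no match falls back to normal routing."""
    ip = ipaddress.ip_address(dst)
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.in_iface is not None and rule.in_iface != in_iface:
            continue
        if rule.dst is not None and not any(ip in net for net in rule.dst):
            continue
        if rule.primary.up:
            return Decision(rule.primary.name, rule.name, True)
        if rule.override_gw_monitoring:
            # monitoring result is ignored: packets still go to the dead primary
            return Decision(rule.primary.name, rule.name, False)
        if rule.backup is not None and rule.backup.up:
            return Decision(rule.backup.name, rule.name, True)
        return Decision(rule.primary.name, rule.name, False)
    return Decision("routing-table", None, True)


def demo_scenarios() -> dict[str, Decision]:
    """Replay the thread's four situations and return the routing decision for each."""
    r1, r2 = Gateway("Router 1"), Gateway("Router 2")
    router2_ip = "198.51.100.1"
    any_rule = SdwanRule("all via R1", r1, r2, in_iface="Internal")  # Dest: Any
    inet_rule = SdwanRule("internet via R1", r1, r2, in_iface="Internal", dst=internet_object())
    blank_rule = SdwanRule("no selectors", r1)  # no interface, no destination: matches everything

    out: dict[str, Decision] = {}
    # 1. Dest "Any": Router 2's own transit network is captured and sent to Router 1
    out["any_to_router2"] = select_gateway([any_rule], "Internal", router2_ip)
    # 2. "Internet" object: the transit network falls through to the routing table
    out["inet_to_router2"] = select_gateway([inet_rule], "Internal", router2_ip)
    out["inet_to_public"] = select_gateway([inet_rule], "Internal", "203.0.113.10")
    # 3. Selector-less rule also grabs locally generated (proxy/management) traffic
    out["blank_local"] = select_gateway([blank_rule], "local", "203.0.113.10")
    # 4. Primary down: override keeps traffic on the dead gateway, otherwise the backup is used
    r1_down = Gateway("Router 1", up=False)
    migrated = SdwanRule("migrated", r1_down, r2, override_gw_monitoring=True)
    fixed = SdwanRule("fixed", r1_down, r2)
    out["override"] = select_gateway([migrated], "Internal", "203.0.113.10")
    out["failover"] = select_gateway([fixed], "Internal", "203.0.113.10")
    return out


if __name__ == "__main__":
    for name, d in demo_scenarios().items():
        print(f"{name:16} -> {d.gateway:14} rule={d.rule} delivered={d.delivered}")
```

Running the script shows "any_to_router2" and "blank_local" landing on Router 1, while "inet_to_router2" falls through to the routing table and "override" is marked as not delivered. The practical check this suggests before saving an SD-WAN rule: walk the connected and static networks through the rule's selectors and confirm none of them match, and confirm that "Override gateway monitoring decision" is off unless a dead primary is really what you want.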