We are in the middle of a SD-WAN deployment. In our design we have branch offices with firewalls that connect into our SD-WAN vendors device. We connect to the SD-WAN device with a private IP of 10.255.x.x and it will route the traffic based on its network destination. Either to another branch location or up to a network based firewall.
What I am seeing with the Sophos devices is from the network based firewall side all traffic is coming from the Sophos IP that is connected to the SD-WAN device. This limits our ability to restrict internet destined traffic based on the underlying subnets in the branch location. So is there a way to turn off NAT and allow the internet destined traffic going to the network based firewall to see the underlying network?
This is a rough diagram
Sophos(10.255.x.2) -->SD-WANDevice(10.255.x.1)-->MPLS-->Networkbased Firewall or another Branch site.
One other question has been to take the firewall out of the equation all together. I am hesitant to do this because we still like the IDS\IPS and deep packet inspection of the firewall over using the SD-WAN device, which will only do stateless firewalling. Also, unknown to us the design does not have multipath capability to get out on the internet. Meaning if the MPLS circuit goes down, internet ceases to function. Meaning we will in a fail situation require internet destined traffic to go straight out the SD-WAN device.
Opinions on if we should chuck the firewalls and if there is a way to drop NAT?
This thread was automatically locked due to age.
