Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall rule for traffic from host or network

My Sophos XG 330 HA pair is at our co-lo, and is the single ingress / egress point for our private network.

We have ~ 20 locations connected via basically MPLS, and are starting to add secondary connections (cellular) at each site.

The cellular service terminates on provider-managed Adtran routers. If MPLS goes down, the Adtran pushes traffic over to the cellular interface.

Cellular is connected back to the MPLS network via IPSec / GRE in the providers data center (again, managed by provider).

 

When my locations fail over to cellular, I want to permit only necessary traffic (a few subnets and a few FQDNs), and I'd like to manage this as a rule on my XG 330.

 

It seems like for this to work the XG would need to be able to look at the route the traffic took instead of the source of the traffic.

I considered, and this feels dirty, asking the provider to set a specific DSCP value on all traffic passed through the cellular interface. The issue I see here is that I don't see a way to specify DSCP markings as part of the source criteria.

 

Will the XG 330 support what I want to do?

If so, what type of rule am I looking at?



This thread was automatically locked due to age.
Parents Reply Children
No Data