
V17 to V18 Migration - Specific Gateway

Hello,

 

I tested V18 this weekend for hours, and I'm sure I'm missing something for my actual rules from V17 to be the same on V18...

 

I watched the videos of NAT explained in V18, and read the KB, but I must be dumb, I don't know... and I can't figure out how to have the same thing on V18...

Here are screenshots of my V17 rules

First, this is the rule #1, with specific VLANs to access the Internet with specific services from specific gateway " WAN link load balance"

Second, this is the rule #15 with VLAN100 accessing the internet with all ports and all destinations, with specific gateway "ADSL"

 

Then, we can see that the #15 rule is at the top and will be evaluated first by the firewall rules, and the #1 is at the bottom.

 

I tried to do the same on V18, and tried to tweak the SD-WAN thing to use a specific gateway, but it routes all the traffic even if it is not internet traffic (i.e. VLAN 1 to VLAN 10 RDP is routed to the default internet gateway, which is dumb because this is internal traffic...)

So can someone explain to me the exact way to have the same 2 rules I had in V17 on V18?

Thank you.

Regards.



  • Viken,

    can you share the SD-WAN rules?

    To be honest I prefer the old method of choosing which gateway to use for each firewall rule. Now you need to move between 3 windows (Firewall, NAT and SD-WAN).

  • Luciano,

     

    I rolled back to 17.5.9 when I saw this was so different and I couldn't do the same things I've been doing on XG since 2016; I'm using and managing ~50 Sophos XG firewalls.

     

    I think I will create a lab VM, and will restore my v17.5.9 backup on it, then I will migrate it to v18, and I will take a screenshot of the SD-WAN rules to show you what I did yesterday on the production environment.

     

    And to be honest too, after the hours testing V18 with the 3 windows (Firewall rules, NAT and SD-WAN), I hated it, and I much prefer the V17 way to manage the firewall rules. But well...


    Thank you.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Ok Viken, let us know.

    NAT on XG v18- was not an Enterprise NAT at all, so the NAT tab was needed. The load balancing and gateway selection straight away on the Firewall rule was very useful and simple to use.

    I fully agree with this. And if you deal with SSL/TLS encryption, more windows are needed! The new features are nice but a better UI arrangement could be done.

  • Maybe i can help.

    Basic configuration: having one default SNAT rule (which the system generates for you) should be enough for basic configurations. If you want to DNAT / SNAT some specific stuff, you can create the rule if you want. You can delete all the other NAT rules after the migration to V18 (called Clean up). But it will work without any changes.

    Basic SD-WAN configuration: you could use WAN Link Manager for the basic configuration. Having two interfaces: Load Balance or Active - Backup interface can be chosen for all connections via WAN Link Manager. If you want to be more specific, you would create additional SD-WAN policies like: All Port 25 to Destination ANY through Gateway 1.

     

    You can do actually everything you want to. But, as Luk pointed out, currently you will have to do some additional work like creating a separate rule. There is some more work by Sophos in progress to get this process more straight forward. 


  • Hello and thank you for your help.

    The thing is that for my VoIP services,  the VLAN100 must pass from the ADSL gateway 24/7 with no failover ( rule #15)

    And my other vlans going to the internet with http, https, rdp and other ports, must use the wan link load balance with the "OTB_BPINFO" called gateway in active, and the ADSL in backup. (rule #1)

    I have many other rules, using only one or other gateway, with different combination of source IP, destination IP or FQDN, and services, and I think I have to create the rules on the SD-WAN panel but I don't understand how to use it.

    When I migrated from v17 to V18, the rules were automatically migrated into the rules, NAT, and SD-WAN panels, but I'm just trying to understand how to create new rules for future deployments which will use the same features as the ones I have now with specific gateways.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • I agree with you Viken.

    A test before moving the production from v17 to v18 is highly recommended.

    Let us know how your tests go.

    Thanks

    Actually, one of the priority one topics is to migrate every configuration to V18. So actually everything should continue to work after migration. But sometimes the configuration could be confusing.

     

    Rule 15 could be easily created in SD-WAN. You could work with the Interface or with the Source Network. 

    Do you know the destination Network? If so, you could use it in the SD-WAN Rule as well as Service. 


  • If the destination is "all internet" how can we configure that in the sd-wan?

     

    Because if we leave it on "any", it will use the SD-WAN route even if we want to go to an internal resource and not to the internet.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France
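The problem raised in the post above (a rule whose destination is "any" also catches VLAN-to-VLAN traffic) can be shown with a small first-match policy simulator. This is an added illustration, not Sophos code and not a description of the XG UI: the VLAN subnets are constructed, and the `internet_only` flag stands for the assumption that the rule is restricted to destinations outside RFC1918 space.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Constructed example subnets; the thread only names the VLANs, not their ranges.
VLAN1 = "192.168.1.0/24"
VLAN10 = "192.168.10.0/24"
VLAN100 = "192.168.100.0/24"   # VoIP VLAN that must always use ADSL
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class SdwanRule:
    name: str
    sources: List[str]            # source networks the rule applies to
    internet_only: bool           # True: skip RFC1918 destinations (assumed restriction)
    services: Optional[Set[int]]  # destination ports, None means all ports
    gateway: str

def is_internet(dst) -> bool:
    """Treat anything outside RFC1918 space as 'internet'."""
    return not any(dst in net for net in PRIVATE_NETS)

def select_gateway(rules: List[SdwanRule], src: str, dst: str, port: int) -> str:
    """First-match, top-down evaluation; 'default' means no SD-WAN rule applied."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if not any(s in ip_network(net) for net in rule.sources):
            continue
        if rule.internet_only and not is_internet(d):
            continue
        if rule.services is not None and port not in rule.services:
            continue
        return rule.gateway
    return "default"

def build_rules(internet_only: bool) -> List[SdwanRule]:
    """Rule #15 on top (VLAN100 -> ADSL), rule #1 below (other VLANs -> load balance)."""
    return [
        SdwanRule("rule15", [VLAN100], internet_only, None, "ADSL"),
        SdwanRule("rule1", [VLAN1, VLAN10], internet_only, {80, 443, 3389}, "WAN link load balance"),
    ]

RULES_ANY = build_rules(internet_only=False)       # destination 'any', as in the thread
RULES_INTERNET = build_rules(internet_only=True)   # destination limited to non-private space

if __name__ == "__main__":
    # VLAN1 -> VLAN10 RDP: with destination 'any', internal traffic lands on the WAN gateway
    print(select_gateway(RULES_ANY, "192.168.1.5", "192.168.10.5", 3389))
    print(select_gateway(RULES_INTERNET, "192.168.1.5", "192.168.10.5", 3389))
```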

    I have an XG135W and the scenario to restore it on a virtual machine is not compatible...

    So I'm unable to test it on a test environment...

    I noticed two other problems when I migrated to v18. The SFM (Sophos Firewall Manager) (latest version 17.1.2) could not manage the firewall in v18, even if we have downloaded the compatibility management pack. When we select the firewall, and click OK, nothing happens.

    And I'm monitoring my firewall with PRTG by SNMP, and using the same MIBs, the CPU and MEMORY monitoring doesn't work anymore, like there is a problem with the MIB or I don't know...

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • VikenNajarian said:

    And I'm monitoring my firewall with PRTG by SNMP, and using the same MIBs, the CPU and MEMORY monitoring doesn't work anymore, like there is a problem with the MIB or I don't know...

    This issue has been reported already on another thread. It seems that there are some bugs in the new MIB. I cannot find the thread...