
V17 to V18 Migration - Specific Gateway

Hello,

 

I tested V18 this weekend for hours, and I'm sure I'm missing something to make my current rules from V17 behave the same on V18...

I watched the videos explaining NAT in V18 and read the KB, but I must be dumb, I don't know... I can't figure out how to have the same thing on V18...

Here are screenshots of my V17 rules

First, this is rule #1, with specific VLANs accessing the Internet with specific services via the specific gateway "WAN link load balance".

Second, this is rule #15, with VLAN100 accessing the Internet on all ports and all destinations, via the specific gateway "ADSL".

 

Then we can see that rule #15 is at the top and will be evaluated first by the firewall, and rule #1 is at the bottom.

I tried to do the same on V18, and tried to tweak the SD-WAN thing to use a specific gateway, but it routes all the traffic even when it is not Internet traffic (i.e. VLAN 1 to VLAN 10 RDP is routed to the default Internet gateway, which is dumb because this is internal traffic...).

So can someone explain to me the exact way to have the same 2 rules I had in V17 on V18?

Thank you.

Regards.



  • I tried that too, but then suddenly I couldn't reach many internal servers because it wanted to direct all of the traffic (including internal) to the outside.

    I think the problem is that new SD-WAN rules cannot be linked to a firewall rule, as was the case with the migrated SD-WAN rules.

    I have to test even more next weekend; I am now back on 17.5.9 and everything went as it should.

  • Yes, this is the exact same problem I have!!!

    The migrated SD-WAN rules work well, because they are linked to firewall rules.

    And when we create new SD-WAN rules, we cannot link them to firewall rules, and when we try to reach internal servers the traffic is redirected to the outside instead of going to the internal servers!!!

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Changing the Routing Precedence to Static - VPN - SD-WAN will resolve your issues.

    https://community.sophos.com/kb/en-us/123610

    console> system route_precedence set static vpn sdwan_policyroute
    console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. VPN routes
    3. SD-WAN policy routes

     

    Let me put some more context into this answer. 

    (The online help is getting some updates about this as well.)

    There are basically three different routing modules that can take effect: Static Routing (static routes, OSPF, BGP), VPN Routing (policy-based IPsec), and SD-WAN Routing.

    If your current settings are "PBR, Static, VPN", XG will use the matching PBR and route the traffic no matter what.

    Because you are using ANY in certain scenarios, this could lead to issues.

    For example, you want to route all Internet traffic of Host A to Gateway 1. You will choose ANY for Destination.

    This route will be applied to traffic for ANY destination, even internal traffic.

    This can be resolved by using Static Routing as the first selector. Static Routing will cover the internal traffic, and everything internal will be handled as usual.

    If Host A now reaches something that cannot be resolved by static routing, PBR routing will be asked to look for a route.

    Therefore PBR will be used for ANY.

    This kind of information is currently in development for the Online Help to give a smooth transition.

     

    Hope it helps. 

    __________________________________________________________________________________________________________________
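The precedence behaviour described in the answer above, modelled as an added Python example (this is not Sophos code and not posted by anyone in the thread): three lookup modules consulted in a configurable order, with the WAN default gateway as the last resort, so that an SD-WAN rule with destination ANY either swallows internal traffic or not depending purely on the order. The addresses 192.168.1.250, 192.168.169.251, 172.16.16.254 and the gateway name "ADSL" come from the thread; the interface names, the branch subnet 192.168.50.0/24, the tunnel name and the destination 203.0.113.10 are constructed for illustration.

```python
# Added example (not Sophos code): a simplified model of SFOS v18 routing precedence.
# Topology, interface/tunnel names and the branch subnet are constructed assumptions;
# 192.168.1.250, 192.168.169.251, 172.16.16.254 and "ADSL" come from the thread.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class StaticRoute:          # connected (interface) routes and configured static routes
    dest: str
    via: str                # interface name or next hop


@dataclass(frozen=True)
class VpnRoute:             # traffic selector of a policy-based IPsec tunnel
    local: str
    remote: str
    tunnel: str


@dataclass(frozen=True)
class SdwanRule:            # SD-WAN policy route: evaluated top-down, first match wins
    name: str
    src: str                # network or ANY
    dst: str                # network or ANY
    service: str            # e.g. "tcp/3389" or ANY
    gateway: str


def _in(selector: str, addr: str) -> bool:
    return selector == ANY or ip_address(addr) in ip_network(selector)


def lookup_static(routes, pkt) -> Optional[str]:
    # Longest prefix match. The WAN default gateway is deliberately NOT a static
    # route here: it is modelled as the last-resort fallback, so "nothing static
    # matched" can hand the packet on to VPN / SD-WAN, as the answer describes.
    best = None
    for r in routes:
        if _in(r.dest, pkt["dst"]) and (
            best is None or ip_network(r.dest).prefixlen > ip_network(best.dest).prefixlen
        ):
            best = r
    return best.via if best else None


def lookup_vpn(routes, pkt) -> Optional[str]:
    for r in routes:
        if _in(r.local, pkt["src"]) and _in(r.remote, pkt["dst"]):
            return r.tunnel
    return None


def lookup_sdwan(rules, pkt) -> Optional[str]:
    for r in rules:
        if _in(r.src, pkt["src"]) and _in(r.dst, pkt["dst"]) and r.service in (ANY, pkt["service"]):
            return r.gateway
    return None


def route(pkt, precedence: Sequence[str], static, vpn, sdwan, default_gw: str) -> Tuple[str, str]:
    """Consult the three modules in the configured order; the first decision wins."""
    modules = {
        "static": lambda: lookup_static(static, pkt),
        "vpn": lambda: lookup_vpn(vpn, pkt),
        "sdwan_policyroute": lambda: lookup_sdwan(sdwan, pkt),
    }
    for name in precedence:
        hit = modules[name]()
        if hit is not None:
            return name, hit
    return "default", default_gw


# Constructed topology: LAN on Port1, a second internal segment on Port3, a policy-based
# IPsec tunnel to a branch, and the thread's SD-WAN rule ("all traffic from 192.168.1.250
# must go via the 2nd gateway") with destination ANY.
STATIC = [StaticRoute("192.168.1.0/24", "Port1"), StaticRoute("192.168.169.0/24", "Port3")]
VPN = [VpnRoute("192.168.1.0/24", "192.168.50.0/24", "ipsec-branch")]
SDWAN = [SdwanRule("host-via-adsl", "192.168.1.250/32", ANY, ANY, "ADSL")]
DEFAULT_GW = "172.16.16.254"

SDWAN_FIRST = ("sdwan_policyroute", "static", "vpn")    # the order the answer says causes the problem
STATIC_FIRST = ("static", "vpn", "sdwan_policyroute")   # order set by `system route_precedence set ...`


def decide(pkt, precedence):
    return route(pkt, precedence, STATIC, VPN, SDWAN, DEFAULT_GW)


if __name__ == "__main__":
    internal = {"src": "192.168.1.250", "dst": "192.168.169.251", "service": "icmp"}
    branch = {"src": "192.168.1.250", "dst": "192.168.50.10", "service": "tcp/3389"}
    internet = {"src": "192.168.1.250", "dst": "203.0.113.10", "service": "tcp/443"}
    for label, pkt in (("internal", internal), ("branch", branch), ("internet", internet)):
        print(f"{label:8} sdwan-first: {decide(pkt, SDWAN_FIRST)}  static-first: {decide(pkt, STATIC_FIRST)}")
```

With SD-WAN first, the ping from 192.168.1.250 to 192.168.169.251 and the RDP session to the branch both leave via "ADSL", which is the symptom reported in the thread; with static first, the connected route on Port3 and the IPsec selector win and only genuine Internet traffic reaches the SD-WAN rule. The precedence is an ordinary tuple, so the `vpn static sdwan_policyroute` order from a later post can be tried by passing `("vpn", "static", "sdwan_policyroute")`.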

  • OK, thanks, I will try it next weekend.

  • I created a new VM on v17, restored a backup from a customer's firewall, and migrated it to v18.

    I just created a new SD-WAN rule saying that all the traffic from 192.168.1.250 must go through the 2nd gateway.
    I try a ping to 192.168.169.251 (a different VM on another interface of the XG) and it doesn't answer, because in the traceroute we can see that it tries to send the traffic through the 2nd gateway (Internet) instead of using the internal link...

    So this is the exact same issue that I had yesterday on my production environment. What should I do now to use static routes and make it work?

     

    Here are some screenshots:

    As we can see on this screenshot, it tries to go through 172.16.16.254 (Internet gateway) when I traceroute to the internal IP 192.168.169.251...

    Then, in the static routing panel, I don't understand what I should create to make the internal traffic work again.

     

    Thanks

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Sorry, I didn't add the way to set this precedence.

    https://community.sophos.com/kb/en-us/123610

    console> system route_precedence set static vpn sdwan_policyroute
    console> system route_precedence show
    Routing Precedence:
    1. Static routes
    2. VPN routes
    3. SD-WAN policy routes

    Will add this to the answer above. 

    __________________________________________________________________________________________________________________

  • OK, thank you. Once static routes are set in 1st position, I can ping 192.168.169.251 again.

    So the routing issue is resolved in my case.

    There remain the SFM problem and the SNMP monitoring problem.

    And the fact that creating a simple rule is now longer and more complicated because we have to switch between 3 windows, but this is not an issue, just lower UI quality in my opinion.

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Now that this "issue" is resolved, what about my SFM issue?

    SFM should be compatible with V18 firewalls, but in fact it is not yet...

     

    Any news about that ?

    Viken

    XG Certified Architect

    Sophos Gold Partner - Reseller from Lyon, France

  • Viken,

    please open a new thread. One question per thread!

    Thanks

  • LuCar Toni said:

    Changing the Routing Precedence to Static - VPN - SD-WAN will resolve your issues.

    https://community.sophos.com/kb/en-us/123610



    Thanks, LuCar Toni! I spent the whole day on this. After the changes you suggested it works perfectly! It should definitely be pointed out somewhere in the documentation!

    EDIT: To avoid problems with routing from/to Sophos Connect clients, I set the routing precedence order as below:

    console> system route_precedence set vpn static sdwan_policyroute
    console> system route_precedence show
    Routing Precedence:
    1.  VPN routes
    2.  Static routes
    3.  SD-WAN policy routes

  • Could you please quickly review the new Online help? 

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

    Is something still unclear? Question not answered?

     

    __________________________________________________________________________________________________________________
