

SD-WAN policies my experience so far

Hi folks,

I have been experimenting with the SD-WAN policies since yesterday after Luk and Lucar kindly explained what I was doing wrong.

So far

1/. 1 policy working

2/. many attempts at creating two new policies covering different rules failed.

I had to do a restore after I broke something, not sure what.

What I have found is that the SD-WAN policies do not know how to handle ports like 8000, 5222. The SD-WAN policies do not have a problem handling HTTPS, HTTP and SIP.

If I delete the SD-WAN policy for 8000 and setup a linked NAT, traffic resumes, the same for the 5222 firewall rule.

Thoughts and suggestions. Am I expecting too much?

Ian

  • The new SD-WAN was implemented like another vendor did, and to be honest, having 3 separate menus for creating things is not Sophos-style. It does not mean that if the competition does it that way, it is the right way to do things. This is the approach being used even for DNAT, where the destination network is the WAN IP and not the server itself.

    In my opinion SD-WAN in v18 could be improved by adding SD-WAN policies inside the Rules and Policies as a new Wizard (like BAR in v17) or by putting extra fields in the same Firewall rule.

    This is "made simple" UI.

  • Hi Luk, LuCar,

    Are you saying I need a NAT rule as well as an SD-WAN policy? That does not make sense from past posts on the subject.

    Anyway, I have a working SD-WAN policy for my VoIP devices, no NAT rule.

    With my streaming firewall rule the SD-WAN policy will pass the https and http traffic regardless of web proxy or DPI but fails the 8000. If I change the services to ANY, https and http pass but 8000 does not. Logviewer shows the packets leaving but never being answered. As soon as a NAT rule is created traffic passes and music flows.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 EAP

    If a post solves your question please use the 'Verify Answer' button.

  • Let's recap this:

    SNAT and SD-WAN Policy have no real relationship.

    Both will be applied or not applied and serve different purposes.

    SD-WAN: Decide which Interface / route XG has to take.

    (S)NAT: Decide which IP to use.

    If no SD-WAN applies, WAN Link Manager will be used (for Default route).

    If no SNAT Rule applies, the IP will not be MASQ, therefore you will communicate with a Private IP.

    Recommend to use the Default SNAT Rule as always.

    This will cover the MASQ for all Traffic leaving all your WAN Interfaces.

    No need for Linked NAT at all.

    This rule will be automatically updated with all WAN Interfaces created on XG.

    You now have to create a SD-WAN policy, if you want to create a "special routing Case". Like VOIP over A or B.

    __________________________________________________________________________________________________________________
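The recap above separates two decisions: the SD-WAN policy chooses the egress interface, and the SNAT rule chooses the source address on the wire. The following is an added, constructed Python model of that pipeline (not Sophos code and not part of the thread); interface names, the WAN addresses, the 192.168.1.50 client and the rule names are all hypothetical placeholders. It shows why a packet can "leave but never be answered": a policy sends port 8000 out PortC, but a linked NAT bound to PortB does not match that interface, so the packet goes out with an RFC 1918 source address, whereas a Default-SNAT-style rule with no interface restriction masquerades on whichever WAN interface the policy picks.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed WAN interfaces: name -> address used when masquerading (placeholder values).
WAN_INTERFACES = {
    "PortB": "203.0.113.10",
    "PortC": "198.51.100.10",
}

# Explicit RFC 1918 check (the documentation ranges above are treated as "public" for this model).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class SdwanPolicy:
    """Routing decision: match destination ports (None = any service) and pick the egress interface."""
    name: str
    services: Optional[frozenset]
    interface: str

    def matches(self, dst_port: int) -> bool:
        return self.services is None or dst_port in self.services


@dataclass
class SnatRule:
    """Address decision: masquerade to the egress interface's address when that interface matches.
    out_interfaces=None means 'any WAN interface', modelling the Default SNAT rule's behaviour."""
    name: str
    out_interfaces: Optional[frozenset]

    def matches(self, egress: str) -> bool:
        return self.out_interfaces is None or egress in self.out_interfaces


def pick_egress(dst_port: int, policies, default_iface: str = "PortB"):
    """First matching SD-WAN policy wins; otherwise fall back to the WAN Link Manager default route."""
    for policy in policies:
        if policy.matches(dst_port):
            return policy.interface, policy.name
    return default_iface, "WAN Link Manager default route"


def apply_snat(src_ip: str, egress: str, rules):
    """First SNAT rule matching the egress interface masquerades; no match leaves the private source."""
    for rule in rules:
        if rule.matches(egress):
            return WAN_INTERFACES[egress], rule.name
    return src_ip, None


def forward(src_ip: str, dst_port: int, policies, snat_rules) -> dict:
    """Run one packet through both decisions and report whether a reply can reach it."""
    egress, routed_by = pick_egress(dst_port, policies)
    src_on_wire, snat_rule = apply_snat(src_ip, egress, snat_rules)
    return {
        "egress": egress,
        "routed_by": routed_by,
        "src_on_wire": src_on_wire,
        "snat_rule": snat_rule,
        "reply_routable": not is_rfc1918(src_on_wire),
    }


# Constructed rule set: streaming (80, 443, 8000) forced out PortC.
STREAMING_POLICY = SdwanPolicy("Streaming via PortC", frozenset({80, 443, 8000}), "PortC")
LINKED_SNAT_PORTB = SnatRule("Linked NAT bound to PortB", frozenset({"PortB"}))
DEFAULT_SNAT = SnatRule("Default SNAT (any WAN interface)", None)


def scenario_linked_nat_only() -> dict:
    """Policy routes 8000 out PortC, but the only SNAT rule is linked to PortB: private source leaks."""
    return forward("192.168.1.50", 8000, [STREAMING_POLICY], [LINKED_SNAT_PORTB])


def scenario_default_snat() -> dict:
    """Same policy, Default SNAT covers every WAN interface: masqueraded on PortC, reply routable."""
    return forward("192.168.1.50", 8000, [STREAMING_POLICY], [DEFAULT_SNAT])


def scenario_no_policy_match() -> dict:
    """SIP (5060) matches no policy: WAN Link Manager default route, still masqueraded."""
    return forward("192.168.1.50", 5060, [STREAMING_POLICY], [DEFAULT_SNAT])


if __name__ == "__main__":
    for fn in (scenario_linked_nat_only, scenario_default_snat, scenario_no_policy_match):
        print(fn.__name__, fn())
```

Reading the three scenarios side by side is the point: changing the SD-WAN policy never changes the source address, and changing the SNAT rule never changes the egress interface, which is why troubleshooting one with the other (deleting the policy, adding a linked NAT) can appear to "fix" traffic while leaving the routing question unanswered.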