
SD-WAN policies my experience so far

Hi folks,

I have been experimenting with the SD-WAN policies since yesterday after Luk and Lucar kindly explained what I was doing wrong.

So far

1. One policy working.

2. Many attempts at creating two new policies covering different rules failed.

I had to do a restore after I broke something, not sure what.

What I have found is that the SD-WAN policies do not know how to handle ports like 8000, 5222. The SD-WAN policies do not have a problem handling HTTPS, HTTP and SIP.

If I delete the SD-WAN policy for 8000 and setup a linked NAT, traffic resumes, the same for the 5222 firewall rule.

Thoughts and suggestions. Am I expecting too much?

Ian



  • https://www.youtube.com/watch?v=TolZsFNbBuM

    Watch the video for more info regarding SD-WAN.

    A proper KB should be published for SD-WAN ASAP

  • Hi Luk,

    Thank you for that link, very interesting. I cannot find where the troubleshooting tab is, but never mind, I don't need it. Interesting how fields can be left empty in SD-WAN policies, and some of those tricks do not work in the Application selection field. While the video was very informative, it did not (to me, anyway) explain why certain ports will not work.

    I found why I was having performance issues when I first tried removing all the migrated linked NAT rules: I was not aware that the migration had created SD-WAN policies. Having removed them and enabled the default NAT rule, all is good.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Could you please quickly review the new Online help? 

    http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

    Is something still unclear? Question not answered?

  • I have read that recommended document, but not been able to apply all of it yet.

    What I can't find, though, is this: if you have the generic NAT rule and then use an SD-WAN policy, where is the traffic handled? Yes, I am aware of the processing order, but that does not appear to cover NAT traffic?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Basically because NAT has nothing to do with SD-WAN PBR.

    It's like saying NAT and static routes have a relation. They do not.

    XG will search for the correct route across the three routing tables (VPN, SD-WAN, Static). Then it applies the NAT rule that matches this traffic.

    SD-WAN is for internal and external traffic:

    Internet traffic and internal multipath traffic to another location.

    You would have to apply NAT on the Internet traffic, but not on the internal traffic.

    SNAT will be applied right before leaving the Interface. PBR is earlier.


  • A summary.

    I changed the processing order and enabled the default NAT as per your suggestion.

    Now, based on your answer above, no traffic would ever be passed by the SD-WAN policy because the policy is below the NAT in processing order. This assumes the NAT is treated as a static route?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • No, let's recap quickly.

    The packet processing is a packet workflow.

    So basically a connection will go through each module. There is the firewall, there is DNAT, there are routing decisions and there is SNAT.

    Each module tells the connection what to do. For example, DNAT will change the packet, the firewall allows the packet, the routing stack says "let this packet leave on WAN B", and SNAT tells the packet to leave with the following IP of Port B.

    There is no relation between SNAT and SD-WAN at all.

    If you have the default rule for MASQ (Default SNAT IPv4 and IPv6), this will take action for all packets which leave your WAN interfaces, no matter why they leave.

    If you do not have a default rule but instead a special MASQ rule matching this traffic (for example port 25 and MASQ on an alias), this will take place before the packet leaves the interface. But you have to take care that XG takes the correct interface.


  • Ian,

    Can you share the rules of what you are trying to achieve?

    Also a tcpdump output or something that shows the packets are flowing incorrectly.

    Thanks

  • Hi Luk,

    I have a PCAP only at this stage. I will need to set up the rules and policies again.

    2020-02-26 08:40:15
    Firewall
    • messageid="00001"
    • log_type="Firewall"
    • log_component="Firewall Rule"
    • log_subtype="Allowed"
    • status="Allow"
    • con_duration="190"
    • fw_rule_id="17"
    • nat_rule_id="0"
    • policy_type="2"
    • user="ipad"
    • user_group="IoT"
    • web_policy_id="1"
    • ips_policy_id="0"
    • appfilter_policy_id="0"
    • app_name=""
    • app_risk="0"
    • app_technology=""
    • app_category=""
    • vlan_id="0"
    • ether_type="Unknown (0x0000)"
    • bridge_name=""
    • bridge_display_name=""
    • in_interface="Port1"
    • in_display_interface="IoT LAN"
    • out_interface="Port4"
    • out_display_interface="BIGPOND WAN"
    • src_mac="
    • dst_mac=""
    • src_ip="192.168.3.23"
    • src_country="R1"
    • dst_ip="74.207.246.84"
    • dst_country="USA"
    • protocol="TCP"
    • src_port="54121"
    • dst_port="8000"
    • packets_sent="11"
    • packets_received="0"
    • bytes_sent="688"
    • bytes_received="0"
    • src_trans_ip=""
    • src_trans_port="0"
    • dst_trans_ip=""
    • dst_trans_port="0"
    • src_zone_type="LAN"
    • src_zone="LAN"
    • dst_zone_type="WAN"
    • dst_zone="WAN"
    • con_direction=""
    • con_event="Stop"
    • con_id="1079593472"
    • virt_con_id=""
    • hb_status="No Heartbeat"
    • message=""
    • appresolvedby="Signature"
    • app_is_cloud="0"

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Ian,

    Based on your log, firewall rule id 17 is not matching any NAT rule. Did you create a NAT rule before creating the SD-WAN policy?

    Regards
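The diagnosis above rests on one field in the posted record: nat_rule_id="0" on a LAN-to-WAN connection that also saw zero return packets. The following added example (not code from the thread or from Sophos) rebuilds the posted fields into the one-line key="value" form Sophos Firewall writes to syslog, parses it, and flags allowed LAN-to-WAN flows that left a WAN port without any SNAT rule matching. The second log line is a constructed contrast case with a matching NAT rule.

```python
import re
from typing import Dict, List

# Constructed sample: Ian's posted fields re-joined as one key="value" record
# (only the fields needed for the check are kept), plus a constructed
# contrast record for the same flow after a matching SNAT rule exists.
SAMPLE_LOG = [
    'messageid="00001" log_type="Firewall" log_subtype="Allowed" status="Allow" '
    'fw_rule_id="17" nat_rule_id="0" in_interface="Port1" out_interface="Port4" '
    'src_ip="192.168.3.23" dst_ip="74.207.246.84" protocol="TCP" src_port="54121" '
    'dst_port="8000" packets_sent="11" packets_received="0" src_trans_ip="" '
    'src_zone="LAN" dst_zone="WAN" con_event="Stop"',
    'messageid="00001" log_type="Firewall" log_subtype="Allowed" status="Allow" '
    'fw_rule_id="17" nat_rule_id="3" in_interface="Port1" out_interface="Port4" '
    'src_ip="192.168.3.23" dst_ip="74.207.246.84" protocol="TCP" src_port="54121" '
    'dst_port="443" packets_sent="11" packets_received="9" src_trans_ip="203.0.113.10" '
    'src_zone="LAN" dst_zone="WAN" con_event="Stop"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_sophos_line(line: str) -> Dict[str, str]:
    """Parse one Sophos Firewall key="value" log record into a dict."""
    return dict(FIELD_RE.findall(line))


def missing_snat(rec: Dict[str, str]) -> bool:
    """True for an allowed LAN->WAN connection that matched no NAT rule
    (nat_rule_id="0", empty src_trans_ip) and got nothing back."""
    return (
        rec.get("status") == "Allow"
        and rec.get("src_zone") == "LAN"
        and rec.get("dst_zone") == "WAN"
        and rec.get("nat_rule_id", "0") == "0"
        and rec.get("src_trans_ip", "") == ""
        and int(rec.get("packets_received", "0")) == 0
    )


def find_unnatted_flows(lines: List[str]) -> List[str]:
    """Describe every flow that left a WAN interface without SNAT."""
    hits = []
    for line in lines:
        rec = parse_sophos_line(line)
        if missing_snat(rec):
            hits.append(f'fw_rule {rec["fw_rule_id"]} {rec["src_ip"]}->'
                        f'{rec["dst_ip"]}:{rec["dst_port"]}/{rec["protocol"]} '
                        f'via {rec["out_interface"]}')
    return hits


if __name__ == "__main__":
    for hit in find_unnatted_flows(SAMPLE_LOG):
        print("no SNAT matched:", hit)
```

Running it over a real firewall log export points at exactly the firewall rules that still need a NAT rule alongside their SD-WAN policy.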

  • Hi Luk,

    This is where I fail to understand. HTTP and HTTPS in the same firewall rule are processed, whereas port 8000 is not. Why do you need a NAT as well as an SD-WAN policy when they both do NAT?

    Why do I need a NAT when the SD-WAN policy quite happily processes standard ports, e.g. SIP, but not user-created ports?

    I have watched the video and read the KBA.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Ian,

    Please share the firewall rule, NAT and SD-WAN configuration.

    I agree with you that this SD-WAN implementation is horrible! It is not Sophos style but other vendor style which I do not understand at all.

    In my opinion Sophos could have fixed the new SD-WAN by creating an additional wizard inside the Firewall Rule (like the old BAR) and create the SD-WAN policy with the linked NAT and hidden firewall rule.

    Easy to read. Now NAT, firewall rules and SD-WAN are in separate menus and are not "linked" in a smart way! Users will go mad trying to understand, across different windows, why the traffic is going through one interface instead of another.
