This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SOPHOS XG86 Issue with SDWAN Routing

Hi to all Sophos Experts!

I would like to share my experience with my SOPHOS XG86 Firewall. I tried to create a new firewall policy after updating the firmware to v18. I did some test and I encountered a weird issue with routing wherein when I selected "Any" in the "Destination Networks" in SD-WAN Policy routing. The PC IP Address I assigned to the said Routing Policy cannot connect to the internet. When I tried to specify my local subnet in the "Destination Networks" 192.168.100.0/24 the said PC was able to access the internet. It is a bit weird since in our main firewall XG310 with the "Any" option it is working.

Does anyone here have any idea what is wrong with my setup.

Below are some sample screenshot.

Below is my NAT Policy

Thanks

rodneyaltam

This thread was automatically locked due to age.

Top Replies

Rodney Altamera over 3 years ago in reply to FormerMember +1 suggested

Hi Yash Kothari, I tested using the suggestion of emmosophos, now working. Thanks again for your immediate support. We greatly appreciate your fast response. rodney

Parents

0 emmosophos over 3 years ago

Hello Rodney,

Thank you for contacting the Sophos Community.

If you do a packet capture in the GUI what do you see when the computer tries to access the internet or a Ping?

What is the Matching criteria in the NAT rule?

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rodney Altamera over 3 years ago in reply to emmosophos

Hi Emmanuel,

Sorry for the late response. I checked this and it goes to the Test FW Rule. The problem it is not going thru PLDT (Primary ISP). The problem it is routing thru the DCTECH(backup ISP). It is weird since on my Sophos XG310 this kind of issue doesn't exist.

Thanks.

Rodney
Cancel
Vote Up 0 Vote Down

Cancel
0 emmosophos over 3 years ago in reply to Rodney Altamera

Hello Rodney,

Thank you for the screenshot.

Can you share a screenshot of your NAT rule configuration?

Regard

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Rodney Altamera

Just adding on what Emmanuel has said.

In NAT rule please ensure that you have added both WAN interface or ANY under outbound interface.

Or you can also create a NAT rule with TEST-PC101 source.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FormerMember over 3 years ago in reply to Rodney Altamera

Just adding on what Emmanuel has said.

In NAT rule please ensure that you have added both WAN interface or ANY under outbound interface.

Or you can also create a NAT rule with TEST-PC101 source.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Rodney Altamera over 3 years ago in reply to FormerMember

Hi Yash Kothari,

Good day. Yes I'll post the screenshot for the NAT rules.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Rodney Altamera

Thank you for posting a snapshot. The configuration seems ok.

Request to perform the following steps to further investigate the reported behavior.

================================================

==> Enable "TEST FW-RULE" SD-WAN policy route configured with 'PLDT-ISP' as a primary gateway and set Destination networks as 'ANY'.

==> Login to SSH > 5. Device Management > 3. Advanced Shell and run the below command.

18.0.4 MR-4# conntrack -E | grep -e '163.53.76.86'

==> Initiate a ping from 'TEST-PC101' machine to 163.53.76.86 IP address with below command.

C:\Windows\system32> ping -n 1 163.53.76.86

================================================

==> Request to perform the above steps again with Destination networks as '100(192.168.100.0/24)' in SD-WAN policy route.

================================================

Share both SSH session output here or via PM.

1. Destination networks as 'ANY':

conntrack output:

2. Destination networks as '100(192.168.100.0/24)':

conntrack output:
Cancel
Vote Up 0 Vote Down

Cancel
0 Rodney Altamera over 3 years ago in reply to FormerMember

Hi Yash Kothari,

I tested using the suggestion of emmosophos, now working. Thanks again for your immediate support. We greatly appreciate your fast response.

rodney
Cancel
Vote Up +1 Vote Down

Cancel