  • I want to save you some time: 

    SSLVPN + WAF Portsharing: You can share the port of the SSLVPN and the WAF on 443, but not the same protocol (UDP/TCP). WAF is always TCP, so you can use SSLVPN UDP on the same interface/IP. You can also use SSLVPN on TCP. There is no interface selection in SSLVPN; it will be activated on every interface. If there is a WAF/DNAT, it will override the SSLVPN. 

    SSLVPN (Sophos Connect) needs the User Portal settings. In XG, User Portal and SSLVPN can share the same interface (both TCP 443, for example). But User Portal runs on TCP and will block the WAF, so that's not possible to run on TCP 443. 

    About the Missing Heartbeat: The switches to setup this missing heartbeat config: 

    console> system synchronized-security
    delay-missing-heartbeat-detection      suppress-missing-heartbeat-to-central
    console> system synchronized-security delay-missing-heartbeat-detection show
    60
    console> system synchronized-security suppress-missing-heartbeat-to-central show
    0  

    __________________________________________________________________________________________________________________

  • But not the same protocol (UDP/TCP).

    Couldn't the Sophos Devs use the "port-share" parameter for OpenVPN? This would allow both WAF and SSLVPN to share the same TCP port.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • That's not possible. The packet flow does not work in XG that way. WAF/DNAT will be first. Hence the port share would need to be implemented within the WAF (kernel) to share this with the OpenVPN stack. OpenVPN port-share is an option which will forward certain traffic to another instance. That would require a complete revamp of the architecture. 

    __________________________________________________________________________________________________________________
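    For reference, this is what the OpenVPN port-share directive discussed in the two replies above looks like on a stock OpenVPN server. It is an added example, not an XG configuration and not something the XG SSLVPN exposes; the listener addresses and file names are assumptions:

    ```conf
    # Added example: plain OpenVPN server.conf demonstrating port-share.
    # This is NOT a Sophos XG configuration; addresses and file names are assumed.
    # port-share is only valid for a TCP server listener.
    proto tcp-server
    port 443
    dev tun
    server 10.8.0.0 255.255.255.0
    ca ca.crt
    cert server.crt
    key server.key
    dh dh.pem

    # Any TCP/443 connection whose first bytes are not an OpenVPN control packet
    # is handed over byte-for-byte to the web server bound on 127.0.0.1:8443
    # (assumed address). OpenVPN only inspects the start of the stream and does
    # not terminate TLS for the forwarded connection; the web server does that.
    port-share 127.0.0.1 8443
    ```

    The web server behind port-share still needs its own certificate and HTTPS listener, because OpenVPN simply proxies the raw connection once it decides the stream is not its own protocol. That is exactly the demultiplexing step the reply above says would have to live in the XG WAF/DNAT path, which sees TCP/443 before the OpenVPN process does.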

  • Is there any reason that SSLVPN will be activated on every interface? Why is it not possible to use different external IPs for WAF and SSLVPN/User Portal, so that both can use 443 TCP on their own interface/IP?

  • SSLVPN + WAF is not the issue. It will work like you explained. Only the User Portal can cause issues, as it cannot be used in such deployments on 443. User Portal will be blocked by the WAF and cannot be selected on a specific port. 

    __________________________________________________________________________________________________________________

  • First Test on my home Firewall looks good. If there are no issues I will install the MR5 next week on our productive Firewalls. 

    If a post solves your question please use the 'Verify Answer' button.

  • SSLVPN + WAF Portsharing: You can share the port of the SSLVPN and the WAF on 443. But not the same protocol (UDP/TCP).

    From my experience on v18 MR5, you indeed can run both WAF and SSLVPN on TCP/443 - It all depends on the Interface where the WAF is located at.

    Currently all my WAFs are located on an Internal (LAN) Interface, meanwhile there are no WAF Policies on my WAN Interface - this allows me to run SSLVPN on TCP/443 on my WAN Interface while maintaining all my Internal WAF Policies.

    I've also tried out running WAF & SSLVPN on two WAN Interfaces on a lab setup, I've managed to host a WAF on my first Interface, and SSLVPN on the second one - both on TCP/443 without any issues.

    A reminder, If you ever create a WAF Policy using HTTPS on TCP/443 - and also use SSLVPN with TCP/443 on the same interface, all connections to TCP/443 over that Interface will always reach the WAF first.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • It's about the Interface/IP. If you have an alias on your interface, you can also run WAF and SSLVPN TCP on the same port. If you have only one IP and one Interface on WAN, you are likely to move to UDP+TCP. 

    __________________________________________________________________________________________________________________
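    The thread's recurring point is that whichever service owns TCP/443 on a given interface/IP (WAF or DNAT first, then SSLVPN) answers every connection to it, and that an alias IP lets each service have its own 443. That can be checked from outside before going live. The script below is an added probe, not from the thread and not Sophos code: it opens a raw TLS session to each IP and asks for an HTTP status line. An HTTPS answer means the WAF (or User Portal) has that IP:port; a port that accepts the TCP connection but never completes a raw TLS handshake is what an OpenVPN TCP listener looks like, because OpenVPN wraps its TLS inside its own framing. The SNI value, timeout and the placeholder addresses are assumptions.

    ```python
    import socket
    import ssl
    import sys
    from typing import Optional, Tuple

    # Added example, not Sophos XG code. Probes TCP/443 on a set of IPs and reports
    # which kind of listener answers first on each. Constants below are assumptions.
    PROBE_SNI = "probe.invalid"   # SNI sent in the ClientHello; any name is fine for a probe
    TIMEOUT = 3.0                 # seconds per connect / handshake / read


    def parse_status_line(data: bytes) -> Optional[str]:
        """Return the first line of an HTTP response, or None if nothing came back."""
        first = data.split(b"\r\n", 1)[0].strip()
        return first.decode("latin-1", "replace") if first else None


    def classify(connected: bool, tls_ok: bool, status_line: Optional[str]) -> str:
        """Map the three raw observations from probe() to a verdict string."""
        if not connected:
            return "closed"             # nothing listening on that IP:port, or filtered
        if tls_ok and status_line and status_line.startswith("HTTP/"):
            return "https-service"      # raw TLS + HTTP reply: WAF (or User Portal) owns the port
        if tls_ok:
            return "tls-no-http"        # TLS completed but no HTTP status line came back
        return "tcp-open-no-tls"        # TCP accepted, raw TLS never completes: OpenVPN TCP pattern


    def probe(ip: str, port: int = 443) -> Tuple[bool, bool, Optional[str]]:
        """Connect, attempt a raw TLS handshake, then send one HTTP/1.0 request."""
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # we want the banner, not a trust decision
        ctx.verify_mode = ssl.CERT_NONE
        try:
            raw = socket.create_connection((ip, port), timeout=TIMEOUT)
        except OSError:
            return False, False, None
        try:
            # Handshake happens here; an OpenVPN listener does not answer a raw ClientHello.
            tls = ctx.wrap_socket(raw, server_hostname=PROBE_SNI)
        except OSError:                 # ssl.SSLError and socket.timeout are both OSError
            raw.close()
            return True, False, None
        try:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % PROBE_SNI.encode())
            return True, True, parse_status_line(tls.recv(4096))
        except OSError:
            return True, True, None
        finally:
            tls.close()


    if __name__ == "__main__":
        # Usage: python probe443.py 198.51.100.10 198.51.100.11   (placeholder addresses)
        for target in sys.argv[1:]:
            print(target, classify(*probe(target)))
    ```

    Run it once per WAN address (primary IP and each alias) after changing WAF rules or the SSLVPN port: the address you intend for the WAF should come back as https-service and the one for SSLVPN as tcp-open-no-tls. The probe cannot tell the WAF and the User Portal apart from the status line alone, which matches the thread's caveat that whichever of the two wins on 443 is what the client sees.
    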