XG Firewall v18 MR-5: Feedback and experiences

Top Replies

  • The classification process is still broken - ntp, imaps.

    Is there any reason at all why the Firewall can't detect NTP traffic as its own application?

    Creating an application signature…

Parents
  • I want to save you some time:

    SSLVPN + WAF Portsharing: You can share the port of the SSLVPN and the WAF on 443. But not the same protocol (UDP/TCP). WAF is always TCP, so you can use SSLVPN UDP on the same Interface/IP. You can also use SSLVPN on TCP. There is no Interface selection in SSLVPN, it will be activated on every Interface. If there is a WAF/DNAT, it will overwrite the SSLVPN.

    SSLVPN (Sophos Connect) needs User Portal settings. In XG, User Portal and SSLVPN can share the same interface (both TCP 443 for example). But User Portal runs on TCP and will block the WAF. So that's not possible to run on TCP 443.

    About the Missing Heartbeat: The switches to set up this missing heartbeat config:

    console> system synchronized-security
    delay-missing-heartbeat-detection      suppress-missing-heartbeat-to-central
    console> system synchronized-security delay-missing-heartbeat-detection show
    60
    console> system synchronized-security suppress-missing-heartbeat-to-central show
    0
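The port-sharing rules in the post above (WAF is TCP only, SSLVPN binds on every interface in TCP or UDP, User Portal shares with SSLVPN but blocks WAF, a WAF/DNAT listener overrides SSLVPN) encoded as a small pre-change planning check. This is an added example, not code from the post or from Sophos; the `Listener` model, the service names and the interface name `PortB` are my own assumptions.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Listener:
    service: str    # "WAF", "SSLVPN", "USER_PORTAL" or "DNAT" (names assumed here)
    proto: str      # "TCP" or "UDP"
    port: int
    interface: str  # e.g. "PortB"; "*" means every interface


def validate(listeners):
    """Per-listener rules taken from the post: WAF and User Portal are TCP only,
    SSLVPN has no interface selection and therefore always binds on '*'."""
    errors = []
    for l in listeners:
        if l.service in ("WAF", "USER_PORTAL") and l.proto != "TCP":
            errors.append(f"{l.service} is TCP only")
        if l.service == "SSLVPN" and l.interface != "*":
            errors.append("SSLVPN has no interface selection; use '*'")
    return errors


def overlaps(a, b):
    # Same protocol and port on the same interface, or on '*' which covers every interface.
    same_if = a.interface == b.interface or "*" in (a.interface, b.interface)
    return a.proto == b.proto and a.port == b.port and same_if


def check_sharing(listeners):
    """Return (kind, message) findings: 'error', 'ok', 'warn' or 'conflict'."""
    findings = [("error", e) for e in validate(listeners)]
    for a, b in combinations(listeners, 2):
        if not overlaps(a, b):
            continue  # different protocol or port: sharing 443 is fine
        pair = {a.service, b.service}
        if pair == {"SSLVPN", "USER_PORTAL"}:
            findings.append(("ok", f"SSLVPN and User Portal share {a.proto}/{a.port}"))
        elif "SSLVPN" in pair and pair & {"WAF", "DNAT"}:
            other = (pair - {"SSLVPN"}).pop()
            findings.append(("warn", f"{other} on {a.proto}/{a.port} overrides SSLVPN"))
        else:
            findings.append(("conflict", f"{a.service} and {b.service} both need {a.proto}/{a.port}"))
    return findings


if __name__ == "__main__":
    plan = [Listener("WAF", "TCP", 443, "PortB"), Listener("SSLVPN", "UDP", 443, "*")]
    print(check_sharing(plan) or "no findings: WAF TCP/443 and SSLVPN UDP/443 coexist")
```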
