
Schedules in Routing

Hi,  This is my first time asking a question, so please bear with me.

Sophos obsoleted my XG 105 which is running 17.5.  So I bought an XGS 107 now running 18.5.

In 17.5 you could specify a firewall rule to take effect at scheduled times.  My setup looked like:

LAN1: Internal

WAN2: HughesNet Residential (02:00-08:00 50GB Bonus Bytes, 15GB Anytime per month)

WAN3: HughesNet Business (08:00-18:00 30GB Bonus Bytes, 10GB Anytime per month)

So individual firewall rules would take effect at different times of the day and different days of the week (for 18:00-02:00).  This was all good because the NAT and Routing were part of the Firewall rules.

On 18.5 the NAT and Routing are separate.  The Firewall rule can still link to a NAT, but the Firewall can't link to a Route.  If you migrate from 17.5 to 18.0, Routing links are created, but I can't migrate the XG 105 past 17.5, so I am hand entering all the rules because another WAN was just added:

WAN4: SpaceX Starlink (5.5 minutes Bonus Bytes (unlimited), then 30 seconds nothing; cycle repeats every 94 minute orbit; this will get better, but when they put on the data cap, it will be like a third HughesNet, just lower latency)

I can't figure out a way to create a link from a Firewall rule to a Route.  I don't think this is the long-term clean way of doing things.  Since Routing doesn't include a Schedule, I can't schedule the Route.  There are a lot of reasons to send data to each different satellite (also via a port Alias), or to get the status from each satellite's modem (or PoE brick).  I tried marking each packet in Firewall with DSCP, to see if the Routing could identify it, but that didn't work.  All WANs are either Active or a Backup at different times of the day.

Was this functionality purposely removed?  What am I missing?



  • Hi, thank you for reaching out to the Sophos community team. As we have decoupled SD-WAN policy routes from firewall rules in v18, and SD-WAN doesn’t have scheduled time as a matching criterion, this specific scenario may not be possible in v18.

    If you already have a v17.x scheduled rule and you migrate the appliance configuration to v18, it keeps working as expected.

    As of now you may raise a feature request on the Ideas Portal to add scheduled time in the SD-WAN rule.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi,

    Please reread my problem.

    How can I upgrade my XG 105 to 18.5 (thus migrate and have future threat subscriptions)?

    How can I downgrade my XGS 107 to 17.5 (so I can add the old rules, then remigrate every time I have to make a change)?

    There is no migration path!  This is a bug, not a Request For Enhancement.  What's the workaround?

    Thanks

  • While it's not the best option and it's not something "native", you can always create a script that modifies the routing table and creates/erases routes based on time/date and applies those changes via API calls.

    It might sound daunting, but it's not. You just need a stable server that can run the scheduled task or keep the script running in the background.

    Yeah, it would be good if instead the functionality was there, but like it happened from Cyberoam -> Sophos or UTM -> Sophos, you'll see that some functionalities were cut without any reason (besides the implicit "This might take way too much effort/development and not too many people are using it so *** it" reason).
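
A sketch of the scheduling half of the script suggested in the reply above, added here as an example and not code from any poster or from Sophos. The 02:00-08:00 and 08:00-18:00 windows come from the question; routing 18:00-02:00 to WAN4 and the `apply_route` callable (a stand-in for whatever firewall API request changes the route) are assumptions.

```python
from datetime import datetime, time

# Constructed schedule. The first two windows are the "Bonus Bytes" periods
# quoted in the question; the 18:00-02:00 entry is an assumption.
SCHEDULE = [
    (time(2, 0), time(8, 0), "WAN2"),
    (time(8, 0), time(18, 0), "WAN3"),
    (time(18, 0), time(2, 0), "WAN4"),  # wraps past midnight
]
DEFAULT_GATEWAY = "WAN4"  # assumption: used if no window matches


def in_window(t, start, end):
    """True if t is in [start, end); handles windows that wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def desired_gateway(now):
    """Return the WAN that should be primary at the given datetime."""
    for start, end, gateway in SCHEDULE:
        if in_window(now.time(), start, end):
            return gateway
    return DEFAULT_GATEWAY


def reconcile(now, current, apply_route):
    """Call apply_route(gateway) only when the scheduled gateway differs from
    the one currently configured, so repeated runs (cron, a loop) make no
    redundant configuration changes. apply_route is a hypothetical callable
    wrapping the firewall API request. Returns the gateway now in effect."""
    wanted = desired_gateway(now)
    if wanted != current:
        apply_route(wanted)
    return wanted


if __name__ == "__main__":
    # Dry run over constructed timestamps: print instead of calling a firewall.
    state = None
    for stamp in ("2021-11-01 01:59", "2021-11-01 02:00", "2021-11-01 17:59",
                  "2021-11-01 18:00", "2021-11-01 23:30"):
        now = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        state = reconcile(now, state, lambda gw: print(stamp, "-> switch to", gw))
```

Run from a scheduler every few minutes, the same logic converges on the right WAN after a missed run or a reboot, because it compares against the current state instead of firing only at window boundaries.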

  • It's not a bug. It's a removed feature for now, as it will be replaced in the future by something more dynamic. Therefore, with the next major release SFOS will get more flexible SD-WAN features such as jitter etc. Scheduling of WAN connections is also attached to this.

    You cannot downgrade the rules, this was removed from now and cannot be enabled as of today. 

    The issue came up after decoupling stuff like NAT and Firewall and Routing. This part actually left some stuff not configurable today.

    A bug would be an unexpected software behavior. This is an in-between feature development, which causes this.


  • Hi,

    Decoupling the Firewall, NAT, and Routing is the correct thing to do.

    Adding back the missing feature(s) and adding even more features in the next major release is really good news.

    (note: the Routing migration could have been handled the same way as the NAT links)

    Viewing products' architecture and migration from the customers' point of view is the only way to build a great company.  The definition of "bug" has always been and always will be in the eye of the beholder.  Today I'm a customer.

    I look forward to v19.0 and beyond!

  • Routers sometimes are in need of reboots to keep them running properly. One thing to check if you are doing this daily is your channel settings. Try a different one. Perhaps you have something in common with something nearby. Maybe moving the router to a different spot will help as you may be near something it doesn't like.

    Outside of this a timer plugged into the wall, or a built in timer on a schedule is not a bad idea at all if it does not interfere with anything.

    --Edit: UPnP is fine to be enabled if you have devices or other things on your network that need access. It will automatically configure the ports for you and make things discoverable. I like it when my cloud drives show up in my TV automatically. Yay. Unless by enabling UPnP you allowed access to an exploitable device on your network, I would say you are safe with leaving that on.