
Schedules in Routing

Hi,  This is my first time asking a question, so please bear with me.

Sophos obsoleted my XG 105 which is running 17.5.  So I bought an XGS 107 now running 18.5.

In 17.5 you could specify a firewall rule to take effect at scheduled times.  My setup looked like:

LAN1: Internal

WAN2: HughesNet Residential (02:00-08:00 50GB Bonus Bytes, 15GB Anytime per month)

WAN3: HughesNet Business (08:00-18:00 30GB Bonus Bytes, 10GB Anytime per month)

So individual firewall rules would take effect at different times of the day and different days of the week (for 18:00-02:00).  This was all good because the NAT and Routing were part of the Firewall rules.

On 18.5 the NAT and Routing are separate.  The Firewall rule can still link to a NAT, but the Firewall can't link to a Route.  If you migrate from 17.5 to 18.0, Routing links are created, but I can't migrate the XG 105 past 17.5, so I am hand entering all the rules because another WAN was just added:

WAN4: SpaceX Starlink (5.5 minutes Bonus Bytes (unlimited), then 30 seconds nothing; cycle repeats every 94 minute orbit; this will get better, but when they put on the data cap, it will be like a third HughesNet, just lower latency)

I can't figure out a way to create a link from a Firewall rule to a Route.  I don't think this is the long term clean way of doing things.  Since Routing doesn't include a Schedule, I can't schedule the Route.  There are a lot of reasons to send data to each different satellite (also via a port Alias), or to get the status from each satellite's modem (or PoE brick).  I tried marking each packet in Firewall with DSCP, to see if the Routing could identify it, but that didn't work.  All WANs are either Active or a Backup at different times of the day.

Was this functionality purposely removed?  What am I missing?



  • Hi, thank you for reaching out to the Sophos community team. As we have decoupled SD-WAN policy routes from firewall rules in v18, and SD-WAN doesn’t have scheduled time as a matching criterion, this specific scenario may not be possible in v18.

    If you already have a v17.x scheduled rule and you migrate the appliance configuration to v18, it keeps working as expected.

    As of now you may raise a feature request on the Ideas Portal to add scheduled time to the SD-WAN rule.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

  • Hi,

    Please reread my problem.

    How can I upgrade my XG 105 to 18.5 (thus migrate and have future threat subscriptions)?

    How can I downgrade my XGS 107 to 17.5 (so I can add the old rules, then remigrate every time I have to make a change)?

    There is no migration path!  This is a bug, not a Request For Enhancement.  What's the workaround?

    Thanks

  • It's not a bug. It's a removed feature for now, as it will be replaced in the future by something more dynamic. Therefore, with the next major release SFOS will get more flexible SD-WAN features such as jitter etc. Scheduling of WAN connections is also attached to this.

    You cannot downgrade the rules; this was removed for now and cannot be enabled as of today.

    The issue came up after decoupling stuff like NAT and Firewall and Routing. This actually left some stuff not configurable today.

    A bug would be unexpected software behavior. This is an in-between feature development, which causes this.

  • Hi,

    Decoupling the Firewall, NAT, and Routing is the correct thing to do.

    Adding back the missing feature(s) and adding even more features in the next major release is really good news.

    (note: the Routing migration could have been handled the same way as the NAT links)

    Viewing products' architecture and migration from the customers' point of view is the only way to build a great company.  The definition of "bug" has always been and always will be in the eye of the beholder.  Today I'm a customer.

    I look forward to v19.0 and beyond!