

How to setup XG Firewall as RED device in "Unified Mode"

As suggested by Sophos, we bought some XG 86 to use them as RED devices for connecting branch offices. In some branch offices we have already added licenses and operate them in transparent mode; hence, all internal network traffic is tunneled. But in some branch offices we do not have much traffic and want to operate them in unified mode; hence, in addition to internal traffic, all traffic for mail, Internet and so forth should be secured by tunneling it to the head office.

The configuration steps for transparent/split mode are shown in several how-tos, but not for the case of unified mode. Can someone explain the basic steps to be done?

For sure, I can route all traffic by a default route to the head office, but that does not work. I expect there is a smoother way using firewall/NAT rules and maybe a special gateway.

Configuration: Head Office: XG 135, RED Firewall Server; Branch Office: XG 86, RED Firewall Client

  • Thank you very much, LuCar Toni. The second solution (SD-WAN) is working fine and is what I've been searching for.

    In short:

    • I tried the default route 0.0.0.0 before, but that didn't work; I don't know why.
    • The SD-WAN configuration works fine, and I can also split GUEST traffic so that it is not tunneled via the head office.

    For anyone interested, here are the simple steps:

    1. Add the RED Interface as a Gateway (Routing -> Gateway) with the appropriate zone, in my case LAN-Zone
    2. Add SD-WAN Policy for LAN-Traffic (set inbound interface as LAN-interface, source network LAN-network)
    3. Add SD-WAN Policy for Guest-Traffic (set inbound interface as GUEST-interface, source network GUEST-network)
    4. Test:
      1. traceroute to the Internet from LAN is tunneled
      2. traceroute to the Internet from GUEST is not tunneled
  • You will simply use routing to get this done. If you create a 0.0.0.0 static route on the XG86 and move everything through the tunnel, it will act as a standard unified mode appliance. It will route everything through the tunnel.

    If you want to specify a more granular design, you will move to SD-WAN policy-based routing. There you can create a route based on IP or service.

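The test in step 4 of the SD-WAN post (traceroute from LAN goes through the tunnel, traceroute from GUEST does not) is easy to eyeball once, but worth automating when several branch XG 86 units are rolled out, and it also shows the difference between the 0.0.0.0 route and the SD-WAN policy from the second post: with the policy in place only the LAN trace should pass the head-office side of the RED tunnel. The script below is an added example, not code from the thread or from Sophos. It parses plain traceroute/tracert output, treats RFC 1918 hops as "still inside the company network", and reports whether the assumed head-office RED gateway address 10.200.0.1 appears before the first public hop. The two traceroute outputs embedded in it are constructed, as are all addresses.

```python
"""Check from traceroute output whether branch traffic leaves via the RED tunnel.

Added example for the SD-WAN "unified mode" setup in the thread; not part of the
original posts or of any Sophos tooling. All addresses and trace outputs below are
constructed.
"""
import ipaddress
import re

# RFC 1918 ranges: a hop inside one of these is still inside the company network
# (branch LAN, RED tunnel, head-office LAN). The first hop outside them is the
# point where the packet reaches the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed head-office side address of the RED tunnel, i.e. the gateway added in
# step 1 of the post. Replace with the real RED interface address.
TUNNEL_GATEWAY = ipaddress.ip_address("10.200.0.1")

# A hop line starts with the hop number; the address may be "host (ip)", "ip"
# (traceroute -n) or at the end of the line (Windows tracert). "* * *" has none.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(output):
    """Return [(hop_number, IPv4Address or None), ...] from traceroute/tracert text."""
    hops = []
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header/footer lines such as "traceroute to ..." or "Trace complete."
        ip = IPV4.search(m.group(2))
        hops.append((int(m.group(1)), ipaddress.ip_address(ip.group(1)) if ip else None))
    return hops


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def classify(output, tunnel_gw=TUNNEL_GATEWAY):
    """Decide whether the path is tunneled: the tunnel gateway must appear among
    the internal (RFC 1918) hops before the first public hop. Hops that answered
    with "* * *" are skipped rather than treated as public."""
    internal, first_public = [], None
    for _, ip in parse_hops(output):
        if ip is None:
            continue
        if is_rfc1918(ip):
            internal.append(ip)
        else:
            first_public = ip
            break
    return {
        "tunneled": tunnel_gw in internal,
        "internal_hops": [str(i) for i in internal],
        "first_public_hop": str(first_public) if first_public else None,
    }


# Constructed sample: host in the branch LAN (192.168.10.0/24). Hop 2 is the
# head-office RED gateway, hop 3 the head-office XG 135 LAN side, hop 4 the
# head-office ISP.
LAN_TRACE = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.10.1  0.412 ms  0.380 ms  0.371 ms
 2  10.200.0.1  17.904 ms  17.811 ms  17.790 ms
 3  10.10.0.1  18.120 ms  18.050 ms  18.011 ms
 4  203.0.113.1  19.301 ms  19.250 ms  19.211 ms
 5  * * *
"""

# Constructed sample: host in the branch GUEST network (192.168.50.0/24), which
# the second SD-WAN policy sends straight to the branch ISP (hop 2).
GUEST_TRACE = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.50.1  0.395 ms  0.360 ms  0.352 ms
 2  198.51.100.1  4.101 ms  4.050 ms  4.020 ms
 3  192.0.2.9  8.870 ms  8.800 ms  8.790 ms
"""


def verify_branch(lan_output, guest_output, tunnel_gw=TUNNEL_GATEWAY):
    """True when LAN is tunneled via the head office and GUEST is not."""
    lan, guest = classify(lan_output, tunnel_gw), classify(guest_output, tunnel_gw)
    return lan["tunneled"] and not guest["tunneled"]


if __name__ == "__main__":
    for name, trace in (("LAN", LAN_TRACE), ("GUEST", GUEST_TRACE)):
        print(name, classify(trace))
    print("branch OK:", verify_branch(LAN_TRACE, GUEST_TRACE))
```

In practice, run `traceroute -n 1.1.1.1` (or `tracert -d` on Windows) from one host in each network, feed the captured output to `classify`, and check that the first public hop of the LAN trace is the head-office ISP while the GUEST trace hits the branch ISP at hop 2. If the RED interface on the XG 135 does not answer with ICMP time-exceeded, hop 2 of the LAN trace will show as `* * *` and the gateway check will not match; in that case compare the first public hop instead.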