Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do allow Sophos XG itself failover to a backup ISP (SD-WAN policy routing)

I currently have Sophos XG installed on a Qotom Q335G4 box with two ISPs, a primary and a backup for just a few devices. I have an SD-WAN policy route setup that allows this:

Everything works as expected but I also have email notifications setup in Sophos XG so I'll get an email when one of the ISP interfaces is down. However, when my primary ISP is down, I don't seem to get any emails until it comes back up. I'm assuming it's because Sophos XG itself is only using the primary ISP. Is there a way to allow the Sophos XG device itself to fail over to the backup ISP as well?



This thread was automatically locked due to age.
Parents Reply Children
  • Thanks . I couldn’t find a way to use the WAN link manager to allow only certain devices on my network to utilize the backup ISP in the event of the primary ISP going down. Is there a way to do this? It looks like the only thing you can do with the WAN link manager is failover everything to the backup ISP, not specific devices or networks.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Thats correct - My assumption was, this is your only rule and if you use only one rule in SD-WAN you can switch to WAN link manager.

    But if you want to route certain devices etc. you should use the CLI switch and create a own rule. 

    The Rule for the own traffic with the switch needs to have source "ANY" but destination can be: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/DefaultAddressesAndPorts.html

    __________________________________________________________________________________________________________________

  • Ah sorry, I’m kind of mixing two questions here. Just to make sure I understand the answer to the original question correctly - if I want to allow system generated traffic (from Sophos XG) to failover to a backup ISP, I need to go into the console and use:

    set routing sd-wan-policy-route system-generate-traffic enable

    Now, since I’m using an SD-WAN policy to failover only specific devices on my network, do I need to add anything here to the “Source Destination” section? Or does the command I entered above in the console essentially create a separate SD-WAN policy routing for the system generated traffic (Sophos XG) itself that I just can’t see in the GUI?

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Let me enhance this setup a little bit. Currently, if this option is not enable, System own traffic will use the default gateway configuration (WAN link manager). For your other traffic, the appliance will use all applicable Sd-WAN PBR rules. 

    If you enable this option, the appliance will start to look for SD-WAN PBR rules as well. If there are none, it will fallback to the default gateway.

    To get the SD-WAN PBR routes applicable to your system own traffic, you need to specify a rule, which matches the own traffic. As the system generate this traffic, the traffic is generated by "ANY". This will on the other hand also hit for all devices. Therefore you need to find a way to match the traffic to something else. As it is known, which hosts the appliance try to reach, you can create a rule with ANY as Source and Destination the Sophos own services. This rule will start to match for the system own traffic.

    That is some busy work right now, to create all those objects. Thinking about this, i made this back in the day but are not able to find the XML anymore... But i will do this later and create a recommend read to create those objects with a XML (Import/export). 

    __________________________________________________________________________________________________________________

  • Ah okay - that makes sense. It’s unfortunate there’s no way to specify only traffic from the system (Sophos XG) itself. However, I only need the ability for Sophos XG email notifications to go out (really just to know if my primary ISP is down) which I have configured using a Gmail account via SMTPS. So what I’ve done is created a second SD-WAN policy with a Source Network of “Any” and set the Destinations Networks to “smtp.gmail.com” and Services to “465” (SMTPS port used by Gmail). I’ll have to test this out later just to make sure it works as intended. Appreciate the help !

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • __________________________________________________________________________________________________________________

  • Unfortunately this doesn't appear to work. The email notification that my primary ISP is down only goes out once the primary ISP is back up. What I'm trying to achieve is if the primary ISP goes down, Sophos XG sends the email using the backup ISP.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • After applying this rule, check the packet capture on the Firewall, which interface, firewall rule and which NAT rule is applied. It should work directly. 

    __________________________________________________________________________________________________________________

  • Unfortunately I'm not too familiar with packet capture. Is there perhaps an article somewhere that explains how to use it for just packets leaving the firewall itself?

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Just to be sure: The SMTPS Service and the destination IP is correct? 

    If you connect from your PC to this, does it work and use the correct interface? Because it should also affect the clients behind XG. 

    __________________________________________________________________________________________________________________