Static Routing Not working on SOPHOS XG Firewall.

Hi Sophos Community,

I am struggling to route traffic between two Sophos XG firewalls over the point-to-point connectivity. I am deploying my project in the EVE simulator, but it's not routing the traffic from the 10.10.0.5 PC towards the 192.168.3.30 Win Server and vice versa, as shown in the picture below. The WAN to LAN policy is slotted there as well, but the traffic is dropped on the Win Server side of the Sophos, while the same scenario tested with Cisco routers works properly. The Internet from both the WinServer machine and from the 10.10.0.5 PC is working fine, as we have given separate Internet connections to both Sophos XG firewalls.

  • FormerMember

    Hi Muhammad, Thanks for reaching out to Sophos Community.

    It appears that the traffic gets stuck on the XG nodes when pinged from either end. Make sure that both XGs have routing information to reach the remote end machines. 

    Ensure that there's no NAT happening in the entire routing. If Yes, then you'll need to adjust the routing accordingly. In GUI, Go to Diagnostics > Tools > route lookup and check the remote end's IP or Subnet.

    If everything seems proper, I suggest starting with taking a packet capture on any one of these XG devices for the destination address and seeing how traffic is handled by the firewall. Additionally, I would also recommend running a Wireshark capture on Router-2 (fa0/0 interface) and Router-3 (fa0/0 interface) within EVE as well. (Filter Wireshark capture with ICMP to clear the unnecessary traffic)

  • The routing is done on both XG firewalls for the remote subnets. I think it is some kind of NAT issue on the XG firewall, but I don't know how to figure it out.

  • FormerMember in reply to Muhammad Waqas1

    You can start with taking a destination-based Packet capture on GUI. It'll show matching Firewall and NAT rules.

    Also, check the routing precedence with the command --> system route_precedence show

    You can run this command through SSH (Option 4 > Console)

  • OK, I will let you know, as my colleague is at home and our topology is built on his system.

    Meanwhile, we want to know what the firewall policy would be for the transit traffic between two Sophos XG firewalls, as our traffic is blocked when it transits the 2nd Sophos XG FW going towards the LAN side of the interface.

    We gave routes on the 17.222 Sophos XG, like 192.168.3.0/24 from Port B with the next hop 10.77.55.2 as the gateway (showing green in the gateway tab as well), but no traffic is reaching when we ping from the 10.10.0.5 PC system, as the trace is blocked on the 17.222 even after disabling the NAT rules.

    And the same is happening from the 192.168.3.30 PC towards the 10.10.0.5 VPC on the Sophos XG 17.221 with the same configuration.
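As an added illustration (not code from the thread or from Sophos), the following Python script models the "route lookup" check suggested above on both XGs at once: it does a longest-prefix match on each firewall's static table and walks a ping from 10.10.0.5 to 192.168.3.30 and back, so a missing or asymmetric return route shows up as a failed return direction. The /24 masks, the 10.77.55.1 address on the 17.222 side of the link, the port names and the deliberately omitted return route on XG 17.221 are constructed assumptions for the demo, not the poster's actual configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str               # e.g. "192.168.3.0/24"
    next_hop: Optional[str]   # None means directly connected
    port: str

@dataclass
class Firewall:
    name: str
    addrs: set                # IPs owned by this XG (constructed values)
    routes: list

def lookup(fw, dst):
    """Longest-prefix match over one XG's table, as Diagnostics > Tools > route lookup does."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in fw.routes if ip in ipaddress.ip_network(r.prefix)]
    return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

def trace(fws, src, dst):
    """Follow src -> dst hop by hop across the XGs; returns (status, [XGs traversed])."""
    fw = next((f for f in fws if lookup(f, src) and lookup(f, src).next_hop is None), None)
    path = []
    while fw is not None and fw.name not in path:
        path.append(fw.name)
        r = lookup(fw, dst)
        if r is None:
            return "no-route", path          # nothing matches: the XG drops the packet
        if r.next_hop is None:
            return "ok", path                # destination is on a connected interface
        fw = next((f for f in fws if r.next_hop in f.addrs), None)
    return ("loop" if fw else "no-route"), path

def check_both_ways(fws, a, b):
    """Asymmetric routing is the usual cause of one-way pings, so test both directions."""
    return {"forward": trace(fws, a, b), "return": trace(fws, b, a)}

# Constructed topology: 10.77.55.1 on XG 17.222 Port B, 10.77.55.2 on XG 17.221 Port B (from the thread).
XG_222 = Firewall("XG-17.222", {"10.10.0.1", "10.77.55.1"}, [
    Route("10.10.0.0/24", None, "PortA"),
    Route("10.77.55.0/30", None, "PortB"),
    Route("192.168.3.0/24", "10.77.55.2", "PortB"),   # the static route described in the thread
])
XG_221 = Firewall("XG-17.221", {"192.168.3.1", "10.77.55.2"}, [
    Route("192.168.3.0/24", None, "PortA"),
    Route("10.77.55.0/30", None, "PortB"),            # return route to 10.10.0.0/24 left out on purpose
])
TOPOLOGY = [XG_222, XG_221]

def with_return_route():
    """Same topology with the missing return route added on XG 17.221."""
    fixed = Firewall(XG_221.name, XG_221.addrs, XG_221.routes + [Route("10.10.0.0/24", "10.77.55.1", "PortB")])
    return [XG_222, fixed]
```

Run `check_both_ways(TOPOLOGY, "10.10.0.5", "192.168.3.30")` to see the forward path succeed while the return path stops at XG-17.221 with no matching route; `with_return_route()` makes both directions pass. The model only covers static routes, so a NAT rule or a firewall rule that counts the transit traffic as a violation still has to be checked with the GUI packet capture.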

  • FormerMember in reply to Muhammad Waqas1
    Meanwhile we want to know what would be the Firewall Policy for the Transit traffic between two Sophos XG firewall.

    You need to check the zones both interfaces belong to and create a firewall rule accordingly. Make sure you take the GUI packet capture to see whether XG is forwarding the traffic or counts it in any kind of violation.

    I have replied to your DM as well :)