I have XG firewalls located in China, and sometimes the latency of some links to Sophos gets too slow, so I don't get a response in time, for example for live protection.
Right now I'm trying to set up an SD-WAN for all Sophos services, but for that to work well I would need to know which IPs I should monitor so that the SD-WAN route can decide which is the best gateway.
Would it be possible to get an IP list that I should probe for each service?
Also, at the moment I chose these destination networks.
It would be great if Sophos would offer default SD-WAN profiles for Sophos (cloud) services in the next release, to always communicate with Sophos through the fastest possible link, as connectivity to Sophos is super critical if you use Sophos Firewall, Sophos Endpoint Protection and so on.
Hello Moritz_Max,
Thank you for reaching out to the community. The following link will guide you to choose between "Traditional Settings For Primary and Backup Gateway" and "New SD-WAN Profile Settings From v19 Onwards": Sophos Firewall: How to Choose The Gateway For A Firewall Rule v19
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
I know how to set up an SD-WAN; the question is what the best SD-WAN setting is to route traffic to Sophos.
1: Which destinations should I route?
2: Which IP should I probe to check the gateway connection quality to Sophos?
Hey Moritz_Max,
That strictly depends on your requirement; we have given two methods. With the new SD-WAN you can check the link status and the historical performance. It enables performance-based SLA link selection and routing based on real-time packet loss, jitter and latency, with zero-impact rerouting of application traffic when transitioning between links. Performance monitoring criteria include jitter, latency and packet loss, and can utilize multiple probe targets for PING and TCP probes. SD-WAN profiles automatically select the best link based on performance or according to your custom SLA policies, which define specific values for maximum acceptable jitter, latency, or packet loss before re-routing over a better performing link.
Thanks & Regards,
Please read my question.
This is specific to Sophos online services, and you should know the needed destinations and best IPs.
In that case, Moritz_Max, the following covers it all: Domains and ports to allow
Thanks & Regards,
OK, these domains are helpful already.
But the problem is that they are domain names. For the health check I can only enter an IP address.
So I pinged that domain and used the IP address as the health check probe target.
3 pings, 3 different IP addresses.
That is not very helpful for establishing a reliable SD-WAN connection to Sophos.
Of course, with this number of Sophos domains it is not a feasible idea to keep an SD-WAN. I would suggest using the traditional method and prioritizing the 443/80 traffic with all the destination domains mentioned in the KBA above!
Thanks & Regards,
Let me put some thoughts into this question: We have plans to include all domains used by Sophos in the object world of SFOS in the future. So all hosts / domains etc. for Sophos resources are going to be created in a future release. You could then create SD-WAN routes for those objects. Right now, you have to create them manually.
You find the resources in our Docs:
https://docs.sophos.com/central/Mobile/ctg/en-us/esg/Sophos-Mobile/concepts/ports_and_protocols.html
https://docs.sophos.com/central/ZTNA/startup/en-us/setup/Requirements/index.html#active-directory
(And depending on what you want to deploy maybe more).
You can create them via XML, if you want, and redeploy them on multiple devices.
I did this for SFOS already: Sophos Firewall: XML Import for SFOS Default objects
So if you have the objects: SD-WAN profiles and the SLAs should not use each and every resource they redirect. A CDN likely offers the same performance as a host such as Google DNS. Meaning: if you have a local resource (like a DNS), you can monitor those hosts on behalf of all used resources. Individual host monitoring is likely "too much" effort for the outcome. Meaning: if you query DNS and the CDN, the outcome is likely the same.
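As an added example (not from this thread, and not Sophos code) tying together the "3 pings, 3 different IP addresses" observation and the advice above to probe only a stable host: the script below resolves each candidate name several times, flags names whose answers change between lookups (CDN-fronted, unsuitable as a single-IP probe target), and keeps the ones that always return the same address. The domain names and IPs in the embedded sample are constructed; `resolve_n_times` is the only part that needs the network.

```python
"""Pick stable SD-WAN health-check probe targets from repeated DNS answers.

Added example, not from the original thread or from Sophos. The names and
addresses in SAMPLE are constructed: a CDN-fronted name hands back a different
IP on each lookup, while a name that always resolves to one address is usable
as an IP probe target as-is.
"""
import socket
from collections import Counter


def resolve_n_times(domain: str, n: int = 3) -> list[list[str]]:
    """Live helper (needs network): resolve `domain` n times, one IPv4 list per query."""
    samples = []
    for _ in range(n):
        infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
        samples.append(sorted({info[4][0] for info in infos}))
    return samples


def classify_targets(samples: dict[str, list[list[str]]]) -> dict[str, dict]:
    """Per domain: distinct IPs seen across lookups, whether every lookup gave the
    same single address, and the most frequently returned IP (the least bad
    choice if a single IP must be entered into the health check)."""
    report = {}
    for domain, answers in samples.items():
        seen = Counter(ip for answer in answers for ip in answer)
        stable = len(seen) == 1 and all(len(a) == 1 for a in answers)
        report[domain] = {
            "distinct_ips": sorted(seen),
            "stable": stable,
            "most_common_ip": seen.most_common(1)[0][0] if seen else None,
        }
    return report


def probe_candidates(samples: dict[str, list[list[str]]]) -> list[str]:
    """Only the domains whose address never changed are fit for an IP-based probe."""
    return sorted(d for d, r in classify_targets(samples).items() if r["stable"])


# Constructed sample: three lookups per name, mirroring "3 pings, 3 different IPs".
SAMPLE = {
    "cdn-fronted.example": [["203.0.113.10"], ["203.0.113.22"], ["203.0.113.35"]],
    "stable-service.example": [["198.51.100.7"], ["198.51.100.7"], ["198.51.100.7"]],
}

if __name__ == "__main__":
    for domain, result in classify_targets(SAMPLE).items():
        print(domain, result)
```

To run it against real names, replace `SAMPLE` with `{name: resolve_n_times(name) for name in your_list}`; names reported as unstable belong behind a local, fixed-address probe (such as your DNS resolver) rather than a single resolved IP.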