This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SD-Wan to communicate with Sophos central / live protection

i have XG firewalls located in china and sometimes the latency of some links to sophos getting to slow so i dont get a resonse in time for example for live protetcionn

right now im trying to setup a SD WAN for all sophos services, but that it work well i would need to know which IP's i should monitor that SD-wan route can decide which is the best gateway.

would it be possible to get an IP list which i should probe for which service?
also at the moment i chose these destination networks.

It would be great if Sophos would offer default SD-Wan profiles in the next release to sophos services (cloud) to always communicate with sophos trough the fastest possible link as conectivity to sophos is super critical if you use Sophos firewal, sophos endpoint protection and so on.

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 2 years ago in reply to Moritz_Max +1 suggested

In that case Moritz_Max - following covers it all Domains and ports to allow

0 Vivek Jagad over 2 years ago

Hello Moritz_Max ,

Thank you for reaching out to the community, the following link will guide you to choose between: "Traditional Settings For Primary and Backup Gateway:" and "New SD-WAN Profile Settings From v19 Onwards:" - Sophos Firewall: How to Choose The Gateway For A Firewall Rule v19

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
- 0 Moritz_Max over 2 years ago in reply to Vivek Jagad
  
  i know how to setup an SD wan, the question is what is the best setting for an SD Wan to route traffic to sophos.
  1: Which destinations i should route?
  2: which IP i should probe to check the gateway connection quality to Sophos?
  - 0 Vivek Jagad over 2 years ago in reply to Moritz_Max
    
    Hey Moritz_Max ,
    
    That strictly depends on your requirement, we have given two methods. with the New SD-WAN you can check the link status and the historical performance, enables performance-based SLA link selection and routing based on real-time packet loss, jitter and latency with zero-impact rerouting of application traffic when transitioning between links. Performance monitoring criteria includes jitter, latency and packet loss and can utilize multiple probe targets for PING and TCP probes. SD-WAN profiles automatically select the best link based on performance or according to your custom SLA policies that define specific values for maximum acceptable jitter, latency, or packet loss before re-routing over a better performing link.
    
    Thanks & Regards,
    _______________________________________________________________
    
    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
    
    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case | Security Advisories
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
  - 0 Moritz_Max over 2 years ago in reply to Vivek Jagad
    
    please read my question.
    this is specific to Sophos online services and you should know the needed destinations and best IP's.
  - 0 Vivek Jagad over 2 years ago in reply to Moritz_Max
    
    In that case Moritz_Max - following covers it all Domains and ports to allow
    
    Thanks & Regards,
    _______________________________________________________________
    
    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
    
    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case | Security Advisories
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
  - 0 Moritz_Max over 2 years ago in reply to Vivek Jagad
    
    ok these domains are helpful already.
    But the problem is they are domain names. For the Health Check i can only enter an IP andres.
    
    so i did ping that domain and used the ip address as Health check probe target.
    
    3 pings, 3 different IP addresses.
    That is not very helpful to establish a reliable SD Wan connection to Sophos.
  - 0 Vivek Jagad over 2 years ago in reply to Moritz_Max
    
    of course with this number of Sophos Domains, it is not a feasible idea to keep a SD-WAN, I would suggest use the traditional method and prioritize the 443/80 traffic with the all the destination domains mentioned in the KBA above !!
    
    Thanks & Regards,
    _______________________________________________________________
    
    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
    
    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case | Security Advisories
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.
0 LuCar Toni over 2 years ago

Let me put some thoughts into this question: We have the plans to include all Sophos used Domains into the object world of SFOS in the future. So all hosts / domains etc. are going to be created in the future released for Sophos resources. So you could create SD-WAN routes for those objects. Right now, you have to manually create them.

You find the resources in our Docs:

https://docs.sophos.com/central/Customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html

https://docs.sophos.com/central/Customer/wireless/en-us/central/Customer/concepts/WirelessAboutSophosCentralWireless.html

https://docs.sophos.com/central/Customer/help/en-us/ManageYourProducts/Switches/SwitchesOverview/TLSScanningExclusionsRequiredForRegistration/index.html

https://docs.sophos.com/central/Mobile/ctg/en-us/esg/Sophos-Mobile/concepts/ports_and_protocols.html

https://docs.sophos.com/central/ZTNA/startup/en-us/setup/Requirements/index.html#active-directory

(And depending on what you want to deploy maybe more).

You can create them via XML, if you want and redeploy them on multiple devices.

I did this for SFOS already: Sophos Firewall: XML Import for SFOS Default objects

So if you have the objects: SD-WAN profiles and the SLAs should not use each and every resource, it redirects. Likely a CDN offers the same performance like a host like google dns. Means: If you have a local resource (like a DNS), you can monitore those hosts for all used resources. A individual host monitoring is likely "to much" effort for the outcome. Means: If you query DNS and the CDN, the outcome is likely the same.

__________________________________________________________________________________________________________________