Hello,
I still try to preconfigure the XGS for migration from SG.
L2TP, IPSEC-VPN with RADIUS and AD-auth is working.
IPSEC tunnel to our branch is fine.
Now I want to preconfigure all public IPs and their DNAT/SNAT rules.
Actually I am stuck while trying to add all our public IPv4 addresses into the XGS while the SG is still running with all these IPs in use.
I cannot find any way to preconfigure all these needed IPs:
On SG I can add additional addresses,
+ switch them on and off
+ set comments on them (whether they are in use, for which purpose, or whether they are free to use)
+ sort them in different ways
+ click on "i" to see where these objects are in use
On XGS I cannot find any of this very basic functionality and, even worse: there is not even an option to switch off a physical interface at all. And NO, there is no item "switch on/off" in "menu" as described in the official Sophos tutorial.
So the question is:
How can I add all IPs and rules and keep them switched OFF until I move from SG to XGS?
What I tried:
I tried to configure another interface (Port4) for zone "WAN" with no active connection and began to add Port:1 - but unfortunately only the first 3 aliases are visible; every alias added after No. 3 disappears into nirvana.
Meanwhile I switched from Safari to the Edge browser and there is a small scroll bar, and all these IPs are mixed in an unpredictable order - very messy to look for one of a dozen IPs, but hey, I should be happy to see something at all.
But some minutes after I began to add IPs, the external WAN IP on Port2 became unavailable.
OK, so I deleted them all - and configured Port4 from scratch within an unused zone - but the same happens with Port2.
OK, so I began to add them all with the intention to ignore the state of Port2 for this hour and to switch Port4 to zone "none" after creating all IPs.
But WTF? By simply adding Port4 to zone "none" ALL my alias IPs were gone. There is no hint like: "Switching this port to zone none will kill hours of work! Are you sure you want to do so?"
So please, Sophos, give me advice on how to do this with the same functionality as on SG. Unfortunately your own documentation is not right on this point.
Thank you - Chris
Interface On/Off is not implemented in SFOS yet. This is something for the next upcoming Feature Release.
__________________________________________________________________________________________________________________
OK, I do understand that the described feature is vaporware only.
But how should I prepare the XGS with IPs, DNAT, SNAT and so on? What is best practice, apart from doing everything completely offline via the management interface?
PS: Doing it offline would not be a very good option:
A) while I continue configuring, a colleague is testing all the VPN possibilities for different users/devices/policies, the user portal features with different rights and so on, and
B) the XGS is 300 km away from me
OK, I found out that it is standard POSIX:
>ifconfig Port3 down / up
does the trick. The GUI shows the interface state correctly and I can add IP addresses to a disabled port.
I don't know what the special problem is in "implementing" that command in the GUI.
Unfortunately there is no standard /etc/sysconfig/ or /etc/network/ to add all IPs and settings in one place instead of clicking a hundred times. Maybe someone can tell me where the network configuration files are stored, or maybe I will find out by myself...
And if there is somebody out there who knows how to switch VLANs on and off - that would be very nice to know, too.
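The post above wants two things the GUI does not offer: an interface that can be taken down with the addresses still attached, and one place where all public IPs live together with a comment saying what each is for. The script below is an added example, not code from the thread or from Sophos: it keeps a plain-text inventory as the "living documentation", derives the `ip(8)` commands from it, answers the "where is this IP used?" question from the same file, and lets an entry be switched on or off. It assumes a standard Linux userland with iproute2; the interface names, addresses and comments are constructed samples. Whether an SFOS appliance keeps changes made this way across a reboot, or lets its own configuration overwrite them, is not established by the thread, so the script only prints the plan unless DRY_RUN=0 is set explicitly.

```shell
#!/bin/sh
# Added example (not Sophos code, not from the thread): keep one plain-text
# inventory of public IPs as "living documentation" and derive the interface
# commands from it, instead of clicking through the GUI a hundred times.
# Assumptions: a standard Linux userland with iproute2's ip(8); the interface
# names (Port3, Port4), addresses and comments below are constructed samples.
# Whether an SFOS appliance keeps changes made this way across a reboot is
# not established by the thread, so only a plan is printed unless DRY_RUN=0.
#
# Inventory format, one entry per line:
#   <interface> <address/prefix> <on|off> <free-text comment>
# "off" entries stay documented but are not configured, which is how the
# "keep it switched OFF until migration" requirement is expressed here.

SAMPLE_INVENTORY='Port3 203.0.113.10/24 on web-dnat customer portal
Port3 203.0.113.11/24 off free - reserved for mail relay
Port3 203.0.113.12/24 on snat for internal proxies
# comment lines and blank lines are ignored

Port4 198.51.100.5/24 off spare'

# plan_commands INVENTORY
# Prints the ip(8) commands that realise the inventory: one link up/down per
# interface (down when it has no active address, the ifconfig trick from the
# thread) followed by one "ip addr add" per "on" entry, in inventory order.
plan_commands() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            iface = $1; addr = $2; state = $3
            if (!(iface in seen)) { seen[iface] = 1; order[++n] = iface }
            if (state == "on") {
                active[iface] = 1
                adds = adds "ip addr add " addr " dev " iface "\n"
            }
        }
        END {
            for (i = 1; i <= n; i++)
                links = links "ip link set dev " order[i] ((order[i] in active) ? " up" : " down") "\n"
            printf "%s%s", links, adds
        }'
}

# where_used INVENTORY ADDRESS
# The "i" button in script form: prints every inventory line for ADDRESS
# (with or without prefix length), so the comment shows what it is used for.
where_used() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            a = $2; sub(/\/.*/, "", a)
            w = want; sub(/\/.*/, "", w)
            if (a == w) print
        }'
}

# set_state INVENTORY ADDRESS on|off
# Prints the inventory with ADDRESS switched on or off; comments are kept.
set_state() {
    printf '%s\n' "$1" | awk -v want="$2" -v st="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        {
            a = $2; sub(/\/.*/, "", a)
            w = want; sub(/\/.*/, "", w)
            if (a == w) $3 = st
            print
        }'
}

# apply_plan INVENTORY
# Runs the plan line by line; with DRY_RUN unset or 1 it only echoes it.
apply_plan() {
    plan_commands "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "# $cmd"
        else
            sh -c "$cmd" || echo "failed: $cmd" >&2
        fi
    done
}

# Stand-alone run: show the plan for the constructed inventory (dry run).
apply_plan "$SAMPLE_INVENTORY"
```

Per-address "off" cannot be expressed on a plain Linux interface, so an "off" entry is simply not added; switching it on later is `set_state ... on` followed by a fresh plan. An interface whose entries are all "off" is planned as `ip link set dev ... down`, which mirrors the `ifconfig Port3 down` observation from the post.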
I will open up a case with Sophos -
We have a hundred IPv4 addresses and we are used to switching them off and on on different gateways in the same network for reasons.
With SG: No problem
With the all brand new super-duper XGS: No way at all.
Add comments to virtual IPs saying what they are used for, as living documentation:
With SG: No problem
With the all brand new super-duper XGS: No way at all.
Click on "i" to see if, when and where this IP is used:
With SG: No problem
With the all brand new super-duper XGS: Not in a straightforward way.
Sort virtual IPs for easier finding & administration:
With SG: No problem
With the all brand new super-duper XGS: No way at all. Instead you will see only 3 IPs, and with browsers which XGS doesn't like there is no way at all to administer more than the first 3 virtual IPs - there will never appear a scrollbar in that tiny postage-stamp-sized field.
Did Sophos ever do any UI/UX tests with sysadmins?
This is really not the way one wants to work.
So either there is a better solution for a scenario like ours - or we have to try to give that new hotness "XGS" back, stay with SG as long as possible and then move to something else.
PS: Of course I could create a firewall rule to drop all for every single public IP - with comments - and switch that rule ON/OFF if needed - but
a) this does not disable the IP itself and therefore it is not a solution with another GW in the same network, and
b) why should I manually create again a hundred IPs which I have already created?
c) I always have to remember to do that when I create a new NAT setting.
Why so complicated?
You now have the following options:
You can wait for the next release, which implements this option for interfaces.
You can extend the UTM and consider a migration in the next months/years.
You can contact a Sophos Partner to assist with this migration, as Sophos Partners are doing that all day.
__________________________________________________________________________________________________________________
Thank you for your reply, LuCar Toni
Since last night I feel like I already have decided for point No.2 on your list.
I am still working with a Sophos partner who has done more than one migration and who shares under the palm of your hand my frustration.
Will the next release include switching on and off alias interfaces or only physical ports via GUI?
When will it be released for sure?
Please don't take the following personally:
I have been working with Sophos products for 15 years, and if there is one thing I learned during that time then it is this:
The phrase "wait for the next release, which implement this option" is as reliable as the weather forecast for next year. This is explicitly not sarcasm but experience, and it is not Sophos-only behaviour; e.g. Microsoft Azure is much worse in not fulfilling the promises they gave in so-called roadmaps.
Maybe this can explain my scepticism - it is definitely not meant in a bad way!
So have a good day -
Cheers - Chris
It will only include physical interfaces, not alias interfaces.
The "where used" feature is included in SFOS v20 as well for the first phase.
The release plan is for this year. No exact ETA.
__________________________________________________________________________________________________________________