
This discussion has been locked.

DISABLE BACK UP WAN | DYNAMIC IP

Hello,

We have two ISPs set up for our client's firewall.

The main one is static, and the other backup is dynamic. My concern is that if the failover ISP is on dynamic, that could prevent us from remotely getting into the firewall to switch the failover to enable if the primary goes down—for cost reasons, our client wanted the second WAN set to disable.

Is there a failover rule we can use to switch to the backup without having the main circuit go down?

Or do we need to request a static IP for the backup?



This thread was automatically locked due to age.
  • Hello there,

    Thank you for contacting the Sophos Community.

    If the Sophos Firewall is registered via Sophos Central, you can access it via Central and change the link.

    I am not sure if I fully understand your requirements. Your client has a second WAN, but they don't want to use it. Except under which conditions?

    If the main WAN link goes down and the Backup link is turned off, you can't access the device remotely.


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello,

    My concern is with the backup failover. Does it matter if it's a Dynamic IP? The client wants to shut the backup failover permanently.

    How can we shut it down without having the primary down?

  • Hello,

    No, whether the Backup WAN is set to DHCP or Static doesn't matter.

    I am still unclear about your second question, but if your customer doesn't want to use it, you can disconnect the Backup WAN interface, and nothing should happen to the Active WAN.

    Regards,


     
    Emmanuel (EmmoSophos)
  • My apologies. But this is what I have on the email

    "Wes, I mentioned to Chris and I thought he understood but maybe something was lost. My concern is that if the failover ISP is on dynamic, that could prevent us being able to remotely get into the firewall to switch the failover to enable if the primary goes down – for cost reasons Brandy and Dave wanted the second WAN set to disable. I am copying L3. Next steps: please create a ticket for Marj to review how the firewall and failover are set up. Let’s make sure the current configuration would work and have her make recommendations. I am not sure if firewall rules can be written to be resilient to an IP change on the WAN port. We may need to push the client to get a static IP."

    Let me know if that clears up the question.

  • For security reasons, we are deprecating our direct IP connection to WAN ports of installed client firewalls. 

  • Hello,

    How do you currently access your customer's Firewall? Do you type the Static IP on your browser? Do you guys have some IPsec tunnel? Using Sophos Central? 

    In any case, if you guys are remote, the Primary WAN goes down, and the Backup WAN is turned off, you won't be able to access the Firewall.

    However, if you set the Backup WAN in Backup mode and select "Activate this gateway," if ANY Active gateway fails, it should only bring the Backup WAN online when the Primary goes down. Note: even in Backup mode, the line might still pass some traffic for which your client might be charged.

    If you access the device using the static IP, you could probably use DynamicDNS, and even if the primary goes down (but the WAN was set as Backup), then by entering the FQDN of the Firewall, you should be able to access the device. 

    Or, as suggested before, using Sophos Central would be your safest and recommended option. 

    But you would need the Second WAN set as Backup for any option. 

    Other than that, I don't see a way you guys could access the device if the Primary WAN goes down and the Secondary WAN is disabled.

    Regards,


     
    Emmanuel (EmmoSophos)
  • Hello,

    We are currently using it through Sophos Central. 

    So deprecating our direct IP connection to WAN ports would be impossible? 

    Is there any other workaround for that?

    Thank you for your consistent response. I appreciate it.
