WAN Link Manager - What does Manual activation of gateway look like?

There is an option to set the gateway to be activated manually.

Is the process just to log in to the firewall and change it from backup to active, or is there something that becomes apparent when there is a gateway failure?

I checked this documentation:
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/Gateways/RoutingConfigureGatewayBalancing/index.html#configure-gateway-failover

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/WANLinkManager/NetworkGatewayDetailsEdit/index.html#gateway-detail



  • Hi, yes, your understanding is correct on this - choose Manually to require manual activation. So one needs to log in and set it to Active from Backup with manual action.

    Reference - docs.sophos.com/.../index.html

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Thank you for your response. Since documentation does not define what the process looks like for manual activation, is the process to re-configure the settings so the backup is now active and the other is backup? If so, there is no point in configuring failover rules in the primary.

    This is an issue because in a portion of our 300ish firewalls, some with redundant ISPs are misconfigured as the techs deploying take Sophos defaults, which do nothing in the event of an ISP failure. Sophos FW defaults to the gateway IP so failover will only happen if the terminal onsite fails, not if the ISP has an outage (like someone ran their car into a pedestal or dug up their fiber).

    I'm asking so I can write up a document so our L1s activate a backup connection if there's an after-hours issue. But it's as much work as having them read my SOP to set up WAN Link Manager anyway so will just push them in that direction.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
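
Added example (not part of the post above, and not Sophos code): a fleet audit for the misconfiguration described in that post, where a gateway's failover rule probes only the gateway IP. The CSV layout and column names are a hypothetical inventory export, the sample rows are constructed, and flagging probes that stay inside the WAN subnet is this example's own assumption that goes beyond the post.

```python
import csv
import io
import ipaddress

# Constructed inventory (hypothetical export layout, not a Sophos file format):
# one row per WAN gateway, with the host its failover rule probes.
SAMPLE_INVENTORY = """firewall,gateway_name,gateway_ip,netmask,role,probe_target
branch-01,ISP1,203.0.113.1,255.255.255.252,active,203.0.113.1
branch-01,ISP2,198.51.100.1,255.255.255.0,backup,198.51.100.1
branch-02,ISP1,192.0.2.1,255.255.255.248,active,9.9.9.9
branch-02,ISP2,198.51.100.129,255.255.255.128,backup,198.51.100.200
branch-03,ISP1,192.0.2.65,255.255.255.192,active,
"""


def audit_failover_targets(inventory_csv):
    """Return (firewall, gateway_name, finding) tuples for weak failover probes."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        key = (row["firewall"], row["gateway_name"])
        target = (row["probe_target"] or "").strip()
        if not target:
            findings.append(key + ("no failover probe configured",))
            continue
        gw = ipaddress.ip_address(row["gateway_ip"])
        probe = ipaddress.ip_address(target)
        # strict=False: the gateway address is a host inside the WAN subnet.
        wan_net = ipaddress.ip_network(f"{gw}/{row['netmask']}", strict=False)
        if probe == gw:
            # The case from the post: only a dead on-site terminal trips failover.
            findings.append(key + ("probe is the gateway IP itself",))
        elif probe in wan_net:
            # Assumption of this example: an on-link probe may still answer
            # while the ISP's upstream path is down.
            findings.append(key + ("probe is inside the WAN subnet",))
    return findings


if __name__ == "__main__":
    for firewall, gateway, finding in audit_failover_targets(SAMPLE_INVENTORY):
        print(f"{firewall:10} {gateway:5} {finding}")
```
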

  • You could also use SD-WAN rules to utilize the backup connection.

    Usually backup means: In case of default gateway usage, do NOT use a backup connection.

    You still can call a backup ISP with SD-WAN connections. Meaning, you can use an SD-WAN rule like "HTTPS to WAN use SD-WAN backup" without the manual usage.

    Backup is more or less used for "charged" lines, as you do not want to reduce your data limit with YouTube cat videos.

  • Oh, I like this answer. I leave both connections set to Active and the same weight and have the SD-WAN rules manage this. I can set First Available Gateway and the order of my preference to use their primary provider and if this fails, fall back to the alternate provider. Only negative I see is one can't set Session Persistence in the event traffic fails back, so might be problematic for shopping/banking apps. Session persistence only works for load balancing instead of First Available Gateway. But, maybe Load Balancing will do. I'll play with this. Thank you.
