
XG230 to RED-SDRED

Hello, good day, I hope you can help me, I have the following problem.
We have an XG230 that manages 10 RED15W, 1 RED50, and 3 SD-RED60, along with this firewall (XG230) a Fortinet brand firewall was implemented, but it is expected that both firewalls can see each other, that is, my computer that is on the Fortinet network at 192.168.1.x can reach the network of any RED (15W, 50, 60), and vice versa, that from any remote site with the RED I can reach my computer that is on the Fortinet network.
For this, an interface with the IP address 10.10.2.1 (LAN) is configured on the Fortinet
and in the same way, an interface with the IP address 10.10.2.254 (LAN) is configured on the Sophos
In the Sophos, I created the address rule:
source: lan-- fortinet network(10.10.2.0)
destination: lan-- remote sites(192.168.205.0....etc)
This rule does show me traffic, and from my computer in the Fortinet I can reach any computer that is behind the REDs (15W, 50, 60).
My problem is that from the remote sites I can't reach my computer in the Fortinet. In the same way, I have a rule that is the opposite of the first one:
source: lan-- remote sites(192.168.205.0....etc)
destination: lan-- fortinet network(10.10.2.0)
I already tried adding the hosts of each network instead of the networks that I created for each one and I still don't see traffic in this rule.
It should be noted that I have the networks configured as Standard/Split, and in the split networks I have added the Fortinet network that I created, "10.10.2.0".
In the same way, I left one network as Standard/Unified and still I don't see traffic in the rule that I created only for this device. I have the networks in the LAN zone, and only the unified one I put in a different zone, but it still doesn't show me traffic in the rule that I have only for this one.
Am I doing something wrong in a rule? Could you help me please



  • What I expect with the inverse rule is to be able to reach the Fortinet network from a remote site, this is because we have IP phones that connect to the switch that is in the Fortinet network, and when they cannot reach the network, the connection is not established.
    Thank you for your support

  • Did you set up routes in the Fortinet firewall to the (V)LANs behind Sophos so that they are reached via 10.10.2.254, and vice versa a route in Sophos for 192.168.1.0/24 to be reached through the Fortinet at 10.10.2.1?

    Besides firewall rules allowing traffic, both firewalls need to know about the networks protected behind the other firewall hence you need routes.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Maybe your PC works "one way" because of a NAT rule in place?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
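The two suggestions above (a route on each firewall for the subnets behind the other, plus a firewall rule on each side, and NAT on the transit link possibly masking a missing return route) can be checked with a small model. The following is an added illustration, not code from any post in this thread or from Sophos or Fortinet. It uses the addresses the thread names (10.10.2.1, 10.10.2.254, 192.168.1.0/24, 192.168.205.0/24); the host addresses, the rule sets on each side, and the modelling of a RED in Standard/Split mode as only tunnelling destinations in its split-network list are assumptions made for the example.

```python
import ipaddress

# Constructed topology: transit link between the two firewalls, one RED site.
TRANSIT = ipaddress.ip_network("10.10.2.0/24")
XG_TRANSIT_IP = ipaddress.ip_address("10.10.2.254")   # Sophos side, from the thread
FGT_TRANSIT_IP = ipaddress.ip_address("10.10.2.1")    # Fortinet side, from the thread
FGT_LAN = ipaddress.ip_network("192.168.1.0/24")
RED_SITE = ipaddress.ip_network("192.168.205.0/24")


class Firewall:
    """Longest-prefix routing table plus a first-match allow list (zones omitted).

    routes: (network, gateway) where gateway None means directly connected.
    rules:  (src_network, dst_network, masquerade) where masquerade=True
            rewrites the source to this firewall's transit address.
    """

    def __init__(self, name, transit_ip, connected, static_routes, rules):
        self.name = name
        self.transit_ip = transit_ip
        self.routes = [(n, None) for n in connected] + list(static_routes)
        self.rules = rules

    def next_hop(self, dst):
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best

    def allows(self, src, dst):
        for s, d, masq in self.rules:
            if src in s and dst in d:
                return True, masq
        return False, False


def trace(src, dst, first, second, split_networks=None):
    """Send src->dst through `first` then `second`, then check that `second`
    can route the reply. Returns a list of findings; [] means the flow works.
    `split_networks` models a RED in Standard/Split mode (assumption: only
    destinations in that list are sent into the tunnel)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if split_networks is not None and not any(dst in n for n in split_networks):
        return [f"RED split networks do not include {dst}; traffic never enters the tunnel"]
    route = first.next_hop(dst)
    if route is None or route[1] != second.transit_ip:
        return [f"{first.name}: no route to {dst} via {second.transit_ip}"]
    ok, masq = first.allows(src, dst)
    if not ok:
        return [f"{first.name}: no rule allowing {src} -> {dst}"]
    seen_src = first.transit_ip if masq else src      # source as the far side sees it
    findings = []
    landing = second.next_hop(dst)
    if landing is None or landing[1] is not None:
        findings.append(f"{second.name}: {dst} is not a directly connected network")
    ok, _ = second.allows(seen_src, dst)
    if not ok:
        findings.append(f"{second.name}: no rule allowing {seen_src} -> {dst}")
    back = second.next_hop(seen_src)                  # reply path for the (maybe NATed) source
    if back is None or (back[1] is not None and back[1] != first.transit_ip):
        findings.append(f"{second.name}: no return route for {seen_src} via {first.transit_ip}")
    return findings


def one_way():
    """Assumed: FortiGate NATs its LAN behind 10.10.2.1 and only admits 10.10.2.0/24
    inbound, so FGT LAN -> RED works while RED -> FGT LAN is dropped by a rule."""
    xg = Firewall("XG230", XG_TRANSIT_IP, [TRANSIT, RED_SITE], [(FGT_LAN, FGT_TRANSIT_IP)],
                  [(TRANSIT, RED_SITE, False), (RED_SITE, FGT_LAN, False)])
    fgt = Firewall("FortiGate", FGT_TRANSIT_IP, [TRANSIT, FGT_LAN], [(RED_SITE, XG_TRANSIT_IP)],
                   [(FGT_LAN, RED_SITE, True), (TRANSIT, FGT_LAN, False)])
    return xg, fgt


def no_return_route():
    """Assumed: rules exist on both sides, no NAT, but the FortiGate has no route
    for the RED subnet, so neither direction completes."""
    xg = Firewall("XG230", XG_TRANSIT_IP, [TRANSIT, RED_SITE], [(FGT_LAN, FGT_TRANSIT_IP)],
                  [(FGT_LAN, RED_SITE, False), (RED_SITE, FGT_LAN, False)])
    fgt = Firewall("FortiGate", FGT_TRANSIT_IP, [TRANSIT, FGT_LAN], [],
                   [(FGT_LAN, RED_SITE, False), (RED_SITE, FGT_LAN, False)])
    return xg, fgt


def both_ways():
    """Route plus rule for the far side's subnets on each firewall, no NAT."""
    xg, fgt = no_return_route()
    fgt.routes.append((RED_SITE, XG_TRANSIT_IP))
    return xg, fgt


if __name__ == "__main__":
    for label, (xg, fgt) in (("one_way", one_way()), ("no_return_route", no_return_route()),
                             ("both_ways", both_ways())):
        print(label, "FGT LAN -> RED:", trace("192.168.1.20", "192.168.205.10", fgt, xg) or "ok")
        print(label, "RED -> FGT LAN:", trace("192.168.205.10", "192.168.1.20", xg, fgt,
                                               split_networks=[TRANSIT, FGT_LAN]) or "ok")
    print("split list without 192.168.1.0/24:",
          trace("192.168.205.10", "192.168.1.20", *both_ways(), split_networks=[TRANSIT]))
```

The model is deliberately stateless on the reply: a stateful firewall admits the reply of an allowed session, so what breaks the reverse direction in practice is a missing route or a rule that never matches the real (un-NATed) source, and that is what the findings report. Every check here corresponds to something that can be read off the two firewalls: the static route tables, the rule source and destination objects, any SNAT on the transit rule, and the split-network list of each RED.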

  • Hello, I do have rules configured in the Fortinet so that network 1 can reach the Sophos network, and vice versa so that everything that comes from the Sophos network can reach the internal network of the Fortinet (192.168.1.0).
    I also have a routing rule:
    destination ip 192.168.1.0
    gateway: 10.10.2.1
    interface: port 6-10.10.2.254

    I still can't ping any device on the Fortinet network from the remote sites.

  • Hello, this is not the case since I can reach the remote sites network from any computer on the Fortinet network. Is the problem from the remote sites to the internal FTG network? Am I missing any routing rules? thank you

  • Hello Marcos,

    did you configure routes ON THE SOPHOS firewall as well, like suggested?

    You always need both: routing rules and fw rules.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
