I have followed the document below, but it is 4 years old and was probably set up on an older version of Sophos Firewall, and I expect a few things may have changed.
Sophos Firewall: HA (Active-Passive) deployment with Amazon Transit Gateway (TGW) in AWS - Recommended Reads - Sophos Firewall - Sophos Community
(I will be running a pair of firewalls but the notes below refer to just one being up)
I'm not sure how the Transit Gateway (TGW) was 4 years ago, but today the TGW has 2 BGP IPs, and the second session to the SFW is shown as down in the AWS console if you stick to the instructions above. I guess this is to be expected. I have tried to use similar BGP commands to "up" the second session, but I've failed.
I'm trying to engage professional services via my account manager but struggling to get responses. I'm also struggling to find some good documentation. Below is why the second session is important:
Transit Gateway Connect attachments and Transit Gateway Connect peers in Amazon VPC Transit Gateways - Amazon VPC
"A Transit Gateway Connect peer consists of two BGP peering sessions terminating on AWS-managed infrastructure. The two BGP peering sessions provide routing plane redundancy, ensuring that losing one BGP peering session does not impact your routing operation. The routing information received from both BGP sessions is accumulated for the given Connect peer. The two BGP peering sessions also protect against any AWS infrastructure operations such as routine maintenance, patching, hardware upgrades, and replacements. If your Connect peer is operating without the recommended dual BGP peering session configured for redundancy, it might experience a momentary loss of connectivity during AWS infrastructure operations. We strongly recommend that you configure both the BGP peering sessions on your Connect peer. If you have configured multiple Connect peers to support high availability on the appliance side, we recommend that you configure both the BGP peering sessions on each of your Connect peers."
The community document talks about route-maps. I have seen some notes saying that route-maps are no longer present in V21; they don't appear to be there in the Web Console, however at the command line it seems they are.
Has anybody had any success in setting up an SFW <-> TGW Connect attachment connection and had both peering sessions showing as up in AWS? Could you kindly give some tips on the BGP commands to achieve this?
Thanks in advance.
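A quick way to see which of the two sessions is down and which TGW inside address the appliance still needs a BGP neighbor for, as an added example (not from the original post, and not Sophos or AWS code): the script below parses the JSON that `aws ec2 describe-transit-gateway-connect-peers --transit-gateway-connect-peer-ids <id> --output json` returns and reports per Connect peer whether both sessions are up. The sample output is constructed to match the shape of that command's output; the IDs, ASNs and addresses are made up. The address allocation it assumes (appliance gets the first address of the /29 inside block, the TGW's two BGP endpoints get the second and third) should be confirmed against the Connect peer details shown in your own console.

```python
"""Report BGP session redundancy for Transit Gateway Connect peers.

Added example, not from the original post or from Sophos/AWS. The JSON
below is constructed to mirror `aws ec2 describe-transit-gateway-connect-peers`
output; all identifiers, ASNs and addresses are made up.
"""
import ipaddress
import json

# Constructed sample: one Connect peer, first BGP session up, second down.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "TransitGatewayConnectPeers": [{
        "TransitGatewayConnectPeerId": "tgw-connect-peer-0123456789abcdef0",
        "TransitGatewayAttachmentId": "tgw-attach-0123456789abcdef0",
        "State": "available",
        "ConnectPeerConfiguration": {
            "TransitGatewayAddress": "10.0.0.10",   # GRE outer, TGW side
            "PeerAddress": "10.1.1.10",             # GRE outer, appliance side
            "InsideCidrBlocks": ["169.254.100.0/29"],
            "Protocol": "gre",
            "BgpConfigurations": [
                {"TransitGatewayAsn": 64512, "PeerAsn": 65000,
                 "TransitGatewayAddress": "169.254.100.2",
                 "PeerAddress": "169.254.100.1", "BgpStatus": "up"},
                {"TransitGatewayAsn": 64512, "PeerAsn": 65000,
                 "TransitGatewayAddress": "169.254.100.3",
                 "PeerAddress": "169.254.100.1", "BgpStatus": "down"},
            ],
        },
    }]
})


def inside_addresses(inside_cidr):
    """Split a Connect peer inside /29 into appliance and TGW BGP addresses.

    Assumption (label, not AWS-confirmed here): the appliance uses the first
    usable address, the TGW uses the second and third for its two sessions.
    """
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 29:
        raise ValueError("IPv4 inside CIDR must be a /29, got %s" % inside_cidr)
    if not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        raise ValueError("inside CIDR must come from 169.254.0.0/16")
    hosts = [str(h) for h in net.hosts()]  # .1 .. .6 for a /29
    return {"appliance": hosts[0], "tgw_bgp": hosts[1:3]}


def bgp_session_report(describe_json):
    """Return one dict per Connect peer describing BGP session redundancy."""
    data = json.loads(describe_json)
    report = []
    for peer in data["TransitGatewayConnectPeers"]:
        cfg = peer["ConnectPeerConfiguration"]
        expected = inside_addresses(cfg["InsideCidrBlocks"][0])
        sessions = cfg["BgpConfigurations"]
        down = [s["TransitGatewayAddress"] for s in sessions
                if s["BgpStatus"] != "up"]
        # TGW addresses present in the peer config that do not match the
        # expected allocation point at a mis-typed neighbor on the appliance.
        unexpected = [s["TransitGatewayAddress"] for s in sessions
                      if s["TransitGatewayAddress"] not in expected["tgw_bgp"]]
        report.append({
            "peer_id": peer["TransitGatewayConnectPeerId"],
            "gre_outer": (cfg["PeerAddress"], cfg["TransitGatewayAddress"]),
            "appliance_inside": expected["appliance"],
            "tgw_bgp_peers": expected["tgw_bgp"],
            "sessions_total": len(sessions),
            "sessions_down": down,
            "unexpected_tgw_addresses": unexpected,
            "redundant": len(sessions) == 2 and not down and not unexpected,
        })
    return report


if __name__ == "__main__":
    for entry in bgp_session_report(SAMPLE_DESCRIBE_OUTPUT):
        print("Connect peer", entry["peer_id"])
        print("  GRE tunnel (appliance -> TGW):", *entry["gre_outer"])
        print("  appliance inside address:", entry["appliance_inside"])
        print("  TGW BGP endpoints to peer with:", ", ".join(entry["tgw_bgp_peers"]))
        print("  redundant:", entry["redundant"])
        for addr in entry["sessions_down"]:
            print("  session to %s is down: add a BGP neighbor for it on the"
                  " appliance, same local address %s, same GRE tunnel"
                  % (addr, entry["appliance_inside"]))
```

The point the report makes explicit is that both TGW sessions terminate over the same GRE tunnel and the same appliance inside address; only the neighbor address differs, so the second neighbor is configured exactly like the first with the third /29 address instead of the second.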