I have followed the below document, but it is 4 years old and was probably set up on an older version of Sophos Firewall, and I expect a few things may have changed.
Sophos Firewall: HA (Active-Passive) deployment with Amazon Transit Gateway (TGW) in AWS - Recommended Reads - Sophos Firewall - Sophos Community
(I will be running a pair of firewalls but the notes below refer to just one being up)
I'm not sure how the Transit Gateway (TGW) was 4 years ago, but today the TGW has two BGP IPs, and the second session to the SFW is shown as down in the AWS console if you stick to the instructions above. I guess this is to be expected. I have tried to use similar BGP commands to "up" the second session, but I've failed.
I'm trying to engage professional services via my account manager but struggling to get responses. I'm also struggling to find some good documentation. Below is why the second session is important:
Transit Gateway Connect attachments and Transit Gateway Connect peers in Amazon VPC Transit Gateways - Amazon VPC
"A Transit Gateway Connect peer consists of two BGP peering sessions terminating on AWS-managed infrastructure. The two BGP peering sessions provide routing plane redundancy, ensuring that losing one BGP peering session does not impact your routing operation. The routing information received from both BGP sessions is accumulated for the given Connect peer. The two BGP peering sessions also protect against any AWS infrastructure operations such as routine maintenance, patching, hardware upgrades, and replacements. If your Connect peer is operating without the recommended dual BGP peering session configured for redundancy, it might experience a momentary loss of connectivity during AWS infrastructure operations. We strongly recommend that you configure both the BGP peering sessions on your Connect peer. If you have configured multiple Connect peers to support high availability on the appliance side, we recommend that you configure both the BGP peering sessions on each of your Connect peers."
The community document talks about route-maps. I have seen some notes saying that route-maps are no longer present in v21; they don't appear to be there in the Web Console, however at the command line it seems they are.
Has anybody had any success in setting up an SFW <-> TGW Connect attachment connection and had both peering sessions showing as up in AWS? Could you kindly give some tips on the BGP commands to achieve this?
Thanks in advance.
Here is some further info.
For a single TGW Connect peer in the AWS console, I'm only able to get one "Transit gateway BGP Status" showing as "Up" at a time:
Transit gateway BGP 2 Status UP
Transit gateway BGP 1 Status DOWN
Or
Transit gateway BGP 1 Status UP
Transit gateway BGP 2 Status DOWN
At the other end of the AWS TGW is a Sophos Firewall, and I have used this document as a "GUIDE":
https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129071/sophos-firewall-ha-active-passive-deployment-with-amazon-transit-gateway-tgw-in-aws
The diagram in the above document suggests that 4 years ago there was only ever one BGP IP on the TGW side for each Connect peer, but now there are two.
This is my BGP configuration on the Sophos Firewall:
bgp> enable
bgp# configure terminal
bgp(config)# router bgp 64545
bgp(config-router)# show running-config
Current configuration:
!
frr version 8.4.2
frr defaults traditional
!
hostname bgp
log stdout
!
!
!
router bgp 64545
bgp router-id 10.141.53.10
bgp log-neighbor-changes
no bgp ebgp-requires-policy
no bgp hard-administrative-reset
no bgp graceful-restart notification
neighbor SFW01_PEER_GROUP peer-group
neighbor SFW01_PEER_GROUP remote-as 64520
neighbor SFW01_PEER_GROUP ebgp-multihop 2
neighbor 169.254.111.2 peer-group SFW01_PEER_GROUP
neighbor 169.254.111.3 peer-group SFW01_PEER_GROUP
!
address-family ipv4 unicast
neighbor SFW01_PEER_GROUP default-originate route-map primary-firewall
neighbor SFW01_PEER_GROUP route-map primary-firewall out
exit-address-family
!
exit
!
!
!
route-map primary-firewall permit 10
set as-path prepend 64545
exit
!
!
line vty
no login
exit
!
end
bgp(config-router)#
With the below setting for the GRE tunnel, in the AWS console I can see "Transit gateway BGP 1 Status" as up and "BGP 2 Status" as down:
sfw01 console > system gre tunnel add name TGW01 local-gw PortB remote-gw 172.20.21.27 local-ip 169.254.111.1 remote-ip 169.254.111.2
With this setting for the GRE tunnel, in the AWS console I can see "Transit gateway BGP 2 Status" as up and "BGP 1 Status" as down:
sfw01 console > system gre tunnel add name TGW01 local-gw PortB remote-gw 172.20.21.27 local-ip 169.254.111.1 remote-ip 169.254.111.3
I would have thought that when defining the tunnel I could somehow specify
remote-ip 169.254.111.3 and remote-ip 169.254.111.2 (the TGW's two BGP IPs), as indicated in the diagram below:
docs.aws.amazon.com/.../transit-gateway-connect-peer.png
It may just be that the Sophos Firewall does not support two BGP IPs for the TGW side of the Connect peer.
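An added example (not code from the post, Sophos or AWS) of the consistency check a practitioner would want before chasing the second session: it takes the Connect peer description as returned by boto3's ec2.describe_transit_gateway_connect_peers(), the firewall's FRR neighbor stanza and the SFOS GRE tunnel command, and reports which of the two TGW BGP addresses is down, which has no FRR neighbor entry, whether the ASNs agree, and whether every inside address sits in the peer's inside CIDR. AWS_DESCRIBE is a constructed sample in the shape of that API response (addresses and ASNs follow the post; the Connect peer ID is made up); FRR_CONFIG and GRE_CMD are the post's own lines, embedded so the script runs offline. To use it against a live account, replace AWS_DESCRIBE with the real call's output.

```python
"""Cross-check a TGW Connect peer's two BGP sessions against the firewall side.

Added example, not from the original post, Sophos or AWS.  AWS_DESCRIBE is a
constructed sample in the shape of ec2.describe_transit_gateway_connect_peers();
FRR_CONFIG and GRE_CMD are the post's own lines, embedded to run offline.
"""
import ipaddress
import re

AWS_DESCRIBE = {
    "TransitGatewayConnectPeers": [{
        "TransitGatewayConnectPeerId": "tgw-connect-peer-0123456789abcdef0",  # made up
        "ConnectPeerConfiguration": {
            "TransitGatewayAddress": "172.20.21.27",      # GRE outer address on the TGW
            "InsideCidrBlocks": ["169.254.111.0/29"],
            "Protocol": "gre",
            "BgpConfigurations": [
                {"TransitGatewayAsn": 64520, "PeerAsn": 64545,
                 "TransitGatewayAddress": "169.254.111.2",
                 "PeerAddress": "169.254.111.1", "BgpStatus": "up"},
                {"TransitGatewayAsn": 64520, "PeerAsn": 64545,
                 "TransitGatewayAddress": "169.254.111.3",
                 "PeerAddress": "169.254.111.1", "BgpStatus": "down"},
            ],
        },
    }]
}

# The post's FRR stanza, trimmed to the neighbor lines the check needs.
FRR_CONFIG = """\
router bgp 64545
 neighbor SFW01_PEER_GROUP peer-group
 neighbor SFW01_PEER_GROUP remote-as 64520
 neighbor 169.254.111.2 peer-group SFW01_PEER_GROUP
 neighbor 169.254.111.3 peer-group SFW01_PEER_GROUP
"""

# The post's SFOS tunnel command; it names only one of the two TGW BGP addresses.
GRE_CMD = ("system gre tunnel add name TGW01 local-gw PortB remote-gw 172.20.21.27 "
           "local-ip 169.254.111.1 remote-ip 169.254.111.2")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def frr_neighbors(config):
    """Map each neighbor IP to its remote AS, resolving peer-group membership."""
    group_as, member_of, direct = {}, {}, {}
    for line in config.splitlines():
        m = re.match(r"\s*neighbor (\S+) remote-as (\d+)\s*$", line)
        if m:
            (direct if _is_ip(m.group(1)) else group_as)[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*neighbor (\S+) peer-group (\S+)\s*$", line)
        if m and _is_ip(m.group(1)):
            member_of[m.group(1)] = m.group(2)
    result = dict(direct)
    for ip, group in member_of.items():
        if group in group_as:
            result[ip] = group_as[group]
    return result


def gre_tunnel(cmd):
    """Parse the key/value pairs that follow 'system gre tunnel add'."""
    tokens = cmd.split()
    start = tokens.index("add") + 1
    return dict(zip(tokens[start::2], tokens[start + 1::2]))


def check_connect_peer(describe, frr_config, gre_cmd):
    """Return findings as strings; an empty list means both sessions are up and consistent."""
    findings = []
    neighbors = frr_neighbors(frr_config)
    tunnel = gre_tunnel(gre_cmd)
    for peer in describe["TransitGatewayConnectPeers"]:
        pid = peer["TransitGatewayConnectPeerId"]
        cfg = peer["ConnectPeerConfiguration"]
        inside = [ipaddress.ip_network(c) for c in cfg["InsideCidrBlocks"]]
        if cfg["TransitGatewayAddress"] != tunnel.get("remote-gw"):
            findings.append(f"{pid}: GRE remote-gw {tunnel.get('remote-gw')} is not the TGW "
                            f"outer address {cfg['TransitGatewayAddress']}")
        local = tunnel.get("local-ip")
        if local and not any(ipaddress.ip_address(local) in n for n in inside):
            findings.append(f"{pid}: tunnel local-ip {local} is outside the inside CIDR(s)")
        sessions = cfg["BgpConfigurations"]
        if len(sessions) != 2:
            findings.append(f"{pid}: AWS reports {len(sessions)} BGP sessions, expected 2")
        for s in sessions:
            tgw_ip = s["TransitGatewayAddress"]
            if not any(ipaddress.ip_address(tgw_ip) in n for n in inside):
                findings.append(f"{pid}: TGW BGP address {tgw_ip} is outside the inside CIDR(s)")
            if tgw_ip not in neighbors:
                findings.append(f"{pid}: no FRR 'neighbor' entry for TGW BGP address {tgw_ip}")
            elif neighbors[tgw_ip] != s["TransitGatewayAsn"]:
                findings.append(f"{pid}: FRR remote-as {neighbors[tgw_ip]} for {tgw_ip} "
                                f"but the TGW ASN is {s['TransitGatewayAsn']}")
            if s["BgpStatus"] != "up":
                findings.append(f"{pid}: session to {tgw_ip} is {s['BgpStatus']} "
                                f"(tunnel remote-ip is {tunnel.get('remote-ip')})")
    return findings


if __name__ == "__main__":
    for line in check_connect_peer(AWS_DESCRIBE, FRR_CONFIG, GRE_CMD) or ["both sessions up"]:
        print(line)
```

On the post's data the script reports one finding: the session to 169.254.111.3 is down while the tunnel's remote-ip names 169.254.111.2, with both TGW addresses correctly configured as FRR neighbors and inside the /29. That isolates the problem to reachability of the second inside address over the single GRE tunnel rather than to the BGP configuration itself; how SFOS should be told to reach both addresses through one tunnel is not something the post or this example settles.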