Sophos XG Firewall: System Generated Traffic

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

There are couple of question, which URLs (FQDN), IPs and Ports are used by Sophos XG Firewalls.

Here is a overview of all URLs and Ports. https://community.sophos.com/kb/en-us/126576

This traffic is system generated Traffic, which means, the traffic is not generated by some Client behind XG. So it follows its own way to the internet. Most likely via the Default Gateway, configured in the WAN zone. 

You can force XG to use another interface for this kind of traffic. 

The limitation here is, it is only working with IP addresses. 

This also works fine with IPsec.

(For example STAS is system generated Traffic, so you would have to use this rule)

 

Another approach is to use a Parent Proxy. XG pattern updates uses the parent Proxy. 

 

In a multi-WAN concept, the XG will follow one of the active WAN Connections (gateways). 

So you could consider to select one interface as "active" and one as "backup". 

  • (Beware: backup is still online and can be used in all firewall policies).

 

Best practice from my point of view would be: Select one interface as active, the other as backup. Selecting the backup interface in certain firewall policies, as needed. 

PS: This will be resolved via Policy-Based-Routing in V18. 



Added Tags
[edited by: Erick Jan at 3:01 AM (GMT -7) on 28 Sep 2022]
Parents
  • Can the webproxy traffic (XG used as webproxy by clients) be considered as system generated traffic? How would it look like when I´d like to route Webproxy traffic from XG via another gateway than the default gateway? Can this be achieved somehow?

  • Web Traffic is a special case and is aware of its original source. So it is not a system generated traffic. 

    You can route a specific Network / User / Service(443/80) to a specific WAN interface. 

    __________________________________________________________________________________________________________________

Reply
  • Web Traffic is a special case and is aware of its original source. So it is not a system generated traffic. 

    You can route a specific Network / User / Service(443/80) to a specific WAN interface. 

    __________________________________________________________________________________________________________________

Children
  • Great, thanks, I managed to achieve this with using a SD-WAN Policy, it is working fine.

    Is there an howto article somewhere, how to change the routing for System-generated traffic like smtp and red services? Think off, that these service should use another route... Can this be achieved through SD-Wan aswell?

    Thanks.