Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR

Disclaimer: A lot of the content below was written in V18.0. The online help of V20+ is maybe a better source of content. https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/index.html 

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Routing in Sophos Firewall

With the new SD-WAN Policy Based Routing (PBR) feature, the Sophos Firewall will be able to do some new things. As this feature could be new to certain people, I wanted to use this post to provide more detail as to what you can expect by using SD-WAN PBR.

I will use PBR as a shortcut for SD-WAN Policy Based Routing. Most content is found in the online help:

Routing in general is a mechanism to find a way/path to a certain destination. For example it is the Google maps of packet flow. If you want to go to your Destination B, starting on Point A, it will give you a path to get to B. There are certain definitions on routing, specified on different RFC´s. RFC1058, RFC1812 etc. I do not want to get into that, as this will be to much, but keep in mind, there are standards about how the path is decided between A and B.

Now lets take a look at Sophos Firewall. The decision making process of getting between A to B is made by the Routing stack. Sophos Firewall Firewall has actually 3 different tables to select the route.

Lets say, you have Google maps, Bing maps and Apple maps. Each could have the same or different results of getting you to Destination B. In detail those tables are called SD-WAN PBR, Static and VPN. There is a fallback map just in case all three do not have a result, called Default route.

Static routes include the following:

  • Directly connected networks
  • Dynamic routing protocols
  • Unicast routes

Set the routing precedence on the command-line interface.

Example: console> system route_precedence set static sdwan_policyroute vpn

SD-WAN policy routes

VPN routes (only policy-based IPsec VPNs)

Default route (WAN link manager)

Fallback route if traffic doesn't match any configured route.

 

As there are three different tables, you can decide which table should have a higher priority - called Route Precedence. Route precedence will lookup all three tables for a matching route and use the first matching. You can take all three tables together and Sophos Firewall will go from top to bottom until it finds a matching route. If not, it will fall into the default route and uses the default gateway.

Lets get into the interesting part: PBR

  • As you can define a PBR rule, you can actually get rid of all the standard routing behavior. The standard routing behavior is still there, called Static Routing, but you maybe want to do create some special cases. As you can actually break standard behavior, you can build rules, which can solve complex scenarios.
  • At this point, you may can see, that PBR has absolutely no impact on NAT or Firewalling. Those modules are other decision making processes (allowing or translating a packet). PBR is only for routing - hence you could need a NAT rule in additional to a PBR rule. Or you need to allow this packet, even if there is a PBR rule in the first place.

Do you need PBR for your setup? Maybe – Maybe not. Depends on your goal and your setup.

  • With one Default Gateway, it is probably not needed
  • If you have two different paths to a branch office, it gets interesting. Because if you think of the route, it does not matter how you get to B, as long you arrive at your destination.
    • Same for PBR. Asymmetrical routing was a nightmare for many network engineers for many years. But there are some benefits of using this. 

SD-Network / SD-WAN has some interesting concepts of using this techniques to resolve issues, which were there for many years. I am not going to deep into those use cases, as this would be to much to write. 

Lets get back to the Sophos Firewall concept. Looking at the Rules in Sophos Firewall, you properly already notice, you can use the object "ANY". Using a "Destination: ANY" could match more than you actually want.

  • For example: If you do not know the destination of your traffic, you can point in the PBR rule to "ANY".
  • Thinking about this scenario, lets put a rule with:
    1. Source: ANY, Destination: ANY, Service: ANY
    2. Put this priority first
      • What will Sophos Firewall do? It will route ALL traffic to your wanted destination - No matter what. No matter if you have this client internal connected etc.
      • As I mentioned early - this feature does not play on the rules of routing anymore. 

Putting this into place, I would advice to be careful of using ANY Object, if you can avoid this. But sometimes, you cannot avoid using ANY.

There are two switches on CLI for PBR. 

System-generated traffic and reply packets

See: https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/RoutingSDWANRoutesBehavior/index.html

System-Generated Traffic

  • System-Generated Traffic is a specific switch for traffic, which has no original. 
    • Examples like: Proxy traffic, System Updates, Firmware updates, Pattern Updates, etc. 
  • Sometimes you want to route this traffic via a specific interface and not the Default Gateway. So you have to enable this switch, to force Sophos Firewall to use a specific Interface for its "own traffic". 

reply packets

  • Reply Packets is much more complex and we are going into the SD-WAN Story in this switch. 
  • What we can do is actually creating asymmetric routing - One of the nightmares of most network administrators. Asymmetric routing in principle means, we are sending the initial packet over interface A and get the reply back on interface B. Or we are getting a reply on A and send the response back to interface B. This breaks likely the network state of most products and generally speaking "does not work". But one of the good points in SD-WAN is, that you want to do that. You do not want to "pin" certain connections to one interface, instead you want to get the packet as fast as possible to the destination. 
  • So what does reply packet means? We can tell Sophos Firewall, to use PBR rules on the connection initial packets and stick the connection to a interface. OR we can tell Sophos Firewall to consider the PBR rules for EVERY packet it sees. No matter what the initial interface was in the first place. 
    • This option can cause some issues, for example: Your reply packets will be forwarded to WAN, if you forget to create a SD-WAN Rule "back to the origin". 

Both switches have different "default configuration". So if you start from V17.5, both are disabled.

 

Questions? Let me know if I missed something and I will update the thread.

______________________________________________________________________________________________________________________________________



Added Hint.
[bearbeitet von: LuCar Toni um 9:58 PM (GMT -7) am 21 Mar 2024]