Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
The post provides a simple guide for configuring firewall rule and NAT for LAN-to-WAN, LAN-to-VPN, WAN-to-DMZ traffic, and Full NAT.
More technical details can be found at
internal computers --- Port1 [Sophos Firewall] Port2 --- Internet
Sophos Firewall LAN interface Port1 connects to internal computers, and WAN interface Port2 connects to Internet.
To allow internal computers access Internet:
1. go to firewall webadmin > Rules and policies > Firewall rules, create a firewall rule to allow LAN to WAN traffic
2. go to firewall webadmin > Rules and policies > NAT rules, create NAT rule to apply Masquerading on LAN to WAN traffic
When there are multiple WAN interfaces, we can use SD-WAN policy routing to specify primary gateway for LAN to WAN traffic.
Note: Primary/Backup gateway was removed from firewall rule since v18.0.
Assume Sophos Firewall has 2 WAN interfaces, Port2 and Port3, we need to specify Port2 as primary gateway for LAN to WAN traffic.
1. Go to webadmin > Routing > SD-WAN policy routing, add a new IPv4 SD-WAN policy route
Detail of those gateways can be checked on webadmin > Routing > Gateways
2. Make sure the SD-WAN policy route doesn't interrupts other traffic:
Note: if Sophos Firewall was freshly installed from v18.5 IOS, there is an IP host group "Internet IPv4", which covers all Internet IPv4 address. We can use it as Destination network in the SD-WAN policy route to prevent interference with other routes, and no need to worry about route precedence, as screenshot below.
For Sophos Firewall upgraded from v18.0 or earlier version, we must manually create the IP host group "Internet IPv4", as per KBA Sophos Firewall: Auto-create an object for IPv4 internet addresses group
internal computers --- Port1 [Sophos Firewall] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network
To allow internal computers access remote VPN network, just create a LAN to VPN firewall
You might need to create another firewall rule for VPN to LAN traffic. Please make sure there is no NAT rule applied to LAN to VPN traffic, unless NAT is necessary for local VPN network to reach remote VPN network.
external users --- Internet --- Port2 [Sophos Firewall] Port1 --- internal Exchange server (in DMZ zone)
Sophos Firewall WAN interface Port2 connects to Internet, and DMZ interface Port1 connects to internal Exchange server.
External users need to access HTTPS service on internal Exchange server by visiting Sophos Firewall public IP.
To allow the DNAT access:
1. create a firewall rule to allow WAN to internal Exchange server traffic
2. create a DNAT rule
internal computer, 192.168.20.0/24 --- Port1 [Sophos Firewall] Port6 --- internal Exchange server (in DMZ zone), 192.168.15.15
Sophos Firewall LAN interface Port1 connects to internal computer, and DMZ interface Port6 connects to internal Exchange server.
Internal computers need to access HTTPS service on internal Exchange server via its public IP 10.176.200.58.
There are two steps:
1. create a firewall rule on top of list, to allow internal computers access the Exchange server
2. create a Full NAT rule on top of list
2021-02-12, added section "specify primary gateway"
2021-01-22, added Interface matching criteria in section "WAN-to-DMZ traffic".
2020-12-23, updated section "LAN-to-WAN traffic".
2020-08-19, changed article subject
2020-07-22, first version.
I want the WAN to be able to access the entire DMZ network and full service without translating the IP, I have set it on the firewall rule but the ping is stuck on the DMZ gateway. is there a special NAT Rull? or there is still a configuration that I missed,explanation pleasethank you
That will only work if you real addresses in your DMZ. A firewall rule should work okay without a NAT.
XG115W - v19.5.1 mr-1 - Home
If a post solves your question please use the 'Verify Answer' button.
Could you please describe it more clearly
What is the network size in the DMZ? What is the address range in the DMZ?
size in the DMZ? /24 .address range in the DMZ? 12 Server
Are they real addresses as internet type or LAN type?
yes it's a WAN, and the sophos WAN is connected to a Mikrotik Local IP
Please provide a network drawing, your answer is a little confusing. I did not ask if it is a wan. I asked about actual addresses assigned to the lan.
Thank you. Is the mikrotik in bridge mode. You will need a Nat as well as a firewall rule to allow the traffic in. You could if you hav3 licence use WAF, depends on how many servers you have?ian
Mikrotik remains as a router, the IP assigned to sophos is a local IP, and on mikroting the routing has been set, sophos has successfully connected to all local networks on mikrotik but not vice versa.and currently my sophos license is no longer valid and still in the process for renewal,, does this have a big impact so that the firewall rull that I made don't work?
The firewall rules and NAT are basic licence features.
Firewall rule :- Source WAN, any network, destination DMZ, dmz network, services any, log.
NAT rule :- source WAN, any, destination DMZ, network any, masq, all services
I think should work.
not work, is there something missing?
The preferred method of attaching documents is through the insert function of the port you are preparing and using local documents, not on an external server.
Sorry, I can't show pictures directly, because in this forum, on the Insert Video/Image menu, I was directed to insert a link
When attaching documents you use insert file or a link for videos etc. not files stored on another server.
you need to rethink what you are trying to achieve, eg what s the use of the XG, why still use a router in front of the XG, you will end up with double nat’ed traffic which will be difficult to debug.