Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
This post provides a simple guide to configuring firewall rules and NAT for LAN-to-WAN, LAN-to-VPN and WAN-to-DMZ traffic, and for Full NAT.
More technical details can be found at:
https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/FirewallRules/index.html
https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18
Network plan:
internal computers --- Port1 [Sophos Firewall] Port2 --- Internet
The Sophos Firewall LAN interface Port1 connects to the internal computers, and the WAN interface Port2 connects to the Internet.
To allow internal computers to access the Internet:
1. Go to firewall webadmin > Rules and policies > Firewall rules and create a firewall rule that allows LAN to WAN traffic.
2. Go to firewall webadmin > Rules and policies > NAT rules and create a NAT rule that applies Masquerading to LAN to WAN traffic.
Note:
When there are multiple WAN interfaces, use SD-WAN policy routing to specify the primary gateway for LAN to WAN traffic.
Note: the Primary/Backup gateway setting was removed from firewall rules in v18.0.
Assume the Sophos Firewall has two WAN interfaces, Port2 and Port3, and we need to specify Port2 as the primary gateway for LAN to WAN traffic.
1. Go to webadmin > Routing > SD-WAN policy routing and add a new IPv4 SD-WAN policy route.
Details of those gateways can be checked under webadmin > Routing > Gateways.
2. Make sure the SD-WAN policy route doesn't interrupt other traffic:
Note: if the Sophos Firewall was freshly installed from the v18.5 ISO, there is an IP host group "Internet IPv4" that covers all Internet IPv4 addresses. Use it as the Destination network in the SD-WAN policy route to prevent interference with other routes (for example the remote networks of IPsec tunnels); there is then no need to worry about route precedence, as in the screenshot below.
For a Sophos Firewall upgraded from v18.0 or an earlier version, the IP host group "Internet IPv4" must be created manually, as per the KBA "Sophos Firewall: Auto-create an object for IPv4 internet addresses group".
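The following is an added example, not part of the original post and not Sophos code: a small Python model of why a policy route whose destination is "Internet IPv4" cannot interfere with traffic for private or VPN networks, while a route with destination "Any" can. The exclusion list used to build the "Internet IPv4" group is an assumption (RFC 1918 plus loopback and link-local); the real auto-created object may exclude a different set, and the remote VPN network 192.168.50.0/24 is constructed for the demonstration.

```python
import ipaddress

# Constructed exclusion list (assumption): RFC 1918 private ranges plus loopback
# and link-local. The real "Internet IPv4" object may exclude a different set.
EXCLUDED_FROM_INTERNET = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

def internet_ipv4_networks(excluded=EXCLUDED_FROM_INTERNET):
    """Return the prefixes left after carving the excluded ranges out of
    0.0.0.0/0, i.e. a model of an "Internet IPv4" IP host group."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        carved = []
        for net in remaining:
            # Two CIDR prefixes are either nested or disjoint, so three cases suffice.
            if ex.subnet_of(net):
                carved.extend(net.address_exclude(ex))  # split net around ex
            elif net.subnet_of(ex):
                continue                                # fully covered: drop
            else:
                carved.append(net)                      # disjoint: keep
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))

def route_matches(dst_ip, destination_networks):
    """Would an SD-WAN policy route with these destination networks catch a
    packet addressed to dst_ip?"""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in destination_networks)

def overlaps_remote_network(destination_networks, remote_net):
    """Would the policy route interfere with traffic for remote_net, such as an
    IPsec remote network or another internal route?"""
    remote = ipaddress.ip_network(remote_net)
    return any(remote.overlaps(net) for net in destination_networks)

ANY_IPV4 = [ipaddress.ip_network("0.0.0.0/0")]
INTERNET_IPV4 = internet_ipv4_networks()

if __name__ == "__main__":
    remote_vpn = "192.168.50.0/24"   # constructed remote VPN network
    for label, dests in (("Any", ANY_IPV4), ("Internet IPv4", INTERNET_IPV4)):
        print(f"Destination={label}: catches 8.8.8.8? {route_matches('8.8.8.8', dests)}; "
              f"overlaps {remote_vpn}? {overlaps_remote_network(dests, remote_vpn)}")
```

Running the script shows that both destination choices send Internet traffic to the chosen gateway, but only the "Any" route also swallows packets for the VPN network, which is exactly the interference the note above warns about.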
internal computers --- Port1 [Sophos Firewall] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network
To allow internal computers to access the remote VPN network, just create a LAN to VPN firewall rule.
You might need to create another firewall rule for VPN to LAN traffic. Make sure no NAT rule is applied to LAN to VPN traffic, unless NAT is necessary for the local VPN network to reach the remote VPN network.
external users --- Internet --- Port2 [Sophos Firewall] Port1 --- internal Exchange server (in DMZ zone)
The Sophos Firewall WAN interface Port2 connects to the Internet, and the DMZ interface Port1 connects to the internal Exchange server.
External users need to access the HTTPS service on the internal Exchange server by visiting the Sophos Firewall's public IP.
To allow the DNAT access:
1. Create a firewall rule that allows WAN to internal Exchange server traffic.
2. Create a DNAT rule.
internal computer, 192.168.20.0/24 --- Port1 [Sophos Firewall] Port6 --- internal Exchange server (in DMZ zone), 192.168.15.15
The Sophos Firewall LAN interface Port1 connects to the internal computers, and the DMZ interface Port6 connects to the internal Exchange server.
Internal computers need to access the HTTPS service on the internal Exchange server via its public IP 10.176.200.58.
There are two steps:
1. Create a firewall rule at the top of the list to allow internal computers to access the Exchange server.
2. Create a Full NAT rule at the top of the list.
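As an added example that is not part of the original post and not Sophos code, the Python model below walks the four scenarios above (LAN to WAN, LAN to VPN, WAN to DMZ, and LAN to the Exchange server via its public IP) through two decoupled, first-match tables: the NAT table is matched on the original destination and supplies DNAT/SNAT, and the firewall table is matched on the post-DNAT destination. It also shows why the Full NAT rule has to sit at the top of the NAT list and why LAN to VPN traffic must not match any NAT rule. The topology is an assumption (192.168.20.0/24 LAN, 192.168.15.0/24 DMZ, 192.168.50.0/24 remote VPN network, everything else WAN), the Port6 address 192.168.15.1 used as the Full NAT source is assumed, and the external client address 203.0.113.7 is constructed; 10.176.200.58 and 192.168.15.15 are the addresses from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption): 192.168.20.0/24 is LAN (Port1), 192.168.15.0/24
# is DMZ (Port6), 192.168.50.0/24 is the remote IPsec network (VPN zone) and any
# other address is WAN. 10.176.200.58 is the firewall's public IP from the post.
ZONES = [("LAN", ipaddress.ip_network("192.168.20.0/24")),
         ("DMZ", ipaddress.ip_network("192.168.15.0/24")),
         ("VPN", ipaddress.ip_network("192.168.50.0/24"))]
PUBLIC_IP, EXCHANGE_IP = "10.176.200.58", "192.168.15.15"
DMZ_IF_IP = "192.168.15.1"   # assumed Port6 address, used as the Full NAT source

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES if addr in net), "WAN")

@dataclass
class FwRule:
    name: str
    src_zone: str            # zone name or "Any"
    dst_zone: str
    dst_host: str = "Any"    # single IP or "Any"
    action: str = "accept"

@dataclass
class NatRule:
    name: str
    src_zone: str
    dst_zone: str            # zone of the ORIGINAL destination
    dst_host: str = "Any"
    dnat_to: Optional[str] = None
    snat_to: Optional[str] = None   # "MASQ" stands for the egress interface address

def _ok(rule_value, actual):
    return rule_value == "Any" or rule_value == actual

def evaluate(fw_rules, nat_rules, src_ip, dst_ip):
    """Model of the decoupled tables: the first matching NAT rule (matched on the
    original destination) supplies DNAT/SNAT; the first matching firewall rule is
    matched on the post-DNAT destination. Returns a dict describing the outcome."""
    src_zone, orig_dst_zone = zone_of(src_ip), zone_of(dst_ip)
    nat = next((r for r in nat_rules if _ok(r.src_zone, src_zone)
                and _ok(r.dst_zone, orig_dst_zone) and _ok(r.dst_host, dst_ip)), None)
    dst = nat.dnat_to if nat and nat.dnat_to else dst_ip
    fw = next((r for r in fw_rules if _ok(r.src_zone, src_zone)
               and _ok(r.dst_zone, zone_of(dst)) and _ok(r.dst_host, dst)), None)
    allowed = fw is not None and fw.action == "accept"
    src = nat.snat_to if allowed and nat and nat.snat_to else src_ip
    return {"allowed": allowed, "fw_rule": fw.name if fw else None,
            "nat_rule": nat.name if nat else None, "src": src, "dst": dst}

# Rule sets following the post, most specific rules at the top of each list.
FW_RULES = [
    FwRule("LAN to DMZ Exchange", "LAN", "DMZ", EXCHANGE_IP),
    FwRule("WAN to DMZ Exchange", "WAN", "DMZ", EXCHANGE_IP),
    FwRule("LAN to VPN", "LAN", "VPN"),
    FwRule("VPN to LAN", "VPN", "LAN"),
    FwRule("LAN to WAN", "LAN", "WAN"),
]
NAT_RULES = [
    NatRule("Full NAT Exchange", "LAN", "WAN", PUBLIC_IP, dnat_to=EXCHANGE_IP, snat_to=DMZ_IF_IP),
    NatRule("DNAT Exchange", "WAN", "WAN", PUBLIC_IP, dnat_to=EXCHANGE_IP),
    NatRule("LAN to WAN MASQ", "LAN", "WAN", snat_to="MASQ"),
]

def misordered_nat_rules():
    """The same NAT rules, but with the masquerading rule moved to the top."""
    return [NAT_RULES[2], NAT_RULES[0], NAT_RULES[1]]

def nat_free_vpn_traffic(nat_rules, lan_ip="192.168.20.10", vpn_ip="192.168.50.5"):
    """Check from the post: LAN to VPN traffic must not be touched by any NAT rule."""
    return evaluate(FW_RULES, nat_rules, lan_ip, vpn_ip)["nat_rule"] is None

if __name__ == "__main__":
    for label, dst in (("LAN to Internet", "8.8.8.8"), ("LAN to remote VPN", "192.168.50.5"),
                       ("LAN to Exchange via public IP", PUBLIC_IP)):
        print(label, evaluate(FW_RULES, NAT_RULES, "192.168.20.10", dst))
    print("WAN to Exchange", evaluate(FW_RULES, NAT_RULES, "203.0.113.7", PUBLIC_IP))
    print("misordered", evaluate(FW_RULES, misordered_nat_rules(), "192.168.20.10", PUBLIC_IP))
```

With the MASQ rule moved above the Full NAT rule, the LAN packet for 10.176.200.58 is masqueraded and sent towards the WAN without ever being translated to the Exchange server, which is the failure the "on top of list" instruction prevents. The `nat_free_vpn_traffic` check is the kind of review a defender can run over an exported rule set: a masquerading rule whose destination zone is "Any" silently NATs the VPN traffic as well.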
Enjoy.
2022-08-25
2022-05-31
2021-08-19
2021-02-12, added section "specify primary gateway"
2021-01-22, added Interface matching criteria in section "WAN-to-DMZ traffic".
2020-12-23, updated section "LAN-to-WAN traffic".
2020-08-19, changed article subject
2020-07-22, first version.
Mikrotik remains as a router, the IP assigned to Sophos is a local IP, and on Mikrotik the routing has been set. Sophos has successfully connected to all local networks on Mikrotik but not vice versa. And currently my Sophos license is no longer valid and still in the process for renewal, does this have a big impact so that the firewall rule that I made doesn't work?
The firewall rules and NAT are basic licence features.
Firewall rule :- Source WAN, any network, destination DMZ, dmz network, services any, log.
NAT rule :- source WAN, any, destination DMZ, network any, masq, all services
I think it should work.
Ian
XG115W - v19.5 GA - Home
Test machine - Asus P10S-i E3-1225v5, 6gb, 4 intel NICs, v19.5 GA
If a post solves your question please use the 'Verify Answer' button.
My server is private and can only be accessed from outside via Sophos VPN, and Mikrotik VPN as an option if Sophos VPN is not accessible to the user.
Hi,
Please make up your mind what it is you are actually trying to achieve. You changed your requirements from the initial posting in this thread.
You will need different rules for each scenario you talked about in your most recent post.
It does not work, is there something missing?
The preferred method of attaching documents is through the insert function of the post you are preparing, using local documents, not an external server.
ian
This is just information that later my server will be accessed, including through a VPN made on Sophos and a VPN made on Mikrotik via a Sophos WAN line. The main focus of the problem remains where I want to make all local IPs on Mikrotik able to connect to the Sophos DMZ, which means I have to set the right permissions between the WAN port and DMZ port on Sophos.
Sorry if my language is not good, because I use Google Translate to translate my Indonesian.
Sorry, I can't show pictures directly, because in this forum, on the Insert Video/Image menu, I was directed to insert a link.
When attaching documents you use insert file, or a link for videos etc., not files stored on another server.
You need to rethink what you are trying to achieve, e.g. what is the use of the XG, and why still use a router in front of the XG? You will end up with double-NATed traffic, which will be difficult to debug.