Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.
This post provides a simple guide to configuring firewall rules and NAT for LAN-to-WAN, LAN-to-VPN and WAN-to-DMZ traffic, and for Full NAT.
More technical details can be found at
internal computers --- Port1 [Sophos Firewall] Port2 --- Internet
The Sophos Firewall LAN interface Port1 connects to the internal computers, and the WAN interface Port2 connects to the Internet.
To allow internal computers to access the Internet:
1. create a firewall rule to allow LAN to WAN traffic
2. create a NAT rule to apply masquerading (MASQ) to LAN to WAN traffic
When there are multiple WAN interfaces, we can use SD-WAN policy routing to specify the primary gateway for LAN to WAN traffic.
Note: The Primary/Backup gateway option was removed from the firewall rule in v18.0.
Assume Sophos Firewall has 2 WAN interfaces, Port2 and Port4, and we need to specify Port2 as the primary gateway for LAN to WAN traffic.
Go to webadmin > Routing > SD-WAN policy routing and add a new IPv4 SD-WAN policy route.
Details of those gateways can be checked at webadmin > Routing > Gateways.
With the above SD-WAN policy route configured on Sophos Firewall,
internal computers --- Port1 [Sophos Firewall] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network
To allow internal computers to access the remote VPN network, just create a LAN to VPN firewall rule.
You might need to create another firewall rule for VPN to LAN traffic. Please make sure no NAT rule is applied to LAN to VPN traffic, unless NAT is necessary for the local VPN network to reach the remote VPN network.
external users --- Internet --- Port2 [Sophos Firewall] Port1 --- internal Exchange server (in DMZ zone)
The Sophos Firewall WAN interface Port2 connects to the Internet, and the DMZ interface Port1 connects to the internal Exchange server.
External users need to access the HTTPS service on the internal Exchange server by visiting the Sophos Firewall public IP.
To allow the DNAT access:
1. create a firewall rule to allow WAN to internal Exchange server traffic
2. create a DNAT rule
internal computer, 192.168.20.0/24 --- Port1 [Sophos Firewall] Port6 --- internal Exchange server (in DMZ zone), 192.168.15.15
The Sophos Firewall LAN interface Port1 connects to the internal computers, and the DMZ interface Port6 connects to the internal Exchange server.
Internal computers need to access the HTTPS service on the internal Exchange server via its public IP 10.176.200.58.
There are two steps:
1. create a firewall rule at the top of the list, to allow internal computers to access the Exchange server
2. create a Full NAT rule at the top of the list
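Why the rule order in the two steps above matters (Full NAT at the top, and, per the changelog note below, the LAN to WAN NAT rule at the bottom), shown with a small first-match NAT evaluator. This is an added illustration written for this post, not Sophos code; it models the post's topology (Port1 LAN 192.168.20.0/24, Port2 WAN 10.176.200.58, Port6 DMZ with Exchange at 192.168.15.15) and assumes the Port1/Port6 interface addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology from the post: Port1 = LAN, Port2 = WAN (10.176.200.58),
# Port6 = DMZ with Exchange at 192.168.15.15. Port1/Port6 addresses are assumed.
IFACE_IP = {"Port1": "192.168.20.1", "Port2": "10.176.200.58", "Port6": "192.168.15.1"}
ROUTES = [("192.168.20.0/24", "Port1"), ("192.168.15.0/24", "Port6"), ("0.0.0.0/0", "Port2")]

def route(dst: str) -> str:
    """Pick the outbound interface; routes are listed most specific first."""
    for net, iface in ROUTES:
        if ip_address(dst) in ip_network(net):
            return iface
    raise ValueError(f"no route for {dst}")

@dataclass
class NatRule:
    name: str
    src: str                 # original source network
    dst: str                 # original (pre-NAT) destination network
    dnat: Optional[str]      # translated destination IP, None = unchanged
    snat: Optional[str]      # "MASQ" = outbound interface IP, None = unchanged

def apply_nat(rules, src: str, dst: str):
    """First match from the top wins, like the NAT rule table. Returns
    (matched rule name, translated src, translated dst, outbound interface)."""
    for r in rules:
        if ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst):
            new_dst = r.dnat or dst
            out = route(new_dst)               # routing happens after DNAT
            new_src = IFACE_IP[out] if r.snat == "MASQ" else src
            return r.name, new_src, new_dst, out
    return None, src, dst, route(dst)

# Full NAT: DNAT the public IP to Exchange and SNAT to the DMZ interface, so the
# reply comes back through the firewall. MASQ: the ordinary LAN to WAN rule.
FULL_NAT = NatRule("Full NAT to Exchange", "192.168.20.0/24", "10.176.200.58/32", "192.168.15.15", "MASQ")
MASQ = NatRule("LAN to WAN MASQ", "192.168.20.0/24", "0.0.0.0/0", None, "MASQ")

def hairpin(order):
    """Internal host 192.168.20.10 visiting the Exchange public IP under a rule order."""
    return apply_nat(order, "192.168.20.10", "10.176.200.58")

if __name__ == "__main__":
    print("Full NAT on top:", hairpin([FULL_NAT, MASQ]))   # reaches 192.168.15.15 via Port6
    print("MASQ on top:   ", hairpin([MASQ, FULL_NAT]))    # no DNAT, sent out Port2: broken
```

With the masquerade rule above the Full NAT rule, the internal request matches the catch-all first, is never redirected to the Exchange server, and leaves via Port2, which is the "applied on other traffic" failure the changelog warns about.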
2021-02-12, added section "specify primary gateway".
2021-01-22, added Interface matching criteria in section "WAN-to-DMZ traffic".
2020-12-23, added "It is recommended to move the LAN to WAN NAT rule to bottom, otherwise, it can be applied on other traffic, and cause unexpected result" to section "LAN-to-WAN traffic".
2020-08-19, changed the title, and removed it from the top of the list.
2020-07-22, first version.