How to configure firewall rule and NAT rule on Sophos XG v18

Disclaimer: This information is posted as-is and the content should be referenced at your own risk 

Overview

This post provides a simple guide to configuring firewall rules and NAT rules for LAN-to-WAN, LAN-to-VPN, and WAN-to-DMZ traffic.

More technical details can be found at

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallRules.html

https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallNATRules.html

https://community.sophos.com/products/xg-firewall/f/recommended-reads/116102/understanding-new-decoupled-nat-and-firewall-changes-in-v18

LAN-to-WAN traffic

Network plan:

internal computers --- Port1 [XG] Port2 --- Internet

XG firewall LAN interface Port1 connects to internal computers, and WAN interface Port2 connects to Internet.

To allow internal computers to access the Internet:

1. create a firewall rule to allow LAN to WAN traffic

  • Source zone: LAN, the zone where the internal computers are located
  • Source networks: Any, or a specific internal subnet
  • Destination zone: WAN
  • Destination networks: Any

2. create a NAT rule to apply masquerading to LAN to WAN traffic

  • Original source: Any
  • Original destination: Any
  • SNAT: MASQ, or the preferred WAN IP for masquerading
  • Inbound interface: Any
  • Outbound interface: Port2, the XG firewall WAN interface

Note:

  • I recommend setting "Outbound interface" to the WAN interface. If the outbound interface is set to "Any", the NAT rule will also be applied to LAN to VPN (or LAN to DMZ) traffic, and that traffic will stop working.
  • It is recommended to move the LAN to WAN NAT rule to the bottom of the NAT rule list; otherwise it can match other traffic and cause unexpected results.

Specify primary gateway

When there are multiple WAN interfaces, we can use an SD-WAN policy route to specify the primary gateway for LAN to WAN traffic.

Note: the Primary/Backup gateway setting was removed from the firewall rule in v18.0.

Assume the XG firewall has two WAN interfaces, Port2 and Port4, and we need to specify Port2 as the primary gateway for LAN to WAN traffic.

Go to XG webadmin > Routing > SD-WAN policy routing, and add a new IPv4 SD-WAN policy route:

  • Incoming interface: Port1, the LAN interface
  • Source networks: 192.168.20.0/24, which is the LAN subnet
  • Destination networks: Any
  • Services: Any
  • Application object: Any
  • User or groups: Any
  • Primary gateway: Port2_GW, the gateway of WAN interface Port2
  • Backup gateway: Port4_GW, the gateway of WAN interface Port4

Details of those gateways can be checked at XG webadmin > Routing > Gateways.

Notes about SD-WAN policy route

With the above SD-WAN policy route configured on the XG firewall:

  • If a policy-based site-to-site IPsec VPN is in use and 192.168.20.0/24 is the local VPN subnet, make sure "VPN routes" are preferred over "SD-WAN policy routes"; otherwise 192.168.20.0/24 cannot reach any remote VPN subnet.
  • If 192.168.20.0/24 needs to reach another LAN network via the XG firewall, for example 192.168.21.0/24, make sure "static routes" are preferred over "SD-WAN policy routes"; otherwise 192.168.20.0/24 cannot reach any other LAN network.
  • To check the route precedence, run the following command in the XG firewall SSH terminal > Device Console:
    system route_precedence show
  • To change the route precedence, run the Device Console command
    system route_precedence set
  • To make SD-WAN policy routes the least preferred, run the Device Console command
    system route_precedence set vpn static sdwan_policyroute
  • Make sure the route precedence is configured to match your network requirements.
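To show what the precedence order does to the traffic discussed in the notes above, here is an added example (written for this page, not Sophos code) that models the three route types and consults them in the configured order. The remote VPN subnet 10.60.0.0/24, the static route to 192.168.21.0/24 via Port3, and the "ipsec tunnel" label are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of SFOS route precedence, not Sophos code: each route
# type is consulted in the configured order and the first type holding a
# matching entry decides the next hop. Subnets and gateway names follow the
# page; the remote VPN subnet and the Port3 static route are assumptions.
VPN_ROUTES = [("192.168.20.0/24", "10.60.0.0/24")]      # (local, remote) IPsec subnets
STATIC_ROUTES = [("192.168.21.0/24", "Port3")]           # assumed LAN-to-LAN static route
SDWAN_ROUTES = [("Port1", "192.168.20.0/24", "0.0.0.0/0", "Port2_GW", "Port4_GW")]

def lookup_vpn(pkt):
    for local, remote in VPN_ROUTES:
        if ip_address(pkt["src"]) in ip_network(local) and ip_address(pkt["dst"]) in ip_network(remote):
            return "ipsec tunnel"
    return None

def lookup_static(pkt):
    for net, iface in STATIC_ROUTES:
        if ip_address(pkt["dst"]) in ip_network(net):
            return iface
    return None

def lookup_sdwan(pkt, primary_up=True):
    for in_if, src, dst, primary, backup in SDWAN_ROUTES:
        if (in_if == pkt["in_if"] and ip_address(pkt["src"]) in ip_network(src)
                and ip_address(pkt["dst"]) in ip_network(dst)):
            return primary if primary_up else backup
    return None

LOOKUPS = {"vpn": lookup_vpn, "static": lookup_static, "sdwan_policyroute": lookup_sdwan}

def route(pkt, precedence):
    """Same effect as 'system route_precedence set <order>' followed by a lookup."""
    for kind in precedence:
        hop = LOOKUPS[kind](pkt)
        if hop:
            return hop
    return "default route"   # assumed fallback when nothing matches

TO_VPN = {"src": "192.168.20.15", "dst": "10.60.0.9", "in_if": "Port1"}
TO_LAN = {"src": "192.168.20.15", "dst": "192.168.21.9", "in_if": "Port1"}
TO_NET = {"src": "192.168.20.15", "dst": "198.51.100.7", "in_if": "Port1"}

if __name__ == "__main__":
    bad = ("sdwan_policyroute", "vpn", "static")   # SD-WAN policy route wins everything
    good = ("vpn", "static", "sdwan_policyroute")  # the order the notes above recommend
    print(route(TO_VPN, bad), route(TO_LAN, bad))                          # Port2_GW Port2_GW
    print(route(TO_VPN, good), route(TO_LAN, good), route(TO_NET, good))   # ipsec tunnel Port3 Port2_GW
```

With SD-WAN policy routes first, both the VPN-bound and the LAN-to-LAN packets are pushed out via Port2_GW, which is exactly the breakage the notes describe.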

LAN-to-VPN traffic

Network plan:

internal computers --- Port1 [XG] Port2 --- IPsec VPN --- [remote VPN gateway] --- remote VPN network

XG firewall LAN interface Port1 connects to internal computers, and WAN interface Port2 connects to Internet.

To allow internal computers to access the remote VPN network, just create a LAN to VPN firewall rule:

  • Source zone: LAN
  • Source networks: 192.168.61.0/24, or any other local subnet configured in the site-to-site IPsec VPN
  • Destination zone: VPN
  • Destination networks: 192.168.61.0/24, or any other remote VPN subnet configured in the site-to-site IPsec VPN

You might need to create another firewall rule for VPN to LAN traffic. Please make sure there is no NAT rule applied to LAN to VPN traffic, unless NAT is necessary for the local VPN network to reach the remote VPN network.

WAN-to-DMZ traffic

Network plan:

external users --- Internet --- Port2 [XG] Port1 --- internal Exchange server (in DMZ zone)

External users need to access the HTTPS service on the internal Exchange server by visiting the XG firewall public IP.

XG firewall WAN interface Port2 connects to Internet, and DMZ interface Port1 connects to internal Exchange server.

To allow the DNAT access:

1. create a firewall rule to allow WAN to internal Exchange server traffic

  • Source zone: WAN
  • Source networks: Any, or the specific IP addresses of all external users
  • Destination zone: DMZ, the zone where the internal Exchange server is located
  • Destination networks: the XG firewall public IP visited by external users; in this scenario, it is the IP address of WAN Port2
  • Services: HTTPS

2. create a DNAT rule

  • Original source: Any, or the specific IP addresses of all external users
  • Original destination: the XG firewall public IP visited by external users; in this scenario, it is the IP address of WAN Port2
  • Original service: HTTPS
  • DNAT: IP address of the internal Exchange server
  • Interface matching criteria > Inbound interface: Port2. Only inbound traffic arriving at Port2 will be checked against the DNAT rule. This prevents the DNAT rule from matching LAN-to-WAN or LAN-to-DMZ traffic.

Note:

  • "Interface matching criteria > Outbound interface" needs to be Any in this setup.
  • If "Interface matching criteria > Outbound interface" is configured to Port1, the DNAT rule won't match inbound HTTPS traffic arriving at Port2.
  • "Interface matching criteria > Outbound interface" is normally configured in SNAT rules, where the outbound interface is determined by routing before NAT.
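The matching behaviour behind the notes above and behind the notes in the "LAN-to-WAN traffic" section (rules evaluated top-down, first match wins, interface criteria checked against the packet before translation) can be checked with a small model. This is an added example written for this page, not Sophos code; the addresses, the rule names, and the "VPN" and "local" outbound interface values are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of SFOS v18 decoupled NAT evaluation, not Sophos code:
# rules are checked top-down, first match wins, and interface criteria are
# matched BEFORE translation, so routing on the original destination decides
# the outbound interface. The "VPN" pseudo-interface for IPsec-bound traffic
# and "local" for traffic addressed to the firewall itself are assumptions.
XG_PORT2_IP = "203.0.113.10"          # constructed public IP on WAN Port2
ROUTES = [("192.168.20.0/24", "Port1"), ("10.50.0.0/24", "VPN"),
          ("203.0.113.10/32", "local"), ("0.0.0.0/0", "Port2")]

def outbound_interface(dst):
    """Longest-prefix lookup on the original (pre-NAT) destination."""
    best = max((r for r in ROUTES if ip_address(dst) in ip_network(r[0])),
               key=lambda r: ip_network(r[0]).prefixlen)
    return best[1]

class NatRule:
    def __init__(self, name, src="Any", dst="Any", in_if="Any", out_if="Any"):
        self.name, self.src, self.dst = name, src, dst
        self.in_if, self.out_if = in_if, out_if

    def matches(self, src, dst, in_if):
        def net_ok(sel, addr):
            return sel == "Any" or ip_address(addr) in ip_network(sel)
        return (net_ok(self.src, src) and net_ok(self.dst, dst)
                and self.in_if in ("Any", in_if)
                and self.out_if in ("Any", outbound_interface(dst)))

def first_match(rules, src, dst, in_if):
    """Name of the first NAT rule that matches, or None when no NAT applies."""
    return next((r.name for r in rules if r.matches(src, dst, in_if)), None)

MASQ_ANY = NatRule("MASQ out Any")                       # weak: outbound interface Any
MASQ_PORT2 = NatRule("MASQ out Port2", out_if="Port2")   # corrected per the LAN-to-WAN notes
DNAT_HTTPS = NatRule("DNAT Exchange", dst=XG_PORT2_IP, in_if="Port2")
DNAT_BAD = NatRule("DNAT out Port1", dst=XG_PORT2_IP, in_if="Port2", out_if="Port1")

LAN_TO_WAN = ("192.168.20.10", "198.51.100.7", "Port1")   # (src, dst, inbound interface)
LAN_TO_VPN = ("192.168.20.10", "10.50.0.5", "Port1")
WAN_TO_DMZ = ("198.51.100.7", XG_PORT2_IP, "Port2")

if __name__ == "__main__":
    print(first_match([MASQ_ANY], *LAN_TO_VPN))                # MASQ out Any: VPN traffic masqueraded
    print(first_match([MASQ_PORT2], *LAN_TO_VPN))              # None: no NAT, VPN works
    print(first_match([MASQ_ANY, DNAT_HTTPS], *WAN_TO_DMZ))    # MASQ on top shadows the DNAT rule
    print(first_match([DNAT_HTTPS, MASQ_PORT2], *WAN_TO_DMZ))  # DNAT Exchange
    print(first_match([DNAT_BAD], *WAN_TO_DMZ))                # None: pre-NAT outbound is "local"
```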

(Screenshot: DNAT rule)

Enjoy

Update history:

2021-02-12, added section "specify primary gateway"

2021-01-22, added Interface matching criteria in section "WAN-to-DMZ traffic".

2020-12-23, added "It is recommended to move the LAN to WAN NAT rule to bottom, otherwise, it can be applied on other traffic, and cause unexpected result" to section "LAN-to-WAN traffic".

2020-08-19, changed title, and removed it from top of list.

2020-07-22, first version.



added section "Specify primary gateway" and "Notes about SD-WAN policy route"
[edited by: taowang at 10:51 AM (GMT -8) on 12 Feb 2021]