Thread Info
  • Replies 0 replies
  • Subscribers 29 subscribers
  • Views 1939 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: Using SD-WAN and XFRM to route System Generated Traffic like CFR to another location

LuCar Toni

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

In some situations, we want to route traffic from an Appliance not over the internet but to another firewall and then to the internet. For this use case, SD-WAN Routes were created. We can use the same approach to route all traffic a firewall generates to another firewall. In this recommended read, we’ll reroute the traffic of CFR(Central Firewall Reporting) to another firewall. 

How it works

We’ll use two Firewalls and an existing XFRM Tunnel (Route Based VPN). You can use MPLS as well; it’s a similar approach. We’ll create an SD-WAN Route for the specific traffic on both firewalls and allow the traffic with a matching Firewall Rule. 

Central Datacenter

CFR uses the data center you choose by creating the data center. You find your Sophos Central Datacenter here: https://support.sophos.com/support/s/article/KB-000044836?language=en_US
CFR uses the same data center but in S3. 

Sophos has different URLs for each Datacenter: 

  • tf-pre-signed-url-eu-central-1-prod-firewall-bucket.s3.eu-central-1.amazonaws.com
  • tf-pre-signed-url-eu-west-1-prod-firewall-bucket.s3.eu-west-1.amazonaws.com
  • tf-pre-signed-url-us-west-2-prod-firewall-bucket.s3.us-west-2.amazonaws.com
  • tf-pre-signed-url-us-east-2-prod-firewall-bucket.s3.us-east-2.amazonaws.com
  • tf-pre-signed-url-ap-south-1-prod-firewall-bucket.s3.ap-south-1.amazonaws.com
  • tf-pre-signed-url-ap-northeast-1-prod-firewall-bucket.s3.ap-northeast-1.amazonaws.com
  • tf-pre-signed-url-ca-central-1-prod-firewall-bucket.s3.ca-central-1.amazonaws.com
  • tf-pre-signed-url-sa-east-1-prod-firewall-bucket.s3.sa-east-1.amazonaws.com
  • tf-pre-signed-url-ap-southeast-2-prod-firewall-bucket.s3.ap-southeast-2.amazonaws.com

In our example, we’re working with the Frankfurt/Germany data center, EU-Central-1. 

SD-WAN Rule 

Our first step is the SD-WAN Route on the Device. We want to reroute the Traffic to the tunnel. 
The rule is quite simple. We’re using SD-WAN Routes to route everything into a Gateway Route: 

We’re working with a Wildcard; you can also create an Object like above. 

Firewall Rule 

On the other Firewall, we need to allow this Traffic to flow to WAN. In this example, we have a simple VPN to WAN Rule. You can/should adjust this to your needs. You can also create the same objects. 

SD-WAN CLI Configs

Two different CLI Configs could affect your success: Reply Packets and System-Generated Traffic.

 https://doc.sophos.com/nsg/sophos-firewall/19.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANRoutes/RoutingSDWANRoutesBehavior/index.html#reply-packets

First: Reply Packets, which means if the packet on the second firewall comes back, it needs its route or uses the route back. 
Second: System-Generated Traffic, meaning the SD-WAN Routes will be considered for Traffic generated by SFOS itself (which we want in this case). 



Revamped RR Corrected Grammar Added Horizontal Lines
[edited by: Erick Jan at 3:52 AM (GMT -7) on 6 Oct 2023]
Unfiltered HTML