Question on Destination NAT and Firewall Rule

Hi,

We are testing V18 in my LAB and I am confused by the Firewall rule and Destination NAT policy. My configuration is as follows:

In the Firewall Rule, why do I need the Destination HOST set to "ANY"? If I choose a host IP (my SSH server) as the Destination Host, then this rule does not work. Is it a bug, or is there a specific reason why "ANY" is required in the Destination HOST field?

  • I think the NAT tab has to be re-envisioned again. I agree with toni that multiple NAT rules are probably the best approach for the way the NAT tab is set up. However, I also like the new capability to set up one NAT rule and use it as a free-floating rule that is applied to multiple firewall rules.

    I think the best approach here would be the capability to attach multiple firewall rules to the one/same NAT rule. That way you can have one NAT rule that is used over and over but is still attached to the firewall rules. The NAT rule order wouldn't create additional complexity this way. The way we have everything set up right now, you basically want your firewall-connected rules on top and then a generic masquerade rule at the bottom if you want your traffic NATed without creating a NAT rule for each firewall rule.

    This is very confusing to say the least. Why XG fixes one problem and creates multiple others in every version will always be a mystery to me.

  • Too complex for simple NAT rules...

    Before, it was done in 2-3 clicks! Now we can do more complex things, but for standard NAT rules it's so complex!

    SOPHOS, be careful to keep your products simple to use!


    Matthieu

  • I agree with Matthieu.

    Sophos: if you are trying to copy from UTM, I would remind you that in DNAT on UTM9,

    • source was Any
    • service was the external service
    • destination was the WAN IP addresses or interface
    • Translated to: server hosting the service
    • translated service to: service running in the server

    With automatic firewall rule:

    • Source: Any
    • Service
    • destination: server hosting the service (and not the WAN ip address in v18).


    In this way, from a single page (the firewall tab) you can have under control all the services open from/to/between networks.

    Anyway I created a proper thread on that:

    https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues/115802/business-rule-against-new-firewall-rule---feedback with some personal feedback to improve the NAT/Firewall rule/WAF management under v18.

    I like the new NAT (it reminds me of UTM) but some big changes must be implemented before go-live time.

  • Hi,

    When you create a firewall rule for a NAT rule in which the destination is translated, you need to match the Dst zone as the ultimate zone in which the traffic terminates (that is mostly a local zone: DMZ or LAN). However, you would (want to) match against the original destination IP (the WAN IP on XG). Here's why:

    1. Usually one public IP translates to different internal server IPs based on services. Admins can have one firewall access rule matching the public IP, and NAT can take care of translating to the different servers.
    2. Also, when admins add new servers to the network, they do not need to modify the firewall rule again. With how this is implemented now, we can just edit the NAT rule and we are good to go. This is true decoupled NAT / Enterprise NAT power.
    3. The existing behavior makes it easier to configure a 1-to-many DNAT scenario in which one public IP is translated to multiple local IPs. Matching on the public IP adds flexibility.
    4. The industry implements DNAT in a similar way. With v18, XG Firewall's enterprise NAT capability is now on par with other competitive players.

    As we are moving to the new design, some confusion is bound to happen for existing users. We will soon support our veterans with detailed FAQs on the community. Improvements to the on-screen assistive text and online help are already in progress, along with how-to videos.

    Thank you very much for evaluating v18 early access. Appreciate your support.
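A small model of the matching order PMParth describes above (DNAT chooses the server and its zone first; the firewall rule is then matched on the post-NAT zone but the pre-NAT destination IP), as an added example that is not Sophos code or part of the thread; the addresses, zones and rule names are assumptions:

```python
# Constructed model, not Sophos code: addresses, zones and rule names are assumed.
# Order per the reply above: DNAT picks the server and its zone first; the firewall
# rule is then matched on the post-NAT zone but the ORIGINAL (pre-NAT) destination IP.
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_ip: str
    dst_port: int
@dataclass(frozen=True)
class NatRule:
    original_dst: str     # public IP the client connects to
    dst_port: int
    translated_dst: str   # internal server
    translated_zone: str  # zone the traffic terminates in
@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str      # post-NAT zone (DMZ/LAN), not WAN
    dst_host: str      # "ANY" or the pre-NAT public IP
    dst_port: int = 0  # 0 = any service

def apply_dnat(pkt, nat):
    for r in nat:
        if (r.original_dst, r.dst_port) == (pkt.dst_ip, pkt.dst_port):
            return replace(pkt, dst_ip=r.translated_dst), r.translated_zone
    return pkt, None  # untranslated; zone would come from routing instead

def evaluate(pkt, nat, rules):
    """Name of the first firewall rule permitting pkt after DNAT, else None."""
    _, zone = apply_dnat(pkt, nat)
    if zone is None:
        return None
    for fw in rules:
        zone_ok = (fw.src_zone, fw.dst_zone) == (pkt.src_zone, zone)
        host_ok = fw.dst_host in ("ANY", pkt.dst_ip)  # pre-NAT IP, not the server
        port_ok = fw.dst_port in (0, pkt.dst_port)
        if zone_ok and host_ok and port_ok:
            return fw.name
    return None

PUBLIC_IP = "203.0.113.10"  # assumed WAN address on the firewall
NAT_RULES = [NatRule(PUBLIC_IP, 22, "192.0.2.22", "DMZ"),   # SSH server
             NatRule(PUBLIC_IP, 443, "192.0.2.80", "DMZ")]  # web server
SSH, HTTPS = Packet("WAN", PUBLIC_IP, 22), Packet("WAN", PUBLIC_IP, 443)
# The rule from the opening question (dst host = the SSH server) never matches:
INTERNAL_HOST = FirewallRule("ssh-internal", "WAN", "DMZ", "192.0.2.22", 22)
ANY_HOST = FirewallRule("ssh-any", "WAN", "DMZ", "ANY", 22)
PUBLIC_HOST = FirewallRule("public-ip", "WAN", "DMZ", PUBLIC_IP)  # covers both servers
```

Running `evaluate(SSH, NAT_RULES, [rule])` for the three rules shows the first one failing and the other two matching, and `PUBLIC_HOST` alone also covers the HTTPS server behind the same public IP.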

  • Hi,

    As it's an EAP, I hope that it will be better for the final release.

    It's very important that resellers and customers don't lose the easy-to-use and intuitive usage! It was a main reason to choose the product for a lot of customers... Being able to do more things will be interesting if what we already do stays simple to use. Otherwise, we will probably lose customers.

    The current way (v18) is very confusing and not easy to understand. Do you have some screenshots of the new detailed design to share with us?


    Regards,

    Matthieu

  • Hi,

    Fully agree with Matthieu here; in its current state the firewall DNAT rule creation is no longer user friendly. Even if the user/administrator gets it working, it does not make sense and it's just a case of getting things working with no flow or logic to it. The thinking behind it is very good but the configuration has to follow a logic.


    As this is an EAP and feedback is being asked for, hoping this will be revisited.

    Thanks

  • My feedback was even deleted. I followed the firewall v18 NAT training and it does not say more than explaining how to DNAT now.

  • PMParth said:

    Thank you very much for evaluating v18 early access. Appreciate your support.


    Stop deleting replies and keep them. No one is offensive here. We are users and our feedback keeps you improving!

    You have to take bad and good feedback.

    Hope for a better collaboration from you.
    Kind regards

  • Have to agree with Luk here. I have always supported Sophos for not censoring the posts no matter how offensive. This new trend is quite alarming. This is a technical discussion and the users are expressing their concerns about the product. If this is not what you guys want to hear then change the beta (EAP) format to bug reports only with a generic form that the users fill out.

    Frankly, v18 should have been called v17.6. I don't know why we got the impression from unknown sources that this is a complete rewrite of the underlying XG architecture. It is not a rewrite. Same old daemons doing the same old stuff with a little more lipstick on the GUI end. The firewall has become completely bloated, with 4GB being the minimum RAM requirement. The load average on the appliance while idling is alarmingly high.

    V18 is mostly an effort to streamline certain aspects that people found really confusing or that were completely missing for unknown reasons. NAT being one of them. Most people want a single SNAT rule where all internal traffic is NATed to the external interface. Very few people ever need DNATs and so on.

    Before v18, SNAT was very limited in what it could accomplish and the rules were hidden from the user. Those rules are now shown on a different screen. Nobody wants to look at 50 corresponding SNAT rules. This is just not efficient. A call for a redesign is not a dig at Sophos but a request to make it easy for everyone, NOT JUST SOPHOS EMPLOYEES or people that already understand iptables firewalls.

    In any case, the alarming trend of comment deletion must STOP NOW. You guys are better than this.