Some confusion about the new sdwan routing feature...

Hi,

First of all, the migration from 17.5 to 18 EAP1 works great. The complete system runs like before, but...

I have a lot of firewall rules, because I'm still testing SFOS for my UTM customers at my site. After migration there are a lot of new NAT and SD-WAN routing rules linked with the original firewall rules, but I can't go from an SD-WAN rule to the corresponding FW rule and vice versa.

1. Please make a "usable" (clickable) link to reach the corresponding rules (FW, NAT, SD-WAN). You call it a linked rule, so it should be linked.

2. The migrated SD-WAN rules all have "Override gateway monitoring decision" activated, which means that if the primary gateway is down, all traffic will be lost in a blackhole. Please don't do this!

3. SFOS is a zone-based firewall. On all SD-WAN routes I have to choose an incoming interface. If I want all "ssh+webadmin" traffic to go over my static IP, I have to add an SD-WAN route for every incoming interface. I have customers with more than 30 VLAN interfaces + 40 REDs, so I need 70 SD-WAN rules? You're kidding!

4. What about the proxy traffic (system-generated traffic)? Which incoming interface should I use?

And, by the way:

5. I miss the "Internet" object for selecting the traffic not in the routing table.

6. I need to disable/enable interfaces without deleting them.

7. Working with interfaces is a pain! On UTM I could move the interface configuration from a 1GbE port to 10GbE or a LAG, or make a VLAN interface, all with only a small downtime.

Most of my (UTM) customers have more than one internet connection and a lot of internal interfaces (LAG, bridge, VLAN, etc.). Interface handling and routing is still not on UTM level.

Have a nice day!

Christian

(UTM + XG Architect, UTM Support Engineer)
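To make points 2 and 3 of the post concrete, here is a small added model of SD-WAN policy-route selection. It is not SFOS code and not Sophos's implementation: the route and gateway names, the `SdwanRoute` fields and the decision logic are assumptions chosen to show why an "override gateway monitoring decision" route blackholes traffic when its primary gateway is down, and why a route that matches on one incoming interface has to be cloned per interface.

```python
"""Toy model of SD-WAN policy-route selection (hypothetical, not SFOS).

Shows two things from the post above:
  1. A route with "override gateway monitoring decision" enabled keeps
     choosing its primary gateway even when monitoring says it is down,
     so traffic is blackholed instead of failing over to the backup.
  2. A route that matches on a single incoming interface has to be cloned
     once per interface (30 VLANs + 40 REDs = 70 routes).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SdwanRoute:
    name: str
    in_interface: str            # incoming interface the route matches on
    primary_gw: str
    backup_gw: Optional[str]
    override_monitoring: bool    # "Override gateway monitoring decision"


def select_gateway(route: SdwanRoute, gw_up: Dict[str, bool]) -> Optional[str]:
    """Pick the gateway for a route, given the gateway-monitoring state.

    Returns a gateway name, or None when the route declines and the packet
    falls back to the normal routing table.
    """
    if route.override_monitoring:
        # Monitoring verdict is ignored: always the primary, up or down.
        return route.primary_gw
    if gw_up.get(route.primary_gw, False):
        return route.primary_gw
    if route.backup_gw and gw_up.get(route.backup_gw, False):
        return route.backup_gw
    return None


def forward(routes: List[SdwanRoute], in_interface: str,
            gw_up: Dict[str, bool]) -> str:
    """Outcome for a packet arriving on in_interface; first matching route wins."""
    for route in routes:
        if route.in_interface != in_interface:
            continue
        gw = select_gateway(route, gw_up)
        if gw is None:
            return "routing-table"        # route declined; normal routing applies
        if gw_up.get(gw, False):
            return f"forwarded:{gw}"
        return "blackhole"                # handed to a gateway that is down
    return "routing-table"                # no route matched this interface


def expand_per_interface(template: SdwanRoute,
                         interfaces: List[str]) -> List[SdwanRoute]:
    """Clone one route per incoming interface (the 70-rule problem)."""
    return [replace(template, name=f"{template.name}-{ifc}", in_interface=ifc)
            for ifc in interfaces]


# Constructed sample state: primary WAN1 is down, backup WAN2 is up.
GATEWAYS = {"WAN1": False, "WAN2": True}
# A migrated route with the override left on, and the same route with it off.
MIGRATED = SdwanRoute("ssh-webadmin", "LAN", "WAN1", "WAN2",
                      override_monitoring=True)
FIXED = replace(MIGRATED, override_monitoring=False)

if __name__ == "__main__":
    print(forward([MIGRATED], "LAN", GATEWAYS))   # blackhole
    print(forward([FIXED], "LAN", GATEWAYS))      # forwarded:WAN2
    print(forward([FIXED], "VLAN10", GATEWAYS))   # routing-table
    ifaces = [f"VLAN{i}" for i in range(30)] + [f"RED{i}" for i in range(40)]
    print(len(expand_per_interface(FIXED, ifaces)))  # 70
```

The check to run after a migration is the first line: any route whose `override_monitoring` is set, and whose primary gateway monitoring reports down, yields `blackhole` rather than `forwarded:WAN2`, which is exactly the silent outage described in point 2.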

  • Hi Christian,

    What I can say is that SD-WAN PBR is not finished right now.

    See "What's new": https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophos-xg-firewall-key-new-features.pdf?cmp=26058

    EAP1 contains:

    SD-WAN Policy-based Routing Enhancements: Policy-based routing gains added SD-WAN flexibility and more granular control. Routing can be defined through either the primary or a backup gateway WAN connection and can be configured for reply direction. Additionally, routing decisions are now decoupled from firewall rules and merged with SD-WAN policy-based routes, enabling more powerful and flexible configuration options in policy routes.

    EAP3 contains:

    SD-WAN Application Routing and Synchronized SD-WAN: Optimized application routing and path selection is often an important objective in SD-WAN implementations, to ensure important business applications are routed over preferred WAN links. This release adds user and group application-based traffic selection criteria to XG Firewall's SD-WAN routing configuration. Synchronized SD-WAN, a new Sophos Synchronized Security feature, offers additional benefits with SD-WAN application routing. Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications, and now these previously unidentified applications can also be added to SD-WAN routing policies. This provides a level of application routing control and reliability that other firewalls can't match.

    Maybe  can give more insights about EAP3 changes.
