Sophos XG SFOS v18 EAP3 - Bridge Mode in Multi VLAN Environment

Hi,

I am attempting to set up XG in L2 bridge mode on a multi-tagged VLAN LAG link between the switch infrastructure and the main routing firewall equipment (the trunk from the switches to the main routing firewall). It is only for trying Sophos XG security features like Synchronized Security, Sandbox, AntiMalware, Web Filter, Application Filter and HTTPS Inspection. It is not a real production environment. How do I properly create this L2 bridge? I am not sure about zones and tagged VLAN Sophos interface assignment, and about the correct firewall rule for letting DHCP requests pass the Sophos XG L2 bridge. In the end, I will only test security functions on one of the VLANs. Other VLANs should not be affected. IP addresses are assigned from the original main routing firewall, which hosts the DHCP server for all my VLANs.

I'm not successful yet...

Thank you for your help.

Radovan J.

  • Hi,

    it looks like I can set up the bridge (with multiple tagged VLANs), but only IPv4 PING, DNS and DHCP traffic can pass. I didn't succeed with normal web traffic. I get a connection error, even if I create an ANY-ANY-ALLOW-ANY firewall rule to let everything pass. My XG is deployed in mixed mode (routing + L2 bridge + TAP/Discover mode).

    Radovan J.

  • Hello Radovan,

    We have discussed the below in PM.

    The SFOS bridge interface will take a routing decision under the following two conditions:

    1. When the client's gateway IP is the bridge IP (irrespective of the 'Enable routing on this bridge pair' configuration).
    2. When 'Enable routing on this bridge pair' is enabled on the bridge interface (irrespective of the client's gateway IP configuration).

    When the client's gateway IP is not the bridge IP and routing is not enforced on the bridge interface, then SFOS will not make a routing decision and will forward at L2 level as per the firewall rule configuration.

    When a firewall rule is configured with any web policy or web filtering features, then the system must have a WAN interface configured, either as a gateway on the bridge interface or as any other system WAN interface.

    Request you to modify the configuration accordingly.

    Thank you,

    Jekin
