The new feature is very welcomed. It would be great if the options were given for NAT Loopback and reflexive NAT, instead of just creating them. They are not needed everytime that wizard is run.
Mike
I agree with this, also another thing - currently It's not possible to create a Service with "Server Access Assistant (DNAT)", It only gives you the option to select an already created one.
Thanks,
Good part about those 2 rules, they most likely will not break anything.
Administrators most likely will not use the Wizard if they know what they want to achieve (my estimation).
So basically administrators with little knowledge about XG will use the helper to get their configuration done. And maybe they don't care about the three additional rules.
An admin of a bigger setup will not use the Wizard? What are your thoughts about this?
It is like the VPN Wizard. In the product for years, but I never saw anybody using it (from my perspective as a person working every day with XG).
I would rather use the manual step.
Great feedback anyways! PMParth
I see administrators using the wizard, even on larger systems because Sophos does not follow industry standards when it comes to firewall rules and NAT for DNAT configs.
Sophos uses the WAN interface as the destination network which makes no sense.
If you have an engineer that works with ASAs, Palos, Sonicwalls, etc., and they also have to work on a Sophos XG, they will definitely use the wizard because the XG DNAT firewall rules are set up against the logic we have always used.
I agree with Michael on the destination zone which should be where the server resides.
I would also suggest for the DNAT to:
What do you think? Put like or add your comments.
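To make the destination-zone point above concrete, here is a small model of the inbound path most firewalls implement: DNAT first, then first-match firewall-rule lookup on the translated packet. It is an added illustration, not Sophos code or the forum poster's, and it assumes nothing about XG beyond the generic order "translate, then filter". The addresses, zone names and rule names are constructed. It shows why a rule that names the server's zone and address matches the post-NAT packet while a rule written against the WAN zone and public address does not, and why a rule created with logging off leaves no record of accepted traffic.

```python
"""Simplified DNAT-then-firewall model (constructed example, not Sophos code).

Shows why a DNAT firewall rule should name the server's zone (the post-NAT
destination) rather than the WAN zone, and why a wizard should enable
logging by default.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class DnatEntry:
    public_ip: str      # original destination as seen on the WAN side
    port: int
    server_ip: str      # translated destination
    server_zone: str    # zone the server lives in (e.g. DMZ or LAN)


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    action: str = "accept"
    log: bool = True


def apply_dnat(pkt: Packet, table: List[DnatEntry]) -> Tuple[Packet, str]:
    """Rewrite the destination if a DNAT entry matches.

    Returns the (possibly translated) packet and the zone of its destination.
    Untranslated inbound traffic is addressed to the firewall itself on WAN.
    """
    for entry in table:
        if pkt.dst_ip == entry.public_ip and pkt.dst_port == entry.port:
            return replace(pkt, dst_ip=entry.server_ip), entry.server_zone
    return pkt, "WAN"


def find_rule(pkt: Packet, dst_zone: str,
              rules: List[FirewallRule]) -> Optional[FirewallRule]:
    """First-match lookup on the post-NAT packet."""
    for rule in rules:
        if (rule.src_zone == pkt.src_zone and rule.dst_zone == dst_zone
                and rule.dst_ip == pkt.dst_ip and rule.dst_port == pkt.dst_port):
            return rule
    return None


def evaluate(pkt: Packet, table: List[DnatEntry],
             rules: List[FirewallRule]) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (action, matched rule name, log line). Unmatched traffic is dropped."""
    post, zone = apply_dnat(pkt, table)
    rule = find_rule(post, zone, rules)
    flow = f"{pkt.src_ip} -> {post.dst_ip}:{post.dst_port} zone={zone}"
    if rule is None:
        return "drop", None, f"DROP no-rule {flow}"
    log_line = f"{rule.action.upper()} rule={rule.name} {flow}" if rule.log else None
    return rule.action, rule.name, log_line


# Constructed sample data (documentation ranges, not real hosts).
DNAT = [DnatEntry("203.0.113.10", 443, "10.0.1.20", "DMZ")]
INBOUND = Packet("198.51.100.7", "WAN", "203.0.113.10", 443)

# Rule written the way the posters expect: destination is the server's zone.
SERVER_ZONE_RULE = FirewallRule("web-dnat", "WAN", "DMZ", "10.0.1.20", 443)
# Rule written against the WAN zone and pre-NAT address: never sees the translated packet.
WAN_ZONE_RULE = FirewallRule("web-dnat-wan", "WAN", "WAN", "203.0.113.10", 443)
# What a wizard that leaves logging off would create: accepted, but unrecorded.
SILENT_RULE = replace(SERVER_ZONE_RULE, name="web-dnat-nolog", log=False)

if __name__ == "__main__":
    for ruleset in ([SERVER_ZONE_RULE], [WAN_ZONE_RULE], [SILENT_RULE]):
        print(evaluate(INBOUND, DNAT, ruleset))
```

Running it prints an accept with a log line for the server-zone rule, a drop for the WAN-zone rule, and an accept with no log line for the silent rule, which is exactly the audit gap a logging-on default closes.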
Hello luk,
yes, of course, all your comments are justified.
I would also like to remind you of the warning from Prism. It is really illogical when the wizard does not allow you to create the necessary network service definitions. So what will an administrator do - exit the wizard, create a service and reopen the wizard! Really, how logical, right?
LuCar Toni, why did Sophos develop this wizard? Because immediately after the release of v18 EAP1, we shouted that creating DNAT rules is illogical and non-intuitive? But again, the developers did not spend enough time on it, just what is absolutely necessary, whether they leave us alone? And again we see the result ...
I apologize for being sarcastic again, but the quality of your development forces me to.
Regards
alda
Thanks Luk and alda for the comments. Luk and I have had many conversations off the forums about the progress of Sophos. We both want it to be the best firewall, but comments from Sophos staff questioning real-world environments don't make me feel as if they really listen sometimes.
Don't get me wrong, they have done a good job with v18, but as we all know, it is where v16 should have been.
I think we have all done a great job trying to tell Sophos what is needed and what the industry does. Unfortunately, they don't always hear us or implement what is needed.
Honestly what I am requesting, would only reduce their support calls but alda said it best, they do the minimum to get it out and that is all.
LuCar Toni, we all appreciate you being on here and your knowledge, but you are always the first one to say "why would you do it that way" just because Sophos can't do it or picks some way that makes no sense. You really need to understand the situation better before saying this is how it should be, and look at how the OP used to do it with another manufacturer. We are all trying to help shape a better product. I have commented on multiple posts where the OP is trying to do something that a Sonicwall, WG, PA, etc. would do, and you always question doing it that way. The Sophos way is not always the right way.
Every manufacturer does it differently. When Sophos goes against the industry, expect people in the forum to complain and bring it up. Please understand, most of the partners manage multiple manufacturers' products and it makes life easier when companies follow the same patterns. The firewall rule in the post is a perfect example.
Mike
I agree with Michael 100%. Sophos is trying to sell the same item numbers as other vendors do and they try to "copy" and do the same things as the others. DNAT is one example. I do not like the approach of editing the NAT instead of editing the firewall rule if I need to add a new host or edit the destination host. It will be a mess for auditors to audit XG on what the configurations are.
We asked Sophos to improve XG and make sure it looks like SG, but on some things they are not following that way. v18 is a nice and better version and I think that most of the users and my customers will be migrated to XG v18, but DNAT is not what customers are expecting to find and understand. How it is implemented does not make sense at all.
We are experts here and we give you guys constructive feedback to improve the product and to be the number one on the market.
If customers and users complain about the DNAT, we will see a new thread or features changing in the next major release (v18.5+).
For the moment, v18 is a nice step forward (apart from logging and reporting).
MichaelBolton said:
v18 implements more standard and industry common NAT design. With v18, XG Firewall’s enterprise NAT capability and configuration flow is now at par with other competitive players. In fact, change of old NAT design (coupled with firewall rule) has been one of the top pain points of our partners managing multiple manufacturer products. It was almost impossible to migrate competitor's deployment onto XG firewall in v17.x and earlier. With the enterprise NAT design, that pain point is now resolved.
I spoke to Luk lferrara and alda earlier on how we are now in line with the industry.
Happy to discuss the same with you, please PM me.
Thank you.
Hello PMParth,
I think that the DNAT wizard is far from finished and functional. However, if you implement the following features recommended by lferrara and Prism, its utility value will be considerably greater.
- have a larger window
- allow you to create the necessary network service definitions
- make sure logging is enabled by default (while it is not)
- ask if the rule needs to be enabled after the creation
- ask for an IPS rule to be attached
- change the name to "Create DNAT Wizard"
I hope others in this forum will vote for the implementation of the above features in the DNAT wizard.
Regards
alda
PMParth, I have no issues with the new NAT design. It is a welcome change. What I said was that the firewall rule was not industry standard with other manufacturers.
The point of this post was to request additional features to be added to the wizard to be on par with the other manufacturers out there. Alda created a great list to add along with my original request.