
Need evolution on Static Route / SD-WAN: objects Gateway, network, host

Hi,

With Sophos SG, it was possible to use objects (host, subnet, etc.) in static routes.

In XGS, this is no longer possible.

SDWAN routes and gateways should solve this problem. But this is not possible for 2 reasons:

  • Case 07078419: if you create an SD-WAN route to a supernet (e.g. 10.0.0.0/8), it overwrites directly connected networks. So you have to use a simple static route.
  • Case 04648590: if you route via SD-WAN, IP spoofing blocks traffic from unknown networks. Static routes are therefore required.
    • SD-WAN configurations are not routes; they are just like firewall rules, so they support objects and services.
    • Routes are instead restricted to the networks and this information is used by Spoof Protection as well: if the route is configured to interface Port1 and the packet arrives on Port1 it's fine, otherwise it will be blocked.
    • I understand that the learning curve could be different on XG, but the support of objects in the static route configuration has to be considered as a feature request.
    • You can instead consider the routes as a lower layer and the SD-WAN policy as an upper layer in case you have multiple routes to the same destination (for routing decision based on preference).
    • You can also use SD-WAN without any route, but in this case Spoof protection checks are not satisfied.

It would be preferable to be able to use either:

  • Solution A: SD-WAN routes instead of static routes (to take advantage of objects: gateway, network, host, ...)
  • Solution B: Objects (gateway, network, host, etc.) in static routes.

Nice to have your feedback on this subject.

Thomas



  • I don't understand your point in Case 1.

    So:  Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR 

    Which means: SD-WAN Routing is doing routing for matching traffic. If you decide to use "matching traffic" it will overwrite everything, even something, which is directly connected. 

    So if you have a Rule, which includes "ANY" it can happen. 


  • Hello Toni

    In the first case (you are talking about Case 07078419, no?):

    I have port8 on my XGS with multiple VLANs.

    All VLANs are little subnets, for example:

    • Native on XGS port8 : 10.10.0.0/24
    • VLAN 5 : port8.5 : 10.10.5.0/24
    • VLAN 6 : port8.6 : 10.10.6.0/24
    • VLAN 7 : port8.7 : 10.10.7.0/24
    • etc.

    This port is connected to a global network 10.0.0.0/8 through the 10.10.0.254 router. So I want to do an SD-WAN route to network 10.0.0.0/8 with gateway 10.10.0.254 (example) on port8.

    But when I have this SD-WAN rule activated, tcpdump shows traffic to a VLAN subnet not delivered on the VLAN interface (for example port8.5 for 10.10.5.1) but delivered on port8 (native subnet 10.10.0.0/24).

    Sorry, my English is not so good. But Kenny (France Sophos Support team) can explain it clearly.

    When I add a static route to 10.0.0.0/8 it is working well.

    But it would be much better to use SD-WAN with objects and gateway status icons.
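To make the two behaviours discussed in this thread concrete, here is a small added model in Python. It is written for this page only; it is not Sophos code and does not claim to reproduce any actual Sophos Firewall release, and every function and name in it is an assumption. It models a routing table with longest-prefix match, a first-match SD-WAN style policy layer that overrides the table (including directly connected networks, as Toni describes), and a spoof check following the support wording quoted in the first post (the source address's route must point at the ingress interface, and only the routing table is consulted). Using the port8/VLAN topology from the reply, it shows why a static route to 10.0.0.0/8 keeps 10.10.5.1 on port8.5 while an SD-WAN rule for the same supernet sends it out port8, and why running SD-WAN without the static route makes spoof protection drop replies from a 10.20.x.x network.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    """A routing-table entry; gateway=None means directly connected."""
    prefix: IPv4Network
    interface: str
    gateway: Optional[IPv4Address] = None


@dataclass(frozen=True)
class SdwanRule:
    """A policy (SD-WAN PBR style) rule: first match wins, no prefix-length ordering."""
    destination: IPv4Network
    interface: str
    gateway: IPv4Address


def longest_prefix_match(table: List[Route], addr: str) -> Optional[Route]:
    """Classic routing-table lookup: the most specific prefix containing addr wins."""
    ip = ip_address(addr)
    candidates = [r for r in table if ip in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def pbr_first_match(rules: List[SdwanRule], addr: str) -> Optional[SdwanRule]:
    """Policy lookup: rules are evaluated top-down like firewall rules."""
    ip = ip_address(addr)
    for rule in rules:
        if ip in rule.destination:
            return rule
    return None


def egress(table: List[Route], rules: List[SdwanRule], dst: str) -> Optional[Tuple[str, Optional[str], str]]:
    """Forwarding decision (modelling assumption): a matching policy rule overrides the
    routing table, even for a directly connected network; otherwise longest-prefix match.
    Returns (interface, gateway or None, which layer decided)."""
    rule = pbr_first_match(rules, dst)
    if rule is not None:
        return (rule.interface, str(rule.gateway), "sdwan")
    route = longest_prefix_match(table, dst)
    if route is not None:
        gw = str(route.gateway) if route.gateway is not None else None
        return (route.interface, gw, "route")
    return None


def spoof_check(table: List[Route], src: str, ingress_if: str) -> bool:
    """Spoof protection as described in the thread: the source must be routed (routing
    table only; SD-WAN rules are not consulted) via the interface the packet arrived on.
    No route at all means the packet is blocked."""
    route = longest_prefix_match(table, src)
    return route is not None and route.interface == ingress_if


# Constructed sample topology taken from the reply: port8 native plus VLAN
# sub-interfaces, with the 10.0.0.0/8 supernet reachable through 10.10.0.254.
CONNECTED = [
    Route(ip_network("10.10.0.0/24"), "port8"),
    Route(ip_network("10.10.5.0/24"), "port8.5"),
    Route(ip_network("10.10.6.0/24"), "port8.6"),
    Route(ip_network("10.10.7.0/24"), "port8.7"),
]
STATIC_SUPERNET = Route(ip_network("10.0.0.0/8"), "port8", ip_address("10.10.0.254"))
SDWAN_SUPERNET = SdwanRule(ip_network("10.0.0.0/8"), "port8", ip_address("10.10.0.254"))


def compare_designs(dst: str = "10.10.5.1", remote_src: str = "10.20.1.1") -> dict:
    """Run both designs (static route vs SD-WAN rule for the supernet) side by side."""
    with_static = CONNECTED + [STATIC_SUPERNET]
    return {
        # Static route: the connected /24 is more specific, so VLAN traffic stays on port8.5
        "static_vlan_egress": egress(with_static, [], dst),
        # SD-WAN rule: first match on 10.0.0.0/8 wins, VLAN traffic leaves on port8 instead
        "sdwan_vlan_egress": egress(CONNECTED, [SDWAN_SUPERNET], dst),
        # Spoof protection for a packet from the remote 10.20.x.x network arriving on port8
        "static_spoof_ok": spoof_check(with_static, remote_src, "port8"),
        "sdwan_only_spoof_ok": spoof_check(CONNECTED, remote_src, "port8"),
        # The same source arriving on an unexpected interface is blocked in either design
        "static_wrong_if_spoof_ok": spoof_check(with_static, remote_src, "port1"),
    }


if __name__ == "__main__":
    for name, value in compare_designs().items():
        print(f"{name}: {value}")
```

The point of the model is the ordering of the two layers: with only the routing table in play, the connected /24 always beats the /8 supernet, so adding a static route for the supernet is harmless for the VLANs; a policy rule is matched before the table, so a rule whose destination covers the connected subnets redirects them unless those subnets are excluded from the rule. The spoof check never sees the policy layer, which is why the SD-WAN-only design fails it.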