Firewall Routes

Dears,

I have a Sophos SG 330 firewall.

I'm trying to reach a new test cloud subnet from my internal network.

A static route had also been configured on the core switch before I started to work on the SG box.

I have performed the below configuration on SG BOX:

  • created a new network object and assigned it the corresponding network ID
  • from Interfaces & Routing I navigated to Static Routing, cloned the existing route for the production environment on the cloud, replaced the object with the newly created one, and saved the configuration
  • from the Network Protection tab I selected the Firewall option, allowed all traffic from the new subnet to the inside network and vice versa, and saved the configuration

As far as I know, that should be enough to reach the destination network; however, the servers on the destination network are not reachable from any VLAN inside my network. In addition, I tried to traceroute the servers' IPs from a local workstation, and the last hop before the network becomes unreachable is the SG box.

Is this issue familiar?

Can anyone help me solve it?

Best regards in advance



  • Ahlan Mohamad and welcome to the UTM Community!

    This is simpler with the UTM than with a classic firewall:

    • If the subnet you're trying to reach is public IPs on the Internet, you don't need to create a route.
    • You do need a firewall rule like 'Internal (Network) -> Any -> Internet IPv4 : Allow'
    • Since you're trying to receive responses from the public subnet, you don't need a firewall rule allowing those responses as the connection tracker takes care of allowing responses to requests sent from your internal network.
    • As Philipp says you will need a masquerading rule like 'Internal (Network) -> External'.

    You will also want to look at #2 and #2.1 in Rulz (last updated 2021-02-16).

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
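As an added illustration (this is not code from the thread or from Sophos), the following Python models the four things Bob's reply relies on: a longest-prefix route lookup, a top-down firewall rule set with an implicit default drop, a masquerading (source NAT) rule on the external interface, and a connection tracker that lets replies back in without any inbound rule. The topology is constructed for the example: 10.10.0.0/16 as the internal LAN on eth0, 198.51.100.2 as the UTM's external address on eth1 with 198.51.100.1 as the ISP gateway, and the documentation prefix 203.0.113.0/24 standing in for the public cloud subnet.

```python
import ipaddress

# Constructed topology for this example (assumed, not taken from the thread).
ROUTES = [
    # (prefix, next hop or None if directly connected, egress interface)
    ("10.10.0.0/16", None, "eth0"),            # internal LAN
    ("198.51.100.0/30", None, "eth1"),         # external transfer net
    ("0.0.0.0/0", "198.51.100.1", "eth1"),     # default route via the ISP
]

RULES = [
    # (source prefix, destination prefix, action); first match wins.
    # This is the 'Internal (Network) -> Any -> Internet IPv4 : Allow' rule.
    ("10.10.0.0/16", "0.0.0.0/0", "allow"),
]

MASQ = [
    # (source prefix, egress interface, address the source is rewritten to);
    # the 'Internal (Network) -> External' masquerading rule.
    ("10.10.0.0/16", "eth1", "198.51.100.2"),
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])


class StatefulFirewall:
    """Minimal model of rule lookup, masquerading and connection tracking."""

    def __init__(self, routes=ROUTES, rules=RULES, masq=MASQ):
        self.routes, self.rules, self.masq = routes, rules, masq
        # post-NAT 5-tuple-ish key (src, sport, dst, dport) -> original internal source
        self.flows = {}

    def _rule_allows(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for sp, dp, action in self.rules:
            if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
                return action == "allow"
        return False  # implicit default drop, as on the UTM

    def _masq_for(self, src, egress):
        s = ipaddress.ip_address(src)
        for sp, iface, addr in self.masq:
            if iface == egress and s in ipaddress.ip_network(sp):
                return addr
        return None

    def forward(self, src, sport, dst, dport):
        # A reply to a tracked flow is matched by the connection tracker, de-NATed
        # and accepted without consulting the rule set at all.
        key = (dst, dport, src, sport)
        if key in self.flows:
            return {"verdict": "allow", "state": "established",
                    "deliver_to": self.flows[key]}
        route = lookup_route(dst, self.routes)
        if route is None:
            return {"verdict": "drop", "reason": "no route"}
        next_hop, egress = route
        if not self._rule_allows(src, dst):
            return {"verdict": "drop", "reason": "no matching firewall rule"}
        snat = self._masq_for(src, egress)
        out_src = snat if snat else src
        self.flows[(out_src, sport, dst, dport)] = src
        return {"verdict": "allow", "state": "new", "egress": egress,
                "next_hop": next_hop, "out_src": out_src,
                "masqueraded": snat is not None}


def demo():
    """Outbound request, its reply, and an unsolicited inbound packet."""
    fw = StatefulFirewall()
    out = fw.forward("10.10.5.20", 40000, "203.0.113.10", 443)
    back = fw.forward("203.0.113.10", 443, "198.51.100.2", 40000)
    unsolicited = fw.forward("203.0.113.10", 443, "198.51.100.2", 40001)
    return out, back, unsolicited


def demo_without_masquerade():
    """Same request with no masquerading rule: it leaves with a private source."""
    fw = StatefulFirewall(masq=[])
    return fw.forward("10.10.5.20", 40000, "203.0.113.10", 443)


if __name__ == "__main__":
    for r in demo():
        print(r)
    print(demo_without_masquerade())
```

In `demo()` the request is allowed by the single outbound rule, rewritten to 198.51.100.2 on eth1 and sent to the default gateway; the reply is accepted purely from the tracked flow and handed back to 10.10.5.20, while an unsolicited packet to a port nobody opened hits the implicit drop. `demo_without_masquerade()` shows the failure Bob warns about: the packet is still forwarded, but with 10.10.5.20 as its source, so no Internet host can route a reply back and the connection stalls at the firewall.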