RED devices and manual/split/standard mode - any actual videos or diagrams for us newbs?

Hello all,

Your friendly neighbourhood networking newb here. I'm attempting to avoid going through another 18 hours of no internet at head office (yay for nationwide outages) knocking out the other remote offices. I know that REDs can't fail over to another UTM (unfortunately); however, I did come across manual/split mode when digging into options. This may all be temporary, I hope, as I'm closer to convincing the execs for a secondary fibre provider, and as our present connections with UTMs in place will be upgrading to 1Gbps. I'm sourcing new UTMs (probably SG330s, as they appear to handle VPN traffic the fastest) and will be able to move our older SGs to replace the REDs. As I'm a visual, hands-on learner, are there any videos or diagram examples out there for setting up manual/split?

Right now our setup is as follows (ignore the orange double arrows):

I would like the manual/split (orange double arrows) to happen when the tunnel to HQ goes down for the REDs, but only for IPv4 internet. I'm guessing that at this point, the network at each site with the REDs in place is subject to only its "internal protections"? As the HO and the REDs are on the same provider (who may also eventually be the secondary at HQ), if I get them to mesh the networks together, would it be possible to use the UTM there (UTM 2) as the failover instead? My best guess is no, as it wouldn't contain the configuration information for the REDs (even if they were created manually on this UTM)?

I'll be looking into SD-WAN or failover for UTMs shortly as well, so if there is any added reading recommended, feel free to pass those along. Ultimately, if I can convince TPTB to get a consultant to assist *cough*Bob*cough* with the swaps when they happen, then of course I'll only need the material for learning. :)

-Dave

  • Bonjour Dave,

    With a UTM-to-UTM RED tunnel, it's easy to accomplish what you want with Multipath rules and, possibly, additional firewall rules.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Dave,

    As you said, the easiest solution is to get a second connection from a different provider on HQ UTM1 and use this as failover in the REDs.

    For some customers we put a "central UTM cluster" in a professional housing centre with highly redundant internet/power/AC. All REDs terminate there, including the HQ UTM via RED tunnel, the same as all other VPNs.

    Bye, Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • (I never received the notifications for the replies, so sorry on the late acknowledgements! Thanks!)

    On a related question and having dug into the whole "SD-WAN" hype, with the best description being "Salesman Defined Wide Area Networking", would this also not be possible by creating a LAG (or NIC Bond), and having the second IP address listed in the RED config? With the potential upgrade of the UTMs here, and me wanting to redeploy the "old ones", is there a way to:

    A) Run or "convert" the UTMs into RED like devices without having to pay the UTM licensing costs?

    B) Have the UTMs act as HA devices AND active IPsec tunnels (basically, if the new UTM fails, another UTM takes over as "master" for the other UTMs)? (I assume licensing would be different as well; even if the licence has to be a full-blown one, I'd be OK with paying for having the redundancy :) )

    C) I'm sneaking this in as it isn't totally RED related :) - however, is there a way to export and import general configs/rules (web security, intrusion prevention, etc.) between UTMs with the same firmware versions?

    Y'all the best!

  • A) Convert the UTMs to XGs to get "free" site-to-site VPN.

    B) In an Active-Passive scenario, there is no additional licensing charge. The devices must be nearly identical.

    C) You can't export a partial config except that you can make a backup with "Unique site data (license, passwords, certificates/keys, endpoints) and Administrative mail addresses" removed.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks as usual, Bob! I don't think our SG UTMs can be converted to XGs, sadly, as I believe they are Rev 1s. I assume we can mix SGs and XGs? Any recommendations for an SG UTM (I never hold anyone to their suggestion if I follow through and blindly buy one, so no fear there) for fewer than 100 users, 5-8 remote sites (to account for tunnels) and supporting 1Gb fibre? Sites have connections from 100-500Mb fibre.