This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multipath to another UTM?

I'm planning on multipathing to another UTM like so:

SITE A UTM interface B (WAN 2) > SITE B UTM interface C (SITE A UTM) > NAT > INTERNET

So, the question is:

where to apply the firewall rules?

1. At SITE A interface and a) allow all traffic or b) limit access here
2. At SITE B interface and a) allow all traffic or b) limit access here

My preference would be at SITE B where the natting will take place as this keeps it uniform with most things. 
I'd simply allow all traffic that enters SITE A interface A (going to SITE B UTM) to flow

So the multipath traffic would be filtered 50/50 at SITE A & SITE B

Any downsides to this?



This thread was automatically locked due to age.
Parents
  • Wow..... this starts getting complicated. I've got it up and running but there's countless things to take into account ie authentication, proxies, fw rules

    It's flaming complex and I'm only halfway there as I have to provide the same in reverse.

  • Quick question then...... if the traffic is using the web proxy at the first UTM (internal), should I send it into the proxy at the second UTM (edge) or just directly out to the net?

  • Sorry, Louis, but I don't understand what you are trying to accomplish nor what you've configured to address it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    it actually in another thread but this was a seperate question which I'm hoping might act as a reference for somebody trying the same in the future.

    52 sites all connected via MPLS.
    2 of the above sites are our main central sites (one primary and one failover)
    Each of the above 2 main sites has a UTM cluster with a 50mb/50mb internet breakout
    The above 2 main sites are also directly connected via a 1g PtP which is used for replication etc and are about 150km apart in geographical distance.

    Now down this 1g link, I've created another 2 vlans to take internet bound traffic
    Vlan A = SITE A UTM 2nd WAN > SITE B 2nd LAN
    Vlan B = SITE B UTM 2nd WAN > SITE A 2nd LAN

    (I've called them WAN's and LAN's above to signify inside and outside for simplicity but they are just interfaces to me)

    If we concentrate on SITE A (rather than both sites as they are a mirror of each other)

    Internet bound traffic enters SITE A from the other 50 remote sites and it's internet is balanced between its UTM WAN 1 (internet ISP A) and it's WAN 2 (1g link to SITE B UTM) > SITE B UTM WAN 1 (ISP B)

    It's actually working very well at the moment. Now picture traffic coming in from the remote sites. Internet bound traffic uses the SITE A web proxy before leaving the UTM at that site. 50% goes to the internet, 50% goes to SITE B UTM via 1g link.
    Am I better to send this traffic through the SITE B UTM web proxy again before going to the internet SITE B WAN 1(ISP B) or just sending it directly out ie no proxy. Bear in mind, the traffic has already been authenticated, proxied etc at SITE A

    Currently I have it using the web proxy at SITE B (so traffic from SITE A is being proxied twice) although I don't do any authenication for this interface as it's already been done at SITE A. I suppose I'm getting 2 layers of protection here ie SITE A proxy and SITE B proxy before hitting the internet and the performance hit is minimal.

    Im about to embark on the lower routing which will finish this off. So that is SITE A incoming connection goes offline, the reverse happens ie traffic enters SITE B and is also load balanced between SITE B and SITE A UTM's via the 1g link. Obviously, if SITE A goes offline completely, everything will flow into SITE B and internet traffic will only leave via SITE B UTM

    It starts to get a little complex once you have QoS enabled, web proxy rules etc and it's basically a need to keep both sites UTM's configured the same with proxy authentication etc only occurring on certain interfaces etc

  • You're right that this requires some complexity, Louis.  I did this for a client in Maryland that's also a UTM installer and needed some specialized help.  I wouldn't proxy the traffic twice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It's working well at the moment in one direction. It will be early next year by the time I get the underlying routing in and fully tested. But I'm happy at the moment.

    With regards to the SITE B UTM, I was just thinking of allowing an any/any rule which would allow all traffic coming from SITE A UTM to traverse it. This simplifies things as the authentication, QoS, NAT etc is all done at SITE A UTM.

    Obviously, when I get the underlying routing and redundancy in for the network, the whole thing will flip round and SITE B will do the authentication etc with SITE A UTM just doing a pass through. It will be a really good setup when done and offer us a fair bit of network redundancy/failover.

  • With 9.4, U.T.M. web proxy with https inspection will reject connection to U.T.M. W.A.F because of the included root certificate.  I think 9.5 proxy will ignore the root, so no problem will occur.  

    If you encounter this, the workaround is to bypass https inspection for the WAF site.  May not apply at all to your configuration, or might be part of the muddle that you alluded to as already solved.

Reply
  • With 9.4, U.T.M. web proxy with https inspection will reject connection to U.T.M. W.A.F because of the included root certificate.  I think 9.5 proxy will ignore the root, so no problem will occur.  

    If you encounter this, the workaround is to bypass https inspection for the WAF site.  May not apply at all to your configuration, or might be part of the muddle that you alluded to as already solved.

Children
No Data