As an Application Service Provider, we have several UTMs connected to internet uplinks via a dedicated transfer (sometimes called "glue") /29 network; a pool of public IPs, onto which our Virtual Hosts are mapped, is then routed behind the public IP of the UTM WAN interface (which belongs to the glue network).
The above configuration is pretty standard. Other vendors, for example Checkpoint, do not require any Alias or proxy ARP configuration. Packets routed to the WAN interface are captured by the firewall engine and processed according to security and NAT rules.
It seems that Sophos UTM requires an Additional Address configuration for each and every IP to be captured and processed, even if these IPs belong to a subnet that is already routed to the WAN IP.
How should these additional addresses be configured, specifically:
1) Can the entire Virtual Hosts subnet, let's say a /24, be configured as a single item, or does each IP need to be added one by one?
2) How does the network mask have to be defined?
The official documentation says nothing about this, and I have found discrepant information here: /32, the mask of the WAN interface (which is not relevant in our case), the mask of the subnet of IPs routed behind the WAN, ...
Thank you in advance for clarification.
_lele_