Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

Thread Info
  • Replies 8 replies
  • Subscribers 14 subscribers
  • Views 18085 views
  • Users 0 members are here
Options
Suggested

Sophos UTM: best practice for uplink balancing and multipath rules

taowang

Note: Please contact Sophos Professional Services if you require direct assistance with your specific environment.

Overview

This article focuses on best practices to configure Uplink Balancing and Multipath Rules for 2 or more WAN links.

Thanks to @BAlfson for great explanation about default multipath rule.

Basic setup

To distribute traffic evenly on 2 WAN links,

  1. Go to Interfaces & Routing > Interfaces > Uplink Balancing, enable Uplink Balancing.
  2. You don't have to create the following multipath rule, but you should know it is the default applied when traffic doesn't qualify for any multipath rule.
    Go to Interfaces & Routing > Interfaces > Multipath Rules, create a multipath rule with
    Source: an internal network
    Itf. Persistence: By Connection
    Balanced to: Uplink Intefacees

    Note: Like all ordered (numbered) lists in UTM, once a rule applies, no subsequent rules are considered.



  3. Go to Network Protection > NAT > Masquerading, create a masquearding rule with "Interface: Uplink interfaces". If no such masquearding rule, UTM might choose wrong WAN interface for outbound traffic.

Internal network uses a specific WAN interface for outbound traffic

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create a multipath rule with
    Source: the internal network
    Itf. Persistence: By Interface
    Bind interface: the WAN interface designated for the internal network
    Skip rule on interface error: checked, so that traffic will be sent out from another up WAN interface if bind interface is down.

WAN interface serves only one host

Target: WAN interface "WAN_200_225" is only used by 192.168.10.9 to access Internet, no other internal host/network can use it to access Internet.

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create a multipath rule, set
    Source: host definition of 192.168.10.9
    Itf. Persistence: By Interface
    Bind interface: WAN_200_225
    Skip rule on interface error: checked
  3. Edit schedule of uplink balancing
  4. Change weight of interface "WAN_200_225" to 0, so that it won't be used by other multipath rule configured with "Itf. Persistence: Connection/Source/Destination"

Load traffic on specific WAN interfaces

Assume UTM has 3 WAN interfaces, traffic from an internal network needs to be loaded on 2 WAN interfaces only.

  1. Enable Uplink Balancing, and create a masquerading rule with "Interface: Uplink interfaces" for the internal network as above
  2. Create an interface group contains those 2 WAN interfaces, in UTM webadmin > Interfaces & Routing > Interfaces > Interfaces > New Interface… > Type: Group
  3. Go to Interfaces & Routing > Multipath Rules, create a multipath rule, configure 
    Source: the internal network
    Itf. Persistence: By connection
    In Advanced Settings, set Balanced to:  the interface group

Technical KBA for reference

Sophos UTM: Uplink Balancing and Multipath rule, support.sophos.com/.../KB-000034635



Updated with default multipath rule, suggested by BAlfson
[edited by: taowang at 3:38 AM (GMT -8) on 7 Nov 2020]
[edited by: FloSupport at 1:05 AM (GMT -7) on 8 Jun 2021]
Unfiltered HTML