Sophos XG Firewall v18: How to Choose the gateway for a firewall rule

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Hi everyone,

With Sophos XG v18 update, there are some significant changes concerning the configuration on selecting a gateway. We will try to explain the changes from v17 to v18 in this article.

How it is in v17:

In v17, you choose the default gateway for the traffic going to the Internet or outside the XG in the same firewall rule configuration. This option was available under Firewall rule Advanced | NAT & routing.  

  1. For the part shown in the screenshot, we specify the name of the firewall rule and other details regarding rule grouping and Action. Then we specify the Source zones, Source networks and devices, During scheduled time, Destination zones, Destination networks, and Services. Please click on the help button if you're not sure what each option means.



  2. Now, for the rest of the firewall rule, we can specify all the different scanning options and policies. Our focus for this article is NAT & routing. The first checkbox enables masquerading, which rewrites the source address of the traffic to the address of the interface it leaves Sophos XG from. Then the Primary Gateway is set to DHCP_Port2_GW and the Backup gateway to WAN link load balance.



  3. If configured as the above configuration, traffic will pass through WAN Port2 as long as Port2 is up. As soon as Port2 goes down, it will then be forwarded according to the WAN link load balance.

How it is in v18:

Now, let us focus on how we can create the same rule in v18. This involves a lot of screenshots, but most settings are left at their default value; change them according to your requirements. We will create a firewall rule to allow LAN to WAN traffic that should pass through Port2 primarily, and through the WAN link load balance if Port2 is down.

  1. We will specify everything as mentioned in Step 1 for v17.



  2. Now, the next portion of the configuration is Add exclusion. You can use it to specify criteria that you do not want this rule to match. Traffic matching the excluded criteria is evaluated against the rest of the rule table instead.



  3. Now, the option Create linked NAT rule is one of the significant changes in v18. When you click on that option, it opens a new box for Add NAT rule. If you create a NAT rule from this option, it only applies to the traffic matching that specific firewall rule, and some options are greyed out so that you cannot change them. You also cannot edit it from the NAT rule table, where it is listed along with all other source NAT rules. Further, it is okay to NOT configure any NAT rule here. The only reason to configure a NAT rule from here is to link that NAT rule specifically to this firewall rule.

    Please note, XG Firewall applies firewall rules before it applies source NAT rules. If a NAT rule meets the matching criteria and is listed in the NAT rule table above the linked NAT rule, XG Firewall applies that rule and doesn't look further for the linked rule. This means that, regardless of whether NAT rules are linked or unlinked, Sophos XG always follows the top-to-bottom approach and selects the first NAT rule matching the criteria, just as it does for firewall rules.

  4. Please read this help page https://docs.sophos.com/nsg/sophos-firewall/18.0/releasenotes/en-us/nsg/sfos/releasenotes/rn_NATRulesEdit.html to understand all the options available in a NAT rule. You can either configure a linked NAT rule as described above, or create an unlinked NAT rule by browsing to PROTECT > Rules and policies > NAT rules.



  5. The remaining part is as shown in the screenshot below. You should select the options according to your requirements.



  6. Now, we will look into how we will send out the traffic from Sophos XG. There are a lot of granular controls available to route traffic out from a specific interface if it matches certain criteria. Please go through this help link if you want detailed information about how this works and what options you can configure http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/PolicyRouting.html

    For the sake of comparison with v17, we will simply configure an SD-WAN policy that behaves exactly like the v17 firewall rule described earlier. You can specify the LAN network as I have, or you can leave it empty. If you leave it empty, your Internet-bound traffic will still be routed as configured under this policy. For a detailed explanation of each option, please check http://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/PolicyRoutingEdit.html.



    If configured as the above configuration, traffic will pass through WAN Port2 as long as Port2 is Up. As soon as Port2 goes down, it will then be forwarded according to the WAN link load balance.
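To make the two evaluation rules from steps 3 and 6 concrete (first-match top-to-bottom NAT selection where a linked rule gets no precedence, and primary/backup gateway selection in the SD-WAN policy), here is a small added model written for this article; it is not Sophos code, and the rule names, networks and gateway names are constructed sample values.

```python
"""Constructed model of the v18 evaluation order described above:
firewall rule first, then the NAT table top-to-bottom (first match wins,
linked or not), then the SD-WAN policy picks the primary gateway while it
is up and the backup otherwise. Not Sophos code; names are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str
    src_net: str          # source network the NAT rule matches
    dst_zone: str         # destination zone the NAT rule matches
    linked_to: str = ""   # firewall rule name if created as a linked NAT rule


@dataclass
class SdwanPolicy:
    src_net: Optional[str]   # None = any source (field left empty)
    primary: str
    backup: str


def _in_net(net: Optional[str], src_ip: str) -> bool:
    return net is None or ip_address(src_ip) in ip_network(net)


def select_nat(nat_table, fw_rule: str, src_ip: str, dst_zone: str) -> Optional[str]:
    """Return the first NAT rule that matches; a linked rule does not jump the queue."""
    for rule in nat_table:
        if rule.linked_to and rule.linked_to != fw_rule:
            continue  # linked to a different firewall rule, so not eligible here
        if rule.dst_zone == dst_zone and _in_net(rule.src_net, src_ip):
            return rule.name
    return None


def select_gateway(policy: SdwanPolicy, src_ip: str, gateway_up: dict) -> Optional[str]:
    """Primary gateway while it is up, otherwise the backup (e.g. WAN link load balance)."""
    if not _in_net(policy.src_net, src_ip):
        return None  # policy does not apply; normal routing would decide
    return policy.primary if gateway_up.get(policy.primary) else policy.backup


# Constructed sample configuration: a generic SNAT rule sits ABOVE the linked rule.
NAT_TABLE = [
    NatRule("Any_to_WAN_SNAT", "0.0.0.0/0", "WAN"),
    NatRule("LAN_to_WAN_linked", "192.168.1.0/24", "WAN", linked_to="LAN_to_WAN"),
]
POLICY = SdwanPolicy("192.168.1.0/24", "DHCP_Port2_GW", "WAN link load balance")
```

Running `select_nat` against `NAT_TABLE` shows the generic rule winning for LAN traffic even though a linked rule exists further down; reversing the table order is what makes the linked rule apply.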

I hope this article helps you understand the difference between v17 and v18. For more information, please check this video guide on YouTube.



Have a suggestion for a new video? Please visit our User Assistance forum on the Community to share your idea! https://community.sophos.com/community-chat/f/user-assistance-feedback.