Overview
This article shows how to configure NAT port forwarding for Panasonic switchboard equipment, so that callers on the Internet can phone the internal system.
Here I use a Panasonic VoIP switchboard.
Sophos XG Firewall v18 MR3
The switchboard's port is 5060, but because port 5060 is a spam port, the switchboard's public port to the outside is changed to port 31303.
The switchboard's voice ports are the port range 16000 to 16500.
Diagram
How to configure
- Log in to Sophos XG with the Admin account
- Go to SYSTEM -> Choose Hosts and services -> In IP Host -> Click Add New -> Create the host SwitchboardDevice1 with IP 192.168.4.10
- Create a similar host, SwitchboardDevice2, with IP 192.168.4.11
- Go to Services -> Click Add -> Create a service with the UDP protocol and port 31303
- Create a service with the UDP protocol and ports 16000 to 16511
- Go to Rules and policies -> Choose NAT rules -> Click Add NAT rule -> Choose New NAT rule
- Create a NAT rule that forwards port 31303 to the IP of SwitchboardDevice1 (192.168.4.10)
  - In Original source: Choose Any
  - In Original destination: Choose Any
  - In Original service: Choose the service created earlier (31303)
  - In Translated source (SNAT): Choose Original
  - In Translated destination (DNAT): Choose 192.168.4.10
  - In Translated service (PAT): Choose Original
  - In Inbound interface: Choose Any or the WAN port
  - In Outbound interface: Choose Any or the switchboard port
  - -> Click Save
- Create a NAT rule that forwards ports 16000 to 16511 to the IP of SwitchboardDevice2 (192.168.4.11)
  - In Original source: Choose Any
  - In Original destination: Choose Any
  - In Original service: Choose the service created earlier (16000:16511)
  - In Translated source (SNAT): Choose Original
  - In Translated destination (DNAT): Choose 192.168.4.11
  - In Translated service (PAT): Choose Original
  - In Inbound interface: Choose Any or the WAN port
  - In Outbound interface: Choose Any or the switchboard port
  - -> Click Save
- Go to Firewall rules -> Click Add firewall rule -> Choose New firewall rule
  - Enter name: Allow WAN to TongDai
  - In Source zones: Choose WAN
  - In Source networks and devices: Choose Any
  - In Destination zones: Choose LAN
  - In Destination networks: Choose the two switchboard IPs (192.168.4.10 and 192.168.4.11)
  - In Services: Choose the two services created earlier (31303 and 16500:16511)
  - -> Click Save
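
The port ranges differ between the overview, the NAT services and the firewall rule, so it is worth checking that they line up before exposing the switchboard to the WAN. The Python check below is an added example, not part of the original article or any Sophos tooling; it models only port ranges, assumes a port must be covered by both a NAT rule and the firewall rule to reach the switchboard, and all names in it are hypothetical.

```python
# Port ranges copied from the steps above; the model is a constructed simplification
# (assumption: a port reaches the switchboard only if NAT and firewall rule both cover it).
SIGNALING = (31303, 31303)                  # UDP service forwarded to 192.168.4.10
NAT_SERVICES = [SIGNALING, (16000, 16511)]  # services used in the two NAT rules
FW_SERVICES = [SIGNALING, (16500, 16511)]   # services as listed in the firewall rule step
DOCUMENTED = [SIGNALING, (16000, 16500)]    # ports named in the overview


def expand(services):
    """Turn inclusive (first, last) pairs into a set of port numbers."""
    return {p for first, last in services for p in range(first, last + 1)}


def spans(ports):
    """Collapse a set of ports into sorted inclusive (first, last) pairs."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


def audit(nat=NAT_SERVICES, fw=FW_SERVICES, documented=DOCUMENTED):
    nat_p, fw_p, doc_p = expand(nat), expand(fw), expand(documented)
    return {
        # Translated by a NAT rule but matched by no allow rule: traffic is dropped.
        "forwarded_not_allowed": spans(nat_p - fw_p),
        # Allowed by the firewall rule but never translated: dead rule entries.
        "allowed_not_forwarded": spans(fw_p - nat_p),
        # Open to the WAN although the overview does not list them as in use.
        "forwarded_beyond_documented": spans(nat_p - doc_p),
    }


if __name__ == "__main__":
    for name, ranges in audit().items():
        print(f"{name}: {ranges or 'none'}")
```

An empty list for every key means the NAT services, the firewall rule and the documented port plan agree; any non-empty entry is a range to reconcile in Hosts and services or in the rule itself.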
One of the great new features in XG Firewall v18 that we covered in Part 3 of this series is the new SD-WAN Application and User/Group based link selection capabilities. In this article, we’ll review how you can take advantage of those as a part of another new feature in XG Firewall v18 – Route Based IPsec VPN.
Route Based IPsec (RBVPN) in XG Firewall v18 enables truly dynamic IPsec site-to-site VPN tunnels. With RBVPN, network topology changes do not impact VPN policy and you no longer need to modify VPN policies if networks are added or removed from your environment, greatly simplifying VPN policy creation and management, especially in larger and more dynamic environments.
RBVPN provides full control over routing with support for static, dynamic (OSPF, BGP, RIP) and SD-WAN policy-based routes with RBVPN policies. The RBVPN implementation in XG Firewall v18 also provides the flexibility to set up more complex network address translation using the new NAT rule configuration, such as VPN NAT overlap scenarios.
XG Firewall v18 also supports RBVPN tunnel interfaces for SD-WAN policy-based routes to support IPsec and MPLS co-existence with SD-WAN. This makes it possible to enable IPsec and MPLS (even on a non-WAN zone) to both be active at the same time with options for load balancing on VPN tunnels as well.
RBVPN is a well-accepted industry standard and interoperates nicely with other vendors’ route-based VPN tunnels, making it easier to tunnel to Azure/AWS and other cloud providers. Ultimately, route-based VPN is the preferred choice for today’s dynamic networks.
Making the Most of Route-Based IPsec VPN Tunnels in XG Firewall
This video provides a great detailed look at how to set up route-based VPN in XG Firewall v18:
Then, you can take full advantage of the new Synchronized SD-WAN policy-based routing for your VPN traffic, with options for user, group, application, and even Synchronized Application Control discovered app-based routing for your route-based VPN.
Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications and now these previously unidentified applications can also be added to SD-WAN and VPN routing. This provides a level of application routing control and reliability that other firewalls can’t match.
To use Synchronized Application Control discovered apps in your routing, when creating an application object for SD-WAN or VPN routing, you can select “Synchronized Application Control” from the technology drop-down box as shown below to see all the relevant applications.
Here’s a summary of the resources available to help you make the most of the new features in XG Firewall v18, including the new route-based VPN capabilities:

If you’re new to Sophos XG Firewall, learn more about the great benefits and features XG Firewall can deliver to your network.
Selling XG Firewall
On the Sophos partner portal, we provide you with a wealth of sales assets. You may filter the list of assets by selecting a category to narrow down the results. And don’t forget to check whether there is a sales promotion available for your region. It’s worth checking back from time to time to make sure you’re not missing out on a great opportunity!
