Sophos XG Firewall: How to create policy-based routes with firewall rules

The goal of the article

  • This article will show you how to create a policy routes to route user traffic by user, user group, server, or service.
  • We will create these policy routes using firewall rules and it will not affect routing rules in Routing> Policy Routing.

Configuration instruction

We will have the diagram as shown below

  • This article contains 3 examples of configuring policy-based routes:
  • User-based or Group-based Routing.
  • Service-based Routing.
  • Server-based Routing.

User-based or Group-based Routing

  • In this example we will configure all users’ internet traffic from the LAN area (all people in the LAN located in Group Marketing) routing through Gateway 1.
  • To configure, click Firewall> + Add Firewall Rule and enter the following parameters.
  • Name: Enter a rule name
  • Action: Accept
  • Source Zone: LAN
  • Source Networks and Devices: Any
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: Any
  • Match known users: Check
  • User or Groups: Marketing
  • Rewrite source address (Masquerading): Check
  • Primary Gateway: Select the gateway you wish this traffic to go out
  • Note: To view the Gateway name, go to Network> Interface> Click on Port Wan that we want to see the name.
  • Click Save.

Service-based routing

  • In this example we will create policy routes that route all traffic of the SMTP (email) service through the Gateway 1 port.
  • To configure, click Firewall> + Add Firewall Rule and enter the following parameters.
  • Name: Enter a rule name
  • Action: Accept
  • Source Zone: Lan
  • Source Networks and Devices: Any
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: SMTP
  • Match known users: Unchecked
  • Rewrite source address (Masquerading): Checked
  • Primary Gateway: Select the gateway you wish this traffic to go out

Server-based routing

  • In this example, we will configure all traffic from the Web Server routing through Gateway 2.
  • To configure, click Firewall> + Add Firewall Rule and enter the following parameters.
  • Name: Enter a rule name
  • Action: Accept
  • Source Zone: Lan
  • Source Networks and Devices: Web Server
  • Destination Zones: WAN
  • Destination Networks: Any
  • Services: Any
  • Match known users: Unchecked
  • Rewrite source address (Masquerading): Checked
  • Primary Gateway: Select the gateway you wish this traffic to go out

Be the first to comment

Leave a Reply

Your email address will not be published.


*