Sophos XG: Guide for Failover configuration for WAN ports on XG

This article shows you how to configure Failover for two WANs on Sophos XG device. Thereby, it helps to support the main WAN when having problems, the remaining road will help the network in the enterprise to be maintained and operated continuously

This article will be configured according to the following network diagram:

How to configure

Step 1: Log in to Sophos XG by Admin account

Step 2: Configure 2 Ports to Sophos XG’s WAN port

  • Network -> Interfaces
  • Select the Port you want to configure to WAN
  • Enter information for Port

-> Click Save

  • You can configure the same configuration for the other site

Step 3: Configure Failover for WAN

  • Network -> WAN link manager

In the main WAN: Click Edit icon

  • Choose Active
  • Weight: 1

-> Click Save

In WAN Backup: Click Edit icon

  • In the Active This Gateway section: Select If -> Select main GW
  • In Action on activation: Select Inherit weight of the failed active gateway
  • In Action on fallback: Select Server new connections through restored gateway

-> Click Save

  • You can configure the same configuration for other site

Step 4: Create firewall rules for 2 sites that can ping each other

  • Firewall -> Click Add firewall rule -> User/network rule
  • Enter the name for the rule
  • In the Rule position: Select Top
  • In the Source zones: Select WAN
  • In the Source networks and devices: Select Any
  • In the Destination zones: Select LAN
  • In the Destination networks: Select Any
  • In the Services: Select ICMP

-> Click Save

Step 5: Check Ping and Tracert between two sites

Step 6: Check to try to remove the main WAN line to see if the system switches to Backup line

** If you have difficulty configuring Sophos products in VietNam, please contact us:

Hotline: 02862711677

Email: info@thegioifirewall.com

2 Comments

  1. You are playing a joke here, right? Are you REALLY saying you want us to create a firewall rule that will allow ICMP to traverse from the WAN to the LAN from anywhere? Seriously?

    Since your network drawing is highly improbable, and you want this firewall rule, I have to assume this is a big April Fools joke.

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.