How to configure SD-WAN on Sophos Firewall

1. The purpose of the article

This article shows how to configure SD-WAN policy routing so that the traffic of a chosen application, for a chosen user, follows the internet path (ISP line) the administrator specifies.

2. Diagram

Details:

  • Two ISP lines connect to the Sophos Firewall and run in load balancing. ISP line 1 connects to Port 2 of the Sophos Firewall with IP 192.168.2.103.
  • ISP line 2 connects to the Sophos Firewall at Port 3 with IP 192.168.2.117.
  • Port 1 is in the LAN zone of the Sophos Firewall with IP 10.145.41.1/24 and is configured with DHCP to allocate IPs.
  • Finally, there are 2 laptops in the LAN.
  • Laptop 1 has IP 10.145.41.53/24 and is authenticated to the captive portal as user1.
  • Laptop 2 has IP 10.145.41.51/24 and is authenticated to the captive portal as user2.

3. Scenario

We will configure SD-WAN so that when laptop 1, authenticated as user1, uses the Skype application, the traffic of this application goes to the internet through ISP 1.

Similarly, we will configure SD-WAN so that when laptop 2, authenticated as user2, uses the Telegram application, the traffic of this application goes to the internet through ISP 2.

4. Steps to take

  • Create profile for LAN subnet.
  • Create SD-WAN policy routing for user 1.
  • Create SD-WAN policy routing for user 2.
  • Result.

5. Configuration

5.1. Create profile for LAN subnet

To create it, go to Hosts and services > click Add and create it with the following parameters:

  • Name*: Local.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.145.41.0, Subnet: /24 (255.255.255.0)
  • Click Save.

5.2. Create SD-WAN policy routing for user 1

To create it, go to CONFIGURE > Routing > SD-WAN policy routing > click Add.

Create with the following parameters:

  • Name*: Routing_User1_For_Skype
  • Incoming interface: Select the Sophos LAN port, Port1-10.145.41.1.
  • Source networks: Select the profile of the Sophos LAN subnet, Local.
  • Destination networks: select Any
  • Services: Select Any
  • Application object: Click Add new item and uncheck Any.
  • Click Create New > Create application object panel appears.
  • Object Name*: Skype
  • Check Select individual application.
  • In the Name column, click the hourglass icon and type Skype in the Filter panel.
  • Click Apply.
  • Check the Skype application and click Save.
  • User and groups: select user1@learningit.xyz.
  • Primary gateway: Select the WAN port you want the application's traffic to use; here we choose ISP 1.
  • Backup gateway: Select another WAN port to fail over to if the primary WAN goes down (leave it blank if no failover is wanted).
  • Click Save.

5.3. Create SD-WAN policy routing for user 2

To create it, go to CONFIGURE > Routing > SD-WAN policy routing > click Add.

Create with the following parameters:

  • Name*: Routing_User2_For_Telegram
  • Incoming interface: Select the Sophos LAN port, Port1-10.145.41.1.
  • Source networks: Select the profile of the Sophos LAN subnet, Local.
  • Destination networks: select Any
  • Services: Select Any
  • Application object: Click Add new item and uncheck Any.
  • Click Create New > Create application object panel appears.
  • Object Name*: Telegram
  • Check Select individual application.
  • In the Name column, click the hourglass icon and type Telegram in the Filter panel.
  • Click Apply.
  • Tick the Telegram app and click Save.
  • User and groups: select user2@learningit.xyz.
  • Primary gateway: Select the WAN port you want the application's traffic to use; here we choose ISP 2.
  • Backup gateway: Select another WAN port to fail over to if the primary WAN goes down (leave it blank if no failover is wanted).
  • Click Save.
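The two policies above match on the same fields in the same order: incoming interface, source network, user and application object, and then hand the flow to the primary gateway, or to the backup gateway when the primary is down. The following script is an added example, not Sophos code and not from this article, that models that selection as plain Python so the matching and failover behaviour can be reasoned about and tested. It encodes the two routes from sections 5.2 and 5.3 as data; the handling of the case where both primary and backup gateways are down (falling back to the firewall's default, load-balanced WAN choice) and the `POLICIES_WITH_BACKUP` variant are assumptions made for illustration.

```python
"""Simplified model of SD-WAN policy-route selection (added example, not Sophos code)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class PolicyRoute:
    name: str
    incoming_interface: str
    source_network: ipaddress.IPv4Network
    users: FrozenSet[str]          # "User and groups" criterion
    applications: FrozenSet[str]   # "Application object" criterion
    primary_gateway: str
    backup_gateway: Optional[str] = None


LAN = ipaddress.ip_network("10.145.41.0/24")   # the "Local" host object from 5.1

# The two routes from sections 5.2 and 5.3, backup gateway left blank as in the article.
POLICIES = [
    PolicyRoute("Routing_User1_For_Skype", "Port1", LAN,
                frozenset({"user1@learningit.xyz"}), frozenset({"Skype"}), "ISP 1"),
    PolicyRoute("Routing_User2_For_Telegram", "Port1", LAN,
                frozenset({"user2@learningit.xyz"}), frozenset({"Telegram"}), "ISP 2"),
]

# Assumed variant for demonstrating failover: user1's route gets ISP 2 as backup.
POLICIES_WITH_BACKUP = [replace(POLICIES[0], backup_gateway="ISP 2"), POLICIES[1]]

DEFAULT = "default"   # stands for the firewall's ordinary load-balanced WAN selection


def select_gateway(policies: Iterable[PolicyRoute], incoming_interface: str, src_ip: str,
                   user: Optional[str], application: str,
                   gateways_up: Set[str]) -> Tuple[Optional[str], str]:
    """First-match evaluation of the policy list for one flow.

    Returns (policy_name, gateway). policy_name is None when no route matched and the
    flow is left to default routing. An unauthenticated flow has user=None and can
    never satisfy a user-bound route.
    """
    src = ipaddress.ip_address(src_ip)
    for p in policies:
        if p.incoming_interface != incoming_interface or src not in p.source_network:
            continue
        if user not in p.users or application not in p.applications:
            continue
        if p.primary_gateway in gateways_up:
            return p.name, p.primary_gateway
        if p.backup_gateway is not None and p.backup_gateway in gateways_up:
            return p.name, p.backup_gateway
        # Assumption: with primary and backup both down, the flow falls back to default routing.
        return p.name, DEFAULT
    return None, DEFAULT


if __name__ == "__main__":
    up = {"ISP 1", "ISP 2"}
    print(select_gateway(POLICIES, "Port1", "10.145.41.53", "user1@learningit.xyz", "Skype", up))
    print(select_gateway(POLICIES, "Port1", "10.145.41.51", "user2@learningit.xyz", "Telegram", up))
    print(select_gateway(POLICIES_WITH_BACKUP, "Port1", "10.145.41.53",
                         "user1@learningit.xyz", "Skype", {"ISP 2"}))
```

The model makes two points visible that the click-through steps do not: user1's Telegram traffic (or any unauthenticated Skype traffic) matches neither route and stays on the default load-balanced path, and a route without a backup gateway cannot fail over, which is why the "Backup gateway" field matters if the chosen ISP line goes down.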

5.4. Result

We will use the two applications, Skype and Telegram, to check the results.

Laptop 1 has authenticated to the captive portal as user1 to access the internet.

Use the Skype app to make phone calls.

Then go to Log Viewer of Sophos Firewall to check.

To enter Log Viewer log in to the admin page and click Log viewer.

Initially, Log viewer shows no Application column.

To display this column, click the Add column icon, select Application and then click Apply.

Then click Add filter, in the Field select Username and enter user1 in the Value box to see only user1's log entries.

As a result, we can see that laptop 1 with IP 10.145.41.53 is authenticated as user1 and, when it uses the Skype application, the traffic of this application has followed ISP 1, i.e. Port 2 on the Sophos Firewall.

Similarly for laptop 2, we authenticate to the captive portal as user2 to access the internet.

Use the Telegram app to make a phone call.

Then go to Log Viewer to check.

As a result, we see that laptop 2 with IP 10.145.41.51 is authenticated as user2 and, when it uses Telegram, the traffic of this application follows ISP 2, i.e. Port 3.
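Reading the Log viewer by eye works for two laptops; for an ongoing check that the routes keep doing what section 5.4 verified once, the same test can be run over exported firewall logs. The script below is an added example, not part of the article and not Sophos code. The log lines are constructed: their key="value" layout is modelled on Sophos Firewall syslog output, but the field names (`user_name`, `application`, `in_interface`, `out_interface`, ...) are assumptions and should be checked against the actual export before use. The expected egress ports come from the article's diagram and result (user1/Skype via Port2 = ISP 1, user2/Telegram via Port3 = ISP 2).

```python
"""Check firewall log lines for application traffic that left via the wrong WAN port.
Added example; log format and field names are assumptions, sample lines are constructed."""
import re
from typing import Dict, List, Tuple

KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Expected egress interface per (username, application), from sections 5.2-5.4.
EXPECTED_EGRESS: Dict[Tuple[str, str], str] = {
    ("user1", "Skype"): "Port2",     # ISP 1
    ("user2", "Telegram"): "Port3",  # ISP 2
}

# Constructed sample export. Destination IPs are documentation addresses (RFC 5737).
# Line 4 deliberately shows user2's Telegram traffic leaving via Port2 (a violation);
# line 5 shows unauthenticated Skype traffic, which no user-bound route applies to.
CONSTRUCTED_LOGS = """\
log_type="Firewall" user_name="user1" src_ip="10.145.41.53" dst_ip="203.0.113.10" application="Skype" in_interface="Port1" out_interface="Port2"
log_type="Firewall" user_name="user1" src_ip="10.145.41.53" dst_ip="198.51.100.7" application="Web Browsing" in_interface="Port1" out_interface="Port3"
log_type="Firewall" user_name="user2" src_ip="10.145.41.51" dst_ip="203.0.113.22" application="Telegram" in_interface="Port1" out_interface="Port3"
log_type="Firewall" user_name="user2" src_ip="10.145.41.51" dst_ip="203.0.113.22" application="Telegram" in_interface="Port1" out_interface="Port2"
log_type="Firewall" user_name="" src_ip="10.145.41.53" dst_ip="203.0.113.10" application="Skype" in_interface="Port1" out_interface="Port3"
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one key="value" log line into a dict; unquoted or malformed parts are ignored."""
    return dict(KV_RE.findall(line))


def check_egress(log_text: str,
                 expected: Dict[Tuple[str, str], str] = EXPECTED_EGRESS) -> Tuple[int, List[Dict[str, str]]]:
    """Return (number_of_lines_checked, violations).

    Only lines whose (user_name, application) pair has an expectation are checked;
    everything else (other apps, unauthenticated traffic) is outside the policies' scope.
    """
    checked = 0
    violations: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        key = (rec.get("user_name", ""), rec.get("application", ""))
        if key not in expected:
            continue
        checked += 1
        actual = rec.get("out_interface", "")
        if actual != expected[key]:
            violations.append({
                "user": key[0], "application": key[1],
                "src_ip": rec.get("src_ip", ""),
                "expected": expected[key], "actual": actual,
            })
    return checked, violations


if __name__ == "__main__":
    n, bad = check_egress(CONSTRUCTED_LOGS)
    print(f"checked {n} policy-scoped flows, {len(bad)} via an unexpected WAN port")
    for v in bad:
        print(f"  {v['user']}/{v['application']} from {v['src_ip']}: "
              f"expected {v['expected']}, saw {v['actual']}")
```

A flow appearing on the wrong port usually means the route did not match (the user was not authenticated at that moment, the application was classified differently, or the source fell outside the Local object) or that the primary gateway was down and no backup was set, so the firewall fell back to load balancing. Matching the script's field names to a real export is the first thing to verify.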
