Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

627 Pages


| Configure | 331

WAN Link Manager

A gateway routes traffic between the networks, and if the gateway fails, communication with an external network is not possible.

By default, the device supports only one gateway. However, to cope with gateway failure problems, the device provides an option to configure multiple gateways. But simply adding one more gateway is not an end to the problem.

Optimal utilization of all the gateways is also necessary. The device's WAN Link Manager provides link failure protection by detecting the dead gateway and switching over to an active link. It also offers a mechanism to balance traffic between various links.

At the time of deployment, you have configured the IP address for a default gateway through the Network Configuration Wizard. You can change this configuration any time and configure additional gateways. You can use the WAN Link Manager to configure multiple gateways for load balancing and failover.

By default, all the gateways defined through the Network Configuration Wizard are defined as “Active” gateways.

The device provides a powerful solution for routing and managing traffic across multiple Internet connections.

Designed to provide business continuity for an organization of any size, the WAN Link Manager optimizes the use of multiple Internet links, such as T1s, T3s, DSL and cable connections from one or multiple Internet service providers.

Capable of automatic failover in the event of link failure, it helps to assure that your network is always connected to the Internet.

It also gives you an option to configure multiple WAN interfaces to allow connecting your device to more than one Internet service provider (ISP).

When you configure multiple external interfaces, you even have an option to control which interface an outgoing packet uses.

Load Balancing

Load balancing is a mechanism that balances traffic between various links. It distributes traffic among the links, optimizing utilization of all the links to accelerate performance and cut operating costs. The device employs a weighted round robin algorithm for load balancing to reach maximum utilization of the capacities across the various links.

Using link load balancing gives organizations the possibility to achieve:

• Traffic distribution that does not overburden any link

• Automatic ISP failover

• Improved user performance because of no downtime

• Increased bandwidth scalability

To achieve outbound traffic load balancing between multiple links:

• Configure links in active-active setup, defining gateways as Active

• Assign an appropriate weight to each gateway. Traffic is distributed across the links in proportion to the ratio of weights assigned to individual links.

How it works

Load balancing is determined by the load metric. The load metric is weight. Each link is assigned a relative weight and the device distributes traffic across links in proportion to the ratio of weights assigned to individual links. This weight determines how much traffic will pass through a particular link in relation to the other link(s).

The administrator can set the weight and define how the traffic will be directed to providers to best utilize their bandwidth investments. Weight can be selected based on:

• Link capacity (for links with different bandwidths)

• Link/Bandwidth cost (for links with varying costs)

A weighted load balancing feature enables network managers to optimize network traffic and balance the load between multiple links/interfaces.


Gateway failover

Gateway failover provides link failure protection so that when one link goes down, the traffic is switched over to the active link. This safeguard helps to provide uninterrupted, continuous Internet connectivity to users. The transition is seamless and transparent to the end user with no disruption in service and without downtime.

To achieve WAN failover between multiple links:

• Configure links in active-backup setup

• Define Active gateway/interface

• Define backup gateway/interface – Traffic through this link is routed only when the active interface is down

• Define failover rule

In the event of Internet link failure, the WAN Link Manager automatically sends traffic to available Internet connections without administrator intervention. If more than one link is configured as a backup link, traffic is distributed among the links in the ratio of the weights assigned to them. On failover, the backup gateway can inherit the parent gateway’s (active gateway) weight or use its own configured weight.

The transition from the dead link to the active link is based on the failover rule defined for the link. The failover rule specifies:

• how to check whether the link is active or dead

• what action to take when a link is not active

The failover rule has the form:

IF Condition 1 AND/OR Condition 2 then Action

Depending on the outcome of the condition, traffic is shifted to any other available gateway.

A ping rule is automatically created for every gateway. The device periodically sends a ping request to check the health of the link, and if the link does not respond, traffic is automatically sent through another available link. The selection of the gateway and how much traffic is to be routed through each gateway depends on the number of configured active and backup gateways.

Gateway Failback

During a link failure, the device regularly checks the health of a given connection, assuring a fast reconnection as soon as the Internet service is restored. When the connection is restored and the gateway is up again, without the administrator’s intervention, traffic is again routed through the active gateway. In other words, the backup gateway fails back on the active gateway.

WAN Link Manager

The WAN Link Manager page displays a list of configured IPv4 and IPv6 gateways. The page also displays the status Active or Deactive for each gateway and failover rule in case multiple gateways are configured. You can change the gateway parameters, change the gateway status, add or remove the failover rule, and view the data transfer passed through the gateway.

For the backup gateway, the weight is NA while for the active gateway, the configured weight is displayed.

Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.

Gateway Failover Timeout Configuration

Gateway Failover Timeout

Configure the gateway failover timeout in seconds.

This is the time period the device waits before the gateway failover occurs.

Default: 60 seconds


Acceptable Range: 1 to 65535

Figure 329: Gateway Failover Timeout Configuration
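The failover rule and timeout described above can be dry-run before they are relied on. The following is an added example, not Sophos code: it replays probe results through an AND rule and an OR rule to show how a single unreachable probe target affects each. The names are hypothetical, and the model assumes that failover occurs once the rule has fired continuously for the timeout and that failback occurs on the first check in which the rule no longer fires.

```python
import socket

def tcp_unreachable(ip, port, timeout=2.0):
    """One rule condition: True when the target does NOT complete a TCP handshake."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return False
    except OSError:  # refused, timed out or no route
        return True

def live_results(targets, timeout=2.0):
    """Probe every (ip, port) target once; for use against real probe hosts."""
    return [tcp_unreachable(ip, port, timeout) for ip, port in targets]

def rule_fires(results, operator):
    """Combine per-condition results as 'IF c1 AND/OR c2 THEN action'."""
    if not results:
        raise ValueError("a failover rule needs at least one condition")
    if operator == "AND":
        return all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unknown operator: {operator!r}")

class GatewayMonitor:
    """State of one gateway.

    Assumptions of this model: failover happens once the rule has fired
    continuously for failover_timeout seconds, and failback happens on the
    first check in which the rule no longer fires.
    """

    def __init__(self, operator, failover_timeout=60):
        if not 1 <= failover_timeout <= 65535:  # acceptable range in the guide
            raise ValueError("failover timeout must be 1..65535 seconds")
        self.operator = operator
        self.failover_timeout = failover_timeout
        self.failing_since = None
        self.state = "ACTIVE"

    def observe(self, now, results):
        """Feed one round of probe results taken at time `now` (seconds)."""
        if rule_fires(results, self.operator):
            if self.failing_since is None:
                self.failing_since = now
            if now - self.failing_since >= self.failover_timeout:
                self.state = "FAILED_OVER"
        else:
            self.failing_since = None
            self.state = "ACTIVE"
        return self.state

def replay(operator, samples, failover_timeout=60):
    """Run a list of (time, results) samples through a fresh monitor."""
    monitor = GatewayMonitor(operator, failover_timeout)
    return [monitor.observe(t, results) for t, results in samples]

# Constructed samples: (seconds, [target 1 unreachable, target 2 unreachable]).
# Only probe target 1 goes down at t=20; the link itself fails at t=100
# and recovers at t=180.
SAMPLES = [
    (0, [False, False]), (20, [True, False]), (40, [True, False]),
    (60, [True, False]), (80, [True, False]), (100, [True, True]),
    (120, [True, True]), (160, [True, True]), (180, [False, False]),
]

if __name__ == "__main__":
    for op in ("OR", "AND"):
        print(op, replay(op, SAMPLES))
```

With OR, the outage of one probe host alone moves traffic off a healthy link; with AND across independent targets, failover waits until every target is unreachable.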

Update Gateway Configuration

You can update the gateway configuration from this page.

1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column to edit its settings.

2. Enter the gateway details.

Name

Enter the name of the gateway.

IP Address

Enter the IP address assigned to the gateway.

Interface

Specify the IP address of the interface.

Type

Specify the type of the gateway.

Available Options:

Active - Traffic will route through the active gateway(s). If more than one active gateway is configured, the traffic will be load balanced between these gateways depending on the weight assigned to each gateway.

Backup – A gateway used in an active/passive setup, where traffic is routed through the backup gateway only when the active gateway is down.

Weight

Depending on the weight, the gateway is selected for load balancing. The device distributes traffic across links in proportion to the ratio of weights assigned to individual links.

This weight determines how much traffic will pass through a particular link relative to the other link(s).

Gateways can be assigned a weight from 1 to 100.

Note: When multiple gateways are configured and one gateway goes down, the traffic is switched over to the available gateways according to the ratio of the weights assigned to the available gateways.

Default NAT Policy

Select the NAT policy to be used as default for a particular gateway.

By default, the MASQ NAT policy is configured.

Select None, if NAT should not be applied on that particular gateway.

Figure 330: Update Active Gateway Configuration

3. Enter the backup gateway details (Only available, if the type is Backup)

Activate This Gateway

Select gateway activation condition: automatically or manually.

Automatic failover

For automatic failover, activate the option If ... Active gateway fails.

From the dropdown list, specify when the backup gateway should take over from the active gateway. This takeover process will not require the administrator’s intervention.

Available Options:

Specific Gateway - The dropdown list displays all configured gateways. The backup gateway will take over and traffic will be routed through the backup gateway only when the selected gateway fails.

ANY – The backup gateway will take over and traffic will be routed through the backup gateway when any of the active gateways fails.

ALL – The backup gateway will take over and traffic will be routed through the backup gateway when all the configured active gateways fail.

Manual failover

If you select Manually, the administrator will have to change the gateway manually when the active gateway fails.

Action on Activation

Configure the weight for the backup gateway. The device distributes traffic across links in proportion to the ratio of weights assigned to individual links. This weight determines how much traffic will pass through a particular link relative to the other link(s).

Inherit weight of the failed active gateway

If this option is selected, the backup gateway will inherit the parent gateway’s (active gateway) weight

Use configured weight

If this option is selected, the weight specified in the Weight field will be used for the backup gateway.


Figure 331: Backup Gateway Details

4. Click Save.

The gateway details have been updated.

5. Configure the Failover Rules.

IF Then Condition

From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.

Port: For TCP communication, specify the port number for communication.

on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.

Condition

• AND - All the conditions must be satisfied before the specified action is taken

• OR - At least one condition must be satisfied before the specified action is taken.

A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.

Figure 332: Configure Failover Rules

6. Click Save.

The failover rule has been updated.
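The weight, backup activation and Action on Activation settings from this procedure interact, so it helps to compute the resulting traffic split for each failure scenario. The following is an added example, not Sophos code, with hypothetical names. It resolves Inherit only for a backup tied to a specific gateway, because the guide does not say which weight is inherited when ANY or ALL is selected.

```python
from dataclasses import dataclass, replace
from fractions import Fraction

@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                  # "active" or "backup"
    weight: int = 1            # 1..100, as in the Weight field
    up: bool = True
    activate_on: str = "ANY"   # backup only: "ANY", "ALL", "MANUAL" or a gateway name
    inherit: bool = False      # backup only: inherit weight of the failed active gateway

def traffic_shares(gateways):
    """Return {gateway name: share of outbound traffic} for the current link states."""
    for g in gateways:
        if not 1 <= g.weight <= 100:
            raise ValueError(f"{g.name}: weight must be 1..100")
    active = [g for g in gateways if g.kind == "active"]
    failed = {g.name: g for g in active if not g.up}
    carrying = {g.name: g.weight for g in active if g.up}

    for b in (g for g in gateways if g.kind == "backup" and g.up):
        if b.activate_on == "MANUAL":
            continue                         # needs the administrator, not modelled
        if b.activate_on == "ANY":
            triggered = bool(failed)
        elif b.activate_on == "ALL":
            triggered = bool(active) and len(failed) == len(active)
        else:                                # Specific Gateway
            triggered = b.activate_on in failed
        if not triggered:
            continue
        weight = b.weight                    # "Use configured weight"
        if b.inherit:
            if b.activate_on not in failed:
                raise ValueError(f"{b.name}: inherit is only modelled for a specific gateway")
            weight = failed[b.activate_on].weight
        carrying[b.name] = weight

    total = sum(carrying.values())
    return {name: Fraction(w, total) for name, w in carrying.items()} if total else {}

def with_down(gateways, *names):
    """Copy of the gateway list with the named links marked as failed."""
    return [replace(g, up=g.name not in names) for g in gateways]

# Constructed setup: two active links weighted 3:1 and one backup for ISP1.
BASE = [
    Gateway("ISP1", "active", weight=3),
    Gateway("ISP2", "active", weight=1),
    Gateway("LTE", "backup", activate_on="ISP1", inherit=True),
]

if __name__ == "__main__":
    for down in ((), ("ISP1",), ("ISP2",), ("ISP1", "ISP2")):
        shares = traffic_shares(with_down(BASE, *down))
        print(down or "all up", {n: f"{float(s):.0%}" for n, s in shares.items()})
```

A backup set to ALL stays idle while one active link is still up, so the remaining link carries 100% of the traffic; check that case against the capacity of each link.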

Add Failover Rule

You can add a failover rule from this page.

1. Go to Configure > Network > WAN Link Manager, click the gateway's Name hyperlink or click the edit icon under the Manage column and click Add under the Failover Rules section.

2. Configure the failover rules.

IF Then Condition

From the dropdown list, select the communication protocol, such as TCP or PING (ICMP). Select the protocol depending on the service to be tested on the host.

Port: For TCP communication, specify the port number for communication.

on IP Address: Specify the IP address of the computer or the network device which is permanently running or most reliable.

Condition

• AND - All the conditions must be satisfied before the specified action is taken

• OR - At least one condition must be satisfied before the specified action is taken.

A request is sent to an IP address. If the IP address does not respond to the request, the device considers the IP address as unreachable.


Figure 333: Configure Failover Rules

3. Click Save.

The failover rule has been added.

Network Traffic Report for Default Gateway

Click the data transfer icon under the Manage column of the corresponding gateway to view the total data transferred through the gateway in graphical as well as in tabular form.

Network Traffic Report for Default Gateway

Period

From the available options, select the period for the report of the network traffic that passed through the gateway.

Available Options:

• Weekly

• Monthly

• Custom

The graph displays the upload, download and total data transfer through the gateway.

• X-axis: Date (depending on the period selected)

• Y-axis: KB/MB/GB used

Legend

• Orange Color – Upload Network Traffic (MB)

• Purple Color – Download Network Traffic (MB)

• Green Color – Total Network Traffic (MB)

Note: When the selected period is Custom, the user can select to view data of not more than the last six (06) months. At one time, only thirty (30) days of data will be displayed.


Figure 334: Network Transfer Report

DNS

Use this page to configure the DNS settings of the device.

The DNS server is configured at the time of installation. You can add additional DNS servers to which the device can connect for name resolution. If multiple DNS servers are defined, they are queried in the order in which they were entered.

Note: You can also view and manage the DNS server status on the Monitor & Analyze > Diagnostics > Services page.

Sophos XG Firewall supports static DNS host entry where the device acts as a DNS Name Server that provides the requesting client with 'A' records to resolve their requested URL.

You can manually add static DNS host entries for a particular domain name. Sophos XG Firewall checks DNS host entries for the requested domain name. If the domain name requested by the user matches the DNS host entry then the device performs DNS resolution and replies to the client with the IP address found in the static DNS host entry. DNS requests do not need to be redirected to the Local/Authoritative DNS server any longer. This facilitates faster data transfer and avoids multiple DNS resolution cycles for every client request. You can also add multiple IP addresses for a single website hosted behind Sophos XG Firewall.

When you want external domain names to be resolved through internal DNS servers in your network, you can add DNS request routes to such servers. This will decrease the Internet traffic over the network and speed up DNS client requests, as queries will not be forwarded outside the network. Also, DNS information would be less exposed on the Internet, thus enhancing security.

IPv4

Obtain DNS from DHCP

Click to override the device DNS with the DNS address received from the DHCP server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Obtain DNS from PPPoE

Click to override the device DNS with the DNS address received from the PPPoE server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Static DNS

Select to provide a static IPv4 DNS server address.

A maximum of three static DNS IPv4 addresses can be provided.


Figure 335: IPv4 DNS Settings

IPv6

Obtain DNS from DHCP

Click to override the device DNS with the DNS address received from the DHCP server.

The option is available if enabled from the Network Configuration Wizard or if a DHCP interface is configured.

Static DNS

Select to provide a static IPv6 DNS server address.

A maximum of three static DNS IPv6 addresses can be provided.

Figure 336: IPv6 DNS Settings

DNS Query Configuration

Choose server based on incoming requests record type

Select to choose the DNS server to be used for resolving the domain name on the basis of the incoming request's record type. An incoming request can be of A or AAAA type.

Choose IPv6 DNS server over IPv4

Select to first choose the IPv6 DNS server for resolving the DNS and then the IPv4 DNS server.

If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv6 DNS server for all requests followed by the IPv4 DNS server.

Choose IPv4 DNS server over IPv6

Select to first choose the IPv4 DNS server for resolving the DNS and then the IPv6 DNS server.

If both IPv6 and IPv4 DNS servers are configured, then it first selects the IPv4 DNS server for all requests followed by the IPv6 DNS server.

Choose IPv6 if request originator address is IPv6, else IPv4

Select to choose the IPv6 DNS server if a request is received from an IPv6 source or choose the IPv4 DNS server, if a request is received from an IPv4 source.

Apply

Click to save the configuration.

Test Name Lookup

Click and provide an IP address or host name for testing the connectivity with the DNS server.


Figure 337: DNS Query Configuration

DNS Host Entry

The DNS Host Entry section displays the list of all the configured host entries. You can filter the list based on the host/domain name. This section provides the option to add, update, or delete entries.

DNS Request Route

This section displays a list of all the configured DNS request routes. You can filter the list based on the name or the target. Additionally, you can add, update and delete routes.

Add DNS Host Entry

The Add DNS Host Entry page allows you to create and manage DNS host entries.

1. Go to Configure > Network > DNS and click Add under DNS Host Entry section.

2. Enter the host entry details.

Host/Domain Name

Provide a fully qualified domain name (FQDN) for the host/domain.

Address

Enter the address details for the host entry.

Entry Type

Select the DNS host entry type.

Available Options:

• Manual – Enter the IP address for the host manually

• Interface IP – Configure an interface as host

IP Address

Specify the IP address of the host/domain or select an interface IP depending on the option selected for the entry type.

Maximum entries per host: 8

Time to Live (seconds)

Specify the TTL in seconds.

Default: 60 seconds

Weight

Specify the weight for load balancing the traffic. The device distributes traffic across the links in proportion to the ratio of weights assigned to individual links.

This weight determines how much traffic will pass through a particular link relative to the other link(s).

Default: 1

Publish on WAN

Enable to publish the DNS host entry on WAN.

Default: Disabled

Reverse DNS Lookup

Reverse DNS lookup is the resolution of an IP address to its designated domain name. Enable to allow reverse DNS lookup.

Note: If there are multiple hosts resolving to the same IP address then Reverse DNS Lookup can only be configured for one of the IP addresses.

• Only A, AAAA, and PTR type of DNS records are supported.

• Address (A) record points a hostname to an IP address and returns a 32-bit IPv4 address.

• AAAA record points a hostname to an IP address and returns a 128-bit IPv6 address.

• Pointer records (PTR) are just the reverse of A records and are used for reverse lookups. They map the IP address to a hostname.

• Maximum DNS entries supported: 1024

• If the device interface is used as a DNS in the client system then a query is sent to the configured DNS servers prior to querying the ROOT servers.


Figure 338: DNS Host Entry

3. Click Save.

The DNS host entry has been created and appears on the DNS page.

Add DNS Request Route

This page allows you to configure DNS Request routes to internal DNS servers.

1. Go to Configure > Network > DNS and click Add under DNS Request Route section.

2. Enter DNS request route details.

Host/Domain Name

Specify the domain for which you want to use the internal DNS server.

Target Servers

Select a DNS server(s) to resolve the domain specified above.

You can also add an IP address to the DNS from this page by entering it in the entry field. Up to eight IP addresses can be added.


Figure 339: Add DNS Request Route

3. Click Save.

The DNS request route has been created and appears on the DNS page.

DHCP

The DHCP section allows you to configure DHCP for your network.

On a network, the dynamic host configuration protocol (DHCP) automatically assigns IP addresses to the hosts on a network, thus reducing the administrator’s configuration task. Instead of requiring administrators to assign, track and change (when necessary) IP addresses for every host on a network, DHCP settles it automatically. Furthermore, DHCP ensures that duplicate addresses are not used.

The DHCP section covers the following topics:

Server

The device acts as a DHCP server: it assigns a unique IP address to a host and releases the address when the host leaves and re-joins the network. Each time, when the host connects to the network, it can have another IP address. In other words, the device provides a mechanism for allocating the IP address dynamically so that addresses can be reused.

An interface having static IP assignment can also act as a DHCP server. You can disable or change this DHCP server configuration. You can configure IPv4 and IPv6 DHCP servers.

Using the Server section, you can configure and manage DHCP servers on the device. It displays a list of all configured DHCP servers, and you can filter the list based on the IP family.

Note:


• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.

• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

Relay

Deploying DHCP in a single segment network is easy. All DHCP messages are IP broadcast messages, and therefore all the computers on the segment can listen and respond to these broadcasts. But things get complicated when there is more than one subnet on the network. The reason is that the DHCP broadcast messages do not cross the router interfaces by default. The DHCP relay agent makes it possible to place DHCP clients and DHCP servers on different networks. The relay agent allows DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or from a server which is not located on the local subnet. If the DHCP relay agent is not configured, clients would only be able to obtain IP addresses from the DHCP server which is on the same subnet.

Using the Relay section, you can configure and manage DHCP relay agents on the device. It displays a list of all interfaces configured as a relay agent, and you can filter the list based on the relay agent name and the IP family.

Lease

The device acting as a DHCP server assigns or leases an IP address from an address pool to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. The IPv4/IPv6 Lease section displays a list of all IPv4 and IPv6 addresses leased dynamically, and you can filter the lists based on the leased IP, or the client's physical address.

IPv4 Lease

For each IPv4 address, the list displays the following:

• Leased IP address

• Leased start and end time

• Client physical address

• Client host name

• Lease type

IPv6 Lease

For each leased IPv6 address the list displays the following:

• Leased IP address

• Leased start and end time

• Client physical address

• DUID

Related information

Configure DHCP Options

Configure Interface as DHCPv4 Server

This page describes how to configure an interface as DHCP server for IPv4.

1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv4 using the default filter.

2. Specify the General Settings details.

Name

Enter a name to identify the DHCPv4 server uniquely.

Interface

Select an interface to set it as DHCPv4 server. DHCP service can be configured on a virtual interface but not on an interface alias.

Note: DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

Dynamic IP Lease

Specify the range of IP addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask for the IP address range. You can configure multiple IP ranges for the same interface. Furthermore, you can provide multiple IP ranges for the DHCP server.

Use the add and delete icons to add or delete a range.

Static IP MAC Mapping

If you want to assign specific IP addresses to some or all clients permanently, you can define static MAC address-to-IP address mappings. To define a MAC-IP mapping, you should know the MAC address of the client’s network card. The MAC address is usually specified in hexadecimal digits separated by colons (for example, 00:08:76:16:BC:21). Specify the host name, the MAC address and the IP address. You can provide multiple MAC-IP mappings for the DHCP server.

Use the add and delete icons to add or delete a MAC-IP mapping.

Subnet Mask

Select a subnet mask for the server.

Domain Name

Specify the domain name that the DHCP server will assign to the DHCP clients.

Gateway

Use this option to apply an interface IP as gateway.

Specify the IP address to be used as default gateway or select Use Interface IP as Gateway to use the IP address entered for Interface.

Default Lease Time

Specify the default lease time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 1440 minutes

Max Lease Time

Specify the maximum lease time. The DHCP client must ask the DHCP server for new settings after the specified maximum lease time has expired.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 2880 minutes

Conflict Detection

Enable IP conflict detection to check the IP address before leasing. If enabled, the already leased IP address will not be leased again.


Figure 340: General Settings

3. Specify the DNS Server details.

Use Device’s DNS Settings

Click to use the device's DNS server. In this case, the first two configured DNS will be used.

If not enabled, provide a primary and secondary DNS to be used.

Primary DNS (available only if Use Device’s DNS Settings is disabled)

Specify the IP address of the primary DNS server.

Secondary DNS (available only if Use Device’s DNS Settings is disabled)

Specify the IP address of the secondary DNS server.

Figure 341: DNS Server details

4. Specify WINS Server details.

Primary WINS Server

Specify the IP address of the primary WINS server.

Secondary WINS Server


Specify the IP address of the secondary WINS server.

Figure 342: WINS Server details

5. Click Save.

Related information

Configure DHCP Options

Configure Interface as DHCPv6 Server

This page describes how to configure an interface as DHCP server for IPv6.

1. Go to Configure > Network > DHCP, click Add in the Server section and select IPv6 using the default filter.

2. Specify the General Settings details.

Name

Enter a name to identify the DHCPv6 server uniquely.

Interface

Select an interface to set it as DHCPv6 server. DHCP service can be configured on a virtual interface but not on an interface alias.

Dynamic IP Lease

Specify the range of IPv6 addresses from which the DHCP server must assign an IP address to the clients and set a subnet mask for the IPv6 address range. You can configure multiple IPv6 ranges for the same interface. Furthermore, you can provide multiple IP ranges for the DHCP server.

Use the add and delete icons to add or delete a range.

Static IP DUID Mapping

If you want to assign specific IP addresses to some or all clients permanently, you can define static DUID address-to-IP address mappings. To define a DUID-IP mapping, you should know the DHCP Unique Identifier (DUID) of the client. The DUID address is usually specified in groups of two hexadecimal digits separated by colons.

*Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified.

Specify the host name, DUID and the IP address. You can provide multiple DUID-IP mappings for the DHCP server.

Use the add and delete icons to add or delete a DUID-IP mapping.

Preferred Time

Specify the preferred time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 540 minutes

Note: Preferred time should be less than valid time.

Valid Time

Specify the valid time.

Acceptable range: 1 to 43200 minutes (30 days)

Default: 720 minutes

Figure 343: General Settings

3. Specify the DNS Server details.

Use Device’s DNS Settings

Click to use the device's DNS server. In this case, the first two configured DNS will be used.

If not enabled, provide a primary and secondary DNS to be used.

Primary DNS (available only if Use Device’s DNS Settings is disabled)

Specify the IPv6 address of the primary DNS server.

Secondary DNS (available only if Use Device’s DNS Settings is disabled)

Specify the IPv6 address of the secondary DNS server.

Figure 344: DNS Server details

4. Click Save.

Related information

Configure DHCP Options

* RFC 3315 (Dynamic Host Configuration Protocol for IPv6 (DHCPv6))

Add DHCP Relay Configuration

This page describes how to configure an interface as DHCP relay agent.

1. Go to Configure > Network > DHCP and click Add in the Relay section.

2. Enter the DHCP relay configuration details.

Name

Provide a name to identify the DHCP relay agent.


IP Family

Select the IP family for the DHCP relay agent.

Available Options:

• IPv4

• IPv6

Interface

Select an interface on which your client network is configured. The device listens for DHCP queries on this interface and uses it to forward packets between client and server.

Interfaces having a static IP assignment can act as a DHCP relay agent.

The DHCP relay agent can be configured on a virtual interface but not on an interface alias.

Note:

• The device cannot act as DHCPv6 server and DHCPv6 relay agent simultaneously.

• DHCPv4 Server and DHCPv4 Relay cannot be configured using the same Interface.

DHCP Server IP

Specify the DHCP server IP address. You can also configure multiple DHCP servers. This facilitates deploying DHCP servers in a high availability environment. The DHCP relay will forward packets to all configured DHCP servers, and the active server will serve the request. In case the active server goes down, the backup server serves the request. The DHCP server takes care of leasing the IP address to a client.

Maximum DHCP servers configurable per DHCP relay: 8

Relay through IPSec (Only available if IP family is IPv4)

Select to relay DHCP messages through an IPSec VPN tunnel.


Figure 345: Add DHCP Relay Configuration

3. Click Save.

The DHCP relay agent has been created and appears on the DHCP page.
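The limits stated in the DHCP server and relay sections above can be checked against a planned configuration before it is entered. The following is an added example, not Sophos code: the dictionary layout and all names are hypothetical, the sample data is constructed, and the duplicate MAC/IP check is an assumption rather than a documented rule.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
TIME_MIN, TIME_MAX = 1, 43200   # minutes; lease, preferred and valid time range
MAX_RELAY_SERVERS = 8           # DHCP servers configurable per relay

def _check_times(tag, server, keys, findings):
    for key in keys:
        if not TIME_MIN <= server[key] <= TIME_MAX:
            findings.append(f"{tag}: {key} outside 1..43200 minutes")

def lint_server(server, findings):
    """Check one DHCP server definition against the limits in the guide."""
    tag = f"server {server['name']}"
    if server["family"] == "IPv6":
        _check_times(tag, server, ("preferred_time", "valid_time"), findings)
        if server["preferred_time"] >= server["valid_time"]:
            findings.append(f"{tag}: preferred time must be less than valid time")
        return
    _check_times(tag, server, ("default_lease", "max_lease"), findings)
    for start, end, mask in server.get("ranges", []):
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo > hi or hi not in net:
            findings.append(f"{tag}: range {start}-{end} does not fit mask {mask}")
    seen = set()
    for host, mac, ip in server.get("static", []):
        if not MAC_RE.match(mac):
            findings.append(f"{tag}: {host} has malformed MAC {mac}")
        # Assumption: a MAC or IP listed twice is a mistake worth flagging.
        for value in (mac.upper(), ip):
            if value in seen:
                findings.append(f"{tag}: {host} reuses {value}")
            seen.add(value)

def lint_dhcp(config):
    """Return a list of findings for the whole DHCP configuration."""
    findings = []
    servers, relays = config.get("servers", []), config.get("relays", [])
    for server in servers:
        lint_server(server, findings)
    v4_ifaces = {s["interface"] for s in servers if s["family"] == "IPv4"}
    has_v6_server = any(s["family"] == "IPv6" for s in servers)
    for relay in relays:
        tag = f"relay {relay['name']}"
        if len(relay["servers"]) > MAX_RELAY_SERVERS:
            findings.append(f"{tag}: more than 8 DHCP servers")
        if relay["family"] == "IPv4" and relay["interface"] in v4_ifaces:
            findings.append(f"{tag}: interface also runs a DHCPv4 server")
        if relay["family"] == "IPv6" and has_v6_server:
            findings.append(f"{tag}: device is already a DHCPv6 server")
        if relay.get("ipsec") and relay["family"] != "IPv4":
            findings.append(f"{tag}: relay through IPSec is IPv4 only")
    return findings

# Constructed sample with deliberate mistakes.
SAMPLE = {
    "servers": [
        {"name": "lan4", "family": "IPv4", "interface": "Port1",
         "default_lease": 1440, "max_lease": 50000,
         "ranges": [("192.168.1.10", "192.168.1.100", "255.255.255.0"),
                    ("192.168.1.200", "192.168.2.20", "255.255.255.0")],
         "static": [("printer", "00:08:76:16:BC:21", "192.168.1.5"),
                    ("nas", "00-08-76-16-BC-22", "192.168.1.6"),
                    ("cam", "00:08:76:16:bc:21", "192.168.1.7")]},
        {"name": "lan6", "family": "IPv6", "interface": "Port2",
         "preferred_time": 720, "valid_time": 720},
    ],
    "relays": [
        {"name": "r4", "family": "IPv4", "interface": "Port1",
         "servers": [f"10.0.0.{i}" for i in range(1, 10)]},
        {"name": "r6", "family": "IPv6", "interface": "Port3",
         "servers": ["2001:db8::1"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_dhcp(SAMPLE):
        print(finding)
```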


Key Features

  • Firewall rules
  • Web filtering
  • Intrusion prevention
  • VPN
  • Wireless management
  • Email security
  • Advanced threat protection


Frequently Asked Questions

What is the purpose of Sophos XG Firewall?
Sophos XG Firewall is a network security appliance designed to protect your network from threats.
What are the key features of Sophos XG Firewall?
Key features include firewall rules, web filtering, intrusion prevention, VPN, wireless management, email security, and advanced threat protection.
How do I access the Sophos XG Firewall web interface?
You can access the Sophos XG Firewall web interface by entering the IP address of the appliance in your web browser.
How do I configure basic firewall rules?
You can configure basic firewall rules by creating a new rule in the Firewall section of the web interface.
How do I enable web filtering?
You can enable web filtering by creating a new web filter policy in the Web section of the web interface.
What is the difference between a user rule and a network rule?
A user rule applies to a specific user, while a network rule applies to a specific network.
How do I create a VPN tunnel?
You can create a VPN tunnel by creating a new IPsec connection in the VPN section of the web interface.
