Sophos Firewall Gateway Configuration Quiz
47 Questions

Questions and Answers

Which statement is true regarding the configuration of gateways on Sophos Firewall?

  • Email notifications can be triggered upon a change in gateway state. (correct)
  • A gateway can only be monitored by using manual checks.
  • If health monitoring is not enabled, the gateway is assumed to be unavailable.
  • Health monitoring is always enabled by default.

Which interface type is not supported for configuring gateways on Sophos Firewall?

  • GRE Tunnels (correct)
  • VLAN
  • LAG (Link Aggregation Group)
  • Bridge

What happens if health monitoring for a gateway is not enabled?

  • The gateway will not function.
  • The firewall will send alerts for the gateway.
  • Access to the gateway will be restricted.
  • The firewall will always assume the gateway is available. (correct)

Which of the following interface types is supported for both IPv4 and IPv6 gateways?

  • WWAN

Which option does NOT represent an action that can be taken when configuring a gateway?

  • Automatically assign static IP addresses.

What is the highest precedence for routing by default?

  • Static routes

Which command displays the current route precedence on the console?

  • system route_precedence show

If you want to change the routing precedence to prioritize SD-WAN policy routes over static routes, which command would you use?

  • system route_precedence set sdwan_policyroute static vpn

What can you do in the WAN link manager?

  • Modify existing WAN gateways

Which routing option has the lowest precedence by default?

  • VPN routes

In the gateway manager, what is a limitation compared to the WAN link manager?

  • Cannot create new gateways

Which command would you use to reset routing precedence to its default state?

  • system route_precedence set default

What is required to add a new WAN link to the Sophos Firewall?

  • Create a new interface

What is the role of fwmark in packet routing?

  • It helps in marking packets for specific routing policies.

Which routing table has the highest precedence?

  • VPN

What does the command 'ip route list table wanlink1' accomplish?

  • It displays the routing table associated with the wanlink1 gateway.

Which statement is correct regarding the routing policies and fwmark?

  • Packets marked for RTG cannot match PBR due to differing fwmarks.

Identify the correct statement regarding multilink routing.

  • Multilink routes can distribute traffic across multiple gateways.

What does the prohibit statement in a routing table imply?

  • It blocks specific routes from being used.

Which command would you use to examine how traffic is being routed?

  • ip rule list

In a routing table, what does the 'dev Port1' signify?

  • It indicates the device that can be used to send packets.

What primarily influences routing table decisions in SD-WAN routing?

  • Source and traffic type in addition to destination

Which of the following are elements for configuring SD-WAN routing on the Sophos Firewall?

  • Gateways and SD-WAN route rules

What is the purpose of synchronized SD-WAN in conjunction with application routing?

  • To enhance application identification reliability

How many gateways can be selected in an SD-WAN profile?

  • Up to 8 gateways

Which criteria can be used for determining the quality of a link in SD-WAN profiles?

  • Latency, jitter, or packet loss

What does the default service level agreement (SLA) in SD-WAN profiles select?

  • The gateway with the best quality link based on latency

What does network latency refer to?

  • The time taken for data to reach its destination

Which configuration allows seamless routing decisions across multiple gateways based on link performance?

  • SD-WAN profiles

What happens to a packet that matches an SD-WAN route upon arriving at the Sophos Firewall?

  • It is marked for later use.

What does NAT lookup on the Sophos Firewall affect?

  • Only the destination zone.

Which routing method is used when the traffic is destined for the WAN zone without matching PBR or RTG?

  • Multi Link Management (MLM).

In the Sophos Firewall routing table, what does fwmark denote?

  • A marking to influence routing lookups.

Which of the following options describes the function of SLU in the routing process?

  • Identifying system-generated traffic.

What is the priority of the NAT lookup in the routing precedence?

  • It is performed only after all routing decisions.

Which routing lookup occurs last when processing a packet?

  • NAT lookup.

When is the post-NAT zone marked during the routing process?

  • After the NAT lookup is completed.

If the pre-NAT IP addresses are not matched, what can happen next in the routing process?

  • The packet could still match a next-hop gateway.

What is the main purpose of Policy Based Routing (PBR) in the context of Sophos Firewall?

  • To select the routing path based on a marking.

What is a primary characteristic of custom gateways in terms of load balancing?

  • Custom gateways do not participate in load balancing.

In a single-arm deployment within AWS or Azure, what can a virtual WAN zone be used for?

  • To serve as the next-hop for all traffic.

What happens during VPN lookups when the WAN zone is marked through a gateway?

  • VPN lookups are disabled.

How can an administrator apply security rules in a single VPC deployment?

  • By applying policies based on zones.

Which traffic routing approach adds an extra layer of security in network configurations?

  • Routing east-west traffic through the firewall.

What should an admin consider when creating custom gateways regarding zones?

  • Any zone can be assigned except for VPN.

Which of the following is true regarding the application of custom gateway zones?

  • Custom gateway zones are ignored when SD-WAN route applies.

What is the primary purpose of a single-arm deployment in the context of firewall operation?

  • To direct all traffic through a single exit point.

    Study Notes

    Sophos Firewall Version 19.0v1

    • Sophos Firewall version 19.0v1 is a security product.
    • Copyright 2022 Sophos Limited.
    • All rights reserved.
    • No part of the document may be used or reproduced without permission.

    Advanced Routing Configuration on Sophos Firewall

    • The chapter discusses how Sophos Firewall routes traffic, manages gateways, and configures SD-WAN profiles and routes.
    • Recommended prior knowledge and experience: configuring static routes, and creating gateways and SD-WAN routes.
    • The duration of the chapter is 27 minutes.

    Routing

    • Sophos Firewall supports multiple methods for controlling routing.
    • These methods include static routes, SD-WAN routes, VPN routes, and health check routes.
    • Static routes define the gateway based on the destination network. This includes directly connected networks, dynamic routing protocols, and SSL VPNs.
    • SD-WAN routes make routing decisions based on traffic properties, like source, destination, and service.
    • VPN routes are automatically created when policy-based IPsec VPN connections are established.
    • Health check routes handle health probes independently of other routes.
    • The default route selects the gateway based on WAN link manager configuration.

    Packet Routing

    • The Sophos Firewall applies routing rules in a specific order to packets.
    • The Firewall initially checks if the packet matches an SD-WAN route and, if so, marks the packet for further processing.
    • The full routing precedence is then traversed, marking the destination zone of the packet.
    • NAT lookup is applied, and the destination zone is updated based on DNAT or Full NAT matches.
    • Post-NAT zone and pre-NAT IP are used to match the packet in the firewall.
    • SD-WAN routes that have been migrated from v17.5 may be used for route lookups in some cases.
    • If no PBR (Policy-Based Routing) or RTG (Route Through Gateway) match is found, the traffic is routed through MLM (Multi Link Management).
    • Finally, a NAT lookup is performed.

    Packet Routing Details (continued)

    • There is an example of a routing table in Sophos Firewall.
    • The routing table shows how the Firewall uses a combination of source and FW (Firewall) Mark to look up gateways.

    Routing Policy

    • Topics covered include traffic routed via local, static, dynamic, connected networks and WAN interface.
    • Includes IP addresses associated with links.
    • Traffic can be routed through gateways, which can be migrated SD-WAN routes.

    Gateway Management

    • There are two tools for managing gateways: WAN Link Manager, and Gateway Manager.
    • WAN Link Manager lets you modify existing WAN gateways.
    • Gateway Manager allows you to create gateways used to forward traffic to other networks.
    • The WAN Link Manager lets you configure internet gateways for support of failover and load balancing.
    • Using failover, you can minimize the chance of service disruption. An active-backup configuration mitigates issues with link failure by redirecting traffic to other active links.
    • Load balancing divides traffic across multiple links based on assigned weights. An active-active configuration is also possible.

    Backup Gateway

    • Backup gateways can be activated either manually or dynamically if an active gateway fails.
    • The "action on failback" option controls session handling when the active gateway comes back online.
    • You can modify and configure settings, such as the weight or activation method.

    SD-WAN Profiles

    • SD-WAN Profiles are managed using CONFIGURE > Routing. Up to 8 gateways can be configured.
    • Custom gateways, such as route-based VPN gateways, can be included.
    • The profiles let you define routing criteria according to link quality, including latency, jitter, and packet loss.
    • There is a default SLA (Service Level Agreement) setting for selecting the gateway with the best quality link based on latency.

    SD-WAN Logging

    • The log viewer has an SD-WAN module for specific SD-WAN routing and health log entries.
    • Each entry includes SD-WAN rule ID and name, both for the route request and the reply.

    SD-WAN Routes

    • SD-WAN routing influences routing table decisions, supporting advanced routing scenarios and next-hop/interface-based gateways.
    • Gateways and SD-WAN routes are configured to apply routing through either the primary or backup gateway during connection.
    • Configuring Synchronized SD-WAN provides added benefits through Application Control and routing strategy optimization.

    Gateway Manager

    • The Gateway Manager lets you configure IPv4 and IPv6 gateways for use with SD-WAN routes.
    • New gateways are usually added in CONFIGURE > Routing > Gateways.

    Zones for Custom Gateways

    • Zones can be assigned to Custom Gateways, allowing filtering of traffic and more flexibility.

    Matching Reply Packets

    • SD-WAN routes match reply packets in new Sophos Firewall installations but might not for upgrades.

    Traffic Routing Rules

    The document describes how SD-WAN traffic rules apply in newer and older versions of Sophos Firewall, including the different methods for handling matching traffic and how firewall rules are applied.

    Description

    Test your knowledge on Sophos Firewall's gateway configuration. This quiz covers essential aspects such as supported interface types, health monitoring, and actions related to gateway setup. Perfect for network security professionals looking to sharpen their skills.
