Sophos Firewall Version 19.0v1 Overview

Questions and Answers

What is a consequence of a packet being marked for RTG?

• It will prevent matching with PBR. (correct)
• It is assigned the highest precedence.
• It will bypass the full route precedence.
• It can match multiple routing policies.

Which routing table is given the highest precedence when marking with fwmark?

• VPN routing table (correct)
• RTG routing table
• static routing table
• multilink routing table

How are routing policies defined in the routing table based on fwmark?

• By the source address only.
• By using restrictions on protocols.
• By defining routes for various networks.
• By associating them with specific lookup tables. (correct)

What command would you use to view the routing table associated with a specific gateway?

ip route list table (C)

What metric is associated with the prohibit default route in the routing table?

Metric 1 (C)

What does a jitter measurement of five milliseconds indicate in terms of network latency?

Latency varies and is not stable. (C)

Which of the following is NOT a criterion that can be included in a custom SLA configuration?

Throughput (C)

What must be entered when configuring TCP as a probe target in health checks?

The port number for the probe target. (B)

How can you define the recommended SLA values for different traffic types?

By hovering over the information icon. (B)

What determines the first SLA verdict in SD-WAN monitoring?

The total time taken equal to the SLA sample size multiplied by the interval. (D)

What happens when an SLA is enabled for an SD-WAN profile?

The health check cannot be disabled. (A)

What is the default SLA sample size for determining link performance in SD-WAN?

30 (B)

How many consecutive responses are required for the firewall to determine that a link is up again?

5 (C)

Which of the following metrics is NOT monitored by the SD-WAN performance graphs?

Uptime (B)

What does the SD-WAN log viewer include for each log entry?

SD-WAN rule ID and name for the route request and reply. (A)

What occurs after a packet arrives at the Sophos Firewall if it matches an SD-WAN route?

The packet is marked for later processing and the destination zone is identified. (B)

In which scenario does the Sophos Firewall mark a packet for Multi Link Management (MLM)?

If the traffic is destined for the WAN zone and no Policy Based Route (PBR) or Route Through Gateway (RTG) is matched. (D)

What is the role of NAT lookup in the packet processing flow within the Sophos Firewall?

To update the destination zone if a DNAT or Full NAT rule is matched. (B)

Which of the following is NOT indicated as a method for matching a route through a gateway in the Sophos Firewall?

Default routing (B)

What determines the order in which a packet is processed in the routing precedence of the Sophos Firewall?

The gateway configurations listed in the routing table. (B)

Flashcards

PBR

A route that is based on an SD-WAN policy.

RTG

A route that is used to send traffic to a specific gateway, often defined in firewall rules.

MLM

A technique for load balancing traffic across multiple active gateways.

Routing Table

A table used to define the rules for how traffic should be routed on a network.

Routing Precedence

The order of priority for applying different routing rules. Rules higher on the table take precedence over those lower on the table.

fwmark

A unique identifier assigned to packets by the operating system, allowing for selective routing based on specific factors.

Routing Policies

Policies that define how packets are routed, allowing for multiple routing decisions based on factors like source IP or fwmark.

Lookup

A specific combination of routing information used to determine how a packet is sent.

fwmark based Routing

A technique for routing packets based on the fwmark, enabling prioritizing or separating traffic flows.

SLA Sample Size

The number of consecutive checks (probes) used to determine the health of a link in an SD-WAN profile.

Probe Interval

The time interval between consecutive checks used to monitor link health in an SD-WAN profile.

Consecutive Failures for Down Link

Determines how many consecutive unsuccessful checks are required to declare a link as down in an SD-WAN profile.

Consecutive Responses for Up Link

The number of consecutive successful checks required for a link to be considered up after being down in an SD-WAN profile.

SD-WAN Monitoring Graphs

Provides graphical monitoring of SD-WAN performance metrics like latency, jitter and packet loss.

Jitter

A measure of how much the latency of a network connection varies over time. Zero milliseconds indicates a consistent latency, while higher values indicate more fluctuation.

Packet Loss

The percentage of data packets that fail to reach their destination. A higher packet loss rate indicates a less reliable network connection.

Service Level Agreement (SLA)

A set of customizable rules used to define the quality of a network connection based on measures like latency, jitter, and packet loss.

Health Check

A test used to monitor the health and responsiveness of a network connection. It can be done using either Ping or TCP protocol.

SD-WAN Profile

A dedicated network configuration that optimizes traffic flow and performance over multiple internet connections.

Study Notes

Sophos Firewall Version 19.0v1

• Sophos Firewall version 19.0v1 is a product.
• This version includes April 2022 updates.

Copyright and Use Restrictions

• Copyright 2022 Sophos Limited. All rights reserved.
• No parts of this document can be used without Sophos's prior consent.
• Sophos and the Sophos logo are registered trademarks of Sophos Limited.
• Other mentioned trademarks and logos may belong to other Sophos entities or their respective owners.

Document Disclaimer

• Sophos has taken reasonable care in preparing this document.
• Sophos makes no explicit or implicit warranties, or representations about content completeness or accuracy.
• Changes to the document are possible at any time.
• Sophos Limited is registered in England with number 2096520.
• The registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Routing Configuration

• Sophos Firewall routes traffic, manages gateways, and configures SD-WAN profiles and routes.

Recommended Knowledge and Experience

• Configuring static routes
• Creating gateways and SD-WAN routes

Duration

• 27 minutes

Routing

• Sophos Firewall supports multiple methods for controlling routing:
  • Static routes
  • SD-WAN routes
  • VPN routes
  • Health check routes
  • Default route

Packet Routing

• Packet routing procedure on Sophos Firewall.
• Steps include checks for SD-WAN routes, applying full routing precedence, NAT lookup, and destination zone update

Packet Routing (continued)

• Firewall rule matching is done on the post-NAT zone and pre-NAT IP.
• SD-WAN routes created from gateways in firewall rules (v17.5 onward) will be migrated.

Packet Routing (continued 2)

• If WAN traffic does not match PBR or RTG, it is marked for MLM (multi-link management).
• MLM is based on load balancing across active gateways.
• Packets then traverse full routing based on precedence.
• Finally, a NAT lookup occurs.

Routing Table Example

• Routing table example on Sophos Firewall, showcasing source and fwmark used to lookup gateways.

Routing Policies

• Using ip rule list and ip route list table commands for navigating routing table tree to identify traffic routes.

Setting Routing Precedence

• By default, static routing has highest priority within the system.
• System route_precedence command can modify priority if necessary.

Gateway Management

• Two tools for gateway management: WAN Link Manager and Gateway Manager.
• WAN Link Manager: Configures pre-existing WAN gateways. It does not allow the creation of new WAN links.
• Gateway Manager: Creates gateways to forward traffic to other networks. WAN gateways usually automatically create upon WAN link interface creation.

WAN Link Manager

• Minimizes the chance of service disruptions ensures connectivity to the Internet using active-backup configuration.
• Identifies the health of dead links and reroutes traffic once restored.
• Optimizes connectivity using load balancing by distributing traffic among various links.
• Active-active configuration is possible for load balancing.

Backup Gateway

• Backup gateways can be activated manually or automatically if the primary gateway fails.
• The backup gateway can inherit the active gateway weight, or use a configured weight.
• It is possible to specify whether new connections use the restored gateway or force all connections, including prior ones, through the restored gateway.

WAN Link Manager Failover Rules

• Configure failover rules to test gateway availability (PING or TCP connections).
• Multiple rules can be used for failover tests.

SD-WAN Profiles

• SD-WAN Profiles are configured to use in various circumstances to route, such as for best quality routing.
• They ensure optimized network performance.

SD-WAN Profile Settings

• Define performance criteria for SD-WAN (latency, jitter, packet loss).
• Allow for customizing the SLA (Service Level Agreement).

SD-WAN Profiles and Diagnostics

• Monitor SD-WAN performance using monitored graphs of latency, jitter, and packet loss for gateways.
• Graph views can be configured to show data over time intervals

SD-WAN Logging

• Sophos Firewall logs provide SD-WAN specific details, including the rule ID and name, for both the route request and reply. .

SD-WAN Routes

• Support for various routing scenarios.
• Use next-hop and interface-based gateways.
• Configure using gateway hosts and routes rules.
• Apply criteria such as user, group, application for traffic selection.
• SD-WAN profiles to select the gateway based on link quality.

SD-WAN Route Configuration

• Defining source, destination, and services for SD-WAN to be routed consistently.

Matching Reply Packets

• SD-WAN route behaviour can differ in new and upgraded Sophos Firewall installations.

Zones for Custom Gateways

• Creation of virtual WAN zones on custom gateways is useful (e.g. for AWS or Azure environments).
• They can accommodate multiple custom gateways.
• Specific security rules can be applied to traffic accordingly.