Sophos Firewall Version 19.0v1 Overview

Questions and Answers

What is a consequence of a packet being marked for RTG?

It will prevent matching with PBR. (correct)

It is assigned the highest precedence.

It will bypass the full route precedence.

It can match multiple routing policies.

Which routing table is given the highest precedence when marking with fwmark?

VPN routing table (correct)

RTG routing table

static routing table

multilink routing table

How are routing policies defined in the routing table based on fwmark?

By the source address only.

By using restrictions on protocols.

By defining routes for various networks.

By associating them with specific lookup tables. (correct)

What command would you use to view the routing table associated with a specific gateway?

ip route list table

What metric is associated with the prohibit default route in the routing table?

Metric 1

What does a jitter measurement of five milliseconds indicate in terms of network latency?

Latency varies and is not stable.

Which of the following is NOT a criterion that can be included in a custom SLA configuration?

Throughput

What must be entered when configuring TCP as a probe target in health checks?

The port number for the probe target.

How can you define the recommended SLA values for different traffic types?

By hovering over the information icon.

What determines the first SLA verdict in SD-WAN monitoring?

The total time taken equal to the SLA sample size multiplied by the interval.

What happens when an SLA is enabled for an SD-WAN profile?

The health check cannot be disabled.

What is the default SLA sample size for determining link performance in SD-WAN?

30

How many consecutive responses are required for the firewall to determine that a link is up again?

5

Which of the following metrics is NOT monitored by the SD-WAN performance graphs?

Uptime

What does the SD-WAN log viewer include for each log entry?

SD-WAN rule ID and name for the route request and reply.

What occurs after a packet arrives at the Sophos Firewall if it matches an SD-WAN route?

The packet is marked for later processing and the destination zone is identified.

In which scenario does the Sophos Firewall mark a packet for Multi Link Management (MLM)?

If the traffic is destined for the WAN zone and no Policy Based Route (PBR) or Route Through Gateway (RTG) is matched.

What is the role of NAT lookup in the packet processing flow within the Sophos Firewall?

To update the destination zone if a DNAT or Full NAT rule is matched.

Which of the following is NOT indicated as a method for matching a route through a gateway in the Sophos Firewall?

Default routing

What determines the order in which a packet is processed in the routing precedence of the Sophos Firewall?

The gateway configurations listed in the routing table.

Study Notes

Sophos Firewall Version 19.0v1

• Sophos Firewall version 19.0v1 is a product.
• This version includes April 2022 updates.

Copyright and Use Restrictions

• Copyright 2022 Sophos Limited. All rights reserved.
• No parts of this document can be used without Sophos's prior consent.
• Sophos and the Sophos logo are registered trademarks of Sophos Limited.
• Other mentioned trademarks and logos may belong to other Sophos entities or their respective owners.

Document Disclaimer

• Sophos has taken reasonable care in preparing this document.
• Sophos makes no explicit or implicit warranties, or representations about content completeness or accuracy.
• Changes to the document are possible at any time.
• Sophos Limited is registered in England with number 2096520.
• The registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Routing Configuration

• Sophos Firewall routes traffic, manages gateways, and configures SD-WAN profiles and routes.

Recommended Knowledge and Experience

• Configuring static routes
• Creating gateways and SD-WAN routes

Duration

• 27 minutes

Routing

• Sophos Firewall supports multiple methods for controlling routing:
  • Static routes
  • SD-WAN routes
  • VPN routes
  • Health check routes
  • Default route

Packet Routing

• Packet routing procedure on Sophos Firewall.
• Steps include checks for SD-WAN routes, applying full routing precedence, NAT lookup, and destination zone update

Packet Routing (continued)

• Firewall rule matching is done on the post-NAT zone and pre-NAT IP.
• SD-WAN routes created from gateways in firewall rules (v17.5 onward) will be migrated.

Packet Routing (continued 2)

• If WAN traffic does not match PBR or RTG, it is marked for MLM (multi-link management).
• MLM is based on load balancing across active gateways.
• Packets then traverse full routing based on precedence.
• Finally, a NAT lookup occurs.

Routing Table Example

• Routing table example on Sophos Firewall, showcasing source and fwmark used to lookup gateways.

Routing Policies

• Using ip rule list and ip route list table commands for navigating routing table tree to identify traffic routes.

Setting Routing Precedence

• By default, static routing has highest priority within the system.
• System route_precedence command can modify priority if necessary.

Gateway Management

• Two tools for gateway management: WAN Link Manager and Gateway Manager.
• WAN Link Manager: Configures pre-existing WAN gateways. It does not allow the creation of new WAN links.
• Gateway Manager: Creates gateways to forward traffic to other networks. WAN gateways usually automatically create upon WAN link interface creation.

WAN Link Manager

• Minimizes the chance of service disruptions ensures connectivity to the Internet using active-backup configuration.
• Identifies the health of dead links and reroutes traffic once restored.
• Optimizes connectivity using load balancing by distributing traffic among various links.
• Active-active configuration is possible for load balancing.

Backup Gateway

• Backup gateways can be activated manually or automatically if the primary gateway fails.
• The backup gateway can inherit the active gateway weight, or use a configured weight.
• It is possible to specify whether new connections use the restored gateway or force all connections, including prior ones, through the restored gateway.

WAN Link Manager Failover Rules

• Configure failover rules to test gateway availability (PING or TCP connections).
• Multiple rules can be used for failover tests.

SD-WAN Profiles

• SD-WAN Profiles are configured to use in various circumstances to route, such as for best quality routing.
• They ensure optimized network performance.

SD-WAN Profile Settings

• Define performance criteria for SD-WAN (latency, jitter, packet loss).
• Allow for customizing the SLA (Service Level Agreement).

SD-WAN Profiles and Diagnostics

• Monitor SD-WAN performance using monitored graphs of latency, jitter, and packet loss for gateways.
• Graph views can be configured to show data over time intervals

SD-WAN Logging

• Sophos Firewall logs provide SD-WAN specific details, including the rule ID and name, for both the route request and reply. .

SD-WAN Routes

• Support for various routing scenarios.
• Use next-hop and interface-based gateways.
• Configure using gateway hosts and routes rules.
• Apply criteria such as user, group, application for traffic selection.
• SD-WAN profiles to select the gateway based on link quality.

SD-WAN Route Configuration

• Defining source, destination, and services for SD-WAN to be routed consistently.

Matching Reply Packets

• SD-WAN route behaviour can differ in new and upgraded Sophos Firewall installations.

Zones for Custom Gateways

• Creation of virtual WAN zones on custom gateways is useful (e.g. for AWS or Azure environments).
• They can accommodate multiple custom gateways.
• Specific security rules can be applied to traffic accordingly.

Description

This quiz covers the features and updates of Sophos Firewall version 19.0v1, including information on copyright, use restrictions, and advanced routing configuration. It provides insights into the product's legal disclaimers and operational specifics. Perfect for IT professionals looking to understand this firewall version better.