Sophos Firewall Dynamic Routing PDF
2022
Summary
This document provides a comprehensive guide to dynamic routing on Sophos Firewalls, covering various protocols such as RIP, OSPF, BGP, and PIM-SM. It also details the configuration process using both the CLI and WebAdmin interfaces.
Full Transcript
Dynamic Routing on Sophos Firewall
Sophos Firewall Version: 19.0v1

Sophos Firewall FW1535: Dynamic Routing on Sophos Firewall
April 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

In this chapter you will learn how to configure dynamic routing on Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Dynamic routing protocols
✓ Using the Firewall CLI

DURATION
7 minutes

Routing Protocols

RIP: Simple compared to other protocols. Limited to smaller networks.
OSPF: Most popular for private enterprise. Scalable.
BGP: Interior or exterior. Very large networks or Internet.
PIM-SM: Multicast group routing. SM is used for low volume of subscribers.

The Sophos Firewall supports four types of dynamic routing:
RIP, or routing information protocol
OSPF, or open shortest path first
BGP, or border gateway protocol
PIM-SM, or protocol independent multicast sparse mode

In this chapter we will cover the three unicast dynamic protocols supported by Sophos Firewall.

RIP (Routing Information Protocol)

Small network
Internal routing
WebAdmin or CLI configuration
[Diagram: Lan B, Lan C, Lan D, Lan E]

The first routing protocol we are going to look at is RIP. RIP is most useful in small networks that need or want dynamic routing in order to build their routing tables. RIP is a simple protocol that is not optimized for medium or large environments and is often accused of generating a lot of traffic if many devices exist. However, for a small network, the simplicity of RIP makes it a viable option for dynamic routing.

RIP WebAdmin Configuration
CONFIGURE > Routing > RIP

RIP can be configured using either the CLI or through the WebAdmin. One method is not better than the other as both will yield the same configuration. For the GUI, in WebAdmin, start by navigating to CONFIGURE > Routing > RIP. From here you can configure the global RIP settings for the device.

Adding RIP Networks

Further down the page you can add RIP networks. These are defined using the network and netmask.

Override Interface Configuration

You can also override some of the global RIP configuration options by interface.

RIP CLI Configuration

All dynamic routing protocols are configured from the same section of the console. From the main menu select option 3 for Route Configuration. In the route management menu select option 1 for Configure Unicast Routing. You can then select between RIP, OSPF and BGP.

RIP CLI Configuration

    Enable RIP:                     rip> en
    Switch to configuration mode:   rip# configure terminal
    Go to router config mode:       rip(config)# router rip
    Disable router config mode:     rip(config-router)# no router rip
    Choose RIP version:             rip(config-router)# version
    Add a network:                  rip(config-router)# network
    Remove network:                 rip(config-router)# no network
    Specify RIP neighbor:           rip(config-router)# neighbor
    Redistribute static routes:     rip(config-router)# redistribute static
    Save the configuration:         write
    See current RIP configuration:  rip# show running-config

If you are working in the CLI, a sample configuration can be seen here. This will enable the RIP protocol, set the RIP version, and add a network. Some additional commands that can be used to configure the RIP protocol can also be seen here. These include commands to specify the RIP neighbors and to save and show the configuration.

OSPF (Open Shortest Path First)

Enterprise network
Internal routing
CLI or WebAdmin configuration

OSPF is suitable for any size private network from small to enterprise. It is an efficient and scalable dynamic routing protocol that uses a single autonomous system to build routing tables for an interior network. It is perhaps the most widely used IGP in large enterprise networks due to the speed at which it converges new routing structures when changes occur.

OSPF WebAdmin Configuration
CONFIGURE > Routing > OSPF

Like configuring RIP, OSPF can also be configured using the CLI from the console of the Sophos Firewall or by using the WebAdmin. In the WebAdmin, navigate to CONFIGURE > Routing > OSPF. From here, the router ID can be set, and several advanced global settings can also be configured.

OSPF Networks and Areas

In the WebAdmin, there are options to add networks and areas to the OSPF configuration.
Some of the same options can also be seen in the sample OSPF configuration steps for the CLI.

Override Interface Configuration

Like RIP, OSPF allows you to override some of the global configuration settings for specific interfaces.

OSPF CLI Configuration

Example OSPF CLI configuration

    Enable OSPF:                    ospf> en
    Switch to configuration mode:   ospf# configure terminal
    Go to router config mode:       ospf(config)# router ospf
    Disable router config mode:     ospf(config-router)# no router ospf
    Add a network:                  ospf(config-router)# network
    Remove network:                 ospf(config-router)# no network

Here are some example commands you will need for configuring OSPF via the CLI.

BGP (Border Gateway Protocol)

Very large networks or Internet
Internal or external routing
CLI or WebAdmin configuration

BGP is efficient for very large networks and can be used for either internal routing (iBGP) or external routing (eBGP). External routing is not dependent on using BGP for internal routing. BGP is commonly used for sharing routes between autonomous systems on the Internet, for example between Internet service providers (ISPs).

BGP Global Configuration
CONFIGURE > Routing > BGP

BGP has a simple configuration. You assign an ID to the router, usually the IP address, and assign an AS, or autonomous system ID.

BGP Neighbors and Networks

Add the other routers to share the routes with as neighbors and add the networks that are accessible via this router.

BGP CLI Configuration

    bgp> enable
    bgp#
      clear      Reset functions
      configure  Configuration from vty interface
      copy       Copy configuration
      debug      Debugging functions (see also 'undebug')
      disable    Turn off privileged mode command
      echo       Echo a message back to the vty
      end        End current mode and change to enable mode.
      exit       Exit current mode and down to previous mode
      help       Description of the interactive help system
      list       Print command list
      logmsg     Send a message to enabled logging destinations
      no         Negate a command or set its defaults
      quit       Exit current mode and down to previous mode
      show       Show running system information
      terminal   Set terminal line parameters
      undebug    Disable debugging functions (see also 'debug')
      who        Display who is on vty
      write      Write running configuration to memory, network, or terminal
    bgp#

Here you can see the commands for configuring BGP via the CLI.

Routing Information
CONFIGURE > Routing > Routing information

You can view the routing summary and information in the GUI. To do this, log onto the admin console and navigate to CONFIGURE > Routing > Routing information. Here you can view information on RIP, OSPF, BGP, and PIM-SM. In the example here we are showing the BGP routes.

Chapter Review

Here are the three main things you learned in this chapter.

Sophos Firewall supports RIP, OSPF, BGP, and PIM-SM as dynamic routing protocols.
Dynamic routing protocols can be configured either in the web admin or via the console.
Detailed information for configured dynamic routing can be viewed in the web admin on the Routing information tab.
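
An added example, not part of the Sophos material: a Python check that reads routing configuration text and reports networks, neighbors and redistribution that fall outside an expected policy, built on the network, neighbor and redistribute commands covered in this chapter. The Quagga-style layout assumed for the saved configuration text, the sample addresses and AS numbers, and the APPROVED_* policy values are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in the Quagga-style layout assumed for "show running-config".
SAMPLE_CONFIG = """\
router rip
 network 172.16.16.0/24
 neighbor 172.16.16.2
 redistribute static
!
router ospf
 network 172.16.16.0/24 area 0.0.0.0
!
router bgp 65001
 network 10.99.0.0/16
 neighbor 172.16.16.9 remote-as 65002
"""
# Hypothetical policy: what this firewall is expected to advertise and peer with.
APPROVED_NETWORKS = [ipaddress.ip_network("172.16.16.0/24")]
APPROVED_NEIGHBORS = {"172.16.16.2"}

def parse_routing_config(text):
    """Map each protocol to the network/neighbor/redistribute arguments in its stanza."""
    config, current = {}, None
    for raw in text.splitlines():
        header = re.match(r"router (rip|ospf|bgp)\b", raw)
        item = re.match(r"\s+(network|neighbor|redistribute)\s+(\S+)", raw)
        if header:
            current = config.setdefault(
                header.group(1), {"network": [], "neighbor": [], "redistribute": []})
        elif not raw.startswith(" "):
            current = None  # "!" or any other top-level line closes the stanza
        elif item and current is not None:
            current[item.group(1)].append(item.group(2))
    return config

def audit(config):
    """Return findings for unapproved networks or neighbors and for any redistribution."""
    findings = []
    for proto, stanza in sorted(config.items()):
        for value in stanza["network"]:
            try:
                net = ipaddress.ip_network(value, strict=False)
                ok = any(net.version == a.version and net.subnet_of(a) for a in APPROVED_NETWORKS)
            except ValueError:  # not a prefix, for example an interface name
                ok = False
            if not ok:
                findings.append(f"{proto}: network {value} not approved")
        findings += [f"{proto}: neighbor {p} not approved"
                     for p in stanza["neighbor"] if p not in APPROVED_NEIGHBORS]
        findings += [f"{proto}: redistributes {s} routes" for s in stanza["redistribute"]]
    return findings
```

Calling audit(parse_routing_config(SAMPLE_CONFIG)) returns one finding per deviation; running it against a saved copy of each protocol's configuration after a change shows whether the firewall now advertises or peers beyond what was intended.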