One of the great new features in XG Firewall v18 that we covered in Part 3 of this series is the new SD-WAN application and user-/group-based link selection capabilities. In this article, we’ll review how you can take advantage of those as a part of another new feature in XG Firewall v18: route-based IPsec VPN.
Route-based IPsec (RBVPN) in XG Firewall v18 enables truly dynamic IPsec site-to-site VPN tunnels. With RBVPN, network topology changes don’t impact VPN policy and you no longer need to modify VPN policies if networks are added or removed from your environment. This greatly simplifies VPN policy creation and management, especially in larger and more dynamic environments.
RBVPN provides full control over routing with support for static, dynamic (OSPF, BGP, RIP) and SD-WAN policy-based routes with RBVPN policies. RBVPN implementation in XG Firewall v18 also provides flexibility to set up more complex network address translation using the new NAT rule configuration such as VPN NAT overlap scenarios.
XG Firewall v18 also supports RBVPN tunnel interfaces for SD-WAN policy-based routes to support IPsec and MPLS co-existence with SD-WAN. This makes it possible to enable IPsec and MPLS (even on a non-WAN zone) to both be active at the same time, with options for load balancing on VPN tunnels as well.
RBVPN is a well-accepted industry standard and interoperates nicely with other vendors’ route-based VPN tunnels, making it easier to tunnel to Azure/AWS and other cloud providers. Ultimately, route-based VPN is the preferred choice for today’s dynamic networks.
Making the most of route-based IPsec VPN tunnels in XG Firewall
This video provides a great detailed look at how to set up route-based VPN in XG Firewall v18:
Then, you can take full advantage of the new Synchronized SD-WAN policy-based routing for your VPN traffic, with options for user, group, application, and even Synchronized Application Control-discovered app-based routing for your route-based VPN.
Synchronized SD-WAN leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos-managed endpoints and XG Firewall. Synchronized Application Control can positively identify 100% of all networked applications, including evasive, encrypted, obscure, and custom applications – and now these previously unidentified applications can also be added to SD-WAN and VPN routing. This provides a level of application routing control and reliability that other firewalls can’t match.
To use Synchronized Application Control-discovered apps in your routing, when creating an application object for SD-WAN or VPN routing, you can select “Synchronized Application Control” from the Technology drop-down box as shown below to see all the relevant applications.