NTP forward with NAT
Quote from mpca on 26 February 2021, 21:38
community.sophos.com/products/xg-firewal...y-like-functionality
The new NAT engine in V18 provides a high degree of flexibility when it comes to solving some interesting network problems. I don't know if it has been shared here or not, but you can use NAT to achieve NTP-proxy-like functionality. A standard use case seen is that clients would like to use the IP address of the firewall as the NTP server. Consider this as an example environment:
- Firewall has at least 2 interfaces, LAN and WAN. LAN interface has an RFC1918 address, and the WAN interface utilizes a public address.
- Clients behind the firewall would like to use the LAN interface IP as the NTP 'server'. In this regard, the default gateway and NTP destination use the same address on your clients.
- The NTP server you want to sync with is external to the organization, e.g. pool.ntp.org.
To make this work, create a NAT policy like the following:
- Original Source: Any host (or LAN subnets)
- Original Service: NTP
- Original Destination: XG LAN IP address
- Translated Source: Masqueraded (this is your WAN IP)
- Translated Service: Original service
- Translated Destination: pool.ntp.org (or pick NTP server of your liking)
- Inbound Interface: Lan
- Outbound Interface: ANY
Naturally, you can create variations of this NAT policy, based on your network configuration and the location of the NTP server.
In the new XG V18 architecture training course, there are a few more examples demonstrating how to control NTP and DNS traffic. I encourage you to check out the training material as it provides more in-depth knowledge of the new V18 features.
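Added example (not from the quoted post or from Sophos): a minimal NTP client in Python that a LAN host can point at the firewall's LAN IP to verify the NAT policy really forwards the request and that a usable server reply (mode 4, non-zero stratum, synchronised) comes back. The LAN IP `192.0.2.1` is a placeholder, and `make_reply` builds constructed sample replies so the parser can be exercised offline.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to the Unix epoch
NTP_FMT = "!BBbbIIIQQQQ"       # 48-byte NTPv4 header (RFC 5905): LI/VN/mode, stratum, ...

def build_client_request() -> bytes:
    """Mode-3 (client) request: LI=0, VN=4, only the transmit timestamp filled in."""
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * 2**32) & 0xFFFFFFFF
    return struct.pack(NTP_FMT, (0 << 6) | (4 << 3) | 3, 0, 0, 0,
                       0, 0, 0, 0, 0, 0, (secs << 32) | frac)

def make_reply(stratum: int, ref_id: bytes, tx_secs: int, leap: int = 0) -> bytes:
    """Constructed mode-4 server reply, used only as offline sample data."""
    head = (leap << 6) | (4 << 3) | 4
    return struct.pack(NTP_FMT, head, stratum, 6, -20, 0, 0,
                       int.from_bytes(ref_id.ljust(4, b"\0"), "big"), 0, 0, 0, tx_secs << 32)

def parse_response(data: bytes) -> dict:
    """Decode a reply and decide whether a client could actually sync from it."""
    if len(data) < 48:
        return {"ok": False, "reason": "short packet"}
    f = struct.unpack(NTP_FMT, data[:48])
    leap, version, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    info = {"leap": leap, "version": version, "mode": mode, "stratum": stratum,
            "ref_id": f[6].to_bytes(4, "big"),
            "server_time": (f[10] >> 32) - NTP_EPOCH_OFFSET}  # integer seconds, Unix epoch
    if mode != 4:
        info.update(ok=False, reason="not a server reply (mode %d)" % mode)
    elif stratum == 0:
        # Stratum 0 is a Kiss-o'-Death; the reference id carries the ASCII code (e.g. RATE)
        info.update(ok=False, reason="kiss-o'-death %r" % info["ref_id"])
    elif stratum > 15 or leap == 3:
        info.update(ok=False, reason="server unsynchronised")
    else:
        info.update(ok=True, reason="")
    return info

def query(server: str, timeout: float = 3.0) -> dict:
    """Send one request to `server` (the firewall's LAN IP) and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (server, 123))
        data, peer = s.recvfrom(512)
    info = parse_response(data)
    info["answered_by"] = peer[0]  # still the LAN IP: the DNAT is reversed on the way back
    return info

if __name__ == "__main__":
    print(parse_response(make_reply(1, b"GPS", 3900000000)))  # offline sample
    print(query("192.0.2.1"))  # placeholder: replace with your XG LAN IP
```

If the reply's stratum is 16 or the leap indicator is 3, the upstream pool server is not synchronised and clients will refuse it even though the forward itself works.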