Gemalter Industrietunnel Dagegen von Will Mu

Redundant connections for Sophos RED tunnels between XG(S) firewalls

By Andreas Walker 13 Aug, 2024

On Sophos RED endpoints, a primary and secondary IP address or hostname can be defined as peer. However, if a RED tunnel is set up between two Sophos XG(S) firewalls, only one IP address or host name can be defined on the client side. This means that redundancies in the WAN interfaces on the server side cannot be used. Multiple redundancies with weighting are possible using a surprisingly simple trick.

DNS, always DNS

The trick makes use of the fact that the RED tunnel resolves the configured host name via the firewall-internal DNS service. Instead of the actual remote peer, therefore, an internal host name (here in the example “hifish.red”) is used.

Configuration of the Client RED interface of a Sophos XGS firewall

In the DNS section, you enter the host name and then store the IP addresses with the corresponding weighting.

Configuration of the host entry with weighting on a Sophos XGS firewall

Restrictions and final considerations

Although redundancies can be formed very well in this way, the failback to the IP address with the lowest weighting does not work automatically. The client is therefore stuck to the IP with which the last communication with the server firewall took place. A workaround here is to temporarily deactivate the RED interface on the client firewall. When the connection is re-established, the IP with the lowest weight is chosen.

Another limitation is that the DNS server in the Sophos Firewall currently only supports A records. Therefore, only WAN interfaces with fixed publix IPs can be connected in this way. For remote stations with dynamic IPs, DynDNS services can be used if required. In environments with several RED tunnels, the use of a central, public DNS service can be easier to manage.

During tests, I also noticed that only the main IP address of a WAN interface can be used for RED uplinks. If you define several alias IPs on a WAN interface (e.g. with several fixed public IPs), these cannot be used for RED connections.

Andreas Walker completed an apprenticeship in gastronomy and worked in this industry for almost 15 years. In addition to his work in the hospitality industry, he built up a small IT company and supported small SMEs in IT projects in his spare time. Over time, he slipped into the IT of his employer and managed the site IT of a business hotel of the internationally active hotel chain IHG. In the summer of 2019, he graduated with an Advanced Federal Diploma of Higher Education in Information Technology. Since spring 2019, Andreas Walker is working for a local IT provider in the canton of Glarus as a system engineer, where he primarily supports SME customers.