bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Networking/Sophos/Site-to-Site VPNs/IPSec/Automatic Tunnel Resetting.md

Browse Source
This commit is contained in:
Nicole Rappe
2024-09-12 20:20:16 -06:00
parent 6affa2fb38
commit b31d132dea
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
Networking/Sophos/Site-to-Site VPNs/IPSec/Automatic Tunnel Resetting.md
View File

@ -9,6 +9,31 @@
### Configure Sophos XGS Firewall ACLs ### Configure Sophos XGS Firewall ACLs
You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s). At this stage, you need to log into your Sophos XGS Firewall. For this example, we will assume you can reach your firewall at https://172.16.16.16:4444 and log in as the administrator. You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s). At this stage, you need to log into your Sophos XGS Firewall. For this example, we will assume you can reach your firewall at https://172.16.16.16:4444 and log in as the administrator.
### Create API Access Profile
You need to create a profile that the API User will leverage to issue commands to the firewall's VPN settings. Without this profile, the user may have either not enough, or too much access.
- Navigate to **System > Profiles > Device Access > "Add"**
- Profile Name: `VPNTunnelAPI`
- Check the radio box column named "**None**" to Deny all permissions to all areas of the firewall
- Expand the "**VPN**" section of the permission tree, and check the box for "**Read-Write**" next to "**Connect Tunnel**"
- Click the "**Save**" button to save the access profile
### Create API Access User
Now we need to make a user account that we will use inside the script to authenticate against the firewall using the previously-mentioned access profile
- Navigate to **Configure > Authentication > Users > "Add"**
- Name: `TunnelCheckerAPIUser`
- User Type: `Administrator`
- Profile: `VPNTunnelAPI`
- Password: `01_placeholder_PASSWORD_here_02`
- Group: `Open Group`
- Click the "**Save**" button to save the API user account
### Create Device Access ACL
Now we need to configure an ACL within the Firewall to allow API access from the specific server we will be using in the next section.
- Navigate to **Administration > Device Access > Local service ACL exception rule > "Add"**
## Server Environment ## Server Environment
### Choose a Server ### Choose a Server
It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel. If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel. It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel. If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel.