Update Networking/Sophos/Site-to-Site VPNs/IPSec/Automatic Tunnel Resetting.md
@ -9,6 +9,31 @@
|
|||||||
### Configure Sophos XGS Firewall ACLs
|
### Configure Sophos XGS Firewall ACLs
|
||||||
You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s). At this stage, you need to log into your Sophos XGS Firewall. For this example, we will assume you can reach your firewall at https://172.16.16.16:4444 and log in as the administrator.
|
You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s). At this stage, you need to log into your Sophos XGS Firewall. For this example, we will assume you can reach your firewall at https://172.16.16.16:4444 and log in as the administrator.
|
||||||
|
|
||||||
|
### Create API Access Profile
|
||||||
|
You need to create a profile that the API User will leverage to issue commands to the firewall's VPN settings. Without this profile, the user may have either not enough, or too much access.
|
||||||
|
|
||||||
|
- Navigate to **System > Profiles > Device Access > "Add"**
|
||||||
|
- Profile Name: `VPNTunnelAPI`
|
||||||
|
- Check the radio box column named "**None**" to Deny all permissions to all areas of the firewall
|
||||||
|
- Expand the "**VPN**" section of the permission tree, and check the box for "**Read-Write**" next to "**Connect Tunnel**"
|
||||||
|
- Click the "**Save**" button to save the access profile
|
||||||
|
|
||||||
|
### Create API Access User
|
||||||
|
Now we need to make a user account that we will use inside the script to authenticate against the firewall using the previously-mentioned access profile
|
||||||
|
|
||||||
|
- Navigate to **Configure > Authentication > Users > "Add"**
|
||||||
|
- Name: `TunnelCheckerAPIUser`
|
||||||
|
- User Type: `Administrator`
|
||||||
|
- Profile: `VPNTunnelAPI`
|
||||||
|
- Password: `01_placeholder_PASSWORD_here_02`
|
||||||
|
- Group: `Open Group`
|
||||||
|
- Click the "**Save**" button to save the API user account
|
||||||
|
|
||||||
|
### Create Device Access ACL
|
||||||
|
Now we need to configure an ACL within the Firewall to allow API access from the specific server we will be using in the next section.
|
||||||
|
|
||||||
|
- Navigate to **Administration > Device Access > Local service ACL exception rule > "Add"**
|
||||||
|
|
||||||
## Server Environment
|
## Server Environment
|
||||||
### Choose a Server
|
### Choose a Server
|
||||||
It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel. If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel.
|
It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel. If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel.
|
||||||
|
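Review bot: the new "Create Device Access ACL" section stops after its navigation bullet (`- Navigate to **Administration > Device Access > Local service ACL exception rule > "Add"**`) and never states the rule's settings, so a reader cannot actually scope API access to the script host as the preceding paragraph promises; add bullets for the source host or network of the server chosen in "Choose a Server", the admin service (HTTPS on the 4444 admin port used in the login example) the exception should cover, and the action, in the same field-by-field style as the profile and user sections. Two smaller points in the same hunk: the password bullet under "Create API Access User" ships a literal value (`- Password: 01_placeholder_PASSWORD_here_02`), so say explicitly that it is a placeholder to be replaced with a generated secret kept outside the script file, otherwise a copy-paste lands it in production. And "Choose a Server" documents that an unreachable remote peer causes an infinite loop of tunnel resets; since that is a self-inflicted outage, state a retry cap or a precondition check (for example, confirming the firewall itself answers before deciding the tunnel is down) next to that warning rather than leaving it as a caveat only.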