This article describes SD-WAN policy routing: Description and Configuration
SD-WAN policy routing allows you to implement routing decisions based on the policies that you specify. It enables you to override routing based on destination IP addresses and routing tables.
You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups. You can specify the primary and backup gateways to route the traffic through.
These policy routes allow you to specify gateway failover and failback, using a combination of connections, for example, MPLS, VPN, broadband. You can also route critical applications and bandwidth-sensitive traffic, such as VoIP through high-speed ISP links.
You can create IPv4 and IPv6 SD-WAN policy routes. You can also create policy routes for the reply packets of system-generated traffic on non-WAN zone interfaces. To turn routing on or off for system-generated traffic and reply packets, go to the command-line interface.
Applies to the following Sophos products and versions
Sophos Firewall XG v18 GA
Routing follows the precedence you specify on the command-line interface. The default routing precedence is static routes, SD-WAN policy routes, then VPN routes. The protocol, network, and route details are shown in the table below.
For reply packets, XG Firewall enforces symmetric routing for WAN interfaces. Reply packets use the same WAN interface as the original packets.
You can configure asymmetric routing for reply packets on non-WAN interfaces. Example: For LAN to DMZ traffic, you can specify a different interface for the reply packets. On the command-line interface, make sure you turn on routing for reply packets.
Static routes include the following:
• Fallback route if traffic doesn't match any configured route.
You can see the routing precedence on the command-line interface or on the SD-WAN policy routing page on the web admin console.
1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
Type a name.
2. Select the traffic selector settings.
Application objects store the application's session details (protocol, destination port, and destination IP address) during the first session. XG Firewall uses the session details to match traffic with an SD-WAN routing policy for future sessions. When session details have been removed, or haven't yet been stored, XG Firewall doesn't apply policy-based routing.
The time to live (TTL) of application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged.
When you restart XG Firewall, the session details of all application objects are purged.
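The session-learning behaviour described above (first session stores protocol, destination port and destination IP; later sessions are matched against the stored details; details expire 3600 seconds after a session start; a restart purges everything) can be modelled in a few lines. The following is an added illustration, not Sophos code: the class name, the `learn` call standing in for the firewall's application classification of the first session, and the reading that a matching new session within the TTL keeps the details alive are all assumptions.

```python
"""Model of how an SD-WAN application object learns and expires session details.

Added example, not Sophos code. It follows the page's description:
  * the first session for an application stores (protocol, dst port, dst IP);
  * later sessions with the same details are matched by the policy route;
  * details live 3600 s from the start of the session that recorded them
    (assumption: a matching new session within that window refreshes them);
  * a firewall restart purges all learned details.
"""
from dataclasses import dataclass
from typing import Dict

SESSION_TTL = 3600  # seconds, as stated on the page


@dataclass(frozen=True)
class SessionKey:
    protocol: str   # e.g. "udp"
    dst_port: int
    dst_ip: str


class ApplicationObject:
    """Learned session details for one application object."""

    def __init__(self, name: str) -> None:
        self.name = name
        # key -> start time of the most recent session that matched it
        self._learned: Dict[SessionKey, float] = {}

    def learn(self, key: SessionKey, now: float) -> None:
        """First session: assumption is that the firewall's application
        classifier identified it, so its details are stored with the start time."""
        self._learned[key] = now

    def _purge_expired(self, now: float) -> None:
        expired = [k for k, start in self._learned.items() if now - start >= SESSION_TTL]
        for k in expired:
            del self._learned[k]

    def policy_applies(self, key: SessionKey, now: float) -> bool:
        """Would a new session with these details be routed by the policy?
        Expired details are purged first; a match refreshes the start time."""
        self._purge_expired(now)
        if key in self._learned:
            self._learned[key] = now
            return True
        return False

    def restart(self) -> None:
        """A restart of the firewall purges all learned session details."""
        self._learned.clear()


def demo() -> list:
    """Walk through the lifecycle with constructed sample values."""
    app = ApplicationObject("voip-example")                 # constructed name
    key = SessionKey("udp", 5060, "203.0.113.10")           # constructed (TEST-NET-3)
    results = []
    results.append(app.policy_applies(key, now=0))          # nothing learned yet
    app.learn(key, now=0)                                   # first session classified
    results.append(app.policy_applies(key, now=1800))       # inside TTL, refreshed
    results.append(app.policy_applies(key, now=1800 + 3599))  # still inside TTL
    results.append(app.policy_applies(key, now=1800 + 3599 + 3601))  # expired
    app.learn(key, now=10000)
    app.restart()
    results.append(app.policy_applies(key, now=10001))      # purged by restart
    return results


if __name__ == "__main__":
    print(demo())
```

The practical consequence the model makes visible: until an application's first session has been classified, and again after the TTL or a restart, traffic for that application follows whatever route applies next, not the SD-WAN policy route.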
System-generated traffic and reply packets: To create a policy route for system-generated traffic and reply packets on non-WAN zone interfaces, select only the destination networks and services. XG Firewall matches this traffic based on destination networks, since the source interface and network will remain unknown.
To see the routing status and turn routing on or off for system-generated traffic and reply packets, use the following CLI commands:
Show routing status
console> show routing sd-wan-policy-route system-generate-traffic
console> show routing sd-wan-policy-route reply-packet
Turn on routing
console> set routing sd-wan-policy-route system-generate-traffic enable
console> set routing sd-wan-policy-route reply-packet enable
Turn off routing
console> set routing sd-wan-policy-route system-generate-traffic disable
3. Specify the routing settings.
Primary gateway: Select the primary gateway to route traffic.
If you delete the selected gateway, XG Firewall will delete the policy route and implement WAN link load balance to route traffic.
If the primary gateway goes down, XG Firewall routes traffic through the backup gateway. When the primary gateway comes back up, traffic is routed through it.
Backup gateway: If you've configured more than one gateway, select the backup gateway. If you delete the selected gateway, the backup gateway will be set to None.
Override gateway monitoring decision: Select if you want to route traffic through the selected gateway even if the gateway is down.
4. Select Save.
• To change the sequence of an SD-WAN policy route, drag and drop the route. XG Firewall evaluates policy routes from top to bottom until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
• To turn on or turn off a route, use the Status switch.
• To edit a route, click Edit.
The status icon of a route shows one of the following:
• Primary or backup gateway is up and the policy route is live.
• Gateway is down and the policy route isn't live. Override gateway monitoring is off.
• Gateway is down and override gateway monitoring is on.
Hover over the status icon to view the statuses of the primary and backup gateways and the override gateway monitoring setting.
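The routing settings and the status descriptions above combine into one decision procedure: walk the enabled routes top to bottom, take the first whose traffic selectors match, then pick the primary gateway if it is up, the backup if the primary is down, or the primary regardless when override gateway monitoring is on. The following is an added example that models that procedure; it is not Sophos code. Route and gateway names, the addresses, the order in which a backup gateway is preferred over the override setting, and the assumption that a matched but non-live route hands the packet to the next routing precedence (not modelled here) are all constructed for the illustration.

```python
"""Model of SD-WAN policy route evaluation as described on the page.

Added example, not Sophos code. Assumptions: a backup gateway that is up is
preferred over routing through a down primary with override on; a matched
route whose gateways are all down (override off) is "not live" and the packet
continues to the next routing precedence, which this model does not cover.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    in_interface: str
    src_ip: str
    dst_ip: str
    service: str                 # "proto/port", e.g. "udp/5060"
    user: Optional[str] = None


@dataclass
class PolicyRoute:
    name: str
    primary_gateway: str
    backup_gateway: Optional[str] = None
    override_monitoring: bool = False
    enabled: bool = True         # the Status switch on the route
    # Traffic selectors; None means "any"
    in_interface: Optional[str] = None
    src_network: Optional[str] = None
    dst_network: Optional[str] = None
    service: Optional[str] = None
    users: Optional[frozenset] = None

    def matches(self, pkt: Packet) -> bool:
        """Every configured selector must match; unset selectors match anything."""
        if self.in_interface is not None and pkt.in_interface != self.in_interface:
            return False
        if self.src_network is not None and ip_address(pkt.src_ip) not in ip_network(self.src_network):
            return False
        if self.dst_network is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_network):
            return False
        if self.service is not None and pkt.service != self.service:
            return False
        if self.users is not None and pkt.user not in self.users:
            return False
        return True


# (route name, gateway used, status text mirroring the status icon legend)
Result = Tuple[Optional[str], Optional[str], str]


def evaluate(routes: List[PolicyRoute], gateway_up: Dict[str, bool], pkt: Packet) -> Result:
    """First enabled route whose selectors match wins; later routes are not evaluated."""
    for route in routes:
        if not route.enabled or not route.matches(pkt):
            continue
        if gateway_up.get(route.primary_gateway, False):
            return route.name, route.primary_gateway, "live"
        if route.backup_gateway and gateway_up.get(route.backup_gateway, False):
            return route.name, route.backup_gateway, "live"          # failover to backup
        if route.override_monitoring:
            return route.name, route.primary_gateway, "gateway down, override on"
        return route.name, None, "gateway down, route not live"      # falls to next precedence
    return None, None, "no match"


def demo() -> Dict[str, Result]:
    """Constructed route table and gateway states; addresses are documentation ranges."""
    routes = [
        PolicyRoute("old-catch-all", primary_gateway="Broadband", enabled=False),
        PolicyRoute("voip-over-mpls", primary_gateway="MPLS", backup_gateway="Broadband",
                    service="udp/5060"),
        PolicyRoute("lan-to-dmz", primary_gateway="DMZ-GW", override_monitoring=True,
                    in_interface="Port1", dst_network="10.20.0.0/16"),
        PolicyRoute("branch-mpls-only", primary_gateway="MPLS", src_network="10.30.0.0/24"),
    ]
    gateway_up = {"MPLS": False, "Broadband": True, "DMZ-GW": False}
    return {
        "voip": evaluate(routes, gateway_up, Packet("Port1", "10.10.0.5", "203.0.113.10", "udp/5060")),
        "dmz": evaluate(routes, gateway_up, Packet("Port1", "10.10.0.5", "10.20.1.1", "tcp/443")),
        "branch": evaluate(routes, gateway_up, Packet("Port2", "10.30.0.9", "198.51.100.7", "tcp/443")),
        "other": evaluate(routes, gateway_up, Packet("Port2", "10.40.0.9", "198.51.100.7", "tcp/443")),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the demo shows the four outcomes the legend describes: VoIP fails over to the broadband backup because MPLS is down, the LAN-to-DMZ route still sends traffic through its down gateway because override is on, the branch route matches but is not live, and traffic the disabled catch-all route would have taken is not matched at all.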