[XG 18] SD-WAN policies ignored? SFOS 18.0.0 GA-Build354

I upgraded to SFOS 18.0.0 GA-Build354 yesterday morning.

Under SFOS 18.0.0 GA-Build339 SD-WAN policies worked fairly well, sending traffic through specific interfaces based on subnet, user, etc.

However, since I the vast majority of traffic is going to the Active WAN-link. Very little traffic is going to the Backup link, even though the policy specifies to use it for certain source addresses.

Anyone else seeing this?

  • Quick update: I changed the type of my secondary WAN-link from "backup" to "active" and I'm suddenly seeing traffic going to it.

    Can the SD-WAN policies not send traffic to a backup link?

  • In reply to Arie:

    I did not test it in Build 354, but there are no changes at all to SD-WAN. So assuming there is no change, it should not have changed in the working process.

    Could you recover the old status with the backup interface and show us your SD-WAN policy as a screenshot?

    Please take a look at the gateway as well - is it online?

  • In reply to LuCar Toni:

    I'll try to find some time over the weekend to revert.

    Yes - both gateways are shown as "up".

  • In reply to LuCar Toni:

    I'm still wondering whether the SD-WAN policies will send traffic to a WAN-link that's been set to "backup" instead of "active".

  • In reply to LuCar Toni:

    On a related note, I've noticed that the log page often doesn't show the outgoing port. Is this intentional?

  • In reply to Arie:

    Should be - I am pretty sure it does.

  • In reply to LuCar Toni:

    Based on your reply I have done some more digging. Turns out that my system shows ports only for connections that use a specific NAT rule.

    I haven't touched my NAT rules after upgrading from v17, aside from a couple that I created when I cloned some firewall rules. Guess I'll need to take a look at my NAT rules.

  • In reply to Arie:

    Please be careful: SNAT will only be applied after the routing decision is already made. So basically XG looks at the SD-WAN routing table, chooses a rule, goes to the NAT table and takes the specific SNAT rule matching the traffic.

    Do you have migrated SD-WAN rules or not?

  • In reply to LuCar Toni:

    It's possible that SD-WAN was migrated from v17, but I'm not certain. Is there a way to tell?

    I do have a lot of NAT rules that resulted from the migration.

  • In reply to Arie:

    You will see an SD-WAN rule for each migrated NAT, which will be a linked NAT. You cannot edit the migrated SD-WAN rules, only delete them.

  • In reply to rfcat_vk:

    Just to correct the statement.

    You will see migrated SD-WAN rules for each firewall rule which had a selected gateway.

    Those rules can act differently to a self-created SD-WAN rule.

    Sophos put some effort into improving the docs.sophos.com page.