
Only use a second gateway (i.e. backup ISP) for a specific device?

I'm looking to add a backup cellular ISP service to my home network such that in the event my primary ISP is down, Sophos XG will use the backup cellular ISP. However, I really only want to use the backup cellular ISP to maintain internet connectivity for certain devices and not everything on my network. Is there any way to do this with Sophos XG?



  • After reading the SD-WAN policy routing help section several times, watching this video and experimenting with my setup, it seems having an SD-WAN policy route set to 'Any' for all of the traffic selector options (e.g. source networks, destination networks, etc.) is not required with the following assumptions:

    • Primary gateway has no 'Failover rules' specified.
    • Backup gateway is set to a 'Type' of 'Backup' and 'Activate this gateway' is set to 'Manually'.
    • Routing precedence is set to the default for Sophos XG v18 to Static routes, SD-WAN policy routes and VPN routes (this must be changed if you upgraded from Sophos XG v17).

    Based on this setup, your backup gateway should not be used when your primary gateway is down. Again, the goal is to only use a backup gateway for certain devices when the primary gateway is down.

    To use the backup gateway for a specific application, device, network, etc., you must create an SD-WAN policy route as desired (e.g. 'Source networks' set to your device static IP address), and set the 'Primary gateway' and 'Backup gateway'.

    For a device that isn't associated with an SD-WAN policy route, it will simply use the static routes then jump to the default route (WAN link manager). However, the default route in this case should only allow the primary gateway to be utilized since we didn't specify the backup to be used. For any device that does have an SD-WAN policy route, it will first use the static routes followed by the created SD-WAN policy route which specifies it can use either the primary gateway or backup gateway, so in the event the primary gateway goes down, only these device(s) will use the backup gateway.

    Would be great to get confirmation from one of you smart Sophos XG folks if the above is accurate.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/
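
The routing decision described in the post above, modelled as an added example that is not part of the original post and is not Sophos code. It follows the poster's stated precedence (static routes, then SD-WAN policy routes, then the default route) and shows which devices keep connectivity when the primary gateway is down; the gateway names, addresses and function names are assumptions made for illustration.

```python
import ipaddress

PRIMARY, BACKUP = "primary_isp", "cellular_backup"  # hypothetical gateway names

# Constructed sample configuration (addresses are illustrative).
STATIC_ROUTES = [(ipaddress.ip_network("10.10.0.0/16"), "lan_router")]
SDWAN_ROUTES = [
    {"source": ipaddress.ip_network("192.168.1.50/32"),
     "primary": PRIMARY, "backup": BACKUP},
]


def select_gateway(src, dst, up):
    """Pick a next hop using the precedence static -> SD-WAN -> default.

    `up` is the set of gateways whose health check currently passes.
    Returns the chosen gateway name, or None when there is no usable path.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # 1. Static routes match on destination only.
    for network, gateway in STATIC_ROUTES:
        if dst in network:
            return gateway

    # 2. SD-WAN policy routes: only sources listed here may use the backup.
    for route in SDWAN_ROUTES:
        if src in route["source"]:
            for gateway in (route["primary"], route["backup"]):
                if gateway in up:
                    return gateway
            break  # matched, but both gateways are down; fall to default

    # 3. Default route (WAN link manager): the backup is activated manually
    #    and the primary has no failover rules, so only the primary is eligible.
    return PRIMARY if PRIMARY in up else None


def failover_report(sources, up):
    """Map each source IP to the gateway it would use for internet traffic."""
    return {s: select_gateway(s, "203.0.113.10", up) for s in sources}


if __name__ == "__main__":
    devices = ["192.168.1.50", "192.168.1.60"]
    print("primary up  :", failover_report(devices, {PRIMARY, BACKUP}))
    print("primary down:", failover_report(devices, {BACKUP}))
```

With the primary down, only the device covered by the SD-WAN policy route resolves to the backup gateway; every other source gets no gateway, which is the isolation the post is aiming for.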