Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 13 replies
  • Answers 2 answers
  • Subscribers 40 subscribers
  • Views 4064 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How do allow Sophos XG itself failover to a backup ISP (SD-WAN policy routing)

shred

I currently have Sophos XG installed on a Qotom Q335G4 box with two ISPs, a primary and a backup for just a few devices. I have an SD-WAN policy route setup that allows this:

Everything works as expected but I also have email notifications setup in Sophos XG so I'll get an email when one of the ISP interfaces is down. However, when my primary ISP is down, I don't seem to get any emails until it comes back up. I'm assuming it's because Sophos XG itself is only using the primary ISP. Is there a way to allow the Sophos XG device itself to fail over to the backup ISP as well?



This thread was automatically locked due to age.
  • 0 in reply to shred

    Just to be sure: The SMTPS Service and the destination IP is correct? 

    If you connect from your PC to this, does it work and use the correct interface? Because it should also affect the clients behind XG. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Yes. When my primary ISP is down, I am able to successfully send emails out from my computer using Gmail just fine. As soon as I reconnect the primary ISP, I get the email from Sophos XG that my primary ISP was down. It seems like the email notifications from Sophos XG do not even attempt to use the backup ISP, despite the SD-WAN policy rule.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • 0 in reply to shred

    Beside i would recommend to use Central for Notification and Backups, this looks odd to me. You are using the Smarthost option i guess, not the MTA (own SMTP service). This service should consider the SD-WAN PBR table. What you can do: 

    Perform a conntrack -E | grep 465  

    Then send a Email (test?) to the gateway. 

    There should be some entries. In those entries you see a pbrid_dir0=0 pbrid_dir1=0  Both entries shows the selected PBR routes. 

    __________________________________________________________________________________________________________________

Unfiltered HTML