XGS 3300 wrong Gateway

Can you ping me the support access ID of this firewall? 

Hi LuCar Toni ,

We found the problem it's in the PGB config, we have filter rules in place, mandatory from the provider, that causing this problem.

We are in the proces of finding out what to do with the provider.

But you're welcome to have a look.

I'll PM you the SA ID and the case ID.

But you find the origin of the Default Route? 

Yes it's in the BGP route tabel:

Current configuration:

!

frr version 8.4.2

frr defaults traditional

!

hostname bgp

log stdout

!

!

!

router bgp 4200030937

bgp router-id x.x.x.x

bgp log-neighbor-changes

no bgp ebgp-requires-policy

no bgp hard-administrative-reset

no bgp graceful-restart notification

neighbor x.x.x.x remote-as 4200030921

neighbor x.x.x.x remote-as 4200030923

!

address-family ipv4 unicast

  network x.x.x.x/29

  neighbor y.y.y.y prefix-list aoa-import in

  neighbor y.y.y.y prefix-list aoa-export out

  neighbor z.z.z.z prefix-list aoa-import in

  neighbor z.z.z.z prefix-list aoa-export out

exit-address-family

!

exit

!

ip prefix-list aoa-import seq 10 permit 0.0.0.0/0

ip prefix-list aoa-import seq 20 deny 0.0.0.0/0 le 32

ip prefix-list aoa-export seq 10 permit x.x.x.x/29

ip prefix-list aoa-export seq 20 deny 0.0.0.0/0 le 32

!

!

!

line vty

no login

exit

!

If i remove the filter list the BGP breaks down. Not sure wat to do. 

Hi LuCar Toni ,

Is there anything you can recommend?

So basically, BGP is a static route in principle of routing stack.  Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR If you generate a SD-WAN Route, it will not hit, as your routing precedance is: static - sd-wan. 
That means, the default route from BGP will be always applied. 

You can change it to SD-wan - static, but then the SD-WAN to WAN route will always hit.  

You should be very careful about the usage of SD-WAN Routes with Destination Network ANY.

ANY means, it will be applied to ANY packet. You can also influence internal network traffic. I would rather recommend to move from ANY to Internetv4. 

So basically, BGP is a static route in principle of routing stack.  Sophos Firewall: Routing in Sophos Firewall with SD-WAN PBR If you generate a SD-WAN Route, it will not hit, as your routing precedance is: static - sd-wan. 
That means, the default route from BGP will be always applied. 

You can change it to SD-wan - static, but then the SD-WAN to WAN route will always hit.  

You should be very careful about the usage of SD-WAN Routes with Destination Network ANY.

ANY means, it will be applied to ANY packet. You can also influence internal network traffic. I would rather recommend to move from ANY to Internetv4. 

Hi LuCar Toni ,

I understand about internetV4 addresses, but can you recommend what to change on the BGP config? I want static to go first.

Cen you tel me how the default route is now configured and be changed?

The Default route is being pushed by your BGP. So you have to talk to your ISP to ask him about this one. But overall, what is your goal? Because this is quite common to push a default route. 

The goal is to have two routes, 1 on the BGP and one over the third isp.

Then create another static route to your third ISP. With metric, you can control when it should be used.

Keep in mind, you cannot load balancing with this way in any form. 

Hi LuCar Toni ,

Sophos Support want's me to change the Route preference to SD-WAN - STATIC, and then it should work. But I know I'm getting in to trouble that way with the any-any rules so I will change them to InternetV4 address groups and then schedule some off time to implement this.

As said: 

You have two different routing tables. The RFC World aka static routing. Static routing is bgp included.
If the static route gets a 0.0.0.0 Route, it will be used for everything. You can only "overwrite" it by using static routing with a lower metric, but then your BGP will never be used. 
static routing does not have any kind of "load balancing" between different interfaces. It is very - Static. 

SD-WAN gives you more freedom. But you should have internet-v4 destination routes, otherwise it will be used for "everything" - as you defined ANY.