With the new SD-WAN Policy Based Routing (PBR) feature, the Sophos XG Firewall will be able to do some new things. As this feature could be new to certain people, I wanted to use this post to provide more detail as to what you can expect by using SD-WAN PBR.
I will use PBR as a shortcut for SD-WAN Policy Based Routing. Most content is found in the online help:
Routing in general is a mechanism to find a way/path to a certain destination. For example it is the Google maps of packet flow. If you want to go to your Destination B, starting on Point A, it will give you a path to get to B. There are certain definitions on routing, specified on different RFC´s. RFC1058, RFC1812 etc. I do not want to get into that, as this will be to much, but keep in mind, there are standards about how the path is decided between A and B.
Now lets take a look at Sophos XG Firewall. The decision making process of getting between A to B is made by the Routing stack. XG Firewall has actually 3 different tables to select the route.
Lets say, you have Google maps, Bing maps and Apple maps. Each could have the same or different results of getting you to Destination B. In detail those tables are called SD-WAN PBR, Static and VPN. There is a fallback map just in case all three do not have a result, called Default route.
Static routes include the following:
Set the routing precedence on the command-line interface.
Example: console> system route_precedence set static sdwan_policyroute vpn
SD-WAN policy routes
VPN routes (only policy-based IPsec VPNs)
Default route (WAN link manager)
Fallback route if traffic doesn't match any configured route.
As there are three different tables, you can decide which table should have a higher priority - called Route Precedence. Route precedence will lookup all three tables for a matching route and use the first matching. You can take all three tables together and XG will go from top to bottom until it finds a matching route. If not, it will fall into the default route and uses the default gateway.
Lets get into the interesting part: PBR
Do you need PBR for your setup? Maybe – Maybe not. Depends on your goal and your setup.
SD-Network / SD-WAN has some interesting concepts of using this techniques to resolve issues, which were there for many years. I am not going to deep into those use cases, as this would be to much to write.
Lets get back to the XG Firewall concept. Looking at the Rules in XG, you properly already notice, you can use the object "ANY". Using a "Destination: ANY" could match more than you actually want.
Putting this into place, I would advice to be careful of using ANY Object, if you can avoid this. But sometimes, you cannot avoid using ANY.
There are two switches on CLI for PBR.
System-generated traffic and reply packets
Both switches have different "default configuration". So if you start from V17.5, both are disabled.
Questions? Let me know if I missed something and I will update the thread.
In case of MTA (SMTP), i can recommend this page:
Added: System-generated traffic and reply packets
The SD-WAN still lacks tiles: especially in selecting the best route based on some metrics that can no longer reside on weight, but for example on latency, Jitter, packet loss... which, for example, Fortinet already implements in their SD-WAN.... I would hope to find these features in a future version of SFOS....
Thats still a feature release. watch out for upcoming releases.
Honestly, Sophos is totally delayed in launching these basic SD-WAN features like SLA-Performance. The other manufacturers are already worrying about features much more advanced than those that should be part of their homework when Sophos launched "SD-WAN" The Sophos Customer was simply looking at other manufacturers displaying their diverse SD- WAN while sophos spends months and months to launch improvements to its SD-WAN. it is regrettable.
If I do have two WAN connections and want to nail down some traffic to specific lines, I need to configure the routing precedence to have PBR least priority and will have to configure some "ANY"-Rules (like in the SMTP exmple). But what if I need at the same time some PBR on the LAN side? This will require me to give PBR a priority above "Static" to work. But then the "WAN-Any-Rules" break my internal traffic...
What is the correct configuration to
a) have traffic engineering on multiple WAN lines and
b) have PBR for LAN overwriting static routes
at the *same time*?
Can you explain with an real example?
Example: HQ: XG with 2 WAN lines, L3 routing switch on the LAN side; several satellite gateways connected via VPN and riverbed WAN accelerators
- Some PBR on the WAN inks is required (eg. eMail preferred on one line, web surfing on the other)
- On the LAN side we need source-based routing to route return packet over the riverbeds to avoid asymmetric routing (WAN acceleration doesn't work anymore in that case)
Other Example is during Migrations with several default gateways (old/new firewalls and L3 switch on the LAN). These situation sometimes last several months (migrate a lot of 3rd party VPNs to the new firewall). There is also source-based routing needed to have all packets on the "correct" firewall.
So in both cases I have to decide between WAN link selection works well ("system route_precedence set static sdwan_policyroute vpn" or "system route_precedence set static vpn sdwan_policyroute") or i can have source-based routing on the LAN ("system route_precedence set sdwan_policyroute static vpn" or "system route_precedence set sdwan_policyroute vpn static")
system route_precedence set static sdwan_policyroute vpn is my favorite... you can check this. https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/RoutingSDWANPolicyRouting.html#concept_pms_d3b_5v__q5b_zym_g3b>
But it depends from case to case and there is no standard rule unfortunately ..SD-WAN in theory was designed to make choices on which WAN interface to use based on the type of traffic then the concept was extended ...Static routes (but also dynamic routing protocols) are usually used when not dealing with traffic selection.Therefore everything that I cannot build through the SD-WAN Policy I define using static routes ...In your case, on the other hand, you use PBR to also manage traffic on the LAN, so unfortunately you have to give priority to SD-WAN routes, and then to static routes.Define everything in the static routes, in order to predict the default behavior, and insert the exceptions in the PBRs.For the VPN part it depends on whether the Sophos XG terminates the VPNs or not.If it ends you will have to put the vpn routing table before the static routes.
I realize that it is not easy to make but must be studied