Is there any news if there will be FQDN support for SD-WAN probe?

This would allow to always use the best Gateway through SLA for each route/application.

Hi Prism,

Thank you for reaching out to Sophos Community.

Will further check your feedback with our Internal Team. Thank you

Hey  Prism  ,

Thank you for reaching out to the community, For Monitoring condition a IP address can only be added. 
FQDN is currently a FR !

Thanks for answering!

Since FQDN's support are a feature request, then what's the current best practice to monitor a service or application SLA with SD-WAN probes?

As example: Outlook, Microsoft Teams, Gmail or some other web site that doesn't have a static IPv4.

In general, you are trying to cover an additional use case, which is currently "not practical to do". As of today, Profiles are being used to monitor the "general availability of the link". This means, it is not aware of the application behind it. This will likely resolve most of the cases and work fine for most services. 

You want to build a service aware monitoring, which could potentially detect an outage. For example, SD-WAN Monitoring for Teams, so if Teams fails via one link, it could potentially failover. The point is, the situation, one service is "slow" or not available via one link and not the other are quite rare. Just some example: geo blocking, IP blacklisting, major ISP outage for a certain service(s). 

In general, if you start to monitor for example simply Google DNS on Port53, you would have a general knowledge about the current situation of the Link - You will not see, if the service Teams fails. But in most cases, the Service Teams will fail for every other peer as well (ISP2 etc.). Or if the ISP has a problem, the general monitoring of Google DNS will reflect this one. 

Long story short, there are plans to build a service to do this, but it is "not that important from my point of view" - as you will reflect the majority of cases with the general monitoring of the interface with one peer. 

LuCar Toni said:

Or if the ISP has a problem, the general monitoring of Google DNS will reflect this one. 

That's the theory, the reality is different.

I have two routes that send all OneDrive traffic (FQDN + App based) to WAN-1, the same WAN-1 yesterday had severe issues with OneDrive, such as high latency and packet loss.

While looking at the SD-WAN Profile which is monitoring 8.8.8.8 and 1.1.1.1 it showed no packet loss or latency increase for WAN-1.

What happened is, the ISP has having issues with mostly Microsoft traffic, but since there's no way to build a probe with FQDN, the Firewall kept sending OneDrive traffic to WAN-1 instead of changing to the secondary WAN that had no issues with It.

If Sophos Firewall had support for FQDN for probes, then this issue wouldn't exist in the first place, as the user would be able to build rules and profiles to get around it. Or use the lowest latency - best SLA for each service.

But in the end, this means, you have to create manually X Amount of profiles per Application. That is not a smart way to do. Sure - For your example, this works, but in the end a manual probing for X amount of Application is not applicable. 

And maybe i am wrong, but for my country, a ISP outage for a certain service is quite uncommon. How do you know, the other ISP did not have the same problem? 

LuCar Toni said:

How do you know, the other ISP did not have the same problem? 

I've created a separate route and monitored the traffic when the issue appeared.

This is quite common in my country, different ISP's can have drastic differences over the same service, ASN or IX.

LuCar Toni said:

That is not a smart way to do. Sure - For your example, this works, but in the end a manual probing for X amount of Application is not applicable. 

This is indeed not a smart way to do, but it's a workaround until SD-WAN receives better capabilities.

Also, thank you for answering!