
Sophos Firewall: How to prioritize the traffic via SD-WAN for the applications

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

With the introduction of SD-WAN policy routes, you can prioritize traffic for applications such as Teams, Zoom, Google Meet, etc. You can also follow the KBA How to Choose the Gateway for A Firewall Rule. Here we'll learn how to configure an SD-WAN policy route for applications.

SD-WAN Application Object configurations

Step 1: Add a new Application Object

Go to CONFIGURE > Routing > SD-WAN policy routes > IPv4 SD-WAN policy route > Add
Under PROTECT > Applications > Application Object > Add > Input Object Name

Here, you can either filter by the category you want to allow or select specific applications with the help of a smart filter. Kindly refer to the screenshots below:

Category

Smart Filter


Step 2: Choosing a Gateway

You can specify the desired local network under the source network. You can also specify explicit services under the services section. Under the Routing section, you can set the desired gateway from the available WAN links. Kindly see the KB How to Choose the Gateway for A Firewall Rule.




Step 3: SD-WAN Policy Routing

Go to CONFIGURE > Routing > SD-WAN policy routing; here you'll be able to see the route precedence.
By default, the precedence is set to static, SD-WAN, and then VPN routes.



Step 4: Show Route Precedence

On the CLI, select option 4. Device Console.

  • To check the route precedence:
    # system route_precedence show
  • To change the precedence so that SD-WAN policy routes are evaluated first:
    # system route_precedence set sdwan_policyroute static vpn

How to Choose the Gateway for A Firewall Rule

I hope this article has helped you achieve your requirements!




[edited by: Raphael Alganes at 7:49 AM (GMT -7) on 17 Sep 2024]
  • Is there any news if there will be FQDN support for SD-WAN probe?

    This would allow to always use the best Gateway through SLA for each route/application.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Hey,

    Thank you for reaching out to the community. For the Monitoring condition, only an IP address can be added.
    FQDN is currently an FR!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

    Log a Support Case | Sophos Service Guide
    Best Practices – Support Case  | Security Advisories 
    Compare Sophos next-gen Firewall | Fortune Favors the prepared
    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for answering!

    Since FQDN support is a feature request, what's the current best practice to monitor a service or application SLA with SD-WAN probes?

    As example: Outlook, Microsoft Teams, Gmail or some other web site that doesn't have a static IPv4.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • In general, you are trying to cover an additional use case, which is currently "not practical to do". As of today, Profiles are being used to monitor the "general availability of the link". This means, it is not aware of the application behind it. This will likely resolve most of the cases and work fine for most services. 

    You want to build service-aware monitoring, which could potentially detect an outage. For example, SD-WAN Monitoring for Teams, so if Teams fails via one link, it could potentially fail over. The point is, the situation where one service is "slow" or not available via one link and not the other is quite rare. Just some examples: geo blocking, IP blacklisting, major ISP outage for a certain service(s). 

    In general, if you start to monitor, for example, simply Google DNS on port 53, you would have general knowledge about the current situation of the link. You will not see if the service Teams fails. But in most cases, the service Teams will fail for every other peer as well (ISP2 etc.). Or if the ISP has a problem, the general monitoring of Google DNS will reflect this one. 

    Long story short, there are plans to build a service to do this, but it is "not that important from my point of view" - as you will reflect the majority of cases with the general monitoring of the interface with one peer. 

    __________________________________________________________________________________________________________________


  • Or if the ISP has a problem, the general monitoring of Google DNS will reflect this one. 

    That's the theory, the reality is different.

    I have two routes that send all OneDrive traffic (FQDN + App based) to WAN-1, the same WAN-1 yesterday had severe issues with OneDrive, such as high latency and packet loss.

    While looking at the SD-WAN Profile which is monitoring 8.8.8.8 and 1.1.1.1 it showed no packet loss or latency increase for WAN-1.

    What happened is, the ISP was having issues with mostly Microsoft traffic, but since there's no way to build a probe with an FQDN, the Firewall kept sending OneDrive traffic to WAN-1 instead of changing to the secondary WAN that had no issues with it.

    If Sophos Firewall had support for FQDN for probes, then this issue wouldn't exist in the first place, as the user would be able to build rules and profiles to get around it. Or use the lowest latency - best SLA for each service.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home
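The scenario in this reply (a link-level probe to public resolvers that stays green while one service over the same link degrades) can be reasoned about with a small SLA evaluator. The following Python is an added example, not Sophos Firewall code and not something posted in the thread; the link names, probe samples and SLA thresholds are constructed for illustration, and the "service-level probe" is a hypothetical TCP/443 probe towards the addresses a service FQDN resolved to:

```python
"""Per-link SLA evaluation over probe samples.

Added illustration for the thread above, not Sophos Firewall code.
It shows why a link-level probe (public resolvers) and a service-level
probe (the addresses a service FQDN resolves to) can disagree on which
WAN link should carry a given service.  All samples are constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Sla:
    """Thresholds a link must meet to be eligible for a service."""
    max_loss_pct: float
    max_p95_latency_ms: float


# A probe sample is a round-trip time in ms, or None when the probe was lost.
Samples = List[Optional[float]]


def percentile(sorted_values: List[float], pct: float) -> float:
    """Nearest-rank percentile of an ascending list (no interpolation)."""
    if not sorted_values:
        return math.inf
    rank = max(1, math.ceil(pct / 100.0 * len(sorted_values)))
    return sorted_values[rank - 1]


def summarize(samples: Samples):
    """Return (loss percentage, p95 latency in ms) for one link/target."""
    if not samples:
        raise ValueError("no probe samples")
    rtts = sorted(s for s in samples if s is not None)
    loss_pct = 100.0 * (len(samples) - len(rtts)) / len(samples)
    return loss_pct, percentile(rtts, 95)


def meets_sla(samples: Samples, sla: Sla) -> bool:
    """True when both loss and p95 latency are within the SLA."""
    loss_pct, p95 = summarize(samples)
    return loss_pct <= sla.max_loss_pct and p95 <= sla.max_p95_latency_ms


def best_link(probes: Dict[str, Samples], sla: Sla) -> Optional[str]:
    """Pick the SLA-compliant link with the lowest p95 latency, or None."""
    eligible = [(summarize(s)[1], link) for link, s in probes.items()
                if meets_sla(s, sla)]
    return min(eligible)[1] if eligible else None


# Constructed data (20 probes per link). GENERIC_PROBE mimics an SD-WAN
# profile that pings public resolvers; SERVICE_PROBE mimics a hypothetical
# TCP/443 probe towards the addresses one service's FQDN resolved to.
GENERIC_PROBE: Dict[str, Samples] = {
    "WAN-1": [12.0] * 20,
    "WAN-2": [18.0] * 20,
}
SERVICE_PROBE: Dict[str, Samples] = {
    "WAN-1": [45.0, None, 210.0, None, 180.0, None, 60.0, 250.0, None, 90.0,
              None, 230.0, 70.0, None, 200.0, 80.0, None, 220.0, 100.0, None],
    "WAN-2": [30.0] * 20,
}
SLA = Sla(max_loss_pct=5.0, max_p95_latency_ms=150.0)


def decisions() -> Dict[str, Optional[str]]:
    """Link choice under each probe type for the constructed data."""
    return {
        "link_level": best_link(GENERIC_PROBE, SLA),
        "service_level": best_link(SERVICE_PROBE, SLA),
    }


if __name__ == "__main__":
    for name, probes in (("generic", GENERIC_PROBE), ("service", SERVICE_PROBE)):
        for link, samples in probes.items():
            loss, p95 = summarize(samples)
            print(f"{name:8} {link}: loss {loss:5.1f}%  p95 {p95:6.1f} ms  "
                  f"SLA {'ok' if meets_sla(samples, SLA) else 'FAIL'}")
    print(decisions())
```

With the constructed samples the link-level probe keeps WAN-1 as the preferred link (lower latency, no loss), while the service-level probe sees 40% loss on WAN-1 and selects WAN-2, which is the behaviour the reply wanted from an FQDN-capable probe.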

  • But in the end, this means you have to manually create X amount of profiles per application. That is not a smart way to do. Sure - for your example, this works, but in the end a manual probing for X amount of applications is not applicable. 

    And maybe I am wrong, but for my country, an ISP outage for a certain service is quite uncommon. How do you know the other ISP did not have the same problem? 

    __________________________________________________________________________________________________________________

  • How do you know, the other ISP did not have the same problem? 

    I've created a separate route and monitored the traffic when the issue appeared.

    This is quite common in my country, different ISP's can have drastic differences over the same service, ASN or IX.

    That is not a smart way to do. Sure - For your example, this works, but in the end a manual probing for X amount of Application is not applicable. 

    This is indeed not a smart way to do, but it's a workaround until SD-WAN receives better capabilities.

    Also, thank you for answering!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home