Some confusion about the new sdwan routing feature...

Question

Hi, 
 first of all, the migration from 17.5 to 18EAP1 works great. The complete system runs like before, but... 
 I got a lot of firewall rules, because i'm still testing SFOS for my UTM Customers at my site. After migration there are a lot of new NAT and SDWAN Routing rules linked with the original firewall rules, but i can't go from SDWAN-Rule to the corresponding FW-Rule and vice-versa. 
 1. Please make a "usable" (clickable) link, to reach the corresponding rules (FW, NAT, SDWAN). You call it linked rule, so it should be linked. 
 2. The migrated SDWAN Rules have all activated "Override gateway monitoring decision", wich means, if the primary gateway is down, all traffic will be lost in a blackhole. Don't do this please! 
 3. SFOS is a zone-based firewall. On all SDWAN Routes i have to choose a incoming Interface. If a want all "ssh+webadmin" traffic to go over my static ip, i had to add a sdwan route for every incoming interface. I have customers with more than 30 VLAN Interfaces + 40 Red's, so i need 70 SDWAN Rules? Your kidding! 
 4. What about the proxy traffic (system generated traffic)? Wich incoming interface should i use? 
 And, by the way: 
 5. I miss the "internet" object for selecting the traffic not in the routing table. 
 6. I need to disable/enable interfaces without deleting it. 
 7. Working with interfaces is a pain! On UTM i could move the interface configuration from 1GbE Port to 10GbE or LAG or make a VLAN interface. All only with a small downtime. 
 Most of my (UTM) customers have more than one internet connection and a lot of internal interfaces (lag, br, vlan etc.) Interface handling and routing is still not on UTM level. 
 
 Have a nice day! 
 
 Christian 
 (UTM + XG Architect, UTM Support Engineer)

Bjoern Freiherr · Answer

Christian, 
 I support most of your concerns regarding SFOS v18! I'm glad to see you're facing similar issues, and hope that most of them will be resolved by the time we have v18 GA. 
 1. Great suggestion! 
 2. You probably noticed that those migrated SDWAN rules are supposed to be temporary for the upgrade path, but nothing you can actually create yourself later on. I started converting all of them into actual SDWAN rules and then deleting the migrated ones as they're bound to the firewall rules directly. BUT this also leads to the issue you described in 3. 
 3. I agree that the selectors are not sufficient! I also have an outbound rule for managing my clients remotely, using my static IP uplink rather than the dynamic one which is default for everything else. I actually used "United States" as the destination network which sort of does what you want in 5. ... unless your destinations are all over the world. All of the fields in SD WAN rules are not required. So you can leave the interface and the source network blank to apply to all traffic. BUT this also creates a HUGE risk of messing up the entire firewall to the point of being unusable and not even letting you manage it. I did this yesterday: 
 My goal was to force all regular traffic out the dynamic ISP interface so the firewall doesn't do any round-robin stuff with the 2nd interface that I just use for certain traffic via a static IP. I create a rule with no selectors, then choose the gateway I want. [:'(] BAD BAD BAD! That means even firewall generated traffic is included and EVERYTHING is routed out that gateway. Couldn't even manage the XG anymore. Had to console in, make a static route from advanced shell, change routing priority to get back in and delete the rule. What a pain! There's no SDWAN route management in the console of the XG! 
 4. Good question, i don't think there's a way to select this with the current setup 
 5. Agreed! How do we select internet traffic that's bound to an uplink interface? 
 6. Agreed! Long needed simple feature. Any other network device lets you enable and disable ports. 
 7. Agreed! we need to be able to just change the hardware interface for an existing interface configuration. That also goes for Bridge interfaces. I want to be able to remove a bridge by just unchecking all interfaces but one and have it put the config on that one remaining physical NIC. 
 
 Here are some of my other questions / concerns: 
 1. It might be useful to have some sort of check / requirements on SDWAN route selectors because it's too easy to break the entire firewall. 
 2. SDWAN routes need to be added to the console menu or command line so things can be configured or at least enabled/disable from there. 
 3. I'd like to see a clear guide of how the XG makes it's packet forwarding decision. What order do all these new things get applied in. I mean, I mostly get it, but others will likely not as the entire concept has been changed over previous versions. This includes: firewall rule, NAT rule, SD WAN policy, VPN routes, static routes, Gateway routes. 
 4. I also saw somewhere that you can do route based VPNs now? I don't really see any options for this. Wouldn't that require a tunnel interface that can be defined on each VPN? Maybe it's not part of the EAP yet...