SD-WAN Connection Groups

You can configure a VPN orchestrated SD-WAN network.

To configure your VPN orchestrated SD-WAN network, you create SD-WAN connection groups. Before you create your connection groups, you need to know the following:

  • You must choose firewalls with a Central Orchestration license and running Sophos Firewall 18.5 MR1 or later.
  • Firewalls that are in an SD-WAN connection group can't be used in other connection groups.
  • To create a connection group, you need to choose at least two firewalls.

You can create and manage your connection groups in SD-WAN Connection Groups.

This page shows any changes you make to your connection groups. The details of any configuration changes for the firewalls in your groups are shown in Tasks Queue. See Tasks queue.

Create a connection group

To create a group, do as follows:

  1. Go to Firewall Management > SD-WAN Connection Groups.
    SD-WAN Connection Groups menu
  2. Click Create Connection Group.

    This opens the SD-WAN Connection Group creation assistant. The assistant takes you through creating a group.

    Create Connection group
  3. First, you select your firewalls. To do this, do as follows:
    1. Enter a name for the group.
    2. (Optional) Enter a description.
    3. Choose at least two firewalls.
    New SD-WAN Connection Group
  4. Click Next.
  5. Next, you add your resources. You can add multiple resources. You can also review any resources that you added earlier. To add resources, do as follows:
    1. Select the firewall with the resource that you want to share across the group.
    2. Enter the IP address or network range of the resource you want to share.
    3. Choose the service type and options.
    4. Turn on Automatically create firewall rules, if required.
    5. Turn on Limit access to authenticated users, if required.
    6. Turn on Configure Synchronized Security Heartbeat and set your options.

      For example, you can set Minimum Source HB permitted to GREEN and turn on Block clients with no heartbeat.

    7. Click Save to add the resource.
      SD-WAN Resources
    8. Click Next.
      We check your chosen configuration for any network conflicts. The table shows any network conflicts.
    Firewalls with network conflicts
  6. You need to fix any conflicts. Click Fix Conflict and try one of the following methods:
    • Turn the subnet on or off.
    • Attach a new NAT address to an existing subnet.
    • Attach a custom network to the firewall. Click Add Network to do this.
    • Choose a WAN link.
    • Choose a backup gateway.
    • Change the XFRM IP addresses.
    • Override a gateway address.

    For example, you can fix a name conflict by renaming. Or you can fix subnet conflicts by choosing NAT. Or you can override the gateway address to fix a conflict, as shown in the following image.

    Example of overriding a gateway address to fix a conflict
    Note: If there is a network conflict for a resource-sharing firewall, you may need to choose different configurations for your subnets. You need to do this in Sophos Firewall. Or you can choose not to use the conflicting subnet in the group, in Sophos Central.
  7. After you've resolved your conflicts, click Save.

    This creates your group with your chosen firewalls. You can also see their status. The following image shows an example of a connection group.

    Example SD-WAN connection group
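
Before you start the assistant, you can check a planned group against the prerequisites and look for subnet overlaps yourself. The following script is an added example, not Sophos code and not part of the product. The inventory is constructed, the field names are hypothetical, 18.5 MR1 is represented as the tuple (18, 5, 1), and a network conflict is assumed to mean overlapping subnets.

```python
import ipaddress
from itertools import combinations

MIN_VERSION = (18, 5, 1)  # assumed encoding of Sophos Firewall 18.5 MR1

# Constructed inventory; field names and version tuples are assumptions.
FIREWALLS = [
    {"name": "hq-fw", "version": (19, 0, 0), "licensed": True, "group": None,
     "subnets": ["10.10.0.0/16", "192.168.1.0/24"]},
    {"name": "branch-a", "version": (18, 5, 1), "licensed": True, "group": None,
     "subnets": ["192.168.1.0/24", "172.16.5.0/24"]},
    {"name": "branch-b", "version": (18, 0, 5), "licensed": True, "group": None,
     "subnets": ["10.10.20.0/24"]},
    {"name": "branch-c", "version": (19, 5, 0), "licensed": False, "group": "emea",
     "subnets": ["172.16.9.0/24"]},
]

def eligibility_problems(fw):
    """Return the prerequisite failures for one firewall (empty list = eligible)."""
    problems = []
    if not fw["licensed"]:
        problems.append("no Central Orchestration license")
    if fw["version"] < MIN_VERSION:
        problems.append("firmware older than 18.5 MR1")
    if fw["group"] is not None:
        problems.append(f"already in connection group {fw['group']!r}")
    return problems

def subnet_conflicts(firewalls):
    """Return (fw_a, net_a, fw_b, net_b) for each overlapping subnet pair across firewalls."""
    conflicts = []
    for a, b in combinations(firewalls, 2):
        for net_a in map(ipaddress.ip_network, a["subnets"]):
            for net_b in map(ipaddress.ip_network, b["subnets"]):
                if net_a.overlaps(net_b):
                    conflicts.append((a["name"], str(net_a), b["name"], str(net_b)))
    return conflicts

def preflight(firewalls):
    """Split candidates into eligible and rejected, then list overlaps among the eligible."""
    rejected = {fw["name"]: p for fw in firewalls if (p := eligibility_problems(fw))}
    eligible = [fw for fw in firewalls if fw["name"] not in rejected]
    return {"eligible": [fw["name"] for fw in eligible], "rejected": rejected,
            "enough_firewalls": len(eligible) >= 2,
            "conflicts": subnet_conflicts(eligible)}

if __name__ == "__main__":
    print(preflight(FIREWALLS))
```

Each overlap the script reports is a subnet you can expect to resolve in the Fix Conflict step, for example by choosing NAT or by leaving the subnet out of the group.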

Edit a connection group

To edit a connection group, do as follows:

  1. Go to Firewall Management > SD-WAN Connection Groups.
  2. Click the name of the group you want to change.
  3. Use the SD-WAN Connection Group creation assistant to make your changes.

    For example, you can change your resources or delete them.

  4. Click Save.

Delete a connection group

To delete a connection group, do as follows:

  1. Go to Firewall Management > SD-WAN Connection Groups.
  2. Click the group you want to delete and click the delete icon at the end of the row for the group.
    SD-WAN connection group deletion