Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=firewall-SDWAN-group-create

Create an SD-WAN connection group

Before you create a connection group, you need to know the following:

  • You must select firewalls with a Central Orchestration license on SFOS 18.5 MR1 or later.
  • Firewalls that are in an SD-WAN connection group can't be used in other connection groups.
  • You must choose at least two firewalls to create a connection group.

Note

If you create an SD-WAN connection group with shared resources and participating networks, the firewall creates two similar SD-WAN routes. One is for the shared resources and the other for the participating networks.

To create a connection group, do as follows:

  1. Go to My Products > Firewall Management > SD-WAN Connection Groups.

  2. Click Create Connection Group.

    This opens the SD-WAN Connection Group creation assistant. The assistant takes you through creating a group.

    Create Connection group.

  3. First, you select your firewalls. To do this, do as follows:

    1. Enter a name for the group.
    2. Optional: Enter a description.
    3. Choose at least two firewalls.

    Here's an example:

    New SD-WAN Connection Group.

  4. Click Next.

  5. Add your resources. You can add multiple resources. You can also review any resources that you added earlier. To add resources, do as follows:

    1. Select the firewall with the resource that you want to share across the group.
    2. Enter the IP address or network range of the resource you want to share.
    3. Choose the service type and options.
    4. Turn on Automatically create firewall rules, if required.
    5. Turn on Limit access to authenticated users, if required.

    6. Turn on Configure Synchronized Security Heartbeat and set your options.

      For example, you can set Minimum Source HB permitted to GREEN and turn on Block clients with no heartbeat.

    7. Click Save to add the resource.

      Here's an example:

      SD-WAN Resources.

    8. Click Next. We check your chosen configuration for any network conflicts. The table shows any network conflicts.

      Here's an example:

    Firewalls with network conflicts.

  6. You need to fix any conflicts. Click Fix Conflict and try one of the following methods:

    • Turn the subnet on or off.
    • Attach a new NAT address to an existing subnet.
    • Attach a custom network to the firewall. Click Add Network to do this.
    • Choose a WAN link.
    • Choose a backup gateway.
    • Override a gateway address.

    For example, you can fix a name conflict by renaming the resources that show conflicts. Or you can fix subnet conflicts by choosing NAT. Or you can override the gateway address to fix a conflict, as shown in the following image.

    Example of overriding a gateway address to fix a conflict.

    If you select Override a gateway address, you can enter a wildcard (*) address in Public IP or FQDN for selected WAN link if the remote gateway is a responder firewall and runs SFOS 20.0 or later.

    Note

    If there is a network conflict for a resource-sharing firewall, you may need to choose different configurations for your subnets. You do this in Sophos Firewall. Alternatively, in Sophos Central you can choose not to use the conflicting subnet in the group.

  7. After you've resolved your conflicts, click Save.

    This creates your group with your chosen firewalls. You can also see their status. The following image shows an example of a connection group.

    Example SD-WAN connection group.