SD-WAN profiles

You can create SD-WAN profiles on the firewalls in your SD-WAN connection groups in Sophos Central.

You can use SD-WAN profiles to define an SD-WAN routing strategy across gateways in your SD-WAN network. You can route traffic based on the availability or performance of the gateways. This optimizes the performance of your SD-WAN network and adds resilience against ISP disruption.

Note

Sophos Central supports SD-WAN profiles on Sophos Firewall 19.0 and later.

Note

SD-WAN profiles don't work if the XFRM interface's IP address isn't in the /30 subnet. If it isn't, the Migrate option appears next to the firewall. Click it to migrate all IP addresses of the tunnel to the /30 subnet. The IP addresses are assigned from the IP address pools 10.252.0.0/15 and 10.254.0.0/16. Once the migration finishes, a message appears indicating that the migration is complete.

Service level agreement

A Service Level Agreement (SLA) allows you to route traffic based on the performance of the gateways. An SLA includes performance monitoring criteria. The firewall does a health check and selects the best-performing gateway based on the criteria defined in the SLA. You can use one of the following SLAs:

  • Best quality: Selects the best-performing gateway based on the performance monitoring criteria you select (either latency, jitter, or packet loss). For example, if you select latency as the performance monitoring criteria, the firewall selects the gateway with the minimum latency. You can use this SLA for non-critical traffic. This is the default SLA strategy and applies to any firewall you establish a VPN tunnel with.
  • Custom SLA: Selects the best-performing gateway based on the maximum acceptable values you define for latency, jitter, and packet loss. Use this strategy to override the default SLA strategy. This SLA applies to a specific firewall you want to establish a VPN tunnel with.

With the Best quality SLA, the firewall only looks for the best-performing gateway based on one criterion. Custom SLA ensures the firewall selects the gateway that meets the specified performance levels for all criteria.

If no gateway meets the SLA, the firewall routes traffic through the first available gateway.

Create an SD-WAN profile

To create an SD-WAN profile, do as follows:

  1. Go to My Products > Firewall Management > SD-WAN Connection Groups and click the connection group where you want to create an SD-WAN profile.
  2. In the SD-WAN Connection Group creation assistant, go to Configure Networks.
  3. Click Details/Edit for the firewall where you want to create an SD-WAN profile.
  4. On the firewall page, select SD-WAN profile.
  5. Select a backup gateway.

    Sophos Central automatically creates a gateway to establish a VPN tunnel. For the backup gateway, select a gateway that exists in the firewall. The firewall then routes traffic through the first available or best-performing gateway.

  6. Select one of the following routing strategies:

    Restriction

    This option appears on Sophos Firewall 19.5 and later.

    • First available gateway: Use this to route traffic based on the availability of the gateways. The firewall does a health check on all the added gateways in the order you listed and selects the first available gateway.
    • Load balancing: Use this to load-balance traffic among all the added gateways or gateways that meet the SLA. Select a load-balancing method:

      • Round-robin: Use this to load-balance traffic among all gateways in the listed order. For example, if you have three gateways, the firewall sends the first request to the first gateway, the second request to the second gateway, the third request to the third gateway, and the fourth request again to the first gateway.
      • Session persistence type: Use this to maintain the same gateway for the duration of a session based on the persistence type you select (Source IP address, Destination IP address, Source and destination IP addresses, or Connection).
  7. Turn on Service Level Agreement (SLA) and select one of the following performance monitoring criteria:

    • Latency: Selects the gateway with minimum latency.
    • Jitter: Selects the gateway with minimum jitter.
    • Packet loss: Selects the gateway with minimum packet loss.

    If you don't turn on Service Level Agreement (SLA), the firewall routes traffic through the first available gateway.

    SLA settings.

  8. Specify the Health check settings for Default (Any firewall) as follows:

    1. Protocol: Protocol for checking the gateway's status. You can select either Ping or TCP.
    2. Probe target IP address: IP address of a host device (probe target) behind the gateway. You can add two probe targets.

      Sophos Firewall sends requests to host IP addresses behind the gateway. It considers the gateway active if the hosts respond to health check probes.

      Note

      If the IP address of the probe target is a public IP address, you must create a firewall rule allowing traffic from the VPN zone to the WAN zone on the destination firewall.

    3. Port: Port number on which you want to send the health check probes.

    4. (Optional) Custom SLA: Turn on to route traffic through the best-performing gateway based on the custom values you define for the following:

      • Latency: Maximum acceptable latency in milliseconds.
      • Jitter: Maximum acceptable jitter in milliseconds.
      • Packet loss: Maximum acceptable packet loss in percentage points.

      Note

      If you turn on Custom SLA, the firewall overrides the Best quality SLA strategy.

  9. (Optional) Click Add probe target to specify the health check settings for a specific firewall. Do as follows:

    1. In Destination firewall, select the firewall.
    2. Repeat step 8.

    Here's an example:

    Health check settings for a firewall.

  10. Specify the following health check settings:

    1. Interval between checks: Time interval between probes for the health check.
    2. Response time-out: The gateway must respond within this time to be considered active.
    3. Deactivate gateway after: Number of consecutive attempts to probe the gateway's health. Sophos Firewall considers the gateway unreachable if the gateway doesn't respond to these attempts.
    4. Activate gateway after: Number of consecutive responses after which Sophos Firewall can consider a link as active.
    5. Sample size for SLA: Number of probe samples to be collected to determine the average performance of a gateway.
  11. Click Save and click Finish.
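As an added illustration (not Sophos Central or Sophos Firewall code), the following Python models the gateway selection described in the Service level agreement section and in steps 6 to 10 above: a health-state replay driven by Deactivate gateway after and Activate gateway after, metrics averaged over the SLA sample window, Best quality (one criterion), Custom SLA (all thresholds), and the fallback to the first available gateway. The gateway names, probe values and the tie-break rule (first listed gateway among those meeting a Custom SLA) are assumptions.

```python
from statistics import mean

# Constructed probe history per gateway, in the order the gateways are listed.
# Each entry is a round-trip time in ms, or None when the probe got no reply.
GATEWAYS = {
    "gw-isp-a": [40, 42, 41, None, 43, 44],   # fast, but drops one probe
    "gw-isp-b": [60, 61, 60, 62, 61, 60],     # slower, but steady
    "gw-isp-c": [20, 21, None, None, None],   # fastest, but currently down
}

def metrics(samples):
    """Average latency, jitter and packet loss over the SLA sample window."""
    rtts = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(rtts)) / len(samples)
    jitter = mean(abs(a - b) for a, b in zip(rtts, rtts[1:])) if len(rtts) > 1 else 0.0
    return {"latency": mean(rtts) if rtts else float("inf"),
            "jitter": jitter, "packet_loss": loss}

def is_active(samples, deactivate_after=3, activate_after=2):
    """Replay probe results: N consecutive timeouts deactivate the gateway,
    M consecutive replies reactivate it (assumed starting state: active)."""
    active, fails, oks = True, 0, 0
    for s in samples:
        fails, oks = (0, oks + 1) if s is not None else (fails + 1, 0)
        if active and fails >= deactivate_after:
            active = False
        elif not active and oks >= activate_after:
            active = True
    return active

def select_gateway(gateways, sla_on=True, criterion="latency", custom=None, sample_size=5):
    """Pick the gateway the profile would route through, or None if all are down."""
    active = [n for n, s in gateways.items() if is_active(s)]
    if not active:
        return None
    if not sla_on:                      # SLA off: first available gateway
        return active[0]
    stats = {n: metrics(gateways[n][-sample_size:]) for n in active}
    if custom:                          # Custom SLA: every threshold must be met
        meets = [n for n in active if all(stats[n][k] <= v for k, v in custom.items())]
        return meets[0] if meets else active[0]   # none meets it: first available
    return min(active, key=lambda n: stats[n][criterion])   # Best quality: one criterion

if __name__ == "__main__":
    print("best latency:", select_gateway(GATEWAYS, criterion="latency"))
    print("custom SLA:  ", select_gateway(GATEWAYS, custom={"latency": 50, "packet_loss": 10}))
```

With the constructed data the Custom SLA of 50 ms latency and 10 % loss is met by no active gateway, so traffic falls back to the first available one, exactly the case the SLA section describes.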