Last update: 2022-03-11

Migrated SD-WAN policy routes

These route settings are migrated from versions earlier than SFOS 18.0, in which firewall rules contained route settings.

You can change the route name, primary and backup gateways, and the gateway monitoring decision.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 Migrated SD-WAN policy route and click Add.
  2. Enter a name.
  3. The firewall rule ID and name identify the rule that the route migrated from. Select the tooltip to see the rule’s source, destination, service, and action settings.


    If your route precedence specifies SD-WAN policy routes before static routes and you set Destination networks to Any, Sophos Firewall applies the policy route to all (external and internal) traffic, forcing your internal sources to use the WAN gateway for internal destinations.

    This is likely to occur if you migrated from an earlier version to 18.0 or changed the default route precedence. To see the route precedence, go to the command-line interface and use the following command:

    console> system route_precedence show

    If you want the internal traffic (for example, internal hosts accessing internal devices and servers) to reach the internal network directly, set the routing precedence with static routing before SD-WAN policy routing on the command-line interface.

    Example: console> system route_precedence set static sdwan_policyroute vpn

  4. The gateway specified in the firewall rule becomes the primary gateway.

    If you delete the selected gateway, Sophos Firewall will delete the policy route and implement WAN link load balance to route traffic.

    If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, Sophos Firewall routes new connections through it. Existing connections continue to use the backup gateway.

  5. If you specified Backup gateway in the firewall rule, this gateway is used here.

    If you delete the selected gateway, Sophos Firewall sets the backup gateway to None.

  6. Override gateway monitoring decision is selected during migration to replicate the behavior of the routes in the original firewall rules.

    Click Save.
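The route-precedence caveat in step 3, as an added example (a simplified first-match model written for this page, not Sophos code and not the firewall's actual lookup): it shows how a migrated policy route with Destination networks set to Any captures internal-to-internal traffic when SD-WAN policy routes precede static routes. The subnets, gateway names, and route name are constructed; only the precedence keywords `static`, `sdwan_policyroute`, and `vpn` come from the command above.

```python
import ipaddress

# Constructed sample data: subnets, gateway names and the route name are hypothetical.
STATIC_ROUTES = [("10.10.20.0/24", "lan-core")]  # internal server subnet
POLICY_ROUTES = [{"name": "migrated_rule_5", "source": "10.10.10.0/24",
                  "destination": "any", "gateway": "wan-gw1"}]

def covers(network, ip):
    """True if ip falls inside network; 'any' matches every address."""
    return network == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(network)

def match_static(dst):
    """Longest-prefix match over the static routes."""
    hits = [(ipaddress.ip_network(n).prefixlen, gw) for n, gw in STATIC_ROUTES if covers(n, dst)]
    return max(hits)[1] if hits else None

def match_policy(src, dst):
    """First policy route whose source and destination both match."""
    for route in POLICY_ROUTES:
        if covers(route["source"], src) and covers(route["destination"], dst):
            return route["gateway"]
    return None

def select_gateway(precedence, src, dst):
    """Walk the route types in precedence order; the first match wins."""
    for kind in precedence:
        if kind == "static":
            gw = match_static(dst)
        elif kind == "sdwan_policyroute":
            gw = match_policy(src, dst)
        else:
            gw = None  # "vpn": no VPN routes in this sample
        if gw:
            return kind, gw
    return "default", "wan-load-balance"

def misrouted(precedence, flows):
    """Internal-to-internal flows that would leave through a WAN gateway."""
    return [f for f in flows if select_gateway(precedence, *f)[1].startswith("wan")]

if __name__ == "__main__":
    internal = [("10.10.10.5", "10.10.20.8")]
    for order in (["sdwan_policyroute", "vpn", "static"], ["static", "sdwan_policyroute", "vpn"]):
        print(order, "->", misrouted(order, internal))
```

With static routing first, the internal flow stays on the internal gateway while internet-bound traffic from the same source still follows the policy route.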
