
SD-WAN policy routing

SD-WAN (software-defined wide area networking) policy routing allows you to implement routing decisions based on the policies that you specify.

It lets you override the forwarding decision that the routing table would otherwise make from the destination IP address alone.

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups. You can specify the primary and backup gateways to route the traffic through.

If both gateways are unavailable, Sophos Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing). The default route load-balances traffic among the active WAN links. For more details of active WAN links, go to Network > WAN link manager.

SD-WAN policy routes allow you to specify gateway failover and failback, using a combination of connections, for example, MPLS, VPN, and broadband. You can also route critical applications and bandwidth-sensitive traffic, such as VoIP, through high-speed ISP links.

You can create IPv4 and IPv6 SD-WAN policy routes.

Application routing

SD-WAN policy routing can classify traffic based on applications, enabling you to specify policy routes based on the application type. You can select the primary and backup gateways based on the application objects you selected.

You can create application objects for web applications, micro apps such as Facebook Messenger, Synchronized Security applications (discovered on endpoint devices), custom applications, and application categories based on the classification parameters.

Use cases:

  • Route the individual applications of a web application through different gateways.

    For example, you can route Facebook games through a low-bandwidth ISP link and other Facebook apps through a high-bandwidth link.

  • Route critical applications through high-bandwidth ISP or MPLS links.

    To ensure failover to a specific link, you must specify the primary and backup gateways.

  • Route application traffic based on users.

  • Route application traffic to specific servers or routers.

How to configure application routing:

  1. Go to Applications > Application object. Create an application object based on your business and user priority.
  2. Go to Routing > SD-WAN policy routing.
  3. Under IPv4 SD-WAN policy route or IPv6 SD-WAN policy route, click Add.
  4. Add the application object you created and assign the primary and backup gateways.

How Sophos Firewall implements application routing:

  • For the first connection, Sophos Firewall implements an SD-WAN policy route based on the matching destination port and IP address, protocol, and the inbound interface. If it doesn't find a matching route, it applies the default route (WAN link load balance).
  • The DPI engine identifies the application and caches the classification decision.

    Based on the user's request, another application may take the original application's place within a single connection. For example, users may go to Facebook first and then start Facebook chat. If the change occurs after the original application is identified, the DPI engine makes a new classification decision.

  • The new classification decision applies to subsequent connections of the application traffic.

The time to live (TTL) for application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. When you restart Sophos Firewall, the session details of all application objects are purged. Subsequent connections using the application go through the implementation process listed above.
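The first-connection behaviour and the 3600-second session TTL described above, modelled as an added example (written for this page, not Sophos code). The cache key (destination IP, port, protocol), the AppRouter class and its method names, the application and gateway names, and the TEST-NET addresses 203.0.113.10 and 203.0.113.20 are assumptions; the behaviour it encodes is the page's: the first connection is routed on destination port/IP, protocol and inbound interface only, the DPI engine then classifies and caches the application, the cached decision applies to later connections, an entry lives 3600 seconds from the start of the session and is purged when no new session starts in that time or when the firewall restarts.

```python
"""Model of how an application-based SD-WAN policy route takes effect over
successive connections. Added example, not Sophos code; the cache key,
class and method names, application and gateway names and the TEST-NET
addresses are assumptions. Behaviour modelled (from the page): first
connection routed on L3/L4 criteria only; DPI classifies and caches; the
cached decision applies to subsequent connections; entries live 3600 s from
the start of the session and are purged on idle timeout or restart.
"""
from typing import Callable, Dict, Optional, Tuple

APP_SESSION_TTL = 3600                      # seconds (page value)
Key = Tuple[str, int, str]                  # (dst_ip, dst_port, proto): assumed cache key


class AppRouter:
    def __init__(self, app_gateways: Dict[str, str], l4_lookup: Callable[[Key], str]):
        self.app_gateways = app_gateways    # application object -> gateway
        self.l4_lookup = l4_lookup          # what port/IP/protocol criteria, or the
                                            # default WAN load balance, would choose
        self._cache: Dict[Key, Tuple[str, float]] = {}  # key -> (app, expiry time)

    def _cached_app(self, key: Key, now: float) -> Optional[str]:
        entry = self._cache.get(key)
        if entry is None:
            return None
        app, expiry = entry
        if now >= expiry:                   # no new session within the TTL: purge
            del self._cache[key]
            return None
        return app

    def connect(self, now: float, key: Key, dpi_app: str) -> str:
        """Route one new connection; return the gateway it is sent through.

        dpi_app is what the DPI engine identifies once it has seen enough of
        the flow, so it can only influence *later* connections.
        """
        app = self._cached_app(key, now)
        gateway = self.app_gateways.get(app) if app else None
        if gateway is None:                 # first connection, or app has no route
            gateway = self.l4_lookup(key)
        self._cache[key] = (dpi_app, now + APP_SESSION_TTL)   # TTL runs from session start
        return gateway

    def reclassify(self, now: float, key: Key, new_app: str) -> None:
        """Another app replaces the first one mid-connection (for example chat
        after the main site); the DPI engine issues a new decision."""
        self._cache[key] = (new_app, now + APP_SESSION_TTL)

    def restart(self) -> None:
        self._cache.clear()                 # every application session detail is purged


def demo() -> list:
    """Scripted sequence of connections; returns the gateway used for each."""
    router = AppRouter(
        {"Facebook": "isp-high", "Facebook Games": "isp-low"},
        lambda k: "mpls" if k[1] == 5060 else "wan-lb",   # port-based route, else default
    )
    fb = ("203.0.113.10", 443, "tcp")       # constructed sample flows
    sip = ("203.0.113.20", 5060, "udp")
    used = [
        router.connect(0, fb, "Facebook"),            # unclassified: default path
        router.connect(10, fb, "Facebook"),           # cached app: high-bandwidth link
    ]
    router.reclassify(20, fb, "Facebook Games")
    used.append(router.connect(30, fb, "Facebook Games"))          # low-bandwidth link
    used.append(router.connect(30 + 3599, fb, "Facebook Games"))   # inside the TTL
    used.append(router.connect(3629 + 3600, fb, "Facebook Games")) # TTL expired: default again
    used.append(router.connect(0, sip, "VoIP"))       # no app route: the port rule decides
    router.restart()
    used.append(router.connect(1, fb, "Facebook"))    # cache gone after restart
    return used


if __name__ == "__main__":
    print(demo())
```

The practical point the model makes visible is that an application-based route never applies to the very first connection of a flow, nor to the first connection after an hour of inactivity or a restart; if that first packet must already take a specific link, add a policy route on port, destination or inbound interface as well.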

System-generated traffic and reply packets

You can create policy routes for system-generated traffic and reply packets. On the command-line interface, make sure you turn on routing for each of them individually.

Reply packets: Sophos Firewall enforces symmetric routing on WAN interfaces for reply packets. These packets use the same WAN interface as the original packets.

You can configure asymmetric routing for reply packets on non-WAN interfaces. For example, you can specify an interface other than the original traffic's interface for LAN to DMZ traffic.

System-generated traffic: Select only the destination networks and services because the source interface and network remain unknown. For example, services used by Sophos Firewall flow through different interfaces, depending on the type of service.


System-generated RED traffic on UDP port 3410 is layer 2 traffic. So, SD-WAN routes don't apply to this traffic.

To see the routing status and turn routing on or off for system-generated traffic and reply packets, use the following CLI commands.

Routing option       CLI command
Show routing status  show routing sd-wan-policy-route system-generate-traffic
                     show routing sd-wan-policy-route reply-packet
Turn on routing      set routing sd-wan-policy-route system-generate-traffic enable
                     set routing sd-wan-policy-route reply-packet enable
Turn off routing     set routing sd-wan-policy-route system-generate-traffic disable
                     set routing sd-wan-policy-route reply-packet disable

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static routes, SD-WAN policy routes, then VPN routes. The route types, in the default precedence order, are listed below.

  1. Static routes, which include:
       • Directly connected networks
       • Dynamic routing protocols
       • Unicast routes
       • SSL VPN connections
  2. SD-WAN policy routes
  3. VPN routes (only policy-based IPsec VPNs)
  4. Default route (WAN link manager): fallback route if traffic doesn't match any configured route.

You set the precedence of the first three on the command-line interface. Example:

system route_precedence set static sdwan_policyroute vpn

Routing settings: Internet and internal traffic

To create an SD-WAN policy route for internet traffic, you can set Destination networks to a WAN host or to Any.

If traffic doesn't match any SD-WAN policy route, Sophos Firewall applies the settings specified in the WAN link manager.


If your route precedence specifies SD-WAN policy routes before static routes and you set Destination networks to Any, Sophos Firewall applies the policy route to all (external and internal) traffic, forcing your internal sources to use the WAN gateway for internal destinations.

This is likely to occur if you migrated from an earlier version to 18.0 or changed the default route precedence. To see the route precedence, go to the command-line interface and use the following command:

system route_precedence show

If you want the internal traffic (for example, internal hosts accessing internal devices and servers) to reach the internal network directly, set the routing precedence with static routing before SD-WAN policy routing on the command-line interface.


system route_precedence set static sdwan_policyroute vpn

Now, Sophos Firewall applies the static routes before it applies the SD-WAN policy-based routes. Internal traffic is forwarded directly to the internal destination.


You can see the routing precedence on the command-line interface or the SD-WAN policy routing page on the web admin console.

Policy route actions and gateway status

  • To change the sequence of an SD-WAN policy route, drag and drop the route. Sophos Firewall evaluates policy routes in the order shown until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
  • To turn on or turn off a route, use the Status switch.
  • To edit a route, click the Edit button.

Gateway status:

  • Gateway active icon: The primary or backup gateway is up, and the policy route is live.
  • Gateway down icon: The gateway is down, and the policy route isn't live. Override gateway monitoring is off.
  • Gateway down with override icon: The gateway is down, and override gateway monitoring is on.

Hover over the status icon to view the statuses of the primary and backup gateways and the override gateway monitoring setting.
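To see how route precedence, top-to-bottom policy route evaluation and gateway failover interact, here is an added worked model of route selection (example code written for this page, not Sophos code). The class names, the gateway names isp1, isp2 and mpls, the sample networks 10.0.1.0/24, 10.0.2.0/24, 10.9.0.0/16 and 172.16.0.0/16, and the TEST-NET address 203.0.113.7 are assumptions. The behaviour it encodes is the page's: route tables are consulted in the order set with `system route_precedence`, SD-WAN policy routes are evaluated in sequence until the first match, a matched route uses its primary gateway and fails over to its backup, the remaining policy routes are evaluated when both are down, and traffic matching nothing uses the default route from the WAN link manager. It reproduces the migration pitfall from the previous section (a catch-all route ordered ahead of static routes sends LAN-to-LAN traffic to the WAN gateway) and shows, as a consequence of the same rule, that a catch-all route ordered ahead of VPN routes captures destinations behind a policy-based IPsec tunnel.

```python
"""Model of SD-WAN policy route selection and route precedence. Added
example, not Sophos code; class names, gateway names, networks and the
TEST-NET address are constructed for illustration. Behaviour modelled
(from the page): tables consulted in 'system route_precedence' order;
policy routes evaluated top to bottom, first match wins; primary gateway
then backup; other policy routes when both are down; default route (WAN
link manager load balancing) when nothing matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def in_net(net: str, ip: str) -> bool:
    """'Any' matches every address; otherwise a CIDR membership test."""
    return net == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


@dataclass
class Gateway:
    name: str
    up: bool = True          # as reported by gateway monitoring


@dataclass
class PolicyRoute:
    name: str
    source_net: str          # 'Any' or CIDR
    dest_net: str            # 'Any' or CIDR ('Any' is the usual internet route)
    primary: Gateway
    backup: Optional[Gateway] = None
    enabled: bool = True     # the Status switch

    def matches(self, src: str, dst: str) -> bool:
        return self.enabled and in_net(self.source_net, src) and in_net(self.dest_net, dst)

    def live_gateway(self) -> Optional[Gateway]:
        """Primary first, then backup (failover); None when both are down."""
        for gw in (self.primary, self.backup):
            if gw is not None and gw.up:
                return gw
        return None


@dataclass
class StaticRoute:           # directly connected, unicast, dynamic, SSL VPN
    dest_net: str
    via: str


@dataclass
class VpnRoute:              # policy-based IPsec selectors
    dest_net: str
    tunnel: str


DEFAULT = ("default", "WAN link load balancing")


class Firewall:
    def __init__(self, precedence: List[str], static: List[StaticRoute],
                 policy: List[PolicyRoute], vpn: List[VpnRoute]):
        self.precedence = precedence   # e.g. ["static", "sdwan_policyroute", "vpn"]
        self.static, self.policy, self.vpn = static, policy, vpn

    def _static(self, dst: str) -> Optional[Tuple[str, str]]:
        for r in self.static:
            if in_net(r.dest_net, dst):
                return ("static", r.via)
        return None

    def _sdwan(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        for r in self.policy:                      # top to bottom, first match wins...
            if r.matches(src, dst):
                gw = r.live_gateway()
                if gw is not None:
                    return ("sdwan", f"{r.name}->{gw.name}")
                # ...unless both of its gateways are down: keep evaluating
        return None

    def _vpn(self, dst: str) -> Optional[Tuple[str, str]]:
        for r in self.vpn:
            if in_net(r.dest_net, dst):
                return ("vpn", r.tunnel)
        return None

    def route(self, src: str, dst: str) -> Tuple[str, str]:
        lookups = {"static": lambda: self._static(dst),
                   "sdwan_policyroute": lambda: self._sdwan(src, dst),
                   "vpn": lambda: self._vpn(dst)}
        for table in self.precedence:
            hit = lookups[table]()
            if hit is not None:
                return hit
        return DEFAULT                             # nothing matched: WAN link manager


def build(precedence: List[str], isp1_up: bool = True, isp2_up: bool = True) -> Firewall:
    """Constructed sample: two LAN segments, MPLS to HQ, two ISP links, one IPsec tunnel."""
    isp1, isp2, mpls = Gateway("isp1", isp1_up), Gateway("isp2", isp2_up), Gateway("mpls")
    static = [StaticRoute("10.0.1.0/24", "Port1"), StaticRoute("10.0.2.0/24", "Port2")]
    policy = [PolicyRoute("hq-voip", "10.0.1.0/24", "10.9.0.0/16", mpls, isp1),  # critical app
              PolicyRoute("internet", "Any", "Any", isp1, isp2)]                  # catch-all
    vpn = [VpnRoute("172.16.0.0/16", "ipsec-partner")]
    return Firewall(precedence, static, policy, vpn)


if __name__ == "__main__":
    for order in (["sdwan_policyroute", "vpn", "static"], ["static", "sdwan_policyroute", "vpn"]):
        print(order, "LAN->LAN:", build(order).route("10.0.1.5", "10.0.2.10"))
```

Running the module prints the LAN-to-LAN decision under the pre-18.0 order (policy route first, so 10.0.1.5 to 10.0.2.10 leaves via isp1) and under the 18.0 default (static first, so it is delivered on Port2). The real commands that correspond to the `precedence` list are `system route_precedence show` and `system route_precedence set ...` from this page.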

Migrated IPv4 and IPv6 policy routes

In SFOS 18.0 and later versions, you need to specify routing policies in SD-WAN policy routing. Firewall rules no longer include routing settings. When you migrate from an earlier version, Sophos Firewall migrates the routing settings in firewall rules as Migrated SD-WAN policy routes. You can see them in the SD-WAN policy routing table. You can identify these migrated policy routes by the firewall rule ID and name.

To turn routing on or off for system-generated traffic and reply packets, go to the command-line interface.

Route precedence

During migration, Sophos Firewall retains the routing precedence you specified in the previous version. The default routing precedence in versions earlier than 18.0 is SD-WAN policy routes, VPN routes, then static routes.


Because routing is not linked to firewall rules in 18.0, migrated policy routes with Destination networks set to a WAN host or Any also apply to internal traffic, routing this traffic through the WAN gateway.

To allow internal traffic to directly reach internal destinations, go to the command-line interface and set the routing precedence with static routing before SD-WAN policy routing.


To take advantage of the SD-WAN policy route benefits, such as creating routing policies based on application objects, users, and groups, we recommend creating SD-WAN policy routes to replace the migrated routes.

The following rules apply to migrated routes:

  • Sophos Firewall automatically prefixes the firewall rule ID to the policy route name.
  • Sophos Firewall uses the firewall rule ID to match traffic with migrated routes.
  • Zones are not part of SD-WAN policy route settings. When more than one firewall rule specifies the same source and destination networks, but different zones, individual policy routes that correspond to the firewall rules are created.
  • You can't change the sequence of migrated policy routes since they correspond to the firewall rule sequence.
  • If you delete the firewall rule, the migrated policy route is deleted.
  • You can edit only the gateways and the gateway monitoring decision.


Make sure you take a backup of the current configuration before deleting the migrated policy routes.
