SD-WAN policy routing

SD-WAN (software-defined wide area networking) policy routing allows you to implement routing decisions based on the policies that you specify.

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups. You can specify the primary and backup gateways to route the traffic through.

If both gateways are unavailable, XG Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing). The default route load balances traffic among the active WAN links. For more details of active WAN links, go to Network > WAN link manager.

SD-WAN policy routes allow you to specify gateway failover and failback, using a combination of connections, for example, MPLS, VPN, and broadband. You can also route critical applications and bandwidth-sensitive traffic, such as VoIP, through high-speed ISP links.

You can create IPv4 and IPv6 SD-WAN policy routes.

Application routing

SD-WAN policy routing can classify traffic based on applications, enabling you to specify policy routes based on the application type. You can select the primary and backup gateways based on the application objects you selected.

You can create application objects for web applications, micro apps such as Facebook Messenger, Synchronized Security applications (discovered on endpoint devices), custom applications, and application categories based on the classification parameters.

Use cases:

  • Route the individual applications of a web application through different gateways.

    For example, you can route Facebook games through a low-bandwidth ISP link and other Facebook apps through a high-bandwidth link.

  • Route critical applications through high-bandwidth ISP or MPLS links.

    To ensure failover to a specific link, you must specify the primary and backup gateways.

  • Route application traffic based on users.
  • Route application traffic to specific servers or routers.

How to configure application routing:

  1. Go to Applications > Application object. Create an application object based on your business and user priority.
  2. Add an SD-WAN policy route and assign the primary and backup gateways.

How XG Firewall implements application routing:

  • For the first connection, XG Firewall applies an SD-WAN policy route based on the matching destination port and IP address, protocol, and inbound interface. If it doesn't find a matching route, it applies the default route (WAN link load balancing).
  • The DPI engine identifies the application and caches the classification decision.

    Based on the user's request, another application may take the original application's place within a single connection. For example, users may go to facebook.com first and then start Facebook chat. If the change occurs after the original application is identified, the DPI engine makes a new classification decision.

  • The new classification decision applies to subsequent connections of the application traffic.

The time to live (TTL) for application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. When you restart XG Firewall, the session details of all application objects are purged. Subsequent connections using the application go through the implementation process listed above.
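The following Python model, added here and not Sophos code, walks through the sequence the list above describes: the first connection is routed without an application decision, the DPI engine's classification (including a revised decision made mid-connection) is cached for later connections, and the entry is purged after 3600 seconds without a new session or on a restart. The cache key (destination IP and port), the gateway names, the destination address and the DPI results are constructed assumptions for the example; it also assumes no port/IP-based policy route matches the first connection, so that connection takes the default route.

```python
# Added example (not Sophos code): a simplified model of how an application
# classification decision is cached and reused for later connections, with the
# 3600-second TTL the page states. The cache key, gateway names, destination
# address and DPI results are all constructed for the example.
from typing import Dict, List, Optional, Tuple

APP_SESSION_TTL = 3600  # seconds from the start of the session, per the page
DEFAULT_ROUTE = "default route (WAN link load balancing)"

# Constructed application routes: application object -> primary gateway.
APP_ROUTES: Dict[str, str] = {
    "Facebook": "ISP-A (high bandwidth)",
    "Facebook Messenger": "ISP-B (low bandwidth)",
}

Key = Tuple[str, int]  # assumption: cache keyed on (destination IP, destination port)


class AppRouteCache:
    """Holds the DPI engine's last classification decision per destination."""

    def __init__(self, ttl: int = APP_SESSION_TTL) -> None:
        self.ttl = ttl
        self._entries: Dict[Key, Tuple[str, float]] = {}  # key -> (app, last session start)

    def lookup(self, key: Key, now: float) -> Optional[str]:
        """Return the cached application for a session starting at `now`, or None.

        A session starting within the TTL keeps the entry alive; if no session
        started within the TTL the details are purged.
        """
        entry = self._entries.get(key)
        if entry is None:
            return None
        app, started = entry
        if now - started >= self.ttl:
            del self._entries[key]
            return None
        self._entries[key] = (app, now)  # a new session restarts the TTL window
        return app

    def classify(self, key: Key, app: str, now: float) -> None:
        """Record the DPI engine's (possibly revised) decision."""
        self._entries[key] = (app, now)

    def restart(self) -> None:
        """A firewall restart purges the session details of all application objects."""
        self._entries.clear()


def route_connection(cache: AppRouteCache, dst_ip: str, dst_port: int,
                     apps_seen: List[str], now: float) -> str:
    """Route one connection and update the cache; returns the gateway used.

    apps_seen lists the applications the DPI engine identifies during the
    connection, in order. When another application takes the original one's
    place mid-connection (facebook.com, then Facebook chat), the last decision
    is the one cached for subsequent connections.
    """
    key = (dst_ip, dst_port)
    cached_app = cache.lookup(key, now)
    # The current connection is routed on what was known when it started.
    gateway = APP_ROUTES.get(cached_app, DEFAULT_ROUTE) if cached_app else DEFAULT_ROUTE
    for app in apps_seen:
        cache.classify(key, app, now)
    return gateway


def demo() -> List[str]:
    """Constructed sequence of connections to one destination."""
    cache = AppRouteCache()
    dst = ("203.0.113.10", 443)  # constructed destination
    used = []
    used.append(route_connection(cache, *dst, ["Facebook"], now=0))                            # no cache yet
    used.append(route_connection(cache, *dst, ["Facebook", "Facebook Messenger"], now=10))     # reclassified mid-connection
    used.append(route_connection(cache, *dst, ["Facebook Messenger"], now=20))                 # new decision applies
    used.append(route_connection(cache, *dst, ["Facebook Messenger"], now=20 + APP_SESSION_TTL))  # idle for the TTL: purged
    cache.restart()
    used.append(route_connection(cache, *dst, ["Facebook Messenger"], now=20 + APP_SESSION_TTL + 5))
    return used


if __name__ == "__main__":
    for i, gw in enumerate(demo(), 1):
        print(f"connection {i}: {gw}")
```

The second connection is the instructive one: it is still routed on the original "Facebook" decision, while the Messenger classification made during it only affects the third connection. That is the behaviour to expect when checking why the very first flow of a newly classified application did not take the gateway configured for it.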

System-generated traffic and reply packets

You can create policy routes for system-generated traffic and reply packets. On the command-line interface, make sure you turn on routing for each of them independently.

You can configure asymmetric routing for reply packets, specifying an interface other than the interface used by the original traffic.

For system-generated traffic, select only the destination networks and services because the source interface and network remain unknown. For example, services used by XG Firewall flow through different interfaces, depending on the type of service.

To see the routing status and turn routing on or off for system-generated traffic and reply packets, use the following CLI commands.

Routing option        CLI command

Show routing status   console> show routing sd-wan-policy-route system-generate-traffic
                      console> show routing sd-wan-policy-route reply-packet

Turn on routing       console> set routing sd-wan-policy-route system-generate-traffic enable
                      console> set routing sd-wan-policy-route reply-packet enable

Turn off routing      console> set routing sd-wan-policy-route system-generate-traffic disable
                      console> set routing sd-wan-policy-route reply-packet disable

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static routes, SD-WAN policy routes, then VPN routes. The protocol, network, and route details are shown in the table below.

Routes                                       Routing precedence

Static routes, which include:                Set the routing precedence on the command-line interface.
  • Directly connected networks              Example: console> system route_precedence set static sdwan_policyroute vpn
  • Dynamic routing protocols
  • Unicast routes

SD-WAN policy routes

VPN routes (only policy-based IPsec VPNs)

Default route (WAN link manager)             Fallback route if traffic doesn't match any configured route.

Routing settings: Internet and internal traffic

To create an SD-WAN policy route for internet traffic, you can set Destination networks to a WAN host or to Any.

If traffic doesn't match any SD-WAN policy route, XG Firewall applies the settings specified in the WAN link manager.

Caution If your route precedence specifies SD-WAN policy routes before static routes and you set Destination networks to Any, XG Firewall applies the policy route to all (external and internal) traffic, forcing your internal sources to use the WAN gateway for internal destinations.

This is likely to occur if you migrated from an earlier version to 18.0 or changed the default route precedence. To see the route precedence, go to the command-line interface and use the following command:

console> system route_precedence show

If you want the internal traffic (for example, internal hosts accessing internal devices and servers) to reach the internal network directly, set the routing precedence with static routing before SD-WAN policy routing on the command-line interface.

Example: console> system route_precedence set static sdwan_policyroute vpn

Now, XG Firewall applies the static routes before it applies the SD-WAN policy-based routes. Internal traffic is forwarded directly to the internal destination.

Tip You can see the routing precedence on the command-line interface or the SD-WAN policy routing page on the web admin console.
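The Python model below, added here and not Sophos code, reproduces the route selection order described in this section and in Route precedence above: the stages run in the configured precedence (using the CLI keywords static, sdwan_policyroute and vpn), policy routes are evaluated in sequence with first match winning, a matched route uses its primary gateway when up and otherwise its backup, a route whose gateways are both down is skipped, and the default route is the final fallback. The interface, gateway and network names and the addresses are constructed assumptions. It then shows the effect the caution warns about: with the pre-18.0 order and a policy route whose destination is Any, an internal destination is sent to the WAN gateway.

```python
# Added example (not Sophos code): a simplified model of the route selection
# order described on the page. Route names, gateway names, interfaces and
# networks are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Gateway:
    name: str
    up: bool = True


@dataclass
class StaticRoute:
    network: str      # e.g. a directly connected network
    interface: str


@dataclass
class PolicyRoute:
    name: str
    destination: str  # CIDR, or "Any"
    primary: Gateway
    backup: Optional[Gateway] = None
    enabled: bool = True

    def matches(self, dst) -> bool:
        return self.destination == "Any" or dst in ipaddress.ip_network(self.destination, strict=False)

    def live_gateway(self) -> Optional[Gateway]:
        """Primary if up, else backup if up, else None (the route is not live)."""
        for gw in (self.primary, self.backup):
            if gw is not None and gw.up:
                return gw
        return None


def static_lookup(routes: Sequence[StaticRoute], dst) -> Optional[StaticRoute]:
    """Longest-prefix match over static routes."""
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.network, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def sdwan_lookup(routes: Sequence[PolicyRoute], dst) -> Optional[Tuple[str, str]]:
    """First enabled match with a live gateway wins; a match whose gateways are
    both down is skipped and the next policy route is evaluated."""
    for pr in routes:
        if pr.enabled and pr.matches(dst):
            gw = pr.live_gateway()
            if gw is not None:
                return pr.name, gw.name
    return None


def select_route(precedence: List[str], static_routes, policy_routes, vpn_routes, dst_ip: str) -> Tuple[str, str]:
    """Return (stage, next hop) for dst_ip, honouring the configured precedence.
    precedence uses the CLI keywords "static", "sdwan_policyroute" and "vpn";
    the default route (WAN link manager) is always the final fallback."""
    dst = ipaddress.ip_address(dst_ip)
    for stage in precedence:
        if stage == "static":
            hit = static_lookup(static_routes, dst)
            if hit:
                return "static", hit.interface
        elif stage == "sdwan_policyroute":
            hit = sdwan_lookup(policy_routes, dst)
            if hit:
                return "sdwan", hit[1]
        elif stage == "vpn":
            for net, tunnel in vpn_routes:
                if dst in ipaddress.ip_network(net, strict=False):
                    return "vpn", tunnel
        else:
            raise ValueError(f"unknown precedence keyword: {stage}")
    return "default", "WAN link manager"


# Constructed topology: one directly connected LAN and one Internet policy
# route with Destination networks set to Any; no policy-based VPN routes.
LAN = [StaticRoute("10.1.0.0/16", "Port1")]
ISP1, ISP2 = Gateway("ISP1"), Gateway("ISP2")
INTERNET = [PolicyRoute("Internet-Any", "Any", ISP1, ISP2)]
VPN: List[Tuple[str, str]] = []

PRE_18_DEFAULT = ["sdwan_policyroute", "vpn", "static"]
RECOMMENDED = ["static", "sdwan_policyroute", "vpn"]  # system route_precedence set static sdwan_policyroute vpn


def demo() -> dict:
    internal, external = "10.1.2.3", "198.51.100.7"
    results = {
        "internal, pre-18 order": select_route(PRE_18_DEFAULT, LAN, INTERNET, VPN, internal),
        "internal, recommended order": select_route(RECOMMENDED, LAN, INTERNET, VPN, internal),
        "internet, recommended order": select_route(RECOMMENDED, LAN, INTERNET, VPN, external),
    }
    ISP1.up = False  # primary gateway down: failover to the backup
    results["internet, ISP1 down"] = select_route(RECOMMENDED, LAN, INTERNET, VPN, external)
    ISP2.up = False  # both gateways down, no other policy route: default route
    results["internet, both down"] = select_route(RECOMMENDED, LAN, INTERNET, VPN, external)
    ISP1.up = ISP2.up = True
    return results


if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case}: {hop}")
```

Running the model for an internal destination under both precedence orders is the quickest way to confirm, before changing anything on the firewall, whether a given policy route with Destination networks set to Any would capture internal traffic.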

Policy route actions and gateway status

  • To change the sequence of an SD-WAN policy route, drag and drop the route. XG Firewall evaluates policy routes in the order shown until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
  • To turn on or turn off a route, use the Status switch.
  • To edit a route, click Edit.

Gateway status:

Active: The primary or backup gateway is up, and the policy route is live.

Inactive: The gateway is down, and the policy route isn't live. Override gateway monitoring is off.

Partial: The gateway is down, and override gateway monitoring is on.

Hover over the status icon to view the statuses of the primary and backup gateways and the override gateway monitoring setting.

Migrated IPv4 and IPv6 policy routes

In SFOS 18.0 and later versions, you need to specify routing policies in SD-WAN policy routing. Firewall rules no longer include routing settings. When you migrate from an earlier version, XG Firewall migrates the routing settings in firewall rules as Migrated SD-WAN policy routes. You can see them in the SD-WAN policy routing table. You can identify these migrated policy routes by the firewall rule ID and name.

To turn routing on or off for system-generated traffic and reply packets, go to the command-line interface.

Route precedence

During migration, XG Firewall retains the routing precedence you specified in the previous version. The default routing precedence in versions earlier than 18.0 is SD-WAN policy routes, VPN routes, then static routes.

Caution Because routing is not linked to firewall rules in 18.0, migrated policy routes with Destination networks set to a WAN host or Any also apply to internal traffic, routing this traffic through the WAN gateway.

To allow internal traffic to directly reach internal destinations, go to the command-line interface and set the routing precedence with static routing before SD-WAN policy routing.

Tip To take advantage of the SD-WAN policy route benefits, such as creating routing policies based on application objects, users, and groups, we recommend creating SD-WAN policy routes to replace the migrated routes.

The following rules apply to migrated routes:

  • XG Firewall automatically prefixes the firewall rule ID to the policy route name.
  • XG Firewall uses the firewall rule ID to match traffic with migrated routes.
  • Zones are not part of SD-WAN policy route settings. When more than one firewall rule specifies the same source and destination networks but different zones, XG Firewall creates an individual policy route for each of those firewall rules.
  • You can't change the sequence of migrated policy routes because they follow the firewall rule sequence.
  • If you delete the firewall rule, the migrated policy route is deleted.
  • You can edit only the gateways and the gateway monitoring decision.

Tip Make sure you take a backup of the current configuration before deleting the migrated policy routes.