
Configure SD-WAN policy routes

You can use SD-WAN policies to route traffic from a branch office to the head office and to cloud applications using the MPLS network and ISP links.

Introduction

In this example, you create an SD-WAN policy to route traffic from the branch office to the servers in the head office using an existing MPLS network. You create another SD-WAN policy to route traffic from the sales team in the branch office LAN to cloud applications using ISP links. You also create firewall rules to allow traffic.

  • Route-1: Route traffic from the branch office to the web servers in the head office:
    • Create an SD-WAN policy route using MPLS-1 and MPLS-2.
  • Route-2: Route traffic from the sales team in the branch office LAN to cloud applications:
    • Create an application object for the applications used by the sales team, for example conferencing, lead management, VoIP, and storage and backup applications.
    • Create an SD-WAN policy to route branch office traffic to these cloud applications using the links, ISP-1 and ISP-2.
  • Create a firewall rule to allow traffic.

Network diagram: SD-WAN routing with gateway failover

Creating an SD-WAN policy to route branch office traffic to servers in the head office (Route-1)

In this example, all the traffic from the LAN network 172.16.16.0/24 is routed through the primary gateway MPLS-1. MPLS-2 is the backup gateway.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Specify the following settings:

    Setting              Value
    Name                 BO_to_HO_Servers
    Incoming interface   Any
    Source network       172.16.16.0/24
    Destination network  192.168.1.0/24
    Primary gateway      MPLS-1_10.10.11.1
    Backup gateway       MPLS-2_10.10.12.2

Firewall rules: You need to create a firewall rule to allow traffic from the specified source to the destination.

NAT rule: Source NAT rules aren't required for MPLS traffic.

SD-WAN policy route in the head office: You must create an SD-WAN policy on the Sophos Firewall device in the head office to route the reply packets generated for this route.

Creating a firewall rule to allow traffic from the branch office LAN to web servers in the head office

  1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and position. Specify the following settings:

    Setting                       Value
    Source zones                  LAN
    Source networks and devices   172.16.16.0/24
    Destination zones             MPLS_DMZ
    Destination networks          192.168.1.0/24
    Services                      Web_traffic

    MPLS_DMZ: In this example, the MPLS network at the branch office is placed in the DMZ zone.

    Web_traffic: In this example, this service includes TCP ports 80 and 443. Alternatively, you can specify the services in the SD-WAN policy route rather than in the firewall rule.
  3. Click Save.

Create an application object (Route-2)

Create an application object with cloud applications used by the sales team.

  1. Go to Applications > Application object and click Add.
  2. Enter a name for the application object, for example CloudApps_Sales.
  3. Select the applications. You can use the smart filter to list the applications you want. Alternatively, use the application profile lists or use the filter next to Name and select the applications.

    In this example, you selected Citrix GoToTraining, Citrix Online, SalesForce, Vonage, Whatsapp Call, Carbonite, DropBox File Upload, and OneDrive applications.

  4. Click Save.

Create an SD-WAN policy to route traffic to cloud applications (Route-2)

In this example, traffic from the sales team in the branch office LAN network 172.16.16.0/24 to the selected cloud applications is routed through the primary gateway ISP-1. ISP-2 is the backup gateway.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Specify the following settings:

    Setting              Value
    Name                 BO_to_CloudSalesApps
    Incoming interface   Port3
    Application object   CloudApps_Sales
    Users or groups      Sales_Team
    Primary gateway      ISP-1_173.20.10.2
    Backup gateway       ISP-2_9.8.10.2

    Port3: In this example, Port3 is the interface configured for the LAN zone.
  3. Click Save.

You need to create a firewall rule to allow traffic from the specified source to the destination. The default source NAT rule performs the translation.

Create a firewall rule to allow the branch office sales team to access cloud applications

  1. Go to Rules and policies > Firewall rules. Select protocol IPv4 or IPv6 and select Add firewall rule. Select New firewall rule.
  2. Specify the rule name and position.
  3. Specify the following settings:

    Setting                       Value
    Source zones                  LAN
    Source networks and devices   172.16.16.0/24
    Destination zones             WAN
    Destination networks          Any
    Services                      Any

    Note

    You don't need to specify users or groups in the firewall rule because you specified them in the SD-WAN policy route.

  4. Click Save.
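The following is an added example, not Sophos Firewall code or anything from this page's product: a small Python model of the two SD-WAN policy routes and the two firewall rules configured above, so you can trace how a flow is treated by both. It assumes routes are evaluated top-down with first match winning, that the primary gateway is used unless its health check has failed (then the backup), and that a flow must also match a firewall rule or it is dropped whatever route it would have taken. The firewall rule names, the sample flows, the cloud address 203.0.113.5 and the way a flow carries its zone, interface, application and user group are all constructed for the example.

```python
"""Constructed model of Route-1/Route-2 and their firewall rules (not Sophos code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    in_iface: str                # ingress interface, e.g. "Port3" (assumed field)
    src_zone: str
    dst_zone: str
    app: Optional[str] = None    # application as classified by the firewall
    group: Optional[str] = None  # group resolved for the authenticated user


@dataclass
class SdwanRoute:
    name: str
    primary: str
    backup: str
    in_iface: str = "Any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    apps: frozenset = frozenset()    # empty means any application
    groups: frozenset = frozenset()  # empty means any user

    def matches(self, f: Flow) -> bool:
        return ((self.in_iface == "Any" or f.in_iface == self.in_iface)
                and ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (not self.apps or f.app in self.apps)
                and (not self.groups or f.group in self.groups))


@dataclass
class FirewallRule:
    name: str
    src_zone: str
    src_net: str
    dst_zone: str
    dst_net: str = "0.0.0.0/0"
    services: frozenset = frozenset()  # empty means any; else {(proto, port)}

    def matches(self, f: Flow) -> bool:
        return (f.src_zone == self.src_zone and f.dst_zone == self.dst_zone
                and ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and (not self.services or (f.proto, f.dport) in self.services))


# Objects from the page: the CloudApps_Sales application object and Web_traffic.
CLOUDAPPS_SALES = frozenset({"Citrix GoToTraining", "Citrix Online", "SalesForce",
                             "Vonage", "Whatsapp Call", "Carbonite",
                             "DropBox File Upload", "OneDrive"})
WEB_TRAFFIC = frozenset({("tcp", 80), ("tcp", 443)})

ROUTES = [  # Route-1 then Route-2, as configured on the page
    SdwanRoute("BO_to_HO_Servers", "MPLS-1", "MPLS-2",
               src_net="172.16.16.0/24", dst_net="192.168.1.0/24"),
    SdwanRoute("BO_to_CloudSalesApps", "ISP-1", "ISP-2", in_iface="Port3",
               apps=CLOUDAPPS_SALES, groups=frozenset({"Sales_Team"})),
]
RULES = [  # rule names are constructed; the page does not name them
    FirewallRule("BO_LAN_to_HO_Web", "LAN", "172.16.16.0/24",
                 "MPLS_DMZ", "192.168.1.0/24", WEB_TRAFFIC),
    FirewallRule("BO_Sales_to_Cloud", "LAN", "172.16.16.0/24", "WAN"),
]


def select_gateway(f: Flow, gateway_up: dict) -> Optional[str]:
    """Gateway of the first matching route (primary, else backup); "routing-table"
    when no policy route matches; None when both gateways of the route are down."""
    for r in ROUTES:
        if r.matches(f):
            for gw in (r.primary, r.backup):
                if gateway_up.get(gw, True):   # missing health entry = up
                    return gw
            return None
    return "routing-table"


def decide(f: Flow, gateway_up: dict) -> tuple:
    """(allowed, gateway): a flow no firewall rule allows is never forwarded."""
    if not any(rule.matches(f) for rule in RULES):
        return False, None
    return True, select_gateway(f, gateway_up)


# Constructed sample flows from the branch LAN; 203.0.113.5 stands in for a cloud app.
FLOWS = {
    "ho_web": Flow("172.16.16.20", "192.168.1.10", "tcp", 443, "Port3",
                   "LAN", "MPLS_DMZ", group="Sales_Team"),
    "ho_ssh": Flow("172.16.16.20", "192.168.1.10", "tcp", 22, "Port3",
                   "LAN", "MPLS_DMZ", group="Sales_Team"),
    "sales_cloud": Flow("172.16.16.20", "203.0.113.5", "tcp", 443, "Port3",
                        "LAN", "WAN", app="SalesForce", group="Sales_Team"),
    "eng_cloud": Flow("172.16.16.40", "203.0.113.5", "tcp", 443, "Port3",
                      "LAN", "WAN", app="SalesForce", group="Engineering"),
}

if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(name, decide(flow, {}))
    print("ho_web with MPLS-1 down:", decide(FLOWS["ho_web"], {"MPLS-1": False}))
```

Two results are worth noting. The SSH flow to the head office is dropped even though Route-1 would carry it over MPLS-1, because only the firewall rule restricts services to Web_traffic; if you restrict services in the SD-WAN policy route instead, as the page allows, the firewall rule must still permit the flow. The engineering user's cloud flow is allowed by the LAN-to-WAN rule but matches no policy route, so it is left to the ordinary routing table rather than pinned to the ISP links.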
