Last update: 2021-10-15

Add an SD-WAN policy route

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups.

You can specify the primary and backup gateways to route the traffic through.

  1. Go to Routing > SD-WAN policy routing. Scroll down to IPv4 or IPv6 SD-WAN policy route and select Add.
  2. Enter a name.
  3. Select the traffic selector settings.

    | Name | Description |
    | --- | --- |
    | Incoming interface | Select the interface through which traffic specified in this route enters Sophos Firewall. Deleting the interface also deletes the policy route. |
    | DSCP marking | Select the level of DSCP marking to match incoming packets for priority. For details, see DSCP Value. Expedited forwarding (EF): Priority queuing that ensures low delay and low packet loss. Suitable for real-time services. Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort. Class selector (CS): Backward compatibility with network devices that use IP precedence in type of service. |
    | Source networks and Destination networks | Select from the list or create new ones. You can add an IP address, range or list, a network, an FQDN or FQDN group, or other address objects. |
    | Services | Select a service or create a new one to specify the type of traffic to route. Services are a combination of ports and protocols. For example, you can specify services for HTTP protocol with TCP port 80 and HTTPS protocol with TCP port 443. |
    | Application object | Specify the application objects. Use this to route certain application objects through the specified gateways. For example, you can route VoIP applications through a specific gateway. Sophos Firewall uses the details of the first session to match traffic with an SD-WAN routing policy for future sessions. The time to live (TTL) for application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. For details, see SD-WAN policy routing. |
    | Users or groups | Specify the users and user groups. |
  4. Specify the routing settings.

    | Name | Description |
    | --- | --- |
    | Primary gateway | Select the primary gateway to route traffic. If you delete the selected gateway, Sophos Firewall will delete the policy route and implement WAN link load balance to route traffic. If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, Sophos Firewall routes new connections through it. Existing connections continue to use the backup gateway. |
    | Backup gateway | If you've configured more than one gateway, select the backup gateway. If you delete the selected gateway, Sophos Firewall sets the backup gateway to None. |
    | Override gateway monitoring decision | Select if you want to route traffic through the selected gateway, even if the gateway is down. |
  5. Click Save.
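
The selector matching in step 3 and the gateway behaviour in step 4 can be modelled as follows. This is an added example, not Sophos code or part of the original page; the class, field, interface and gateway names are assumptions, as is what happens to a connection whose own gateway goes down or when both gateways are down, which the page does not describe.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PolicyRoute:
    """Constructed model of one SD-WAN policy route (field names are assumptions)."""
    name: str
    incoming_interface: str
    source_networks: list
    destination_networks: list
    services: set                    # {(protocol, port)}
    primary: str
    backup: str = None
    override_monitoring: bool = False
    connections: dict = field(default_factory=dict)  # connection id -> gateway

    def matches(self, iface, src, dst, proto, port):
        """True only if every traffic selector matches the packet."""
        in_any = lambda ip, nets: any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)
        return (iface == self.incoming_interface
                and in_any(src, self.source_networks)
                and in_any(dst, self.destination_networks)
                and (proto, port) in self.services)

    def select_gateway(self, conn_id, gateway_up):
        """Pick a gateway for a connection; gateway_up maps name -> bool."""
        if self.override_monitoring:
            return self.primary      # health ignored: used even if it is down
        current = self.connections.get(conn_id)
        if current and gateway_up.get(current):
            return current           # existing connection keeps its gateway
        if gateway_up.get(self.primary):
            chosen = self.primary
        elif self.backup and gateway_up.get(self.backup):
            chosen = self.backup
        else:
            chosen = None            # assumption: case not described on the page
        if chosen:
            self.connections[conn_id] = chosen
        return chosen

def demo():
    # Constructed sample route; "Port1", "ISP-A" and "ISP-B" are placeholders.
    r = PolicyRoute("voip", "Port1", ["10.0.0.0/24"], ["0.0.0.0/0"],
                    {("udp", 5060)}, "ISP-A", "ISP-B")
    return [r.select_gateway("c1", {"ISP-A": False, "ISP-B": True}),  # failover
            r.select_gateway("c1", {"ISP-A": True, "ISP-B": True}),   # stays on backup
            r.select_gateway("c2", {"ISP-A": True, "ISP-B": True})]   # new -> primary
```

With override_monitoring set, the model returns the primary gateway regardless of health, so matching traffic does not fail over to the backup link.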
