
What's new in SD-WAN policy routing in 18.0

A comparison of features and behavior of the routing settings in 17.5 and earlier with SD-WAN policy routing in 18.0.

Introduction

You can create SD-WAN policy routes for the following:

  • Application-based routes
  • User and group-based routes
  • System-generated traffic
  • Reply packets

Routing (17.5) vs SD-WAN policy routing (18.0)

Rules and policies that are required
  • 17.5 and earlier: Firewall rules with routing and NAT settings.
  • 18.0: Firewall rules without routing and NAT settings, NAT rules, and SD-WAN policy routes.

Primary and backup gateways
  • 17.5 and earlier: Yes
  • 18.0: Yes

When the gateways go down
  • 17.5 and earlier: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).
  • 18.0: Based on the Override gateway monitoring decision setting:
    • Selected: The firewall drops the traffic.
    • Not selected: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing). The default route load-balances traffic among the active WAN links. Routing remains persistent.

When the primary gateway is deleted
  • 17.5 and earlier: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).
  • 18.0: Evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).

Routing of internal traffic
  • 17.5 and earlier: Applies the routing settings of the firewall rule with source and destination zones set to internal zones.
  • 18.0: Applies routing to all the zones in a network, including internal zones, based on the destination networks.

If you create policy routes with Destination networks set to Any, Sophos Firewall also routes internal traffic to the WAN interface.

For details, see Troubleshooting.

How migrated SD-WAN policy routes work

Firewall rules
  Migrated as independent rules and policies:
  • Firewall rules without routing settings.
  • Migrated NAT rules.
  • Migrated SD-WAN policy routes with the associated firewall rule ID and name.
  Sophos Firewall uses the firewall rule ID to match traffic with migrated routes.

Firewall rules with destination zone LAN and no gateway
  Migrated SD-WAN policy routes aren't created.

Firewall rules with destination zone WAN and WAN link load balance
  Migrated SD-WAN policy routes aren't created. Sophos Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing).

Zones in firewall rules
  Individual migrated SD-WAN policy routes are created when multiple firewall rules differ only in the source and destination zone criteria.

Sequence of migrated SD-WAN policy routes
  You can't change the sequence because these routes correspond to the firewall rule sequence.

Settings you can change in migrated SD-WAN policy routes
  Only routing parameters:
  • Primary gateway and backup gateway
  • Override gateway monitoring decision

Migrated firewall rule is deleted
  The associated migrated SD-WAN policy route is deleted.

Routing precedence
  The routing precedence specified in the earlier version is migrated. You may want to set it to the default precedence for 18.0: static route, SD-WAN policy route, VPN route.
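As an added example (not from the Sophos documentation), the following Python model evaluates a destination in the default 18.0 precedence order described above: static route, then SD-WAN policy routes with primary and backup gateways and the Override gateway monitoring decision, then VPN route, then the default route (WAN link load balancing). It also shows why a policy route with Destination networks set to Any catches internal destinations; matching is simplified to destination networks only, and the gateway names, networks and the hash-based link choice are constructed assumptions, not Sophos's algorithm.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PolicyRoute:
    name: str
    dst_nets: list            # ["any"] or CIDR strings; other match criteria omitted (assumption)
    primary: str
    backup: str = ""
    override_monitoring: bool = False   # "Override gateway monitoring decision" checkbox


def dst_matches(dst: str, nets: list) -> bool:
    """Destination networks 'Any' matches every address, internal ones included."""
    if "any" in nets:
        return True
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def route_packet(dst, static_routes, policy_routes, vpn_routes, gw_up, wan_links):
    """Return (egress, reason) using the 18.0 default precedence:
    static route, SD-WAN policy route, VPN route, then the default route."""
    for net, gw in static_routes:                  # 1. static routes win outright
        if dst_matches(dst, [net]):
            return gw, "static route"
    for r in policy_routes:                        # 2. policy routes in sequence
        if not dst_matches(dst, r.dst_nets):
            continue
        for gw in (r.primary, r.backup):           # primary first, then backup
            if gw and gw_up.get(gw, False):
                return gw, f"policy route {r.name}"
        if r.override_monitoring:                  # both gateways down, override selected
            return "drop", f"policy route {r.name}: gateways down, override selected"
        # override not selected: keep evaluating the remaining policy routes
    for net, gw in vpn_routes:                     # 3. VPN routes
        if dst_matches(dst, [net]):
            return gw, "VPN route"
    active = [w for w in wan_links if gw_up.get(w, False)]
    if not active:
        return "drop", "no active WAN link"
    # 4. default route: spread across active WAN links (constructed hash, not Sophos's method)
    pick = int(ipaddress.ip_address(dst)) % len(active)
    return active[pick], "default route (WAN link load balance)"
```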

New functionality in SD-WAN policy routing

Application-based routing
  Requires an active Web Protection license.
  WAN link load balance: The first connection from an application is routed using the default route (WAN link load balance). The specified application-based route applies to subsequent connections, after Sophos Firewall learns the session details.
  High availability: The cached application-based routing details are synchronized over the dedicated HA link using the multicast IP address 226.1.1.1 on port 4455.
  Micro apps: Web proxy mode doesn't support application-based routing for micro apps. It supports only pattern applications and Synchronized Security applications. The DPI engine supports application-based routing for all applications, including micro apps.
  To configure application-based routing, see How to configure SD-WAN policy routes.

Users and groups
  You can create SD-WAN policy routes based on users and groups.

System-generated traffic
  • You can create SD-WAN policy routes.
  • You can specify the gateways.
  It requires a WAN interface.
  SD-WAN policy routing for system-generated traffic is turned off by default. To turn it on, go to the command-line console.

Reply packets
  • You can create SD-WAN policy routes.
  • You can select a specific gateway. Based on the specified gateway, reply packets can use a different route from the one the original packets used. You can specify primary and backup gateways.
  SD-WAN policy routing for reply packets is turned off by default. To turn it on, go to the command-line console.
