SD-WAN policy routing

Software-defined WAN (SD-WAN) adds a layer of software intelligence to your WAN infrastructure.

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups. You can specify the primary and backup gateways to route the traffic through.

If both gateways are unavailable, Sophos Firewall evaluates other SD-WAN policy routes. If it doesn't find another matching policy route, it applies the default route (WAN link load balancing). The default route load-balances traffic among the active WAN links. For more details about active WAN links, go to Network > WAN link manager.

SD-WAN policy routes allow you to specify gateway failover and failback, using a combination of connections, for example MPLS, VPN, and broadband. You can also route critical applications and bandwidth-sensitive traffic, such as VoIP, through high-speed ISP links.

You can create IPv4 and IPv6 SD-WAN policy routes.

Actions

You can do the following to configure and manage SD-WAN routes:

  • To change the sequence of an SD-WAN route, drag and drop the route. Sophos Firewall evaluates routes in the order shown until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
  • Click More options for the following actions:
    • To turn on or turn off a route, use the On or Off switch.
    • To edit a route, click Edit.
    • To clone a route, click Clone.
    • To delete a route, click Delete.

Gateway status

Hover over the route's icon under Active to see the gateway status.

[Icon: gateway is active] The primary or backup gateway is up, and the policy route is live.

[Icon: gateway is down] The gateways are down, and the policy route isn't live. Route only through specified gateways is off.

[Icon: gateway is down and override gateway monitoring is turned on] The gateways are down, and the policy route isn't live. Route only through specified gateways is on.

If the gateways you configure in the SD-WAN route aren't available, Sophos Firewall evaluates other SD-WAN routes. If it doesn't find another matching route, it applies the default route (WAN link load balancing), which load-balances traffic among the active WAN links. To see the active WAN links, go to Network > WAN link manager.
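
The evaluation order described above and under Actions (first match wins, fall through when a matching route's gateways are down, then the default route) can be modeled as follows. This is an added example, not Sophos code: it matches only on source and destination networks, it doesn't model the Route only through specified gateways setting or static and VPN route precedence, and all route, gateway, and network names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    name: str
    src: str                      # source network (CIDR)
    dst: str                      # destination network (CIDR)
    primary: str                  # primary gateway name
    backup: Optional[str] = None  # backup gateway name, if any
    enabled: bool = True          # the On/Off switch

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

DEFAULT = "default route (WAN link load balancing)"

def select_gateway(routes, gw_up, wan_links, src_ip, dst_ip):
    """Return (route name, candidate gateways) for one flow.

    routes is the ordered list as shown in the UI; gw_up maps gateway name to
    True/False; wan_links lists the gateways taking part in load balancing.
    """
    for route in routes:                      # evaluated top to bottom
        if not route.enabled or not route.matches(src_ip, dst_ip):
            continue
        for gw in (route.primary, route.backup):
            if gw and gw_up.get(gw, False):
                return route.name, [gw]       # first live match wins
        # Both gateways down: this route isn't live, keep evaluating.
    # No live matching route: load-balance among the active WAN links.
    return DEFAULT, [link for link in wan_links if gw_up.get(link, False)]

# Constructed sample policy (names and networks are made up).
ROUTES = [
    Route("voip", "10.1.0.0/16", "198.51.100.0/24", primary="MPLS", backup="VPN"),
    Route("branch-any", "10.0.0.0/8", "0.0.0.0/0", primary="ISP1"),
]
WAN_LINKS = ["ISP1", "ISP2"]

if __name__ == "__main__":
    flow = ("10.1.2.3", "198.51.100.10")
    for down in ([], ["MPLS"], ["MPLS", "VPN"], ["MPLS", "VPN", "ISP1"]):
        up = {g: g not in down for g in ("MPLS", "VPN", "ISP1", "ISP2")}
        print(down, "->", select_gateway(ROUTES, up, WAN_LINKS, *flow))
```

In the last case the flow intended for MPLS or VPN leaves through ISP2, so review which links the default route can use when a route carries traffic that must stay on a specific path.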

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.

You can see the route precedence on Routing > SD-WAN routes.

See Routes and route precedence on Sophos Firewall.