
Add an SD-WAN policy route

You can route traffic based on SD-WAN policy routing criteria, such as the incoming interface, source and destination networks, services, application objects, users, and user groups.

You can specify the primary and backup gateways to route the traffic through.

  1. Go to Routing > SD-WAN policy routing.
  2. Under either IPv4 SD-WAN policy route or IPv6 SD-WAN policy route, click Add.
  3. Enter a name.
  4. Select the Incoming interface.

    The firewall applies the route to traffic that enters this interface and matches the remaining criteria. You can also select a tunnel (XFRM) interface whose local and remote subnets are set to Any. Deleting the interface also deletes the policy route.

  5. Select the DSCP marking that incoming packets must carry to match this route.

    • Expedited forwarding (EF): Priority queuing ensures low delay and low packet loss. Suitable for real-time services.
    • Assured forwarding (AF): Assured delivery, but with packet drop if congestion occurs. Assigns packets a higher priority than best-effort.
    • Class selector (CS): Backward compatibility with network devices that use IP precedence in the type of service.
  6. Select the Source networks.

  7. Select the Destination networks.

    To send traffic to public IP addresses, we recommend that you don't select Any. Click Add new item, clear Any, and search for internet. Select the default IPv4 host group (Internet IPv4 group) or the default IP host ranges, such as Internet IPv4 (1-9).


    If you set the route precedence to SD-WAN routes before static routes and set the SD-WAN Destination networks to Any, Sophos Firewall applies the SD-WAN route to all (external and internal) traffic. This forces your internal sources to use the WAN gateway for internal destinations.

  8. Select a Service, for example HTTPS.

  9. Select the Application objects.

    For example, if you select VoIP applications, Sophos Firewall uses this SD-WAN route to route this traffic.


    Sophos Firewall uses the details of the first session to match traffic with an SD-WAN route for future sessions. The time to live (TTL) for application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. See Application-based SD-WAN routes.

  10. Select the Users or groups.

  11. Select the Primary gateway and the Backup gateway.

    If you delete the backup gateway, Sophos Firewall sets the backup gateway to None. If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, Sophos Firewall routes new connections through it. Existing connections continue to use the backup gateway.

    If you delete the primary gateway, Sophos Firewall deletes the route and applies the default route (WAN link load balance), which load-balances traffic among the active WAN links.

  12. Select Route only through specified gateways if you want to route traffic only using the gateways specified in this route. If these gateways are unreachable, Sophos Firewall drops the traffic.

    If you clear the checkbox and the gateways are down, the firewall evaluates other SD-WAN routes. If it doesn't find another matching route, it applies the default route.

  13. Click Save.
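The gateway-selection behaviour described in steps 11 and 12 (primary/backup failover, existing connections staying on the backup after the primary recovers, the effect of Route only through specified gateways, and the fall-through to other SD-WAN routes and then the default route) can be hard to reason about from the prose alone. The following Python model is an added illustration, not Sophos Firewall code. It assumes routes are evaluated top to bottom, identifies a connection by a constructed `conn_id`, represents the WAN link load balance default as a single gateway, and leaves out DSCP, user and application matching; all gateway and network names are constructed.

```python
"""Model of SD-WAN policy-route gateway selection (added example, not Sophos code).

Assumptions: routes are evaluated in list order, a connection is identified by
conn_id, and the default route is modelled as one gateway named by the caller.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DROP = "DROP"  # returned when a route pins traffic to gateways that are all down


@dataclass
class Gateway:
    name: str
    up: bool = True


@dataclass
class Flow:
    """Constructed flow tuple; the firewall also matches DSCP, users and apps."""
    in_iface: str
    src: str
    dst: str
    service: str   # for example "HTTPS"
    conn_id: int   # lets existing connections keep their assigned gateway


def _in_nets(addr: str, nets: list) -> bool:
    """True if addr falls in any CIDR in nets, or nets contains "Any"."""
    if "Any" in nets:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


@dataclass
class SdwanRoute:
    name: str
    in_iface: str
    src_nets: list           # CIDR strings or ["Any"]
    dst_nets: list
    services: list           # service names or ["Any"]
    primary: Gateway
    backup: Optional[Gateway]
    only_specified: bool = False   # "Route only through specified gateways"

    def matches(self, flow: Flow) -> bool:
        return (self.in_iface == flow.in_iface
                and _in_nets(flow.src, self.src_nets)
                and _in_nets(flow.dst, self.dst_nets)
                and ("Any" in self.services or flow.service in self.services))


class PolicyRouter:
    def __init__(self, routes, default_gateway: Gateway):
        self.routes = list(routes)
        self.default = default_gateway
        self.pinned = {}     # conn_id -> Gateway chosen when the connection started

    def route(self, flow: Flow) -> str:
        # An existing connection keeps its gateway while that gateway is up,
        # so it stays on the backup even after the primary comes back.
        gw = self.pinned.get(flow.conn_id)
        if gw is not None and gw.up:
            return gw.name
        for r in self.routes:
            if not r.matches(flow):
                continue
            if r.primary.up:
                gw = r.primary
            elif r.backup is not None and r.backup.up:
                gw = r.backup
            elif r.only_specified:
                return DROP        # specified gateways unreachable: traffic dropped
            else:
                continue           # checkbox cleared: evaluate the next SD-WAN route
            self.pinned[flow.conn_id] = gw
            return gw.name
        # No usable SD-WAN route: the default route (WAN link load balance) applies.
        self.pinned[flow.conn_id] = self.default
        return self.default.name


def failover_demo() -> dict:
    """Walk through the failover cases with constructed gateways and routes."""
    wan1, wan2, wan3 = Gateway("WAN1"), Gateway("WAN2"), Gateway("WAN3")
    https_route = SdwanRoute("HTTPS-out", "LAN", ["10.0.0.0/8"], ["Any"],
                             ["HTTPS"], wan1, wan2)
    voip_route = SdwanRoute("VoIP", "LAN", ["Any"], ["Any"], ["SIP"],
                            wan3, None, only_specified=True)
    router = PolicyRouter([https_route, voip_route], Gateway("WAN-LB"))
    https = lambda cid: Flow("LAN", "10.1.1.5", "203.0.113.10", "HTTPS", cid)
    out = {}
    out["primary_up"] = router.route(https(1))
    wan1.up = False
    out["primary_down_new_conn"] = router.route(https(2))
    wan1.up = True
    out["primary_back_existing"] = router.route(https(2))   # stays on backup
    out["primary_back_new"] = router.route(https(3))        # new conn uses primary
    wan3.up = False
    out["only_specified_down"] = router.route(
        Flow("LAN", "10.2.2.2", "198.51.100.7", "SIP", 4))
    wan1.up = wan2.up = False
    out["both_down_fallthrough"] = router.route(https(6))   # checkbox cleared
    out["no_match"] = router.route(
        Flow("LAN", "10.1.1.5", "203.0.113.10", "SSH", 7))
    return out


if __name__ == "__main__":
    for case, gateway in failover_demo().items():
        print(f"{case:24s} -> {gateway}")
```

Running `failover_demo()` shows the VoIP route returning `DROP` once its only gateway is down, because the checkbox is set, while the HTTPS route with the checkbox cleared falls through to the default route when both of its gateways are down.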
