Edit gateway details

Change gateway details and create or edit failover rules for it.

Gateway detail

You can change the general details of the gateway, such as type and weight.

| Option | Description |
| --- | --- |
| IP address | IP address of the gateway. |
| Interface | IP address of the interface. |
| Type | The method by which traffic is routed through the gateway. Choose "Active" to route traffic through the gateway. If you configure more than one active gateway, traffic is load balanced among the gateways according to the assigned weight. Choose "Backup" to route traffic through the gateway only when the active gateway is down. |
| Weight | Priority of the gateway to be used for allocating traffic. This value determines how much traffic will pass through the link in relation to the other available links. |

If you’ve selected type Backup, you can change the following backup gateway details:

| Option | Description |
| --- | --- |
| Activate this gateway | The method by which the gateway is activated. Choose "If any/all active gateway fails" to activate this gateway automatically if any or all of the active gateways fail. Choose "Manually" to require manual activation. |
| Action on activation | The method by which the firewall assigns weight to the gateway. Choose "Inherit weight of the failed active gateway" to use the weight of the failed active gateway to load balance the traffic among gateways. Choose "Use configured weight" to use the configured weight of the gateway. |
| Action on failback | The method by which the firewall takes action when the primary gateway is restored. Choose "Serve new connections through restored gateway" to route new connections through the primary gateway. The firewall continues to route existing connections through the backup gateway until they are disconnected or timed out. Choose "Serve all connections through restored gateway" to re-establish existing connections and route all traffic through the primary gateway. Connections for which you've specified the backup gateway, for example in an SD-WAN route, are re-established but continue to be routed through the backup gateway, not the primary gateway. |

Note

Currently, the option to serve all connections through the restored gateway doesn't apply to SD-WAN routes. When Sophos Firewall matches traffic with SD-WAN routes, it serves only new connections through the restored gateway.

When it matches traffic with WAN link load balance, it serves all connections through the restored gateway if you've selected the option.

Failover rules

Specify the criteria to use to determine when to reroute traffic to another gateway. By default, the firewall uses ping to test the link. You can modify the default criteria and add criteria. Additional criteria are evaluated using AND.

  • To change the criteria, click Edit and specify a testing method, port, and IP address.
  • To add criteria, click Add and specify a testing method, port, and IP address.

Note

For WAN or ISP-based gateways, you must enter a well-known public IP address to ensure that failover works properly, such as 8.8.8.8 or 8.8.4.4. For custom gateways added for route-based VPN (RBVPN), RED, and MPLS interface types, you must enter an IP address behind the gateway to ensure that failover works properly.
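The failover-rule guidance above expressed as a configuration check, as an added example that is not Sophos code: it flags test targets that break the note's addressing rule and shows the criteria combined with AND. The gateway kind labels, the `Criterion` fields and every sample address except 8.8.8.8 are assumptions made for the illustration, as is reading AND to mean that traffic is rerouted only when every test fails.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Labels for the gateway kinds named in the note (this example's own naming).
WAN_KINDS = {"wan"}
CUSTOM_KINDS = {"rbvpn", "red", "mpls"}

@dataclass(frozen=True)
class Criterion:
    method: str                 # "ping" or "tcp"
    target: str                 # IP address the test is sent to
    port: Optional[int] = None  # needed for tcp only

def lint_criteria(kind, criteria, behind_gateway=()):
    """Return findings for one gateway's failover rule (empty list = clean)."""
    nets = [ipaddress.ip_network(n) for n in behind_gateway]
    findings = []
    for c in criteria:
        ip = ipaddress.ip_address(c.target)
        if c.method == "tcp" and c.port is None:
            findings.append(f"{c.target}: tcp test has no port")
        if kind in WAN_KINDS and not ip.is_global:
            findings.append(f"{c.target}: WAN test target is not a public address")
        if kind in CUSTOM_KINDS and not any(ip in n for n in nets):
            findings.append(f"{c.target}: target is not behind the {kind} gateway")
    return findings

def should_fail_over(criteria, test_ok):
    """AND semantics (assumed reading): reroute only if every test fails."""
    return bool(criteria) and all(not test_ok[c] for c in criteria)

# Constructed sample rules; only 8.8.8.8 comes from the page.
PING_DNS = Criterion("ping", "8.8.8.8")
TCP_LAN = Criterion("tcp", "192.168.10.1", 443)
PING_PEER = Criterion("ping", "10.20.0.5")

if __name__ == "__main__":
    print(lint_criteria("wan", [PING_DNS, TCP_LAN]))
    print(lint_criteria("rbvpn", [PING_PEER], behind_gateway=["10.20.0.0/24"]))
    print(should_fail_over([PING_DNS, TCP_LAN], {PING_DNS: False, TCP_LAN: True}))
```

A private or otherwise non-routable test target on a WAN gateway never reflects the health of the ISP link, so the rule either never triggers or triggers for unrelated reasons; the check catches that before the rule is relied on.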
