Skip to content

Configure gateway load balancing and failover

Configure Sophos Firewall for load balancing and failover for multiple ISP uplinks based on the number of WAN ports available on the appliance.

Introduction

If you have more than one ISP link, you can terminate each link on a physical WAN interface. The firewall sends traffic to the ISP link through the gateway configured for the link.

You can configure a gateway as active or backup.

  • Active-active: Sophos Firewall balances traffic among the active gateways. By default, it adds a new gateway as an active gateway. So, load balancing automatically occurs between the existing and newly added ISP links. Sophos Firewall uses a weighted round-robin algorithm for load balancing, distributing traffic among the ISP links based on the weight specified for the links.
  • Active-backup: You configure one or more gateways as backup gateways. When an active gateway goes down, traffic fails over to an available backup gateway.

Load balancing and failover are supported both for IPv4 and IPv6 traffic. You can use two IPv4 gateways or two IPv6 gateways.

The network diagram shows that one ISP link is terminated on Port B, and Port D is an unbound port. The following instructions show how to terminate another ISP uplink on Port D.

Example network diagram showing gateway load balancing.

Add a new gateway

You need to configure an unbound physical port. This example uses PortD throughout.

To add a new gateway, do as follows:

  1. Go to Network > Interface.
  2. Select an unbound port and click it to edit its settings.

    New interface created for an unbound physical port.

  3. Enter the following information for your new interface:

    • Network zone: Select WAN.
    • IPv4 configuration: Turn on if appropriate.
    • IP assignment
    • IPv4/Network mask
    • Gateway name
    • Gateway ID
  4. Click Save.

    Example settings for PortD:

    Example settings for a gateway.

    The gateway is added to the list of gateways.

Configure load balancing

You need to configure the load balancing for your new gateway.

Sophos Firewall adds a new gateway as an active gateway. Load balancing is automatically enabled between existing and new links.

Sophos Firewall uses a weighted round-robin algorithm for load balancing. This assigns a weight to a link. Sophos Firewall distributes traffic among the links in proportion to the weight assigned to them.

To assign a weight to a link:

  1. Go to Network > WAN link manager.

    Edit the gateway.

    Edit PortD gateway:

    Edit the gateway.

  2. Enter a weight.

    Example weight for PortD:

    Specify a weight for the example gateway.

Configure gateway failover

You can set up gateway failover in both active-active and active-backup configurations.

In an active-active setup, if any of the active gateways fail, the traffic is redirected to the other active gateway. You can specify failover conditions to indicate how the failed gateway should be detected. When you add a gateway, Sophos Firewall adds a default failover rule: If Sophos Firewall can't ping the recently added gateway IP address, the gateway is considered down.

Default failover rule.

During a link failure incident, Sophos Firewall regularly checks the health of the connection so that it can restore the connection faster when the internet service is restored. When the connection is restored and the gateway is up again, the traffic is rerouted through the active gateway automatically.

Sophos Firewall notifies administrators by email about all changes in gateway status. You can also see this in the log viewer.

In an active-backup setup, if an active gateway fails, you must redirect the traffic to a backup gateway.

To set up gateway failover, choose whether to configure failover conditions or redirect to a backup gateway.

  • To configure failover conditions, do as follows:

    1. Click Add to add a new failover rule. You can also edit an existing rule.
    2. Enter the details for the rule.

      This screenshot shows an example rule. The rule states that if Sophos Firewall can't ping the gateway IP address, 172.16.16.15, or establish a TCP connection on port 80 to 4.2.2.2, the gateway is considered down.

      Example settings for failover rule.

      Note

      For WAN or ISP-based gateways, you must enter a well-known public IP address to ensure that failover works properly, such as 8.8.8.8 or 8.8.4.4. For custom gateways added for route-based VPN (RBVPN), RED, and MPLS interface types, you must enter an IP address behind the gateway to ensure that failover works properly.

  • To redirect the traffic to a backup gateway, do as follows:

    1. Go to Network > WAN link manager.
    2. Edit the gateway.

      Edit the PortD gateway:

      Edit the gateway.

    3. Select Backup as the type.

    4. Set the gateway to start if any active gateway fails.
    5. Set it to inherit the weight from the failed gateway.

      Example backup settings for Port D:

      Backup gateway settings for Port D.

    6. Click Save. If an active gateway fails, the backup gateway is activated and inherits the weight of the failed gateway.

More resources