Skip to content

Configure SD-WAN routes

You can use SD-WAN policies to route traffic from a branch office to the head office and to cloud applications using the MPLS network and ISP links.

Introduction

In this example, you create an SD-WAN policy to route traffic from the branch office to the servers in the head office using an existing MPLS network. You create another SD-WAN policy to route traffic from the sales team in the branch office LAN to cloud applications using ISP links. You also create firewall rules to allow traffic.

  • Route-1: Route traffic from the branch office to the web servers in the head office:
    • Create an SD-WAN route using MPLS-1 and MPLS-2.
  • Route-2: Route traffic from the sales team in the branch office LAN to cloud applications:
    • Create an application object for the applications used by the sales team, for example conferencing, lead management, VoIP, and storage and backup applications.
    • Create an SD-WAN policy to route branch office traffic to these cloud applications using the links, ISP-1 and ISP-2.
  • Create a firewall rule to allow traffic.

Network diagram: SD-WAN routing with gateway failover.

Creating an SD-WAN policy to route branch office traffic to servers in the head office (Route-1)

In this example, all the traffic from the LAN network 172.16.16.0/24 is routed through the primary gateway MPLS-1. MPLS-2 is the backup gateway.

  1. Go to Routing > SD-WAN routes.
  2. Click IPv4 or IPv6 and click Add.
  3. Specify the following settings:

    Name Description
    Name Enter a name.

    BO_to_HO_Servers
    Incoming interface Any
    Source network 172.16.16.0/24
    Destination network 192.168.1.0/24
    Primary gateway MPLS-1_10.10.11.1
    Backup gateway MPLS-2_10.10.12.2

Firewall rules: You must create a firewall rule to allow traffic from the specified source to the destination.

NAT rule: Source NAT rules aren't required for MPLS traffic.

SD-WAN route in the head office: You must create an SD-WAN policy on the Sophos Firewall device in the head office to route the reply packets generated for this route.

Creating a firewall rule to allow traffic from the branch office LAN to web servers in the head office

  1. Go to Rules and policies > Firewall rules.
  2. Select either IPv4 or IPv6, click Add firewall rule, and click New firewall rule.
  3. Specify the rule name and position. Specify the following settings:

    Name Description
    Source zones LAN
    Source networks and devices 172.16.16.0/24
    Destination zones MPLS_DMZ

    Created the MPLS network in the DMZ at the branch office.
    Destination networks 192.168.1.0/24
    Services Web_traffic

    In this example, this service includes TCP 80 and TCP 443 ports and protocols.

    Alternatively, you can specify the services in the SD-WAN route rather than in the firewall rule.
  4. Click Save.

Create an application object (Route-2)

Create an application object with cloud applications used by the sales team.

  1. Go to Applications > Application object and click Add.
  2. Enter a name for the application object, for example CloudApps_Sales.
  3. Select the applications. You can use the smart filter to list the applications you want. Alternatively, use the application profile lists or use the filter next to Name and select the applications.

    In this example, you selected Citrix GoToTraining, Citrix Online, SalesForce, Vonage, Whatsapp Call, Carbonite, DropBox File Upload, and OneDrive applications.

  4. Click Save.

Create an SD-WAN policy to route traffic to cloud applications (Route-2)

All the traffic from the LAN network 172.16.16.0/24 is routed through the primary gateway ISP-1. ISP-2 is the backup gateway.

  1. Go to Routing > SD-WAN routes.
  2. Click IPv4 or IPv6 and click Add.
  3. Specify the following settings:

    Name Description
    Name Enter a name.

    BO_to_CloudSalesApps
    Incoming interface Port3

    Port3 was configured for the LAN zone.
    Application object CloudApps_Sales
    Users or groups Sales_Team
    Primary gateway ISP-1_173.20.10.2
    Backup gateway ISP-2_9.8.10.2
  4. Click Save.

You must create a firewall rule to allow traffic from the specified source to the destination. The default source NAT rule performs the translation.

Create a firewall rule to allow branch office sales team to access cloud applications

  1. Go to Rules and policies > Firewall rules.
  2. Select either IPv4 or IPv6, click Add firewall rule, and click New firewall rule.
  3. Specify the rule name and position.
  4. Specify the following settings:

    Name Description
    Source zones LAN
    Source networks and devices 172.16.16.0/24
    Destination zones WAN
    Destination networks Any
    Services Any

    Note

    You don't need to specify users or groups in the firewall rule because you specified them in the SD-WAN route.

  5. Click Save.