SD-WAN routing behavior

You can configure SD-WAN routes with SD-WAN profiles to reroute connections dynamically when a gateway becomes unavailable or doesn't meet the SLAs any longer.

You can use SD-WAN routes to route system-generated traffic and reply packets.

Rerouting connections

To implement zero-impact failover, rerouting traffic (reroute-connection) is turned on by default.

You can turn it on or off from the command-line console as follows:

| Options | CLI commands |
|---|---|
| Show rerouting status | `show routing reroute-connection` |
| Turn on rerouting | `set routing reroute-connection enable` |
| Turn off rerouting | `set routing reroute-connection disable` |

See Routing commands.

Rerouting SNAT connections

Sophos Firewall doesn't reroute masqueraded (MASQ) connections because they use the gateways listed on WAN link manager. When the gateway in use becomes unavailable, failover to another gateway on the list results in a change to the Translated source (gateway) IP address, and the connection drops.

The firewall reroutes SNAT connections when the IP address or range you specify for the Translated source maps to an IP pool. Gateways that don't belong to the IP pool aren't used in zero-impact failover.

Rerouting traffic for SNAT connections (reroute-snat-connection) is turned off by default. You can turn it on using the command-line interface (CLI).

| Options | CLI commands |
|---|---|
| Show the rerouting status for SNAT connections | `show routing reroute-snat-connection` |
| Turn on rerouting for SNAT connections | `set routing reroute-snat-connection enable` |
| Turn off rerouting for SNAT connections | `set routing reroute-snat-connection disable` |

See Routing commands.
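The distinction this section draws between masqueraded connections and SNAT connections backed by an IP pool can be worked through with a small model. The following is an added example written for this page, not Sophos code: it assumes gateway names, addresses and a `"MASQ"` label, and models only the failover rules stated above (a gateway failing or no longer meeting its SLA, the WAN link manager order deciding the fallback, and `reroute-snat-connection` gating zero-impact failover for pool-backed SNAT).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of the failover behaviour described on this page.
# Gateway names, addresses and the "MASQ" label are assumptions, not Sophos code.

@dataclass(frozen=True)
class Gateway:
    name: str
    ip: str             # the gateway's own WAN address
    up: bool = True     # gateway reachable
    sla_met: bool = True

    def usable(self) -> bool:
        return self.up and self.sla_met

def failover_outcome(translated_source, gateways, current, reroute_snat=True):
    """Decide what happens to an established connection when its gateway fails.

    translated_source: "MASQ" (masquerade behind the gateway address), or a
    single IP / range such as "203.0.113.0/29" that maps to an IP pool.
    gateways: in WAN link manager order; the first usable one is the fallback.
    Returns (gateway new traffic moves to, whether this connection survives).
    """
    by_name = {g.name: g for g in gateways}
    if by_name[current].usable():
        return current, True                   # nothing to do
    usable = [g for g in gateways if g.usable()]
    if not usable:
        return None, False                     # no path at all
    if translated_source == "MASQ":
        # The translated source is the gateway address itself, so any
        # failover changes the source IP and the existing connection drops.
        return usable[0].name, False
    pool = ip_network(translated_source, strict=False)
    eligible = [g for g in usable if ip_address(g.ip) in pool]
    if reroute_snat and eligible:
        # Zero-impact failover: the translated source stays inside the pool.
        return eligible[0].name, True
    # Either reroute-snat-connection is disabled or no in-pool gateway is
    # usable; new traffic moves, but this connection is not preserved.
    return usable[0].name, False
```

Run it against a gateway list with the first gateway marked `up=False` to see that only SNAT rules whose pool contains the fallback gateway keep the connection.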

System-generated traffic and reply packets

You can create SD-WAN routes and specify the gateways for system-generated traffic and reply packets. On the CLI, make sure you turn on routing for both.

Reply packets

Sophos Firewall enforces symmetric routing on WAN interfaces for reply packets. These packets use the same WAN interface as the original packets.

You can configure asymmetric routing for reply packets on non-WAN interfaces. For example, you can specify an interface other than the original traffic's interface for LAN to DMZ traffic.

Restriction

SD-WAN routes don't apply to reply packets if the original traffic uses the default route (WAN link load balance). The default route applies, and reply packets exit on the same interface they enter.

You can change the setting on the CLI. See Routing commands.

System-generated traffic

When you create SD-WAN routes for system-generated traffic, select only the destination networks and services, because the incoming interface and source networks aren't known in advance. For example, traffic for the services Sophos Firewall itself uses flows through different interfaces, depending on the type of service.

You can change the setting on the CLI. See Routing commands.

Note

System-generated RED traffic on UDP port 3410 is layer 2 traffic. So, SD-WAN routes don't apply to this traffic.