SD-WAN routing behavior
You can configure SD-WAN routes with SD-WAN profiles to reroute connections dynamically when a gateway becomes unavailable or doesn't meet the SLAs any longer.
You can use SD-WAN routes to route system-generated traffic and reply packets.
Rerouting connections
To implement zero-impact failover, rerouting traffic (reroute-connection) is turned on by default.
You can turn it on or off from the command-line console as follows:
| Options | CLI commands |
|---|---|
| Show rerouting status | show routing reroute-connection |
| Turn on rerouting | set routing reroute-connection enable |
| Turn off rerouting | set routing reroute-connection disable |
See Routing commands.
Rerouting SNAT connections
Sophos Firewall doesn't reroute masqueraded (MASQ) connections because they use the gateways listed on WAN link manager. When the gateway in use becomes unavailable, failover to another gateway on the list results in a change to the Translated source (gateway) IP address, and the connection drops.
The firewall reroutes SNAT connections when the IP address or range you specify for the Translated source maps to an IP pool. Gateways that don't belong to the IP pool aren't used in zero-impact failover.
Rerouting traffic for SNAT connections (reroute-snat-connection) is turned off by default. You can turn it on using the command-line interface (CLI).
| Options | CLI commands |
|---|---|
| Show the rerouting status for SNAT connections | show routing reroute-snat-connection |
| Turn on rerouting for SNAT connections | set routing reroute-snat-connection enable |
| Turn off rerouting for SNAT connections | set routing reroute-snat-connection disable |
See Routing commands.
System-generated traffic and reply packets
You can create SD-WAN routes and specify the gateways for system-generated traffic and reply packets. On the CLI, make sure you turn on routing for both.
Reply packets
Sophos Firewall enforces symmetric routing on WAN interfaces for reply packets. These packets use the same WAN interface as the original packets.
You can configure asymmetric routing for reply packets on non-WAN interfaces. For example, you can specify an interface other than the original traffic's interface for LAN to DMZ traffic.
Restriction
SD-WAN routes don't apply to reply packets if the original traffic uses the default route (WAN link load balance). The default route applies, and reply packets exit on the same interface they enter.
You can change the setting on the CLI. See Routing commands.
System-generated traffic
Select only the destination networks and services because the incoming interface and source networks remain unknown. For example, traffic related to services used by Sophos Firewall flows through different interfaces, depending on the type of service.
You can change the setting on the CLI. See Routing commands.
Note
System-generated RED traffic on UDP port 3410 is layer 2 traffic. So, SD-WAN routes don't apply to this traffic.