Skip to content

Migrated SD-WAN routes

These route settings are migrated from 17.5, in which the route settings were configured in the firewall rules.

You must now specify routing policies in SD-WAN routing. Firewall rules no longer include routing settings. When you migrate from an earlier version, Sophos Firewall migrates the routing settings in firewall rules as Migrated SD-WAN policy routes. You can see them in the SD-WAN routing table. You can identify these migrated routes by the firewall rule ID and name.

To turn routing on or off for system-generated traffic and reply packets, go to the command-line interface.

Route precedence

During migration, Sophos Firewall retains the routing precedence you specified in the previous version. The default routing precedence in 17.5 and earlier versions is SD-WAN routes, VPN routes, then static routes.

Warning

Routing isn't linked to firewall rules any longer. So, migrated routes with Destination networks set to a WAN host or Any also apply to internal traffic, routing this traffic through the WAN gateway.

To allow internal traffic to directly reach internal destinations, go to the command-line interface and set the routing precedence with static routing before SD-WAN routing.

Tip

To take advantage of the SD-WAN route benefits, such as creating routing policies based on application objects, users, and groups, we recommend creating SD-WAN routes to replace the migrated routes.

Migrated route behavior

The following conditions apply to migrated routes:

  • Sophos Firewall automatically prefixes the firewall rule ID to the route name.
  • Sophos Firewall uses the firewall rule ID to match traffic with migrated routes.
  • Zones are not part of SD-WAN route settings. When more than one firewall rule specifies the same source and destination networks, but different zones, individual routes that correspond to the firewall rules are created.
  • You can't change the sequence of migrated routes since they correspond to the firewall rule sequence.
  • If you delete the firewall rule, the migrated route is deleted.
  • You can edit only the gateways and the gateway monitoring decision.

Tip

Make sure you take a backup of the current configuration before deleting the migrated routes.

Edit a migrated route

You can change the route name, primary and backup gateways, and the gateway monitoring decision.

  1. Go to Routing > SD-WAN routes.
  2. Under either IPv4 or IPv6, click Add.
  3. Enter a name.
  4. The firewall rule ID and name identify the rule that the route migrated from. Select the tooltip to see the rule’s source, destination, service, and action settings.

    Warning

    If your route precedence specifies SD-WAN routes before static routes and you set Destination networks to Any, Sophos Firewall applies the route to all (external and internal) traffic, forcing your internal sources to use the WAN gateway for internal destinations.

    This is likely to occur if you migrated from 17.5 or changed the default route precedence. To see the route precedence, go to the command-line interface and use the following command:

    console> system route_precedence show

    If you want the internal traffic (for example, internal hosts accessing internal devices and servers) to reach the internal network directly, set the routing precedence with static routing before SD-WAN routing on the command-line interface.

    Example: console> system route_precedence set static sdwan_policyroute vpn

  5. The gateway specified in the firewall rule becomes the primary gateway.

    If you delete the selected gateway, Sophos Firewall deletes the route and implements WAN link load balance to route traffic.

    If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, Sophos Firewall routes new connections through it. Existing connections continue to use the backup gateway.

  6. If you specified Backup gateway in the firewall rule, this gateway is used here.

    If you delete the selected gateway, Sophos Firewall sets the backup gateway to None.

  7. Route only through the specified gateways is selected during migration to replicate the behavior of the routes in the original firewall rules.

  8. Click Save.

How migrated SD-WAN routes work

Functionality Migrated SD-WAN routes
Firewall rules Migrated as independent rules and policies:
  • Firewall rules without routing settings.
  • Migrated NAT rules.
  • Migrated SD-WAN routes with the associated firewall rule ID and name.
Sophos Firewall uses the firewall rule ID to match traffic with migrated routes.
Firewall rules with the following settings:
  • Destination zones: LAN
  • No gateway
Migrated SD-WAN routes aren't created.
Firewall rules with the following settings:
  • Destination zones: WAN
  • WAN link load balance
Migrated SD-WAN routes aren't created. Evaluates other SD-WAN routes. If it doesn't find another matching route, it applies the default route (WAN link load balancing).
Zones in firewall rules Individual migrated SD-WAN routes are created when multiple firewall rules differ only in the source and destination zone criteria.
Sequence of migrated SD-WAN routes You can't change the sequence because these routes correspond to the firewall rule sequence.
Settings you can change in migrated SD-WAN routes Only routing parameters:
  • Primary gateway: Backup gateway
  • Override gateway monitoring decision
Migrated firewall rule is deleted The associated migrated SD-WAN route is deleted.
Routing precedence The routing precedence specified in the earlier version is migrated.

You may want to set it to the default precedence for 18.0 and later: Static route, SD-WAN route, VPN route.

More resources

Back to top