You can use SD-WAN profiles to define an SD-WAN routing strategy across multiple gateways in your SD-WAN network. With two or more gateways configured in your network, you can use an SD-WAN profile to route traffic based on the availability or performance of the gateways. This approach optimizes the performance of your SD-WAN network and helps ensure continuity in the event of an ISP disruption.
When configuring an SD-WAN profile, you add the configured gateways to the SD-WAN profile and list them in the order you want the firewall to evaluate them. If you want to route traffic based on the availability of the gateways, select the First available gateway routing strategy. The firewall performs a health check on all the added gateways in the order you listed and selects the first available gateway.
Service Level Agreement (SLA)
If you select the SLA routing strategy, Sophos Firewall routes traffic based on the performance of the gateways using the specified SLA. An SLA includes the performance monitoring criteria. The firewall performs a health check and selects the best-performing gateway based on the criteria defined in the SLA. You can use one of the following SLAs:
- Best quality: Selects the best-performing gateway based on the performance monitoring criteria you select (either latency, jitter, or packet loss). For example, if you select latency as the performance monitoring criteria, the firewall selects the gateway with the minimum latency. You can use this SLA for non-critical traffic.
- Custom SLA: Selects the best-performing gateway based on the maximum acceptable values you define for latency, jitter, and packet loss.
With the Best quality SLA, the firewall only looks for the best-performing gateway based on one criterion. Custom SLA ensures that the firewall selects the gateway that meets the specified performance levels for all performance criteria.
The firewall routes traffic through the first available gateway that meets the SLA. If no gateway meets the SLA, it uses the default routing strategy (First available gateway).
Sophos Firewall uses a health check mechanism to monitor the health status of the configured gateways. Apart from the status of the gateways, the health check measures the latency, jitter, and packet loss across the gateways.
The firewall sends requests to host IP addresses (or probe targets) behind the gateways. It considers a gateway active if its hosts respond to the health check probes. You can select a protocol, such as ping or TCP, to perform the health check. If a gateway fails the health check, it's removed from the selection algorithm. The firewall then reroutes traffic through the next available gateway (First available gateway strategy) or the next available gateway that meets the SLA (SLA strategy). When the gateway passes the health check again, it's added back to the selection algorithm.
If you add two probe targets, the firewall probes the first target. If the first target doesn't respond, it probes the second target and continues to use this target for the health check as long as it responds. The firewall doesn't probe the first target even if it's ready to respond until the second target stops responding.
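The following Python model, added here as an illustration and not Sophos Firewall code, ties together the two behaviours described above: the three routing strategies (First available gateway, Best quality SLA, Custom SLA with fallback to First available) and the sticky probe-target failover used by the health check. Gateway names, metric values, probe target addresses and all function and class names are constructed for the example; the selector generalizes the two-target rule in the text to any number of targets by always staying on the target that last responded.

```python
"""Model of SD-WAN gateway selection and probe-target failover (illustrative, not vendor code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Gateway:
    """One configured gateway with the result of its latest health check. Values are constructed."""
    name: str
    up: bool            # passed the health check (probe target responded)
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def first_available(gateways: List[Gateway]) -> Optional[Gateway]:
    """First available gateway: evaluate in configured order, take the first that is up."""
    for gw in gateways:
        if gw.up:
            return gw
    return None  # profile is inactive: no gateway can process traffic


def best_quality(gateways: List[Gateway], criterion: str) -> Optional[Gateway]:
    """Best quality SLA: among healthy gateways, minimise one criterion
    ('latency_ms', 'jitter_ms' or 'loss_pct')."""
    healthy = [gw for gw in gateways if gw.up]
    if not healthy:
        return None
    return min(healthy, key=lambda gw: getattr(gw, criterion))


def custom_sla(gateways: List[Gateway], max_latency_ms: float,
               max_jitter_ms: float, max_loss_pct: float) -> Optional[Gateway]:
    """Custom SLA: first gateway (in configured order) that is up and meets all three
    maximum values; if none does, fall back to the First available gateway strategy."""
    for gw in gateways:
        if (gw.up and gw.latency_ms <= max_latency_ms
                and gw.jitter_ms <= max_jitter_ms and gw.loss_pct <= max_loss_pct):
            return gw
    return first_available(gateways)


class ProbeTargetSelector:
    """Sticky probe-target failover: keep probing the current target while it answers;
    when it stops answering, switch to the next target that does and stay there."""

    def __init__(self, targets: Iterable[str]):
        self.targets = list(targets)
        self.current = 0  # index of the target used for the health check

    def probe(self, responders: Iterable[str]) -> bool:
        """`responders` is the set of targets that would answer this round (constructed input).
        Returns True if the gateway counts as up after this round."""
        responders = set(responders)
        if self.targets[self.current] in responders:
            return True  # current target answered: do not look at the others
        # current target failed: try the remaining targets in order and stick to the first that answers
        for idx, target in enumerate(self.targets):
            if idx != self.current and target in responders:
                self.current = idx
                return True
        return False  # no target answered: gateway is removed from selection


# Constructed sample data: three gateways, one of which failed its health check.
SAMPLE_GATEWAYS = [
    Gateway("ISP-A", up=True, latency_ms=40.0, jitter_ms=5.0, loss_pct=0.5),
    Gateway("ISP-B", up=True, latency_ms=20.0, jitter_ms=2.0, loss_pct=0.0),
    Gateway("ISP-C", up=False, latency_ms=5.0, jitter_ms=1.0, loss_pct=0.0),
]


def selection_summary(gateways: List[Gateway]) -> dict:
    """Run each strategy over the sample gateways and report which gateway it picks."""
    pick = lambda gw: gw.name if gw else None
    return {
        "first_available": pick(first_available(gateways)),
        "best_latency": pick(best_quality(gateways, "latency_ms")),
        "custom_sla_30ms": pick(custom_sla(gateways, 30.0, 3.0, 1.0)),
        "custom_sla_10ms": pick(custom_sla(gateways, 10.0, 3.0, 1.0)),  # nobody meets it: fallback
    }


if __name__ == "__main__":
    print(selection_summary(SAMPLE_GATEWAYS))
```

Note that ISP-C has the best metrics but failed its health check, so no strategy selects it until a probe target behind it responds again; and with the 10 ms Custom SLA no healthy gateway qualifies, so the selection falls back to the first available gateway rather than to the lowest-latency one.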
SD-WAN profile actions and status
The web admin console lists all the configured SD-WAN profiles on Routing > SD-WAN profiles.
You can see the following details for each SD-WAN profile:
Name: Shows the name of the profile along with its status, which can be as follows:
- Active: The profile is active and at least one gateway is available to process traffic.
- Inactive: The profile is inactive and no gateways are available to process traffic.
Gateway: Lists the gateways added to the profile.
Health check: Indicates if you've turned the health check on or off.
Status: You can do the following:
- To monitor the real-time performance of the gateways, click Historical performance. See SD-WAN performance.
- To see a summary of the configured settings, click Link status.
Manage: You can do the following:
- To edit a profile, click Edit.
- To delete a profile, click Delete.
Define an SD-WAN routing strategy for your network
To define an SD-WAN routing strategy for your network, you must do as follows: