Routes enable Sophos Firewall to forward traffic based on the criteria you specify.
You can configure SD-WAN, static, and dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.
Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.
To see the route precedence, do as follows:
CLI: Enter 4 for Device console, and enter the following command:
system route_precedence show
Web admin console: Go to Routing > SD-WAN routes.
The protocol, network, and route details are shown in the following table:
|Static routes include the following: |
VPN routes (only policy-based IPsec VPNs)
|Set the routing precedence on the command-line interface. |
|Default route (WAN link manager)||Fallback route if traffic doesn't match any configured route.|
See also Route precedence in migrated routes.
Routing SSL VPN traffic
SSL VPN traffic belongs to static routes. Suppose you've configured an SSL VPN policy and an SD-WAN route with the destination set to your local network.
If the route precedence is set to SD-WAN routes, followed by static routes and VPN routes, the firewall first tries to match the SD-WAN route. If it finds a matching route, remote users access the network using this route. The firewall implements the SSL VPN policy if it doesn't find a matching SD-WAN route.
However, if you want users to access the destination using SSL VPN irrespective of a matching SD-WAN route, you must set static routes before SD-WAN routes in the route precedence. Enter the following command:
system route_precedence set static sdwan_policyroute vpn
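The effect of the precedence order on the SSL VPN scenario above, shown as an added example that models the lookup in simplified form (it is not Sophos code). The route tables, addresses, path labels, and the first-match rule inside a category are assumptions made for illustration; only the three category names come from the command above.

```python
import ipaddress

# Category names as used by "system route_precedence set".
CATEGORIES = {"static", "sdwan_policyroute", "vpn"}

# Constructed sample routes (assumption): the SSL VPN policy and the SD-WAN
# route both cover the same local network, as in the scenario above.
ROUTES = {
    "static": [("192.168.10.0/24", "SSL VPN policy")],
    "sdwan_policyroute": [("192.168.10.0/24", "SD-WAN route")],
    "vpn": [("172.16.50.0/24", "policy-based IPsec tunnel")],
}
DEFAULT_ROUTE = ("default", "default route (WAN link manager)")


def resolve(dest, precedence, routes=ROUTES):
    """Return (category, path) from the first category, in precedence
    order, that holds a route matching dest; else the default route."""
    if set(precedence) != CATEGORIES or len(precedence) != len(CATEGORIES):
        raise ValueError("precedence must list static, sdwan_policyroute, vpn once each")
    addr = ipaddress.ip_address(dest)
    for category in precedence:
        # Simplification (assumption): first match in list order wins.
        for network, path in routes.get(category, []):
            if addr in ipaddress.ip_network(network):
                return category, path
    return DEFAULT_ROUTE


def compare(dest):
    """Resolve dest under the SD-WAN-first order and the static-first order."""
    sdwan_first = ["sdwan_policyroute", "static", "vpn"]
    static_first = ["static", "sdwan_policyroute", "vpn"]
    return resolve(dest, sdwan_first), resolve(dest, static_first)


if __name__ == "__main__":
    for dest in ("192.168.10.25", "172.16.50.7", "203.0.113.9"):
        sdwan_first, static_first = compare(dest)
        print(f"{dest}: SD-WAN first -> {sdwan_first[1]}; static first -> {static_first[1]}")
```

Only the destination covered by both an SD-WAN route and the SSL VPN policy changes path when the order changes, which is the case to check after editing the precedence.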