Last update: 2022-06-03


Routes enable Sophos Firewall to forward traffic based on the criteria you specify.

You can configure SD-WAN, static, and dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.

To see the route precedence, do as follows:

  • CLI: Enter 4 for Device console, and enter the following command:

    system route_precedence show

  • Web admin console: Go to Routing > SD-WAN routes.

    Route precedence

The protocol, network, and route details are shown in the following table:

Routes:
  • Static routes include the following:
      • Directly connected networks
      • Dynamic routing protocols
      • Unicast routes
      • SSL VPN connections
  • SD-WAN routes
  • VPN routes (only policy-based IPsec VPNs)
Routing precedence: Set the routing precedence on the command-line interface.
Example: system route_precedence set static sdwan_policyroute vpn

Routes: Default route (WAN link manager)
Routing precedence: Fallback route if traffic doesn't match any configured route.

See also Route precedence in migrated routes.

Routing SSL VPN traffic

SSL VPN traffic belongs to static routes. Suppose you've configured an SSL VPN policy and an SD-WAN route with the destination set to your local network.

If the route precedence is set to SD-WAN routes, followed by static routes and VPN routes, the firewall first tries to match the SD-WAN route. If it finds a matching route, remote users access the network using this route. The firewall implements the SSL VPN policy if it doesn't find a matching SD-WAN route.

However, if you want users to access the destination using SSL VPN irrespective of a matching SD-WAN route, you must set static routes before SD-WAN routes in the route precedence. Enter the following command:

system route_precedence set static sdwan_policyroute vpn
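
The following added example (not Sophos code) is a simplified model of the precedence-ordered lookup described above, plus a check that flags static routes, such as SSL VPN, that an SD-WAN route would override. It assumes destination-only matching; the route names, networks, and the `resolve` and `shadowed_static` helpers are hypothetical.

```python
import ipaddress

# Route classes use the keywords accepted by `system route_precedence set`.
STATIC_FIRST = ["static", "sdwan_policyroute", "vpn"]   # default order
SDWAN_FIRST = ["sdwan_policyroute", "static", "vpn"]

# Constructed sample routes, not taken from a real device.
# SSL VPN is modeled as a static route, as the page states.
ROUTES = [
    {"cls": "static", "name": "ssl_vpn_policy", "dst": "192.168.10.0/24"},
    {"cls": "sdwan_policyroute", "name": "sdwan_to_lan", "dst": "192.168.10.0/24"},
    {"cls": "vpn", "name": "ipsec_branch", "dst": "10.20.0.0/16"},
]


def resolve(precedence, routes, dst_ip):
    """Return (class, name) of the first matching route, trying classes in precedence order."""
    ip = ipaddress.ip_address(dst_ip)
    for cls in precedence:
        for route in routes:
            if route["cls"] == cls and ip in ipaddress.ip_network(route["dst"]):
                return cls, route["name"]
    # No configured route matched: fall back to the default route (WAN link manager).
    return "default", "wan_link_manager"


def shadowed_static(precedence, routes):
    """Return (static, sdwan) name pairs where the SD-WAN route wins because it is tried first."""
    if precedence.index("static") < precedence.index("sdwan_policyroute"):
        return []  # static routes are evaluated first, nothing is overridden
    static = [r for r in routes if r["cls"] == "static"]
    sdwan = [r for r in routes if r["cls"] == "sdwan_policyroute"]
    return [
        (s["name"], p["name"])
        for s in static
        for p in sdwan
        if ipaddress.ip_network(s["dst"]).overlaps(ipaddress.ip_network(p["dst"]))
    ]


if __name__ == "__main__":
    for order in (SDWAN_FIRST, STATIC_FIRST):
        print(order, resolve(order, ROUTES, "192.168.10.5"), shadowed_static(order, ROUTES))
```
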
