Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=PolicyRoutingManage

Managing SD-WAN routes

You can configure SD-WAN routes to dynamically route traffic through multiple gateways based on performance SLAs.

You can create IPv4 and IPv6 SD-WAN routes. You can optimize your WAN infrastructure, including MPLS, internet, LTE, and IPsec tunnel (XFRM) interfaces, routing outbound traffic based on users, groups, application objects, and network criteria, such as the incoming interface, source and destination networks, and services.

See User and application-based SD-WAN routes.

Zero-impact failover

Sophos Firewall delivers zero-impact failover, rerouting connections seamlessly based on the SD-WAN profile you select in an SD-WAN route. SD-WAN profiles allow you to assign up to eight gateways, configure SLAs for latency, jitter, and packet loss, and configure health check targets.

SD-WAN reroutes connections to the next available gateway seamlessly. Suppose the gateway currently processing traffic goes down or doesn't meet the SLA any longer. The firewall seamlessly reroutes traffic to the next available gateway without any disconnection or impact to service. See SD-WAN profiles.

The firewall reroutes traffic under the following conditions:

  • A gateway becomes unavailable or doesn't meet the SLA.
  • The primary gateway or a high-priority gateway becomes available.
  • If you edit the SD-WAN route or SD-WAN profile.
  • If the route precedence changes.

Actions

You can do the following to configure and manage SD-WAN routes:

  • To change the sequence of an SD-WAN route, drag and drop the route. Sophos Firewall evaluates routes in the order shown until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
  • Click More options More options button. for the following actions:
    • To turn on or turn off a route, use the On or Off switch.
    • To edit a route, click Edit Edit button..
    • To clone a route, click Clone route at the bottom.
    • To reset the data transfer count, click Reset data transfer count.
    • To delete a route, click Delete.

SDWAN route actions and status.

Gateway status

Hover over the route's icon under Active to see the gateway status.

If you've selected SD-WAN profiles, the gateway statuses can be one of the following:

  • In use
  • Available
  • Unavailable
  • In use, but SLA isn't met
  • Available and SLA isn't met

If you've selected primary and backup gateways, the gateway statuses can be one of the following:

Icon showing gateway is active. One of the gateways is up, and the route is live.

Icon showing gateway is down. The gateway is down, and the route isn't live. Route only through specified gateways is off.

Icon showing gateway is down and override gateway monitoring is turned on. The gateway is down, and the route isn't live. Route only through specified gateways is on.

If the gateways you configure in the SD-WAN profile or the SD-WAN route aren't available, Sophos Firewall evaluates other SD-WAN routes. If it doesn't find another matching route, it applies the default route (WAN link load balancing), which load-balances traffic among the active WAN links. To see the active WAN links, go to Network > WAN link manager.

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.

You can see the route precedence on Routing > SD-WAN routes.

Route precedence.

See Routes and route precedence on Sophos Firewall.

How to see SD-WAN logs

SD-WAN logs show the health-check status and route changes triggered due to the health checks. SD-WAN logs include logs specific to an SD-WAN route, SD-WAN profile, and SD-WAN SLA.

To turn on SD-WAN logs, do as follows:

  1. Go to System services > Log settings.
  2. Select SD-WAN to turn on logs for the following:
    • SD-WAN profile
    • SD-WAN SLA
    • SD-WAN route

To see the SD-WAN logs, do as follows:

  1. Click Log viewer in the upper-right corner.

  2. Select SD-WAN in the module list.

    SD-WAN module.

To see the SD-WAN profile and route logs in the firewall logs, do as follows:

  1. Select Firewall in the module list.

  2. Click the expand button next to the list.

    SD-WAN log selection.

  3. Select the SD-WAN logs you want.

  4. Click Apply.

    SD-WAN log selection.