
SD-WAN profiles

You can use SD-WAN profiles to define an SD-WAN routing strategy across multiple gateways in your SD-WAN network. With two or more gateways configured in your network, you can use an SD-WAN profile to route traffic based on the availability or performance of the gateways. This approach optimizes the performance of your SD-WAN network and helps ensure continuity in the event of an ISP disruption.

When configuring an SD-WAN profile, you add the configured gateways to the SD-WAN profile and list them in the order you want the firewall to evaluate them. If you want to route traffic based on the availability of the gateways, select the First available gateway routing strategy. The firewall performs a health check on all the added gateways in the order you listed and selects the first available gateway.

Service Level Agreement (SLA)

If you select the SLA routing strategy, Sophos Firewall routes traffic based on the performance of the gateways using the specified SLA. An SLA includes the performance monitoring criteria. The firewall performs a health check and selects the best-performing gateway based on the criteria defined in the SLA. You can use one of the following SLAs:

  • Best quality: Selects the best-performing gateway based on the single performance monitoring criterion you select (one of latency, jitter, or packet loss). For example, if you select latency as the performance monitoring criterion, the firewall selects the gateway with the lowest latency. You can use this SLA for non-critical traffic.
  • Custom SLA: Selects the best-performing gateway based on the maximum acceptable values you define for latency, jitter, and packet loss.

With the Best quality SLA, the firewall only looks for the best-performing gateway based on one criterion. Custom SLA ensures that the firewall selects the gateway that meets the specified performance levels for all performance criteria.

The firewall routes traffic through the first available gateway that meets the SLA. If no gateway meets the SLA, it uses the default routing strategy (First available gateway).

Failback to the original gateway

When you're using the Best quality SLA and the gateway serving traffic goes down, the firewall reroutes traffic to the next available gateway. When the first gateway is available again, traffic fails back to it only if the first gateway performs better than the gateway in use by at least the following margin:

SLA criterion    Margin    Example of when failback occurs
Latency          10 ms     Live gateway: 25 ms. First gateway: 15 ms.
Jitter           5 ms      Live gateway: 12 ms. First gateway: 7 ms.

The margin prevents the firewall from rerouting traffic back and forth between gateways every time the measured value of the selected criterion fluctuates slightly.

There's no margin for packet loss. The firewall reroutes to a gateway with a better packet loss percentage.
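The following Python model is an added illustration of the three routing strategies and the Best quality failback margin described above. It is not Sophos code: the gateway names, the measurements in the snapshots and the health-check results are constructed sample data, and the tie-break and the application of the margin to any switch away from a healthy live gateway are assumptions noted in the comments.

```python
"""Model of SD-WAN gateway selection and Best quality failback.

Added illustration, not Sophos code: gateway names, measurements and
health-check results below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# Failback margins stated in the documentation: 10 ms latency, 5 ms jitter,
# and no margin for packet loss (any better loss percentage triggers failback).
FAILBACK_MARGIN = {"latency": 10.0, "jitter": 5.0, "packet_loss": 0.0}


@dataclass
class Gateway:
    name: str
    up: bool            # passed the health check in this cycle
    latency: float      # ms
    jitter: float       # ms
    packet_loss: float  # percent

    def metric(self, criterion: str) -> float:
        return getattr(self, criterion)


def first_available(gateways: List[Gateway]) -> Optional[Gateway]:
    """First available gateway: the first healthy gateway in configured order."""
    return next((gw for gw in gateways if gw.up), None)


def best_quality(gateways: List[Gateway], criterion: str) -> Optional[Gateway]:
    """Best quality SLA: the healthy gateway with the lowest value of ONE criterion.
    min() keeps the first of equal values, so ties go to the earlier gateway in
    the list (assumption: the page doesn't state the tie-break)."""
    healthy = [gw for gw in gateways if gw.up]
    return min(healthy, key=lambda gw: gw.metric(criterion)) if healthy else None


def custom_sla(gateways: List[Gateway], max_latency: float, max_jitter: float,
               max_loss: float) -> Optional[Gateway]:
    """Custom SLA: the first healthy gateway in configured order that meets ALL
    three maximum values; if none does, fall back to First available gateway."""
    for gw in gateways:
        meets = (gw.latency <= max_latency and gw.jitter <= max_jitter
                 and gw.packet_loss <= max_loss)
        if gw.up and meets:
            return gw
    return first_available(gateways)


def should_fail_back(criterion: str, live: Gateway, candidate: Gateway) -> bool:
    """Failback hysteresis: move from the live gateway to the candidate only when
    the candidate is healthy and beats the live gateway by at least the margin
    (exactly the margin is enough, as in the page's examples). Packet loss has
    no margin, so any strictly better percentage is enough."""
    if not candidate.up:
        return False
    improvement = live.metric(criterion) - candidate.metric(criterion)
    margin = FAILBACK_MARGIN[criterion]
    return improvement > 0 if margin == 0 else improvement >= margin


def simulate_best_quality(snapshots: List[List[Gateway]], criterion: str) -> List[Optional[str]]:
    """Replay health-check snapshots and return the serving gateway after each one.
    Assumption: the margin the page describes for failing back to the original
    gateway is applied here to any switch away from a healthy live gateway,
    which is the anti-flapping intent the page states."""
    serving: Optional[str] = None
    history: List[Optional[str]] = []
    for snap in snapshots:
        live = next((gw for gw in snap if gw.name == serving), None)
        best = best_quality(snap, criterion)
        if live is None or not live.up:
            pick = best                       # nothing serving yet, or it failed the health check
        elif best is not None and best is not live and should_fail_back(criterion, live, best):
            pick = best                       # candidate clears the margin: fail back
        else:
            pick = live                       # inside the margin: stay put
        serving = pick.name if pick else None
        history.append(serving)
    return history


# Constructed scenario (latency in ms): A starts best, fails, returns only 5 ms
# better than B (inside the 10 ms margin), then 10 ms better (margin reached).
SCENARIO = [
    [Gateway("A", True, 15, 2, 0), Gateway("B", True, 25, 3, 0)],    # A wins
    [Gateway("A", False, 0, 0, 100), Gateway("B", True, 25, 3, 0)],  # A down: B
    [Gateway("A", True, 20, 2, 0), Gateway("B", True, 25, 3, 0)],    # stay on B
    [Gateway("A", True, 15, 2, 0), Gateway("B", True, 25, 3, 0)],    # fail back to A
]

if __name__ == "__main__":
    print(simulate_best_quality(SCENARIO, "latency"))
```

Running the scenario shows the hysteresis at work: traffic stays on B in the third snapshot even though A is healthy and faster, and only returns to A once the 10 ms latency margin is reached. Swap the criterion for "packet_loss" to see that no margin applies there.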

Health check

Sophos Firewall uses a health check mechanism to monitor the health status of the configured gateways. Apart from the status of the gateways, the health check measures the latency, jitter, and packet loss across the gateways.

The firewall sends requests to host IP addresses (or probe targets) behind the gateways. It considers a gateway active if the hosts respond to the health check probes. You can select a protocol, such as ping or TCP, to perform the health check. If a gateway fails the health check, it's removed from the selection algorithm, and the firewall reroutes traffic through the next available gateway (First available gateway strategy) or the next available gateway that meets the SLA (SLA strategy). When the gateway passes the health check again, it's added back to the selection algorithm.

If you add two probe targets, the firewall probes the first target. If the first target doesn't respond, it probes the second target and continues to use this target for the health check as long as it responds. The firewall doesn't probe the first target even if it's ready to respond until the second target stops responding.
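The probe-target behaviour above is easy to get wrong when reasoning about an outage, so here is an added Python model of it. This is not Sophos code: the target names and the set of hosts that answer in each cycle are constructed stand-ins for real ping or TCP probes, and extending the two-target rule to a longer list is an assumption noted in the class docstring.

```python
"""Probe-target fallback for an SD-WAN gateway health check.

Added illustration of the documented rule, not Sophos code. Target names and
per-cycle responses are constructed sample data standing in for real probes.
"""
from typing import Iterable, List, Optional, Tuple


class ProbeTargets:
    """Health check for one gateway with an ordered list of probe targets.

    Documented behaviour for two targets: probe the first target; if it fails,
    probe the second and keep using the second while it answers; the first is
    probed again only after the second stops answering. Assumption: the same
    rule is applied to N targets by walking the rest of the list in configured
    order whenever the target in use fails.
    """

    def __init__(self, targets: List[str]):
        self.targets = list(targets)
        self.in_use = 0  # index of the target currently used for the health check

    def check(self, answering: Iterable[str]) -> Tuple[bool, Optional[str]]:
        """Run one health-check cycle. Returns (gateway_up, target_used)."""
        answering = set(answering)
        order = [self.in_use] + [i for i in range(len(self.targets)) if i != self.in_use]
        for i in order:
            if self.targets[i] in answering:
                self.in_use = i              # stick to whichever target answered
                return True, self.targets[i]
        return False, None                   # nothing answered: gateway leaves the selection


def replay(targets: List[str], cycles: List[Iterable[str]]) -> List[Tuple[bool, Optional[str]]]:
    """Run a sequence of cycles against a fresh ProbeTargets instance."""
    hc = ProbeTargets(targets)
    return [hc.check(c) for c in cycles]


# Constructed cycles for targets T1 and T2: which hosts answer in each cycle.
CYCLES = [
    {"T1", "T2"},   # T1 answers: used
    {"T2"},         # T1 silent: fall over to T2
    {"T1", "T2"},   # T1 is back, but T2 still answers: stay on T2
    {"T1"},         # T2 silent: only now is T1 probed again
    set(),          # nothing answers: gateway marked down
]

if __name__ == "__main__":
    for up, target in replay(["T1", "T2"], CYCLES):
        print(up, target)
```

The third cycle is the one to notice: the first target is answering again, but the firewall keeps probing the second target, so a gateway whose second probe target is healthy will not flip back to the first target on its own.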

SD-WAN profile actions and status

The web admin console lists all the configured SD-WAN profiles on Routing > SD-WAN profiles.

You can see the following details for each SD-WAN profile:

Name: Shows the name of the profile along with its status, which can be as follows:

Active: At least one gateway is available to process traffic.

Inactive (down): No gateways are available to process traffic.

Gateway: Lists the gateways added to the profile.

Health check: Indicates if you've turned the health check on or off.

Status: You can do the following:

  • To monitor the real-time performance of the gateways, click Historical performance. See SD-WAN performance.
  • To see a summary of the configured settings, click Link status.

Manage: You can do the following:

  • To edit a profile, click Edit.
  • To delete a profile, click Delete.

Define an SD-WAN routing strategy for your network

To define an SD-WAN routing strategy for your network, you must do as follows:

  1. Add two or more gateways. See Add a gateway.
  2. Add an SD-WAN profile. See Add an SD-WAN profile.
  3. Add an SD-WAN route. See Add an SD-WAN route.

    Select the SD-WAN profile you created when you're adding an SD-WAN route.