Routes enable Sophos Firewall to forward traffic based on the criteria you specify.
You can configure SD-WAN, static, dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.
Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.
To see the route precedence, do as follows:
CLI: Enter 4 for Device console, and enter the following command:
system route_precedence show
Web admin console: Go to Routing > SD-WAN routes.
The protocol, network, and route details are shown in the following table:
Set the routing precedence on the command-line interface.
|WAN link manager (default route)
|Fallback route if traffic doesn't match any configured route.
See also Route precedence in migrated routes.
Route precedence and VPN traffic
SSL VPN traffic
SSL VPN traffic belongs to static routes. Suppose you've configured an SSL VPN policy and an SD-WAN route with the destination set to your local network
If the route precedence is set to SD-WAN routes, followed by static routes and VPN routes, the firewall first tries to match the SD-WAN route. If it finds a matching route, remote users access the network using this route. The firewall implements the SSL VPN policy if it doesn't find a matching SD-WAN route.
However, if you want users to access the destination using SSL VPN irrespective of a matching SD-WAN route, you must set static route before SD-WAN route. Enter the following command:
system route_precedence set static sdwan_policyroute vpn
IPSec VPN traffic
system route_precedence command only prioritizes VPN routes over static routes for traffic to the WAN zone. If a static or local route sends traffic to a zone other than WAN, the firewall will route traffic using that static route and not the VPN. To route this traffic to the VPN, use the
ipsec_route command for policy-based VPNs with traffic selectors.
Here's an example:
system ipsec_route add net 192.168.1.0/255.255.255.0 tunnelname <tunnelname>
Pressing Tab twice after
tunnelname will show a list of available tunnels.