
Use SD-WAN routes for WAF

You can use SD-WAN routes to route traffic to a web server protected by web server protection (WAF) in a remote network.

Scenario

This example is based on the following deployment:

  • A website protected by WAF is published on Port1 (WAN) over TCP port 8080.
  • Sophos Firewall and the remote firewall are connected through route-based IPsec VPN.
  • The web server behind the remote firewall can be reached through the gw6 gateway.

Network diagram

WAF SD-WAN route network diagram.

Requirements

Make sure you have the following configurations:

Configure gateway object

You must configure a gateway object for the gateway where the remote web server can be reached. To configure a gateway object, do as follows:

  1. Go to Routing > Gateways.
  2. Under IPv4 gateway, click Add.
  3. Enter a name. This example uses gw6.
  4. Under Gateway IP, enter the remote gateway's IP address. This example uses 10.12.13.2.
  5. Under Interface, select the interface of the gateway. This example uses xfrm1-10.12.13.1.
  6. Under Monitoring condition, enter the IP address of a host device behind the gateway. This example uses 10.12.13.2.

For more information, see Add a gateway.

WAF SD-WAN route gateway.

Configure SD-WAN route

To configure an SD-WAN route, do as follows:

  1. Go to Routing > SD-WAN routes.
  2. Select IPv4 and click Add.
  3. Enter a name. This example uses SD-WAN WAF.
  4. Under Destination networks, remove Any and select the WAN interface on which the web server can be reached. This example uses #Port1.
  5. Under Services, remove Any and select the service object for the port on which the web server can be reached. This example uses TCP 8080.

    If the web server's external TCP port is different from the internal TCP port, you must use the external TCP port in the SD-WAN route.

    WAF SD-WAN route traffic selector.

  6. Under Link selection settings, select Primary and Backup gateways.

  7. Under Primary gateway, select the gateway on which the web server can be reached. This example uses gw6.

    WAF SD-WAN route link selection.

  8. Click Save.

Route to multiple web servers

To route traffic to multiple web servers, you can do as follows:

  • Use the same SD-WAN route if the servers use the same gateway but different TCP ports or WAN IP addresses. Add these ports to the SD-WAN route's services and WAN IP addresses to the destination networks.
  • Use different SD-WAN routes if the servers use different gateways.
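Added example (not from the Sophos documentation): a small Python model of the traffic selector and link selection described in the SD-WAN route steps above, which also covers the multiple-server case in this section by allowing several destination interfaces and services per route. The route, gateway and interface names are taken from this page; the matching order and the behaviour when no gateway is healthy are assumptions of the model, not Sophos Firewall's documented behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Gateway:
    name: str
    ip: str
    interface: str
    monitor_up: bool = True   # outcome of the gateway's monitoring condition probe


@dataclass
class SDWANRoute:
    name: str
    destination_interfaces: Set[str]        # WAN interfaces the site is published on
    services: Set[Tuple[str, int]]          # (protocol, EXTERNAL port) pairs
    primary: Gateway
    backup: Optional[Gateway] = None


def select_gateway(routes: List[SDWANRoute], dst_interface: str,
                   proto: str, dst_port: int) -> Optional[Gateway]:
    """Pick the gateway for a request that arrived on dst_interface/proto/dst_port.

    Model of the page's traffic selector: a route matches on the WAN interface
    and the external TCP port; link selection then prefers the primary gateway
    and falls back to the backup when the primary's monitor is down.
    """
    for route in routes:
        if dst_interface not in route.destination_interfaces:
            continue
        if (proto, dst_port) not in route.services:
            continue
        if route.primary.monitor_up:
            return route.primary
        if route.backup is not None and route.backup.monitor_up:
            return route.backup
        return None  # matched, but no healthy gateway (assumed behaviour of this model)
    return None      # no SD-WAN route matched


def example_routes(gw6_up: bool = True) -> List[SDWANRoute]:
    """Build the page's scenario: website on Port1 TCP 8080, backend reached via gw6."""
    gw6 = Gateway("gw6", "10.12.13.2", "xfrm1-10.12.13.1", monitor_up=gw6_up)
    # Services carry the published (external) port 8080, not the backend's internal port.
    waf_route = SDWANRoute("SD-WAN WAF", {"Port1"}, {("tcp", 8080)}, primary=gw6)
    return [waf_route]
```

Querying the model with the backend's internal port instead of the published port returns no route, which is the mismatch the note under step 5 warns about.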