
SD-WAN profiles

You can use SD-WAN profiles to define an SD-WAN routing strategy across multiple gateways in your SD-WAN network. With two or more gateways configured in your network, you can use an SD-WAN profile to route traffic based on the availability or performance of the gateways. This approach optimizes the performance of your SD-WAN network and helps ensure continuity in the event of an ISP disruption.

Routing strategies

When configuring an SD-WAN profile, you add the configured gateways to the SD-WAN profile and list them in the order you want the firewall to evaluate them. The firewall uses a routing strategy to select a gateway. You can select First available gateway or Load balancing.

First available gateway

If you want to route traffic based on the availability of the gateways, select the First available gateway routing strategy. The firewall performs a health check on all the added gateways in the order you listed and selects the first available gateway.

Load balancing

You can select the Load balancing routing strategy to load-balance traffic among all the added gateways or all the gateways that meet the SLA if you turn on Service Level Agreement (SLA) for the profile. You must then select a load-balancing method:

  • Round-robin: The firewall load balances traffic among all gateways in the listed order. For example, if you have three gateways, the firewall sends the first request to the first gateway, the second request to the second gateway, the third request to the third gateway, and the fourth request again to the first gateway.
  • Session persistence type: Session persistence allows you to maintain the same gateway for the duration of a session. The firewall routes traffic through the same gateway based on either the source IP address, destination IP address, source and destination IP addresses, or connection for a single session. This is useful for session-critical applications, such as banking and shopping carts.

Gateway weights

You can assign weights to gateways to specify a distribution ratio for load-balancing traffic. The firewall distributes traffic to a gateway based on the weight you specify. Assign a weight to a gateway based on its capacity and resources. For example, if you have two gateways and you specify the weight as 3 for the first one and 1 for the second one, the firewall routes three out of four requests to the first gateway and one request to the second gateway.
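The round-robin, weighted and session-persistence behaviour described above, as an added example that is not Sophos code: gateway names and weights are constructed from the page's 3:1 example, and the hash used for session persistence is an assumption, not the firewall's actual method.

```python
import hashlib

# Profile gateway list in evaluation order, with weights from the page's
# example (3 for the first gateway, 1 for the second). Names are constructed.
GATEWAYS = [("WAN1", 3), ("WAN2", 1)]


def weighted_ring(gateways):
    """Expand gateways by weight, keeping the listed order, so that a plain
    round-robin walk over the ring yields the weight ratio (3:1 -> 3 of 4)."""
    return [name for name, weight in gateways for _ in range(weight)]


class RoundRobin:
    """Round-robin load balancing across the weighted ring: the first request
    goes to the first entry, the next to the second, wrapping at the end."""

    def __init__(self, gateways):
        self._ring = weighted_ring(gateways)
        self._pos = 0

    def next_gateway(self):
        name = self._ring[self._pos % len(self._ring)]
        self._pos += 1
        return name


def persistent_gateway(gateways, src_ip, dst_ip, persistence="source"):
    """Session persistence: the same key always maps to the same gateway, so a
    session (for example a shopping cart) keeps one egress path. The key is
    the source IP, the destination IP, or both, as selected in the profile;
    hashing onto the weighted ring keeps the weight ratio across many keys.
    (Hash choice is an assumption for this example.)"""
    if persistence == "source":
        key = src_ip
    elif persistence == "destination":
        key = dst_ip
    elif persistence == "source_destination":
        key = f"{src_ip}->{dst_ip}"
    else:
        raise ValueError(f"unknown persistence type: {persistence}")
    ring = weighted_ring(gateways)
    digest = hashlib.sha256(key.encode()).digest()
    return ring[int.from_bytes(digest[:4], "big") % len(ring)]
```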

Service Level Agreement

Turn on Service Level Agreement (SLA) to route traffic based on the performance of the gateways. An SLA includes the performance monitoring criteria. The firewall performs a health check and selects the best-performing gateway based on the criteria defined in the SLA. You can use one of the following SLAs:

  • Best quality: Selects the best-performing gateway based on the performance monitoring criteria you select (either latency, jitter, or packet loss). For example, if you select latency as the performance monitoring criteria, the firewall selects the gateway with the minimum latency. You can use this SLA for non-critical traffic. If you've selected the Load balancing routing strategy, the firewall load-balances only if two or more gateways are the best-performing gateways.

  • Custom SLA: Selects the best-performing gateway based on the maximum acceptable values you define for latency, jitter, and packet loss. If you've selected the Load balancing routing strategy, the firewall load-balances traffic among all the gateways that meet the SLA.

With the Best quality SLA, the firewall only looks for the best-performing gateway based on one criterion. Custom SLA ensures that the firewall selects the gateway that meets the specified performance levels for all performance criteria.

The firewall routes traffic through the first available gateway that meets the SLA. If no gateway meets the SLA, it uses the selected routing strategy (First available gateway or Load balancing).
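Gateway selection under the two SLA types and the fallback when no gateway meets the SLA, as an added example that is not Sophos code. Gateway names, health-check values and thresholds are constructed assumptions.

```python
# Constructed health-check results per gateway (latency and jitter in ms,
# packet loss in percent), keyed by gateway name in the profile's listed
# order. Names and values are assumptions for this example.
ORDER = ["WAN1", "WAN2", "WAN3", "WAN4"]
MEASUREMENTS = {
    "WAN1": {"up": True,  "latency": 40, "jitter": 6, "packet_loss": 0.0},
    "WAN2": {"up": True,  "latency": 25, "jitter": 9, "packet_loss": 1.0},
    "WAN3": {"up": True,  "latency": 25, "jitter": 3, "packet_loss": 0.5},
    "WAN4": {"up": False, "latency": 10, "jitter": 1, "packet_loss": 0.0},
}


def live(order, m):
    """Gateways that passed the health check, in listed order; a down gateway
    is out of the selection algorithm even if its last numbers look best."""
    return [g for g in order if m[g]["up"]]


def best_quality(order, m, criterion):
    """Best quality SLA: rank on ONE criterion (lower is better for latency,
    jitter and packet loss). Every gateway tied at the best value is returned,
    because load balancing only applies when two or more share first place."""
    pool = live(order, m)
    if not pool:
        return []
    best = min(m[g][criterion] for g in pool)
    return [g for g in pool if m[g][criterion] == best]


def custom_sla(order, m, max_latency, max_jitter, max_loss):
    """Custom SLA: a gateway qualifies only if it is within ALL three maxima."""
    return [g for g in live(order, m)
            if m[g]["latency"] <= max_latency
            and m[g]["jitter"] <= max_jitter
            and m[g]["packet_loss"] <= max_loss]


def select(order, m, meets_sla, strategy="first_available"):
    """Apply the routing strategy to the gateways that meet the SLA. If none
    does, fall back to the strategy over all live gateways, as the page says.
    Returns the list traffic may use: one gateway for first-available, the
    whole pool for load balancing."""
    pool = meets_sla or live(order, m)
    return pool[:1] if strategy == "first_available" else pool
```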

Failback to the original gateway

When you're using the Best quality SLA and the gateway serving traffic goes down, the firewall reroutes traffic to the next available gateway. When the first gateway is available again, traffic fails back to it only if the first gateway performs better than the gateway in use by the following margin:

| SLA criteria | Margin | When failback occurs (examples) |
| --- | --- | --- |
| Latency | 10 ms | Live gateway: 25 ms; first gateway: 15 ms |
| Jitter | 5 ms | Live gateway: 12 ms; first gateway: 7 ms |

This margin ensures that the firewall doesn't reroute traffic among gateways too often when the selected performance monitoring criteria vary widely between health checks.

There's no margin for packet loss. The firewall reroutes to a gateway with a better packet loss percentage.
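The failback decision with the margins from the table above, as an added example that is not Sophos code; the measurement samples are constructed, and only the failback direction the page describes is modelled.

```python
# Failback margins from the page: latency 10 ms, jitter 5 ms, and no margin
# for packet loss (any better loss percentage wins).
FAILBACK_MARGIN_MS = {"latency": 10, "jitter": 5}


def should_fail_back(criterion, first_gateway, live_gateway):
    """True when traffic should return to the first (preferred) gateway.
    Lower is better for all three criteria, so the first gateway must beat the
    live one by at least the margin for the monitored criterion."""
    improvement = live_gateway - first_gateway
    if criterion == "packet_loss":
        return improvement > 0
    return improvement >= FAILBACK_MARGIN_MS[criterion]


def failback_trail(criterion, samples):
    """Replay a series of (first_gateway, live_gateway) health-check samples
    taken after the first gateway came back up, starting with traffic on the
    live gateway, and record which gateway carries traffic after each sample.
    Only the failback direction described on the page is modelled."""
    serving = "live"
    trail = []
    for first_val, live_val in samples:
        if serving == "live" and should_fail_back(criterion, first_val, live_val):
            serving = "first"
        trail.append(serving)
    return trail


if __name__ == "__main__":
    # Constructed latency samples: the first gateway recovers gradually; the
    # 7 ms and 8 ms advantages are ignored, only the full 10 ms triggers failback.
    print(failback_trail("latency", [(18, 25), (17, 25), (15, 25)]))
```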

Health check

Sophos Firewall uses a health check mechanism to monitor the health status of the configured gateways. Apart from the status of the gateways, the health check measures the latency, jitter, and packet loss across the gateways.

The firewall sends requests to host IP addresses (or probe targets) behind the gateways. It considers a gateway active if its hosts respond to health check probes. You can select a protocol, such as ping or TCP, to perform the health check. If a gateway fails the health check, it's removed from the selection algorithm. The firewall then reroutes traffic through the next available gateway or, if you've turned on SLA, the next available gateway that meets the SLA. When the gateway passes the health check again, it's added back to the selection algorithm.

If you add two probe targets, the firewall probes the first target. If the first target doesn't respond, it probes the second target and continues to use this target for the health check as long as it responds. The firewall doesn't probe the first target even if it's ready to respond until the second target stops responding.
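The two-probe-target behaviour and the removal of failed gateways from selection, as an added example that is not Sophos code. The probe is a test double answering from a constructed reachability table; target addresses are constructed.

```python
class GatewayHealthCheck:
    """Probe-target selection for one gateway. The firewall probes the first
    target; if it stops answering, it moves to the second target and keeps
    using it for as long as it answers, probing the first again only once the
    second stops responding. Target addresses here are constructed."""

    def __init__(self, targets):
        if not 1 <= len(targets) <= 2:
            raise ValueError("a gateway takes one or two probe targets")
        self.targets = list(targets)
        self.active = 0  # index of the target currently used for probing

    def check(self, probe):
        """probe(target) -> True if the target answered (ping or TCP probe).
        Returns (gateway_is_up, target_that_answered)."""
        if probe(self.targets[self.active]):
            return True, self.targets[self.active]
        other = 1 - self.active
        if other < len(self.targets) and probe(self.targets[other]):
            self.active = other  # stick with the target that answered
            return True, self.targets[other]
        return False, None  # neither answered: gateway leaves the selection


def live_gateways(order, checks, probe):
    """Gateways that passed their health check, in listed order. A gateway
    that fails is dropped from the selection algorithm; it returns as soon as
    a later check passes."""
    return [g for g in order if checks[g].check(probe)[0]]


class RecordingProbe:
    """Test double for the probe: answers from a reachability table and logs
    which targets were actually probed, so stickiness can be verified."""

    def __init__(self, reachable):
        self.reachable = dict(reachable)
        self.log = []

    def __call__(self, target):
        self.log.append(target)
        return self.reachable.get(target, False)
```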

SD-WAN profile actions and status

The web admin console lists all the configured SD-WAN profiles on Routing > SD-WAN profiles.

You can see the following details for each SD-WAN profile:

Name: Shows the name of the profile along with its status, which can be as follows:

  • Active: The profile is active and at least one gateway is available to process traffic.
  • Inactive: The profile is inactive and no gateways are available to process traffic.

Gateway: Lists the gateways added to the profile.

Health check: Indicates if you've turned the health check on or off.

Status: You can do the following:

  • To monitor the real-time performance of the gateways, click Historical performance. See SD-WAN performance.
  • To see a summary of the configured settings, click Link status.

Manage: You can do the following:

  • To edit a profile, click Edit.
  • To delete a profile, click Delete.

Define an SD-WAN routing strategy for your network

To define an SD-WAN routing strategy for your network, you must do as follows:

  1. Add two or more gateways. See Add a gateway.
  2. Add an SD-WAN profile. See Add an SD-WAN profile.
  3. Add an SD-WAN route. See Add an SD-WAN route.

    Select the SD-WAN profile you created when you're adding an SD-WAN route.