Routing
Routes enable Sophos Firewall to forward traffic based on the criteria you specify.
You can configure SD-WAN, static, and dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.
Route precedence
Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.
To see the route precedence, do as follows:
- CLI: Enter 4 for Device console, and enter the following command:
  system route_precedence show
- Web admin console: Go to Routing > SD-WAN routes.
The protocol, network, and route details are shown in the following table:
Routes | Routing precedence |
---|---|
Static routes, SD-WAN routes, VPN routes | Set the routing precedence on the command-line interface. Example: |
WAN link manager (default route) | Fallback route if traffic doesn't match any configured route. |
See also Route precedence in migrated routes.
Routing SSL VPN traffic
SSL VPN traffic belongs to static routes. Suppose you've configured an SSL VPN policy and an SD-WAN route with the destination set to your local network 10.1.1.0.
If the route precedence is set to SD-WAN routes, followed by static routes and VPN routes, the firewall first tries to match the SD-WAN route. If it finds a matching route, remote users access the network using this route. The firewall implements the SSL VPN policy if it doesn't find a matching SD-WAN route.
However, if you want users to access the destination using SSL VPN irrespective of a matching SD-WAN route, you must set static routes before SD-WAN routes in the route precedence. Enter the following command:
system route_precedence set static sdwan_policyroute vpn
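
The following is an added example, not Sophos code: a small Python model of the precedence behaviour described above, which reports the route category that handles a destination and lists SSL VPN networks that an SD-WAN route would match first. It assumes a /24 mask for 10.1.1.0, matches on destination only, picks the longest prefix within a category, and uses a constructed 172.16.50.0/24 VPN route; the function names are hypothetical.

```python
import ipaddress

# Precedence tokens as used by `system route_precedence set` on this page.
DEFAULT_PRECEDENCE = ("static", "sdwan_policyroute", "vpn")
FALLBACK = "wan_link_manager"  # default route when nothing else matches


def select_route(dest, precedence, routes):
    """Return (category, network) for the first category, in precedence
    order, that has a route containing dest. Longest prefix wins inside a
    category (a modelling assumption, not documented firewall behaviour)."""
    addr = ipaddress.ip_address(dest)
    for category in precedence:
        nets = [ipaddress.ip_network(n) for n in routes.get(category, [])]
        hits = [n for n in nets if addr in n]
        if hits:
            return category, str(max(hits, key=lambda n: n.prefixlen))
    return FALLBACK, "0.0.0.0/0"


def shadowed_ssl_vpn_networks(precedence, routes, ssl_vpn_networks):
    """List (ssl_vpn_net, sdwan_net) pairs where an SD-WAN route overlaps an
    SSL VPN network and SD-WAN routes are evaluated before static routes."""
    if precedence.index("sdwan_policyroute") > precedence.index("static"):
        return []
    sdwan = [ipaddress.ip_network(n) for n in routes.get("sdwan_policyroute", [])]
    return [(v, str(s)) for v in ssl_vpn_networks for s in sdwan
            if ipaddress.ip_network(v).overlaps(s)]


# Constructed sample configuration. The /24 mask is an assumption; the page
# gives only 10.1.1.0. SSL VPN networks sit under "static" because the page
# states that SSL VPN traffic belongs to static routes.
SSL_VPN = ["10.1.1.0/24"]
ROUTES = {
    "static": SSL_VPN,
    "sdwan_policyroute": ["10.1.1.0/24"],
    "vpn": ["172.16.50.0/24"],
}
SDWAN_FIRST = ("sdwan_policyroute", "static", "vpn")

if __name__ == "__main__":
    for order in (SDWAN_FIRST, DEFAULT_PRECEDENCE):
        print(order, "->", select_route("10.1.1.20", order, ROUTES),
              "shadowed:", shadowed_ssl_vpn_networks(order, ROUTES, SSL_VPN))
```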