

Routes enable Sophos Firewall to forward traffic based on the criteria you specify.

You can configure SD-WAN, static, and dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.

To see the route precedence, do as follows:

  • CLI: Enter 4 for Device console, and enter the following command:

    system route_precedence show

  • Web admin console: Go to Routing > SD-WAN routes.

    Route precedence.

The protocol, network, and route details are shown in the following table:

Routes and their routing precedence:

Static routes:

  • Directly connected networks
  • Unicast routes
  • Dynamic routes
  • SSL VPN connections

SD-WAN routes

VPN routes:

  • Automatically created at the backend for policy-based IPsec VPNs.
  • Includes routes specified using the ipsec_route command on the CLI.

Set the routing precedence on the command-line interface.

Example: system route_precedence set static sdwan_policyroute vpn

WAN link manager (default route): Fallback route if traffic doesn't match any configured route.

See also Route precedence in migrated routes.

Route precedence and VPN traffic

SSL VPN traffic

SSL VPN traffic belongs to static routes. Suppose you've configured an SSL VPN policy and an SD-WAN route with the destination set to your local network.

If the route precedence is set to SD-WAN routes, followed by static routes and VPN routes, the firewall first tries to match the SD-WAN route. If it finds a matching route, remote users access the network using this route. The firewall implements the SSL VPN policy if it doesn't find a matching SD-WAN route.

However, if you want users to access the destination using SSL VPN irrespective of a matching SD-WAN route, you must set static routes before SD-WAN routes. Enter the following command:

system route_precedence set static sdwan_policyroute vpn
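The following is an added example, not Sophos code: a simplified Python model of the category-level matching described above, showing which route wins for the SSL VPN scenario under each precedence order and which routes a higher-precedence category overrides. The route entries, addresses, and function names are constructed for illustration, and the model assumes the first listed match wins within a category; it does not model zones or the IPsec behavior described in the next section.

```python
import ipaddress

# Category keywords as used by "system route_precedence set"; this is the default order.
DEFAULT_PRECEDENCE = ["static", "sdwan_policyroute", "vpn"]

# Constructed sample routes: (category, destination, description).
ROUTES = [
    ("static", "192.168.10.0/24", "SSL VPN policy: local network"),
    ("sdwan_policyroute", "192.168.10.0/24", "SD-WAN route: local network"),
    ("vpn", "172.16.50.0/24", "policy-based IPsec tunnel"),
]

FALLBACK = ("wan_link_manager", "0.0.0.0/0", "default route")


def select_route(dst_ip, precedence, routes=ROUTES):
    """Return the route used for dst_ip: categories are tried in precedence order."""
    addr = ipaddress.ip_address(dst_ip)
    for category in precedence:
        for route in routes:
            # Assumption: within a category the first listed match wins.
            if route[0] == category and addr in ipaddress.ip_network(route[1]):
                return route
    return FALLBACK  # no configured route matched


def shadowed_routes(precedence, routes=ROUTES):
    """List (loser, winner) pairs where a higher-precedence category overlaps a route."""
    rank = {cat: i for i, cat in enumerate(precedence)}
    pairs = []
    for low in routes:
        for high in routes:
            if rank[high[0]] < rank[low[0]] and ipaddress.ip_network(
                    low[1]).overlaps(ipaddress.ip_network(high[1])):
                pairs.append((low[2], high[2]))
    return pairs


if __name__ == "__main__":
    for order in (["sdwan_policyroute", "static", "vpn"], DEFAULT_PRECEDENCE):
        print(order, "->", select_route("192.168.10.20", order)[2])
        print("  shadowed:", shadowed_routes(order))
```

Running the overlap check against an export of your own routes before changing the precedence shows which destinations will switch paths.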

IPsec VPN traffic

The system route_precedence command only prioritizes VPN routes over static routes for traffic to the WAN zone. If a static or local route sends traffic to a zone other than WAN, the firewall will route traffic using that static route and not the VPN. To route this traffic to the VPN, use the ipsec_route command for policy-based VPNs with traffic selectors.

Here's an example:

system ipsec_route add net <network/netmask> tunnelname <tunnelname>


Pressing Tab twice after tunnelname will show a list of available tunnels.