Edit gateway details
Change gateway details and create or edit failover rules for it.
Gateway detail
You can change the general details of the gateway, such as type and weight.
Option | Description |
---|---|
IP address | IP address of the gateway. |
Interface | IP address of the interface. |
Type | The method by which traffic is routed through the gateway. Choose Active to route traffic through the gateway. If you configure more than one active gateway, the traffic will be load balanced among the gateways according to the assigned weight. Choose Backup to route traffic through the gateway only when the active gateway is down. |
Weight | Priority of the gateway to be used for allocating traffic. This value determines how much traffic will pass through the link in relation to the other available links. |
If you’ve selected type Backup, you can change the following backup gateway details:
Option | Description |
---|---|
Activate this gateway | The method by which the gateway is activated. Choose If any/all active gateway fails to activate this gateway automatically if any or all of the active gateways fail. Choose Manually to require manual activation. |
Action on activation | The method by which the firewall assigns weight to the gateway. Choose Inherit weight of the failed active gateway to use the weight of the failed active gateway to load balance the traffic among gateways. Choose Use configured weight to use the configured weight of the gateway. |
Action on failback | The method by which the firewall takes action when the primary gateway is restored. Choose Serve new connections through restored gateway to route new connections through the primary gateway. The firewall continues to route existing connections through the backup gateway until they are disconnected or timed out. Choose Serve all connections through restored gateway to re-establish existing connections and route all traffic through the primary gateway. Connections for which you’ve specified the backup gateway, for example in an SD-WAN route, are also re-established, but the firewall continues to route them through the backup gateway, not the primary gateway. |
Note
Currently, the option to serve all connections through the restored gateway doesn't apply to SD-WAN routes. When Sophos Firewall matches traffic with SD-WAN routes, it serves only new connections through the restored gateway.
When it matches traffic with WAN link load balance, it serves all connections through the restored gateway if you've selected the option.
Failover rules
Specify the criteria to use to determine when to reroute traffic to another gateway. By default, the firewall uses ping to test the link. You can modify the default criteria and add criteria. Additional criteria are evaluated using AND.
- To change the criteria, click Edit and specify a testing method, port, and IP address.
- To add criteria, click Add and specify a testing method, port, and IP address.
Note
For WAN or ISP-based gateways, you must enter a well-known public IP address to ensure that failover works properly, such as 8.8.8.8, 8.8.4.4, or 2001:4860:4860::8888 for IPv6. For custom gateways added for route-based VPN (RBVPN), RED, and MPLS interface types, you must enter an IP address behind the gateway to ensure that failover works properly.
Note
For IPv6, if you want to check the upstream device for a failover check, use the IPv6 address of the gateway instead of the link-local address.
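The two notes above can be checked offline before you enter a failover rule. The following Python script is an added example, not part of the Sophos documentation or product: it flags probe addresses that break those rules. The gateway kind labels, the `behind_gateway` list of networks, and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Gateway kinds are labels chosen for this example, not firewall identifiers.
WAN_KINDS = {"wan"}                      # WAN or ISP-based gateways
CUSTOM_KINDS = {"rbvpn", "red", "mpls"}  # custom gateway interface types

# Constructed sample rules: (gateway name, kind, probe IP, networks behind it).
SAMPLE_RULES = [
    ("ISP1", "wan", "8.8.8.8", ()),
    ("ISP1", "wan", "192.168.1.1", ()),
    ("ISP2-v6", "wan", "fe80::1", ()),
    ("ISP2-v6", "wan", "2001:4860:4860::8888", ()),
    ("HQ-tunnel", "rbvpn", "10.20.0.1", ("10.20.0.0/16",)),
    ("HQ-tunnel", "rbvpn", "8.8.8.8", ("10.20.0.0/16",)),
]


def check_probe(kind, probe, behind_gateway=()):
    """Return a list of problems with one failover-rule probe address.

    behind_gateway lists the networks reachable through a custom gateway;
    the administrator supplies it (an assumption of this example).
    """
    try:
        addr = ipaddress.ip_address(probe)
    except ValueError:
        return [f"{probe}: not a valid IP address"]
    problems = []
    if addr.version == 6 and addr.is_link_local:
        problems.append(f"{probe}: link-local, use the gateway's IPv6 address")
    if kind in WAN_KINDS and not addr.is_global:
        problems.append(f"{probe}: WAN/ISP gateway needs a public address")
    if kind in CUSTOM_KINDS:
        nets = [ipaddress.ip_network(n) for n in behind_gateway]
        if not any(addr.version == n.version and addr in n for n in nets):
            problems.append(f"{probe}: not in a network behind the gateway")
    return problems


def audit(rules):
    """Return {(gateway name, probe): problems} for rules that need fixing."""
    found = {}
    for name, kind, probe, behind in rules:
        problems = check_probe(kind, probe, behind)
        if problems:
            found[(name, probe)] = problems
    return found


if __name__ == "__main__":
    for (name, probe), problems in audit(SAMPLE_RULES).items():
        print(name, *problems, sep="\n  ")
```

A private or link-local probe address on a WAN gateway only proves that the next hop answers, so an upstream outage would not trigger failover; the check treats shared address space (100.64.0.0/10) as non-public for the same reason.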