Edit a WAN gateway

You can configure WAN gateway settings, assign an active or backup gateway type, specify the weight to load balance sessions, and configure failover rules for multiple WAN links. These settings help you optimize traffic distribution and ensure stable connectivity.

Gateway detail

You can change the default settings for WAN gateways.

Setting Description
IP address: IP address of the gateway.
Interface: IP address of the interface.
Type

Failover takes place for both types. The type you select determines whether load balancing takes place:

  • Active: Load balances traffic using the weighted round-robin method when there's more than one active gateway.
  • Backup: Routes traffic through the gateway only when the active gateways become unavailable.
Weight

Determines how traffic is distributed across multiple active WAN links with weighted round-robin load-balancing. A higher weight results in more sessions being sent through the gateway.

For example, if you assign a weight of 1 to gw0 and 2 to gw1, the firewall distributes sessions in the following pattern: one session to gw0, followed by two sessions to gw1.

To optimize performance, assign weights based on the capacity of each link.

Note

By default, the firewall uses session persistence as the load balancing method. For example, when a request arrives from a source IP address, the firewall routes all subsequent requests from that address through the same WAN link. For initial requests from other source IP addresses, it applies weighted round-robin load balancing.

For more information about the WAN link load balancing methods, see routing.

Backup gateways

If you set Type to Backup, you can change the default settings for backup gateways.

Setting Description
Activate this gateway

Select an option to activate the backup gateway.

  • If active gateway fails:
    • ANY: Activates the gateway if any active gateway becomes unavailable.
    • ALL: Only activates the gateway if all the active gateways become unavailable.
  • Manually: You must change the Type to Active in the configuration.
Action on activation

Select an option to assign a load-balancing weight to the backup gateway when it's activated.

  • Inherit weight of the failed active gateway: Inherits the weight of the last active gateway that's become unavailable.
  • Use configured weight: Uses the weight you configured.
Action on failback

Select the action to take when the active gateway is restored.

  • Serve new connections through restored gateway: Sends new connections to the active gateway. Existing connections continue through the backup gateway until they time out or are disconnected.
  • Serve all connections through restored gateway: Re-establishes existing connections and sends all new connections through the active gateway.

Note

The Serve all connections through restored gateway option applies to SD-WAN routes only when you select WAN link load balance as the primary gateway in the route configuration. For other link selection settings in SD-WAN routes, the firewall processes traffic as follows:

  • Active WAN link as SD-WAN primary gateway: Serves only new connections through the restored gateway.
  • Backup WAN link as SD-WAN primary gateway: Re-establishes the connections and continues to route traffic through the backup WAN link.
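
The following Python model is an added example, not Sophos code. It simulates the behavior described above: weighted round-robin for new source IP addresses, session persistence for known ones, and ANY/ALL backup activation with an inherited or configured weight. The names Gateway, serving, Balancer, and gw2, and the 192.0.2.x source addresses, are assumptions; the Manually option and failback are not modeled.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    weight: int
    kind: str = "active"       # "active" or "backup"
    activate_on: str = "ALL"   # backup only: "ANY" or "ALL" active gateways failed
    inherit: bool = False      # backup only: inherit weight of the failed gateway

def serving(gateways, down=()):
    """Return [(name, weight)] of the gateways that carry traffic.

    down: names of unavailable active gateways, in the order they failed.
    """
    actives = [g for g in gateways if g.kind == "active"]
    weights = {g.name: g.weight for g in actives}
    pool = [(g.name, g.weight) for g in actives if g.name not in down]
    for b in (g for g in gateways if g.kind == "backup"):
        needed = 1 if b.activate_on == "ANY" else len(actives)
        if down and len(down) >= needed:
            # Inherit the weight of the last active gateway that failed.
            pool.append((b.name, weights[down[-1]] if b.inherit else b.weight))
    return pool

class Balancer:
    """Session persistence by source IP, weighted round-robin for new sources."""
    def __init__(self):
        self.sticky = {}   # source IP -> gateway name
        self.turn = 0      # position in the weighted schedule

    def route(self, src_ip, pool):
        schedule = [name for name, w in pool for _ in range(w)]
        if not schedule:
            return None                      # no gateway available
        if self.sticky.get(src_ip) in schedule:
            return self.sticky[src_ip]       # persistence: same WAN link
        gw = schedule[self.turn % len(schedule)]
        self.turn += 1
        self.sticky[src_ip] = gw
        return gw

if __name__ == "__main__":
    # Constructed sample: weights from the example above plus a hypothetical backup.
    gws = [Gateway("gw0", 1), Gateway("gw1", 2),
           Gateway("gw2", 1, kind="backup", activate_on="ALL", inherit=True)]
    lb = Balancer()
    print([lb.route(f"192.0.2.{i}", serving(gws)) for i in range(6)])
    print(serving(gws, down=["gw0", "gw1"]))
```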

Failover rules

Specify the rules to determine when to reroute traffic to another gateway. By default, the firewall uses ping to test the link.

You can modify the default rule and add more rules. Use AND or OR to specify if all rules or just some must be met before failover takes place.

For WWAN gateways, an additional failover rule with 8.8.8.8, a recognized DNS server address, is automatically created to monitor cellular WAN connectivity. See WAN link manager.

  • To change the criteria, click Edit and specify a testing method, port, and IP address.
  • To add criteria, click Add and specify a testing method, port, and IP address.

Note

For WAN or ISP-based gateways, you must enter a well-known public IP address, such as 8.8.8.8 or 8.8.4.4 for IPv4 and 2001:4860:4860::8888 for IPv6, to ensure that failover works properly.

For custom gateways added for route-based VPN (RBVPN), RED, and MPLS interfaces, you must enter an IP address behind the gateway to ensure that failover works properly.

Note

For IPv6, to check the upstream device for failover, use the IPv6 address of the gateway instead of the link-local address.