Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Allowing traffic flow for directly connected networks: Set route precedence

In SD-WAN routes, if the destination network is set to Any, directly connected networks are routed through the WAN interface. Set the route precedence on the command-line console to allow internal traffic flow.

Introduction

Sophos Firewall applies SD-WAN routes to all (external and internal) traffic when both these scenarios happen together:

  • Route precedence: SD-WAN routes are set before static routes on the command-line console.
  • SD-WAN routes: Destination networks are set to Any on the web admin console.

Warning

The default route precedence is set to static, SD-WAN routes, and VPN.

When you migrate from 17.5 to 18.5, Sophos Firewall retains the route precedence set in the earlier version.

This forces your internal sources to use the WAN gateway for internal destinations and may break the internal traffic flow.

To allow traffic flow among directly connected networks, check the route precedence, and set static routes before SD-WAN routes.

Set route precedence to allow internal traffic flow

View the current route precedence. Change the precedence, if required.

  1. Sign in to the command-line interface using SSH. Alternatively, go to the web admin console and click admin > Console in the upper-right corner.
  2. Enter 4 for Device console.
  3. Use the following command:

    console> system route_precedence show

  4. Alternatively, view the route precedence on the web admin console. Go to Routing > SD-WAN routes and see the box below the menu.

  5. To allow internal sources to reach internal networks directly (internal hosts accessing internal devices and servers), set the routing precedence with static routing before SD-WAN routing on the command-line interface.

    Example: console> system route_precedence set static sdwan_policyroute vpn

  6. To check the adjusted route precedence, use the following command again:

    console> system route_precedence show

You must create a firewall rule to allow traffic between internal zones, for example between the LAN and the DMZ.

Sophos Firewall now applies static routes before it applies the SD-WAN policy-based routes. Internal traffic is forwarded directly to the internal destination.