
Routing

Routes enable Sophos Firewall to forward traffic based on the criteria you specify.

You can configure SD-WAN, static, and dynamic routes. Sophos Firewall creates VPN routes for IPsec traffic automatically.

Route precedence

Routing follows the precedence you specify on the command-line interface. The default routing precedence is static routes, then SD-WAN routes, then VPN routes.

To see the route precedence, do as follows:

  • CLI: Enter 4 for Device console, and enter the following command:

    system route_precedence show

  • Web admin console: Go to Routing > SD-WAN routes.


The route types that belong to each routing class, and the default route that applies when nothing else matches, are shown in the following table:

Routes                                   Routing precedence

Static routes:                           Set the routing precedence on the
  • Directly connected networks          command-line interface.
  • Unicast routes                       Example:
  • Dynamic routes                       system route_precedence set static sdwan_policyroute vpn
  • SSL VPN connections

SD-WAN routes

VPN routes:
  • Automatically added for policy-based VPNs
  • Routes specified using the ipsec_route command on the CLI

WAN link manager (default route)         Fallback route if traffic doesn't match any configured route.

Note

Routes that the firewall adds automatically for policy-based IPsec VPNs, and routes added with the ipsec_route command, aren't shown.

Route precedence and VPN traffic

SSL VPN traffic

SSL VPN routes belong to the static route class. Suppose you've configured an SSL VPN policy and an SD-WAN route, both with the destination set to your local network 10.1.1.0.

If the route precedence is set to SD-WAN routes, then static routes, then VPN routes, the firewall first tries to match the SD-WAN route. If it finds a match, remote users reach the network through the SD-WAN route. The firewall applies the SSL VPN policy only if no SD-WAN route matches.

However, if you want users to reach the destination through SSL VPN even though an SD-WAN route exists, you must set static routes before SD-WAN routes, as follows:

system route_precedence set static sdwan_policyroute vpn

IPsec VPN traffic

When you set vpn before static in the system route_precedence command, the firewall prioritizes VPN routes over static routes only for traffic destined for the WAN zone. For traffic to any other zone, it uses static or local routes in preference to VPN routes.
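To make the two cases above concrete (the SSL VPN route competing with an SD-WAN route, and the WAN-zone-only effect of placing vpn before static), here is a small model of the precedence lookup. It is an added example written for this page, not Sophos code and not how the firewall is implemented: the route entries, interface labels and addresses are constructed sample data, the destination zone is passed in as a plain parameter rather than derived from interfaces, and the longest-prefix tie-break within a route class is an assumption the page does not state.

```python
"""Illustrative model of Sophos Firewall route-precedence lookup.

Constructed example, not Sophos code. It models the lookup order the page
describes so you can see which route wins under each
`system route_precedence set ...` ordering. Routes, labels and addresses
are made-up sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Sequence

# Route classes, named as the CLI keywords. SSL VPN routes belong to "static".
STATIC, SDWAN, VPN = "static", "sdwan_policyroute", "vpn"
DEFAULT_PRECEDENCE = (STATIC, SDWAN, VPN)   # page default: static, SD-WAN, VPN


@dataclass(frozen=True)
class Route:
    kind: str          # STATIC, SDWAN or VPN
    prefix: str        # destination in CIDR notation
    via: str           # label for the next hop, tunnel or interface


def effective_order(precedence: Sequence[str], dst_zone: str) -> list:
    """Apply the IPsec rule: 'vpn' ahead of 'static' only counts for WAN-bound traffic.

    For any other destination zone the firewall uses static/local routes before
    VPN routes, so static is moved ahead of vpn in the lookup order.
    (dst_zone as a bare parameter is a simplification for this example.)
    """
    order = list(precedence)
    if dst_zone != "WAN" and order.index(VPN) < order.index(STATIC):
        order.remove(STATIC)
        order.insert(order.index(VPN), STATIC)
    return order


def lookup(dst: str, routes: Iterable[Route],
           precedence: Sequence[str] = DEFAULT_PRECEDENCE,
           dst_zone: str = "WAN") -> Optional[Route]:
    """Return the winning route for dst, or None when only the WAN link
    manager default route applies.

    Classes are tried in precedence order; the first class with any matching
    prefix wins. Within that class the longest prefix is chosen (assumption).
    """
    addr = ip_address(dst)
    for kind in effective_order(precedence, dst_zone):
        matches = [r for r in routes
                   if r.kind == kind and addr in ip_network(r.prefix)]
        if matches:
            return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)
    return None


def ssl_vpn_scenario(precedence: Sequence[str]) -> str:
    """SSL VPN case: an SSL VPN route (static class) and an SD-WAN route both
    cover the local network 10.1.1.0/24. Returns the label of the route used."""
    routes = [
        Route(STATIC, "10.1.1.0/24", "ssl-vpn"),      # added by the SSL VPN policy
        Route(SDWAN, "10.1.1.0/24", "sdwan-port2"),   # the competing SD-WAN route
    ]
    route = lookup("10.1.1.10", routes, precedence, dst_zone="LAN")
    return route.via if route else "default"


def ipsec_scenario(dst_zone: str) -> str:
    """IPsec case with precedence vpn, static, sdwan: a policy-based VPN route
    and a static route both cover 192.168.50.0/24 (sample addresses)."""
    routes = [
        Route(VPN, "192.168.50.0/24", "ipsec-tunnel"),   # auto-added for the policy-based VPN
        Route(STATIC, "192.168.50.0/24", "port3-gw"),    # competing static route
    ]
    route = lookup("192.168.50.7", routes, (VPN, STATIC, SDWAN), dst_zone)
    return route.via if route else "default"


if __name__ == "__main__":
    print("SD-WAN first :", ssl_vpn_scenario((SDWAN, STATIC, VPN)))
    print("static first :", ssl_vpn_scenario((STATIC, SDWAN, VPN)))
    print("IPsec to WAN :", ipsec_scenario("WAN"))
    print("IPsec to LAN :", ipsec_scenario("LAN"))
    print("no route     :", lookup("203.0.113.9", []))   # None: WAN link manager takes over
```

Running the script shows the SD-WAN route winning under sdwan_policyroute-first precedence and the SSL VPN route winning once static is placed first, and for the IPsec case the tunnel being used only when the destination zone is WAN. Swap the precedence tuple or the zone to check any other ordering before you change it on a production firewall.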

Advanced route configuration

The web admin console only supports basic route configuration. For advanced route configuration, you must use the CLI. See Route configuration.