Sophos Firewall Advanced Routing and SD-WAN Configuration PDF
Advanced Routing Configuration on Sophos Firewall
Sophos Firewall Version: 19.0v1

[Additional Information]
Sophos Firewall FW1530: Advanced Routing Configuration on Sophos Firewall
April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Advanced Routing and SD-WAN Configuration on Sophos Firewall - 1

Advanced Routing Configuration on Sophos Firewall

In this chapter you will learn how Sophos Firewall routes traffic, how to manage gateways, and how to configure SD-WAN profiles and routes.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Configuring static routes
✓ Creating gateways and SD-WAN routes

DURATION: 27 minutes
Routing

[Diagram: route precedence. Health check routes; then, in configurable order, static routes (directly connected networks, dynamic routing protocols, SSL VPN routes), SD-WAN routes and IPsec VPN routes; then the default route (WAN link manager).]

Sophos Firewall supports multiple methods for building and dynamically controlling the routing. These fall into three main types of route, static routes, SD-WAN routes and VPN routes, and these are processed in order. In addition to this there are also the health check routes and the default route.

The health check routes are used to route the traffic for health probes independently of any routes configured. The default route selects the gateway based on the configuration in the WAN link manager.

Static routes define the gateway to use based on the destination network. This includes directly connected networks, routes added by dynamic routing protocols, and routes created for SSL VPNs.

SD-WAN routes make decisions based on the properties of the traffic, such as source, destination and service.

VPN routes are created automatically when policy-based IPsec VPN connections are established with the Sophos Firewall.

Please note that the precedence of static routes, SD-WAN routes, and VPN routes can be modified on the command line.
[Additional Information]
Routing behaviour documentation: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Routing/SDWANPolicyRouting/RoutingSDWANPolicyBehavior/index.html

Packet Routing

PBR: Policy (SD-WAN) Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

[Diagram: the eight stages a packet passes through]
1. Packet arrives
2. Pre-routing: mark if there is a PBR match
3. Routing: traverse full routing and mark the destination zone
4. NAT lookup: NAT lookup for DNAT or Full NAT as per the matched rule; destination zone updated as per the linked NAT rule
5. Firewall: firewall rule matching done on post-NAT zone and pre-NAT IP
6. RTG -> MLM lookup: mark if there is a match for RTG; if WAN traffic with no PBR and no RTG mark, then mark for MLM
7. Routing: traverse full routing as per precedence (PBR, VPN, Main, All)
8. NAT: NAT lookup for best match SNAT or DNAT; packet delivered

This diagram shows how routing is applied to packets by the Sophos Firewall. After the packet arrives, the Sophos Firewall checks if it matches an SD-WAN route, and if so, marks the packet. This mark is used later. The full routing precedence is traversed, and the destination zone of the packet is marked. The NAT lookup is performed as previously covered, and the destination zone is updated if a DNAT or Full NAT rule is matched. The packet is matched in the firewall based on the post-NAT zone and pre-NAT IP. Sophos Firewall then checks whether there is a match for a route through gateway; these are the migrated SD-WAN routes created from gateways that were configured in firewall rules in v17.5. If the traffic is destined for the WAN zone and no PBR or RTG has been matched, the packet is marked for MLM. MLM is the gateway derived from the load balancing configuration across active gateways. The packet then traverses the full routing as per the precedence. Lastly, there is a NAT lookup.
Packet Routing

PBR: Policy (SD-WAN) Based Route
RTG: Route Through Gateway
MLM: Multi Link Management

XG135_XN02_SFOS 18.0.0# ip rul ls
0:      from all lookup local
51:     from all fwmark 0x4002 lookup gw2
51:     from all fwmark 0x4001 lookup gw1
51:     from all fwmark 0x4003 lookup gw3
53:     from all lookup main
54:     from all fwmark 0x200 lookup routeipsec0
150:    from all fwmark 0x8002 lookup gw2
150:    from all fwmark 0x8001 lookup gw1
150:    from all fwmark 0x8003 lookup gw3
151:    from 192.168.254.1 lookup wanlink2
151:    from 10.101.102.127 lookup wanlink1
220:    from all iif lo lookup 220
221:    from all lookup multilink
32766:  from all lookup main
32767:  from all lookup default

Slide annotations, by rule:
- 0 (local): matches when Sophos Firewall sends traffic to itself
- 51 (gw1, gw2, gw3): matches PBR if the packet is marked
- 53 (main): static routes, including static, dynamic and directly connected networks; no marking
- 54 (routeipsec0): IPsec VPN
- 150 (gw1, gw2, gw3): RTG and MLM
- 151 (wanlink1, wanlink2): WAN interface IP addresses
- 220: system generated traffic
- 221 (multilink): MLM for system generated traffic; most traffic does not pass this point
- 32766 (main) and 32767 (default): added by the Linux kernel (the orange boxes on the slide); the slide notes the IPv6 default route here, and traffic generally will not reach this point

Here is an example of the routing table on Sophos Firewall. You can see that it uses a combination of the source and fwmark to look up gateways. A few points to note:
- The orange boxes are added or managed by the kernel
- Packets are only marked for one of PBR, RTG or MLM
- If a packet is marked for RTG, the Sophos Firewall will still traverse the full route precedence, but will not be able to match PBR because the fwmark will be different
- RTG will always have a lower precedence than VPN and static routes

Packet Routing

XG135_XN02_SFOS 18.0.0# ip route list table wanlink1
default via 10.1.1.250 dev PortB proto static src 10.1.1.100
prohibit default proto static metric 1

From the routing table you can then look up the route table associated with each gateway, as shown here.
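As an added example (not part of the course material and not Sophos code), the following Python script parses the ip rule listing above and walks it the way the kernel does, returning the tables consulted, in order, for a packet with a given fwmark, source address and incoming interface. It shows why a packet marked for RTG/MLM (0x8xxx) can never hit the PBR rules at priority 51 and is only looked up in its gateway table after main. The mark ranges in classify_mark are an assumption generalised from the three marks of each family shown in the listing.

```python
"""Walk a Sophos Firewall policy-routing rule list the way the kernel does.

Added example, not Sophos code. IP_RULE_DUMP is copied from the `ip rul ls`
output quoted in the chapter. Table contents are not modelled; the script
only reports the order in which tables would be consulted for a packet.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

IP_RULE_DUMP = """\
0:      from all lookup local
51:     from all fwmark 0x4002 lookup gw2
51:     from all fwmark 0x4001 lookup gw1
51:     from all fwmark 0x4003 lookup gw3
53:     from all lookup main
54:     from all fwmark 0x200 lookup routeipsec0
150:    from all fwmark 0x8002 lookup gw2
150:    from all fwmark 0x8001 lookup gw1
150:    from all fwmark 0x8003 lookup gw3
151:    from 192.168.254.1 lookup wanlink2
151:    from 10.101.102.127 lookup wanlink1
220:    from all iif lo lookup 220
221:    from all lookup multilink
32766:  from all lookup main
32767:  from all lookup default
"""


@dataclass
class Rule:
    prio: int
    src: Optional[str]      # None means "from all"
    fwmark: Optional[int]   # None means no fwmark condition
    iif: Optional[str]      # None means no incoming-interface condition
    table: str


RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from (?P<src>\S+)"
    r"(?: fwmark (?P<mark>0x[0-9a-f]+))?"
    r"(?: iif (?P<iif>\S+))?"
    r" lookup (?P<table>\S+)$"
)


def parse_rules(dump: str) -> List[Rule]:
    """Parse `ip rule` output into Rule objects, lowest priority first."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule line: {line!r}")
        rules.append(Rule(
            prio=int(m["prio"]),
            src=None if m["src"] == "all" else m["src"],
            fwmark=int(m["mark"], 16) if m["mark"] else None,
            iif=m["iif"],
            table=m["table"],
        ))
    # Python's sort is stable, so rules sharing a priority keep listing order.
    return sorted(rules, key=lambda r: r.prio)


def classify_mark(fwmark: int) -> str:
    """Name the mark family. Assumption: 0x4xxx = PBR, 0x8xxx = RTG/MLM,
    0x200 = IPsec, generalised from the marks shown in the listing."""
    if fwmark == 0x200:
        return "IPSEC"
    if 0x4000 <= fwmark < 0x5000:
        return "PBR"
    if 0x8000 <= fwmark < 0x9000:
        return "RTG/MLM"
    return "NONE"


def tables_consulted(rules: List[Rule], fwmark: int = 0,
                     src: str = "0.0.0.0", iif: str = "PortA") -> List[str]:
    """Tables the kernel would consult, in order, for this packet. A lookup
    in a table with no matching route falls through to the next rule, so
    this is the full search order rather than the final route choice."""
    order = []
    for r in rules:
        if r.src is not None and r.src != src:
            continue
        if r.fwmark is not None and r.fwmark != fwmark:
            continue
        if r.iif is not None and r.iif != iif:
            continue
        order.append(r.table)
    return order


if __name__ == "__main__":
    rules = parse_rules(IP_RULE_DUMP)
    for mark in (0x4001, 0x8001, 0x200):
        path = " -> ".join(tables_consulted(rules, fwmark=mark))
        print(f"fwmark {mark:#x} ({classify_mark(mark)}): {path}")
```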
Packet Routing

routing policies:
0   from all lookup local
1   from all fwmark 0x1001 lookup gw1
51  from all fwmark 0x4001 lookup gw1
52  from all lookup main
53  from all fwmark 0x200 lookup routeipsec0
150 from all fwmark 0x8001 lookup gw1
150 from all fwmark 0x8002 lookup gw2
221 from all lookup multilink

routing tables:
main
  103.226.184.250 dev Port2_ppp proto kernel scope link src 10.250.18.43
  192.168.30.0/24 via 192.168.100.2 dev Port1 proto zebra
  192.168.31.0/24 via 192.168.100.2 dev Port1 proto zebra
  192.168.100.0/24 dev Port1 proto kernel scope link src 192.168.100.1
gw1
  default via 103.226.184.250 dev Port2_ppp proto static
  prohibit default proto static metric 1
gw2
  default via 192.168.8.1 dev WWAN1 proto static
  prohibit default proto static metric 1
multilink
  default proto static nexthop via 103.226.184.250 dev Port2_ppp weight 1 nexthop via 192.168.8.1 dev WWAN1 weight 1

By using the ip rule list and ip route list table commands you can navigate the routing table tree to identify how traffic is being routed.

Setting Routing Precedence

Route precedence can be managed on the console. By default, static routes have the highest precedence.

console> system route_precedence show
Routing Precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes
console> system route_precedence set sdwan_policyroute static vpn
console> system route_precedence show
Routing Precedence:
1. SD-WAN policy routes
2. Static routes
3. VPN routes
console>

By default, static routing has the highest priority; this can be viewed on the console, and changed if necessary, using the system route_precedence command.
[Additional Information]
The commands for managing route precedence are:
system route_precedence show - Display current route precedence
system route_precedence set sdwan_policyroute vpn static - Set new route precedence

Default route precedence:
1. Static routes
2. SD-WAN policy routes
3. VPN routes

Gateway Management

WAN Link Manager (Network > WAN link manager):
- Manage default gateways on WAN links only
- Cannot create new gateways

Gateway Manager (Routing > Gateways):
- All gateways; default WAN gateways are also available here
- Add new gateways for use in routing

There are two gateway management tools on the Sophos Firewall, the WAN link manager and the gateway manager. The WAN link manager allows you to modify existing WAN gateways that are created when new interfaces are added to the Sophos Firewall in the WAN zone. The WAN link manager does not allow an admin to create new WAN links from this location; to add a new link, a new interface would need to be created. Only modifications can be done here.

The Gateway manager allows you to create gateways on the Sophos Firewall that can forward traffic to other networks. These gateways can be used to control the flow of traffic through the Sophos Firewall by coupling them with routing rules. WAN gateways do not need to be created since they are automatically added when a WAN interface is created.

WAN Link Manager (CONFIGURE > Network > WAN link manager)

The WAN link manager allows you to configure Internet gateways to support failover and load balancing. Using failover, you can minimize the chance of a service disruption and ensure connectivity to the Internet. You can achieve failover using an active-backup configuration. In the event of a link failure, the firewall reroutes traffic to available connections, and traffic is distributed among links according to their assigned weights.
During failover, the firewall monitors the health of the dead link and redirects traffic to it once it is restored. Load balancing allows you to optimize connectivity by distributing traffic among links. Traffic is assigned according to the weight specified for the links. You can achieve load balancing using an active-active configuration.

WAN Link Manager

[Screenshot: editing a WAN gateway; active or backup gateway; gateway priority (weight)]

When editing WAN gateways, you can set a gateway as either active, in which case the firewall will use it to route traffic, or backup, in which case the gateway will not be used. The weight sets the priority of the gateway for allocating traffic. This value determines how much traffic will pass through the link in relation to the other available links. You can set the failover rules for the gateway. These determine how the firewall will test whether the gateway is available, or whether it needs to use another gateway.

WAN Link Manager - Failover Rules

By default, the failover rules will be configured with a single rule that will attempt to PING the gateway IP address. You may need to change this if the gateway is configured not to respond to PING requests. You can configure failover rules using either PING or TCP connections. You can also choose to include multiple rules that can be combined using AND, so failover will only happen if both tests fail, or they can be combined using OR, where failover will happen if either test fails. Having multiple failover tests can prevent a failover if the test server is unavailable. You can also configure the tests to check access to services through the gateway and not just the availability of the gateway itself.

Backup Gateway

[Screenshot: backup gateway options; activation method; weight setting; session handling]

For backup gateways there are some additional options.
You can choose to activate the backup gateway either manually, which is the default option, or dynamically if an active gateway fails. This can be if ANY gateway fails, if ALL gateways fail, or if a specific gateway fails. You can also choose for the backup gateway to inherit the weight of the failed active gateway or to use its configured weight. The action on failback option can be used to control how sessions are handled if the active gateway comes back online. You can choose to serve new connections through the restored gateway, or to force all connections, including current connections, through the restored gateway. Forcing current connections through the restored gateway can in some circumstances cause the session to fail for that connection because the traffic is being routed asymmetrically.

WAN Link Manager - Traffic Report

By clicking on the report icon in the gateway row, you can view the traffic utilization for that gateway. This can be either weekly, monthly, or for a custom time period.

Gateway Manager (CONFIGURE > Routing > Gateways)

The gateway manager on the Sophos Firewall allows the configuration of IPv4 and IPv6 gateways for use with SD-WAN routes. New gateways are added in CONFIGURE > Routing > Gateways.

To configure a gateway, enter the IP address and optionally select which interface should be used to reach it. You can also select a zone, which we will cover later in this section. Gateways can be monitored using a health check that will test whether the gateway is up by pinging it at regular intervals, and email notifications can be enabled for when the gateway state changes. Please note, if health monitoring is not enabled, the Sophos Firewall will always assume the gateway is available.
Gateways

Supported interfaces          IPv4   IPv6
Static                        ✓      ✓
DHCP                          ✓      ✓
PPPoE                         ✓
Bridge                        ✓      ✓
LAG (Link Aggregation Group)  ✓      ✓
VLAN (Virtual LAN)            ✓      ✓
WWAN (Wireless WAN)           ✓
IPsec Tunnel (xfrm)           ✓      ✓

Unsupported interfaces: IPsec, GRE, IP tunnels, SSL VPN site-to-site

This table shows which interface types are supported for IPv4 and IPv6 gateways. IPsec, GRE, IP Tunnels and SSL site-to-site VPNs are not supported.

SD-WAN Routes

- SD-WAN routing influences routing table decisions
- Supports advanced routing scenarios
- Support for next-hop and interface-based gateways
- Configured using gateway hosts and SD-WAN route rules
- User, group and application-based traffic selection criteria
- Synchronized SD-WAN
- SD-WAN profiles select the gateway based on the link quality

Routing is usually determined by the destination of the traffic; however, SD-WAN routing allows decisions to be based on other criteria, such as the source and traffic type. There are two elements for configuring SD-WAN routing on the Sophos Firewall: gateways and SD-WAN route rules. If you have multiple Internet connections, routing can be defined through either the primary or backup gateway WAN connection and can be configured for the reply direction.

Synchronized SD-WAN offers additional benefits with SD-WAN application routing. It leverages the added clarity and reliability of application identification that comes with the sharing of Synchronized Application Control information between Sophos Central managed endpoints and Sophos Firewall.

SD-WAN profiles provide link management that allows you to define routing strategies across multiple gateways.
Using SD-WAN profiles enables seamless and efficient routing and rerouting of traffic based on the performance and stability of the link, optimizing network performance and ensuring continuity.

SD-WAN Profiles

SD-WAN profiles are managed in CONFIGURE > Routing. Start by selecting up to 8 gateways; these can include custom gateways such as route-based VPN gateways.

SD-WAN Profiles - Select performance criteria for the SLA

The default SLA, service level agreement, selects the gateway with the best quality link based on latency. You can change this to alternatively use jitter or packet loss for determining the quality of the link.

Network latency, sometimes called lag, is the term used to describe how long data takes to reach its destination. Jitter measures the changes in the latency of a network connection, where zero milliseconds of jitter is data being delivered at a constant latency, and five milliseconds of jitter would indicate that the latency is not stable and can vary by five milliseconds. This can be caused by network congestion. Packet loss measures how many packets do not reach their destination as a percentage of packets sent.

SD-WAN Profiles - Configure a custom SLA using a mix of latency, jitter, and packet loss

You also have the option to define a custom SLA that is based on any combination of latency, jitter, and packet loss. For each of the criteria that you want to use you can define maximum values. The default values are based on general web traffic, but examples of other traffic types can be seen by hovering over the information icon for Recommended SLA values. For example, you could configure an SLA for SIP that requires packet loss not to exceed 1%.
SD-WAN Profiles - Health check

- Probe via Ping or TCP connection
- Configure one or two probe targets
- Customize the health check settings

SD-WAN profiles provide granular options for monitoring the health of the link. Please note that when you have an SLA enabled for the profile, you cannot disable the health check. The health check can be done using either Ping or TCP, to either one or two probe targets. Where TCP is selected, the port must be entered for the probe targets. You can also refine the health checks by specifying the interval between checks, response timeout, when to deactivate and activate gateways, and the sample size that is used for the SLA.

SD-WAN Profiles - The SLA sample size forms a sliding window for determining link performance

[Timeline: probes sent at a 1s interval between checks; SLA sample size of 5 (the default is 30); first SLA verdict (latency 150ms, jitter 50ms, loss 0%) once the sample size is reached; link is down after 3 consecutive failures; link is up after 5 consecutive responses.]

Let's see how the health settings work with an example. Here you can see the timeline for health check probes, and in this example we are using a one second interval between probes. The SLA sample size forms a sliding window over time. The default sample size is 30, but in this example we are using 5. Once the SLA sample size is reached, the first SLA verdict is returned, and it is updated on each probe. The time taken to report the first verdict is the SLA sample size multiplied by the interval between checks. When there are three consecutive failures the firewall determines that the link is down. If the link comes back up, the firewall will change its status after receiving the configured number of consecutive responses, five in this example.
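The sliding-window behaviour described above, modelled as an added Python example (not part of the course material and not Sophos code): probes are fed one at a time, the SLA verdict is recomputed over the last sample_size probes, and the link goes down after three consecutive failures and comes back up after five consecutive responses. The thresholds are the slide's (150 ms latency, 50 ms jitter, 0% loss); computing jitter as the mean change between consecutive latencies is an assumption, as the chapter does not say how the firewall derives it.

```python
"""Model of the SD-WAN profile health check timeline from the chapter.

Added example, not Sophos code. Sample size, probe interval, the
3-consecutive-failures / 5-consecutive-responses rule and the SLA
thresholds are the values on the slide. Jitter is computed here as the
mean absolute change between consecutive latencies (an assumption; the
chapter does not say how the firewall derives it).
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass
class HealthConfig:
    interval_s: float = 1.0       # interval between checks
    sample_size: int = 5          # SLA sliding window (firewall default is 30)
    down_after: int = 3           # consecutive failures before "link is down"
    up_after: int = 5             # consecutive responses before "link is up"
    max_latency_ms: float = 150.0
    max_jitter_ms: float = 50.0
    max_loss_pct: float = 0.0


@dataclass
class Verdict:
    t: float                      # seconds since monitoring started
    latency_ms: Optional[float]   # mean latency of answered probes in the window
    jitter_ms: Optional[float]    # mean change between consecutive latencies
    loss_pct: float
    sla_met: bool


class LinkMonitor:
    def __init__(self, cfg: HealthConfig):
        self.cfg = cfg
        self.window: Deque[Optional[float]] = deque(maxlen=cfg.sample_size)
        self.up = True
        self.consecutive_fail = 0
        self.consecutive_ok = 0
        self.probes = 0
        self.transitions: List[Tuple[float, str]] = []
        self.verdicts: List[Verdict] = []

    def probe(self, latency_ms: Optional[float]) -> Optional[Verdict]:
        """Feed one probe result (None = no response). Returns an SLA verdict
        once the window is full; before that the firewall has no verdict."""
        self.probes += 1
        t = self.probes * self.cfg.interval_s   # each probe is one interval after the last
        self.window.append(latency_ms)
        # Up/down uses consecutive counts, so one response resets the
        # failure count and one failure resets the response count.
        if latency_ms is None:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
            if self.up and self.consecutive_fail >= self.cfg.down_after:
                self.up = False
                self.transitions.append((t, "down"))
        else:
            self.consecutive_ok += 1
            self.consecutive_fail = 0
            if not self.up and self.consecutive_ok >= self.cfg.up_after:
                self.up = True
                self.transitions.append((t, "up"))
        if len(self.window) < self.cfg.sample_size:
            return None
        return self._verdict(t)

    def _verdict(self, t: float) -> Verdict:
        answered = [x for x in self.window if x is not None]
        loss = 100.0 * (len(self.window) - len(answered)) / len(self.window)
        latency = sum(answered) / len(answered) if answered else None
        jitter = None
        if len(answered) >= 2:
            diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]
            jitter = sum(diffs) / len(diffs)
        c = self.cfg
        met = (latency is not None and latency <= c.max_latency_ms
               and (jitter is None or jitter <= c.max_jitter_ms)
               and loss <= c.max_loss_pct)
        v = Verdict(t, latency, jitter, loss, met)
        self.verdicts.append(v)
        return v


def first_verdict_time(cfg: HealthConfig) -> float:
    """Time to the first SLA verdict: sample size multiplied by the interval."""
    return cfg.sample_size * cfg.interval_s


def simulate(cfg: HealthConfig, results: List[Optional[float]]) -> LinkMonitor:
    """Run a sequence of probe results (latency in ms, or None) through a monitor."""
    mon = LinkMonitor(cfg)
    for r in results:
        mon.probe(r)
    return mon


if __name__ == "__main__":
    # Constructed timeline: five good probes, an outage of three, then recovery.
    m = simulate(HealthConfig(), [20, 25, 22, 28, 24, None, None, None, 30, 30, 30, 30, 30])
    print("first verdict at", m.verdicts[0].t, "s:", m.verdicts[0])
    print("transitions:", m.transitions)
```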
SD-WAN Profiles - Monitoring

The SD-WAN monitoring graphs can be found in MONITOR & ANALYZE > Diagnostics > SD-WAN performance. The graphs provide current and historical data on latency, jitter, and packet loss for each of the gateways in the selected SD-WAN profile. The view can be changed to show graphs for Live, the last 24 and 48 hours, the last week, or the last month.

SD-WAN Logging

In the log viewer there is an SD-WAN module that allows you to focus on log entries specific to SD-WAN routing and health. Each log entry includes the SD-WAN rule ID and name for both the route request and the reply.

SD-WAN Routes

SD-WAN routes are configured in CONFIGURE > Routing > SD-WAN routes. Please note that separate SD-WAN routes need to be created for IPv4 and IPv6. SD-WAN routes are processed in order from the top down and the first match is used. SD-WAN routes can be reordered by dragging and dropping them.

SD-WAN Route Configuration

SD-WAN route configuration is made up of two parts: traffic selector and routing. Traffic can be selected based on the incoming interface. Please note that if you unbind the interface, the SD-WAN route will be deleted. Source, destination and service selectors work in the same way as for firewall rules. You can match based on the DSCP marking of packets:

- Expedited forwarding (EF): priority queuing that ensures low delay and packet loss. Suitable for real-time services
- Assured forwarding (AF): assured delivery, but with packet drop if congestion occurs. Assigns higher priority than best-effort
- Class selector (CS): backward compatibility with network devices that use IP precedence in type of service

You can also match on application objects and users or groups.
SD-WAN Route Configuration - Link selection

- Select the gateway using an SD-WAN profile
- Manually select a primary and backup gateway

In the ‘Link selection settings’ you can choose to either select the gateway based on an SD-WAN profile, or manually select a primary and backup gateway. If you delete the primary gateway or the SD-WAN profile, the SD-WAN route will be deleted, and the traffic will use WAN link load balancing. If you delete the backup gateway, the backup gateway will be set to ‘None’. Select Override gateway monitoring decision if you want to route traffic through the selected gateway even if the gateway is down.

SD-WAN Route Status

SD-WAN routes can have three statuses:
- Green when the primary or backup gateway is up, and the SD-WAN route is active
- Red when the gateways are down, the SD-WAN route is not active, and override gateway monitoring is off
- Yellow when the gateways are down, and override gateway monitoring is on. The SD-WAN route will be active in this case

You can see the status of the gateways and the monitoring setting by hovering your mouse over the SD-WAN route status icon.
Application-Based SD-WAN Routing Behaviour

- Application-based routing uses learned routes
  - The first connection from an application is routed via the default route
  - Once learned, subsequent connections will adhere to application-based routes
  - Note: learned application routes are flushed on reboot
- The DPI engine supports application-based routes for all applications
- The legacy web proxy does not support application-based routes for micro-apps
- Pattern applications and Synchronized Security applications are supported
- Application-based routes require an active Web Protection license
- One of the following conditions must be met:
  - Application classification is on
  - An application filter policy is applied to the firewall rule
  - The application is part of the offload signatures, and is flowing through snort

Application-based routing works using learned routes; this means that the very first connection from an application will be routed via the default route. Once the Sophos Firewall has learned and cached the association between the application and route, all subsequent connections will adhere to the application-based route. The DPI engine supports application-based routing for all applications; however, the legacy web proxy does not support this for micro-apps.

Application-based routes require an active Web Protection license and one of the following:
- Application classification is on, which it is by default
- An application filter is applied to the firewall rule
- Or the application is part of the offload signatures and is flowing through snort

[Additional Information]
In high availability, the cached application-based routing information is synchronized over the dedicated HA link using multicast IP 226.1.1.1 on port 4455.
SD-WAN Migrated IPv4 and IPv6 Policy Routes

Firewall rules no longer include routing settings. When you migrate from version 17.5 or earlier, Sophos Firewall migrates the routing settings in firewall rules as migrated SD-WAN routes. You can see them in the SD-WAN routing table. You can identify these migrated SD-WAN routes by the firewall rule ID and name. Note that this also applies to restoring a backup configuration file that was taken on version 17.5 or earlier.

The following rules apply to migrated routes:
- Sophos Firewall automatically prefixes the firewall rule ID to the SD-WAN route name
- Sophos Firewall uses the firewall rule ID to match traffic with migrated routes
- SD-WAN routes don’t have zone-based settings. When firewall rules specify the same source and destination networks, but different zones, individual SD-WAN routes that correspond to the firewall rules are created
- You can't change the sequence of migrated SD-WAN routes, since they correspond to the firewall rule sequence
- If you delete the firewall rule, the migrated SD-WAN route is deleted
- You can edit only the gateways and the gateway monitoring decision

Matching Reply Packets

- SD-WAN routes will match reply packets in new installations of Sophos Firewall
- SD-WAN routes will not match reply packets for upgrades or where a pre-v18 configuration file is restored
- Enable and disable routing reply packets with SD-WAN routes via the console

SD-WAN routes will match reply packets in new installations of Sophos Firewall. As this is a change of behaviour from previous versions of Sophos Firewall, SD-WAN routes will not match reply packets for upgrades or where a pre-v18 configuration file is restored. You can view and set the behaviour for SD-WAN routes on the console using the commands shown here.

[Additional Information]
show routing sd-wan-policy-route reply packet
set routing sd-wan-policy-route reply packet

Zones for Custom Gateways

Assign any zone to a custom gateway (except VPN)
- Custom gateways don’t participate in load balancing
- Custom gateway zones are not applied where a migrated SD-WAN route applies to the traffic
- VPN lookups are not performed when the WAN zone is marked through a gateway

You can create a virtual WAN zone on custom gateways for single-arm usage after deployment. This would primarily be in AWS or Azure. You can create more than one custom gateway, attaching different zones to each. Once configured, you can create access and security rules for traffic going to these zones.
For example, in a single VPC/vNet deployment in AWS or Azure, you may use this where the firewall serves as the next-hop for all traffic. It allows an admin to apply policies based on zones, for example WAN to DMZ instead of WAN to WAN in single-arm deployments. This configuration may also be used to add an extra layer of security to the internal network; for example, all east-west traffic between the DMZ and the user network can be routed through the firewall. The firewall can then enforce network security and validate access for that traffic.

Zones for Custom Gateways - Configuration steps

1. Custom gateway with zone
2. SD-WAN route selecting traffic for the gateway
3. Route precedence: SD-WAN route must be first
4. Firewall rule to allow traffic
5. NAT rule to perform DNAT and SNAT

There are five things to configure to use zones for custom gateways. First, you create the gateways with the custom zone attached, then you create SD-WAN routes to select the traffic and route it through your custom gateway. You may need to configure the route precedence so that SD-WAN routes match first. You will need to create a firewall rule for the traffic, and finally a NAT rule to perform DNAT and SNAT on the traffic.

Zones for Custom Gateways - Example

[Diagram: subnet 172.16.16.0/24; Sophos Firewall 172.16.16.16 with a single port configured in the WAN zone; gateway switch/router 172.16.16.250; server 172.16.16.10 as a custom gateway in the LAN zone]

Let's look at an example. Here we have a subnet 172.16.16.0/24. The Sophos Firewall has the IP address 172.16.16.16 in the WAN zone and uses 172.16.16.250 as its default gateway. There is another server on the same subnet with the IP address 172.16.16.10 that is in the LAN zone.
[Diagram: same topology; inbound traffic is sent to the Sophos Firewall at 172.16.16.16]

Inbound traffic is routed to the Sophos Firewall.

Zones for Custom Gateways - Gateways and SD-WAN routes

We can now look at the configuration of this. First, we have our gateways: GW is the default gateway on PortA in the WAN zone, and LAN is the server we have created the custom gateway for. Custom gateways do not participate in load balancing, so to use them you need to create SD-WAN routes for the traffic. Here we have created the HTTP_LAN rule that will match all HTTP traffic and route it to the custom gateway. So that the Sophos Firewall can still route HTTP traffic out to the Internet, we have also created an SD-WAN route that matches on traffic from the internal hosts and sends it to the default gateway. Remember, the default routing precedence is static routes, SD-WAN routes, and then VPN routes; you may need to adjust this so that the SD-WAN routes take precedence.

Zones for Custom Gateways - Firewall and NAT rules

Here we have created a firewall rule that will allow HTTP traffic from the WAN to the LAN where it is destined for the Sophos Firewall IP address. We also have a NAT rule that DNATs and SNATs the inbound HTTP traffic, and a second NAT rule to SNAT the outbound traffic from the LAN server.
Zones for Custom Gateways - conntrack

SFVUNL_HV01_SFOS 18.0.4 MR-4# conntrack -E | grep orig-dport=80
[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT orig-src=172.16.16.250 orig-dst=172.16.16.16 orig-sport=56060 orig-dport=80 [UNREPLIED] reply-src=172.16.16.10 reply-dst=172.16.16.16 reply-sport=80 reply-dport=56060 mark=0x4001 id=3702756992 masterid=0 devin=PortA devout=PortA nseid=16777421 ips=0 sslvpnid=0 webfltid=0 appfltid=0 icapid=0 policytype=1 fwid=2 natid=4 fw_action=1 bwid=0 appid=0 appcatid=0 hbappid=0 hbappcatid=0 dpioffload=0x1 sigoffload=0 inzone=2 outzone=1 devinindex=5 devoutindex=5 hb_src=0 hb_dst=0 flags0=0x400a0000200008 flags1=0x50400800000 flagvalues=3,21,41,43,54,87,98,104,106 catid=0 user=0 luserid=0 usergp=0 hotspotuserid=0 hotspotid=0 dst_mac=00:15:5d:02:05:58 src_mac=00:15:5d:02:05:12 startstamp=1616516496 microflow=INVALID microflow=INVALID hostrev=0 hostrev=0 ipspid=0 diffserv=0 loindex=5 tlsruleid=0 ips_nfqueue=1 sess_verdict=0 gwoff=0 cluster_node=0 current_state=31 current_state=0 vlan_id=0 inmark=0x8003 brinindex=0 sessionid=362 sessionidrev=27596 session_update_rev=2 dnat_done=3 upclass=0:0 dnclass=0:0 pbrid_dir0=3 pbrid_dir1=0 nhop_id=65535 nhop_id=65535 nhop_rev=0 nhop_rev=0 conn_fp_id=NOT_OFFLOADED

If we review the conntrack entry you can see that the zone for this connection is being changed from 2 (WAN) to 1 (LAN).
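Parsing an event like the one above programmatically, as an added Python example (not part of the course material and not Sophos code): the key=value format, the bracketed state flags and the repeated keys are handled, and the summary shows the WAN (2) to LAN (1) zone change, the DNAT of 172.16.16.16 to 172.16.16.10, and the marks (mark 0x4001 is the fwmark of the gw1 PBR rule in the ip rule listing earlier in the chapter). SAMPLE_EVENT is abridged from the chapter's conntrack line; ZONE_NAMES uses the zone ids the text explains.

```python
"""Parse a Sophos Firewall `conntrack -E` event and report the zone change
and route marks on the flow.

Added example, not Sophos code. SAMPLE_EVENT is abridged from the event
quoted in the chapter; ZONE_NAMES uses the zone ids the chapter explains
(2 = WAN, 1 = LAN). Marks are returned as integers so they can be matched
against the fwmark values in the ip rule listing (0x4001 = the gw1 PBR rule).
"""
from typing import Dict, List, Tuple

# Constructed from the chapter's conntrack line, with most counters removed.
SAMPLE_EVENT = (
    "[NEW] proto=tcp proto-no=6 timeout=120 state=SYN_SENT "
    "orig-src=172.16.16.250 orig-dst=172.16.16.16 orig-sport=56060 orig-dport=80 "
    "[UNREPLIED] reply-src=172.16.16.10 reply-dst=172.16.16.16 reply-sport=80 "
    "reply-dport=56060 mark=0x4001 id=3702756992 devin=PortA devout=PortA "
    "fwid=2 natid=4 inzone=2 outzone=1 microflow=INVALID microflow=INVALID "
    "inmark=0x8003 pbrid_dir0=3 pbrid_dir1=0 dnat_done=3 conn_fp_id=NOT_OFFLOADED"
)

ZONE_NAMES = {1: "LAN", 2: "WAN"}


def parse_event(line: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split one event into bracketed flags ([NEW], [UNREPLIED]) and key=value
    fields. Some keys repeat (microflow, hostrev, ...), so every value is kept."""
    flags: List[str] = []
    fields: Dict[str, List[str]] = {}
    for tok in line.split():
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
            continue
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {tok!r}")
        fields.setdefault(key, []).append(val)
    return flags, fields


def describe_flow(line: str) -> dict:
    """Summarise the routing-relevant parts of a conntrack event."""
    flags, f = parse_event(line)

    def first(key: str) -> str:
        return f[key][0]

    inzone, outzone = int(first("inzone")), int(first("outzone"))
    return {
        "event": flags[0],
        "unreplied": "UNREPLIED" in flags,
        "original": f"{first('orig-src')}:{first('orig-sport')} -> "
                    f"{first('orig-dst')}:{first('orig-dport')}",
        "reply": f"{first('reply-src')}:{first('reply-sport')} -> "
                 f"{first('reply-dst')}:{first('reply-dport')}",
        # DNAT shows up as the reply source differing from the original destination
        "dnat": first("orig-dst") != first("reply-src"),
        "zones": (ZONE_NAMES.get(inzone, str(inzone)), ZONE_NAMES.get(outzone, str(outzone))),
        "mark": int(first("mark"), 16),
        "inmark": int(first("inmark"), 16),
        "firewall_rule": int(first("fwid")),
        "nat_rule": int(first("natid")),
    }


if __name__ == "__main__":
    for key, value in describe_flow(SAMPLE_EVENT).items():
        print(f"{key:14} {value}")
```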
Chapter Review

Here are the three main things you learned in this chapter.

- Sophos Firewall marks incoming traffic with the matching routes and the destination zone before DNAT is applied. Routes are then processed in order of precedence before SNAT is applied.
- Sophos Firewall has the WAN link manager for configuring balancing and failover of Internet links. There is also the gateway manager for creating and managing custom gateways for SD-WAN routing.
- SD-WAN profiles provide link selection based on link quality and performance using latency, jitter, packet loss, or a combination of all three. SD-WAN routes provide powerful traffic selection options that can leverage SD-WAN profiles for link selection.