Managing SD-WAN routes
You can configure SD-WAN routes to dynamically route traffic through multiple gateways based on performance SLAs.
You can create IPv4 and IPv6 SD-WAN routes. You can optimize your WAN infrastructure, including MPLS, internet, LTE, and IPsec tunnel (XFRM) interfaces, routing outbound traffic based on users, groups, application objects, and network criteria, such as the incoming interface, source and destination networks, and services.
Sophos Firewall delivers zero-impact failover, rerouting connections seamlessly based on the SD-WAN profile you select in an SD-WAN route. SD-WAN profiles allow you to assign up to eight gateways, configure SLAs for latency, jitter, and packet loss, and configure health check targets.
SD-WAN reroutes connections to the next available gateway seamlessly. Suppose the gateway currently processing traffic goes down or doesn't meet the SLA any longer. The firewall seamlessly reroutes traffic to the next available gateway without any disconnection or impact to service. See SD-WAN profiles.
The firewall reroutes traffic under the following conditions:
- A gateway becomes unavailable or doesn't meet the SLA.
- The primary gateway or a high-priority gateway becomes available.
- If you edit the SD-WAN route or SD-WAN profile.
- If the route precedence changes.
You can do the following to configure and manage SD-WAN routes:
- To change the sequence of an SD-WAN route, drag and drop the route. Sophos Firewall evaluates routes in the order shown until it finds a match. Once it finds a match, it doesn't evaluate subsequent routes.
- Click More options for the following actions:
- To turn on or turn off a route, use the On or Off switch.
- To edit a route, click Edit .
- To clone a route, click Clone route at the bottom.
- To reset the data transfer count, click Reset data transfer count.
- To delete a route, click Delete.
Hover over the route's icon under Active to see the gateway status.
If you've selected SD-WAN profiles, the gateway statuses can be one of the following:
- In use
- In use, but SLA isn't met
- Available and SLA isn't met
If you've selected primary and backup gateways, the gateway statuses can be one of the following:
One of the gateways is up, and the route is live.
The gateway is down, and the route isn't live. Route only through specified gateways is off.
The gateway is down, and the route isn't live. Route only through specified gateways is on.
If the gateways you configure in the SD-WAN profile or the SD-WAN route aren't available, Sophos Firewall evaluates other SD-WAN routes. If it doesn't find another matching route, it applies the default route (WAN link load balancing), which load-balances traffic among the active WAN links. To see the active WAN links, go to Network > WAN link manager.
Routing follows the precedence you specify on the command-line interface. The default routing precedence is static, SD-WAN, and then VPN routes.
You can see the route precedence on Routing > SD-WAN routes.
How to see SD-WAN logs
SD-WAN logs show the health-check status and route changes triggered due to the health checks. SD-WAN logs include logs specific to an SD-WAN route, SD-WAN profile, and SD-WAN SLA.
SD-WAN logs also show the load-balancing status of the gateways:
To turn on SD-WAN logs, do as follows:
- Go to System services > Log settings.
- Select SD-WAN to turn on logs for the following:
- SD-WAN profile
- SD-WAN SLA
- SD-WAN route
To see the SD-WAN logs, do as follows:
- Click Log viewer in the upper-right corner.
Select SD-WAN in the module list.
To see the SD-WAN profile and route logs in the firewall logs, do as follows:
- Select Firewall in the module list.
Click the expand button next to the list.
Select the SD-WAN logs you want.