User and application-based SD-WAN routes
You can configure SD-WAN routes using users, groups, and application objects in addition to network criteria.
You can create user-based SD-WAN routes. For example, you can set Source network to LAN and select the Users or groups you want to specify for the route. The firewall matches the route with traffic from these users from the source network you've specified.
You must have an active Web Protection license.
SD-WAN routes can classify traffic based on applications. So, you can specify routes based on the application type. You can select the SD-WAN profile or gateways based on the application objects you select.
You can create application objects for web applications, micro apps, such as Facebook Messenger, Synchronized Security applications (discovered on endpoint devices), custom applications, and application categories based on the classification parameters.
The firewall matches the route with traffic to these application objects in the destination network you've specified.
Routing behavior for application traffic
WAN link load balance: The first connection from an application is routed using the default route (WAN link load balance). The application-based SD-WAN route applies to subsequent connections after Sophos Firewall learns the session details.
High availability: The cached application-based routing details are synchronized over the dedicated HA link using the multicast IP address 220.127.116.11 on port 4455.
Micro apps: Web proxy mode doesn't support application-based routing for micro apps. It supports only pattern applications and Synchronized Security applications. The DPI engine supports application-based routing for all applications, including micro apps.
How Sophos Firewall implements application routing:
- For the first connection, Sophos Firewall implements an SD-WAN route based on the matching destination port and IP address, protocol, and the inbound interface. If it doesn't find a matching route, it applies the default route (WAN link load balance).
The DPI engine identifies the application and caches the classification decision.
Based on the user's request, another application may take the original application's place within a single connection. For example, users may go to facebook.com first and then start Facebook chat. If the change occurs after the original application is identified, the DPI engine makes a new classification decision.
The new classification decision applies to subsequent connections of the application traffic.
The time to live (TTL) for application session details is 3600 seconds from the start of the session. If another session doesn't start within this period, the session details are purged. When you restart Sophos Firewall, the session details of all application objects are purged. Subsequent connections using the application go through the implementation process listed above.
How to configure user and application-based routing
- Go to Applications > Application object. Create an application object based on your business and user priority.
- Go to Routing > SD-WAN routes.
- Click IPv4 or IPv6 and click Add.
- Select the Source network and Users or groups.
- Select the Destination network and the Application object you created.
- Select an SD-WAN profile.
- Click Save.
Route the individual applications of a web application through different gateways.
For example, you can route Facebook games through a low-bandwidth ISP link and other Facebook apps through a high-bandwidth link.
Route critical applications and specific users or groups through high-bandwidth ISP or MPLS links.
Route application traffic based on users and groups.
- Route application and user traffic to specific servers or routers.