Filter subnets from using BGP

You might be able to achieve this using an SD-WAN policy route for the 200 subnet. For the 100 subnet, you can leave it as it is and it will be routed according to the routing table.

If you could provide a diagram, I would be able to give you further advise.

You might be able to achieve this using an SD-WAN policy route for the 200 subnet. For the 100 subnet, you can leave it as it is and it will be routed according to the routing table.

If you could provide a diagram, I would be able to give you further advise.

This is an interesting idea, but unfortunately one problem in this particular case might be that the neighbor is advertising all public prefixes for anything hosted in AWS, which is a large portion of the internet itself.  It would be therefore challenging to define the "destination networks" section of the SD-WAN policy, as there are thousands of advertised prefixes and they change dynamically.  Also, I'm not sure that the SSL VPN subnet would be able to use this policy, so anyone connected to our company's full tunnel VPN would also be unlikely to access any AWS-hosted website from their local browser.  Ideally, I would like to filter all subnets from using the BGP route by default and be able to specifically create a policy allowing the 100 subnet to use the BGP route.  But not sure if this is possible.

Hello.

It is possible to configure BGP filters in a Sophos XG, but Sophos them self have done a good job to hide it.

You can read more about it here. And there is an example there as well.

BGP - Route Filters - Discussions - XG Firewall - Sophos CommunityBGP - Route Filters - Discussions - XG Firewall - Sophos Community

In the end the implementation is more or less the same as Cisco so you can user there documentation about BGP and it should more or less work.

IP Routing: BGP Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3650 Switches) - BGP 4 Prefix Filter and Inbound Route Maps [Cisco Catalyst 3650 Series Switches] - Cisco

//Rickard