XG v18 SD-WAN policy routing in dual ISP WAN - doubling fw rules for what?

Hey SimoXGFW, Thanks for reaching out to Sophos Community.

With v18 Firewall rules are decoupled from Gateway selection and NAT. Considering you've migrated configurations from v17.5 to v18, You'd be having the SD-WAN rules that are mapped to specific firewall rules (configured in v17.5). 

You don't need to replicate each Firewall rule in the SD-WAN policy route. Since you only have two ISPs and the Primary ISP is serving all the traffic unless it goes down, You'll only need to add one SD-WAN Policy route, Define Source network, and the incoming Interface with Destination to ANY and select Active and Backup Gateways.

Optionally, Since you've only 2 ISPs, You can change the gateway type to active or backup for the specific ISPs and don't make changes into SD-WAN Policy routes. Although this can become ambiguous if you decide to add a third ISP in the future :) 

Hey SimoXGFW, Thanks for reaching out to Sophos Community.

With v18 Firewall rules are decoupled from Gateway selection and NAT. Considering you've migrated configurations from v17.5 to v18, You'd be having the SD-WAN rules that are mapped to specific firewall rules (configured in v17.5). 

You don't need to replicate each Firewall rule in the SD-WAN policy route. Since you only have two ISPs and the Primary ISP is serving all the traffic unless it goes down, You'll only need to add one SD-WAN Policy route, Define Source network, and the incoming Interface with Destination to ANY and select Active and Backup Gateways.

Optionally, Since you've only 2 ISPs, You can change the gateway type to active or backup for the specific ISPs and don't make changes into SD-WAN Policy routes. Although this can become ambiguous if you decide to add a third ISP in the future :) 

Hi Davesh and thank you for the reply,

I said that the main use of the ISP2 is as a backup link, not the only use.

I need to force specific traffic of some firewall rules in reverse order, so normally on the backup link, and if the backup link goes down I need them to switch to the main link, and more I need to route some traffic ONLY through ISP1 or the other ISP2, what then?

Generally speaking, If any of the customers aren't in the straight load balancing or failover configurato but got some specific traffic to handle, is my question still valid? Do I have to replicate exactly all the firewall rules to the SD-WAN policy routing ? 

EDIT: I noticed you write about setting up gateways as active and backup. I already have this setup and I0ve always handled everything from the firewall policies before, do I have to setup both link as Active and mange them with SD-WAN policies?

Best Regards,

Simo

Try: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/121408/routing-in-xgv18-with-sd-wan-pbr

Basically routing and other stuff are decoupled. Firewall, NAT etc. 

Backup/Active interfaces are the last Ressource and are overwritten by Sd-WAN. 

Thanks and Ok for the Active / Backup concept, but what about specific Firewall rules that need to go only to one ISP , or reversed ISP preference ( first on ISP2 if fails ISP1 ) ? do I need to mirror them, even on the ports to avoid mistakes if the traffic match another rule?

See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/life-of-a-packet-sophos-firewall

Firewall is matching before the SD-WAN Routing comes into place. 

Ok, let's say that I decide that my approach is to write SD-WAN rules with "any" ports to try to simplify things, the specific traffic can be caught in another newer rule, I cannot keep track I have 130 firewall rules. So if my approach is more "any" destination "any" ports I can simplify things, but if I want to be strict and I have a lot of firewall rules and I start cloning them to SD-WAN I could loose the track and I must be extremely precise every time I make a new rule, am I wrong in that?