SD-Wan to communicate with Sophos central / live protection

Hello Moritz_Max ,

Thank you for reaching out to the community, the following link will guide you to choose between: "Traditional Settings For Primary and Backup Gateway:" and "New SD-WAN Profile Settings From v19 Onwards:" - Sophos Firewall v19: How to Choose The Gateway For A Firewall Rule 

i know how to setup an SD wan, the question is what is the best setting for an SD Wan to route traffic to sophos.
1: Which destinations i should route?
2: which IP i should probe to check the gateway connection quality to Sophos?

Hey Moritz_Max ,

That strictly depends on your requirement, we have given two methods. with the New SD-WAN you can check the link status and the historical performance, enables performance-based SLA link selection and routing based on real-time packet loss, jitter and latency with zero-impact rerouting of application traffic when transitioning between links. Performance monitoring criteria includes jitter, latency and packet loss and can utilize multiple probe targets for PING and TCP probes. SD-WAN profiles automatically select the best link based on performance or according to your custom SLA policies that define specific values for maximum acceptable jitter, latency, or packet loss before re-routing over a better performing link.

Hey Moritz_Max ,

That strictly depends on your requirement, we have given two methods. with the New SD-WAN you can check the link status and the historical performance, enables performance-based SLA link selection and routing based on real-time packet loss, jitter and latency with zero-impact rerouting of application traffic when transitioning between links. Performance monitoring criteria includes jitter, latency and packet loss and can utilize multiple probe targets for PING and TCP probes. SD-WAN profiles automatically select the best link based on performance or according to your custom SLA policies that define specific values for maximum acceptable jitter, latency, or packet loss before re-routing over a better performing link.

please read my question.
this is specific to Sophos online services and you should know the needed destinations and best IP's.

In that case Moritz_Max - following covers it all Domains and ports to allow

ok these domains are helpful already.
But the problem is they are domain names. For the Health Check i can only enter an IP andres.


so i did ping that domain and used the ip address as Health check probe target.






3 pings, 3 different IP addresses.
That is not very helpful to establish a reliable SD Wan connection to Sophos.

of course with this number of Sophos Domains,  it is not a feasible idea to keep a SD-WAN, I would suggest use the traditional method and prioritize the 443/80 traffic with the all the destination domains mentioned in the KBA above !!