making new gateway for DMZ traffic

Hi ,Sophos User1175  Thank you for reaching out to the Sophos community team. The above action or steps are fine and below is also another possible way.

If this new WAN gateway is only for DMZ and WiFi then when you are adding it on XG you may set that is in the backup gateway type in place of an active gateway which will in the later part eliminate 2 SD-WAN routes creation activity. i.e. with this new gateway as in backup 1st SD-WAN rule to route any source via WAN1 will not be required. if you will set this new WAN as in backup gateway. (NAT rule changes will required in both the scenario to have NAT action in place).

regarding the "sd wan routes"

if i make one "sd wan route" for WIFI with a "source networks" of 10.110.22.0/24

and the other "sd wan route" for all the other subnet LANS that i have got and if i put "ANY" in the "source networks" wont 10.110.22.0/24 fall in "ANY"

so do i need to narrow it down?

sorry i dont get what your on about when you say make this new WAN2 a "backup" type

so what your saying is make the new WAN as a "backup" and create a new NAT rule for that one subnet to use the new WAN interface

so no more need for the sd wan routes?

Hello Sophos User1175 , if you have more than 1 ISP and if you want to create another ISP act as a backup gateway then under the WAN link manager > select the that another ISP and select the option as backup as demonstrated by Vishal_R in the screenshot above !

i dont want to create one ISP as active and the other ISP as backup, i want them all as active, one LAN to go out WAN1 and another LAN to go out WAN2

In that case SD-WAN can help, please refer the recommended read -  Sophos Firewall v19: How to Choose The Gateway For A Firewall Rule

Configure SD-WAN routes

so what Vishal_R wont work then?

Based on your requirement i.e. you want LAN1 to go out from ISP1 and LAN2 to go out from ISP2.

You can use SD-WAN, you can refer the doc Gateways and Add a gateway

Assuming you have 2 ISP and 2 LAN already, you can define it under the SD-WAN policy routing by creating two separate SD-WAN rules

SD-WAN rule 1
Source network as LAN1
Primary gateway as ISP1

SD-WAN rule2
Source network as LAN2
Primary gateway ISP2

Based on your requirement i.e. you want LAN1 to go out from ISP1 and LAN2 to go out from ISP2.

You can use SD-WAN, you can refer the doc Gateways and Add a gateway

Assuming you have 2 ISP and 2 LAN already, you can define it under the SD-WAN policy routing by creating two separate SD-WAN rules

SD-WAN rule 1
Source network as LAN1
Primary gateway as ISP1

SD-WAN rule2
Source network as LAN2
Primary gateway ISP2

what about SNAT, do i put in outbound interface ANY or WAN1 and WAN2?

Yes Creating a source NAT rule should also help !

so instead of creating 2 sd wan routes

source networks LAN1 network to gateway WAN1

source networks LAN2 network to gateway WAN2

i can do

create 2 SNAT rules

inbound interface LAN1 interface to outbound interface WAN1

inbound interface LAN2 interface to outbound interface WAN2

Yes Please

sorry i dont know if we replied same time, il repeat

so instead of creating 2 sd wan routes

source networks LAN1 network to gateway WAN1

source networks LAN2 network to gateway WAN2

i can do

create 2 SNAT rules

inbound interface LAN1 interface to outbound interface WAN1

inbound interface LAN2 interface to outbound interface WAN2

will that work?

Yes Sophos User1175 you'll have to create two rules for each LAN 

do you mean create two NAT ie SNAT MASQ rules, one for LAN1 interfaces and the other for LAN2 interface

Yes Sophos User1175 
That's correct LAN1 with ISP1 and LAN2 with ISP2, in the end that's your requirement right ?