SD-WAN Connection groups - what is the difference between SD-WAN Profile and Primary and Backup Gateway options?

Hello balletbob ,

Thank you for reaching out to the community, the follow recommended read will clarify your doubts - Sophos Firewall v19: How to Choose The Gateway For A Firewall Rule 

"SD-WAN profile"

Software-defined WAN (SD-WAN) adds a layer of software intelligence to your WAN infrastructure.

SD-WAN routes deliver zero-impact failover with performance SLAs for multiple gateways, enabling you to optimize your WAN infrastructure. See SD-WAN routing behavior.

You can route traffic based on applications, users and groups, and network criteria, such as the incoming interface, source and destination networks, and services. You can implement Service Level Agreements (SLA) for gateway performance.

You can use SD-WAN profiles to define an SD-WAN routing strategy across multiple gateways in your SD-WAN network. With two or more gateways configured in your network, you can use an SD-WAN profile to route traffic based on the availability or performance of the gateways. This approach optimizes the performance of your SD-WAN network and helps ensure continuity in the event of an ISP disruption.

Where as "Primary and Backup gateways."

Just helps you route the traffic through a certain gateway you can opt to select the Primary gateway and the Backup gateway.

If you delete the backup gateway, Sophos Firewall sets the backup gateway to None. If the primary gateway goes down, Sophos Firewall routes traffic through the backup gateway. When the primary gateway comes back up, Sophos Firewall routes new connections through it. Existing connections continue to use the backup gateway.

If you delete the SD-WAN profile or the primary gateway, Sophos Firewall deletes the route and implements the default route (WAN link load balance), which load-balances traffic among the active WAN links.

So in summary of what you've shared, the SD-WAN profile is adding the SD-WAN routing rules, where as the Primary Backup option uses standard routing?

Are both automatically configuring the IPSEC VPN tunnel the same way?

I'm not sure why this was moved to the Firewall area from the Central area.
Yes the question does relate to Firewalls, but was specifically asking about the Central config. Configuring an SD-WAN policy on the firewall doesn't do what configuring things from Central does and what I was specifically asking about.

So in summary of what you've shared, the SD-WAN profile is adding the SD-WAN routing rules, where as the Primary Backup option uses standard routing?

Are both automatically configuring the IPSEC VPN tunnel the same way?

I'm not sure why this was moved to the Firewall area from the Central area.
Yes the question does relate to Firewalls, but was specifically asking about the Central config. Configuring an SD-WAN policy on the firewall doesn't do what configuring things from Central does and what I was specifically asking about.

Hello balletbob ,

For SD-WAN Orchestration I recommend you a read here - Sophos Firewall: Managing Firewall and SD-WAN Orchestration

And when you opt for this, all the respective rules and IPsec tunnel and xfrm interfaces are created automatically on the Sophos Firewall.