Sophos Firewall: How to prioritize the traffic via SD-WAN for the applications

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

With the SD-WAN introduction, we can prioritize the traffic for applications such as Teams, Zoom, Google Meet, etc. You can follow the KBA How to Choose the Gateway for A Firewall Rule for gateway selection. Here we'll learn how to configure an SD-WAN rule for the applications.

SD-WAN Application Object configurations

Step 1: Add a new Application Object

Go to CONFIGURE > Routing > SD-WAN policy routing > IPv4 SD-WAN policy route > Add
Under Application Object > Add new item > Create new


Here you can either filter by the category you want to allow, or select specific applications with the help of a smart filter. The two options are shown in the screenshots (not reproduced here):

Category

Smart Filter


Step 2: Choosing a Gateway

You can specify the desired local network under the Source network section, and you can also specify explicit services under the Services section. Under the Routing section, you can set the desired gateway from the available WAN links. See the KB article How to Choose the Gateway for A Firewall Rule.




Step 3: SD-WAN Policy Routing

Under CONFIGURE > Routing > SD-WAN policy routing you'll be able to see the route precedence.
By default, the precedence is set to static, then SD-WAN, and then VPN routes.

Step 4: Show Route Precedence

On the CLI, select option 4 (Device Console).


➢ To check the route precedence:
#system route_precedence show
➢ To change the precedence and have SD-WAN policy routes evaluated first:
#system route_precedence set sdwan_policyroute static vpn
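The effect of the precedence order on a Teams flow, modelled in Python as an added illustration (this is not Sophos code; the "first matching table decides" behaviour, the 52.112.0.5 address and the WAN1/WAN2 gateway names are assumptions made for the example):

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TABLES = ("static", "sdwan_policyroute", "vpn")
DEFAULT_PRECEDENCE = list(TABLES)  # static, then SD-WAN policy routes, then VPN

@dataclass
class Route:
    table: str                   # one of TABLES
    dst: ipaddress.IPv4Network   # destination network the route covers
    gateway: str                 # WAN link / interface the flow is sent to
    app: Optional[str] = None    # SD-WAN routes may also match an application object

def parse_precedence_command(cmd: str) -> List[str]:
    """Turn 'system route_precedence set <t1> <t2> <t3>' into an ordered list.
    Each of the three tables must appear exactly once."""
    tokens = cmd.split()
    if tokens[:3] != ["system", "route_precedence", "set"] or len(tokens) != 6:
        raise ValueError("expected: system route_precedence set <t1> <t2> <t3>")
    order = tokens[3:]
    if sorted(order) != sorted(TABLES):
        raise ValueError(f"precedence must list each of {TABLES} exactly once")
    return order

def lookup(routes: List[Route], dst_ip: str, app: Optional[str],
           precedence: List[str]) -> Optional[str]:
    """Simplified model (assumption): tables are consulted in precedence order
    and the first table holding a matching route decides. Under the default
    order a catch-all static route therefore wins over an application-specific
    SD-WAN route; moving sdwan_policyroute first changes that."""
    ip = ipaddress.ip_address(dst_ip)
    for table in precedence:
        matches = [r for r in routes if r.table == table and ip in r.dst
                   and (r.app is None or r.app == app)]
        if matches:
            # longest prefix wins inside the table that was reached first
            return max(matches, key=lambda r: r.dst.prefixlen).gateway
    return None

# Constructed sample routing state: a default static route via WAN1 and an
# SD-WAN policy route that steers Teams traffic out via WAN2.
ROUTES = [
    Route("static", ipaddress.ip_network("0.0.0.0/0"), "WAN1"),
    Route("sdwan_policyroute", ipaddress.ip_network("0.0.0.0/0"), "WAN2", app="Teams"),
]

if __name__ == "__main__":
    sdwan_first = parse_precedence_command("system route_precedence set sdwan_policyroute static vpn")
    print(lookup(ROUTES, "52.112.0.5", "Teams", DEFAULT_PRECEDENCE))  # WAN1: static route still wins
    print(lookup(ROUTES, "52.112.0.5", "Teams", sdwan_first))         # WAN2: SD-WAN route now applies
```

The second lookup is the outcome the Step 4 `set` command is meant to produce; with the default order the SD-WAN policy route for Teams is never reached.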

How to Choose the Gateway for A Firewall Rule

I hope this article has helped you achieve your requirement!



Updated Disclaimer
[edited by: Erick Jan at 1:18 PM (GMT -7) on 17 Apr 2023]

Top Replies

  • In general, you are trying to cover an additional use case, which is currently "not practical to do". As of today, Profiles are being used to monitor the "general availability of the link". This means it is not aware of the application behind it. This will likely resolve most of the cases and work fine for most services.

    You want to build service-aware monitoring, which could potentially detect an outage. For example, SD-WAN monitoring for Teams, so if Teams fails via one link, it could potentially fail over. The point is, situations where one service is "slow" or not available via one link and not the other are quite rare. Just some examples: geo blocking, IP blacklisting, major ISP outage for a certain service(s).

    In general, if you start to monitor, for example, simply Google DNS on port 53, you would have general knowledge about the current situation of the link. You will not see if the service Teams fails. But in most cases, the service Teams will fail for every other peer as well (ISP2 etc.). Or if the ISP has a problem, the general monitoring of Google DNS will reflect this.

    Long story short, there are plans to build a service to do this, but it is "not that important from my point of view", as you will cover the majority of cases with the general monitoring of the interface with one peer.
