Check Sophos Firewall Cellular WAN and 4G/5G Failover
Cellular WAN on a Sophos Firewall is usually not the primary internet connection but a backup line: if the fibre, DSL, or cable line fails, a 4G or 5G connection should keep essential services accessible. That is why Cellular WAN should not be tested for the first time when a disruption is already under way.
In practice, failover rarely fails due to a single issue. More often, SIM/PIN, APN, poor signal quality, an incorrectly created gateway, incorrect SD-WAN health checks, or missing fallback logic are involved. This article explains how to plan, test, and narrow down common errors with Cellular WAN.
For basic work with interfaces, zones, and gateways, first refer to Configure Sophos Firewall Zones and Interfaces. For routing of firewall-owned traffic, additionally refer to Check Sophos Firewall SD-WAN Routing for Reply Packets and System Traffic.
When Cellular WAN is Useful
Cellular WAN is primarily suitable as an operational and emergency component. It does not replace a properly dimensioned main line but can make critical locations more stable.
Typical use cases:
- Small office with 4G/5G backup for internet access
- Branch with SD-WAN failover during provider disruption
- Temporary location without a fixed line
- Backup path for monitoring, support access, or central services
- Fallback for site VPN if bandwidth and tariff allow
Before rollout, it should be clear which services must continue to run during failover. An LTE or 5G link with limited data volume is usually not intended to carry the entire normal site traffic permanently.
Limitations and Important Decisions
Cellular WAN comes with its own limitations. These points should be clarified before configuration:
| Topic | Why it is important |
|---|---|
| Data volume | An unfiltered site can quickly consume a mobile data allowance. |
| CGNAT | Many mobile providers do not provide a directly reachable public IPv4 address. Incoming services and some VPN scenarios must then be planned differently. |
| Signal quality | A visible network is not enough. Weak signal values lead to packet loss, latency spikes, and unstable failover tests. |
| Provider firewall | Some tariffs block incoming connections or certain protocols. |
| HA | Cellular WAN must be disabled in Sophos Firewall HA environments. This should be checked before an HA design. |
| Monitoring | Failover must be actively monitored. Otherwise, it is often only noticed during a disruption that the backup line is not working. |
For HA environments, Sophos Firewall HA Cluster Variants and Operation is relevant because Cellular WAN cannot be treated like a normal synchronised interface there.
Prerequisites
Before setup, these points should be ready:
- Supported 4G/5G modem or integrated cellular module
- Active SIM card with appropriate data plan
- PIN, if the SIM is not operated without a PIN
- Provider’s APN
- Optional username and password of the provider
- Information on whether the provider uses public IP, private IP, or CGNAT
- Desired zone of the Cellular WAN interface
- Planned SD-WAN or gateway failover logic
- Test window in which the main line can be briefly deactivated
If the cellular line is to serve productively as a fallback, it should also be clarified who is responsible for the tariff, data volume, SIM lock, replacement hardware, and regular tests.
Setting Up Cellular WAN
The exact interface may vary slightly depending on the SFOS version, hardware model, and modem. However, the practical process remains the same: detect the modem, correctly set SIM and APN, check interface and gateway, then test the failover path.
1. Prepare Modem and SIM
First, the modem or cellular module should be prepared without hasty firewall changes.
Check:
- SIM is active and not locked.
- PIN is known or disabled on the SIM if the operating model allows it.
- APN corresponds to the business tariff, not an incorrect consumer or IoT profile.
- Antennas are correctly connected and sensibly positioned.
- Location has sufficient reception for the desired provider.
For external antennas, not only the signal strength but also the cable routing should be considered. Long or poor antenna cables can negate the advantage of a better antenna position.
2. Check Cellular WAN Interface
After inserting the modem, the Sophos Firewall should create or offer to configure a corresponding interface or gateway.
Check:
Network > Interfaces
Important are:
- Interface is active.
- Zone is deliberately set, usually WAN.
- IP address is obtained.
- Gateway is created.
- DNS or provider parameters match the planned operation.
- Interface is not accidentally part of an unsuitable design like LAG or HA.
If the interface does not appear, the modem should first be recognised. Only then check APN, PIN, and gateway.
3. Plan Gateway and SD-WAN Profile
A Cellular WAN gateway should not simply be placed alongside the main line unchecked. What matters is when the firewall considers the link active and which traffic is allowed to run over it during failover.
Check:
Routing > Gateways
Routing > SD-WAN profiles
Routing > SD-WAN routes
For many environments, a clear first-available or SLA-based design is sensible:
- Prefer main line.
- Use Cellular WAN only in case of failure or poor main line.
- Set health check with sensible probe targets.
- Prioritise business-critical targets.
- Limit bandwidth-intensive or non-critical services during failover.
For SD-WAN health checks, do not rely on a single internal or external address if that can cause false failures. SD-WAN profiles can use health checks with ping or TCP and up to two probe targets. In cellular environments, a TCP probe is often a realistic addition because ICMP is frequently dropped along the path.
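The effect of a single probe target versus two targets with a failure threshold, as an added simulation that is not Sophos code and not the exact SFOS decision logic. The probe addresses are RFC 5737 placeholder values, the decision rule (a round is good if any target answers; down after three bad rounds, up after three good rounds) is an assumption, and the probe history is constructed to show ICMP being lost en route while TCP still answers, followed by a real outage:

```python
"""Added example, not Sophos code: a simulation of an SD-WAN style gateway
health check. It shows why a single ICMP probe target with transient loss
produces a false failover, while two probe targets (ping plus TCP) with a
failure threshold only mark the gateway down on a real outage.
The decision rule below is an assumption for illustration, not the exact
SFOS implementation; all probe results are constructed."""

# Placeholder probe targets (RFC 5737 documentation addresses, assumed values)
PING_TARGET = "icmp:198.51.100.10"
TCP_TARGET = "tcp:203.0.113.20:443"


class GatewayHealth:
    """A probe round counts as good if ANY configured target answers.
    The gateway goes DOWN after fail_threshold consecutive bad rounds and
    comes back UP after recover_threshold consecutive good rounds."""

    def __init__(self, targets, fail_threshold=3, recover_threshold=3):
        self.targets = tuple(targets)
        self.fail_threshold = fail_threshold
        self.recover_threshold = recover_threshold
        self.up = True
        self.bad_rounds = 0
        self.good_rounds = 0
        self.transitions = []  # (round number, "DOWN" / "UP")

    def feed(self, round_no, results):
        """results maps target -> True (answered) / False (lost)."""
        if any(results[t] for t in self.targets):
            self.good_rounds += 1
            self.bad_rounds = 0
        else:
            self.bad_rounds += 1
            self.good_rounds = 0
        if self.up and self.bad_rounds >= self.fail_threshold:
            self.up = False
            self.transitions.append((round_no, "DOWN"))
        elif not self.up and self.good_rounds >= self.recover_threshold:
            self.up = True
            self.transitions.append((round_no, "UP"))
        return self.up


def constructed_probe_series():
    """Constructed probe history, one (round, results) pair per round:
    rounds 1-3 all good, rounds 4-6 ICMP dropped en route while TCP still
    answers (typical on cellular), rounds 7-9 all good, rounds 10-14 a real
    outage where nothing answers."""
    series = []
    for r in range(1, 15):
        icmp_ok = not (4 <= r <= 6 or r >= 10)
        tcp_ok = r < 10
        series.append((r, {PING_TARGET: icmp_ok, TCP_TARGET: tcp_ok}))
    return series


def simulate(targets, series=None):
    """Replay the probe series through a health check and return the
    list of state transitions it produced."""
    hc = GatewayHealth(targets)
    for round_no, results in (series or constructed_probe_series()):
        hc.feed(round_no, results)
    return hc.transitions


if __name__ == "__main__":
    # Single ICMP target: false DOWN at round 6, UP at 9, real DOWN at 12.
    print("single ICMP target:", simulate([PING_TARGET]))
    # ICMP + TCP: only the real outage is detected, DOWN at round 12.
    print("ICMP + TCP targets:", simulate([PING_TARGET, TCP_TARGET]))
```

The single-target run flaps (down, up, down) although the link was healthy until round 10; the two-target run produces exactly one transition at the real outage. The same replay approach can be used to sanity-check threshold and interval values against packet-loss patterns recorded at a site before trusting the failover in production.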
Check Signal Strength via CLI
Since SFOS 22.0 MR1, the Sophos release notes mention the CLI command:
system cellular_wan show
This command is useful if the interface page only shows roughly that Cellular WAN is connected but you need signal or modem details. It should be run deliberately and its output documented, especially at locations with unstable cellular coverage.
⚠️ CLI access should only be from trusted admin networks. Before use, Connect to Sophos Firewall via SSH and check access hardening via Device Access and Local Service ACL.
Practically, signal values should not be read just once. A short series of measurements is better:
- Normal operation
- After antenna change
- In bad weather or expected load
- During active failover
- After location or provider change
If signal quality fluctuates greatly, the routing configuration is not the actual cause. Then antenna position, provider coverage, module, SIM, and location should be checked first.
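One way to evaluate such a measurement series, as an added example that is not Sophos code: the readings are constructed RSRP values for the five measurement points listed above, and the quality bands and the stability thresholds are assumed rules of thumb, not Sophos values. What `system cellular_wan show` actually prints depends on modem and SFOS version, so the values would be copied from its output by hand.

```python
"""Added example, not Sophos code: assess a short series of cellular signal
readings taken at different measurement points. Readings, quality bands and
thresholds are constructed/assumed for illustration."""
from statistics import mean

# Assumed RSRP bands in dBm (common LTE rules of thumb, not Sophos values);
# the first floor a reading reaches decides the band.
BANDS = [(-80, "excellent"), (-90, "good"), (-100, "fair"), (float("-inf"), "poor")]


def band(rsrp_dbm):
    """Map an RSRP reading in dBm to an assumed quality band."""
    for floor, name in BANDS:
        if rsrp_dbm >= floor:
            return name


def assess(readings, max_spread_db=10, min_rsrp_dbm=-100):
    """readings: list of (measurement point, rsrp_dbm).
    The link counts as unstable if the readings spread more than
    max_spread_db or the worst reading falls below min_rsrp_dbm;
    in that case antenna, coverage and SIM come before routing."""
    values = [v for _, v in readings]
    spread = max(values) - min(values)
    worst_point, worst = min(readings, key=lambda r: r[1])
    unstable = spread > max_spread_db or worst < min_rsrp_dbm
    return {
        "mean_dbm": round(mean(values), 1),
        "spread_db": spread,
        "worst": (worst_point, worst, band(worst)),
        "verdict": ("check antenna position, coverage, module and SIM first"
                    if unstable else "signal stable, look at routing and rules"),
    }


# Constructed readings, one per measurement point from the list above
CONSTRUCTED = [
    ("normal operation", -85),
    ("after antenna change", -78),
    ("bad weather", -97),
    ("during failover", -103),
    ("after provider change", -88),
]

if __name__ == "__main__":
    for key, value in assess(CONSTRUCTED).items():
        print(f"{key}: {value}")
```

A spread of 25 dB with a reading in the poor band during failover is the pattern the paragraph above describes: the routing configuration is not the first thing to look at. Recording the series per site makes later comparisons after antenna or provider changes straightforward.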
Test Failover
A failover test should be planned and conducted traceably. Simply pulling the main line and then only opening a browser is insufficient.
Before the test:
- Backup of the firewall configuration available.
- Expected primary and backup path documented.
- Affected users or site managers informed.
- Data volume and tariff limits known.
- Log Viewer and monitoring opened.
Test procedure:
- Check initial state: main gateway active, Cellular WAN gateway ready.
- Generate test traffic, e.g., DNS, HTTPS, RDP, VPN, or a defined business application.
- Deactivate the main line in a controlled way, or deliberately make the gateway health check fail.
- Check if SD-WAN or gateway failover switches to Cellular WAN.
- In Log Viewer, check which firewall rules and paths are hit.
- Test reachability of the most important targets.
- Restore the main line.
- Check if the firewall switches back cleanly or deliberately stays on the backup path.
For rule and path checks, refer to Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture. If MTU or fragmentation issues occur, Check Sophos Firewall MTU and MSS for VPN Issues should be included.
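A small harness for recording the test procedure above in its three phases (initial state, main line failed, main line restored) and evaluating the outcome, as an added example that is not Sophos code. The target list, the probe helpers and the constructed results are assumptions for illustration; the path column is what the admin reads from the gateway status or Log Viewer for each phase, because a client behind the firewall cannot see which gateway was used.

```python
"""Added example, not Sophos code: record a failover test in three phases
and evaluate it. Targets, probe helpers and constructed results are
assumptions; the observed path per phase is entered by the admin from
gateway status / Log Viewer."""
import socket
import time

# (label, probe kind, endpoint, critical) -- assumed sample targets
TARGETS = [
    ("dns", "dns", "example.com", True),
    ("https", "tcp", ("example.com", 443), True),
    ("rdp", "tcp", ("rdp-jump.example", 3389), True),
    ("bulk", "tcp", ("mirror.example", 443), False),
]

PHASES = ("initial", "failover", "restored")


def probe_dns(name):
    """DNS resolution through whichever path the firewall currently uses."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def probe_tcp(endpoint, timeout=3.0):
    """TCP connect only; enough to prove path, firewall rule and NAT."""
    try:
        with socket.create_connection(endpoint, timeout=timeout):
            return True
    except OSError:
        return False


REAL_PROBES = {"dns": probe_dns, "tcp": probe_tcp}


def run_phase(phase, path_seen, probes=REAL_PROBES, targets=TARGETS):
    """Probe every target once and record result and round-trip time."""
    results = {}
    for label, kind, endpoint, critical in targets:
        t0 = time.monotonic()
        ok = probes[kind](endpoint)
        results[label] = {"ok": ok, "critical": critical,
                          "ms": round((time.monotonic() - t0) * 1000)}
    return {"phase": phase, "path": path_seen, "results": results}


def evaluate(report, expected_path):
    """expected_path maps phase -> 'primary' or 'cellular'. If the design
    deliberately stays on the backup path after restore, put 'cellular'
    for 'restored'. Returns findings; an empty list means the test passed."""
    findings = []
    for entry in report:
        phase = entry["phase"]
        if entry["path"] != expected_path[phase]:
            findings.append(f"{phase}: traffic on {entry['path']}, "
                            f"expected {expected_path[phase]}")
        for label, r in entry["results"].items():
            if r["critical"] and not r["ok"]:
                findings.append(f"{phase}: critical target {label} unreachable")
    return findings


def constructed_run():
    """Offline stand-in for a real test: results are constructed, not
    measured. RDP fails during failover (e.g. CGNAT or a provider filter)
    and the firewall never switches back after the main line is restored."""
    unreachable = {"initial": set(), "failover": {"rdp", "bulk"}, "restored": set()}
    path_seen = {"initial": "primary", "failover": "cellular", "restored": "cellular"}
    report = []
    for phase in PHASES:
        down = {ep for label, _, ep, _ in TARGETS if label in unreachable[phase]}
        fake = {"dns": lambda ep, down=down: ep not in down,
                "tcp": lambda ep, down=down: ep not in down}
        report.append(run_phase(phase, path_seen[phase], probes=fake))
    return report


if __name__ == "__main__":
    expected = {"initial": "primary", "failover": "cellular", "restored": "primary"}
    for finding in evaluate(constructed_run(), expected) or ["PASS"]:
        print(finding)
```

In a real test the phases are run one after another with `run_phase("failover", "cellular")` called while the main line is down, using the real probes and the path read from the firewall. Non-critical targets such as the bulk mirror are allowed to fail during failover, which matches the recommendation to limit non-critical services on the cellular path; a critical target failing, or the firewall not switching back as documented, is what the findings list surfaces.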
Logs and Diagnosis
Cellular WAN issues are spread across multiple log sources. A single log rarely proves the entire cause.
| Question | Typical Check |
|---|---|
| Is the modem recognised? | mdev.log, syslog.log |
| Is an interface created? | networkd.log |
| Is a gateway active? | Gateway status, dgd.log, Log Viewer |
| Is the correct route applied? | SD-WAN route, routing table, Log Viewer |
| Is traffic blocked? | Firewall rule, NAT, web filter, Application Control |
| Is there packet loss or fragmentation? | Packet Capture, iPerf, MTU/MSS check |
The most important log files are categorised in the article Correctly Assign Sophos Firewall Service Logs.
Common Error Patterns
Modem Not Recognised
First check physical points: module, USB port, power supply, antennas, supported hardware, and firmware status. Then check mdev.log and syslog.log. If the modem is not recognised at all, APN or SD-WAN are not yet relevant.
SIM is Active, but No Connection
Then PIN, APN, provider profile, or reception are usually involved. A locked SIM after several incorrect PIN attempts is also possible. For business tariffs, the APN should not be guessed but checked with the provider.
Gateway is Active, but No Traffic Over Cellular WAN
Then the cause is often with SD-WAN route, gateway priority, firewall rule, NAT, or missing return path. In Log Viewer, it should be visible whether the test traffic really uses the backup path.
Failover Works, but Applications are Unstable
Cellular has higher latency and stronger fluctuations than a fixed line. Applications with sensitive sessions, VoIP, large file transfers, VPN-over-VPN, or RDP may react differently. Additionally, MTU/MSS and packet loss can play a role.
VPN Works Over Main Line, but Not Over Cellular WAN
In cellular, CGNAT, provider filters, changing IP addresses, and protocol restrictions are common causes. For site VPN, it should be checked whether the cellular path works as an initiator, whether the peer accepts dynamic IPs, and whether the return route is correct.
Operational Recommendations
Cellular WAN should be operated like an emergency path, not like a forgotten checkbox in the interface.
Sensible operational rules:
- Test failover at least quarterly.
- Monitor data volume and costs.
- Document SIM, APN, and provider contract.
- Record antenna position and signal values.
- Limit non-critical traffic during failover.
- Include gateway and SD-WAN status in monitoring.
- Plan a short failover test after firmware updates.
- Exclude Cellular WAN early in HA planning or adjust the design.
If a site relies on Cellular WAN, the return path should also be documented: who receives a disruption notification, who is allowed to deactivate the main line, who contacts the cellular provider, and when normal operation is switched back.
Checklist
- Modem or cellular module is recognised.
- SIM is active and not locked.
- PIN and APN are correct.
- Cellular WAN interface has the correct zone.
- Gateway is created and monitored.
- SD-WAN profile uses sensible health checks.
- Failover was tested with real test traffic.
- Firewall rules and NAT also fit in the backup path.
- Data volume and costs are known.
- Signal values were documented.
- HA restrictions were considered.
- Log sources and support process are known.
FAQ
Can Cellular WAN be used as the main line?
Why is the gateway active, but the site still has no internet?
Is a successful ping sufficient as a failover test?
Does Cellular WAN work in a Sophos Firewall HA cluster?
Which CLI command shows Cellular WAN details?
system cellular_wan show is available to check Cellular WAN information such as signal values via the CLI.