Change the Sophos Firewall routing priority
This guide explains how to check and adjust route precedence on Sophos Firewall. Route precedence defines the order in which the firewall evaluates static routes, SD-WAN policy routes and VPN routes during route lookup.
Requirements
- Sophos Firewall with SFOS 18.0 or later
- Gateway mode
- Access to the Device Console, for example through SSH
- A maintenance window if production traffic may be affected
If console access is not yet configured, see Connect to Sophos Firewall via SSH for the steps to connect and open the Device Console.
⚠️ Changing route precedence can immediately affect production traffic. Before changing it, document the current order and verify which static routes, SD-WAN policy routes and VPN routes may be affected.
What is route precedence used for?
Route precedence controls which routing type is evaluated first when multiple routes match the same destination. This is especially important when static routes, SD-WAN policy routes and VPN routes overlap.
A common scenario: an internal network should only be reachable through an IPsec connection or a static route, but the firewall selects an SD-WAN policy route and sends the traffic toward the WAN. In this case, adjusting route precedence can help. Depending on the IPsec design, an IPsec route may also be the cleaner solution.
Sophos documents this command here: route_precedence - Sophos Firewall.
Routing types
- static: Static routes. According to Sophos, SSL VPN connections also belong to this category.
- sdwan_policyroute: SD-WAN policy routes or policy-based routes.
- vpn: VPN routes.
The default order is:
- Static
- SD-WAN
- VPN
Show the current setting
Run the following commands in the Device Console, not in the Advanced Shell.
system route_precedence show
Document the output before changing anything. If a rollback is required, you can restore exactly the previous order.
Change the order
This example places static routes before SD-WAN policy routes and VPN routes:
system route_precedence set static sdwan_policyroute vpn
If the current output already shows static sdwan_policyroute vpn, route precedence is probably not the cause. In that case, check static routes, SD-WAN policy routes, VPN configuration, firewall rules and NAT rules.
Verify the change
Show the new order again:
system route_precedence show
Then test the affected traffic deliberately:
- Test connectivity to the destination network, for example with ping or traceroute
- Check the Log Viewer for allowed or dropped traffic
- Use Packet Capture if needed
- Verify whether NAT or firewall rules also influence the traffic
Rollback
If traffic does not work as expected after the change, restore the previously documented order. Example:
system route_precedence set sdwan_policyroute static vpn
The exact order must match the output documented before the change.
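The document-then-change-then-rollback procedure above can be scripted so that the rollback command is derived from the recorded output rather than typed from memory. The following Python helper is an added example and not Sophos code; it assumes only that the three routing-type keywords appear in the `show` output in precedence order (as the check "output shows static sdwan_policyroute vpn" implies) and uses a constructed sample output, not real firmware output.

```python
import re

# Routing types accepted by "system route_precedence set", as listed in this guide.
ROUTE_TYPES = ("static", "sdwan_policyroute", "vpn")
# Factory default order from this guide: static, SD-WAN, VPN.
DEFAULT_ORDER = ("static", "sdwan_policyroute", "vpn")

# Constructed sample of "system route_precedence show" output (not real SFOS output).
SAMPLE_SHOW_OUTPUT = "Route precedence: sdwan_policyroute static vpn"


def parse_precedence(show_output: str) -> tuple:
    """Recover the precedence order from pasted 'show' output.

    Assumption: the lowercase keywords static / sdwan_policyroute / vpn occur in
    precedence order; any surrounding labels or punctuation are ignored.
    """
    first_seen = {}
    for m in re.finditer(r"\b(static|sdwan_policyroute|vpn)\b", show_output):
        first_seen.setdefault(m.group(1), m.start())  # keep the first occurrence
    if set(first_seen) != set(ROUTE_TYPES):
        raise ValueError(f"could not find all routing types in: {show_output!r}")
    return tuple(sorted(first_seen, key=first_seen.get))


def set_command(order) -> str:
    """Build the console command, rejecting typos, duplicates and missing types."""
    order = tuple(order)
    if sorted(order) != sorted(ROUTE_TYPES):
        raise ValueError(f"order must be a permutation of {ROUTE_TYPES}, got {order}")
    return "system route_precedence set " + " ".join(order)


def plan_change(show_output: str, desired) -> dict:
    """Return the documented current order, the change command and its exact rollback.

    is_noop is True when the firewall already uses the desired order; per the guide,
    route precedence is then probably not the cause and routes, firewall and NAT
    rules should be checked instead.
    """
    current = parse_precedence(show_output)
    desired = tuple(desired)
    return {
        "current": current,
        "change": set_command(desired),
        "rollback": set_command(current),  # restores exactly the documented order
        "is_noop": current == desired,
    }


if __name__ == "__main__":
    for key, value in plan_change(SAMPLE_SHOW_OUTPUT, DEFAULT_ORDER).items():
        print(f"{key}: {value}")
```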