Sophos Firewall – SD-WAN Routing Reply-Packet & System Traffic
There are various options for managing Sophos Firewalls in order to efficiently control and route data traffic.
An important component here is the Software-Defined WAN (SD-WAN).
SD-WAN makes it possible to make network infrastructures more intelligent through an additional software layer, especially when controlling traffic between different networks and across different WAN connections.
For optimal functionality, it may be necessary to manually enable SD-WAN settings via the command line (CLI), as some of these settings may be disabled. This post provides an overview of two specific SD-WAN settings that can be customized via SSH: reply-packet and system-generate-traffic. These settings are particularly relevant if you notice that certain traffic routings are not working as expected.
Activate Reply-Packet
Reply packets are the return packets that belong to a connection the firewall has already routed out, i.e. the response to outgoing traffic.
By default, Sophos Firewall enforces symmetric routing for reply packets over WAN interfaces.
However, there may be situations where asymmetric routing is required, e.g. for traffic between LAN and DMZ.
How to check the current setting
show routing sd-wan-policy-route reply-packet
To activate the reply packet option
set routing sd-wan-policy-route reply-packet enable
If this option is activated, response packets can be sent via a different interface than the one originally used, which can be helpful in certain network scenarios.
Activate system-generated traffic
System-generated traffic refers to traffic that is generated by the Sophos Firewall itself, for example for management services or monitoring protocols.
In certain scenarios, it may be necessary to route this traffic via a specific route instead of using the default route.
How to check the current setting
show routing sd-wan-policy-route system-generate-traffic
To activate the system-generate-traffic option
set routing sd-wan-policy-route system-generate-traffic enable
Activating this option ensures that the system-generated traffic is routed correctly via the SD-WAN policies, which is particularly advantageous for complex network infrastructures.
When are these adjustments necessary?
Certain network requirements may not be met when the firewall's default routing behavior is insufficient. This can occur, for example, if:
- reply packets are sent out via the wrong interface.
- system-generated traffic is not routed through the network as expected.
In such cases, it makes sense to check the settings described above via the CLI and activate them if necessary. This ensures precise control and adjustment of the network routes and helps to avoid potential network problems.
By activating these functions manually, you can ensure that your network runs more efficiently and stably, especially in more complex environments where specific routes are required.
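As an added example that is not part of the original post, the following Python script audits captured output of the two `show` commands from this post and emits exactly the `set` commands that are still needed. The line format of the firewall's `show` output is an assumption here (the sample capture is constructed), so the parser only looks for the words enable/disable and flags anything it cannot classify.

```python
import re
from typing import Dict, List, Optional

# The two SD-WAN policy-route settings discussed in the post; the console
# accepts "enable" or "disable" for each of them.
SETTINGS = ["reply-packet", "system-generate-traffic"]


def show_command(name: str) -> str:
    """Command used to read the current value of a setting."""
    return f"show routing sd-wan-policy-route {name}"


def set_command(name: str, state: str) -> str:
    """Command used to change a setting."""
    return f"set routing sd-wan-policy-route {name} {state}"


def parse_state(output: str) -> Optional[str]:
    """Return 'enable' or 'disable' if the show output contains it, else None.
    Assumption: the console prints the state as enable/enabled or
    disable/disabled somewhere on the line."""
    m = re.search(r"\b(enable|disable)d?\b", output, re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit(captured: Dict[str, str], desired: str = "enable") -> Dict[str, List[str]]:
    """captured maps a setting name to the text captured from its show command.
    Returns the settings already in the desired state, the set commands that
    still need to be run, and settings whose output could not be classified."""
    report: Dict[str, List[str]] = {"compliant": [], "remediate": [], "unknown": []}
    for name in SETTINGS:
        state = parse_state(captured.get(name, ""))
        if state is None:
            report["unknown"].append(name)   # capture missing or unrecognized
        elif state == desired:
            report["compliant"].append(name)
        else:
            report["remediate"].append(set_command(name, desired))
    return report


# Constructed sample capture (hypothetical output format, not real firewall text).
SAMPLE_CAPTURE = {
    "reply-packet": "Reply packet routing : disabled",
    "system-generate-traffic": "System generate traffic routing : enabled",
}

if __name__ == "__main__":
    for name in SETTINGS:
        print(show_command(name))
    print(audit(SAMPLE_CAPTURE))
```

Run the `show` commands in the firewall console, paste each result into the capture, and the `remediate` list gives the commands to apply for the settings that are still disabled.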
Conclusion
Customizing the SD-WAN settings via the CLI is a valuable tool for optimally controlling network traffic within the Sophos Firewall. By enabling the reply-packet and system-generate-traffic options, you can ensure that specific network requirements are met and that routing works efficiently and reliably.
Note: These changes should only be made by experienced administrators who understand the impact on the entire network.
Further information
For detailed information and further configuration options for SD-WAN Policy Routing on Sophos Firewall, see the following documentation:
- SD-WAN Policy Routing Behavior: comprehensive overview of SD-WAN route behavior, including specific details on system-generated traffic and reply packets (Sophos Knowledge Base: SD-WAN Policy Routing Behavior).
- SD-WAN Policy Routing: describes the basic configuration and management of SD-WAN routes; ideal for a deeper understanding of the functionality and configuration options (Sophos Knowledge Base: SD-WAN Policy Routing).